
Tivoli Identity Manager


Version 5.1

Tivoli Access Manager Combo Adapter


Installation and Configuration Guide

SC23-9664-00
Note: Before using this information and the product it supports, read the information in Appendix C, “Notices,” on page 59.

© Copyright International Business Machines Corporation 2006, 2009.


US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

Preface  v
  About this book  v
  Intended audience for this book  v
  Publications and related information  v
    Tivoli Identity Manager library  v
    Prerequisite product publications  vii
    Related publications  viii
    Accessing terminology online  viii
    Accessing publications online  viii
    Ordering publications  viii
  Accessibility  ix
  Tivoli technical training  ix
  Support information  ix
  Conventions used in this book  ix
    Typeface conventions  ix
    Operating system-dependent variables and paths  x
    Definitions for HOME and other directory variables  x

Chapter 1. Overview of the Tivoli Access Manager Combo Adapter  1
  Features of the adapter  1
  Architecture of the adapter  1
  Supported configurations  2

Chapter 2. Planning to install the Tivoli Access Manager Combo Adapter  5
  Preinstallation roadmap  5
  Installation roadmap  5
  Prerequisites  6
  Installation worksheet for the adapter  7
  Downloading the software  7

Chapter 3. Installing the Tivoli Access Manager Combo Adapter  9
  Installing and configuring the Tivoli Access Manager Runtime for Java System  9
  Installing using the installation wizard  9
  Configuring the Tivoli Directory Integrator Application into the Tivoli Access Manager secure domain  12
  Installing the Tivoli Access Manager Combo Adapter Utilities Package  15
  Installing the RMI Dispatcher  15

Chapter 4. Importing the adapter profile into the Tivoli Identity Manager Server  17

Chapter 5. Creating a Tivoli Access Manager Combo service  19

Chapter 6. Configuring the Tivoli Access Manager Combo Adapter  25
  Customizing the Tivoli Access Manager Combo Adapter profile  25
  Standard parameters  26
  Adapter attributes and object classes  26
  Other Configuration Considerations  32
  RMI Dispatcher Configuration Properties  33

Chapter 7. Configuring SSL authentication for the adapter  35
  SSL terminology  35
  SSL configurations  36
    Configuring for one-way SSL authentication  36
    Configuring for two-way SSL authentication  37
  Task performed on the SSL server (Tivoli Directory Integrator server workstation)  38
    Creating a keystore for the Tivoli Directory Integrator server  38
    Creating a truststore for the Tivoli Directory Integrator server  38
    Creating a server-signed certificate for the Tivoli Directory Integrator server  39
    Creating a CA certificate for Tivoli Directory Integrator  39
    Importing the WebSphere CA certificate into the Tivoli Directory Integrator truststore  40
    Configure Tivoli Directory Integrator to use the keystores  40
    Configure Tivoli Directory Integrator to use the truststores  40
    Enabling the adapter service to use SSL  41
  Tasks performed on the SSL client (Tivoli Identity Manager and WebSphere Application Server workstation)  41
    Creating a signed certificate for the Tivoli Identity Manager server  41
    Creating a WebSphere Application Server CA certificate for Tivoli Identity Manager  42
    Importing the Tivoli Identity Manager CA certificate into the WebSphere Application Server truststore  42

Chapter 8. Verifying the Tivoli Access Manager Combo Adapter profile installation  43

Chapter 9. Troubleshooting the Tivoli Access Manager Combo Adapter installation  45
  Logging information format  45
  Reconciliation of Supporting Data  46
  Runtime Problems  46
  Performance Tuning  48
  Selection of groups to determine membership  48

© Copyright IBM Corp. 2006, 2009 iii


Chapter 10. Uninstalling the Tivoli Access Manager Combo Adapter  51

Appendix A. Accessibility  53
  Navigating the interface using the keyboard  53
  Magnifying what is displayed on the screen  53

Appendix B. Support information  55
  Searching knowledge bases  55
    Search the information center on your local system or network  55
    Search the Internet  55
  Contacting IBM Software Support  55
    Determine the business impact of your problem  56
    Describe your problem and gather background information  57
    Submit your problem to IBM Software Support  57

Appendix C. Notices  59
  Trademarks  60

iv IBM Tivoli Identity Manager: Tivoli Access Manager Combo Adapter Installation and Configuration Guide
Preface
About this book
This installation guide provides the basic information that you need to install and
configure the IBM® Tivoli Access Manager Combo Adapter. The Tivoli Access
Manager Combo Adapter enables connectivity between the Tivoli® Identity
Manager Server and the Tivoli Access Manager Policy Server and its associated
directory server.

Intended audience for this book


This book is intended for administrators responsible for installing and configuring
software on their organization’s computer systems. Readers are expected to
understand IBM Tivoli Identity Manager, IBM Tivoli Access Manager and IBM
Tivoli Directory Integrator, and operating system concepts. The person completing
the Tivoli Access Manager Combo Adapter installation procedure must also be
familiar with their organization’s system standards. Readers should be able to
perform routine security administration tasks.

Publications and related information


This section lists publications in the IBM Tivoli Identity Manager library and
related documents. The section also describes how to access Tivoli publications
online and how to order Tivoli publications.

Read the descriptions of the IBM Tivoli Identity Manager library. To determine
which additional publications you might find helpful, read the “Prerequisite
product publications” on page vii and the “Related publications” on page viii.
After you determine the publications you need, refer to the instructions in
“Accessing publications online” on page viii.

Tivoli Identity Manager library


The publications in the technical documentation library for your product are
organized into the following categories:
- Release information
- Online user assistance
- Server installation and configuration
- Problem determination
- Technical supplements
- Adapter installation and configuration

Release Information:
- Release Notes
  Provides software and hardware requirements for the product, and additional
  fix, patch, and other support information.
- Read This First card
  Lists the publications for the product.

Online user assistance:

Provides online help topics and an information center for administrative tasks.

Server installation and configuration:

Provides installation and configuration information for the product server.

Problem determination:

Provides problem determination, logging, and message information for the
product.

Technical supplements:

The following technical supplements are provided by developers or by other
groups who are interested in this product:
- Performance and tuning information
  Provides information needed to tune your production environment, available on
  the Web at:
  http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
  Click the I character in the A-Z product list to locate IBM Tivoli Identity
  Manager products. Click the link for your product, and then browse the
  information center for the Technical Supplements section.
- IBM Redbooks® and white papers are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
  Browse to the Self Help section, in the Learn category, and click the Redbooks
  link.
- Technotes are available on the Web at:
  http://www.redbooks.ibm.com/redbooks.nsf/tips/
- Field guides are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
- For an extended list of other Tivoli Identity Manager resources, search the
  following IBM developerWorks® Web address:
  http://www.ibm.com/developerworks/

Adapter documentation:

The technical documentation library also includes a set of platform-specific
documents for the adapter components of the product. Adapter information is
available on the Web at:

http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

Click the I character in the A-Z product list to locate IBM Tivoli Identity Manager
products. Click the link for your product, and then browse the information center
for the adapter information that you want.

Skills and training:

The following additional skills and technical training information were available at
the time that this manual was published:
- Virtual Skills Center for Tivoli Software on the Web at:
  http://www.cgselearning.com/tivoliskills/
- Tivoli Education Software Training Roadmaps on the Web at:
  http://www.ibm.com/software/tivoli/education/eduroad_prod.html
- Tivoli Technical Exchange on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html

Prerequisite product publications


To use the information in this book effectively, you must have knowledge of the
products that are prerequisites for your product. Publications are available from
the following locations:
- Operating systems
  - IBM AIX
    http://publib16.boulder.ibm.com/pseries/
  - Solaris Operating Environment
    http://docs.sun.com/app/docs/prod/solaris
  - Red Hat Linux
    http://www.redhat.com/docs/
  - Microsoft® Windows® Server 2003
    http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
- Database servers
  - IBM DB2 Universal Database
    - Support: http://www.ibm.com/software/data/db2/udb/support.html
    - Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
    - Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
    - DB2® product family: http://www.ibm.com/software/data/db2
    - Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
    - System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
  - Oracle
    http://www.oracle.com/technology/documentation/index.html
    http://otn.oracle.com/tech/index.html
    http://otn.oracle.com/tech/linux/index.html
  - Microsoft SQL Server
    http://www.msdn.com/library/
    http://www.microsoft.com/sql/
- Directory server applications
  - IBM Directory Server
    http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
    Click the D character in the A-Z list, and then click the link for your product
    to access the product library.
    http://www.ibm.com/software/network/directory
  - Sun Java System Directory Server
    http://www.sun.com/software/products/directory_srvr/home_directory.xml
- WebSphere®
  Additional information is available in the product directory or Web sites.
  http://www.ibm.com/software/webservers/appserv/was/library/
  http://www.redbooks.ibm.com/
- WebSphere embedded messaging
  http://www.ibm.com/software/integration/wmq/
- IBM HTTP Server
  http://www.ibm.com/software/webservers/httpservers/library.html

Related publications

The following documents also provide useful information:
- The Tivoli Software Library provides a variety of Tivoli publications such as
  white papers, datasheets, demonstrations, IBM Redbooks, and announcement
  letters. The Tivoli Software Library is available on the Web at:
  http://www.ibm.com/software/tivoli/literature/
- The Tivoli Software Glossary includes definitions for many of the technical terms
  related to Tivoli software. The Tivoli Software Glossary is available from the
  Glossary link of the Tivoli Software Library Web page at:
  http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

Accessing terminology online


The Tivoli Software Glossary includes definitions for many of the technical terms
related to Tivoli software. The Tivoli Software Glossary is available at the following
Tivoli software library Web site:

http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

The IBM Terminology Web site consolidates the terminology from IBM product
libraries in one convenient location. You can access the Terminology Web site at the
following Web address:

http://www.ibm.com/software/globalization/terminology

Accessing publications online


IBM posts publications for this and all other Tivoli products, as they become
available and whenever they are updated, to the Tivoli Information Center Web
site at http://publib.boulder.ibm.com/tividd/td/link/tdprodlist.html.

In the Tivoli Information Center window, click Tivoli product manuals. Click the
letter that matches the first letter of your product name to access your product
library. For example, click M to access the IBM Tivoli Monitoring library or click O
to access the IBM Tivoli OMEGAMON® library.

Note: If you print PDF documents on other than letter-sized paper, set the option
in the File → Print window that allows Adobe® Reader to print letter-sized
pages on your paper.

Ordering publications
You can order many Tivoli publications online at
http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.

viii IBM Tivoli Identity Manager: Tivoli Access Manager Combo Adapter Installation and Configuration Guide
You can also order by telephone by calling one of these numbers:
- In the United States: 800-879-2755
- In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivoli
publications. To locate the telephone number of your local representative, perform
the following steps:
1. Go to http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that
   includes the telephone number of your local representative.

Accessibility
Accessibility features help users with a physical disability, such as restricted
mobility or limited vision, to use software products successfully. With this product,
you can use assistive technologies to hear and navigate the interface. You can also
use the keyboard instead of the mouse to operate all features of the graphical user
interface.

For additional information, see Appendix A, “Accessibility,” on page 53.

Tivoli technical training


For Tivoli technical training information, refer to the following IBM Tivoli
Education Web site at http://www.ibm.com/software/tivoli/education.

Support information
If you have a problem with your IBM software, you want to resolve it quickly. IBM
provides the following ways for you to obtain the support you need:
- IBM Support Assistant: You can search across a large collection of known
  problems and workarounds, Technotes, and other information at
  http://www.ibm.com/software/support/isa.
- Obtaining fixes: You can locate the latest fixes that are already available for your
  product.
- Contacting IBM Software Support: If you still cannot solve your problem, and
  you need to work with someone from IBM, you can use a variety of ways to
  contact IBM Software Support.

For more information about these ways to resolve problems, see Appendix B,
“Support information,” on page 55.

Conventions used in this book


This reference uses several conventions for special terms and actions and for
operating system-dependent commands and paths.

Typeface conventions

This book uses the following typeface conventions:

Bold
- Lowercase commands and mixed case commands that are otherwise
  difficult to distinguish from surrounding text
- Interface controls (check boxes, push buttons, radio buttons, spin
  buttons, fields, folders, icons, list boxes, items inside list boxes,
  multicolumn lists, containers, menu choices, menu names, tabs, property
  sheets), labels (such as Tip:, and Operating system considerations:)
- Keywords and parameters in text

Italic
- Citations (examples: titles of books, diskettes, and CDs)
- Words defined in text (example: a nonswitched line is called a
  point-to-point line)
- Emphasis of words and letters (words as words example: "Use the word
  that to introduce a restrictive clause," letters as letters example: "The
  LUN address must start with the letter L.")
- New terms in text (except in a definition list): a view is a frame in a
  workspace that contains data.
- Variables and values you must provide: ... where myname represents...

Monospace
- Examples and code examples
- File names, programming keywords, and other elements that are difficult
  to distinguish from surrounding text
- Message text and prompts addressed to the user
- Text that the user must type
- Values for arguments or command options

Operating system-dependent variables and paths


This guide uses the Windows convention for specifying environment variables and
for directory notation.

When using the Unix command line, replace %variable% with $variable for
environment variables and replace each backslash (\) with a forward slash (/) in
directory paths. The names of environment variables are not always the same in
Windows and UNIX®. For example, %TEMP% in the Windows operating system is
equivalent to $tmp in a UNIX operating system.

Note: If you are using the bash shell on a Windows system, you can use the UNIX
conventions.
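The notation rule above (replace %variable% with $variable and each backslash with a forward slash, remembering that a few variable names differ between the two systems) as a small converter. This is an added example, not part of the guide; the rename table holds only the one case the guide names (%TEMP% to $tmp) and the sample paths are constructed.

```python
import re

# Variable names that differ between the two conventions. The guide gives one
# instance (%TEMP% on Windows corresponds to $tmp on UNIX); this table is
# constructed for the example and can be extended for your environment.
WINDOWS_TO_UNIX_NAMES = {"TEMP": "tmp"}
UNIX_TO_WINDOWS_NAMES = {unix: win for win, unix in WINDOWS_TO_UNIX_NAMES.items()}

# %NAME% in the Windows convention; $NAME or ${NAME} in the UNIX convention.
_WINDOWS_VAR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
_UNIX_VAR = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def to_unix_path(windows_path: str) -> str:
    """Rewrite a path from the guide's Windows notation into UNIX notation.

    %variable% becomes $variable (using the UNIX name where it differs) and
    every backslash becomes a forward slash.
    """
    converted = _WINDOWS_VAR.sub(
        lambda m: "$" + WINDOWS_TO_UNIX_NAMES.get(m.group(1), m.group(1)),
        windows_path,
    )
    return converted.replace("\\", "/")


def to_windows_path(unix_path: str) -> str:
    """The reverse rewrite, for readers working from a UNIX-style path."""
    converted = _UNIX_VAR.sub(
        lambda m: "%" + UNIX_TO_WINDOWS_NAMES.get(m.group(1), m.group(1)) + "%",
        unix_path,
    )
    return converted.replace("/", "\\")


if __name__ == "__main__":
    # Constructed sample paths; ITDI_HOME and jars\connectors are from the guide.
    for p in (r"%ITDI_HOME%\jars\connectors", r"%TEMP%\adapter.log"):
        print(p, "->", to_unix_path(p))
```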

Definitions for HOME and other directory variables


The following table contains the default definitions that are used in this guide to
represent the HOME directory level for various product installation paths. You can
customize the installation directory and HOME directory for your specific
implementation. If this is the case, you need to make the appropriate substitution
for the definition of each variable represented in this table.

The value of path varies for these operating systems:
- Windows: drive:\Program Files
- AIX®: /usr
- Other UNIX: /opt

Path variable: DB_INSTANCE_HOME
  Default definition:
    Windows: path\IBM\SQLLIB
    UNIX:
      AIX, Linux®: /home/dbinstancename
      Solaris: /export/home/dbinstancename
  Description: The directory that contains the database for your Tivoli Identity
  Manager product.

Path variable: IDS_instance_HOME
  Default definition (for IBM Directory Server Version 6.0):
    Windows: drive\idsslapd-instance_owner_name
      The value of drive might be C:\. An example of instance_owner_name might be
      ldapdb2. For example, the log file might be
      C:\idsslapd-itimldap\logs\ibmslapd.log
    UNIX: INSTANCE_HOME/idsslapd-instance_name
      On Linux and AIX systems, the default home directory is the
      /home/instance_name/idsslapd-instance_name directory. On Solaris systems,
      for example, the directory is the /export/home/itimldap/idsslapd-itimldap
      directory.
  Description: The directory that contains the IBM Directory Server Version 6.0
  instance.

Path variable: HTTP_HOME
  Default definition:
    Windows: path\IBMHttpServer
    UNIX: path/IBMHttpServer
  Description: The directory that contains the IBM HTTP Server code.

Path variable: ITIM_HOME
  Default definition:
    Windows: path\IBM\itim
    UNIX: path/IBM/itim
  Description: The base directory that contains the Tivoli Identity Manager code,
  configuration, and documentation.

Path variable: WAS_HOME
  Default definition:
    Windows: path\IBM\WebSphere\AppServer
    UNIX: path/IBM/WebSphere/AppServer
  Description: The WebSphere home directory.

Path variable: WAS_NDM_HOME
  Default definition:
    Windows: path\IBM\WebSphere\DeploymentManager
    UNIX: path/IBM/WebSphere/DeploymentManager
  Description: The home directory on the Deployment Manager.

Path variable: ITDI_HOME
  Default definition:
    Windows, for version 6.1.1: drive\Program Files\IBM\TDI\V6.1.1
    UNIX, for version 6.1.1: /opt/IBM/TDI/V6.1.1
    The ITDI_HOME directory contains the jars/connectors subdirectory that
    contains files for the adapters. For example, the jars/connectors
    subdirectory contains the files for the UNIX adapter.
    Note: If Tivoli Directory Integrator is not automatically installed with your
    Tivoli Identity Manager product, the default directory path for Tivoli
    Directory Integrator might be as follows: path/IBM/IBMDirectoryIntegrator
  Description: The directory where Tivoli Directory Integrator is installed.

Path variable: Tivoli_Common_Directory
  Default definition:
    Windows: path\ibm\tivoli\common\
    UNIX: path/ibm/tivoli/common/
  Description: The central location for all serviceability-related files, such as
  logs and first-failure data capture.

Chapter 1. Overview of the Tivoli Access Manager Combo Adapter

An adapter is a program that provides an interface between a managed resource
and the IBM Tivoli Identity Manager Server. Adapters might or might not reside
on the managed resource, and the IBM Tivoli Identity Manager Server manages
access to the resource by using your security system. Adapters function as trusted
virtual administrators on the target platform, performing such tasks as creating
login IDs, suspending IDs, and performing other functions administrators normally
run manually.

The Tivoli Access Manager Combo Adapter leverages the IBM Tivoli Directory
Integrator functionality to facilitate communication between the IBM Tivoli Identity
Manager Server and IBM Tivoli Access Manager Server. The following sections
provide information about the Tivoli Access Manager Combo Adapter:
- “Features of the adapter”
- “Architecture of the adapter”
- “Supported configurations” on page 2

Features of the adapter


You can use the Tivoli Access Manager Combo Adapter to automate the following
administrative tasks:
- Creating new users on the Tivoli Access Manager Server.
- Creating SSO credentials for users on the Tivoli Access Manager Server.
- Modifying users’ SSO credentials and attributes on the Tivoli Access Manager
  Server and its underlying directory server.
- Changing user account passwords on the Tivoli Access Manager server.
- Suspending, restoring, and deleting user accounts on the Tivoli Access Manager
  server.
- Reconciling user, SSO credentials and LDAP user attributes on the Tivoli Access
  Manager Server.

Architecture of the adapter


IBM Tivoli Identity Manager communicates with the Tivoli Access Manager Combo
Adapter to administer IBM Tivoli Access Manager user accounts. You can perform
the following actions on an account:
- Add
- Delete
- Modify
- Change Password
- Restore
- Suspend

You can also search for account information and change an account password.

The Tivoli Access Manager Combo Adapter consists of IBM Tivoli Directory
Integrator AssemblyLines. When an initial request is made by IBM Tivoli Identity
Manager Server to the Tivoli Access Manager Combo Adapter, the AssemblyLines
are loaded into the Tivoli Directory Integrator Server. As a result, subsequent
service requests do not require those same AssemblyLines to be reloaded.

The AssemblyLines use the Tivoli Directory Integrator Tivoli Access Manager
connector and LDAP connector to perform user management tasks on the
directory server. They do this remotely, using the login user ID and password of
a user that has administrator privileges.

Figure 1 shows the various components that work together to complete user
management tasks in a Tivoli Directory Integrator environment.

Figure 1. The architecture of the Tivoli Access Manager Combo Adapter

For additional information about Tivoli Directory Integrator, see the IBM Tivoli
Directory Integrator: Getting Started Guide.

Supported configurations

The Tivoli Access Manager Combo Adapter supports a number of different
configurations and is designed to operate with Tivoli Identity Manager 5.0.

The fundamental components of a Tivoli Access Manager Combo Adapter
environment are:
- a Tivoli Identity Manager Server,
- an IBM Tivoli Directory Integrator Server,
- a compatible directory server, and
- the IBM Tivoli Access Manager Combo Adapter.

The Tivoli Access Manager Java™ Runtime Environment (JRTE) must also be
installed on the same Java Runtime Environment (JRE) as used by Tivoli Directory
Integrator.

The Tivoli Access Manager Combo Adapter is both highly configurable and highly
customizable. Please note that support can only extend to the configuration of the
adapter such as adding mapping for additional attributes. Support cannot extend
to customization by way of changes, additions or modifications to its Tivoli
Directory Integrator Assembly Line scripts for example.

The Tivoli Access Manager Combo adapter cannot support directory service load
balancing or environments that utilize architectures such as Master/Master
directory server replication.

Although reconciliation of dynamic group supporting data may occur through the
use of the Tivoli Access Manager API method of reconciliation, management
including the addition or removal of Tivoli Access Manager accounts to or from
these dynamic groups through IBM Tivoli Identity Manager is unsupported.

The Tivoli Access Manager Combo adapter supports Microsoft Windows Active
Directory and Microsoft Windows Active Directory Application Mode (ADAM)
configured against Tivoli Access Manager.

Note: ADAM is supported only when SSL is implemented between IBM Tivoli
Directory Integrator and the ADAM directory server. You should use the
Identity Manager Windows Active Directory (rather than the Tivoli Access
Manager Combo service) to handle accounts in situations where:
- the Tivoli Access Manager Combo adapter is managing a Tivoli Access
  Manager deployment that is configured against Microsoft Windows Active
  Directory, and
- the Tivoli Identity Manager Windows Active Directory service is
  implemented on Tivoli Identity Manager to manage Windows Active
  Directory accounts, which are also associated with the Tivoli Access
  Manager instance.
In such situations, anomalous results may result if you delete Active
Directory accounts that are associated with Tivoli Access Manager accounts.

Chapter 2. Planning to install the Tivoli Access Manager Combo Adapter

Installing and configuring the adapter involves several steps that you must
complete in the appropriate sequence. Review the roadmaps before you begin the
installation process.

Preinstallation roadmap

You must prepare the environment before you can install the adapter.

Table 1. Preinstallation roadmap
- Verify that the software and hardware requirements for the adapter that you want
  to install have been met: see “Prerequisites” on page 6.
- Collect the necessary information for the installation and configuration: see
  “Installation worksheet for the adapter” on page 7.
- Obtain the installation software: download the software from Passport
  Advantage®. See “Downloading the software” on page 7.

Installation roadmap

You must complete the necessary steps to install the adapter, including completing
post-installation configuration tasks and verifying the installation:

Table 2. Installation roadmap
- Install the adapter: see Chapter 3, “Installing the Tivoli Access Manager Combo
  Adapter,” on page 9.
- Import the adapter profile: see Chapter 4, “Importing the adapter profile into the
  Tivoli Identity Manager Server,” on page 17.
- Create a service: see Chapter 5, “Creating a Tivoli Access Manager Combo
  service,” on page 19.
- Configure the adapter: see Chapter 6, “Configuring the Tivoli Access Manager
  Combo Adapter,” on page 25.
- Verify the adapter profile installation: see Chapter 8, “Verifying the Tivoli Access
  Manager Combo Adapter profile installation,” on page 43.



Prerequisites

Table 3 identifies hardware, software, and authorization prerequisites to install the
Tivoli Access Manager Combo Adapter. Verify that all of the prerequisites have
been met before installing the Tivoli Access Manager Combo Adapter.

Table 3. Prerequisites to install the adapter
- Operating System: The Tivoli Access Manager Combo Adapter can be used on any
  operating system that is supported by Tivoli Directory Integrator.
- Network Connectivity: TCP/IP network.
- System Administrator Authority: The person completing the Tivoli Access Manager
  Combo Adapter installation procedure must have system administrator authority
  to complete the steps in this chapter.
- Tivoli Directory Integrator Server: 6.1.1 Fixpack 5.
- Tivoli Identity Manager server: Version 5.1.
- IBM Tivoli Identity Manager Adapter (also known as the RMI Dispatcher): Version
  supplied in installation package or later.
- IBM Tivoli Access Manager Java Run-Time: Corresponding version to IBM Tivoli
  Access Manager Server. The Tivoli Access Manager Combo Adapter supports Tivoli
  Access Manager Server version 6.0 and 6.1.
- Tivoli Directory Integrator Tivoli Access Manager Connector (supplied with Tivoli
  Access Manager Combo Adapter): Version supplied in installation package or later.

For information on the minimal system requirements and supported operating
systems for Tivoli Directory Integrator, refer to the IBM Tivoli Directory Integrator
Administrator Guide.

Note: The Tivoli Access Manager Combo adapter supports Microsoft Windows
Active Directory configured against Tivoli Access Manager. The Tivoli
Access Manager Combo adapter can be used where Tivoli Access Manager
is configured against Microsoft Windows Active Directory, and where the
Tivoli Identity Manager Windows Active Directory service is implemented
on Tivoli Identity Manager to manage the same Windows Active Directory
accounts associated with the Tivoli Access Manager instance. In these
situations, the Identity Manager Windows Active Directory should manage
those accounts rather than the Tivoli Access Manager Combo service. Be
aware that anomalous results may result if Active Directory accounts that
have been associated with a Tivoli Access Manager account are deleted.

Installation worksheet for the adapter

Table 4 identifies the information you will need to install the Tivoli Access
Manager Combo Adapter.

Table 4. Required information to install the adapter
- Administrator account on the managed resource for running the Tivoli Access
  Manager Combo Adapter: An administrator account on the managed resource that
  has administrative rights.
- Tivoli Access Manager Administrator account: An administrator account in Tivoli
  Access Manager with administrative rights. For example, sec_master.
- Directory Service Administrator account: An administrative account on Tivoli
  Access Manager’s underlying directory server. This account must have enough
  access rights to manage Tivoli Access Manager directory accounts and group
  membership entries.

Downloading the software

After you have purchased IBM Tivoli Identity Manager, you can download the
adapter software from your account in IBM Passport Advantage Online at:
http://www.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm

Chapter 3. Installing the Tivoli Access Manager Combo Adapter
To install the connector, extract the Tivoli Access Manager Combo zip file
(Adapter50_TamCombo_5.0.x.zip) from the distribution package and follow the
installation steps below.

Installing and configuring the Tivoli Access Manager Runtime for Java System
The Tivoli Access Manager Runtime for Java must be installed and configured to
allow secure communication between the Tivoli Directory Integrator Java Runtime
Environment and the Tivoli Access Manager Policy Server.

Note: The information provided in this guide is not intended to replace the
information supplied in the Tivoli Access Manager for e-business
documentation. Please refer to the IBM Tivoli Access Manager for e-business
Version 6.x Installation Guide or the IBM Tivoli Access Manager Base Installation
Guide for guidance on the installation and configuration of the Tivoli Access
Manager Runtime for Java.

You can set up this system using either one of the following installation methods:
v Installation using the installation wizard.
v Installation using native utilities.

The installation of the Tivoli Access Manager Runtime for Java is described here
using the installation wizard only. For installation using the native utilities, please
refer to the IBM Tivoli Access Manager Base Installation Guide or IBM Tivoli Access
Manager for e-business Installation Guide.

Installing using the installation wizard

The install_amjrte installation wizard simplifies the setup of a Java Runtime
Environment (JRE) by installing and configuring the following components in the
appropriate order:
1. Tivoli Access Manager License.
2. Tivoli Access Manager Runtime for Java.

Note: The wizard detects if a component is installed and does not attempt to
reinstall it.

To install and configure Tivoli Access Manager Runtime for Java using the
install_amjrte wizard, follow these steps:
1. Ensure that all necessary operating system patches are installed. Also, ensure
that you have reviewed the most-recent release information, including system
requirements, disk space requirements, and known Tivoli Access Manager
defects and limitations. See the IBM Tivoli Access Manager for e-business: Release
Notes®, or the Technotes in the Tivoli Access Manager support knowledge
database.

2. For Tivoli Access Manager version 6.x, ensure that IBM Java Runtime 1.4.2 SR2
is installed before running the installation wizard. The correct Java Runtime
Environment is required for the installation software to function correctly.
3. Ensure that the Tivoli Access Manager Policy Server is up and running.
4. To view status and messages in a language other than English (the default),
install your Tivoli Access Manager language support package before running an
installation wizard.
5. On Windows systems only, exit from all running programs.
6. On Red Hat Enterprise Linux 3.0 systems only, the following patches must be
applied:
v compat-gcc-7.3-2.96.122
v compat-libstdc++-7.3-2.96.122
v compat-libstdc++-devel-7.3-2.96.122
v compat-glibc-7.x-2.2.4.32.5
v compat-gcc-c++-7.3-2.96.122
v compat-db-4.0.14-5
v rpm-4.2.1-4.2
v rpm-build-4.2.1-4.2
7. Run the install_amjrte program, located in the root directory on the IBM Tivoli
Access Manager Base CD for the supported AIX, HP-UX, Solaris, Linux and
Windows platforms. The installation wizard begins by prompting you for
configuration information, as described in the table below. Supply the required
configuration information, or accept default values.

Note: * indicates a required option.


Table 5. install_amjrte configuration options
Directory name * (prompted on Windows only)
Specifies the Tivoli Access Manager Runtime for Java directory. The default
directories are:
UNIX or Linux: /opt/PolicyDirector
Windows: C:\Program Files\Tivoli\Policy Director
Enable Tivoli Common Directory for logging
Select to enable Tivoli Common Directory, a central location on systems
running Tivoli software for storing files, such as trace and message logs.
Directory name * (for Tivoli Common Directory, prompted on Windows only)
Specifies the fully qualified path for the Tivoli Common Directory.
v If the location of the Tivoli Common Directory has previously been
established on the system by the installation of another Tivoli
application, the directory location will be displayed in the field but it
cannot be modified.
v If the location of the Tivoli Common Directory has not previously been
established on the system, you can specify its location.
If Tivoli Common Directory is enabled and the directory location has not
been previously established, the default common directory name is:
UNIX or Linux: /var/ibm/tivoli/common
Windows: C:\Program Files\ibm\tivoli\common
Beneath the Tivoli Common Directory, each Tivoli product stores its
information in a product-specific subdirectory. Each product-specific
directory is named with a 3-character product identifier. For example,
tivoli_common_dir/HPD for IBM Tivoli Access Manager.
If Tivoli Common Directory is not enabled, Tivoli Access Manager will write
its message and trace log data to the following location:
UNIX or Linux: /opt/PolicyDirector/log
Windows: C:\Program Files\Tivoli\Policy Director\log
Policy server host name *
Specifies the host name or IP address of the Tivoli Access Manager policy
server.
The policy server manages the policy database (sometimes referred to by its
original name of master authorization database), updates the database
replicas whenever a change is made to the master database, and replicates
the policy information throughout the domains. The policy server also
maintains location information about other resource managers operating in
the domain. There must be at least one policy server defined for each
domain.
Examples:
pdmgr
pdmgr.tivoli.com
Policy server SSL port *
Specifies the port number on which the policy server listens for SSL
requests. The default port number is 7135.
JRE directory *
Specifies the fully qualified path of the Tivoli Directory Integrator Java
Runtime Environment (JRE) that is being configured for Tivoli Access
Manager. You must specify the JRE directory of the Tivoli Directory
Integrator installation which you wish to communicate with the Tivoli Access
Manager Policy Server. For example, the Tivoli Directory Integrator Java
Runtime Environment may be installed at:
UNIX or Linux: ITDI_HOME/jvm/jre/
Windows: ITDI_HOME\jvm\jre\

8. Compare the disk space that is required to install the Tivoli Access Manager
Runtime for Java component with the disk space that is available. If there is
sufficient space, continue the installation.
9. After reviewing the summary and accepting your installation selections and
configuration choices, the components are installed and configured without
further intervention.

Configuring the Tivoli Directory Integrator Application into the Tivoli Access Manager secure domain
To make use of Tivoli Access Manager security, Tivoli Identity Manager must be
configured into your Tivoli Access Manager secure domain. Tivoli Access Manager
provides a utility class called com.tivoli.pd.jcfg.SvrSslCfg that can be used to
accomplish the necessary configuration and unconfiguration tasks.

Tivoli Access Manager uses a self-generated and self-signed certificate to
authenticate its Secure Sockets Layer (SSL) communications. The Tivoli Access
Manager authorization API Java classes must be able to determine the certificate
that Tivoli Access Manager is using in order to establish its SSL communication. As
a result, you also must establish a Tivoli Access Manager identity for the Tivoli
Directory Integrator Java application.

The SvrSslCfg class is used to create a Tivoli Access Manager user account for
Tivoli Directory Integrator and to store the server’s configuration and certificate
information in local configuration and keystore files. The SvrSslCfg option -action
config is used to create the Tivoli Access Manager application name, the
configuration file, and the keystore file. Configuring an application server creates
user and server information in the user registry as well as creates local
configuration and keystore files.

When using the SvrSslCfg class, ensure that the IBM Tivoli Directory Integrator
JRE is used. This is the same JRE that was used when configuring the Tivoli Access
Manager JRTE. The command to establish an SSL connection between the Tivoli
Directory Integrator host and the Tivoli Access Manager secure domain is as
follows:
java com.tivoli.pd.jcfg.SvrSslCfg -action config
-admin_id admin_user_ID
-admin_pwd admin_password
-appsvr_id application_server_name
-appsvr_pwd application_server_password
-port port_number
-mode { local | remote }
-host Host_name_of_application_server
-policysvr policy_server_name:port:rank [,...]
-authzsvr authorization_server_name:port:rank [,...]
-cfg_file fully_qualified_name_of_configuration_file
-domain Tivoli_Access_Manager_domain
-key_file fully_qualified_name_of_keystore_file
-cfg_action { create | replace }

The parameters for the SvrSslCfg configuration action are described in the
table below.
Table 6. Description of parameters for the SvrSslCfg configuration action
-admin_id admin_user_ID
A Tivoli Access Manager user with administrative privileges. For example,
sec_master. This parameter is required.
-admin_pwd password
Password associated with the Tivoli Access Manager administrative user
specified. This parameter is required.
-appsvr_id name
The name of the server where the Tivoli Directory Integrator application is
installed. For example, itdi_tam. This parameter is required.
-port port_number
The TCP/IP port which the application server listens to for policy server
notifications. This parameter is required, but not used. Any integer can be
specified (for example, 1234).
-mode remote
The Tivoli Directory Integrator application server processes requests
remotely. This parameter is required and must be specified as remote.
-policysvr hostname:port:rank[,hostname2:port2:rank2...]
A list of Tivoli Access Manager policy servers with which the application
server can communicate. The format of each entry is host name, TCP/IP port
number, and numeric rank, separated by colons. Multiple servers can be
specified by separating them with commas. For example, the following
indicates that two policy servers, both using the default TCP/IP port 7135,
are available:
primary.myco.com:7135:1,secondary.myco.com:7135:2
This parameter is required.
-authzsvr hostname:port:rank[,hostname2:port2:rank2...]
A list of Tivoli Access Manager authorization servers with which the
application server can communicate. The format of each entry is host name,
TCP/IP port number, and numeric rank, separated by colons. Multiple servers
can be specified by separating them with commas. For example, the following
indicates that two authorization servers, both using the default TCP/IP port
7136, are available:
secazn.myco.com:7136:2,primazn.myco.com:7136:1
This parameter is required. It can be the same value as defined for
-policysvr (above).
-cfg_file file_name
Fully qualified name of the configuration file on the application server.
SvrSslCfg -action config creates this file. The file name should have a
.conf suffix. You can specify any valid name. This parameter is required.
-key_file file_name
Fully qualified name of the keystore file on the application server.
SvrSslCfg -action config creates this file. The file name should have a .ks
suffix. You can specify any valid name. This parameter is required.
-domain domain_name
The Tivoli Access Manager domain for the application server. This parameter
is optional. The default value is the local domain.
-appsvr_pwd password
The password for the user account in the user registry associated with the
application server. This parameter is optional. If it is specified, the
password must meet the current password rules in effect. If it is omitted, a
default password is automatically generated.
-host host_name
This is typically the unique name of the host machine where the Tivoli
Directory Integrator application is installed. This parameter is optional.
The default value is the local host.
Note: The host name is used to build a unique name (identity) for the
application. The pdadmin user list command displays the application identity
name in the following format:
server_name/host_name
The pdadmin server list command displays the server name in a slightly
different format:
server_name-host_name
-cfg_action { create | replace }
Indicates whether the configuration and keystore files should be created on
the application server or replaced. This parameter is optional. The default
action is replace. When the create option is specified but the files already
exist, an exception is raised. When the replace option is specified, the
configuration and keystore files must already exist.

For example, the following command could be used to configure IBM Tivoli
Directory Integrator to use the IBM Tivoli Access Manager policy server on
amserver.example.com, using standard ports and default install paths:
/opt/IBM/TDI/V6.1.1/jvm/jre/bin/java -cp
/opt/PolicyDirector/java/export/pdjrte/PD.jar com.tivoli.pd.jcfg.SvrSslCfg
-action config
-admin_id sec_master
-admin_pwd SEC_MASTER_PASSWORD
-appsvr_id itdi_tam
-port 1234
-mode remote
-policysvr amserver.example.com:7135:1
-authzsvr amserver.example.com:7136:1
-cfg_file /opt/IBM/TDI/V6.1.1/timsol/PDCfgFile.conf
-key_file /opt/IBM/TDI/V6.1.1/timsol/PDKeyFile.ks

For further information regarding configuring or unconfiguring an application
server such as Tivoli Directory Integrator into the secure domain, please refer to
the IBM Tivoli Access Manager for e-business Authorization Java Classes Developer
Reference.
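The SvrSslCfg invocation above is normally typed by hand. The following Python
script is an added example, not part of this guide and not IBM's SvrSslCfg
utility: it assembles the same argument list from the parameter rules in Table 6,
refuses values the table says SvrSslCfg would reject (a -mode other than remote,
a malformed host:port:rank list, a configuration or keystore file without the
.conf or .ks suffix, an unknown -cfg_action) and masks both password values
before the command line is written to a log. The Java path, PD.jar path, host
names, file paths and password are constructed placeholders.

```python
"""Assemble and sanity-check a SvrSslCfg '-action config' command line.

Added example for this guide, not IBM code. The parameter rules come
from Table 6; every path, host name and password below is a constructed
placeholder.
"""
import re
import shlex

# One server entry is host:port:rank; several entries are comma separated.
_SERVER_ENTRY = re.compile(r"^([A-Za-z0-9.-]+):(\d{1,5}):(\d+)$")


def parse_server_list(value):
    """Parse 'host:port:rank[,host:port:rank...]' into (host, port, rank) tuples.

    Entries are returned in rank order; a malformed entry raises ValueError.
    """
    servers = []
    for raw in value.split(","):
        m = _SERVER_ENTRY.match(raw.strip())
        if not m:
            raise ValueError("bad server entry %r (want host:port:rank)" % raw)
        host, port, rank = m.group(1), int(m.group(2)), int(m.group(3))
        if not 1 <= port <= 65535:
            raise ValueError("port out of range in %r" % raw)
        servers.append((host, port, rank))
    return sorted(servers, key=lambda s: s[2])


def config_problems(mode, policysvr, authzsvr, cfg_file, key_file, cfg_action):
    """Return a list of rule violations (empty when the values are acceptable)."""
    problems = []
    if mode != "remote":
        problems.append("-mode must be remote for the TDI application server")
    for flag, value in (("-policysvr", policysvr), ("-authzsvr", authzsvr)):
        try:
            parse_server_list(value)
        except ValueError as exc:
            problems.append("%s: %s" % (flag, exc))
    if not cfg_file.endswith(".conf"):
        problems.append("-cfg_file should have a .conf suffix")
    if not key_file.endswith(".ks"):
        problems.append("-key_file should have a .ks suffix")
    if cfg_action not in (None, "create", "replace"):
        problems.append("-cfg_action must be create or replace")
    return problems


def build_svrsslcfg_command(java, pd_jar, admin_id, admin_pwd, appsvr_id,
                            policysvr, authzsvr, cfg_file, key_file,
                            port=1234, mode="remote", domain=None,
                            appsvr_pwd=None, host=None, cfg_action=None):
    """Return the argv list for 'java -cp PD.jar com.tivoli.pd.jcfg.SvrSslCfg'."""
    problems = config_problems(mode, policysvr, authzsvr, cfg_file, key_file,
                               cfg_action)
    if problems:
        raise ValueError("; ".join(problems))
    argv = [java, "-cp", pd_jar, "com.tivoli.pd.jcfg.SvrSslCfg",
            "-action", "config",
            "-admin_id", admin_id,
            "-admin_pwd", admin_pwd,
            "-appsvr_id", appsvr_id,
            "-port", str(port),          # required by SvrSslCfg but not used
            "-mode", mode,
            "-policysvr", policysvr,
            "-authzsvr", authzsvr,
            "-cfg_file", cfg_file,
            "-key_file", key_file]
    # Optional parameters are emitted only when the caller supplies them,
    # so SvrSslCfg applies its documented defaults otherwise.
    for flag, value in (("-domain", domain), ("-appsvr_pwd", appsvr_pwd),
                        ("-host", host), ("-cfg_action", cfg_action)):
        if value:
            argv += [flag, value]
    return argv


def redacted_command_line(argv):
    """Render argv as a shell line with both password values masked for logs."""
    out = list(argv)
    for flag in ("-admin_pwd", "-appsvr_pwd"):
        if flag in out:
            out[out.index(flag) + 1] = "********"
    return " ".join(shlex.quote(a) for a in out)


if __name__ == "__main__":
    # Constructed placeholders; substitute your own paths and credentials.
    cmd = build_svrsslcfg_command(
        java="/opt/IBM/TDI/V6.1.1/jvm/jre/bin/java",
        pd_jar="/opt/PolicyDirector/java/export/pdjrte/PD.jar",
        admin_id="sec_master", admin_pwd="SEC_MASTER_PASSWORD",
        appsvr_id="itdi_tam",
        policysvr="amserver.example.com:7135:1",
        authzsvr="amserver.example.com:7136:1",
        cfg_file="/opt/IBM/TDI/V6.1.1/timsol/PDCfgFile.conf",
        key_file="/opt/IBM/TDI/V6.1.1/timsol/PDKeyFile.ks")
    print(redacted_command_line(cmd))
```

The script only builds the argument list; run the result with subprocess or paste it
into a shell using the Tivoli Directory Integrator JRE, as the text above requires.
Keep the sec_master password out of shell history and log files: the redacted
rendering is the one to record.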

Installing the Tivoli Access Manager Combo Adapter Utilities Package

The Tivoli Access Manager Combo Adapter utilities package contains a number of
Java classes that are used by the Tivoli Access Manager Combo Adapter TDI
assembly lines. To install the utilities package:
1. Extract the TAMComboUtils.jar file from the compressed file into a temporary
directory.
2. Copy or move TAMComboUtils.jar to an appropriate Tivoli Directory Integrator
location:
Windows
Tivoli Directory Integrator version 6.1.1:
ITDI_HOME\jars\3rdparty\IBM
UNIX or Linux
Tivoli Directory Integrator version 6.1.1:
ITDI_HOME/jars/3rdparty/IBM
3. Restart the IBM Tivoli Identity Manager (RMI Dispatcher) service if it is already
installed and running.
Please refer to the dispatcher50.pdf file, which is contained in the
Adapter-Dispatcher-5.xxx.zip file, for guidance on starting and stopping the
adapter service.

Installing the RMI Dispatcher

To install the RMI Dispatcher, extract the Adapter-Dispatcher-5.xxx.zip file,
contained within the Tivoli Access Manager Combo package.

Please refer to the dispatcher50.pdf file (contained in the ZIP file above) for
guidance on the installation and configuration of the RMI Dispatcher.

Chapter 4. Importing the adapter profile into the Tivoli Identity Manager Server
An IBM Tivoli Identity Manager adapter profile defines the types of resources that
the Tivoli Identity Manager Server can manage. In this case, the profile is used to
create a Tivoli Access Manager Combo Adapter service on the Tivoli Identity
Manager Server. You must import the adapter profile into the Tivoli Identity
Manager Server before using the Tivoli Access Manager Combo Adapter.

Before you import the adapter profile, verify that the following conditions are met:
v The Tivoli Identity Manager Server is installed and running.
v You have root or Administrator authority on the Tivoli Identity Manager Server.

The Tivoli Access Manager Combo adapter distribution package contains two JAR
file versions of the adapter profile, only one of which should be used:
itamprofile.jar
The itamprofile.jar profile is intended for use when Tivoli Access
Manager is configured against supported non-Windows-Active-Directory
directory services.
itamprofileAD.jar
The itamprofileAD.jar profile is intended for use when Tivoli Access
Manager is configured against Windows Active Directory, including Active
Directory Application Mode (ADAM) or other supported directory
services.

Table 7 indicates which profile to use.

Table 7. Profile selection guide
Tivoli Access Manager is configured against Active Directory or ADAM
itamprofile.jar: No
itamprofileAD.jar: Yes
Tivoli Access Manager is configured against a non-Active Directory service,
such as IBM Directory Server
itamprofile.jar: Yes
itamprofileAD.jar: Yes (see Note)

Note: The itamprofileAD.jar profile augments the Tivoli Identity Manager
directory with attributes that can be mapped to Windows Active Directory
attributes. Although the itamprofileAD.jar profile can work with Tivoli
Access Manager directory servers other than Windows Active Directory
(such as IBM Directory Server), these additional attributes will be present
but remain empty if the itamprofileAD.jar profile is used with those
servers.

The itamprofileAD.jar profile should be used either when Tivoli Access
Manager is configured against Windows Active Directory (or ADAM), or
when Tivoli Identity Manager manages multiple Tivoli Access Manager
services, where the Tivoli Access Manager instances are configured against a
mixture of both Windows Active Directory and Tivoli Access
Manager-supported non-Windows Active Directory servers.

The itamprofileAD.jar profile can be imported after having imported the
itamprofile.jar profile. This should be done if you want to manage a
Tivoli Access Manager instance configured against Windows Active
Directory. However, importing the itamprofile.jar after having imported
an itamprofileAD.jar profile is unsupported, and may have spurious
effects. In this case, the additional attributes that support Tivoli Access
Manager Active Directory attributes would not be removed.

To import the adapter profile, complete the following steps:
1. Log in to the Tivoli Identity Manager Server using an account that has the
authority to perform administrative tasks.
2. Import the adapter profile using the import feature for your IBM Tivoli Identity
Manager product. Refer to the information center or the online help for specific
instructions about importing the adapter profile.
3. Restart the IBM Tivoli Identity Manager Adapter (Dispatcher) service.

If you receive an error related to the schema when you import the adapter profile,
refer to the trace.log file for information about the error. The trace.log file
location is specified using the handler.file.fileDir property defined in the IBM
Tivoli Identity Manager enRoleLogging.properties file. The
enRoleLogging.properties file is installed in the ITIM_HOME\data directory.

Chapter 5. Creating a Tivoli Access Manager Combo service
You must create a service for the Tivoli Access Manager Combo Adapter before the
Tivoli Identity Manager Server can use the adapter to communicate with the
managed resource. To create a service, complete these steps:
1. Log in to the Tivoli Identity Manager Server using an account that has the
authority to perform administrative tasks.
2. Create the service using the information for your IBM Tivoli Identity Manager
product. Refer to the information center or the online help for specific
instructions about creating a service.

To create or change a service, you must use the service form to provide
information for the service. Service forms might vary depending on the adapter.
The Tivoli Access Manager Combo Adapter service form contains the following
fields:
SERVICE SETUP TAB
Service name
Specify a name that defines this Tivoli Access Manager Combo
Adapter service on the Tivoli Identity Manager Server.
Description
Optional: Specify a description for this service.
TDI location
Optional: Specify the URL for the Tivoli Directory Integrator
instance. Valid syntax is rmi://ip-address:port/ITDIDispatcher,
where ip-address is the Tivoli Directory Integrator host and port is
the port number for the RMI Dispatcher. For example, you might
specify the URL as rmi://localhost:16231/ITDIDispatcher. For
information about changing the port number, refer to the
dispatcher50.pdf file, which is contained in the
Adapter-Dispatcher-5.0xxx.zip file.
TAM SETUP TAB
Reconciliation Method
The Tivoli Access Manager Combo adapter has two methods of
reconciling Tivoli Access Manager user accounts and their
associated directory repository attributes:
TAM API
This method will function with Tivoli Access Manager
version 6.0 and 6.1. It is designed to use the Tivoli Access
Manager administration Java API, and is facilitated
through the use of Tivoli Directory Integrator, its Tivoli
Access Manager Connector, and the Tivoli Access Manager
Policy Server.
LDAP – TAM v6.x
This method will function only with Tivoli Access Manager
version 6.0 and 6.1. It is designed to reconcile Tivoli Access
Manager user accounts and their associated directory
repository attributes directly from the directory repository
that the Tivoli Access Manager policy server is configured
against. If you are using Tivoli Access Manager version 6.0
or 6.1, there may be some increase in reconciliation
performance as a result of using this reconciliation method.

Note: A Search Filter may be specified for the Tivoli
Access Manager reconciliation query. You may
provide an LDAP filter in the Query page to specify
a subset of accounts only (no supporting data) to be
included in the reconciliation. Both the Tivoli Access
Manager API and LDAP reconciliation methods
support Tivoli Access Manager user account
filtering. If a subset of user accounts is required, a
Search Filter may be supplied that conforms to the
Tivoli Access Manager pattern used when listing
User accounts.

For example, a Search Filter to reconcile a subset of
Tivoli Access Manager User accounts which would
include JaneDoe, JonDoe and JimDolt might be:
(eruid=J*Do*)
The pattern for the eruid attribute is interpreted as a
literal string, with the exception of the asterisk (*)
character, which is interpreted as a metacharacter
that matches zero or more characters. Asterisks can
be located at the beginning, in the middle, or at the
end of the pattern, and the pattern can contain
multiple asterisks.
Do not reconcile SSO credentials
Checking this option will exclude SSO credentials from the
retrieval of Tivoli Access Manager Accounts’ information during a
TAM Combo service reconciliation.

Note: Simply checking this option will remove any current Tivoli
Access Manager account credentials. This is because Tivoli
Identity Manager will consider any non-returned credential
to mean that the credential no longer exists for the account.
However, it is possible to retain any credentials that have
been reconciled previously by excluding the SSO credentials
attribute from the reconciliation query.
LDAP Reconciliation Page Size
This value is used for LDAP reconciliations only and is ignored for
Tivoli Access Manager API reconciliations. If a page size other than
0 is specified, the Tivoli Access Manager Combo adapter will try to
use page mode search when obtaining Tivoli Access Manager user
account information. Page mode causes the directory server to
return a specific number of entries (called pages) instead of all
entries in one chunk. Not all directory servers support this option.
To test if your directory server supports Page Mode, check the
Tivoli Directory Integrator log file (ibmdi.log) and look for a
reference to “Supported Controls of LDAP Server” when
performing a successful test of the Tivoli Access Manager Combo
service by clicking the Test button for the Tivoli Access Manager
Combo Service. If your directory service supports Page Mode, it is
recommended that this value reflect the SearchResultSetSize value
of the RMI Dispatcher itim_listener.properties file. To locate this
value, please refer to the RMI Dispatcher Installation and Configuration
Guide (dispatcher50.pdf) supplied in the Adapter-Dispatcher-5.xxx.zip
file.
TAM Admin User
Specify the IBM Tivoli Access Manager Administrator account
name (e.g. sec_master). This account must have enough access
rights to manage IBM Tivoli Access Manager accounts and group
memberships.
TAM Admin User Password
Specify the password for the IBM Tivoli Access Manager
Administrator account.
TAM Config File
File path name for the Tivoli Access Manager configuration file
that was created when the Tivoli Access Manager Java Runtime
Environment (JRTE) was installed and configured. This is an
absolute reference to the configuration file from the Tivoli
Directory Integrator server.

Note: The Tivoli Access Manager JRTE must be installed on the
same Java Runtime Environment (JRE) as used by Tivoli
Directory Integrator. Please refer to the appropriate Tivoli
Access Manager guides for instructions on how to install
and configure the Tivoli Access Manager Java Runtime
Environment.
Add Account
When creating a new Tivoli Access Manager account, the Add
account field specifies whether the Adapter creates a completely
new user or re-uses an existing user entry in the Tivoli Access
Manager User Registry. The Tivoli Access Manager User Entry
object class type can be either iNetOrgPerson or ePerson.
Add account options:
Create user entry in registry.
Causes the Adapter to create a new user entry in the Tivoli
Access Manager User Registry with a specific DN. If the
entry already exists, requests for account provisioning will
fail.
Import user entry from registry.
Causes the Adapter to re-use an existing user entry from
the Tivoli Access Manager User Registry. The user entry
will be extended with Tivoli Access Manager specific
attributes. If an entry with a specified DN doesn’t exist, the
request will fail.
Import or Create user entry.
Causes the Adapter to check if a user entry with a specific
DN exists, and if so, this user entry is used. Otherwise a
new registry entry for the Tivoli Access Manager account is
created.
Delete user entry from Registry
This check box determines what happens during IBM Tivoli Access
Manager account de-provisioning. If the check box is checked,
during the deletion of the Tivoli Access Manager account, the user
entry is completely removed from the Tivoli Access Manager
registry. If the check box is left unchecked, only Tivoli Access
Manager-specific attributes from the user entry are removed, but
the user entry remains in the registry.
Synchronize TAM password in SSO Lockbox
If this check box is checked, all of the Tivoli Access Manager SSO
credentials the user owns will be synchronized with the IBM
Access Manager Account password.
TAM Domain Name
Specify the IBM Tivoli Access Manager Domain name. The domain
name must not be the Tivoli Access Manager Administration
domain. If this field is left blank, the domain is considered to
be the default IBM Tivoli Access Manager run-time domain.
TAM Management Domain Name
The management domain specified when the Tivoli Access
Manager policy server was configured. This object represents the
Access Manager domain and is named using the secAuthority
attribute with the name of the domain as its value; for example:
secAuthority=domain_name

If you do not provide a different name, the default name of the
management domain is Default, making the secAuthorityInfo
object name secAuthority=Default. This field is used only for
Tivoli Access Manager version 6.1 and is not used for systems
where Tivoli Access Manager is configured against Windows
Active Directory.
TAM LDAP Management Domain Location DN
The LDAP management domain location DN is the distinguished name
of the location in the LDAP server where the management domain
information is stored. If it is not specified, the management
domain information is assumed to be stored in its own standalone
suffix on the LDAP server. Whether the default location is used or
a different location in the LDAP DIT is specified, the location
must already exist in the LDAP server. This field is used only for
Tivoli Access Manager version 6.1 and is not used for systems
where Tivoli Access Manager is configured against Windows Active
Directory.
Object Class(es) for TAM Entry
If left blank, IBM Tivoli Access Manager directory entries will be
instances of the iNetOrgPerson and ePerson object class type (when
Tivoli Access Manager is configured against IBM Directory Server),
or the user object class (when Tivoli Access Manager is configured
against Windows Active Directory). If an entry is made, new Tivoli
Access Manager entries will be instantiated as object class types
defined by the field.
Notes:
1. These classes MUST already be defined in the IBM Tivoli
Access Manager’s LDAP schema.

2. Multiple object classes can be specified, but must be provided
as a comma-separated list.
3. The Object Class for TAM Entry is not modifiable. Should you
wish to change this entry, a new service must be created with
any new set of object classes. As a result, accounts created with
the new service will be provisioned using the object classes
defined in that service. Accounts created with the old service
will have been provisioned using the object classes defined in
that service. It is not possible to modify the object classes that
define accounts already created.
REPOSITORY SETUP TAB
TAM Repository Admin ID
Specify the Tivoli Access Manager directory repository
Administrator's Distinguished Name (such as cn=root). For Windows
Active Directory, you should fully qualify the Administrator's
Distinguished Name. For example:
CN=Administrator,CN=users,DC=company,DC=com
This account must have enough access rights to manage Tivoli
Access Manager directory accounts and group membership entries.
Password
Specify the Tivoli Access Manager directory repository
administrator’s password.
TAM Repository URL
Specify the location and port number of the directory repository
configured against Tivoli Access Manager. The valid syntax is
ldap://ip-address:port, where ip-address is the directory server
host and port is the port number. For example, you might specify
the URL as ldap://9.38.215.218:389.
TAM Directory Server Type
Specify the type of directory server that Tivoli Access Manager is
configured against:
v LDAP-based refers to any supported directory server other than
Microsoft Windows Active Directory or Microsoft Windows
Active Directory Application Mode.
v Active Directory should be used if a Microsoft Windows Active
Directory is configured against the managed Tivoli Access
Manager instance.
v ADAM should be used if Tivoli Access Manager is configured
against an implementation of Microsoft Windows Application
Mode.
TAM Repository SSL Connection
Check this option if Secure Sockets Layer is used by the Tivoli
Directory Integrator LDAP Connector for communication with the
directory server.

Once the service has been created, click Test to ensure that the connection to both
the directory server and the Tivoli Access Manager Policy Server can be
established. Configuration information for the adapter is reported in the
Tivoli Directory Integrator log file (ibmdi.log) as a result of a successful test.

Chapter 5. Creating a Tivoli Access Manager Combo service 23


When testing the Tivoli Access Manager Combo service, the following message
may be observed:
CTGIMT605E An error occurred while processing the CTGIMT401E
An error occurred while starting the tamTest_TAMCombo on
my_server-requestid_4329bac6-28ad-11b2-d8dc-00000930ab5b agent. Error:
java.lang.NoClassDefFoundError: com/tivoli/pd/jutil/PDException operation
on the IBM Tivoli Directory Integrator server. Error: {1}

The NoClassDefFoundError means that the Tivoli Directory Integrator JVM could
not load the Tivoli Access Manager Java classes. This may be due to either of
the following:
v the Tivoli Directory Integrator JVM is not configured with the Tivoli Access
Manager Runtime for Java, or
v the Dispatcher has not been stopped and restarted to pick up the change.
Ensure that the Tivoli Access Manager Runtime for Java has been installed and
configured correctly against the JVM that Tivoli Directory Integrator runs with,
and then stop and restart the RMI Dispatcher so that it picks up the change, as
described in the dispatcher50.pdf file, which is contained in the
Adapter-Dispatcher-5.xxx.zip file.

Chapter 6. Configuring the Tivoli Access Manager Combo
Adapter
This chapter describes the configuration options for the Tivoli Access Manager
Combo Adapter.

The Tivoli Access Manager Combo Adapter is designed to work with the
inetOrgPerson object class. This class is a default object class which contains
attributes about people, and is used by Tivoli Access Manager. If you are using the
inetOrgPerson schema for your Tivoli Access Manager, the Tivoli Access Manager
Combo Adapter requires no schema customization; at most you may need to
customize the account form to expose additional attributes. For more detailed
information about account form customization, refer to the IBM Tivoli Identity
Manager Administration and Configuration Guide.

The Tivoli Access Manager Combo Adapter supports a standard set of attributes
for default object classes used in Tivoli Access Manager Servers. Standard user
provisioning operations such as add, delete, modify, suspend, restore, change
password, search and test are supported by the Tivoli Access Manager Combo
Adapter. Because Tivoli Access Manager Server requirements vary, you may need
to customize or extend the Tivoli Access Manager Combo schema to support
additional attributes or object classes.

The following sections provide information for configuring the adapter.


v “Customizing the Tivoli Access Manager Combo Adapter profile”
v “Standard parameters” on page 26
v “Adapter attributes and object classes” on page 26
v “Other Configuration Considerations” on page 32
v “RMI Dispatcher Configuration Properties” on page 33

Customizing the Tivoli Access Manager Combo Adapter profile

The Tivoli Access Manager Combo Adapter is designed to work with the
inetOrgPerson object class. This is a general purpose object class that contains
attributes about people. If you are using the inetOrgPerson schema for the IBM
Directory Server configured against Tivoli Access Manager, the Tivoli Access
Manager Combo Adapter does not require schema customization.

When Tivoli Access Manager is configured against Windows Active Directory, the
Tivoli Access Manager Combo Adapter is designed to manage most of the
Windows Active Directory User object class attributes.

However, to manage any of the inetOrgPerson attributes or Windows Active
Directory attributes that are not already on the account form, you must enable
the required attributes on the adapter account form:
1. Log in to Tivoli Identity Manager as an administrator.
2. From the Tivoli Identity Manager GUI, go to Configuration, then Form
Customization.
3. Expand the Account tree and select itamaccount Account.
4. Select the tab where you want to place an attribute.
5. From the attribute list, select the attribute you wish to add.
6. Double-click the attribute to add it to the account form.
7. Select Save Form Template.

If you are not using the IBM Directory Server inetOrgPerson object class or the
Windows Active Directory User object class, and your object class has an
attribute that is not a standard inetOrgPerson or User attribute, you must
customize the Tivoli Access Manager Combo Adapter profile.

Standard parameters
The Tivoli Access Manager Combo Adapter is configured to use a standard set of
parameters for the inetOrgPerson class. The Tivoli Access Manager Combo
resource must support referential integrity.
inetOrgPerson
This is the default IBM Directory Server object class used to create new
Tivoli Access Manager user accounts when Tivoli Access Manager is
configured against IBM Directory Server. The supporting object classes are
organizationalPerson, person, and top.
User This is the default Windows Active Directory object class used to create
new Tivoli Access Manager user accounts when Tivoli Access Manager is
configured against Windows Active Directory. Not all of the User object
class attributes are managed by default. However, the majority of the
attributes that are managed through the Active Directory user properties
dialog box are catered for. Exceptions include non-modifiable attributes
such as memberOf, and logonHours, which is stored as a binary bitmask
and would be difficult to manage from the Tivoli Identity Manager TAM
Combo account form. Attributes such as userAccountControl are also
unsupported. For the list of Windows Active Directory User object class
attributes that are supported by default, refer to Table 10 on page 27.

Adapter attributes and object classes

After you install the adapter profile, the Tivoli Access Manager Combo Adapter
supports a standard set of attributes. Table 8 lists the standard attributes supported
by the adapter. Attributes not listed in Table 8 to Table 10 on page 27 are
mapped automatically, provided that a corresponding attribute with the same
name, type, and syntax is associated with the TAM Combo account object class
schema.

Table 8. Standard attributes supported by the Tivoli Access Manager Combo Adapter

TAM account property                      Attribute name in schema  Schema
User ID                                   eruid                     Directory String
User password                             erpassword                Binary
Distinguished Name                        eritamdn                  DN
Common name (cn)                          cn                        Directory String
Surname (sn)                              sn                        Directory String
Description                               description               Directory String
Max number of failed logon                eritammaxfailedlogon      Integer
Do Not Enforce Password Policy            eritamppolicy             Boolean
Do Not Change Password on Next Login      eritampvalid              Boolean
Single Signon Capability                  eritamsinglesign          Boolean
Group Membership (multi-value attribute)  eritamgroupname           Directory String
SSO Credentials (multi-value attribute)   eritamcred                Directory String
Account status                            eraccountstatus           Integer

Table 9. The inetOrgPerson attributes supported by the Tivoli Access Manager Combo
Adapter

businessCategory, carLicense, departmentNumber, destinationIndicator,
displayName, employeeNumber, employeeType, facsimileTelephoneNumber,
givenName, homePhone, homePostalAddress, initials, l, mail, manager, mobile,
pager, physicalDeliveryOfficeName, postalAddress, postalCode, postOfficeBox,
preferredDeliveryMethod, preferredLanguage, registeredAddress, roomNumber,
secretary, st, street, telephoneNumber, teletexTerminalIdentifier, telexNumber,
title, userPassword

Table 10. Mapping of Windows Active Directory User attributes supported by the Tivoli
Access Manager Combo Adapter

Each row reads: Windows Active Directory attribute -> IBM Directory Server
attribute: field on the Active Directory user properties dialog [note].
Notes: [1] Tivoli Directory Integrator performs advanced mapping to support this
attribute. [2] To support its management, this attribute is added to the Tivoli
Identity Manager IBM Directory Server schema when the TAM Combo profile is
imported.

accountExpires -> ntUserAcctExpires: Account expires on AD Account Tab [1]
c -> c: Country/region on AD Address Tab
co -> co: Country/region on AD Address Tab
company -> company: Company on AD User Organization Tab [2]
countryCode -> countryCode: Country/region on AD Address Tab
department -> department: Department on AD User Organization Tab [2]
displayName -> displayName: Display name on AD General Tab
facsimileTelephoneNumber -> facsimileTelephoneNumber: Fax on AD Telephones Tab
homeDirectory -> NTUserHomeDir: Home folder: Local path/To on AD Profile Tab [1]
homeDrive -> ntUserHomeDirDrive: Home folder: Connect on AD Profile Tab [1]
homePhone -> homePhone: Home on AD Telephones Tab
info -> info: Notes on AD Telephones Tab
initials -> initials: Initials on AD General Tab
ipPhone -> ipPhone: IP phone on AD User Telephones Tab [2]
l -> l: City on AD Address Tab
mail -> mail: E-mail on AD General Tab
manager -> manager: DN of manager on AD Organization Tab
mobile -> mobile: Mobile on AD Telephones Tab
otherFacsimileTelephoneNumber -> otherFacsimileTelephoneNumber: Fax Number (Others) on AD User Telephones Tab [2]
otherHomePhone -> otherHomePhone: Home Phone (Others) on AD User Telephones Tab [2]
otherIpPhone -> otherIpPhone: IP Phone Number (Others) on AD User Telephones Tab [2]
otherMobile -> otherMobile: Mobile Number (Others) on AD User Telephones Tab [2]
otherPager -> otherPager: Pager Number (Others) on AD User Telephones Tab [2]
otherTelephone -> otherTelephone: Phone Number (Others) on AD User General Tab [2]
pager -> pager: Pager on AD Telephones Tab
physicalDeliveryOfficeName -> physicalDeliveryOfficeName: Office on AD General Tab
postalCode -> postalCode: Zip/Postal Code on AD Address Tab
postOfficeBox -> postOfficeBox: P.O. Box on AD Address Tab
profilePath -> profilePath: Profile path on AD User Profile Tab [2]
sAMAccountName -> sAMAccountName: User logon name (pre-Windows 2000) on AD User Account Tab [2]
scriptPath -> ntUserScriptPath: Logon script on AD Profile Tab [1]
st -> st: State/province on AD Address Tab
streetAddress -> streetAddress: Street on AD Address Tab
telephoneNumber -> telephoneNumber: Telephone number on AD General Tab
title -> title: Title on AD Organization Tab
url -> url: Web Page Address (Others) on AD General Tab
userPrincipalName -> userPrincipalName: User logon name on AD Account Tab
userWorkstations -> ntUserWorkstations: Log On To/Logon Workstations on AD Account Tab [1]
wWWHomePage -> wWWHomePage: Web page on AD User General Tab [2]

Notes:
1. Although the cn, sn and description attributes are multi-valued in the LDAP
schema, Tivoli Access Manager supports only single-valued attributes. Values
other than the first value are ignored by Tivoli Access Manager.
2. The eritamcred attribute contains password information (SSO credentials) for
Tivoli Access Manager resources. For security reasons, it is strongly
recommended that you add this attribute to the file
ITIM_HOME/data/enRoleHiddenSearchAttribute.properties so that its values are
hidden from Tivoli Identity Manager searches.
3. The Windows Active Directory User object class supports the sn attribute.
However, this attribute is not a mandatory User object class attribute. Because
the IBM Directory Server inetOrgPerson object class mandates the sn attribute
when a Tivoli Identity Manager TAM Combo account is created, a dash (-) is
returned for sn during reconciliation if a Windows Active Directory User
account has no value for sn.
4. Windows Active Directory User attributes that correspond to inetOrgPerson
attributes, such as homePostalAddress, may also be managed through Tivoli
Identity Manager. These attributes are available when customizing the
account form.
5. For both Microsoft Windows Active Directory and Microsoft Windows Active
Directory Application Mode (ADAM), the attributes listed are not exhaustive.
Directory server attributes with the same names as those provided through
the itamaccount object class should function correctly through a
same-name-to-same-name mapping by the TAM Combo Adapter. However,
custom directory service attributes whose names differ from the attributes of
the itamaccount object class can only be managed through user-customized
advanced mapping.
Table 11. The object classes supported by the Tivoli Access Manager Combo Adapter

Description                            Objectclass name in schema   Superior
Account class                          itameraccount                iNetOrgPerson
Service class                          eritamservice                top
List of Tivoli Access Manager groups   eritamgroups                 top
List of SSO resources                  eritamresources              top

Other Configuration Considerations

In non-Active Directory environments, Tivoli Access Manager most often creates
directory group objects with the groupOfNames object class, which holds its
members in the member attribute. However, some Tivoli Access Manager directory
service deployments may use other group object classes, such as
groupOfUniqueNames, which holds its members in the uniqueMember attribute.
In that case, Tivoli Access Manager account group membership may not be
reported correctly in Tivoli Identity Manager.

By default (when using the LDAP-based reconciliation method only), group
membership is determined by searching the groups using the member attribute.
If your Tivoli Access Manager deployment uses one or more group object classes
whose membership attribute is named something other than member, those
attribute names must be specified.

To determine group membership through member attribute names other than
member during LDAP-based reconciliation, provide a comma-separated list of
those attribute names as the value of the
com.ibm.itim.adapter.tamcombo.groupMembershipAttributeNames property in
the appropriate Tivoli Directory Integrator solution.properties or global.properties
file. The property is added to the properties file as follows (on a single line):
## -------------------------
## ITIM TAM Combo properties
## -------------------------
com.ibm.itim.adapter.tamcombo.groupMembershipAttributeNames=Group_Objectclass_member_attribute_name1,Group_Objectclass_member_attribute_nameN

where Group_Objectclass_member_attribute_name1 through
Group_Objectclass_member_attribute_nameN is a comma-separated list of the
known directory server group object class member attribute names. For example,
you might provide the following:
com.ibm.itim.adapter.tamcombo.groupMembershipAttributeNames=member,uniqueMember
Notes:
1. Use the properties file that also contains the Tivoli Identity Manager
Dispatcher properties, under the heading "ITIM Dispatcher properties".
2. If a group object class member attribute name is supplied that does not exist,
the LDAP-based search still works, but performance may be affected.
3. The group object class member attribute names supplied are case-insensitive.
4. If the property is not supplied, or no group object class member attribute
names are provided, the member attribute name is taken to be member by
default. If the property is supplied and member is also a valid group member
attribute name, it must be listed explicitly in the comma-separated value; the
default is not merged into a supplied list.
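The membership rule this section describes, as an added example that is not part of the adapter or of this guide: a POSIX shell script that reads the com.ibm.itim.adapter.tamcombo.groupMembershipAttributeNames value from a properties file (falling back to member when the property is absent or empty, as note 4 states), then resolves one user's group membership from an LDIF export of the group subtree, comparing attribute names case-insensitively as note 3 states. The LDIF entries and the properties fragment are constructed for the demonstration; the real adapter evaluates this rule inside its Tivoli Directory Integrator assembly line, so this script only shows why a groupOfUniqueNames group is missing from reconciliation until uniqueMember is listed.

```shell
#!/bin/sh
# Added example (not adapter code): reproduce the LDAP-based
# group-membership rule of this section over an LDIF export of the
# group subtree.

PROP_KEY=com.ibm.itim.adapter.tamcombo.groupMembershipAttributeNames

# Print the member attribute names configured in a TDI properties file.
# Absent or empty property => "member" only (note 4).
tam_member_attrs() {
  props=$1
  value=$(grep "^${PROP_KEY}=" "$props" 2>/dev/null | head -n 1 \
          | cut -d= -f2- | tr -d ' \t\r')
  if [ -z "$value" ]; then
    echo member
  else
    echo "$value"
  fi
}

# Print the DN of every group in LDIF file $1 that lists user DN $2
# under one of the comma-separated attribute names in $3 (default:
# member). Attribute names and DNs are compared case-insensitively.
tam_group_membership() {
  ldif=$1; user_dn=$2; attrs=${3:-member}
  awk -v dn="$user_dn" -v attrs="$attrs" '
    BEGIN {
      n = split(attrs, list, ",")
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", list[i])
        if (list[i] != "") want[tolower(list[i])] = 1
      }
      dn = tolower(dn)
    }
    /^dn: / { group = substr($0, 5); seen = 0; next }
    /^[^ #:]+: / {
      p = index($0, ": ")
      name = tolower(substr($0, 1, p - 1))
      value = tolower(substr($0, p + 2))
      if ((name in want) && value == dn && !seen) { print group; seen = 1 }
    }
  ' "$ldif"
}

# Constructed LDIF: two groupOfNames groups (member) and one
# groupOfUniqueNames group (uniqueMember).
write_sample_groups() {
  cat > "$1" <<'EOF'
dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: cn=alice,ou=people,dc=example,dc=com
member: cn=bob,ou=people,dc=example,dc=com

dn: cn=auditors,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: auditors
uniqueMember: cn=Alice,ou=people,dc=example,dc=com

dn: cn=operators,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: operators
member: cn=carol,ou=people,dc=example,dc=com
EOF
}

# Constructed solution.properties fragment in the format shown above.
write_sample_props() {
  cat > "$1" <<EOF
## -------------------------
## ITIM TAM Combo properties
## -------------------------
${PROP_KEY}=member,uniqueMember
EOF
}

# Demonstration: run with any argument to compare the default with the
# configured attribute list.
if [ "$#" -gt 0 ]; then
  dir=$(mktemp -d)
  write_sample_groups "$dir/groups.ldif"
  write_sample_props "$dir/solution.properties"
  alice=cn=alice,ou=people,dc=example,dc=com
  echo "Default (member only):"
  tam_group_membership "$dir/groups.ldif" "$alice"
  echo "Configured ($(tam_member_attrs "$dir/solution.properties")):"
  tam_group_membership "$dir/groups.ldif" "$alice" \
    "$(tam_member_attrs "$dir/solution.properties")"
  rm -r "$dir"
fi
```

Run it as sh tamgroups.sh demo: with the default only cn=admins is reported for alice, with member,uniqueMember both cn=admins and cn=auditors are. The awk program handles the one-attribute-per-line LDIF shown and does not fold LDIF continuation lines.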

RMI Dispatcher Configuration Properties
For guidance on setting Tivoli Directory Integrator configuration properties for the
operation of the Tivoli Access Manager Combo adapter, refer to the
dispatcher50.pdf file, which is contained in the Adapter-Dispatcher-5.0xxx.zip
file.

Chapter 7. Configuring SSL authentication for the adapter
When configuring Secure Sockets Layer (SSL) communication for the Tivoli
Directory Integrator-based adapters, you are configuring SSL between WebSphere
Application Server and Tivoli Directory Integrator. There are steps needed to
configure the Tivoli Directory Integrator to use SSL as well as the steps needed to
configure WebSphere using the default keystore and default truststore. For
additional WebSphere SSL configuration information, see the WebSphere online
help available from the WebSphere Application Server Administrative Console.

SSL terminology
SSL server
For this SSL configuration, the Tivoli Directory Integrator side is the SSL
Server. It listens for connection requests.
SSL client
For these SSL configurations the workstation on which the Tivoli Identity
Manager server and the WebSphere Application Server are installed is the
SSL client. It issues connection requests to the Tivoli Directory Integrator.
Signed certificates
A signed digital certificate is an industry-standard method of verifying the
authenticity of an entity, such as a server, client, or application. Signed
certificates are issued by a third-party certificate authority for a fee. Some
utilities, such as the iKeyman utility, can also issue signed certificates. A
Certificate Authority or CA certificate must be used to verify the origin of
a signed digital certificate.
Signer certificates (Certificate Authority certificates)
A Certificate Authority (CA) certificate must be used to verify the origin of
a signed digital certificate. When an application receives another
application’s signed certificate, it uses a CA certificate to verify the
originator of the certificate. Many applications, such as Web browsers, are
configured with the CA certificates of well-known certificate authorities to
eliminate or reduce the task of distributing CA certificates throughout the
security zones in a network.
Self-signed certificates
A self-signed certificate contains information about the owner of the
certificate and the owner’s signature. Basically, it is a signed certificate and
CA certificate in one. If you choose to use self-signed certificates, you must
extract the CA certificate from it in order to configure SSL.
SSL keystore
The SSL keystore is a key database file designated as a keystore. It contains
the SSL certificate.

Note: The keystore and truststore can be the same physical file.
SSL truststore
The SSL truststore is a key database file designated as a truststore. The SSL
truststore contains the list of signer certificates (CA certificates) that define
which certificates the SSL protocol trusts. Only a certificate issued by one
of these listed trusted signers is accepted.

Note: The truststore and keystore can be the same physical file.
One-way SSL authentication
For one-way SSL, a keystore and certificate is only required on the SSL
server side (Tivoli Directory Integrator server) and a truststore is only
required on the SSL client side (the Tivoli Identity Manager server).
Two-way SSL authentication (client-side authentication)
For SSL using two-way SSL (client-side) authentication, both a keystore
with a certificate, and a truststore containing the signer certificate that
issued the other side’s certificate, are required on both the SSL server and
SSL client sides.

SSL configurations
The following steps describe how to configure WebSphere Application Server and
Tivoli Directory Integrator for one-way or two-way SSL communication. If you
need more information about any of the steps, go to the referenced task for the
detailed steps.

Configuring for one-way SSL authentication

Figure 2. One-way SSL authentication (server authentication). Tivoli Identity
Manager (SSL client) holds a truststore containing CA certificate "A"; Tivoli
Directory Integrator (SSL server) holds a keystore containing certificate "A".

To configure one-way SSL perform the following tasks:


1. Create a keystore for the Tivoli Directory Integrator server. See “Creating a
keystore for the Tivoli Directory Integrator server” on page 38.
2. Create a truststore for the Tivoli Directory Integrator server. See “Creating a
truststore for the Tivoli Directory Integrator server” on page 38.
3. Create a certificate for the Tivoli Directory Integrator server. See“Creating a
server-signed certificate for the Tivoli Directory Integrator server” on page 39.
4. Create a CA certificate for the Tivoli Directory Integrator server. See “Creating
a CA certificate for Tivoli Directory Integrator” on page 39.
5. Import the Tivoli Directory Integrator CA certificate into the WebSphere
Application Server truststore. See “Importing the Tivoli Identity Manager CA
certificate into the WebSphere Application Server truststore” on page 42
6. Configure Tivoli Directory Integrator to use the keystores. See “Configure
Tivoli Directory Integrator to use the keystores” on page 40.

Note: The editing of the solution.properties file for steps 6, 7, and 8 can be
done in one operation. Doing so eliminates the need for a stop and
restart of the adapter service at the end of steps 6 and 7.

7. Configure Tivoli Directory Integrator to use the truststores. See “Configure
Tivoli Directory Integrator to use the truststores” on page 40.
8. Enable the adapter service to use SSL. See “Enabling the adapter service to
use SSL” on page 41.
9. Stop and restart the adapter service.
10. Stop and restart WebSphere Application Server.

Note: The truststore is not needed on the Tivoli Directory Integrator server for
one-way SSL, but the configuration of truststore is needed for the RMI SSL
initialization to succeed.

Configuring for two-way SSL authentication

Figure 3. Two-way SSL authentication (client authentication). Tivoli Identity
Manager (SSL client) holds a truststore containing CA certificate "A" and a
keystore containing certificate "B"; Tivoli Directory Integrator (SSL server)
holds a truststore containing CA certificate "B" and a keystore containing
certificate "A".

To configure two-way SSL perform the following tasks:


1. Create a keystore for the Tivoli Directory Integrator server. See “Creating a
keystore for the Tivoli Directory Integrator server” on page 38.
2. Create a truststore for the Tivoli Directory Integrator server. See “Creating a
truststore for the Tivoli Directory Integrator server” on page 38.
3. Create a certificate for the Tivoli Directory Integrator server. See“Creating a
server-signed certificate for the Tivoli Directory Integrator server” on page 39.
4. Create a CA certificate for the Tivoli Directory Integrator server. See “Creating
a CA certificate for Tivoli Directory Integrator” on page 39.
5. Import the Tivoli Directory Integrator CA certificate into the WebSphere
Application Server truststore. See “Importing the Tivoli Identity Manager CA
certificate into the WebSphere Application Server truststore” on page 42
6. Configure Tivoli Directory Integrator to use the keystores. See “Configure
Tivoli Directory Integrator to use the keystores” on page 40.

Note: The editing of the solution.properties file for steps 6, 7, and 8 can be
done in one operation. Doing so eliminates the need for a stop and
restart of the adapter service at the end of steps 6 and 7.

7. Configure Tivoli Directory Integrator to use the truststores. See “Configure
Tivoli Directory Integrator to use the truststores” on page 40.
8. Enable the adapter service to use SSL. See “Enabling the adapter service to
use SSL” on page 41.
9. Create a certificate for the Tivoli Identity Manager server. See “Creating a
signed certificate for the Tivoli Identity Manager server” on page 41.
10. Create a CA certificate for Tivoli Identity Manager. See “Creating a WebSphere
Application Server CA certificate for Tivoli Identity Manager” on page 42.
11. Import WAS CA Certificate into Tivoli Directory Integrator truststore. See
“Importing the WebSphere CA certificate into the Tivoli Directory Integrator
truststore” on page 40.
12. Stop and restart the adapter service.
13. Stop and restart WebSphere Application Server.

Task performed on the SSL server (Tivoli Directory Integrator server
workstation)
The Tivoli Directory Integrator acts as the SSL server. All of these tasks are
performed on the Tivoli Directory Integrator server.

Note: The file names and locations such as tdikeys.jks and ITDI_HOME\keys used
in these tasks are examples and are used for consistency. Your actual file names
and locations might be different.

Creating a keystore for the Tivoli Directory Integrator server

A keystore is a database of private keys and the associated certificates needed to
authenticate the corresponding public keys. Digital certificates are stored in a
keystore file. A keystore also manages certificates from trusted entities.

Note: The keystore can be the same physical file as the truststore.
1. Navigate to the ITDI_HOME\jvm\jre\bin directory.
2. Launch the ikeyman.exe file (Windows operating systems) or ikeyman (UNIX
or Linux operating systems).
3. Select Key Database File > New.
4. Select key database type of JKS.
5. Type the keystore file name: tdikeys.jks.
6. Type the location: ITDI_HOME\keys.

Note: This directory must already exist, otherwise the step fails.
7. Click OK.
8. Type a keystore password, for example, secret. Choose a strong password for a
production system: this value is later placed in the Tivoli Directory Integrator
solution.properties file, and it guards the private key stored in the keystore.
9. Click OK to continue.

Creating a truststore for the Tivoli Directory Integrator server

A truststore is a database of public keys for target servers. The SSL truststore
contains the list of signer certificates (CA certificates) that define which certificates
the SSL protocol trusts. Only a certificate issued by one of these listed trusted
signers can be accepted.

Note: The truststore can be the same physical file as the keystore. You can skip
this task if you choose to use the same file for keystore and truststore.

1. Navigate to the ITDI_HOME\jvm\jre\bin directory.
2. Launch the ikeyman.exe file (Windows operating systems) or ikeyman (UNIX
or Linux operating systems).
3. Select Key Database File > New.
4. Select key database type of JKS.
5. Type the truststore file name: tditrust.jks.
6. Type the location: ITDI_HOME\keys.

Note: This directory must already exist, otherwise the step fails.
7. Click OK.
8. Type a truststore password, for example, secret.
9. Click OK to continue.

Creating a server-signed certificate for the Tivoli Directory
Integrator server
A self-signed certificate contains information about the owner of the certificate and
the owner's signature. This type of certificate is generally used in a testing
environment. It is a signed certificate and CA certificate in one. If you choose to
use self-signed certificates, you must extract the CA certificate from it in order to
configure SSL.

Alternatively, you can purchase a certificate from a well-known authority such as
VeriSign, which is generally done in production environments. As another
alternative, you can use a certificate server, such as the one included with
Microsoft Windows 2003 Advanced Server, to generate your own certificates.

To create the self-signed certificate:

1. Navigate to the ITDI_HOME\jvm\jre\bin directory.
2. Launch the ikeyman.exe file (Windows operating systems) or ikeyman (UNIX
or Linux operating systems).
3. Select Key Database File > Open.
4. Browse to the keystore file created previously: ITDI_HOME\keys\tdikeys.jks.
5. Enter the keystore password: secret.
6. Select Create > New Self Signed Certificate.
7. Set the Key Label to tdiserver.
8. Use your system name (DNS name) as the Common Name (workstation
name). The SSL client verifies this name against the host name it connected
to, so it must match the name Tivoli Identity Manager uses to reach the
Tivoli Directory Integrator server.
9. Enter your Organization, for example IBM.
10. Click OK.

Creating a CA certificate for Tivoli Directory Integrator
A Certificate Authority or CA certificate must be used to verify the origin of a
signed digital certificate. When an application receives another application’s signed
certificate, it uses a CA certificate to verify the originator of the certificate. Many
applications, such as Web browsers, are configured with the CA certificates of
well-known certificate authorities to eliminate or reduce the task of distributing CA
certificates throughout the security zones in a network.
1. Extract the Server certificate for client use by selecting Extract Certificate.
2. Select Binary DER data as the data type.

3. Enter the certificate file name: idiserver.der.
4. Enter the location as ITDI_HOME\keys.
5. Click OK.
6. Copy the idiserver.der certificate file to the workstation on which Tivoli
Identity Manager is installed.

Importing the WebSphere CA certificate into the Tivoli Directory Integrator truststore
1. Copy the SSL Client CA certificate file created in “Creating a WebSphere
Application Server CA certificate for Tivoli Identity Manager” on page 42,
timclient.der, to the ITDI_HOME\keys directory on the workstation on which
Tivoli Directory Integrator is installed.
2. Navigate to the ITDI_HOME\jvm\jre\bin directory.
3. Launch the ikeyman.exe file (Windows operating systems) or ikeyman (UNIX
or Linux operating systems).
4. Select Key Database File > Open.
5. Select key database type of JKS.
6. Type the keystore file name: tditrust.jks.
7. Type the location: ITDI_HOME\keys.
8. Click OK.
9. Click Signer Certificates in the dropdown menu.
10. Click Add.
11. Select Binary DER data as the data type.
12. Use Browse to select the timclient.der file stored in ITDI_HOME\keys.
13. Use timclient as the label.
14. Click OK to continue.

Configure Tivoli Directory Integrator to use the keystores


1. Navigate to the Tivoli Directory Integrator adapters solution directory
(ITDI_HOME\timsol).
2. Open the Tivoli Directory Integrator solution.properties file in an editor.
3. Edit the following lines under client authentication, uncomment them if
necessary, and set the location, password and type of keystore to match the
keystore you created in “Creating a keystore for the Tivoli Directory Integrator
server” on page 38:
javax.net.ssl.keyStore=ITDI_HOME\keys\tdikeys.jks
{protect}-javax.net.ssl.keyStorePassword=secret
javax.net.ssl.keyStoreType=JKS
4. Save your changes.
5. Stop and restart the adapter service.

Configure Tivoli Directory Integrator to use the truststores


1. Navigate to the Tivoli Directory Integrator adapters solution directory
(ITDI_HOME\timsol).
2. Open the Tivoli Directory Integrator solution.properties file in an editor.
3. Edit the following lines under client authentication, uncomment them if
necessary, and set the location, password and type of truststore to match the
truststore you created in “Creating a truststore for the Tivoli Directory
Integrator server” on page 38:
javax.net.ssl.trustStore=ITDI_HOME\keys\tditrust.jks
{protect}-javax.net.ssl.trustStorePassword=secret
javax.net.ssl.trustStoreType=JKS
4. Save your changes.
5. Stop and restart the adapter service.

Enabling the adapter service to use SSL


1. Navigate to the Tivoli Directory Integrator adapters solution directory
(ITDI_HOME\timsol).
2. Open the Tivoli Directory Integrator solution.properties file in an editor.
3. Edit the following two lines depending on the type of secure communications
you want to use.
For no SSL:
com.ibm.di.dispatcher.ssl=false
com.ibm.di.dispatcher.ssl.clientAuth=false
For one-way SSL:
com.ibm.di.dispatcher.ssl=true
com.ibm.di.dispatcher.ssl.clientAuth=false
For two-way SSL:
com.ibm.di.dispatcher.ssl=true
com.ibm.di.dispatcher.ssl.clientAuth=true
4. Save your changes.
5. Stop and restart the adapter service.
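As an added check (not part of the guide or of the adapter's own code), the following Python script reads the solution.properties settings from the three procedures above and reports values that do not fit the chosen SSL mode: one-way SSL needs the keystore settings, two-way SSL also needs the truststore settings, the password must not be the guide's placeholder "secret", and the "{protect}-" prefix should be present on password keys. The properties texts are constructed from the guide's fragments; the meaning assigned to "{protect}-" (a value the Tivoli Directory Integrator server keeps encrypted in the file) is an assumption.

```python
"""Consistency check for the RMI Dispatcher SSL settings in solution.properties.

Added example, not part of the IBM guide or the adapter. It reads the
properties file text and returns the SSL mode (none / one-way / two-way)
together with a list of findings.
"""

PROTECT = "{protect}-"          # assumed: marks a value TDI keeps encrypted
EXAMPLE_PASSWORD = "secret"     # the guide's placeholder, never for production
KEYSTORE_KEYS = ("javax.net.ssl.keyStore", "javax.net.ssl.keyStorePassword",
                 "javax.net.ssl.keyStoreType")
TRUSTSTORE_KEYS = ("javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword",
                   "javax.net.ssl.trustStoreType")


def parse_properties(text):
    """Minimal Java-properties reader: key=value lines, '#'/'!' comments.

    Returns (values, protected); protected holds the keys that carried the
    {protect}- prefix. Backslashes are kept exactly as written.
    """
    values, protected = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith(PROTECT):
            key = key[len(PROTECT):]
            protected.add(key)
        values[key] = value
    return values, protected


def _flag(values, key):
    return values.get(key, "false").lower() == "true"


def ssl_mode(values):
    """Derive the mode from the two com.ibm.di.dispatcher.ssl* switches."""
    ssl = _flag(values, "com.ibm.di.dispatcher.ssl")
    client_auth = _flag(values, "com.ibm.di.dispatcher.ssl.clientAuth")
    if ssl:
        return "two-way" if client_auth else "one-way"
    return "inconsistent" if client_auth else "none"


def check_ssl(text):
    """Return {"mode": ..., "findings": [...]} for one solution.properties text."""
    values, protected = parse_properties(text)
    mode = ssl_mode(values)
    findings, required = [], []
    if mode == "none":
        findings.append("SSL disabled: dispatcher traffic is sent in clear text")
    elif mode == "inconsistent":
        findings.append("clientAuth=true is ignored while com.ibm.di.dispatcher.ssl=false")
    else:
        required.extend(KEYSTORE_KEYS)        # server certificate (tdiserver)
        if mode == "two-way":
            required.extend(TRUSTSTORE_KEYS)  # signer certificate of the TIM client
    for key in required:
        if key not in values:
            findings.append(f"{key} is not set but {mode} SSL needs it")
    for key in [k for k in values if k.endswith("Password")]:
        if values[key] == EXAMPLE_PASSWORD:
            findings.append(f"{key} still uses the guide's example password")
        if key not in protected:
            findings.append(f"{key} lacks the {PROTECT} prefix, so it stays in clear text")
    return {"mode": mode, "findings": findings}


# Constructed sample: two-way SSL switched on, but only the keystore lines
# from the guide were copied in and the example password was left in place.
SAMPLE_TWO_WAY = r"""
javax.net.ssl.keyStore=ITDI_HOME\keys\tdikeys.jks
{protect}-javax.net.ssl.keyStorePassword=secret
javax.net.ssl.keyStoreType=JKS
com.ibm.di.dispatcher.ssl=true
com.ibm.di.dispatcher.ssl.clientAuth=true
"""

# Constructed sample with the truststore added and placeholder passwords replaced.
SAMPLE_FIXED = r"""
javax.net.ssl.keyStore=ITDI_HOME\keys\tdikeys.jks
{protect}-javax.net.ssl.keyStorePassword=Ks-Example-Pass-1
javax.net.ssl.keyStoreType=JKS
javax.net.ssl.trustStore=ITDI_HOME\keys\tditrust.jks
{protect}-javax.net.ssl.trustStorePassword=Ts-Example-Pass-2
javax.net.ssl.trustStoreType=JKS
com.ibm.di.dispatcher.ssl=true
com.ibm.di.dispatcher.ssl.clientAuth=true
"""

if __name__ == "__main__":
    for name, text in (("two-way (incomplete)", SAMPLE_TWO_WAY), ("fixed", SAMPLE_FIXED)):
        result = check_ssl(text)
        print(name, result["mode"], *result["findings"], sep="\n  ")
```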

Tasks performed on the SSL client (Tivoli Identity Manager and WebSphere Application Server workstation)
All the tasks are performed on the server workstation on which Tivoli Identity
Manager and WebSphere Application Server are installed.

Note: The file names and locations such as timclient.der and c:\keys used in
these tasks are examples and are used for consistency. Your actual file names
and locations might be different.

Creating a signed certificate for the Tivoli Identity Manager server
As previously mentioned in the server-side tasks, you can alternatively use a
well-known authority or your own certificate server to generate a certificate. For
these cases, use the Personal certificates requests option under the
NodeDefaultKeyStore step to produce a certificate request to send to the
well-known authority or to your certificate server. You use the accept option under
Personal certificates to load the data sent by the certificate authority in response to
the request.
1. Connect to the WebSphere Application Server Administrative Console.
2. Navigate to Security > SSL certificate and key management > Keystores and
certificates.
3. Select NodeDefaultKeyStore.
4. Select Personal certificates.
5. Select Create a self-signed certificate.
6. Enter appropriate values for the certificate fields:

v Set the Alias to timclient.
v Use your system name (DNS name) as the Common Name (workstation
name).
v Enter your Organization, for example IBM.
7. Click OK and save.
8. Extract the CA certificate from the self-signed certificate.

Creating a WebSphere Application Server CA certificate for Tivoli Identity Manager
1. Check the checkbox for the created certificate, and select Extract.
2. Enter a file name: c:\keys\timclient.der.
3. Select Binary DER data as the data type.
4. Click OK.

Importing the Tivoli Identity Manager CA certificate into the WebSphere Application Server truststore
1. Copy the SSL server CA certificate file created in “Creating a CA certificate for
Tivoli Directory Integrator” on page 39, idiserver.der, to the c:\keys directory
on the workstation on which Tivoli Identity Manager is installed.
2. Connect to the WebSphere Application Server Administrative Console.
3. Navigate to Security > SSL certificate and key management > Keystores and
certificates.
4. Select NodeDefaultTrustStore.
5. Select Signer certificates.
6. Click Add.
v Set the Alias to idiserver.
v Specify the file name of the exported Tivoli Directory Integrator server
certificate: c:\keys\idiserver.der.
v Select Binary DER data as the data type.
7. Click OK to continue and save.

Chapter 8. Verifying the Tivoli Access Manager Combo
Adapter profile installation
If the Tivoli Access Manager Combo Adapter profile is not already installed on
your system, you must import the adapter profile. See Chapter 4, “Importing the
adapter profile into the Tivoli Identity Manager Server,” on page 17 for
information about importing the adapter profile.

After you install the adapter profile, verify that the adapter profile was
successfully installed. If the adapter profile is not installed correctly, the adapter
might not function as intended.

To verify that the adapter profile was successfully installed, complete the following
steps.
v In the IBM Tivoli Identity Manager web console (http://ITIMhostname:9080/
itim/console/main), click Configure system > Manage Service Types from the
left navigation panel. Verify that “TAM Combo Profile” is listed as a service type
in the table.
v Create a service using the Tivoli Access Manager Combo Adapter profile. Refer
to Chapter 5, “Creating a Tivoli Access Manager Combo service,” on page 19.
v Open an account on the service.

If you are unable to create a service using the Tivoli Access Manager Combo
Adapter profile or open an account on the service, the adapter profile is not
installed correctly. You might need to import the adapter profile again.

© Copyright IBM Corp. 2006, 2009 43


Chapter 9. Troubleshooting the Tivoli Access Manager Combo
Adapter installation
Troubleshooting is the process of determining why a product does not function as
it is designed to function. This chapter provides information and techniques for
identifying and resolving problems related to the Tivoli Access Manager Combo
Adapter. It also provides information about troubleshooting errors that might occur
during installation.

Logging information format


Logs added to the log file for the adapter or the RMI Dispatcher have the
following format:
<Log Level> [<Assembly Line_ProfileName>_<Request Id>]_[<Connector Name>] - <message>
Log Level
Specifies the logging level that you configured for the adapter. The options
are DEBUG, ERROR, INFO, and WARN. For information about using the
log4j.properties file to configure logging, refer to the dispatcher50.pdf
file, which is contained in the Adapter-Dispatcher-5.0xxx.zip file.
Assembly Line
Specifies the name of the assembly line that is logging the information.
ProfileName
Specifies the name of the profile. Profile names may vary based on the
adapter that is running or the operating system.
Request ID
Specifies the number of the request. The Request ID is used to uniquely
identify a specific request.
Connector Name
Specifies the adapter connector.
message
Specifies the informational message.

The following is an example of a message that may be displayed in a log file:
INFO [AssemblyLine.AssemblyLines/TAM ComboAdd_itamprofile_518536692232324188_91ea4bb8-2801-11b2-91ba-00000a2c0670.1297881434 - Load Attribute Map

When the Test button on the TAM Combo service form is clicked, service,
environment and configuration values are sent to the Tivoli Directory Integrator
log during the test. The information collected during the test may assist in
diagnosing issues.
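Added example (not from the guide or the adapter's own code): a small Python parser for the log format described above that splits each line into its fields, groups entries by request ID and pulls out the requests that logged at ERROR level, which is the quickest way to isolate one failing request in a large dispatcher log. It assumes that the assembly-line and profile names contain no underscore and that everything after the profile name is the request ID, as in the guide's sample line; the additional log lines are constructed.

```python
"""Parser for Tivoli Access Manager Combo Adapter / RMI Dispatcher log lines.

Added example, not part of the IBM guide or the adapter. Lines follow
    <Log Level> [<AssemblyLine_ProfileName>_<RequestId>]_[<ConnectorName>] - <message>
The closing "]" and the "[<ConnectorName>]" part are treated as optional
because the guide's own sample line omits them.
"""
import re
from collections import defaultdict

_LINE_RE = re.compile(
    r"^(?P<level>DEBUG|INFO|WARN|ERROR)\s+\[(?P<context>[^\]]*?)"
    r"(?:\]_\[(?P<connector>[^\]]*)\])?\s+-\s+(?P<message>.*)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    match = _LINE_RE.match(line.strip())
    if not match:
        return None
    # Assumption: assembly line and profile carry no "_", the rest is the request ID.
    parts = match.group("context").split("_")
    if len(parts) < 3:
        return None
    return {
        "level": match.group("level"),
        "assembly_line": parts[0],
        "profile": parts[1],
        "request_id": "_".join(parts[2:]),
        "connector": match.group("connector") or "",
        "message": match.group("message").strip(),
    }


def group_by_request(lines):
    """Map request ID -> list of parsed entries; lines that do not parse are skipped."""
    groups = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry:
            groups[entry["request_id"]].append(entry)
    return dict(groups)


def failed_requests(lines):
    """Return {request_id: [error messages]} for every request that logged ERROR."""
    result = {}
    for request_id, entries in group_by_request(lines).items():
        errors = [e["message"] for e in entries if e["level"] == "ERROR"]
        if errors:
            result[request_id] = errors
    return result


# Constructed sample log: the first line is the guide's own example; the others
# are made up for illustration (ErmPduAddEntry failed is the symptom the guide
# lists for an undersized WebSphere JVM heap during reconciliation).
SAMPLE_LOG = [
    "INFO [AssemblyLine.AssemblyLines/TAM ComboAdd_itamprofile_518536692232324188_"
    "91ea4bb8-2801-11b2-91ba-00000a2c0670.1297881434 - Load Attribute Map",
    "DEBUG [AssemblyLine.AssemblyLines/TAM ComboAdd_itamprofile_518536692232324188_"
    "91ea4bb8-2801-11b2-91ba-00000a2c0670.1297881434]_[TAMConnector] - Entry written",
    "ERROR [AssemblyLine.AssemblyLines/TAM ComboRecon_itamprofile_5000001]_[TAMConnector]"
    " - ErmPduAddEntry failed",
    "WARN [AssemblyLine.AssemblyLines/TAM ComboRecon_itamprofile_5000001]_[TAMConnector]"
    " - Retrying",
    "garbage line that does not follow the format",
]

if __name__ == "__main__":
    for request_id, errors in failed_requests(SAMPLE_LOG).items():
        print(request_id, errors)
```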

Reconciliation of Supporting Data
Reconciliation of group names only, using a search filter such as the following,
is not currently supported:
(eritamgroup=pattern)

However, all supporting data can be reconciled through the use of the search filter
in the reconciliation query. To reconcile supporting data only, the following search
filter could be used:
(!(objectclass=eritamaccount))

Such a filter should reconcile all non-account information.

Runtime Problems
Runtime problems and recommended actions are described in the following table:
Table 12. Runtime Problems

Problem: When running Test Connection in TAM Combo, the Change a Service form
displays errors such as the following:
v CTGIMU107W The connection to the specified service cannot be established.
Verify the service information, and try again.
v CTGIMT605E An error occurred while processing the CTGIMT401E An error
occurred while starting the tamTest_TAM Combo TAM 6.1_test-no-requestid_xxxagent.
Error: Script interpreter error, line=xx, col=xx Reference Error : ’MgmtDomain’
not found operation on the IBM Tivoli Directory Integrator server. Error: {1}
Recommended action: Check that the correct version of TamComboUtils.jar
(supplied in the adapter install package) is installed on the dispatcher server.

Problem: Reconciliation doesn’t return all Tivoli Access Manager accounts. It
returns 500 or 2048 accounts only.
Recommended action: The default settings for LDAP and Tivoli Access Manager
have constraints on the search size limit. The best practice is as follows:
1. Modify the IBM Directory Server configuration file, slapd32.conf for LDAP 5.2
or ibmslapd.conf for LDAP 6.0. This file is located in the etc directory of the
IBM Directory Server. Set the ibm-slapdSizeLimit variable to 0 (no limit).
2. Modify the Tivoli Access Manager LDAP ldap.conf configuration file located in
the etc directory of the Tivoli Access Manager Policy Server. Set the
max-search-size variable to greater than 2048 (the default setting). Setting the
max-search-size to 0 would mean the search size is unlimited.
3. Modify the Tivoli Access Manager configuration file, pd.conf, located in the etc
directory of the Tivoli Access Manager Policy Server. Set the ssl-v3-timeout
variable to 84600 (the maximum setting) and set the ssl-io-inactivity variable
to 0 (no limit).

Problem: Reconciliation doesn’t return all Tivoli Access Manager accounts.
Reconciliation is successful but some accounts are missing.
Recommended action: For the adapter to reconcile a large number of accounts
successfully, you may need to increase the WebSphere JVM memory. The following
steps must be completed on the WebSphere host machine:
Note: The JVM memory should not be increased to a value higher than the system
memory.
1. Login to the WebSphere Administrative Console.
2. Expand Servers in the left menu and select Application Servers.
3. A table displays the names of known application servers on your system. Click
the link for your primary application server.
4. Select Process Definition from within the Configuration tab.
5. Select the Java Virtual Machine property.
6. Enter a new value for the Maximum Heap Size. The default value is 256 MB.
If the allocated JVM memory is not large enough, an attempt to reconcile a large
number of accounts using the Tivoli Access Manager Adapter will result in log file
errors, and the reconciliation process will not complete successfully. The adapter
log files will contain entries stating ErmPduAddEntry failed. The
WebSphere_install_dir/logs/itim.log file will contain java.lang.OutOfMemoryError
exceptions.

Problem: Reconciliation of very large numbers of Tivoli Access Manager accounts
times out.
Recommended action: During reconciliation of very large numbers of Tivoli Access
Manager accounts (in the hundreds of thousands or millions), initialization of the
reconciliation may take some time. This is of course hardware and
performance-tuning dependent. Problems may occur as a result of timeout issues if
you have IBM Directory Server (and DB2) configured against your Tivoli Access
Manager Policy Server. Refer to the IBM Directory Server user guides on
configuring the ibm-slapdIdleTimeOut value in the ibmslapd.conf file. As an
indicator, this value is known to have been increased to greater than 10,000 for
reconciliation of approximately five million accounts.

Performance Tuning

Selection of groups to determine membership


Reconciliation performance may be enhanced at the expense of not being able to
determine full group membership. It is possible - although not recommended - to
search only a subset of Tivoli Access Manager groups for account membership.
This may result in only a subset of groups, for which an account is a member,
being reported for that account.

For example, if Account ‘A’ was a member of Tivoli Access Manager group ‘Y’ and
‘Z’, then to increase reconciliation performance, it is possible to search only Tivoli
Access Manager group ‘Y’ to determine if account ‘A’ is a member. However, this
would result in the account only reporting in Tivoli Identity Manager that it is a
member of Tivoli Access Manager group ‘Y’. It would not report that it was
actually also member of Tivoli Access Manager group ‘Z’.

To implement the search of specific Tivoli Access Manager groups for membership
to determine if each Tivoli Access Manager account is a member during
LDAP-based reconciliation, you should provide a comma-separated list of Tivoli
Access Manager groups to be searched as per the
com.ibm.itim.adapter.tamcombo.searchMembershipGroups property in the
appropriate Tivoli Directory Integrator solution.properties or global.properties file.
The addition of this property to the properties file may be as follows:
## -------------------------
## ITIM TAM Combo properties
## -------------------------
com.ibm.itim.adapter.tamcombo.searchMembershipGroups=TAM_Group1, TAM_Group2

where TAM_Group1, TAM_Group2 denotes a comma-separated list of known
(non-dynamic) Tivoli Access Manager groups. For example, you might provide the
following:
com.ibm.itim.adapter.tamcombo.searchMembershipGroups=customers,employees
Notes:
1. The correct properties file to use should also contain the Tivoli Identity
Manager Dispatcher properties under the heading, Tivoli Identity Manager
Dispatcher properties.
2. If a list of Tivoli Access Manager groups is defined to be searched for
membership, performance drops as the number of groups is increased. If all
Tivoli Access Manager groups are provided, there is no performance benefit
over having defined no groups to be searched.
3. If a group name is supplied that does not exist, it will be ignored.
4. The group names supplied are considered case-insensitive.
5. If either the property is not supplied, or no groups are provided to be searched,
then all groups will be searched.
6. Setting this configuration item will not impact the reconciliation of Tivoli
Access Manager groups, and all Tivoli Access Manager group names will be
returned by way of supporting data. As a result, errors may occur if an attempt
is made to add a Tivoli Access Manager account to a Tivoli Access Manager
group of which it is already a member, but which is simply not reported as such by
Tivoli Identity Manager because this configuration has been set.

Extreme care should be exercised when implementing this feature in production. It
should be considered an advanced configuration item and should not be required
in most cases.

Chapter 10. Uninstalling the Tivoli Access Manager Combo
Adapter
To remove the Tivoli Access Manager Combo Adapter, complete the following
steps:
1. Stop the adapter service.
2. Remove the adapter. For more specific information about removing the adapter,
see the online help or the information center for your Tivoli Identity Manager
product.

Note: The RMI Dispatcher component must be installed on your system in order
for adapters to function correctly in a Tivoli Directory Integrator
environment. If you delete the adapter profile for the Tivoli Access Manager
Combo Adapter, do not uninstall the RMI Dispatcher.

Appendix A. Accessibility
Accessibility features help users with physical disabilities, such as restricted
mobility or limited vision, to use software products successfully. The major
accessibility features in this product enable users to do the following:
v Use assistive technologies, such as screen-reader software and digital speech
synthesizer, to hear what is displayed on the screen. Consult the product
documentation of the assistive technology for details on using those technologies
with this product.
v Operate specific or equivalent features using only the keyboard.
v Magnify what is displayed on the screen.

In addition, the product documentation was modified to include the following
features to aid accessibility:
v All documentation is available in both HTML and convertible PDF formats to
give the maximum opportunity for users to apply screen-reader software.
v All images in the documentation are provided with alternative text so that users
with vision impairments can understand the contents of the images.

Navigating the interface using the keyboard


Standard shortcut and accelerator keys are used by the product and are
documented by the operating system. Refer to the documentation provided by
your operating system for more information.

Magnifying what is displayed on the screen


You can enlarge information on the product windows using facilities provided by
the operating systems on which the product is run. For example, in a Microsoft
Windows environment, you can lower the resolution of the screen to enlarge the
font sizes of the text on the screen. Refer to the documentation provided by your
operating system for more information.

Appendix B. Support information
Use the following options to obtain support for IBM products:
v “Searching knowledge bases”
v “Contacting IBM Software Support”

Searching knowledge bases


If you have a problem with your IBM software, you want it resolved quickly. Begin
by searching the available knowledge bases to determine whether the resolution to
your problem is already documented.

Search the information center on your local system or network
IBM provides extensive documentation that can be installed on your local
computer or on an intranet server. You can use the search function of this
information center to query conceptual information, instructions for completing
tasks, reference information, and support documents.

Search the Internet


If you cannot find an answer to your question in the information center, search the
Internet for the latest, most complete information that might help you resolve your
problem. To locate Internet resources for your product, open one of the following
Web sites:
v Performance and tuning information
Provides information needed to tune your production environment, available on
the Web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list to locate IBM Tivoli Identity
Manager products. Click the link for your product, and then browse the
information center for the Technical Supplements section.
v Redbooks and white papers are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/
IBMTivoliIdentityManager.html
Browse to the Self Help section, in the Learn category, and click the Redbooks
link.
v Technotes are available on the Web at:
http://www.redbooks.ibm.com/redbooks.nsf/tips/
v Field guides are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
v For an extended list of other Tivoli Identity Manager resources, search the
following IBM developerWorks Web address:
http://www.ibm.com/developerworks/

Contacting IBM Software Support


IBM Software Support provides assistance with product defects.

Before contacting IBM Software Support, your company must have an active IBM
software maintenance contract, and you must be authorized to submit problems to
IBM. The type of software maintenance contract that you need depends on the
type of product you have:
v For IBM distributed software products (including, but not limited to, Tivoli,
Lotus®, and Rational® products, as well as DB2 and WebSphere products that
run on Windows or UNIX operating systems), enroll in Passport Advantage in
one of the following ways:
– Online: Go to the Passport Advantage Web page (http://www.lotus.com/
services/passport.nsf/WebDocs/Passport_Advantage_Home) and click How
to Enroll.
– By phone: For the phone number to call in your country, go to the IBM
Software Support Web site (http://techsupport.services.ibm.com/guides/
contacts.html) and click the name of your geographic region.
v For IBM eServer™ software products (including, but not limited to, DB2 and
WebSphere products that run in zSeries®, pSeries®, and iSeries® environments),
you can purchase a software maintenance agreement by working directly with
an IBM sales representative or an IBM Business Partner. For more information
about support for eServer software products, go to the IBM Technical Support
Advantage Web page (http://www.ibm.com/servers/eserver/techsupport.html).

If you are not sure what type of software maintenance contract you need, call
1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to
the contacts page of the IBM Software Support Handbook on the Web
(http://techsupport.services.ibm.com/guides/contacts.html) and click the name of
your geographic region for phone numbers of people who provide support for
your location.

Follow the steps in this topic to contact IBM Software Support:
1. Determine the business impact of your problem.
2. Describe your problem and gather background information.
3. Submit your problem to IBM Software Support.

Determine the business impact of your problem


When you report a problem to IBM, you are asked to supply a severity level.
Therefore, you need to understand and assess the business impact of the problem
you are reporting. Use the following criteria:

Severity 1 Critical business impact: You are unable to use the program,
resulting in a critical impact on operations. This condition
requires an immediate solution.
Severity 2 Significant business impact: The program is usable but is
severely limited.
Severity 3 Some business impact: The program is usable with less
significant features (not critical to operations) unavailable.
Severity 4 Minimal business impact: The problem causes little impact on
operations, or a reasonable circumvention to the problem has
been implemented.

Describe your problem and gather background information
When explaining a problem to IBM, be as specific as possible. Include all relevant
background information so that IBM Software Support specialists can help you
solve the problem efficiently. To save time, know the answers to these questions:
v What software versions were you running when the problem occurred?
v Do you have logs, traces, and messages that are related to the problem
symptoms? IBM Software Support is likely to ask for this information.
v Can the problem be re-created? If so, what steps led to the failure?
v Have any changes been made to the system? (For example, hardware, operating
system, networking software, and so on.)
v Are you currently using a workaround for this problem? If so, please be
prepared to explain it when you report the problem.

Submit your problem to IBM Software Support


You can submit your problem in one of two ways:
v Online: Go to the ″Submit and track problems″ page on the IBM Software
Support site (http://www.ibm.com/software/support/probsub.html). Enter
your information into the appropriate problem submission tool.
v By phone: For the phone number to call in your country, go to the contacts page
of the IBM Software Support Handbook on the Web (http://
techsupport.services.ibm.com/guides/contacts.html) and click the name of your
geographic region.

If the problem you submit is for a software defect or for missing or inaccurate
documentation, IBM Software Support creates an Authorized Program Analysis
Report (APAR). The APAR describes the problem in detail. Whenever possible,
IBM Software Support provides a workaround for you to implement until the
APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the
IBM product support Web pages daily, so that other users who experience the
same problem can benefit from the same resolutions.

For more information about problem resolution, see Searching knowledge bases.

Appendix C. Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user’s responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.

This information could include technical inaccuracies or typographical errors.


Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.

The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.

Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.

Trademarks
The following terms are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both:

AIX
DB2
developerWorks
eServer
IBM
iSeries
Lotus
Notes
OMEGAMON
Passport Advantage
pSeries
Rational
Redbooks
Tivoli
WebSphere
zSeries

Adobe, Acrobat, Portable Document Format (PDF), and PostScript® are either
registered trademarks or trademarks of Adobe Systems Incorporated in the United
States, other countries, or both.

Cell Broadband Engine™ and Cell/B.E. are trademarks of Sony Computer
Entertainment, Inc., in the United States, other countries, or both and are used under
license therefrom.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the
United States, other countries, or both.

Microsoft, Windows, Windows NT®, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.

Intel®, Intel logo, Intel Inside®, Intel Inside logo, Intel® Centrino®, Intel Centrino
logo, Celeron®, Intel Xeon®, Intel SpeedStep®, Itanium®, and Pentium® are
trademarks or registered trademarks of Intel Corporation or its subsidiaries in the
United States and other countries.

UNIX is a registered trademark of The Open Group in the United States and other
countries.

Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

ITIL® is a registered trademark, and a registered community trademark of the
Office of Government Commerce, and is registered in the U.S. Patent and
Trademark Office.

IT Infrastructure Library® is a registered trademark of the Central Computer and
Telecommunications Agency which is now part of the Office of Government
Commerce.

Other company, product, and service names may be trademarks or service marks
of others.



Printed in USA

SC23-9664-00