Tivoli® Identity Manager
Version 5.1
SC23-9664-00
Note:
Before using this information and the product it supports, read the information in Appendix C, “Notices,” on page 59.
iv IBM Tivoli Identity Manager: Tivoli Access Manager Combo Adapter Installation and Configuration Guide
Preface
About this book
This installation guide provides the basic information that you need to install and
configure the IBM® Tivoli Access Manager Combo Adapter. The Tivoli Access
Manager Combo Adapter enables connectivity between the Tivoli® Identity
Manager Server and the Tivoli Access Manager Policy Server and its associated
directory server.
Read the descriptions of the IBM Tivoli Identity Manager library. To determine
which additional publications you might find helpful, read the “Prerequisite
product publications” on page vii and the “Related publications” on page viii.
After you determine the publications you need, refer to the instructions in
“Accessing publications online” on page viii.
Release Information:
- Release Notes
  Provides software and hardware requirements for the product, and additional
  fix, patch, and other support information.
- Read This First card
  Lists the publications for the product.
Problem determination:
Technical supplements:
Adapter documentation:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list to locate IBM Tivoli Identity Manager
products. Click the link for your product, and then browse the information center
for the adapter information that you want.
The following additional skills and technical training information were available at
the time that this manual was published:
- Virtual Skills Center for Tivoli Software on the Web at:
  http://www.cgselearning.com/tivoliskills/
- Tivoli Education Software Training Roadmaps on the Web at:
  http://www.ibm.com/software/tivoli/education/eduroad_prod.html
- Tivoli Technical Exchange on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html
- WebSphere®
  Additional information is available in the product directory or Web sites.
  http://www.ibm.com/software/webservers/appserv/was/library/
  http://www.redbooks.ibm.com/
- WebSphere embedded messaging
  http://www.ibm.com/software/integration/wmq/
- IBM HTTP Server
  http://www.ibm.com/software/webservers/httpservers/library.html
Related publications
The following documents also provide useful information:
- The Tivoli Software Library provides a variety of Tivoli publications such as
  white papers, datasheets, demonstrations, IBM Redbooks, and announcement
  letters. The Tivoli Software Library is available on the Web at:
  http://www.ibm.com/software/tivoli/literature/
- The Tivoli Software Glossary includes definitions for many of the technical terms
  related to Tivoli software. The Tivoli Software Glossary is available from the
  Glossary link of the Tivoli Software Library Web page at:
  http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm
The IBM Terminology Web site consolidates the terminology from IBM product
libraries in one convenient location. You can access the Terminology Web site at the
following Web address:
http://www.ibm.com/software/globalization/terminology
In the Tivoli Information Center window, click Tivoli product manuals. Click the
letter that matches the first letter of your product name to access your product
library. For example, click M to access the IBM Tivoli Monitoring library or click O
to access the IBM Tivoli OMEGAMON® library.
Note: If you print PDF documents on other than letter-sized paper, set the option
in the File → Print window that allows Adobe® Reader to print letter-sized
pages on your paper.
Ordering publications
You can order many Tivoli publications online at
http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.
You can also order by telephone by calling one of these numbers:
- In the United States: 800-879-2755
- In Canada: 800-426-4968
Accessibility
Accessibility features help users with a physical disability, such as restricted
mobility or limited vision, to use software products successfully. With this product,
you can use assistive technologies to hear and navigate the interface. You can also
use the keyboard instead of the mouse to operate all features of the graphical user
interface.
Support information
If you have a problem with your IBM software, you want to resolve it quickly. IBM
provides the following ways for you to obtain the support you need:
- IBM Support Assistant: You can search across a large collection of known
  problems and workarounds, Technotes, and other information at
  http://www.ibm.com/software/support/isa.
- Obtaining fixes: You can locate the latest fixes that are already available for your
  product.
- Contacting IBM Software Support: If you still cannot solve your problem, and
  you need to work with someone from IBM, you can use a variety of ways to
  contact IBM Software Support.
For more information about these ways to resolve problems, see Appendix B,
“Support information,” on page 55.
Typeface conventions
This book uses the following typeface conventions:
Bold
    - Lowercase commands and mixed case commands that are otherwise
      difficult to distinguish from surrounding text
    - Interface controls (check boxes, push buttons, radio buttons, spin
      buttons, fields, folders, icons, list boxes, items inside list boxes,
      multicolumn lists, containers, menu choices, menu names, tabs, property
      sheets), labels (such as Tip:, and Operating system considerations:)
    - Keywords and parameters in text
Italic
    - Citations (examples: titles of books, diskettes, and CDs)
    - Words defined in text (example: a nonswitched line is called a
      point-to-point line)
    - Emphasis of words and letters (words as words example: "Use the word
      that to introduce a restrictive clause," letters as letters example: "The
      LUN address must start with the letter L.")
    - New terms in text (except in a definition list): a view is a frame in a
      workspace that contains data.
    - Variables and values you must provide: ... where myname represents...
Monospace
    - Examples and code examples
    - File names, programming keywords, and other elements that are difficult
      to distinguish from surrounding text
    - Message text and prompts addressed to the user
    - Text that the user must type
    - Values for arguments or command options
When using the Unix command line, replace %variable% with $variable for
environment variables and replace each backslash (\) with a forward slash (/) in
directory paths. The names of environment variables are not always the same in
Windows and UNIX®. For example, %TEMP% in the Windows operating system is
equivalent to $tmp in a UNIX operating system.
Note: If you are using the bash shell on a Windows system, you can use the UNIX
conventions.
Path variable: DB_INSTANCE_HOME
    Default definition:
        Windows: path\IBM\SQLLIB
        UNIX:
        - AIX, Linux®: /home/dbinstancename
        - Solaris: /export/home/dbinstancename
    Description: The directory that contains the database for your Tivoli
    Identity Manager product.
Path variable: IDS_instance_HOME
    Default definition (for IBM Directory Server Version 6.0):
        Windows: drive\idsslapd-instance_owner_name
        UNIX: INSTANCE_HOME/idsslapd-instance_name
    Description: The directory that contains the IBM Directory Server
    Version 6.0 instance.
UNIX:
path/IBM/WebSphere/AppServer
Path variable: WAS_NDM_HOME
    Default definition:
        Windows: path\IBM\WebSphere\DeploymentManager
        UNIX: path/IBM/WebSphere/DeploymentManager
    Description: The home directory on the Deployment Manager.
Path variable: ITDI_HOME
    Default definition:
        Windows, for version 6.1.1: drive\Program Files\IBM\TDI\V6.1.1
        UNIX, for version 6.1.1: /opt/IBM/TDI/V6.1.1
    Description: The directory where Tivoli Directory Integrator is installed.
Chapter 1. Overview of the Tivoli Access Manager Combo
Adapter
An Adapter is a program that provides an interface between a managed resource
and the IBM Tivoli Identity Manager Server. Adapters might or might not reside
on the managed resource, and the IBM Tivoli Identity Manager Server manages
access to the resource by using your security system. Adapters function as trusted
virtual administrators on the target platform, performing such tasks as creating
login IDs, suspending IDs, and performing other functions administrators normally
run manually.
The Tivoli Access Manager Combo Adapter leverages the IBM Tivoli Directory
Integrator functionality to facilitate communication between the IBM Tivoli Identity
Manager Server and IBM Tivoli Access Manager Server. The following sections
provide information about the Tivoli Access Manager Combo Adapter:
- “Features of the adapter”
- “Architecture of the adapter”
- “Supported configurations” on page 2
You can also search for account information and change an account password.
The Tivoli Access Manager Combo Adapter consists of IBM Tivoli Directory
Integrator AssemblyLines. When an initial request is made by IBM Tivoli Identity
Manager Server to the Tivoli Access Manager Combo Adapter, the AssemblyLines
are loaded into the Tivoli Directory Integrator Server. As a result, subsequent
service requests do not require those same AssemblyLines to be reloaded.
© Copyright IBM Corp. 2006, 2009
The AssemblyLines utilize the Tivoli Directory Integrator Tivoli Access Manager
connector and LDAP connector to undertake user management related tasks on the
directory server. They do this remotely by using the login user ID and password of
a user that has administrator privileges.
Figure 1 shows the various components that work together to complete user
management tasks in a Tivoli Directory Integrator environment.
For additional information about Tivoli Directory Integrator, see the IBM Tivoli
Directory Integrator: Getting Started Guide.
Supported configurations
The Tivoli Access Manager Combo Adapter supports a number of different
configurations and is designed to operate with Tivoli Identity Manager 5.0.
The Tivoli Access Manager Java™ Runtime Environment (JRTE) must also be
installed on the same Java Runtime Environment (JRE) as used by Tivoli Directory
Integrator.
The Tivoli Access Manager Combo Adapter is both highly configurable and highly
customizable. Please note that support can only extend to the configuration of the
adapter, such as adding mapping for additional attributes. Support cannot extend
to customization, for example changes, additions or modifications to its Tivoli
Directory Integrator AssemblyLine scripts.
The Tivoli Access Manager Combo adapter cannot support directory service load
balancing or environments that utilize architectures such as Master/Master
directory server replication.
Although reconciliation of dynamic group supporting data may occur through the
use of the Tivoli Access Manager API method of reconciliation, management
including the addition or removal of Tivoli Access Manager accounts to or from
these dynamic groups through IBM Tivoli Identity Manager is unsupported.
The Tivoli Access Manager Combo adapter supports Microsoft Windows Active
Directory and Microsoft Windows Active Directory Application Mode (ADAM)
configured against Tivoli Access Manager.
Note: ADAM is supported only when SSL is implemented between IBM Tivoli
Directory Integrator and the ADAM directory server. You should use the
Identity Manager Windows Active Directory (rather than the Tivoli Access
Manager Combo service) to handle accounts in situations where:
- the Tivoli Access Manager Combo adapter is managing a Tivoli Access
  Manager deployment that is configured against Microsoft Windows Active
  Directory, and
- the Tivoli Identity Manager Windows Active Directory service is
  implemented on Tivoli Identity Manager to manage Windows Active
  Directory accounts, which are also associated with the Tivoli Access
  Manager instance.
In such situations, anomalous results may result if you delete Active
Directory accounts that are associated with Tivoli Access Manager accounts.
Preinstallation roadmap
You must prepare the environment before you can install the adapter.
Table 1. Preinstallation roadmap
What to do
    Where to find more information
Verify that the software and hardware requirements for the adapter that you want
to install have been met.
    See “Prerequisites” on page 6.
Collect the necessary information for the installation and configuration.
    See “Installation worksheet for the adapter” on page 7.
Obtain the installation software.
    Download the software from Passport Advantage®. See “Downloading the
    software” on page 7.
Installation roadmap
You must complete the necessary steps to install the adapter, including completing
post-installation configuration tasks and verifying the installation.
Table 2. Installation roadmap
What to do
    Where to find more information
Install the adapter.
    See Chapter 3, “Installing the Tivoli Access Manager Combo Adapter,” on page 9.
Import the adapter profile.
    See Chapter 4, “Importing the adapter profile into the Tivoli Identity Manager
    Server,” on page 17.
Create a service.
    See Chapter 5, “Creating a Tivoli Access Manager Combo service,” on page 19.
Configure the adapter.
    See Chapter 6, “Configuring the Tivoli Access Manager Combo Adapter,” on page 25.
Verify the adapter profile installation.
    See Chapter 8, “Verifying the Tivoli Access Manager Combo Adapter profile
    installation,” on page 43.
Note: The Tivoli Access Manager Combo adapter supports Microsoft Windows
Active Directory configured against Tivoli Access Manager. The Tivoli
Access Manager Combo adapter can be used where Tivoli Access Manager
is configured against Microsoft Windows Active Directory, and where the
Tivoli Identity Manager Windows Active Directory service is implemented
on Tivoli Identity Manager to manage the same Windows Active Directory
accounts associated with the Tivoli Access Manager instance. In these
situations, the Identity Manager Windows Active Directory should manage
those accounts rather than the Tivoli Access Manager Combo service. Be
aware that anomalous results may result if Active Directory accounts that
have been associated with a Tivoli Access Manager account are deleted.
Installation worksheet for the adapter
Table 4 identifies the information you will need to install the Tivoli Access
Manager Combo Adapter.
Table 4. Required information to install the adapter
Required information
    Description
Administrator account on the managed resource for running the Tivoli Access
Manager Combo Adapter.
    An administrator account on the managed resource that has administrative rights.
Tivoli Access Manager Administrator account
    An administrator account in Tivoli Access Manager with administrative rights.
    For example, sec_master.
Directory Service Administrator account
    An administrative account on Tivoli Access Manager’s underlying directory
    server. This account must have enough access rights to manage Tivoli Access
    Manager directory accounts and group membership entries.
Installing and configuring the Tivoli Access Manager Runtime for Java
System
The Tivoli Access Manager Runtime for Java must be installed and configured to
allow secure communication between the Tivoli Directory Integrator Java Runtime
Environment and the Tivoli Access Manager Policy Server.
Note: The information provided in this guide is not intended to replace the
information supplied in the Tivoli Access Manager for e-business
documentation. Please refer to the IBM Tivoli Access Manager for e-business
Version 6.x Installation Guide or the IBM Tivoli Access Manager Base Installation
Guide for guidance on the installation and configuration of the Tivoli Access
Manager Runtime for Java.
You can set up this system using either one of the following installation methods:
- Installation using the installation wizard.
- Installation using native utilities.
The installation of the Tivoli Access Manager Runtime for Java is described here
using the installation wizard only. For installation using the native utilities, please
refer to the IBM Tivoli Access Manager Base Installation Guide or IBM Tivoli Access
Manager for e-business Installation Guide.
Note: The wizard detects if a component is installed and does not attempt to
reinstall it.
To install and configure Tivoli Access Manager Runtime for Java using the
install_amjrte wizard, follow these steps:
1. Ensure that all necessary operating system patches are installed. Also, ensure
that you have reviewed the most-recent release information, including system
requirements, disk space requirements, and known Tivoli Access Manager
defects and limitations. See the IBM Tivoli Access Manager for e-business: Release
Notes®, or the Technotes in the Tivoli Access Manager support knowledge
database.
Table 5. install_amjrte configuration options (continued)
Configuration Option
    Description
Directory name * (for Tivoli Common Directory, prompted on Windows only)
    Specifies the fully qualified path for the Tivoli Common Directory.
    - If the location of the Tivoli Common Directory has previously been
      established on the system by the installation of another Tivoli
      application, the directory location will be displayed in the field but it
      cannot be modified.
    - If the location of the Tivoli Common Directory has not previously been
      established on the system, you can specify its location.
    If Tivoli Common Directory is enabled and the directory location has not been
    previously established, the default common directory name is:
        UNIX or Linux: /var/ibm/tivoli/common
        Windows: C:\Program Files\ibm\tivoli\common
    Beneath the Tivoli Common Directory, each Tivoli product stores its
    information in a product-specific subdirectory. Each product-specific
    directory is named with a 3-character product identifier. For example,
    tivoli_common_dir/HPD for IBM Tivoli Access Manager.
    If Tivoli Common Directory is not enabled, Tivoli Access Manager will write
    its message and trace log data to the following location:
        UNIX or Linux: /opt/PolicyDirector/log
        Windows: C:\Program Files\Tivoli\Policy Director\log
Policy server host name *
    Specifies the host name or IP address of the Tivoli Access Manager policy
    server.
    The policy server manages the policy database (sometimes referred to by its
    original name of master authorization database), updates the database
    replicas whenever a change is made to the master database, and replicates the
    policy information throughout the domains. The policy server also maintains
    location information about other resource managers operating in the domain.
    There must be at least one policy server defined for each domain.
    Examples:
        pdmgr
        pdmgr.tivoli.com
Policy server SSL port *
    Specifies the port number on which the policy server listens for SSL
    requests. The default port number is 7135.
8. Compare the disk space that is required to install the Tivoli Access Manager
Runtime for Java component with the disk space that is available. If there is
sufficient space, continue the installation.
9. After you review the summary and accept your installation selections and
configuration choices, the components are installed and configured without
further intervention.
The SvrSslCfg class is used to create a Tivoli Access Manager user account for
Tivoli Directory Integrator and to store the server’s configuration and certificate
information in local configuration and keystore files. The SvrSslCfg option -action
config is used to create the Tivoli Access Manager application name, the
configuration file, and the keystore file. Configuring an application server creates
user and server information in the user registry and creates local configuration
and keystore files.
When using the SvrSslCfg class, ensure that the IBM Tivoli Directory Integrator
JRE is used. This is the same JRE that was used when configuring the Tivoli Access
Manager JRTE. The command to establish an SSL connection between the Tivoli
Directory Integrator host and the Tivoli Access Manager secure domain is as
follows:
java com.tivoli.pd.jcfg.SvrSslCfg -action config
    -admin_id admin_user_ID
    -admin_pwd admin_password
    -appsvr_id application_server_name
    -appsvr_pwd application_server_password
    -port port_number
    -mode { local | remote }
    -host Host_name_of_application_server
    -policysvr policy_server_name:port:rank [,...]
    -authzsvr authorization_server_name:port:rank [,...]
    -cfg_file fully_qualified_name_of_configuration_file
    -domain Tivoli_Access_Manager_domain
    -key_file fully_qualified_name_of_keystore_file
    -cfg_action { create | replace }
The actions available in the SvrSslCfg class are outlined in the table below.
Table 6. Description of parameters for the SvrSslCfg configuration action
SvrSslCfg Parameter
    Value
-admin_id admin_user_ID
    A Tivoli Access Manager user with administrative privileges. For example,
    sec_master. This parameter is required.
-admin_pwd password
    Password associated with the Tivoli Access Manager administrative user
    specified. This parameter is required.
-appsvr_id name
    The name of the server where the Tivoli Directory Integrator application is
    installed. For example, itdi_tam. This parameter is required.
-port port_number
    The TCP/IP port which the application server listens to for policy server
    notifications. This parameter is required, but not used. Any integer can be
    specified (for example, 1234).
-mode remote
    The Tivoli Directory Integrator application server processes requests
    remotely. This parameter is required and must be specified as remote.
-policysvr hostname:port:rank [,hostname2:port2:rank2...]
    A list of Tivoli Access Manager policy servers to which the application
    server can communicate.
    The format of this entry is host name, TCP/IP port number, and numeric rank,
    separated by colons. Multiple servers can be specified by separating them
    with commas. For example, the following indicates two policy servers, both
    using default TCP/IP port 7135, are available:
    primary.myco.com:7135:1,secondary.myco.com:7135:2
For example, the following command could be used to configure IBM Tivoli
Directory Integrator to use the IBM Tivoli Access Manager policy server on
amserver.example.com, using standard ports and default install paths:
/opt/IBM/TDI/V6.1.1/jvm/jre/bin/java -cp \
    /opt/PolicyDirector/java/export/pdjrte/PD.jar com.tivoli.pd.jcfg.SvrSslCfg \
    -action config \
    -admin_id sec_master \
    -admin_pwd SEC_MASTER_PASSWORD \
    -appsvr_id itdi_tam \
    -port 1234 \
    -mode remote \
    -policysvr amserver.example.com:7135:1 \
    -authzsvr amserver.example.com:7136:1 \
    -cfg_file /opt/IBM/TDI/V6.1.1/timsol/PDCfgFile.conf \
    -key_file /opt/IBM/TDI/V6.1.1/timsol/PDKeyFile.ks
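The following sh script is an added example, not part of the IBM guide: it validates the -policysvr and -authzsvr values against the host:port:rank format from Table 6 before invoking SvrSslCfg, and afterwards checks that the configuration and keystore files are not readable by group or others. The function names, the DNS-name/IPv4-only host rule and the owner-only permission policy are assumptions of this example; paths and IDs are the ones used in the command above.

```sh
#!/bin/sh
# Added example (not from the IBM guide): checks around SvrSslCfg -action config.

# valid_server_entry ENTRY
# ENTRY must be host:port:rank, the format Table 6 gives for -policysvr.
# Assumption: host is a DNS name or IPv4 address (no IPv6 literals).
valid_server_entry() {
    _host=${1%%:*}
    _tail=${1#*:}
    [ "$_tail" != "$1" ] || return 1            # no colon at all
    _port=${_tail%%:*}
    _rank=${_tail#*:}
    [ "$_rank" != "$_tail" ] || return 1        # port given but no rank
    case $_host in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case $_port in ''|*[!0-9]*|??????*) return 1 ;; esac
    case $_rank in ''|*[!0-9]*) return 1 ;; esac
    [ "$_port" -ge 1 ] && [ "$_port" -le 65535 ]
}

# valid_server_list LIST
# LIST is one or more entries separated by commas, with no empty entries.
valid_server_list() {
    case $1 in ''|,*|*,|*,,*) return 1 ;; esac
    _rest=$1
    while [ -n "$_rest" ]; do
        _entry=${_rest%%,*}
        case $_rest in
            *,*) _rest=${_rest#*,} ;;
            *)   _rest= ;;
        esac
        valid_server_entry "$_entry" || return 1
    done
    return 0
}

# private_file PATH
# Succeeds when PATH is a regular file with no group or other permission bits.
# Returns 2 when the file does not exist. (Owner-only access is this example's
# policy for the keystore and configuration file, not a rule from the guide.)
private_file() {
    [ -f "$1" ] || return 2
    _perms=$(ls -ld -- "$1" | cut -c5-10)       # the six group/other characters
    [ "$_perms" = "------" ]
}

# Runs the configuration only when called as: sh thisfile.sh --run
if [ "${1:-}" = "--run" ]; then
    TDI=/opt/IBM/TDI/V6.1.1
    POLICY=amserver.example.com:7135:1
    AUTHZ=amserver.example.com:7136:1
    valid_server_list "$POLICY" || { echo "bad -policysvr: $POLICY" >&2; exit 1; }
    valid_server_list "$AUTHZ"  || { echo "bad -authzsvr: $AUTHZ" >&2; exit 1; }

    # Prompting keeps the password out of the script and the shell history.
    # It is still passed as -admin_pwd, as in the guide, so it is visible in
    # the process list while java runs.
    printf 'sec_master password: ' >&2
    stty -echo 2>/dev/null; IFS= read -r PW; stty echo 2>/dev/null; echo >&2

    "$TDI/jvm/jre/bin/java" -cp /opt/PolicyDirector/java/export/pdjrte/PD.jar \
        com.tivoli.pd.jcfg.SvrSslCfg -action config \
        -admin_id sec_master -admin_pwd "$PW" \
        -appsvr_id itdi_tam -port 1234 -mode remote \
        -policysvr "$POLICY" -authzsvr "$AUTHZ" \
        -cfg_file "$TDI/timsol/PDCfgFile.conf" \
        -key_file "$TDI/timsol/PDKeyFile.ks" || exit 1
    unset PW

    for f in "$TDI/timsol/PDCfgFile.conf" "$TDI/timsol/PDKeyFile.ks"; do
        private_file "$f" || echo "warning: $f is missing or readable by group/others" >&2
    done
fi
```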
Please refer to the dispatcher50.pdf file (contained in the ZIP file above) for
guidance on the installation and configuration of the RMI Dispatcher.
Before you import the adapter profile, verify that the following conditions are met:
- The Tivoli Identity Manager Server is installed and running.
- You have root or Administrator authority on the Tivoli Identity Manager Server.
The Tivoli Access Manager Combo adapter distribution package contains two JAR
file versions of the adapter profile, only one of which should be used:
itamprofile.jar
The itamprofile.jar profile is intended for use when Tivoli Access
Manager is configured against supported non-Windows-Active-Directory
directory services.
itamprofileAD.jar
The itamprofileAD.jar profile is intended for use when Tivoli Access
Manager is configured against Windows Active Directory, including Active
Directory Application Mode (ADAM) or other supported directory
services.
Note:
If you receive an error related to the schema when you import the adapter profile,
refer to the trace.log file for information about the error. The trace.log file
location is specified using the handler.file.fileDir property defined in the IBM
Tivoli Identity Manager enRoleLogging.properties file. The
enRoleLogging.properties file is installed in the ITIM_HOME\data directory.
Chapter 5. Creating a Tivoli Access Manager Combo service
You must create a service for the Tivoli Access Manager Combo Adapter before the
Tivoli Identity Manager Server can use the adapter to communicate with the
managed resource. To create a service, complete these steps:
1. Log in to the Tivoli Identity Manager Server using an account that has the
authority to perform administrative tasks.
2. Create the service using the information for your IBM Tivoli Identity Manager
product. Refer to the information center or the online help for specific
instructions about creating a service.
To create or change a service, you must use the service form to provide
information for the service. Service forms might vary depending on the adapter.
The Tivoli Access Manager Combo Adapter service form contains the following
fields:
SERVICE SETUP TAB
Service name
Specify a name that defines this Tivoli Access Manager Combo
Adapter service on the Tivoli Identity Manager Server.
Description
Optional: Specify a description for this service.
TDI location
Optional: Specify the URL for the Tivoli Directory Integrator
instance. Valid syntax is rmi://ip-address:port/ITDIDispatcher,
where ip-address is the Tivoli Directory Integrator host and port is
the port number for the RMI Dispatcher. For example, you might
specify the URL as rmi://localhost:16231/ITDIDispatcher. For
information about changing the port number, refer to the
dispatcher50.pdf file, which is contained in the
Adapter-Dispatcher-5.0xxx.zip file.
TAM SETUP TAB
Reconciliation Method
The Tivoli Access Manager Combo adapter has two methods of
reconciling Tivoli Access Manager user accounts and their
associated directory repository attributes:
TAM API
This method will function with Tivoli Access Manager
version 6.0 and 6.1. It is designed to use the Tivoli Access
Manager administration Java API, and is facilitated
through the use of Tivoli Directory Integrator, its Tivoli
Access Manager Connector, and the Tivoli Access Manager
Policy Server.
LDAP – TAM v6.x
This method will function only with Tivoli Access Manager
version 6.0 and 6.1. It is designed to reconcile Tivoli Access
Manager user accounts and their associated directory
repository attributes directly from the directory repository
that the Tivoli Access Manager policy server is configured
Note: Simply checking this option will remove any current Tivoli
Access Manager account credentials. This is because Tivoli
Identity Manager will consider any non-returned credential
to mean that the credential no longer exists for the account.
However, it is possible to retain any credentials that have
been reconciled previously by excluding the SSO credentials
attribute from the reconciliation query.
LDAP Reconciliation Page Size
This value is used for LDAP reconciliations only and is ignored for
Tivoli Access Manager API reconciliations. If a page size other than
0 is specified, the Tivoli Access Manager Combo adapter will try to
use page mode search when obtaining Tivoli Access Manager user
account information. Page mode causes the directory server to
return a specific number of entries (called pages) instead of all
entries in one chunk. Not all directory servers support this option.
To test if your directory server supports Page Mode, check the
Tivoli Directory Integrator log file (ibmdi.log) and look for a
reference to “Supported Controls of LDAP Server” when
performing a successful test of the Tivoli Access Manager Combo
service by clicking the Test button for the Tivoli Access Manager
Combo Service. If your directory service supports Page Mode, it is
recommended that this value reflect the SearchResultSetSize value
of the RMI Dispatcher itim_listener.properties file. To locate this
value, please refer to the RMI Dispatcher Installation and
Configuration Guide (dispatcher50.pdf) supplied in the
Adapter-Dispatcher-5.xxx.zip file.
TAM Admin User
Specify the IBM Tivoli Access Manager Administrator account
name (e.g. sec_master). This account must have enough access
rights to manage IBM Tivoli Access Manager accounts and group
memberships.
TAM Admin User Password
Specify the password for the IBM Tivoli Access Manager
Administrator account.
TAM Config File
File path name for the Tivoli Access Manager configuration file
that was created when the Tivoli Access Manager Java Runtime
Environment (JRTE) was installed and configured. This is an
absolute reference to the configuration file from the Tivoli
Directory Integrator server.
2. Multiple object classes can be specified, but must be provided
as a comma-separated list.
3. The Object Class for TAM Entry is not modifiable. Should you
wish to change this entry, a new service must be created with
any new set of object classes. As a result, accounts created with
the new service will be provisioned using the object classes
defined in that service. Accounts created with the old service
will have been provisioned using the object classes defined in
that service. It is not possible to modify the object classes that
define accounts already created.
REPOSITORY SETUP TAB
TAM Repository Admin ID
Specify the Tivoli Access Manager directory repository
Administrator’s Distinguished Name (such as cn=root). For Windows
Active Directory, you should fully qualify the Administrator’s
Distinguished name. For example:
CN=Administrator,CN=users,DC=company,DC=com
Once the service has been created, click Test to ensure that the connection to both
the directory server and to the Tivoli Access Manager Policy Server can be
established. Configuration information for the adapter should be reported in the
IBM Tivoli Directory Integrator log file (ibmdi.log) as a result of a successful test.
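An added example (not from the IBM guide) of the LDAP Reconciliation Page Size check described above: it looks in ibmdi.log for the “Supported Controls of LDAP Server” entry, checks it for the paged results control OID 1.2.840.113556.1.4.319 (RFC 2696), and reads SearchResultSetSize from itim_listener.properties. The log line layout, the 20-line search window, the function names and the sample values are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: choose a value for "LDAP Reconciliation Page Size".

# LDAP simple paged results control (RFC 2696).
PAGED_RESULTS_OID='1.2.840.113556.1.4.319'

# paged_search_supported IBMDI_LOG
# Succeeds when the most recent "Supported Controls of LDAP Server" entry
# lists the paged results control. Assumption: the control OIDs appear on the
# marker line or within the 20 lines that follow it.
paged_search_supported() {
    awk -v oid="$PAGED_RESULTS_OID" '
        /Supported Controls of LDAP Server/ { seen = 1; found = 0; window = 21 }
        window > 0 { if (index($0, oid)) found = 1; window-- }
        END { exit !(seen && found) }
    ' "$1"
}

# search_result_set_size ITIM_LISTENER_PROPERTIES
# Prints the last uncommented SearchResultSetSize value, or nothing.
search_result_set_size() {
    sed -n 's/^[[:space:]]*SearchResultSetSize[[:space:]]*[=:][[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1" |
        tail -n 1
}

# recommended_page_size IBMDI_LOG ITIM_LISTENER_PROPERTIES
# Prints 0 (page mode not used) when the directory server does not advertise
# paging, otherwise the dispatcher's SearchResultSetSize.
# Returns 2 when paging is supported but the property cannot be found.
recommended_page_size() {
    if paged_search_supported "$1"; then
        _size=$(search_result_set_size "$2")
        [ -n "$_size" ] || return 2
        printf '%s\n' "$_size"
    else
        printf '0\n'
    fi
}

# Demo on constructed sample files: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d) || exit 1
    cat > "$dir/ibmdi.log" <<'EOF'
2009-03-02 10:15:01 INFO  [constructed] Supported Controls of LDAP Server:
2009-03-02 10:15:01 INFO  [constructed]   2.16.840.1.113730.3.4.2
2009-03-02 10:15:01 INFO  [constructed]   1.2.840.113556.1.4.319
EOF
    printf '# constructed sample\nSearchResultSetSize=100\n' \
        > "$dir/itim_listener.properties"
    echo "LDAP Reconciliation Page Size:" \
        "$(recommended_page_size "$dir/ibmdi.log" "$dir/itim_listener.properties")"
    rm -rf "$dir"
fi
```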
Chapter 6. Configuring the Tivoli Access Manager Combo
Adapter
This chapter describes the configuration options for the Tivoli Access Manager
Combo Adapter.
The Tivoli Access Manager Combo Adapter is designed to work with the
inetOrgPerson object class. This class is a default object class which contains
attributes about people, and is used by Tivoli Access Manager. If you are using the
inetOrgPerson schema for your Tivoli Access Manager, the Tivoli Access Manager
Combo Adapter may require simple UI customization for the account form. For
more detailed information about account form customization please refer to the
IBM Tivoli Identity Manager Administration and Configuration Guide.
The Tivoli Access Manager Combo Adapter supports a standard set of attributes
for default object classes used in Tivoli Access Manager Servers. Standard user
provisioning operations such as add, delete, modify, suspend, restore, change
password, search and test are supported by the Tivoli Access Manager Combo
Adapter. Because Tivoli Access Manager Server requirements vary, you may need
to customize or extend the Tivoli Access Manager Combo schema to support
additional attributes or object classes.
When Tivoli Access Manager is configured against Windows Active Directory, the
Tivoli Access Manager Combo Adapter is designed to manage most of the
Windows Active Directory User object class attributes.
If you are not using the IBM Directory Server inetOrgPerson object class or
Windows Active Directory User object class attributes, and your object class has an
attribute that is not an inetOrgPerson or User standard attribute, you will need to
customize the Tivoli Access Manager Combo adapter.
Standard parameters
The Tivoli Access Manager Combo Adapter is configured to use a standard set of
parameters for the inetOrgPerson class. The Tivoli Access Manager Combo
resource must support referential integrity.
inetOrgPerson
This is the default IBM Directory Server object class used to create new
Tivoli Access Manager user accounts when Tivoli Access Manager is
configured against IBM Directory Server. The supporting object classes are
organizationalPerson, person, and top.
User
This is the default Windows Active Directory object class used to create
new Tivoli Access Manager user accounts when Tivoli Access Manager is
configured against Windows Active Directory. Not all of the User object
class attributes are managed by default. However, the majority of the
attributes that are managed through the Active Directory user properties
dialogue box are catered for. Exceptions include non-modifiable attributes
such as the memberOf attribute and logonHours, which is of INTEGER8
syntax and would be difficult to manage from the Tivoli Identity Manager
TAM Combo account form. Attributes such as userAccountControl are
also unsupported. For the list of Windows Active Directory User object
class attributes that are supported by default, please refer to Table 10 on
page 27.
Table 8. Standard attributes supported by the Tivoli Access Manager Combo Adapter (continued)

| TAM account property | Attribute name in schema | Schema |
|---|---|---|
| Do Not Change Password on Next Login | eritampvalid | Boolean |
| Single Signon Capability | eritamsinglesign | Boolean |
| Group Membership (multi-value attribute) | eritamgroupname | Directory String |
| SSO Credentials (multi-value attribute) | eritamcred | Directory String |
| Account status | eraccountstatus | Integer |
Table 9. The inetOrgPerson attributes supported by the Tivoli Access Manager Combo Adapter

| Attribute | Attribute | Attribute |
|---|---|---|
| BusinessCategory | homePostalAddress | PreferredLanguage |
| CarLicense | initials | RegisteredAddress |
| HomePhone | L | RoomNumber |
| DepartmentNumber | Mail | Secretary |
| preferreddeliverymethod | manager | UserPassword |
| DestinationIndicator | mobile | St |
| DisplayName | Pager | Street |
| EmployeeNumber | physicalDeliveryOfficeName | TelephoneNumber |
| EmployeeType | postalAddress | teletexTerminalIdentifier |
| FacsimileTelephoneNumber | postalCode | TelexNumber |
| GivenName | postOfficeBox | Title |
Table 10. Mapping of Windows Active Directory User attributes supported by the Tivoli Access Manager Combo adapter

| Windows Active Directory Attribute | IBM Directory Server Attribute | Description | Note |
|---|---|---|---|
| accountExpires | ntUserAcctExpires | Account expires on AD Account Tab | Tivoli Directory Integrator performs advanced mapping to support this attribute. |
| c | c | Country/region on AD Address Tab | |
| co | co | Country/region on AD Address Tab | |
| company | company | Company on AD User Organization Tab | To support its management, this attribute is added to Tivoli Identity Manager’s IBM Directory Server schema during the importation of the TAM Combo profile. |
Table 10. Mapping of Windows Active Directory User attributes supported by the Tivoli Access Manager Combo adapter (continued)

| Windows Active Directory Attribute | IBM Directory Server Attribute | Description | Note |
|---|---|---|---|
| otherFacsimileTelephoneNumber | otherFacsimileTelephoneNumber | Fax Number (Others) on AD User Telephones Tab | To support its management, this attribute is added to Tivoli Identity Manager’s IBM Directory Server schema during the importation of the TAM Combo profile. |
| otherHomePhone | otherHomePhone | Home Phone (Others) on AD User Telephones Tab | To support its management, this attribute is added to Tivoli Identity Manager’s IBM Directory Server schema during the importation of the TAM Combo profile. |
| otherIpPhone | otherIpPhone | IP Phone Number (Others) on AD User Telephones Tab | To support its management, this attribute is added to Tivoli Identity Manager’s IBM Directory Server schema during the importation of the TAM Combo profile. |
| otherMobile | otherMobile | Mobile Number (Others) on AD User Telephones Tab | To support its management, this attribute is added to Tivoli Identity Manager’s IBM Directory Server schema during the importation of the TAM Combo profile. |
| otherPager | otherPager | Pager Number (Others) on AD User Telephones Tab | To support its management, this attribute is added to Tivoli Identity Manager’s IBM Directory Server schema during the importation of the TAM Combo profile. |
Table 10. Mapping of Windows Active Directory User attributes supported by the Tivoli Access Manager Combo adapter (continued)

| Windows Active Directory Attribute | IBM Directory Server Attribute | Description | Note |
|---|---|---|---|
| userPrincipalName | userPrincipalName | User logon name on AD Account Tab | |
| userWorkstations | ntUserWorkstations | Log On To/Logon Workstations on AD Account Tab | Tivoli Directory Integrator performs advanced mapping to support this attribute. |
| wWWHomePage | wWWHomePage | Web page on AD User General Tab | To support its management, this attribute is added to Tivoli Identity Manager’s IBM Directory Server schema during the importation of the TAM Combo profile. |
Notes:
1. Although cn, sn and description attributes are multi-valued in the LDAP
schema, Tivoli Access Manager supports only single-valued attributes. Values
other than the first value will be ignored by Tivoli Access Manager.
2. The eritamcred attribute contains password information for Tivoli Access
Manager resources. For security reasons, it is strongly recommended that the
file ITIM_HOME/data/enRoleHiddenSearchAttribute.properties be edited to
include this attribute.
3. The Windows Active Directory User object class supports the sn attribute.
However, this attribute is not a mandatory User object class attribute. As the
IBM Directory Server inetOrgPerson object class mandates the use of the sn
attribute when creating a Tivoli Identity Manager TAM Combo account, if a
Windows Active Directory User account does not have a value for sn, a dash (-)
will be returned for sn during a reconciliation.
4. Windows Active Directory User attributes that correspond to inetOrgPerson
attributes such as homepostaladdress may also be managed through Tivoli
Identity Manager. These attributes should be available when customizing the
account form.
5. In the case of both Microsoft Windows Active Directory and Microsoft
Windows Active Directory Application Mode (ADAM), the attributes listed are
not exhaustive. Directory server attributes with the same name(s) as provided
through the itamaccount object class should function correctly through a
same-name-to-same-name mapping by the TAM Combo adapter. However,
management of custom directory service attributes that have a different name
to attributes of the itamaccount object class must be facilitated through
user-customised advanced mapping.
Table 11. The objectclasses supported by the Tivoli Access Manager Combo Adapter.

| Description | Objectclass name in schema | Superior |
|---|---|---|
| Account class | itameraccount | iNetOrgPerson |
| Service class | eritamservice | top |
| List of Tivoli Access Manager groups | eritamgroups | top |
where Group_Objectclass_member_attribute_name1,
Group_Objectclass_member_attribute_nameN denotes a comma-separated list of
known directory server Group Object class member attribute names. For example,
you might provide the following:
com.ibm.itim.adapter.tamcombo.groupMembershipAttributeNames=member,uniqueMember
Notes:
1. The correct properties file to use should also contain the Tivoli Identity
Manager Dispatcher properties under the heading "ITIM Dispatcher properties".
2. If a group object class member attribute name is supplied that does not exist,
the functionality of LDAP-based search will not be affected but performance
may be impacted.
3. The group object class member attribute names supplied are considered
case-insensitive.
4. If either the property is not supplied, or no group object class member attribute
names are provided, then the group object class member attribute name will be
considered to be member by default. If the property is supplied and member is
to be considered a valid group object class member attribute name, it must be
explicitly provided in the comma-separated list of group object class member
attribute names provided as a value for the property.
RMI Dispatcher Configuration Properties
For guidance on setting Tivoli Directory Integrator configuration properties for the
operation of the Tivoli Access Manager Combo adapter, refer to the
dispatcher50.pdf file, which is contained in the Adapter-Dispatcher-5.0xxx.zip
file.
SSL terminology
SSL server
For this SSL configuration, the Tivoli Directory Integrator side is the SSL
Server. It listens for connection requests.
SSL client
For these SSL configurations the workstation on which the Tivoli Identity
Manager server and the WebSphere Application Server are installed is the
SSL client. It issues connection requests to the Tivoli Directory Integrator.
Signed certificates
A signed digital certificate is an industry-standard method of verifying the
authenticity of an entity, such as a server, client, or application. Signed
certificates are issued by a third-party certificate authority for a fee. Some
utilities, such as the iKeyman utility, can also issue signed certificates. A
Certificate Authority or CA certificate must be used to verify the origin of
a signed digital certificate.
Signer certificates (Certificate Authority certificates)
A Certificate Authority (CA) certificate must be used to verify the origin of
a signed digital certificate. When an application receives another
application’s signed certificate, it uses a CA certificate to verify the
originator of the certificate. Many applications, such as Web browsers, are
configured with the CA certificates of well-known certificate authorities to
eliminate or reduce the task of distributing CA certificates throughout the
security zones in a network.
Self-signed certificates
A self-signed certificate contains information about the owner of the
certificate and the owner’s signature. Basically, it is a signed certificate and
CA certificate in one. If you choose to use self-signed certificates, you must
extract the CA certificate from it in order to configure SSL.
SSL keystore
The SSL keystore is a key database file designated as a keystore. It contains
the SSL certificate.
Note: The keystore and truststore can be the same physical file.
SSL truststore
The SSL truststore is a key database file designated as a truststore. The SSL
truststore contains the list of signer certificates (CA certificates) that define
which certificates the SSL protocol trusts. Only a certificate issued by one
of these listed trusted signers is accepted.
SSL configurations
The following steps describe how to configure WebSphere Application Server and
Tivoli Directory Integrator for one-way or two-way SSL communication. If you
need more information about any of the steps, go to the referenced task for the
detailed steps.
Note: The editing of the solution.properties file for steps 6, 7, and 8 can be
done in one operation. Doing so eliminates the need for a stop and
restart of the adapter service at the end of steps 6 and 7.
7. Configure Tivoli Directory Integrator to use the truststores. See “Configure
Tivoli Directory Integrator to use the truststores” on page 40.
8. Enable the adapter service to use SSL. See “Enabling the adapter service to
use SSL” on page 41.
9. Stop and restart the adapter service.
10. Stop and restart WebSphere Application Server.
Note: The truststore is not needed on the Tivoli Directory Integrator server for
one-way SSL, but the configuration of truststore is needed for the RMI SSL
initialization to succeed.
Note: The editing of the solution.properties file for steps 6, 7, and 8 can be
done in one operation. Doing so eliminates the need for a stop and
restart of the adapter service at the end of steps 6 and 7.
Note: The file names and locations such as tdikeys.jks and ITDI_HOME\keys used
in these tasks are examples and used for consistency. Your actual file names
and locations might be different.
Note: The keystore can be the same physical file as the truststore.
1. Navigate to the ITDI_HOME\jvm\jre\bin directory.
2. Launch the ikeyman.exe file (Windows operating systems) or ikeyman
(Unix/Linux operating systems).
3. Select Key Database File > New.
4. Select key database type of JKS.
5. Type the keystore file name: tdikeys.jks.
6. Type the location: ITDI_HOME\keys.
Note: This directory must already exist, otherwise the step fails.
7. Click OK.
8. Type a password for the keystore, for example, secret.
9. Click OK to continue.
Note: The truststore can be the same physical file as the keystore. You can skip
this task if you choose to use the same file for keystore and truststore.
1. Navigate to the ITDI_HOME\jvm\jre\bin directory.
2. Launch the ikeyman.exe file (Windows operating systems) or ikeyman (UNIX
or Linux operating systems).
3. Select Key Database File > New.
4. Select key database type of JKS.
5. Type the keystore file name: tditrust.jks.
6. Type the location: ITDI_HOME\keys.
Note: This directory must already exist, otherwise the step fails.
7. Click OK.
8. Type a password for the keystore, for example, secret.
9. Click OK to continue.
Note: The file names and locations such as timclient.der and c:\keys used in
these tasks are examples and used for consistency. Your actual file names
and locations might be different.
Chapter 8. Verifying the Tivoli Access Manager Combo Adapter profile installation
If the Tivoli Access Manager Combo Adapter profile is not already installed on
your system, you must import the adapter profile. See Chapter 4, “Importing the
adapter profile into the Tivoli Identity Manager Server,” on page 17 for
information about importing the adapter profile.
After you install the adapter profile, verify that the adapter profile was
successfully installed. If the adapter profile is not installed correctly, the adapter
might not function as intended.
To verify that the adapter profile was successfully installed, complete the following
steps.
• In the IBM Tivoli Identity Manager web console
(http://ITIMhostname:9080/itim/console/main), click Configure system >
Manage Service Types from the left navigation panel. Verify that “TAM Combo
Profile” is listed as a service type in the table.
• Create a service using the Tivoli Access Manager Combo Adapter profile. Refer
to Chapter 5, “Creating a Tivoli Access Manager Combo service,” on page 19.
• Open an account on the service.
If you are unable to create a service using the Tivoli Access Manager Combo
Adapter profile or open an account on the service, the adapter profile is not
installed correctly. You might need to import the adapter profile again.
When the Test button on the TAM Combo service form is clicked, service,
environment and configuration values are sent to the Tivoli Directory Integrator
log during the test. The information collected during the test may assist in
diagnosing issues.
All supporting data can be reconciled through the use of the search filter in the
reconciliation query. To reconcile supporting data only, the following search filter
could be used:
(!(objectclass=eritamaccount))
Runtime Problems
Runtime Problems and recommended actions are described in the following table:
Table 12. Runtime Problems

Problem:
When running Test Connection in TAM Combo, the Change a Service form displays
errors such as the following:
• CTGIMU107W The connection to the specified service cannot be established.
Verify the service information, and try again.
• CTGIMT605E An error occurred while processing the CTGIMT401E An error
occurred while starting the tamTest_TAM Combo TAM 6.1_test-no-requestid_xxxagent.
Error: Script interpreter error, line=xx, col=xx Reference Error : ’MgmtDomain’
not found operation on the IBM Tivoli Directory Integrator server. Error: {1}
Recommended Action:
Check that the correct version of TamComboUtils.jar (supplied in the adapter
install package) is installed on the dispatcher server.
Table 12. Runtime Problems (continued)

Problem:
Reconciliation doesn’t return all Tivoli Access Manager accounts. It returns
500 or 2048 accounts only.
Recommended Action:
The default settings for LDAP and Tivoli Access Manager have constraints on the
search size limit. The best practice is as follows:
1. Modify the IBM Directory Server configuration file, slapd32.conf for LDAP 5.2
or ibmslapd.conf for LDAP 6.0. This file is located in the etc directory of the
IBM Directory Server. Set the ibm-slapdSizeLimit variable to 0 (no limit).
2. Modify the Tivoli Access Manager LDAP ldap.conf configuration file located in
the etc directory of the Tivoli Access Manager Policy Server. Set the
max-search-size variable to greater than 2048 (the default setting). Setting
the max-search-size to 0 would mean the search size is unlimited.
3. Modify the Tivoli Access Manager configuration file, pd.conf, located in the
etc directory of the Tivoli Access Manager Policy Server. Set the ssl-v3-timeout
variable to 84600 (the maximum setting) and set the ssl-io-inactivity variable
to 0 (no limit).

Problem:
Reconciliation doesn’t return all Tivoli Access Manager accounts.
Reconciliation is successful but some accounts are missing.
Recommended Action:
For the adapter to reconcile a large number of accounts successfully, you may
need to increase WebSphere’s JVM memory. The following steps must be completed
on the WebSphere host machine:
Note: The JVM memory should not be increased to a value higher than the System
memory.
1. Log in to the WebSphere Administrative Console.
2. Expand Servers in the left menu and select Application Servers.
3. A table displays the names of known application servers on your system. Click
the link for your primary application server.
4. Select Process Definition from within the Configuration tab.
5. Select the Java Virtual Machine property.
6. Enter a new value for the Maximum Heap Size. The default value is 256 MB.
If the allocated JVM memory is not large enough, an attempt to reconcile a large
number of accounts using the Tivoli Access Manager Adapter will result in log
file errors, and the reconciliation process will not complete successfully. The
Adapter log files will contain entries stating ErmPduAddEntry failed. The
WebSphere_install_dir/logs/itim.log file will contain
java.lang.OutOfMemoryError exceptions.
Performance Tuning
For example, if Account ‘A’ was a member of Tivoli Access Manager group ‘Y’ and
‘Z’, then to increase reconciliation performance, it is possible to search only Tivoli
Access Manager group ‘Y’ to determine if account ‘A’ is a member. However, this
would result in the account only reporting in Tivoli Identity Manager that it is a
member of Tivoli Access Manager group ‘Y’. It would not report that it was
actually also member of Tivoli Access Manager group ‘Z’.
To implement the search of specific Tivoli Access Manager groups for membership
to determine if each Tivoli Access Manager account is a member during
LDAP-based reconciliation, you should provide a comma-separated list of Tivoli
Access Manager groups to be searched as per the
com.ibm.itim.adapter.tamcombo.searchMembershipGroups property in the
appropriate Tivoli Directory Integrator solution.properties or global.properties file.
The addition of this property to the properties file may be as follows:
## -------------------------
## ITIM TAM Combo properties
## -------------------------
com.ibm.itim.adapter.tamcombo.searchMembershipGroups=TAM_Group1, TAM_Group2
Tivoli Access Manager groups are provided, there is no performance benefit
over having defined no groups to be searched.
3. If a group name is supplied that does not exist, it will be ignored.
4. The group names supplied are considered case-insensitive.
5. If either the property is not supplied, or no groups are provided to be searched,
then all groups will be searched.
6. Setting this configuration item does not affect the reconciliation of Tivoli
Access Manager groups; all Tivoli Access Manager group names are still
returned as supporting data. As a result, errors may occur if an attempt
is made to add a Tivoli Access Manager account to a Tivoli Access Manager
group of which it is already a member but for which Tivoli Identity Manager
does not report the membership because this configuration has been set.
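The following is an added example, not code from IBM or the adapter: a small Python model of how the groupMembershipAttributeNames notes earlier in this guide and the searchMembershipGroups notes above decide which group memberships an LDAP-based reconciliation reports, and which real memberships go unreported. The directory contents, group names and all function names are constructed for illustration, and the model assumes that a listed-but-unknown group simply matches nothing.

```python
# Added example (not IBM code): models how the two tamcombo properties
# described in this guide shape what an LDAP-based reconciliation reports.

GROUP_ATTRS_KEY = "com.ibm.itim.adapter.tamcombo.groupMembershipAttributeNames"
SEARCH_GROUPS_KEY = "com.ibm.itim.adapter.tamcombo.searchMembershipGroups"

# Constructed solution.properties fragment (values are illustrative).
SAMPLE_PROPERTIES = """\
## -------------------------
## ITIM TAM Combo properties
## -------------------------
com.ibm.itim.adapter.tamcombo.groupMembershipAttributeNames=member,uniqueMember
com.ibm.itim.adapter.tamcombo.searchMembershipGroups=tam_group_y, NoSuchGroup
"""

# Constructed directory model: group -> member attribute -> member DNs.
SAMPLE_DIRECTORY = {
    "TAM_Group_Y": {"uniqueMember": ["cn=A,o=example"]},
    "TAM_Group_Z": {"member": ["cn=A,o=example", "cn=B,o=example"]},
}


def parse_properties(text):
    """Minimal key=value parser; lines starting with '#' or '!' are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def split_list(value):
    """Split a comma-separated property value, dropping blanks."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def effective_member_attrs(props):
    """Absent or empty property means 'member'; a supplied list replaces it."""
    names = {name.lower() for name in split_list(props.get(GROUP_ATTRS_KEY))}
    return sorted(names) or ["member"]


def groups_to_search(props, existing_groups):
    """Absent or empty means all groups; unknown names are ignored."""
    wanted = {name.lower() for name in split_list(props.get(SEARCH_GROUPS_KEY))}
    if not wanted:
        return sorted(existing_groups)
    # Assumption: if every listed name is unknown, nothing is searched.
    return sorted(g for g in existing_groups if g.lower() in wanted)


def reported_memberships(directory, props):
    """Return {account DN: set of groups} as reconciliation would report it."""
    attrs = effective_member_attrs(props)
    reported = {}
    for group in groups_to_search(props, directory):
        for attr, members in directory[group].items():
            if attr.lower() in attrs:
                for dn in members:
                    reported.setdefault(dn, set()).add(group)
    return reported


def unreported_memberships(directory, props):
    """Memberships present in the directory that reconciliation would miss."""
    reported = reported_memberships(directory, props)
    gaps = {}
    for group, attrs in directory.items():
        for members in attrs.values():
            for dn in members:
                if group not in reported.get(dn, set()):
                    gaps.setdefault(dn, set()).add(group)
    return {dn: sorted(groups) for dn, groups in gaps.items()}


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    gaps = unreported_memberships(SAMPLE_DIRECTORY, props)
    for dn, groups in sorted(gaps.items()):
        print(f"{dn}: not reported as member of {', '.join(groups)}")
```

Any membership the model lists as unreported is one that an access review based only on Tivoli Identity Manager data would not see, so a restricted group list is best paired with a periodic full reconciliation.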
Note: The RMI Dispatcher component must be installed on your system in order
for adapters to function correctly in a Tivoli Directory Integrator
environment. If you delete the adapter profile for the Tivoli Access Manager
Combo Adapter, do not uninstall the RMI Dispatcher.
If you are not sure what type of software maintenance contract you need, call
1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to
the contacts page of the IBM Software Support Handbook on the Web
(http://techsupport.services.ibm.com/guides/contacts.html) and click the name of
your geographic region for phone numbers of people who provide support for
your location.
Severity 1 Critical business impact: You are unable to use the program,
resulting in a critical impact on operations. This condition
requires an immediate solution.
Severity 2 Significant business impact: The program is usable but is
severely limited.
Severity 3 Some business impact: The program is usable with less
significant features (not critical to operations) unavailable.
Severity 4 Minimal business impact: The problem causes little impact on
operations, or a reasonable circumvention to the problem has
been implemented.
Describe your problem and gather background information
When explaining a problem to IBM, be as specific as possible. Include all relevant
background information so that IBM Software Support specialists can help you
solve the problem efficiently. To save time, know the answers to these questions:
• What software versions were you running when the problem occurred?
• Do you have logs, traces, and messages that are related to the problem
symptoms? IBM Software Support is likely to ask for this information.
• Can the problem be re-created? If so, what steps led to the failure?
• Have any changes been made to the system? (For example, hardware, operating
system, networking software, and so on.)
• Are you currently using a workaround for this problem? If so, please be
prepared to explain it when you report the problem.
If the problem you submit is for a software defect or for missing or inaccurate
documentation, IBM Software Support creates an Authorized Program Analysis
Report (APAR). The APAR describes the problem in detail. Whenever possible,
IBM Software Support provides a workaround for you to implement until the
APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the
IBM product support Web pages daily, so that other users who experience the
same problem can benefit from the same resolutions.
For more information about problem resolution, see Searching knowledge bases.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Trademarks
The following terms are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both:
AIX
DB2
developerWorks
eServer
IBM
iSeries
Lotus
Notes
OMEGAMON
Passport Advantage
pSeries
Rational
Redbooks
Tivoli
WebSphere
zSeries
Adobe, Acrobat, Portable Document Format (PDF), and PostScript® are either
registered trademarks or trademarks of Adobe Systems Incorporated in the United
States, other countries, or both.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the
United States, other countries, or both.
Microsoft, Windows, Windows NT®, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
Intel®, Intel logo, Intel Inside®, Intel Inside logo, Intel® Centrino®, Intel Centrino
logo, Celeron®, Intel Xeon®, Intel SpeedStep®, Itanium®, and Pentium® are
trademarks or registered trademarks of Intel Corporation or its subsidiaries in the
United States and other countries.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Other company, product, and service names may be trademarks or service marks
of others.
Printed in USA
SC23-9664-00