A Sample Integration of IBM Tivoli Security Management Products

IBM Tivoli Identity Manager
IBM Tivoli Access Manager for e-business
IBM Tivoli Directory Server
IBM Tivoli Directory Integrator
Mantis – A Sample Open Source Application

Version number: 1.05
Dated: 25 October 2004
Author: Lindsay C. Blanton III, IBM Tivoli WW Education, [email protected]

Copyright Notice

Copyright © 10/25/04 IBM Corporation, including this documentation and all software. All rights reserved. May only be used pursuant to a Tivoli Systems Software License Agreement, an IBM Software License Agreement, or Addendum for Tivoli Products to IBM Customer or License Agreement. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without prior written permission of IBM Corporation. IBM Corporation grants you limited permission to make hardcopy or other reproductions of any machine-readable documentation for your own use, provided that each such reproduction shall carry the IBM Corporation copyright notice. No other rights under copyright are granted without prior written permission of IBM Corporation.

The document is not intended for production and is furnished “as is” without warranty of any kind. All warranties on this document are hereby disclaimed, including the warranties of merchantability and fitness for a particular purpose.

Note to U.S. Government Users—Documentation related to restricted rights—Use, duplication or disclosure is subject to restrictions set forth in GSA ADP Schedule Contract with IBM Corporation.

Trademarks

The following are trademarks of IBM Corporation or Tivoli Systems Inc.: IBM, Tivoli, AIX, Cross-Site, NetView, OS/2, Planet Tivoli, RS/6000, Tivoli Certified, Tivoli Enterprise, Tivoli Ready, TME.

In Denmark, Tivoli is a trademark licensed from Kjøbenhavns Sommer - Tivoli A/S.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

C-bus is a trademark of Corollary, Inc. in the United States, other countries, or both.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Lotus is a registered trademark of Lotus Development Corporation.

PC Direct is a trademark of Ziff Communications Company in the United States, other countries, or both and is used by IBM Corporation under license.

ActionMedia, LANDesk, MMX, Pentium, and ProShare are trademarks of Intel Corporation in the United States, other countries, or both.

SET and the SET Logo are trademarks owned by SET Secure Electronic Transaction LLC. For further information, see http://www.setco.org/aboutmark.html.

Other company, product, and service names may be trademarks or service marks of others.

Notices

References in this publication to Tivoli Systems or IBM products, programs, or services do not imply that they will be available in all countries in which Tivoli Systems or IBM operates. Any reference to these products, programs, or services is not intended to imply that only Tivoli Systems or IBM products, programs, or services can be used. Subject to valid intellectual property or other legally protectable right of Tivoli Systems or IBM, any functionally equivalent product, program, or service can be used instead of the referenced product, program, or service. The evaluation and verification of operation in conjunction with other products, except those expressly designated by Tivoli Systems or IBM, are the responsibility of the user.

Tivoli Systems or IBM may have patents or pending patent applications covering subject matter in this document.
The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to the IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, New York 10504-1785, U.S.A.

IBM Tivoli WW Education Page 2 of 188

Version History

Version      Author  Description
Draft 1.0    LCB     Initial for review
Draft 1.01   LCB     Editor Proofing Comments
Draft 1.02   LCB     Editor Proofing Comments
1.03         LCB     SME Recommended Changes
1.04         LCB     Added ITIM Supplemental CDs as WebSphere install locations.
1.05         LCB     Clarification added for the ITIM Access Manager Agent download as a requirement. This was not specifically mentioned in the previous version of this paper.

Table of Contents

1 Introduction and Overview ..... 6
  1.1 Scope ..... 6
    1.1.1 Overview ..... 6
    1.1.2 Access Control and Management Functions ..... 6
    1.1.3 The Mantis Open Source Application ..... 6
  1.2 Physical Architecture ..... 7
    1.2.1 Hardware and Software ..... 7
    1.2.2 Physical Architecture Diagram ..... 7
  1.3 Provisioning Process Flow ..... 8
    1.3.1 Automatic Provisioning ..... 8
    1.3.2 Manual Provisioning ..... 9
    1.3.3 Provisioning Process Flow Diagram ..... 9
    1.3.4 Authentication and Authorization Process Flow Diagram ..... 9
2 Preparing the Environment ..... 11
  2.1 Required Software Media and Downloads ..... 11
  2.2 User Accounts ..... 11
    2.2.1 tivoli1 User Accounts ..... 11
    2.2.2 tivoli2 User Accounts ..... 11
    2.2.3 zeus User Accounts ..... 11
  2.3 tivoli1 ..... 12
  2.4 tivoli2 ..... 12
  2.5 zeus ..... 12
    2.5.1 Configure Apache to Listen on Port 8080 ..... 13
    2.5.2 Download and Install the Mantis Application on Zeus ..... 13
3 Install and Configure IBM Tivoli Directory Server 5.2 ..... 18
  3.1 Install the IBM JRE ..... 18
  3.2 Install Directory Server ..... 21
4 Install and Configure IBM Tivoli Access Manager 5.1 ..... 28
  4.1 Install the Access Manager Policy Server ..... 28
  4.2 Install WebSEAL ..... 34
5 Install IBM Tivoli Identity Manager 4.5.1 ..... 40
  5.1 DB2 Installation ..... 40
    5.1.1 Install the DB2 8.1 UDB Base Code ..... 40
    5.1.2 Install the DB2 8.1 UDB Fixpack 2 ..... 45
    5.1.3 Configure DB2 for ITIM ..... 47
  5.2 LDAP Configuration ..... 48
    5.2.1 Configure LDAP for ITIM ..... 48
  5.3 Install ITIM 4.5.1 ..... 51
6 Install and Configure the Web Interfaces ..... 59
  6.1 Install the IBM JRE on tivoli2 ..... 59
  6.2 Install the IBM Tivoli Access Manager Web Portal Manager (WPM) ..... 62
  6.3 Install the IBM Tivoli Directory Server Web Administration Tool ..... 69
7 Install and Configure IBM Tivoli Identity Manager Agents ..... 78
  7.1 Install the Access Manager ITIM Agent ..... 78
  7.2 Configure the Access Manager Agent ..... 81
    7.2.1 Configure Protocol Settings ..... 81
    7.2.2 Certificate Installation ..... 82
  7.3 Install the Access Manager GSO Agent ..... 89
  7.4 Configure the Access Manager GSO Agent ..... 92
    7.4.1 Configure Protocol Settings ..... 92
    7.4.2 Certificate Installation ..... 93
8 Configure Access Manager ..... 100
  8.1 Create the apache-group Group ..... 100
  8.2 Secure the Web Space ..... 101
  8.3 Create the Mantis GSO Resource ..... 106
  8.4 Modify the Access Manager Password Policy ..... 107
  8.5 Configure WebSEAL ..... 108
    8.5.1 Configure Forms SSO for Mantis application ..... 108
    8.5.2 Create the WebSEAL Junction ..... 108
9 Configure IBM Tivoli Identity Manager ..... 110
  9.1 Initial Configuration ..... 110
  9.2 Create Organizational Roles ..... 111
    9.2.1 Create the Two Organizational Roles ..... 111
  9.3 Create Services ..... 113
    9.3.1 Download and Install the Certificate Authority Certificate ..... 113
    9.3.2 Install the Agent Profiles ..... 114
    9.3.3 Define the Access Manager Agent Service ..... 115
    9.3.4 Define the Access Manager GSO Agent Service ..... 117
  9.4 Create the Identity Policy ..... 120
  9.5 Create the Password Policy ..... 124
  9.6 Create the Initial Provisioning Policies ..... 128
    9.6.1 The Automatic Provisioning Policy ..... 128
    9.6.2 The Manual Provisioning Policy ..... 135
  9.7 Create the Default Access Control Lists ..... 136
    9.7.1 Create the TAM Account Access ACL ..... 136
    9.7.2 Create the TAM GSO Account Access ACL ..... 138
  9.8 Test the Configuration ..... 140
10 Install IBM Tivoli Directory Integrator ..... 143
  10.1 Installation ..... 143
11 Configuring IBM Tivoli Directory Integrator as a TIM Endpoint ..... 146
  11.1 The Mantis MySQL Account and Service Data Model ..... 146
  11.2 Loading the Data Definitions into ITIM ..... 148
  11.3 Configuring ITIM ..... 149
    11.3.1 Modify the Imported Data Model ..... 149
    11.3.2 Define the DSML2 Service to ITIM ..... 150
    11.3.3 Add the DSML2 Service to the Identity Policy ..... 151
    11.3.4 Add the DSML2 Service to the Password Policy ..... 151
  11.4 Defining the ITIM Provisioning Policies for Mantis ..... 153
    11.4.1 Update the Automatic Provisioning Policy ..... 153
    11.4.2 Define the Manual Provisioning Policy ..... 156
    11.4.3 Update the Access Control Lists for Mantis Accounts ..... 156
  11.5 Install the MySQL JDBC Driver for IDI ..... 159
  11.6 Configuring IDI ..... 160
    11.6.1 Creating the Add Account Assembly Line and Connector ..... 160
    11.6.2 Creating the Modify Account Assembly Line and Connector ..... 166
    11.6.3 Creating the Delete Account Assembly Line and Connector ..... 171
    11.6.4 Creating the ITIM Event Handler ..... 175
  11.7 Testing the IDI Endpoint ..... 178
12 Test Cases ..... 180
  12.1 Auto Provision Accounts ..... 180
  12.2 Password Change ..... 184

1 Introduction and Overview

This document
presents a step-by-step example of integrating four different applications in the IBM Tivoli Security Software portfolio – IBM Tivoli Identity Manager v4.5.1, IBM Tivoli Access Manager for e-business v5.1, IBM Tivoli Directory Server v5.2, and IBM Tivoli Directory Integrator v5.2. It is assumed that someone implementing the examples in this paper will have previous experience with each of these products, along with in-depth Windows 2000 and UNIX system administration skills. In addition, LDAP, DB/2 and MySQL database, and TCP/IP networking skills are required to understand the implementation concepts in this paper.

1.1 Scope

1.1.1 Overview

This example integration demonstrates developing an environment that allows for automatic and manual provisioning, and management, of user accounts to the following resources:
• The Identity Manager application
• Access Manager account and group resources (WebSEAL)
• Access Manager Global Sign-on resources
• An open source trouble-ticketing application called Mantis (PHP, MySQL based)

The ultimate objective is to develop an environment that can easily provision accounts to each of these resources with minimal user and administrator effort, and keep passwords synchronized between each of these resources.

1.1.2 Access Control and Management Functions

Access control and management functions will be accomplished in the following manner:
• IBM Tivoli Identity Manager will be the single point of management for all user accounts in this environment.
• IBM Tivoli Access Manager for e-business (WebSEAL) will control access to the Web space using user accounts and group profiles. Identity Manager will provide provisioning services to create, change, and delete Access Manager accounts.
• IBM Tivoli Access Manager will provide a global sign-on (GSO) resource to provide automatic forms-based single sign-on to the Mantis open source trouble-ticketing application. Identity Manager will provide provisioning services to create, change, and delete these Access Manager GSO accounts.
• IBM Tivoli Directory Integrator will function as an Identity Manager endpoint, allowing for provisioning services to create, change, and delete user accounts defined in the Mantis open source application MySQL database. Mantis stores user account and password information in this MySQL database, so a custom process will be developed within Directory Integrator to pass provisioning requests to and from MySQL.

1.1.3 The Mantis Open Source Application

Mantis is a Web-based bug tracking system. It is written in the PHP scripting language and requires a MySQL database and a Web server. Mantis can be installed on Windows, MacOS, OS/2, and a variety of UNIX operating systems. Almost any Web browser should be able to function as a client. It is released under the terms of the GNU General Public License (GPL).

Mantis was chosen as an integration point for this project to emphasize the power of using IBM Tivoli Directory Integrator to integrate third-party applications into an Identity Manager framework. Mantis stores its user account and password information in a MySQL database. Typically, Mantis passwords are stored as MD5 hashes; however, for ease of implementation we decided to configure Mantis to store passwords in clear text format. In the future, we will update this paper to discuss how to convert clear text passwords to MD5 hashed format using JavaScript within Directory Integrator.

1.2 Physical Architecture

1.2.1 Hardware and Software

Three machines comprise the solution. The table below outlines the names, operating systems, and hardware used by the author to develop this scenario.
Hostname: tivoli1
  Operating System: Windows 2000 AS w/SP 4
  Hardware: Pentium 4 3GHz / 2.5GB RAM
  Installed Software:
  • IBM Tivoli Access Manager 5.1 Base
  • IBM Tivoli Directory Server 5.2 (ITIM and ITAM LDAP)
  • IBM Tivoli Directory Integrator
  • ITIM Access Manager Agent
  • ITIM Access Manager GSO Agent
  • DB2 8.1 UDB (ITIM RDBMS)
  • Microsoft Certificate Server

Hostname: tivoli2
  Operating System: Windows 2000 AS w/SP 4
  Hardware: Pentium 4 1.8GHz / 1GB RAM
  Installed Software:
  • IBM Tivoli Identity Manager 4.5.1
  • IBM Tivoli Access Manager 5.2 Web Portal Manager
  • IBM Tivoli Directory Server Web Administration Tool
  • IBM WebSphere Application Server 5.0.2

Hostname: zeus
  Operating System: Red Hat Fedora Core 2
  Hardware: Pentium 3 800 MHz / 512 MB RAM
  Installed Software:
  • IBM Tivoli Access Manager 5.1 WebSEAL
  • Mantis open source application
  • Apache/PHP/MySQL

1.2.2 Physical Architecture Diagram

The following diagram outlines the physical relationships between each component.

Physical Architecture (diagram). Components shown per host: Web Browser PC; TIVOLI1 (Windows 2000 SP4: IBM TAMeb 5.1 Base, IBM Directory Server 5.2, IBM Directory Integrator, ITIM Access Manager Agent, ITIM Access Manager GSO Agent, Microsoft Certificate Server); TIVOLI2 (Windows 2000 SP4: IBM Tivoli Identity Manager 4.5.1, IBM AMeb 5.1 Web Portal Manager, ITDS Directory Server Admin Tool, IBM WebSphere AS 5.0.2); ZEUS (Red Hat Linux Fedora Core: IBM AMeb 5.1 WebSEAL, Mantis Custom Application, Apache Web Server, MySQL Database Server, PHP).

Note that host tivoli2 is intended to be the sole user interface for all Web-based applications that are used to manage resources in this environment. This allows the environment to be created with a single instance of the IBM WebSphere Application Server.
The following applications will be used to manage the environment from tivoli2:
• IBM Tivoli Identity Manager Web Interface
• IBM Tivoli Directory Server LDAP Administration Tool
• IBM Tivoli Access Manager Web Portal Manager

1.3 Provisioning Process Flow

Provisioning user accounts within the IBM Tivoli Identity Manager application will be done using two processes, automatic provisioning and manual provisioning. The user account creation process will be subject to an identity policy (user account structure) and a password policy for both user account creation processes.

1.3.1 Automatic Provisioning

Automatic provisioning specifies that when a person entity is created in ITIM, user accounts will automatically be created for ITIM access, Access Manager, and Mantis. This will involve auto-creating four separate user accounts:
• ITIM account
• Access Manager account
• GSO account for Mantis forms single sign-on (SSO)
• Mantis user account in MySQL

During automatic provisioning, each of the account passwords will automatically be set to the username of the user account. If an account is manually provisioned, the administrator must specify an initial password for each account.

1.3.2 Manual Provisioning

Manual provisioning specifies that when a person entity is created in ITIM, the administrator will have the ability to manually provision the following user accounts:
• ITIM account
• Access Manager account
• GSO account for Mantis forms single sign-on (SSO)
• Mantis user account in MySQL

1.3.3 Provisioning Process Flow Diagram

The diagram below outlines the provisioning process flow:

Provisioning process flow (diagram). Add Person to ITIM, then Decide OrgRole:
- Manual_Provisioning: Prompt for Password; Identity Policy; Password Policy; Decide Accounts.
- Automatic_Provisioning: Identity Policy; Password Policy; Set Password to Username.
Both branches then: Create ITIM Account; Create AM LDAP object and assign groups, sent to the Access Manager Agent; Create AM GSO Account, sent to the Access Manager GSO Agent; and, for Mantis, send a DSML2 request (password encoded in Base64 format) to the IDI Event Handler, which receives the DSML request, decodes the Base64 password, and inserts the account information into MySQL.

1.3.4 Authentication and Authorization Process Flow Diagram

After provisioning the necessary accounts for access, the following process occurs when authenticating and authorizing a user for access to the Mantis application.

Authentication and authorization process flow (diagram). Components: Web Browser, WebSEAL, Access Manager, LDAP, Mantis Web Application, MySQL; the numbered steps correspond to the list below.

1. The Web browser initiates a request to https://zeus/apache/mantis.
2. WebSEAL intercepts the request and prompts the user for an authorized username and password, receives the response from the Web browser user, and sends it on to the Access Manager environment for authentication.
3. WebSEAL and Access Manager authorize the user and build a credential for access.
4.
WebSEAL then builds a global sign-on (GSO) credential for the user, intercepts the logon page that Mantis presents, and automatically submits the GSO credentials to the Mantis logon form for authentication.
5. Mantis checks the submitted user credentials against entries in the MySQL database.
6. The resulting user credential information is passed to the Mantis application and authorized.
7. Mantis sends the application page back through WebSEAL to the requesting browser.

2 Preparing the Environment

2.1 Required Software Media and Downloads

The following CDROMs are required:
• IBM WebSphere Application Server 5.0 for Windows
• IBM DB2 8.1 UDB Enterprise for Windows (also the ITIM Supplemental CD2)
• IBM Tivoli Access Manager 5.2 Directory Server for Windows
• IBM Tivoli Access Manager 5.1 Base for Windows
• IBM Tivoli Access Manager 5.1 Web Security for Linux
• IBM Tivoli Access Manager 5.2 Web Interfaces for Windows
• IBM Tivoli Directory Integrator 5.2 for Windows
• IBM Tivoli Identity Manager 4.5.1 Base WebSphere Install for Windows 2000
• IBM Tivoli Identity Manager 4.5.1 Supplemental Vol 2 for Windows
• IBM Tivoli Identity Manager 4.5.1 Supplemental Vol 3 for Windows

The following downloads are required:
• IBM Tivoli Identity Manager 4.5 Agent v4.5.10 for Access Manager on Windows NT and 2000 (c809CIE.zip)

2.2 User Accounts

2.2.1 tivoli1 User Accounts

Username       Password   Explanation
Administrator  object00   Windows 2000 administrator username and password
db2admin       db2admin   DB2 administrator account
cn=root        object00   LDAP administrator account
sec_master     object00   Access Manager administrator account

2.2.2 tivoli2 User Accounts

Username       Password   Explanation
Administrator  object00   Windows 2000 administrator username and password
enrole         enrole     ITIM database account
db2admin       db2admin   DB2 administrator account

2.2.3 zeus User Accounts

Username  Password  Explanation
root      Object00  UNIX root account
mantis    mantis    Mantis MySQL account (defined in MySQL only)

2.3 tivoli1

The tivoli1 host should be installed as a Windows 2000 Advanced Server SP4, with Internet Information Services, and the Microsoft Certificate Server. The Microsoft Certificate Server can be installed during installation as an additional Windows component, or after installation using Control Panel -> Add/Remove Programs -> Add/Remove Windows Components. Additionally, name your certificate authority ‘ibm’. Set the Administrator password to object00.

You should configure the IIS Web server to listen on port 8080 instead of the default 80. This can be accomplished in the IIS configuration snap-in as shown below.

2.4 tivoli2

The tivoli2 host should be installed as a Windows 2000 Advanced Server SP4. Do not install IIS on this machine. Set the Administrator password to object00. In addition, add a user account called enrole with a password of enrole. Set the properties of the user account for the password to never expire.

2.5 zeus

The zeus host should be installed as a Linux host. The author used Red Hat Fedora Core 2 as the operating system (Warning: not officially supported by IBM/Tivoli). Ensure that the following packages are installed as part of the installation:
1. Apache
2. PHP
3. MySQL

2.5.1 Configure Apache to Listen on Port 8080

1. Log on to a shell account on zeus as root.
2. Edit the /etc/httpd/conf/httpd.conf file and change the listen entry to the following, as shown below:

   listen *:8080

3. Save the httpd.conf file and restart Apache with the following command (Red Hat Linux):

   service httpd restart

2.5.2 Download and Install the Mantis Application on Zeus

1. Log on to a shell account on zeus as root.
2.
Download the Mantis archive from the following location: http://www.mantisbt.org/ The version of Mantis used with this paper is 0.19.0.
3. The default html document root is /var/www/html on Red Hat Linux. Create a directory in /var/www/html called mantis, and set the permissions of the directory to 755 (chmod 755).
4. Copy the downloaded Mantis archive (in this example mantis-0.19.0.tar.gz) to the /var/www/html/mantis directory and untar the installation file with the following command:

   tar zxvf mantis-0.19.0.tar.gz

5. Move the contents of the /var/www/html/mantis/mantis-0.19.0 directory to the /var/www/html/mantis directory with the following command:

   mv mantis-0.19.0/* .

6. Delete the old mantis-0.19.0 directory:

   rm -r mantis-0.19.0

7. Create the MySQL database for Mantis with the command below. When prompted, enter the root password for zeus.

   $ mysql -u root -p
   Enter Password: xxxxxx
   mysql> create database mantis;

8. Type exit at the mysql> prompt.
9. Change directory to /var/www/html/mantis/sql and import the MySQL SQL tables with the command below. When prompted for a password, enter the root password for zeus.

   mysql -u root -p mantis < db_generate.sql

10. Open another MySQL shell session and grant access to the user name mantis with the following commands:

   $ mysql -u root -p mantis
   Enter Password: *****
   mysql> grant all on mantis.* to mantis identified by "mantis";

11. Verify the account was created properly by opening a MySQL shell session and logging on with the new mantis user account (password is mantis). Do not exit the MySQL shell yet.

   $ mysql -u mantis -p mantis
   Enter Password: mantis
   mysql>

12.
Because we will be using clear text passwords, we will update the database table and change the password for the Administrator user to the clear text value admin with the following command: mysql> update mantis_user_table set password=”admin” where username=”Administrator”; Verify the password was updated properly with the following command: mysql> select * from mantis_user_table; IBM Tivoli WW Education Page 15 of 188 A Sample Integration of IBM Tivoli Security Management Products 13. Exit the MySQL shell by typing exit at the mysql> prompt. 14. Change directory to /var/www/html/mantis and rename the config_inc.php.sample file to config_inc.php with the following command: $ mv config_inc.php.sample config_inc.php 15. Edit the config_inc.php file with your favorite text editor (the author chose to use vi) and update the following configuration settings to match the below: $g_hostname $g_db_username $g_db_password $g_database_name = = = = "localhost"; "mantis"; "mantis"; "mantis"; Add the following line anywhere in the configuration file: $g_login_method = “PLAIN”; 16. Save the config_inc.php file and exit. IBM Tivoli WW Education Page 16 of 188 A Sample Integration of IBM Tivoli Security Management Products 17. Remove the directory admin/ with the following command: $ rm –r admin 18. Open a Web browser to the following URL: http://zeus:8080/mantis/ 19. Log on with user name Administrator with a password of admin to verify the installation of Mantis was successful. IBM Tivoli WW Education Page 17 of 188 A Sample Integration of IBM Tivoli Security Management Products 3 Install and Configure IBM Tivoli Directory Server 5.2 3.1 Install the IBM JRE 1. Insert the IBM Tivoli Access Manager Directory Server 5.2 installation CDROM for Windows in the CD drive. Change directory to \windows\JRE and double-click install.exe to start the JRE installation. 2. Choose English as the installation language and click OK. 3. Click Next at the “Welcome” screen. 
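The config_inc.php edit in steps 14 and 15 of section 2.5.2 is easy to get subtly wrong by hand (a missed quote, a setting left at the sample's default). The script below is an added example, not code from the paper or from the Mantis project: it rewrites the $g_* assignments on a constructed stand-in for config_inc.php.sample (the real file is longer but uses the same assignment syntax), re-parses the result so the values actually present in the file are checked rather than assumed, and reports that $g_login_method = "PLAIN" leaves the passwords in mantis_user_table (the "admin" value written in step 12) stored in clear text. The function and constant names are the example's own.

```python
"""Apply and verify the config_inc.php settings from section 2.5.2, steps 14-15.

Added example; it is not part of the paper or of the Mantis project. It rewrites the
$g_* assignments on a constructed stand-in for config_inc.php.sample, then re-parses
the result so that the values actually present in the file are checked.
"""
import re
from pathlib import Path

# Values from step 15 of the paper. g_login_method = "PLAIN" is what makes the
# clear-text "admin" password written in step 12 usable for logon.
SETTINGS = {
    "g_hostname": "localhost",
    "g_db_username": "mantis",
    "g_db_password": "mantis",
    "g_database_name": "mantis",
    "g_login_method": "PLAIN",
}

# One PHP scalar assignment, e.g.:   $g_hostname = "localhost";
ASSIGN_RE = re.compile(r'^[ \t]*\$(g_\w+)[ \t]*=[ \t]*["\']([^"\']*)["\'][ \t]*;',
                       re.MULTILINE)

# Constructed stand-in for the config_inc.php.sample shipped with Mantis 0.19.0.
SAMPLE = """<?php
    $g_hostname      = "localhost";
    $g_db_username   = "root";
    $g_db_password   = "";
    $g_database_name = "bugtracker";
    $g_db_type       = "mysql";
?>
"""


def parse_settings(text):
    """Return {name: value} for every $g_* assignment in the file text."""
    return dict(ASSIGN_RE.findall(text))


def apply_settings(text, settings):
    """Rewrite the assignments named in settings; append any that are missing."""
    present = parse_settings(text)

    def rewrite(match):
        name = match.group(1)
        if name in settings:
            return '    $%s = "%s";' % (name, settings[name])
        return match.group(0)          # keep other settings untouched

    text = ASSIGN_RE.sub(rewrite, text)
    missing = [n for n in settings if n not in present]
    if missing:
        extra = "".join('    $%s = "%s";\n' % (n, settings[n]) for n in missing)
        # Place new lines inside the PHP block, just before the closing tag.
        text = text.replace("?>", extra + "?>", 1) if "?>" in text else text + extra
    return text


def check_settings(text, expected):
    """Return a list of findings: wrong or missing values, and the clear-text caveat."""
    found = parse_settings(text)
    findings = []
    for name, want in expected.items():
        if found.get(name) != want:
            findings.append("%s is %r, expected %r" % (name, found.get(name), want))
    if found.get("g_login_method") == "PLAIN":
        findings.append("g_login_method is PLAIN: mantis_user_table holds passwords in clear text")
    return findings


def configure_file(path, settings=SETTINGS):
    """Edit config_inc.php in place (step 15) and return the findings for the result."""
    cfg = Path(path)
    new_text = apply_settings(cfg.read_text(), settings)
    cfg.write_text(new_text)
    return check_settings(new_text, settings)


if __name__ == "__main__":
    for line in check_settings(apply_settings(SAMPLE, SETTINGS), SETTINGS):
        print(line)
```

On zeus, `configure_file("/var/www/html/mantis/config_inc.php")` performs step 15 after the rename in step 14; an empty findings list means every value matched, and the one PLAIN finding is expected for this paper's setup, since later sections rely on it.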
4. Click Yes to accept the license agreement.
5. Click Next to accept the default installation directory.
6. Click Next at the component installation selection window.
7. Click Yes to install this JRE as the system JVM.
8. Click Next to start copying files.
9. Click Finish to complete the JRE installation.

3.2 Install Directory Server

1. With the IBM Tivoli Access Manager Directory Server 5.2 for Windows installation CDROM in the CD drive, change directory to the root directory and double-click install_ldap_server.exe to start the LDAP installation.
2. Choose English as the installation language and click OK to continue.
3. Click Next at the "Welcome" screen.
4. Click Next to accept the license agreement.
5. Click Next to accept the default installation directory for the GSK kit.
6. Click Next to accept the default installation directory for DB2.
7. Click Next to accept the default installation directory for the IBM Tivoli Directory Server.
8. Enter db2admin for the DB2 administrator ID with a password of db2admin, and accept the default database home and database name parameters. Then click Next to continue.
9. Enter object00 for the Administrator ID password, and o=ibm,c=US for the user-defined suffix. Click Next to continue.
10. Enter key4ssl as the SSL key file password, accept the defaults for the rest of the parameters, and click Next.
11. Review the configuration options and click Next to start the installation.
12. When prompted to reboot the machine, click Next.
13. After the machine reboots, log on as Administrator and the installation will continue. Choose English as the installation language and click OK.
14. The installation process will complete. Click Finish to complete the installation.
15. Open Start → Programs → Administrative Tools → Services. Verify the IBM Tivoli Directory Server service startup type is set to Automatic.
16. Right-click the service entry for IBM Tivoli Directory Server and click Start to start the LDAP server. Verify the service is started in the services list.

4 Install and Configure IBM Tivoli Access Manager 5.1

4.1 Install the Access Manager Policy Server

1. Log on to tivoli1 as Administrator and place the IBM Tivoli Access Manager 5.1 Base for Windows CDROM in the CD drive, open the root folder of the CD, and double-click install_ammgr.exe to start the policy server installation.
2. Choose English as the installation language and click OK to continue.
3. Click Next at the welcome screen.
4. Accept the terms of the license agreement and click Next.
5. Choose LDAP as the user registry and click Next.
6. Accept the default installation directory and click Next.
7. Enable the Tivoli Common Directory for logging and click Next.
8. Enter tivoli1 for the LDAP server host name, do not enable SSL, and click Next.
9. Enter object00 as the Tivoli Access Manager Administrator password, cn=root for the LDAP Administrator DN, and object00 for the LDAP Administrator password. Then click Next.
10. Review the installation options and click Next.
11. Click Next when prompted to reboot the machine.
12. After the reboot, log on as Administrator. The installation process will continue. Choose English as the installation language and click OK.
13. Verify each component was installed successfully and click Finish.
14. Reboot the machine again to complete the installation.

4.2 Install WebSEAL

1. Open a shell session on zeus and log on as root. Set up your Xresource and Xdisplay variables accordingly if you are logging on remotely, as you will need an X desktop to install the WebSEAL application.
2. Mount the Tivoli Access Manager Web Security for Linux CDROM using the following command:
       $ mount -t iso9660 /dev/cdrom /mnt/cdrom
3. Change directory to the root of the CDROM by typing cd /mnt/cdrom.
4. Install the IBM Java JRE with the following command:
       rpm -ivh xSeries/IBMJava2-JRE-1.3.1.3.i386.rpm
   NOTE: If using Fedora Core for this installation, do not install the IBM JRE. The Sun JRE will be required. Download the Linux Sun JRE from http://www.java.com and follow the installation instructions there before proceeding.
5. Start the WebSEAL installation by executing ./install_ameb. Choose English as your installation language and click OK.
6. Click Next at the welcome screen.
7. Accept the terms of the license agreement and click Next.
8. Choose LDAP as the user registry and click Next.
9. Check the box to enable Tivoli Common Directory for logging and click Next.
10. Specify the policy server host name as tivoli1, and accept the defaults for all the other options.
11. Enter the LDAP server host name as tivoli1, and leave the port at the default of 389.
12. Accept the defaults for the instance options and click Next.
13. Enter the Administrator password as object00 and click Next.
14. Choose NO for enabling SSL for communications with the IBM Directory Server and click Next.
15. Choose YES to allow HTTP access and click Next.
16. Accept the default port for HTTP access (80) and click Next.
17. Choose YES to allow HTTPS access and click Next.
18. Accept the default port for HTTPS access (443) and click Next.
19. Accept the default for the Web document root directory and click Next.
20. Review the configuration options and click Next to install. The Access Manager Java Runtime and the WebSEAL server will be installed.
21. Verify that the installation was successful for all components and click Finish to complete the installation.

5 Install IBM Tivoli Identity Manager 4.5.1

5.1 DB2 Installation

5.1.1 Install the DB2 8.1 UDB Base Code

1. Log on to tivoli2 as Administrator and place the IBM DB2 UDB 8.1 for Windows CDROM in the CD drive. Then double-click setup.exe to start the installation.
2. Click Install Products.
3. Click Next.
4. Click Next.
5. Accept the terms of the license agreement and click Next.
6. Choose Typical for the installation type and click Next.
7. Click OK at the APPC Warning window.
8. Choose Install DB2 Enterprise Server Edition on this computer and click Next.
9. Accept the installation folder defaults by clicking Next.
10. Enter db2admin as the user name and db2admin as the password, and click Next.
11. Choose Local and click Next.
12. Click OK at the warning.
13. Click Next at the Configure DB2 instances window.
14. Choose Do not prepare and click Next.
15. Choose Defer the task and click Next.
16. Click Install to start copying files.
17. When the setup is complete, click Finish.
18. Click Exit First Steps to complete.

5.1.2 Install the DB2 8.1 UDB Fixpack 2

1. Log on to tivoli2 as Administrator, place the IBM Tivoli Identity Manager 4.5.1 Supplemental Volume 3 for Windows CDROM in the CD drive, and start the update.exe executable.
2. When prompted to shut down running DB2 processes, click YES.
3. Choose Update to install the fixpack.
4. Click Finish to complete the installation.
5. Click Exit First Steps to finish.
5.1.3 Configure DB2 for ITIM

1. Log on to tivoli2 as Administrator and open a DB2 Command Window by executing Start → Programs → IBM DB2 → Command Line Tools → Command Window.
2. Run the following commands in order to create the ITIM database and configure it with the appropriate options:
       db2 create db itimdb using codeset UTF-8 territory US
       db2 update db cfg for itimdb using applheapsz 384
       db2 update db cfg for itimdb using app_ctl_heap_sz 512
       db2 connect to itimdb
       db2 create bufferpool enrolebp size -1 pagesize 32k
       db2set DB2_RR_TO_RS=YES
       db2 force application all
       db2stop
       db2start

5.2 LDAP Configuration

5.2.1 Configure LDAP for ITIM

1. Log on to tivoli1 as Administrator and stop the IBM Tivoli Directory Server service by clicking Start → Programs → Administrative Tools → Services and stopping the service.
2. Open the c:\Program Files\IBM\LDAP\etc\ibmslapd.conf file in Notepad.
3. Locate the line that reads:
       ibm-slapdSuffix: cn=localhost
   and add a line below it that reads:
       ibm-slapdSuffix: dc=com
4. Save the file and exit Notepad.
5. Insert the IBM Tivoli Identity Manager 4.5 Supplemental Volume #2 for Windows CDROM into the CD drive and open the \DelRef directory in Windows Explorer.
6. Copy the timdelref.conf file from the CDROM to the C:\Program Files\IBM\LDAP\etc directory on tivoli1.
7. Change directory in Windows Explorer to \DelRef\nt and copy the libdelref.dll file to the C:\Program Files\IBM\LDAP\bin directory.
8. Open the c:\Program Files\IBM\LDAP\etc\ibmslapd.conf file in Notepad again.
9. Search for the following line in the ibmslapd.conf file:
       ibm-slapdPlugin: database /bin/libback-rdbm.dll rdbm_backend_init
10. Add the following line directly under the above line:
       ibm-slapdPlugin: preoperation /bin/libdelref.dll DeleteReferenceInit file="c:\Program Files\ibm\ldap\etc\timdelref.conf" dn=dc=com
11. Next, search for the following two lines in the ibmslapd.conf file:
       dn: cn=Front End, cn=Configuration
       cn: Front End
12. Add the following line directly under the above two lines:
       ibm-slapdsetenv: SLAPD_OCHANDLERS=2
13. Save the ibmslapd.conf file in Notepad and exit.
14. Click Start → Programs → Administrative Tools → Services and start the IBM Tivoli Directory Server 5.2 service.
15. Create a new document in Notepad with the filename suffix.ldif and save the file to the root of the C:\ drive. The file should contain the following text:
       dn: dc=com
       dc: com
       objectclass: top
       objectclass: domain
16. Open a Command Window and type the following command to import the suffix.ldif file into LDAP:
       ldapadd -i c:\suffix.ldif -D cn=root -w object00

5.3 Install ITIM 4.5.1

1. On tivoli2, insert the IBM Tivoli Identity Manager 4.5.1 Base WebSphere for Windows Installation CDROM in the CD drive, open the root of the CD drive in Windows Explorer, and double-click the instWIN-WAS.exe file.
2. Choose English as the installation language and click OK.
3. Click Next to accept the terms of the license agreement.
4. Choose a Single Server installation type and click Next.
5. Accept the default directory of C:\itim45 and click Next.
6. Choose IBM DB2 as the database type and click Next.
7. Click Continue at the 'Run usejdbc2 command' message.
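Steps 3, 10, 12 and 15 of section 5.2.1 are anchor-based edits to ibmslapd.conf plus a four-line LDIF file, which is the kind of thing worth scripting when the environment is rebuilt. The script below is an added example, not code from the paper or from IBM: it works on a constructed fragment of ibmslapd.conf that contains only the anchor lines the paper names (the real file is much longer), inserts each new line directly under its anchor exactly as the steps instruct, skips lines that are already present so a rerun after a half-finished Notepad session does not duplicate them, and refuses to continue when an anchor is missing rather than appending the line somewhere it would not be read. The function and constant names are the example's own.

```python
"""Apply the ibmslapd.conf edits from section 5.2.1 (steps 3, 10 and 12) and build
the suffix.ldif of step 15.

Added example; it is not part of the paper or of IBM Tivoli Directory Server.
CONF_SAMPLE is a constructed fragment carrying the anchor lines from the paper.
"""

PLUGIN_LINE = ("ibm-slapdPlugin: preoperation /bin/libdelref.dll DeleteReferenceInit "
               "file=\"c:\\Program Files\\ibm\\ldap\\etc\\timdelref.conf\" dn=dc=com")

# (consecutive anchor lines that must already exist, line to add directly under them)
EDITS = [
    (["ibm-slapdSuffix: cn=localhost"],
     "ibm-slapdSuffix: dc=com"),
    (["ibm-slapdPlugin: database /bin/libback-rdbm.dll rdbm_backend_init"],
     PLUGIN_LINE),
    (["dn: cn=Front End, cn=Configuration", "cn: Front End"],
     "ibm-slapdsetenv: SLAPD_OCHANDLERS=2"),
]

# Constructed fragment; only the anchor lines and the o=ibm,c=US suffix chosen in
# section 3.2, step 9, come from the paper.
CONF_SAMPLE = """dn: cn=Configuration
cn: Configuration
ibm-slapdSuffix: cn=localhost
ibm-slapdSuffix: o=ibm,c=US
ibm-slapdPlugin: database /bin/libback-rdbm.dll rdbm_backend_init

dn: cn=Front End, cn=Configuration
cn: Front End
"""


def find_anchor(lines, anchor):
    """Index of the last anchor line at its first occurrence, or -1 if absent."""
    n = len(anchor)
    for i in range(len(lines) - n + 1):
        if [l.rstrip() for l in lines[i:i + n]] == anchor:
            return i + n - 1
    return -1


def apply_edits(conf_text, edits=EDITS):
    """Return (new_text, actions). Raises ValueError when an anchor is missing."""
    lines = conf_text.splitlines()
    actions = []
    for anchor, new_line in edits:
        if new_line in [l.rstrip() for l in lines]:
            actions.append("present: " + new_line)   # idempotent rerun
            continue
        idx = find_anchor(lines, anchor)
        if idx < 0:
            raise ValueError("anchor line not found: %r" % anchor[-1])
        lines.insert(idx + 1, new_line)               # directly under the anchor
        actions.append("added: " + new_line)
    return "\n".join(lines) + "\n", actions


def suffix_ldif(dc="com"):
    """Contents of suffix.ldif (step 15); dc=com is the value the paper uses."""
    return "dn: dc=%s\ndc: %s\nobjectclass: top\nobjectclass: domain\n" % (dc, dc)


def update_conf_file(path, edits=EDITS):
    """Edit ibmslapd.conf in place and return the actions taken."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    new_text, actions = apply_edits(text, edits)
    with open(path, "w", encoding="utf-8") as f:
        f.write(new_text)
    return actions


if __name__ == "__main__":
    for action in apply_edits(CONF_SAMPLE)[1]:
        print(action)
    print(suffix_ldif(), end="")
```

Run it with the Directory Server service stopped (step 1); after starting the service again (step 14), write `suffix_ldif()` to c:\suffix.ldif and import it with the ldapadd command of step 16.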
8. Accept the default configuration entries for the WebSphere Application Server and click Next.
9. Click OK at the 'Check Disk Space' message.
10. Accept the defaults for the WebSphere Application Server and click Next.
11. Enter the Administrator password object00 and click Next.
12. Accept the default encryption key and click Next.
13. Click Install at the Pre-install summary.
14. When prompted, insert the WebSphere Application Server 5.0 for Windows Installation CDROM in the CD drive, and enter the drive letter and path to the installation CD image. Then click OK. The WebSphere Application Server will be installed and the installation program will automatically apply Fixpack 02. This will take a few minutes, so be patient, very patient.
15. Enter itimdb as the database name, db2admin as the Admin ID, and db2admin as the Admin password, then click Test.
16. The database connection should be successful. Click OK.
17. Enter the User Password at the bottom as enrole and click Continue.
18. The DB2 tables will now be created. When finished, you will see the following dialog box. Click OK.
19. Enter cn=root for the Principal DN, object00 as the password, and tivoli1 as the host name, and click Test.
20. The LDAP connection should be successful. Click OK to continue.
21. Enter IBM Tivoli WW Education as the name of your organization, IBM_TIV_WW_EDU as the default org short name, and dc=com as the Identity Manager DN location, and click Continue.
22. The LDAP configuration will continue. When completed, click OK.
23. The system configuration utility will now load. Click the Mail tab and enter mail.ibm.com as the mail server name. Then click OK to apply the changes.
24. When the install completes, click Done.
25. Open Start → Programs → Administrative Tools → Services. Verify the WebSphere Application Server server1 startup type is set to Automatic.
26. Reboot the tivoli2 machine.
27. After the reboot is complete, open Internet Explorer to the following URL:
       http://tivoli2/enrole
   Verify that a logon screen is presented for ITIM.

6 Install and Configure the Web Interfaces

We will install both the Access Manager Web Portal Manager (WPM) and the Directory Server Web Administration Tool on tivoli2. The tivoli2 machine will be the primary Web interface host for managing all functions in this environment. Log on to tivoli2 as Administrator and follow the instructions below.

6.1 Install the IBM JRE on tivoli2

1. Insert the IBM Tivoli Access Manager Web Interfaces for Windows CDROM in the CD drive, open the /Windows/JRE directory, and double-click install.exe.
2. Choose English as the installation language and click OK.
3. Click Next at the welcome screen.
4. Click Yes to accept the license agreement.
5. Click Next to accept the default installation directory for the JRE.
6. Click Next at the select components window.
7. Click Yes to install as the System JVM.
8. Click Next.
9. Click Finish.

6.2 Install the IBM Tivoli Access Manager Web Portal Manager (WPM)

1. Insert the IBM Tivoli Access Manager Web Interfaces for Windows CDROM in the CD drive on tivoli2, open the /Windows/PolicyDirector/Disk Images/Disk1 directory, and double-click Setup.exe.
2. Choose English as the install language and click Next.
3. Click Next.
4. Click Yes.
5. Choose the Access Manager Java Runtime Environment and the Access Manager Web Portal Manager and click Next.
6. Click Next.
7. Click Next. The components will now install.
8. Click OK.
9. Open Windows Explorer to the C:\Program Files\Tivoli\Policy Director\Java\export\pdjte directory. Copy the PD.jar file located there to the following directory:
       C:\Program Files\WebSphere\AppServer\java\jre\lib\ext
   You will be prompted to replace the existing PD.jar file. Click Yes to do so.
10. Close Windows Explorer and open a Command Window. Change directory in the command window to c:\Program Files\Tivoli\Policy Director\sbin. Execute the following command in the window:
       pdjrtecfg -action config -interactive
11. Choose Full and click Next.
12. Click Next.
13. Enter tivoli1 as the host name and click Next. (Verify tivoli1, not tivoli2.)
14. Enable the Common Directory for logging and click Next.
15. Click OK.
16. Back in the Command Window, execute the following command:
       amwpmcfg -action config -interactive
17. Click Next.
18. Enter tivoli1 as the host name for the policy server and click Next.
19. Enter sec_master as the Administrator ID and object00 as the password and click Finish.
20. The installation will take several minutes; be patient.
21. Click OK.
22. Open Start → Programs → Administrative Tools → Services and restart both of the following services:
   • IBM WebSphere Application Server V5 – server1
   • IBM HTTP Server 1.3.26
23. Open Internet Explorer to the following URL and verify a logon page is received:
       http://tivoli2/pdadmin
24. Log on with sec_master as the User Id and object00 as the password. A successful logon indicates a successful WPM installation.

6.3 Install the IBM Tivoli Directory Server Web Administration Tool

1. Insert the IBM Tivoli Access Manager Web Interfaces for Windows CDROM in the CD drive and open the /Windows/Directory directory. Double-click setup.exe.
2. Choose English as the installation language and click OK.
3. Click Next.
4. Click Next to accept the terms of the license agreement.
5. Click Next.
6. Click Next.
7. Choose English and click Next.
8. Choose only the Web Administration Tool 5.2 and click Next.
9. Click Next.
10. Click Next.
11. Choose Yes, restart my computer, and click Next.
12. After the tivoli2 host finishes the reboot process, open Internet Explorer while on tivoli2 to the following URL:
       http://tivoli2:9090/admin
   Log on as admin and click OK.
13. Click Applications → Install Application.
14. Enter the following parameters and click Next. Be patient, as it takes a few moments to upload the war file to the Web server.
       Local Path:   C:\Program Files\IBM\LDAP\idstools\IDSWebApp.war
       Context Root: IDSWebApp
15. Accept the defaults and click Next at the next four screens.
16. Click Finish at the fifth screen.
17. Click the Save to Master Configuration link.
18. Click Save to save to the master configuration.
19. Click Enterprise Applications.
20. Select the check box next to IDSWebApp_war and click Start.
21. Verify the IDS Web Application starts (green arrow).
22. Open Internet Explorer to the following URL:
       http://tivoli2:9080/IDSWebApp/IDSjsp/Login.jsp
   Log on as superadmin with a password of secret.
23. In the left pane, click Console administration to expand it, and then click Manage console servers.
24. Click Add.
25. Enter tivoli1 as the host name and click OK.
26. Click Logout to log out of the administrative interface.
27. Open Internet Explorer to the following URL again:
       http://tivoli2:9080/IDSWebApp/IDSjsp/Login.jsp
   Choose tivoli1 as the LDAP host name, and log on with cn=root as the username and object00 as the password.
28. Click Directory Management → Manage Entries. Entries in the LDAP database should be displayed.
29. Click Logout to log out of the administrative interface. This completes the installation of the Web interfaces.

7 Install and Configure IBM Tivoli Identity Manager Agents

For the tasks in this section, we will be working on the tivoli1 host.
7.1 Install the Access Manager ITIM Agent

1. Unzip the IBM Tivoli Identity Manager 4.5 Agent v4.5.10 for Access Manager on Windows NT and 2000 (c809CIE.zip) file into a temporary directory and open the folder in Windows Explorer. Double-click setup.exe to start the installation.
2. Click Next at the welcome screen.
3. Choose Yes to accept the terms and conditions and click Next.
4. Click Next to accept the default agent installation directory.
5. Click Next at the installation summary screen.
6. Enter sec_master as the Administrator account and object00 as the password.
7. The installation of the agent will now begin. When finished, you may see the error message below referencing a JRE issue. You may ignore it. Click Finish to complete the Access Manager Agent installation.
8. Open Start → Programs → Administrative Tools → Services and verify the Access Manager Agent is started and is set to start automatically on boot.

7.2 Configure the Access Manager Agent

7.2.1 Configure Protocol Settings

1. Open a Command Window and change directory to c:\Tivoli\Agents\TAM4Agent\bin.
2. Enter the command agentCfg -agent TAM4Agent to start the agent configuration program. Enter agent when prompted for the configuration key.
3. At the menu, enter B to choose the protocol configuration menu.
4. Enter C to configure a protocol.
5. Enter A to configure the DAML protocol.
6. Do the following:
   • Enter A and set the port to 45580
   • Enter B and set the username to tam4agent
   • Enter C and set the password to tam4agent
7. Enter X four times to exit the agent configuration application.
8. Open Start → Programs → Administrative Tools → Services and restart the Access Manager Agent.

7.2.2 Certificate Installation

9. Open a Command Window and change directory to c:\Tivoli\Agents\TAM4Agent\bin.
10. Enter the command certtool -agent TAM4Agent to start the agent certificate installation program. Choose A to generate a private key and certificate request.
11. Enter the following values for the certificate request and accept the values by entering Y.
   • Enter the organization as ibm
   • Enter the organizational unit as IBMWWEDU
12. Enter the file name to store the request as request.pem. After the file is written, press the Enter key to continue.
13. Open Internet Explorer to http://tivoli1:8080/certsrv. Choose Request a Certificate and click Next.
14. Choose Advanced Request and click Next.
15. Leaving Internet Explorer open in the background, use Windows Explorer to open the request.pem file you just created in Notepad. The file resides in the C:\Tivoli\Agents\TAM4Agent\bin directory.
16. Within Notepad, type Ctrl-A to select all text, then select Edit → Copy to copy the contents of the certificate request to the clipboard.
17. Return to the Internet Explorer browser and paste the contents of the clipboard into the Saved Request text box by clicking in the text box and typing Ctrl-V. Then click Submit to submit the certificate request.
18. You should see the certificate pending notification. Click Home to continue.
19. Open the Certificate Authority tool by clicking Start → Programs → Administrative Tools → Certification Authority.
20. Click IBM → Pending Requests. Then right-click the pending certificate request and click All Tasks → Issue. This issues the certificate.
21. Return to the home page of the Certificate Server in Internet Explorer. Choose Check on a pending certificate and click Next.
22. Click Next.
23. Choose to download the certificate in DER format, and then click Download Certificate.
24. Save the file as tam4agent.cer in the c:\Tivoli\Agents\TAM4Agent\bin directory.
25. Click Home on the Certificate Services Web page. Choose the Retrieve the CA Certificate option and click Next.
26. Choose the Current CA, DER encoded, and click Download CA Certificate.
27. Save the file as ca.cer in the c:\Tivoli\Agents\TAM4Agent\bin directory.
28. Open a Command Window, change directory to c:\Tivoli\Agents\TAM4Agent\bin, and start the agent certificate installation tool by entering the command certtool -agent TAM4Agent. Choose F to install the CA certificate.
29. Enter the name ca.cer for the certificate file, and type Y to install the CA certificate.
30. Type B at the menu prompt, and enter the certificate name to install as tam4agent.cer.
31. Type X four times to exit the certificate installation tool. You have completed the SSL certificate installation for the Access Manager Agent.

7.3 Install the Access Manager GSO Agent

1. Open the temporary directory where the Access Manager ITIM agent was unzipped. Change directory to the TAM41-GSO-Win-4.5.2 directory and double-click setup.exe to start the installation application.
2. Click Next at the welcome screen.
3. Accept the terms of the license agreement and click Next.
IBM Tivoli WW Education Page 89 of 188 A Sample Integration of IBM Tivoli Security Management Products 4. Click Next to accept the default installation directory. 5. Click Next at the installation summary screen. 6. Enter sec_master as the Access Manager Administrator account and object00 as the password. IBM Tivoli WW Education Page 90 of 188 A Sample Integration of IBM Tivoli Security Management Products 7. The installation of the agent will now begin. When finished, you may see the error message below referencing a JRE issue. You may ignore it. Click Finish to complete the Access Manager GSO Agent installation. 8. Open Start Æ Programs Æ Administrative Tools Æ Services and verify the Access Manager Agent is started and the startup type is set to Automatic. IBM Tivoli WW Education Page 91 of 188 A Sample Integration of IBM Tivoli Security Management Products 7.4 7.4.1 Configure the Access Manager GSO Agent Configure Protocol Settings 1. Open a Command Window and change directory to c:\Tivoli\Agents\TAMGSOAgent\bin. 2. Enter the command agentCfg –agent TAMGSOAgent to start the agent configuration program. Enter agent when prompted for the configuration key. 3. At the menu, enter B to choose the protocol configuration menu. 4. Enter C to configure a protocol. 5. Enter A to configure the DAML protocol. 6. Do the following: Enter A and set the port to 45581 Enter B and set the username to tamgsoagent Enter C and set the password to tamgsoagent IBM Tivoli WW Education Page 92 of 188 A Sample Integration of IBM Tivoli Security Management Products 7. Enter X four times to exit the agent configuration application. 8. Open Start Æ Programs Æ Administrative Tools Æ Services and restart the Access Manager GSO Agent. 7.4.2 Certificate Installation 1. Open a Command Window and change directory to c:\Tivoli\Agents\TAMGSOAgent\bin. 2. Enter the command certtool –agent TAMGSOAgent to start the agent certificate installation program. 
Choose A to generate a private key and certificate request.
3. Enter the following values for the certificate request and accept the values by entering Y.
   • Enter the organization as ibm
   • Enter the organizational unit as IBMWWEDU
4. Enter the file name to store the request as request.pem. After the file is written, press the Enter key to continue.
5. Open Internet Explorer to http://tivoli1:8080/certsrv. Choose Request a Certificate and click Next.
6. Choose Advanced Request and click Next.
7. Leave Internet Explorer open in the background and use Windows Explorer to open the request.pem file you just created in Notepad. The file resides in the C:\Tivoli\Agents\TAMGSOAgent\bin directory.
8. Within Notepad, press CTRL-A to select all the text, then select Edit → Copy to copy the contents of the certificate request to the clipboard.
9. Return to the Internet Explorer window and paste the contents of the clipboard into the Saved Request text box by clicking in the text box and pressing Ctrl-V. Then click Submit to submit the certificate request.
10. You should see the certificate pending notification. Click Home to continue.
11. Open the Certificate Authority tool by clicking Start → Programs → Administrative Tools → Certification Authority.
12. Click IBM → Pending Requests. Then right-click the pending certificate request and click All Tasks → Issue. This issues the certificate.
13. Return to the home page of the Certificate Server in Internet Explorer. Choose Check on a pending certificate and click Next.
14. Click Next.
15. Choose to download the certificate in DER format, and then click Download Certificate.
16. Save the file as tamgsoagent.cer in the c:\Tivoli\Agents\TAMGSOAgent\bin directory.
17. Click Home on the Certificate Services page. Choose the Retrieve the CA Certificate option and click Next.
18. Choose the Current CA, DER encoded, and click Download CA Certificate.
19. Save the file as ca.cer in the c:\Tivoli\Agents\TAMGSOAgent\bin directory.
20. Open a Command Window, change directory to c:\Tivoli\Agents\TAMGSOAgent\bin, and start the agent certificate installation tool by entering the command certtool -agent TAMGSOAgent. Choose F to install the CA certificate.
21. Enter the name ca.cer for the certificate file, and type Y to install the CA certificate.
22. Enter B at the menu prompt, and enter the certificate name to install as tamgsoagent.cer.
23. Type X four times to exit the certificate installation tool.

You have completed the SSL certificate installation for the Access Manager GSO Agent.

8 Configure Access Manager

8.1 Create the apache-group Group

1. Open Internet Explorer to the URL: http://tivoli2/pdadmin.
2. Log on as sec_master with a password of object00.
3. Click Group → Create Group. Create the group with the following parameters:
   • Group Name: apache-group
   • Registry GID: cn=apache-group,cn=SecurityGroups,secAuthority=Default
   Click Create to create the group.

8.2 Secure the Web Space

1. Open Internet Explorer to the URL: http://tivoli2/pdadmin.
2. Log on as sec_master with a password of object00.
3. Click Object Space → Create Object Space.
Create the object space with the following parameters:
   • Object Space Name: /WebSEAL/[webseal-hostname]-default/apache/mantis
   • Description: Mantis Object Space
   Click Create to create the object space. Then click Done.
4. Click ACL → Create ACL. Create the ACL with the following parameters:
   • ACL Name: mantis-acl
   • Description: Mantis ACL
   Click Create to create the ACL. Then click Done.
6. Click the ACL entry mantis-acl that you just created.
7. Click Create to create an ACL entry.
8. Choose Group as the entry type, and enter the name apache-group for the entry name. Select the Traverse, Read, Execute, and List Directory permissions and click Apply, then click Done.
9. Click Object Space → Browse Object Space, and click the link for the following location in the object space: /WebSEAL/[webseal-hostname]-default/apache/mantis
10. Click Attach in the ACL Attached section.
11. Choose the mantis-acl and click Apply. Click Apply again to apply the changes.
12. Click Object Space → Browse Object Space, and then click Refresh. Navigate to the following location in the object space and verify that the ACL was attached: /WebSEAL/[webseal-hostname]-default/apache/mantis
13. Click Sign Off at the bottom to sign out of the Web application.

8.3 Create the Mantis GSO Resource

1. Open Internet Explorer to the URL: http://tivoli2/pdadmin.
2. Log on as sec_master with a password of object00.
3. Click GSO Resource → List GSO. Then click Create to create a new GSO resource.
4. Enter mantis as the GSO name, and click Create.
5. Click Done. This completes creating the GSO resource.

8.4 Modify the Access Manager Password Policy

1. Open Internet Explorer to the URL: http://tivoli2/pdadmin.
2. Log on as sec_master with a password of object00.
3. Click User → Show Global User Policy. Unset the following policy entries:
   • Minimum Password Length
   • Minimum Password Alphas
   • Minimum Password Non-Alphas
   • Max Password Repeated Characters
   • Password Spaces Allowed
   • Account Expiration Date
   • Time of Day Access
   We are unsetting these parameters because we are going to allow ITIM to manage the password policies for this environment, and we do not want a conflict between the two.

8.5 Configure WebSEAL

8.5.1 Configure Forms SSO for the Mantis Application

Forms single sign-on allows WebSEAL to transparently log an authenticated Tivoli Access Manager user into a back-end junctioned application server that requires authentication via an HTML form. Forms single sign-on supports existing applications that use HTML forms for authentication and cannot be modified to directly trust the authentication performed by WebSEAL. Enabling forms single sign-on produces the following results:
   • WebSEAL interrupts the authentication process initiated by the back-end application.
   • WebSEAL supplies the data required by the login form and submits the login form on behalf of the user.
   • WebSEAL saves and restores all cookies and headers.
   • The user is unaware that a second login is taking place.
   • The back-end application is unaware that the login form is not coming directly from the user.
WebSEAL must be configured to:
   • Recognize and intercept the login form.
   • Fill in the appropriate authentication data.
We will enable forms single sign-on for the Mantis application by:
   • Creating a configuration file that specifies how the login form is to be recognized, completed, and processed.
   • Enabling forms single sign-on by creating the appropriate junction with the -S option (which specifies the location of the configuration file).
To enable forms SSO for the Mantis application, do the following on the zeus WebSEAL host.
1. Log on to a shell session on zeus.
2. Create a text file with the following configuration information and save it in the /opt/pdweb/etc directory with the file name fsso.conf.

   /opt/pdweb/etc/fsso.conf:

   [forms-sso-login-pages]
   login-page-stanza = login-page-one

   [login-page-one]
   login-page = /mantis/login_page.php
   login-form-action = login.php*
   gso-resource = mantis
   argument-stanza = args-for-login-page-one

   [args-for-login-page-one]
   username = gso:username
   password = gso:password

8.5.2 Create the WebSEAL Junction

1. Log on to a shell session on zeus.
2. Type pdadmin and log in as sec_master with a password of object00.
3. Enter the command server list to verify the WebSEAL instance name. In this example default-webseald-zeus.lcblanton-int.local is the default WebSEAL instance name.
4. Enter the following command to create the junction. Note the use of the -S option to create the junction using the fsso.conf file.

   server task [webseal-instance-name] create -t tcp -h zeus -P 8080 -S /opt/pdweb/etc/fsso.conf /apache

   Replace [webseal-instance-name] with the default WebSEAL instance name determined in step 3.
5. The junction will have been created in WebSEAL on /apache.

9 Configure IBM Tivoli Identity Manager

9.1 Initial Configuration

In this section, we will configure Identity Manager with the necessary objects to provision user accounts in the environment.
To complete these tasks, log on to the ITIM Web interface by pointing your Internet Explorer browser to the following URL: http://tivoli2/enrole
Log on with the following user name and password:
   Username: ITIM Manager
   Password: secret
You will initially be presented with a change password screen. Change the password for the ‘ITIM Manager’ account to object00 and submit the change.

9.2 Create Organizational Roles

An organizational role is a method of classifying users based on their role in the organization. For instance, a company may create organizational roles for the various functions that exist within each department. Depending on the nature of the organization and the complexity of the organization tree, several organizational roles can be created to suit the needs of the organization. Placing a user in an organizational role authorizes the user to have access to certain resources in the organization. For this example, we will create two organizational roles within ITIM:

   Role: Auto_Provisioned_Users
   Description: When created as a person in ITIM, users belonging to this role will automatically be provisioned with user accounts, with no intervention by the administrator.

   Role: Manual_Provisioned_Users
   Description: When created as a person in ITIM, users belonging to this role must have each account manually provisioned by an administrator.

9.2.1 Create the Two Organizational Roles

To create the Auto_Provisioned_Users organizational role, follow these steps:
1. Log on to the ITIM Web interface as the ITIM Manager.
2. Click the My Organization tab.
3. Click the IBM Tivoli WW Education entry in the organization chart, and click Manage Organizational Roles on the left toolbar, then click Add to add a new organizational role.
4. Choose a Static type of role to add and click Continue.
5. Enter the name Auto_Provisioned_Users as the name and a short description for the role, and then click Submit.
6. Following the same process as above, create the static organizational role Manual_Provisioned_Users and verify that both appear in the list of organizational roles.

9.3 Create Services

A service represents a resource that a user can subscribe to which provides a needed function to that user. Before services can be added to IBM Tivoli Identity Manager, a service profile must be installed so the agents are recognized. A service profile is a generic description of a particular type of agent. It describes how that agent works and the attributes it supports, provides service and account forms, and so on. In this section we will install both the Access Manager Agent profile and the Access Manager GSO Agent profile. We will then define both agents that we installed on tivoli1 as services in ITIM.

9.3.1 Download and Install the Certificate Authority Certificate

We must install the CA certificate from the certificate authority that we used to create the certificates for each agent. This ensures that the ITIM server can complete SSL communications with each of the agents.
1. On the ITIM server tivoli2, open Internet Explorer to the following URL: http://tivoli1:8080/certsrv
2. Choose Request the CA certificate or certificate revocation list and click Next.
3. Choose the current CA certificate, choose DER encoded, and click Download CA certificate.
4. When prompted with the File Download pop-up, choose to save the file in the directory c:\itim45\cert with the file name ca.cer.
5. Verify that the certificate was saved in this directory.
6. This completes the installation of the CA certificate.
9.3.2 Install the Agent Profiles

We will be executing these instructions on the ITIM server tivoli2.
1. Locate the ZIP file for the Access Manager ITIM agent.
2. Unzip the agent ZIP file into a temporary directory.
3. To run the Access Manager Agent profile installation, double-click tam4profile.exe in the root of the directory.
4. Click Next at the welcome screen, then enter c:\itim45 as the ITIM installation directory and click Next.
5. Click Next at the installation summary screen to install the Access Manager Agent profile.
6. In the same folder that you unzipped the agent installation files into, change directory to the TAM41-GSO-Win-4.5.2 directory and double-click tamgsoprofile.exe to install the GSO Agent profile.
7. Use the same installation instructions as for the tam4agent profile installation to complete the GSO Agent profile installation.
8. Restart the ITIM server to allow the profile installation changes to take effect.

9.3.3 Define the Access Manager Agent Service

1. To complete these tasks, log on to the ITIM Web interface by pointing your Internet Explorer browser to the following URL: http://tivoli2/enrole
2. Log on as the ITIM Manager with a password of object00.
3. Click the Provisioning tab at the top, and click the Manage Services icon on the left toolbar. Then click Add.
4. Choose the TAM4Profile type and click Continue.
5. Enter the following parameters to add the service. Do not submit yet.

   Service Name: tivoli1_tameb
      The arbitrary name of the service we are going to create.
   URL: https://tivoli1:45580
      The URL and port that the service is listening on.
   User Id: tam4agent
      The user ID that ITIM will use to connect to the agent. This was specified when we configured the agent.
   Password: tam4agent
      The password that ITIM will use to connect to the agent. This was specified when we configured the agent.
   CA certificate store location: c:\itim45\cert
      Where the certificate for the certificate authority is stored.
   Add account: Import or Create user entry
      When adding accounts, we can import an existing user entry from TAMeb or create a new user entry in TAMeb.
   Leave user entry in registry when deleting account: unchecked
      When deleting a person in ITIM, we also want to delete the corresponding TAMeb account.
   Certificate file location: --leave blank--
      If we were setting up two-way SSL we would specify this parameter. We are not using two-way SSL in this example.
   Private key file location: --leave blank--
      If we were setting up two-way SSL we would specify this parameter. We are not using two-way SSL in this example.
   Owner: --leave blank--
   Service Prerequisite: --leave blank--

   Your entries should look like the following screen shot:
6. Click Test to test the connection parameters. You should receive a pop-up box that indicates a successful test. Then click Done.
7. Click Submit and verify that the new service named tivoli1_tameb shows up in the service list.

9.3.4 Define the Access Manager GSO Agent Service

1. We will now add the Access Manager GSO Agent service. Click Add, choose the TAMGSOProfile type, and click Continue.
2. Enter the following parameters to add the service. Do not submit yet.

   Service Name: tivoli1_gso
      The arbitrary name of the service we are going to create.
   URL: https://tivoli1:45581
      The URL and port that the service is listening on.
   User Id: tamgsoagent
      The user ID that ITIM will use to connect to the agent. This was specified when we configured the agent.
   Password: tamgsoagent
      The password that ITIM will use to connect to the agent. This was specified when we configured the agent.
   CA certificate store location: c:\itim45\cert
      Where the certificate for the certificate authority is stored.
   Certificate file location: --leave blank--
      If we were setting up two-way SSL we would specify this parameter. We are not using two-way SSL in this example.
   Private key file location: --leave blank--
      If we were setting up two-way SSL we would specify this parameter. We are not using two-way SSL in this example.
   Service Prerequisite: tivoli1_tameb
      Click Search, choose TAM4Profile, filter on ‘*’, and choose the tivoli1_tameb service as a service prerequisite. This is needed because we cannot create a GSO account for a TAMeb user until the user has been created in Access Manager.
   GSO Resource Name: mantis
      The name of the Mantis GSO resource that we created during the GSO configuration in Access Manager.
   GSO Resource Type: Web
      The type of GSO resource that we created during the GSO configuration in Access Manager.

   Your entries should look like the following screen shot:
3. Click Test to test the connection parameters. You should receive a pop-up box that indicates a successful test. Then click Done.
4. Click Submit and verify that the new service named tivoli1_gso shows up in the service list.

9.4 Create the Identity Policy

1. While logged into the ITIM Web interface as the ITIM Manager, choose the Provisioning tab, click the Define Identity Policies icon on the left toolbar, and then click Add to add a new identity policy.
2. Name the new identity policy EDU_Identity_Policy, verify that a SubTree service resolution scope is chosen, and then click the Services tab.
3. Click Service Instances.
4. Click Search.
5. Choose TAM4Profile, enter an ‘*’ as the ‘Search by Filter’ value, and click Search.
6. Check the tivoli1_tameb service and click Add, then click Back.
7. Now choose the TAMGSOProfile, enter an ‘*’ as the ‘Search by Filter’ value, and click Search.
8. Check the tivoli1_gso service, click Add, then click Back.
9. Now choose the ITIM profile, enter an ‘*’ as the ‘Search by Filter’ value, and click Search.
10. Check the ITIM Service service and click Add, then click Done.
11. Verify that the tivoli1_tameb, tivoli1_gso, and ITIM Service services are in the service instances list. Then click the Definition tab.
12. Enter the following JavaScript definition into the Definition (Rule) box. This JavaScript definition uses a person’s surname and given-name initial to generate a default login ID. It also checks whether the new login ID is already in use and appends a number to the ID until it finds one that is unique. Additionally, it ensures that the new login ID is all lower case.

   function createIdentity() {
       var tf = false;
       var baseidentity = "";
       var identity = "";
       var counter = 0;
       var givenname = subject.getProperty("givenname");
       // getProperty returns an array of values; use the first initial, or nothing if the attribute is absent
       if (givenname == null || givenname.length == 0)
           givenname = "";
       else
           givenname = givenname[0].substring(0, 1);
       // lower-case before the uniqueness check so the ID that is checked is the ID that is returned
       baseidentity = (givenname + subject.getProperty("sn")[0]).toLowerCase();
       tf = IdentityPolicy.userIDExists(baseidentity, true, true);
       if (!tf)
           return baseidentity;
       // append an increasing number until an unused ID is found
       while (tf) {
           counter += 1;
           identity = baseidentity + counter;
           tf = IdentityPolicy.userIDExists(identity, true, true);
       }
       return identity;
   }
   return createIdentity();

   Your screen should look like the following:
13. Click Submit to add the identity policy. Verify that the policy is in the list of defined identity policies.

9.5 Create the Password Policy

1. While logged into the ITIM Web interface as the ITIM Manager, choose the Provisioning tab, choose the Define Password Policies entry on the left toolbar, and click Add to add a new password policy.
2. Name the policy EDU_Password_Policy, verify that a SubTree service resolution scope is chosen, then click the Services tab.
3. Click Service Instances.
4. Click Search.
5. Choose the TAM4Profile, enter an ‘*’ as the ‘Search by Filter’ value, and click Search.
6. Check the tivoli1_tameb service and click Add, then click Back.
7. Now choose the TAMGSOProfile, enter an ‘*’ as the ‘Search by Filter’ value, and click Search.
8. Check the tivoli1_gso service, click Add, and then click Back.
9. Now choose the ITIM profile, enter an ‘*’ as the ‘Search by Filter’ value, and click Search.
10. Check the ITIM Service service and click Add, then click Done.
11. Verify that the tivoli1_tameb, tivoli1_gso, and ITIM Service services are in the service instances list. Then click the Rules tab.
12. Enter a minimum password length of 4 and a maximum length of 12, and then click Submit.
13. Verify that your new password policy appears in the list.

9.6 Create the Initial Provisioning Policies

9.6.1 The Automatic Provisioning Policy

1. While logged into the ITIM Web interface as the ITIM Manager, choose the Provisioning tab, choose the Define Provisioning Policies entry on the left toolbar, then click Add to add a new provisioning policy.
2. The General tab will be selected. Fill in the following values on the form:
   Policy Name: auto_provisioning_policy
      The name of the provisioning policy you are creating.
   Service Resolution Scope: SubTree
      The resolution scope of this provisioning policy should propagate through the organization chart.
   Priority: 200
      A designated priority value for this policy.
   Status: Enabled
      Enable the provisioning policy after creating it.
3. Choose the Membership tab, click Add, select Organizational Role, then click Continue.
4. Enter an ‘*’ in the ‘Search By Filter’ box on the right, and click Search.
5. Choose the Auto_Provisioned_Users organizational role and click Add. This adds the Auto_Provisioned_Users organizational role to the provisioning policy.
6. Choose the Entitlements tab and click Add. Modify the form with the following parameters, but do not click Add yet.
   Type: Automatic
      This provisioning policy will automatically provision accounts.
   Target Type: Service
      This provisioning policy will target a specific service.
   Service Type: ITIM
      This provisioning policy will target the ITIM service type.
   Service Name: ITIM Service
      This provisioning policy will target the ITIM service ‘ITIM Service’ that was created automatically during the installation.
7. Click the Get detail link next to the Advanced Provisioning Parameter List entry.
8. Click Add, and then choose the following attributes by checking the boxes to the left of their entries, then click Add.
   • User Id
   • Password
   • Home Page
9. For the value of each attribute parameter, enter the following JavaScript or constant values:
   User Id: { var ui = parameters.eruid[0]; return ui; }
      Retrieve the person’s user name to create an ITIM account with the same value.
   Password: { var pw = parameters.eruid[0]; return pw; }
      Retrieve the person’s user name and use that string as the initial password. This sets the initial password to the person’s user name during the automatic provisioning of the account.
   Home Page: Password Management
      Set the user’s home page in ITIM to the password management page.
   The Enforcement and Expression Type values can remain at their defaults. Your form should look like the following:
10. Click Submit to submit the attribute parameters, and then click Add to add the automatic entitlement to the entitlements list. The result should be the following:
11. Click Add again. Modify the form with the following parameters, but do not click Add yet.
   Type: Automatic
      This provisioning policy will automatically provision accounts.
   Target Type: Service
      This provisioning policy will target a specific service.
   Service Type: TAM4Profile
      This provisioning policy will target the TAM4Profile service type.
   Service Name: tivoli1_tameb
      This provisioning policy will target the TAM4Profile service ‘tivoli1_tameb’ that was created earlier.
12. Click the Get detail link next to the Advanced Provisioning Parameter List entry.
13. Click Add, and then choose the following attributes by checking the boxes to the left of their entries, then click Add.
   • Full Name
   • Password
   • ertam4dn
   • ertam4groupmember
   • ertam4singlesign
   • User Id
   • Last Name
14. For the value of each attribute parameter, enter the following JavaScript and constant entries:
   Full Name: { var fn = subject.getProperty("cn"); if (fn != null && fn.length > 0) { return fn[0]; } else { return " "; } }
      Set the user’s Access Manager Full Name to the cn property from ITIM.
   Password: { var pw = parameters.eruid[0]; return pw; }
      Retrieve the person’s user name and use that string as the initial password. This sets the initial password to the person’s user name during the automatic provisioning of the account.
   ertam4dn: { var dn = 'cn=' + parameters.eruid[0] + ',o=ibm,c=US'; return dn; }
      Set the Access Manager LDAP DN to the user ID plus the Access Manager organization and country as it was installed.
   ertam4groupmember: apache-group
      Assign the Access Manager apache-group group to the user so they can receive access to WebSEAL resources.
   ertam4singlesign: TRUE
      The user should have the SSO property enabled in Access Manager so GSO resources can be utilized.
   User Id: { var ui = parameters.eruid[0]; return ui; }
      Retrieve the person’s ITIM user name to create an Access Manager account with the same value.
   Last Name: { var ln = subject.getProperty("sn"); if (ln != null && ln.length > 0) { return ln[0]; } else { return " "; } }
      Set the user’s Access Manager last name to the surname property from ITIM.
   The Enforcement and Expression Type values can remain at their defaults. Your form should look like the following:
15. Click Submit to submit the attribute parameters, and then click Add to add this automatic entitlement to the entitlements list. The result should be the following:
16. Click Add again. Modify the form with the following parameters, but do not click Add yet.
   Type: Automatic
      This provisioning policy will automatically provision accounts.
   Target Type: Service
      This provisioning policy will target a specific service.
   Service Type: TAMGSOProfile
      This provisioning policy will target the TAMGSOProfile service type.
   Service Name: tivoli1_gso
      This provisioning policy will target the TAMGSOProfile service ‘tivoli1_gso’ that was created earlier.
17. Click the Get detail link next to the Advanced Provisioning Parameter List entry.
18. Click Add, and then choose the following attributes by checking the boxes to the left of their entries, then click Add.
   • TAM User Name
   • User Id
   • Password
19. For the value of each attribute parameter, enter the following JavaScript or constant values:
   TAM User Name: { var u = parameters.eruid[0]; return u; }
      Retrieve the ITIM user ID and set it as the TAM user name that this GSO resource will be created for.
   User Id: { var u = parameters.eruid[0]; return u; }
      Retrieve the ITIM user ID and set it as the GSO resource user ID.
   Password: { var u = parameters.eruid[0]; return u; }
      Retrieve the person’s user name and use that string as the initial password for this GSO resource. This sets the initial password to the person’s user name during the automatic provisioning of the account.
   The Enforcement and Expression Type values can remain at their defaults. Your form should look like the following:
20. Click Submit to submit the attribute parameters, and then click Add to add this automatic entitlement to the entitlements list. The result should be the following:
21. Click Submit to add the completed automatic provisioning policy. Uncheck the Schedule Immediately check box and click Submit again to submit the policy to ITIM.
22. Click Refresh and verify that your new provisioning policy appears in the list.
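As an added example that is not part of the IBM document, the following Node.js harness runs the identity-policy rule from section 9.4 and the ertam4dn parameter from step 14 above outside of ITIM. The subject, parameters and IdentityPolicy objects that ITIM supplies at runtime are mocked here (an assumption about their shape), and the DN builder adds RFC 4514 escaping of the user ID, which the document's one-line ertam4dn script omits.

```javascript
// Added example, not part of the IBM document: an offline harness for the
// ITIM JavaScript in the identity policy (9.4) and the ertam4dn provisioning
// parameter (9.6.1 step 14). ITIM injects `subject`, `parameters` and
// `IdentityPolicy` at runtime; the mocks below are assumptions for running
// the logic in plain Node.js.

// Mock of the ITIM person object. getProperty() returns an array of values,
// or null when the attribute is absent, which is why the policy indexes [0].
function makeSubject(attrs) {
  return {
    getProperty: function (name) {
      return Object.prototype.hasOwnProperty.call(attrs, name) ? attrs[name] : null;
    }
  };
}

// Mock of IdentityPolicy backed by a constructed registry of existing IDs.
// The lookup is case-insensitive (assumed, matching LDAP uid comparisons).
function makeIdentityPolicy(existingIds) {
  var taken = {};
  existingIds.forEach(function (id) { taken[id.toLowerCase()] = true; });
  return {
    userIDExists: function (uid) { return taken[uid.toLowerCase()] === true; },
    reserve: function (uid) { taken[uid.toLowerCase()] = true; }
  };
}

// Identity rule from 9.4: given-name initial + surname, lower case, with a
// numeric suffix added until the ID is unused. Lower-casing happens before
// the uniqueness check so the ID tested is exactly the ID returned.
function createIdentity(subject, IdentityPolicy) {
  var givenname = subject.getProperty("givenname");
  var sn = subject.getProperty("sn");
  var initial = (givenname && givenname.length > 0) ? givenname[0].substring(0, 1) : "";
  var surname = (sn && sn.length > 0) ? sn[0] : "";
  var baseidentity = (initial + surname).toLowerCase();
  if (!IdentityPolicy.userIDExists(baseidentity)) {
    return baseidentity;
  }
  var counter = 0;
  var identity;
  do {
    counter += 1;
    identity = baseidentity + counter;
  } while (IdentityPolicy.userIDExists(identity));
  return identity;
}

// RFC 4514 escaping for a value placed inside a DN. The document's ertam4dn
// script concatenates parameters.eruid[0] as-is; a uid containing one of
// , + " \ < > ; =, a leading '#' or space, or a trailing space would change
// the structure of the DN that ITIM writes to the Access Manager registry.
function escapeRdnValue(value) {
  var out = value.replace(/([,+"\\<>;=])/g, "\\$1");
  if (out.charAt(out.length - 1) === " ") {
    out = out.slice(0, -1) + "\\ ";
  }
  if (out.charAt(0) === " " || out.charAt(0) === "#") {
    out = "\\" + out;
  }
  return out;
}

// Equivalent of the ertam4dn parameter (cn=<uid>,o=ibm,c=US) with escaping.
function buildTamDn(parameters) {
  return "cn=" + escapeRdnValue(parameters.eruid[0]) + ",o=ibm,c=US";
}

// Walk the 9.8 test case: Jennifer Hudson becomes jhudson, a second Hudson
// with the same initial gets jhudson1, and a surname with a comma and no
// given name shows why the DN value must be escaped. The registry contents
// and the people are constructed sample data.
function provisionExample() {
  var policy = makeIdentityPolicy(["sec_master"]);
  var people = [
    { givenname: ["Jennifer"], sn: ["Hudson"] },
    { givenname: ["James"], sn: ["Hudson"] },
    { sn: ["O'Brien, Jr."] }
  ];
  return people.map(function (attrs) {
    var uid = createIdentity(makeSubject(attrs), policy);
    policy.reserve(uid); // the account now exists, as it would after provisioning
    return { uid: uid, dn: buildTamDn({ eruid: [uid] }) };
  });
}

provisionExample().forEach(function (r) {
  console.log(r.uid + " -> " + r.dn);
});
```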
This completes the addition of the automatic provisioning policy to ITIM.

9.6.2 The Manual Provisioning Policy

Using the steps in 9.6.1 that show how to create the automatic provisioning policy, create a manual provisioning policy called manual_provisioning_policy and make the following changes to the creation process:
   • Set each entitlement definition to Manual, as indicated in the example screen shot below.
   • Ensure that the Membership tab includes the Manual_Provisioned_Users organizational role instead of Auto_Provisioned_Users.
   • All other parameters should remain the same as in the automatic policy definition.
You should now have two provisioning policies created.

9.7 Create the Default Access Control Lists

We must give all ITIM users the ability to manage all of the accounts that are provisioned to them. To do this, we need to create default Access Control Lists (ACLs) that allow users to manage their newly defined accounts. Start by clicking the My Organization tab, then the Control Access icon. You should see the default list of ACLs that were created when ITIM was installed.

9.7.1 Create the TAM Account Access ACL

1. Click Add.
2. Select the Account category and the TAM Account class and click Continue.
3. Name the ACL Default TAM Account ACL, set the scope to SubTree, and grant access to the Search, Restore, and Modify operations. Also ensure that Apply permissions to user’s own information (Allow Self) is set to Yes. Do not click Submit yet. See below for the example screen shot:
4. On the same page, click the Attribute Permissions link.
Grant read and write access to the following attributes: Full Name, Last Name, and Password, then click Continue.
6. Click Submit to submit the new ACL.
7. Verify that the new ACL appears in the list.

9.7.2 Create the TAM GSO Account Access ACL

1. Click Add.
2. Select the Account category and the TAMGSOAccount class, then click Continue.
3. Name the ACL Default TAM GSO Account ACL, set the scope to SubTree, and grant access to the Search, Restore, and Modify operations. Also ensure that Apply permissions to user's own information (Allow Self) is set to Yes. Do not click Submit yet. See below for the example screen shot:
4. On the same page, click the Attribute Permissions link.
5. Grant read and write access to the Password attribute, then click Continue.
6. Click Submit to submit the new ACL.
7. Verify that the new ACL appears in the list.

9.8 Test the Configuration

We will test the configuration by adding a person to ITIM and verifying that three accounts are provisioned for the user: an ITIM account, a TAM account, and a TAM GSO account.

1. Click the My Organization tab, click the Manage People icon, then click Add to add a new person to ITIM.
2. Select Person as the type of person to add and click Submit.
3. In the Personal Information tab, enter the following details:

   Name                   Value
   Last Name              Hudson
   Full Name              Jennifer E. Hudson
   First Name             Jennifer
   Organizational Roles   Auto_Provisioned_Users

   Tip: Select the Organizational Role by clicking Search and then filtering on '*'.

4.
Choose the Communications Information tab and add the following details:

   Name            Value
   Email Address   [email protected]

5. Click Submit to add the person to ITIM.
6. Ensure that the Schedule Immediately check box is checked, and click Submit.
7. Click Refresh to verify that the person was added to ITIM.
8. Click the Jennifer Hudson entry, then click Manage Accounts.
9. If the three accounts that should have been automatically provisioned for the user show up in the list, the automatic provisioning process worked.

Note that the user IDs were automatically created and set based upon the identity policy assigned to the Auto_Provisioned_Users organizational role. Also note that automatic provisioning occurred because the user was assigned to the Auto_Provisioned_Users organizational role.

10 Install IBM Tivoli Directory Integrator

10.1 Installation

1. Insert the IBM Tivoli Directory Integrator 5.2 for Windows CD-ROM in the CD drive and open the root folder in Windows Explorer. Double-click setupwin32.exe to start the installation.
2. Click Next at the Installation Wizard screen.
3. Click Next at the welcome screen.
4. Accept the terms of the license agreement and click Next.
5. Click Next to accept the default installation directory.
6. Click Next at the installation review screen.
7. Directory Integrator will now install. Click Finish when the installation has completed.
11 Configuring IBM Tivoli Directory Integrator as a TIM Endpoint

In this section you will configure IDI with a connector to a MySQL database server. The custom application Mantis stores account information in MySQL database tables, and this endpoint gives ITIM the ability to add, modify, and delete accounts in the MySQL database for use by the Mantis application. The following steps will be accomplished in this section:
   • Defining a data model and adding it to the ITIM data store.
   • Configuring ITIM for management of the newly defined account type.
   • Adding an assembly line and connector to add accounts to MySQL.
   • Adding an assembly line and connector to process account modifications in MySQL.
   • Adding an assembly line and connector to delete accounts in MySQL.
   • Configuring an IDI event handler.

11.1 The Mantis MySQL Account and Service Data Model

The files located in the examples directory on the ITIM server contain a sample data model definition which will be used for this example. Three files are included:
   • schema.dsml – defines the directory syntax for the account and service classes.
   • resource.def – the resource definition for the creation of a service profile.
   • CustomLabels.properties – defines labels for the forms displayed in the user interface.

The schema.dsml file contains the definitions of LDAP attributes and object classes for the account and service objects in DSML format. These are described in the table below:

   Entity Type       Object Class         Description
   Service           erdsml2testservice   A service in ITIM used to manage remote LDAP accounts.
   Account           erdsml2testaccount   Account entries associated with a service of type erdsml2testservice.
   Supporting Data   erdsml2testgroup     The type of group that account users may be members of.
The attributes associated with the service are described below. The labels are given in CustomLabels.properties.

   Attribute Name   Label          Required   Description
   erservicename    Service Name   Yes        The name of the service to display in the ITIM user interface.
   erurl            URL            Yes        The URL that ITDI is listening on.
   eruid            User ID        Yes        The principal ITIM uses to authenticate to ITDI.
   erpassword       Password       Yes        The password ITIM uses to authenticate to ITDI.

The attributes associated with the account are described in the table below:

   Attribute Name        Label              Required   Description
   eruid                 User ID            Yes        The identifier by which the account user is identified.
   erpassword            Password           Yes        The password by which the managed resource authenticates its users.
   cn                    Full Name          Yes        The full name of the user.
   lastname              Last Name          Yes        The family name of the user.
   firstname             First Name         No         The given name of the user.
   telephoneNumber       Telephone Number   No         The telephone number of the user.
   mail                  Email              No         The email address of the user.
   testgroupmembership   Test Group         No         Membership in test groups.

The group has a single attribute, erdsml2testgroup, used to identify the group and display it in the user interface. The service and account profiles are defined in the resource definition file, resource.def.

NOTE: In this example, the following account attributes are defined but will not be used:
   • telephoneNumber
   • testgroupmembership

11.2 Loading the Data Definitions into ITIM

To load the data definitions into ITIM, follow these steps on the ITIM server (tivoli2):

1. Copy the directory C:\itim45\extensions\examples\idi_integration\LDAPAccountManagement\dsml2testservice to C:\itim45\data\remote_resources\dsml2testservice.
2.
Within a Command Window, change directory to c:\itim45\bin\win.
3. Type the command: config_remote_services dsml2testservice. This adds the data definitions to the ITIM server and LDAP.
4. Restart the ITIM server.

You may verify that the LDAP schema has been imported successfully by using the LDAP directory administration console. Any errors will appear in the ITIM log and, if they relate to schema import problems, in the directory log.

11.3 Configuring ITIM

To add and configure the service instance for our specific example, log on to the ITIM user interface as itim manager and follow these steps:

11.3.1 Modify the Imported Data Model

1. From the top navigation bar select Configuration.
2. Choose the User Interface Customization tab.
3. Choose Account -> DSML2TestAccount to load the DSML2TestAccount form configuration.
4. Modify the form to match exactly what you see in the screen shot above. This includes removing the $telephonenumber and $testgroupmembership attributes from the list.
5. Choose Service -> dsml2testservice to load the dsml2testservice service entity.
6. Modify the form to match exactly what you see in the screen shot above.

11.3.2 Define the DSML2 Service to ITIM

1. Using the top navigation bar, choose Provisioning -> Manage Services and click Add to add a new service profile.
2. Choose DSML2 Test Service as the service type, and click Continue.
3. Add the following values for the DSML2 service parameters:

   Parameter      Value                 Explanation
   Service Name   zeus_mantis           The name of the service that you are creating.
   URL            http://tivoli1:8800   The URL of the IDI server that will process DSML2 events. The IDI listener will be configured to listen on port 8800.
   User ID        admin                 The username that ITIM will use to authenticate to IDI.
                                        This will not be used in this configuration and is provided only as an example (we will be using unauthenticated access to IDI, so IDI will ignore it).
   Password       admin                 The password that ITIM will use to authenticate to IDI. This will not be used in this configuration and is provided only as an example (we will be using unauthenticated access to IDI, so IDI will ignore it).
   Naming Context dc=mantis             Used to relate requests to the correct context within IDI.
   Category       Account               The type of entity for use with the TIM data service APIs. This is the appropriate value for account management.

   After configuration, the add service form should look like the following:

4. Click Submit to add the service definition to ITIM.

11.3.3 Add the DSML2 Service to the Identity Policy

1. Choose the Provisioning tab, then click the Define Identity Policies icon.
2. Click the EDU_Identity_Policy entry, click the Services tab, and then click the Service Instances link.
3. Add the DSML service you just created to the Service Instances list, and then submit the updated Identity Policy.

11.3.4 Add the DSML2 Service to the Password Policy

1. Choose the Provisioning tab, then click the Define Password Policies icon.
2. Click the EDU_Password_Policy entry, click the Services tab, and then click the Service Instances link.
3. Add the DSML service you just created to the Service Instances list, and then submit the updated Password Policy.

11.4 Defining the ITIM Provisioning Policies for Mantis

Now that we have created the data model and the service entity in ITIM, we need to update the two provisioning policies to provision accounts for Mantis.
Users will be assigned to one of these provisioning policies based upon the organizational role they are assigned to when created as a person in ITIM.

11.4.1 Update the Automatic Provisioning Policy

To update the automatic provisioning policy, follow these steps:

1. Using the top navigation bar, choose Provisioning -> Define Provisioning Policies and click the auto_provisioning_policy entry.
2. Click the Entitlements tab, then click Add.
3. Enter the following values in the form, but do not click Add yet.

   Parameter      Value                Explanation
   Type           Automatic            This provisioning policy will automatically provision accounts.
   Target Type    Service              This provisioning policy will target a specific service.
   Service Type   DSML2 Test Service   This provisioning policy will target the DSML2 Test Service type.
   Service Name   zeus_mantis          This provisioning policy will target the DSML2 Test Service zeus_mantis that we just created.

4. Click the Get detail link next to the Advanced Provisioning Parameter List entry.
5. Click Add, choose the following attributes by checking the boxes to the left of their entries, and then click Add:
   • Full Name
   • First Name
   • Last Name
   • User Id
   • Password
   • Email Address

   Note: You may need to click Next at the bottom of the selection list to reach all the attributes listed above.

6. For the value of each attribute parameter, enter the following JavaScript/constant values:

   Full Name
      Value:        { var fn = subject.getProperty("givenname")[0] + ' ' + subject.getProperty("sn")[0]; return fn; }
      Explanation:  Retrieve the givenname property from the person definition and append the sn property (last name) to build a string with the person's first and last name. Note that this script indexes [0] without checking, so the result is wrong when the person has no givenname (First Name is optional in the schema).

   Password
      Value:        { var pw = parameters.eruid[0]; return pw; }
      Explanation:  Retrieve the person's username and use that string as the initial password.
                    This sets the initial password to the person's username during automatic provisioning of the account. As with the GSO policy in 9.6.1, this is a lab convenience and not a choice for production.

   User Id
      Value:        { var ui = parameters.eruid[0]; return ui; }
      Explanation:  Retrieve the person's username and create the Mantis account with the same value.

   First Name
      Value:        { var fn = subject.getProperty("givenname"); if (fn.length > 0) { return fn[0]; } else { return " "; } }
      Explanation:  Retrieve the person's first name.

   Last Name
      Value:        { var ln = subject.getProperty("sn"); if (ln.length > 0) { return ln[0]; } else { return " "; } }
      Explanation:  Retrieve the person's last name.

   Email Address
      Value:        { var email = subject.getProperty("mail"); if (email.length > 0) { return email[0]; } else { return " "; } }
      Explanation:  Retrieve the person's email address.

   The enforcement and expression type values can remain at their defaults. Your form should look like the following:

7. Click Submit to submit the attribute parameters, and then click Add to add the automatic entitlement to the entitlements list. The result should be the following:

8. Click Submit to submit the new provisioning policy, leave the defaults for the effective date, uncheck the Schedule Immediately check box, and then click Submit again.

   Tip: We uncheck Schedule Immediately to prevent the automatic provisioning policy from creating DSML (Mantis) accounts for existing users now, since the IDI connector has not yet been created.

9. The automatic provisioning policy is now updated with the proper information for the IDI endpoint.
11.4.2 Define the Manual Provisioning Policy

Using the steps in 11.4.1 that show how to update the automatic provisioning policy, update the manual provisioning policy called manual_provisioning_policy and add the zeus_mantis target with the following constraints:
   • Set each entitlement definition to Manual, as indicated in the example screen shot below.
   • Leave all other parameters the same as in the automatic policy definition. Do not forget to define the Advanced Provisioning Parameter List JavaScript entries.

11.4.3 Update the Access Control Lists for Mantis Accounts

1. Start by clicking the My Organization tab, then the Control Access icon. You should see the default list of access control lists (ACLs) that were created when ITIM was installed, and the two additional account ACL entries created previously.
2. Click Add.
3. Select the Account category and the DSML2TestAccount class, then click Continue.
4. Name the ACL Default DSML Account ACL, set the scope to SubTree, and grant access to the Search, Restore, and Modify operations. Also ensure that Apply permissions to user's own information (Allow Self) is set to Yes. Do not click Submit yet. See below for the example screen shot:
5. On the same page, click the Attribute Permissions link.
6. Grant read and write access to the following attributes: First Name, Last Name, and Password, then click Continue.
7. Click Submit to submit the new ACL.
8. Verify that the new ACL appears in the list.

11.5 Install the MySQL JDBC Driver for IDI

1. Download the MySQL JDBC driver (Connector/J) from the following location:
   • http://www.mysql.com/products/connector-j/
2.
Download the latest stable version, extract the mysql-connector-java-<version>-bin.jar file, and place it in the following location on the tivoli1 server running IBM Tivoli Directory Integrator: $(IDI)/jars/
3. This completes the installation of the MySQL JDBC driver.

11.6 Configuring IDI

This process involves creating each of the assembly lines, connectors, and the ITIM event handler for processing account management tasks from ITIM.

1. On the tivoli1 machine, start the IBM Tivoli Directory Integrator user interface.
2. Create a new IDI configuration root by clicking the icon shown below:
3. Name the file itim, leave the password empty, and click OK to save.
4. A new blank IDI configuration root will now be created.

11.6.1 Creating the Add Account Assembly Line and Connector

In this section, we will create an IDI assembly line that adds the account as sent from ITIM.

1. Right-click AssemblyLines and choose New AssemblyLine.
2. Enter the assembly line name AddAccount and click OK.
3. Select the new entry in the tree, and click the Call/Return tab on the new entry.
4. Add the following attribute names to the Call/Return tab by clicking the add entry icon and entering the attributes one by one. Set the Null Behavior value as indicated below.

   Name         Null behavior
   cn           Default Behavior
   erUid        Default Behavior
   erpassword   Default Behavior
   firstname    Default Behavior
   lastname     Default Behavior
   mail         Default Behavior

   These attributes define to IDI what will be received in the DSML request from ITIM. Your results should match the screenshot below:

5. Select the Data Flow tab and click the Add New Connector icon.
6.
Name the connector personAdd, with a type of system:/Connectors/ibmdi.JDBC and a connector mode of AddOnly.
7. Choose the Config tab, and fill in the following properties as shown below for the JDBC connector details.

   Name          Value                      Explanation
   JDBC URL      jdbc:mysql://zeus/mantis   The JDBC URL specifying the MySQL server name (zeus) and the database name (mantis).
   Username      mantis                     The MySQL username that has access to the mantis database tables (you defined this earlier during the MySQL database installation and configuration).
   Password      mantis                     The MySQL password. It is saved in the itim configuration file created in 11.6, which was saved without a password, so protect that file as you would any credential store.
   JDBC Driver   com.mysql.jdbc.Driver      The JDBC driver class name.

8. Click the Select... button and choose the mantis_user_table table. If you receive an error when clicking Select..., the database parameters entered above are incorrect or communications with the database server could not be established.
9. Click the Schema tab on the connector, then click the Connect to the data source icon.
10. Click the Retrieve entry icon to retrieve all the database columns and populate the schema table.
11. Click the Output Map tab. Here we map attributes available in MySQL to the attributes that will be received in DSML requests from ITIM.
12. Drag the following attributes from the available connector attributes window on the right to the connector attribute window in the center:
   • username
   • password
   • realname
   • email
   • cookie_string

   The attributes should be shown in a red font, indicating that they need to be mapped to incoming attributes from the DSML requests.

13. Click each red connector attribute and map it according to the criteria below. You will select a work entry attribute to map to the connector attribute.
   Connector attribute   Work entry attribute to map to
   username              erUid
   password              erpassword
   email                 mail
   realname              firstname
   cookie_string **      erUid

   ** NOTE: The cookie_string attribute is mapped to the erUid attribute because the Mantis application requires a unique, non-null value for this column in the MySQL database. Inserting an empty value for cookie_string results in a database error.

   An example of the mapping process for the username attribute is below:

14. Click the Hooks tab on the Assembly Line entry (not the connector) and select the Prolog entry.
15. The Prolog hook allows you to run a JavaScript script to preprocess data before the assembly line runs. Here we enter a script that converts the erpassword attribute received in the ITIM DSML request into a clear text string. ITIM sends passwords within DSML requests in Base64 encoded format, and the ITIM event handler that we define later will be configured to decode that Base64 string into a byte array. This JavaScript translates the byte array into a clear text string usable for storage in the MySQL database table. Paste the following script into the Prolog window:

      // convert the password byte array (already Base64-decoded by the
      // event handler) into a clear text string for the JDBC connector
      cpw = system.arraytoString(work.getObject("erpassword"));
      work.setAttribute("erpassword", cpw);

   Note that Base64 is an encoding, not encryption: the password is recoverable by anyone who can read the DSML request, and the string produced here is written to the Mantis table exactly as received.

16. The AddAccount assembly line is now added and complete.

11.6.2 Creating the Modify Account Assembly Line and Connector

In this section, we will create an IDI assembly line that modifies account information when a DSML update request is received from ITIM. This includes password updates and name and email address changes.

1. Right-click AssemblyLines and choose New AssemblyLine.
2.
Enter the assembly line name ModifyAccount and click OK.
3. Select the new entry in the tree, and click the Call/Return tab on the new entry. Add the following attributes in the Call/Return work entry area.

   Name         Null behavior
   $dn          Error
   erUid        Default Behavior
   erpassword   Default Behavior
   firstname    Default Behavior
   lastname     Default Behavior
   mail         Default Behavior

   These attributes define to IDI what will be received in the DSML request from ITIM. Your results should match the screenshot below:

4. Select the Data Flow tab, and then click the Add New Connector icon.
5. Name the connector personModify, with a type of system:/Connectors/ibmdi.JDBC and a connector mode of Update.
6. Choose the Config tab, and fill in the following properties as shown below for the JDBC connector details.

   Name          Value                      Explanation
   JDBC URL      jdbc:mysql://zeus/mantis   The JDBC URL specifying the MySQL server name (zeus) and the database name (mantis).
   Username      mantis                     The MySQL username that has access to the mantis database tables (you defined this earlier during the MySQL database installation and configuration).
   Password      mantis                     The MySQL password.
   JDBC Driver   com.mysql.jdbc.Driver      The JDBC driver class name.

7. Click the Schema tab on the connector. Click the Connect to the data source icon, then click the Retrieve entry icon to retrieve the MySQL database schema.
8. Click the Output Map tab. Here we map attributes available in MySQL to the attributes that will be received in DSML requests from ITIM. Drag the following attributes from the available connector attributes window on the right to the connector attribute window in the center:
   • password
   • realname
   • email
   • cookie_string

9. The attributes should initially be shown in a red font, indicating that they need to be mapped to incoming attributes from the DSML requests. Click each red connector attribute and map it according to the criteria below. You will select a work entry attribute to map to the connector attribute.

   Connector attribute   Work entry attribute to map to
   password              erpassword
   email                 mail
   realname              firstname
   cookie_string **      erUid (see the note in 11.6.1)

   NOTE: You will notice that we did not define the username attribute in the work entry or map it. This is because during a modify DSML request only the attributes that have changed are sent. Therefore we must pull the username from the DN (the DN is always sent). The $dn entry is defined in the work entry for preprocessing using JavaScript in the Prolog section of the assembly line; we will implement this later.

10. Click the Link Criteria tab, and then click the Add New Link Criteria icon. Here we add a link criterion that allows the assembly line to match the existing entry in the MySQL database and update it accordingly.
11. Set the link criteria to the values shown in the screen shot below. Pay particular attention to the case sensitivity of the $eruid attribute. You should now have a link criteria entry like the one below:
12. Click the Hooks tab on the Assembly Line entry (not the connector) and select the Prolog entry.
13. Here we add custom JavaScript to convert the received password into clear text, and to parse the distinguished name received in the DSML request to obtain the erUid. We do this because during modify requests ITIM typically sends only the attributes that were changed.
The following JavaScript parses the distinguished name in the DSML request from ITIM and sets the eruid attribute to the username parsed from the DN:

      //
      // Parse the DN to get the user erUID
      //
      dn = work.getString("$dn");
      dn_start = dn.indexOf("=");
      dn_end = dn.indexOf(",");
      erUserID = dn.substring(dn_start + 1, dn_end);
      main.logmsg("INFO", "++ erUID: " + erUserID);
      // if ITIM sent an eruid attribute in the modify, keep it in neweruid
      // and use the value from the DN as the key for the link criteria
      if (work.getString("eruid") != null)
          work.setAttribute("neweruid", work.getString("eruid"));
      work.setAttribute("eruid", erUserID);

   This takes the value between the first "=" and the first "," of the DN, which is sufficient when the first RDN value is the plain user ID; it does not handle a user ID that itself contains an escaped comma.

   In addition, add this JavaScript to convert the password byte array to clear text. A modify request carries erpassword only when the password changed, so the conversion is guarded:

      // convert the password into clear text
      if (work.getObject("erpassword") != null) {
          cpw = system.arraytoString(work.getObject("erpassword"));
          work.setAttribute("erpassword", cpw);
      }

   Copy the above JavaScript entries into your Prolog window. Your Prolog entry should look like the screen shot below:

14. The ModifyAccount assembly line is now added and complete.

11.6.3 Creating the Delete Account Assembly Line and Connector

In this section, we will create an IDI assembly line that deletes account information when a DSML delete request is received from ITIM.

1. Right-click AssemblyLines and choose New AssemblyLine.
2. Enter the assembly line name DeleteAccount and click OK.
3. Select the new entry in the tree and click the Call/Return tab on the new entry. Add the following attribute in the Call/Return work entry area.

   Name   Null behavior
   $dn    Error

   This attribute defines to IDI what will be received in the DSML request from ITIM. Since we only need the username of the account to delete, and we take it from the distinguished name, $dn is the only attribute to be received. Your results should match the screenshot below:

4.
Select the Data Flow tab, and then click the Add New Connector icon. Name the connector personDelete, with a type of system:/Connectors/ibmdi.JDBC and a connector mode of Delete.
5. Choose the Config tab, and fill in the following properties as shown below for the JDBC connector details.

   Name          Value                      Explanation
   JDBC URL      jdbc:mysql://zeus/mantis   The JDBC URL specifying the MySQL server name (zeus) and the database name (mantis).
   Username      mantis                     The MySQL username that has access to the mantis database tables (you defined this earlier during the MySQL database installation and configuration).
   Password      mantis                     The MySQL password.
   JDBC Driver   com.mysql.jdbc.Driver      The JDBC driver class name.

6. Click the Schema tab on the connector. Click the Connect to the data source icon, then click the Retrieve entry icon to retrieve the MySQL database schema.

   NOTE: We will not define any output mapping, since a delete request does not add or modify existing information; nothing needs to be mapped.

7. Click the Link Criteria tab, then click the Add New Link Criteria icon.
8. Here we add a link criterion that allows the assembly line to match the existing entry in the MySQL database and delete it. Set the link criteria to the values shown in the screen shot below. Pay particular attention to the case sensitivity of the $eruid attribute. You should now have a link criteria entry like the one below:
9. Click the Hooks tab on the Assembly Line entry (not the connector) and select the Prolog entry.
Add the following JavaScript code to the Prolog entry to get the user erUID from the DN of the DSML request:

      //
      // Parse the DN to get the user erUID
      //
      dn = work.getString("$dn");
      dn_start = dn.indexOf("=");
      dn_end = dn.indexOf(",");
      erUserID = dn.substring(dn_start + 1, dn_end);
      main.logmsg("INFO", "++ erUID: " + erUserID);
      if (work.getString("eruid") != null)
          work.setAttribute("neweruid", work.getString("eruid"));
      work.setAttribute("eruid", erUserID);

   Your Prolog entry should look like the screen shot below:

10. The DeleteAccount assembly line is now added and complete.

11.6.4 Creating the ITIM Event Handler

In this section, we will create an event handler that listens for DSML2 requests from ITIM. The event handler then calls the appropriate assembly line depending on the requested operation: add, modify, or delete.

1. Right-click EventHandlers in the tree, and click New EventHandler.
2. Set the name of the event handler to TIM Listener, with a template type of system:/EventHandlers/ibmdi.DSMLv2EventHandler.
3. In the tree, select the TIM Listener event handler that you just created. Choose the Config tab, and fill in the following attributes:

   Name                           Value        Explanation
   HTTP Port                      8800         The port that the listener will monitor for requests from ITIM.
   Auth Connector                 (none)       No authentication mechanism will be used in this example. Anyone who can reach tivoli1:8800 can therefore submit add, modify, and delete requests, and the plain HTTP URL configured in 11.3.2 carries the Base64 encoded password in the clear; keep this arrangement on an isolated lab network.
   Auto-start Service             Checked      Auto-start the service.
   Extra Binary Attribute Names   erpassword   The erpassword attribute is passed as a Base64 binary attribute from ITIM. This parameter tells the event handler to decode it and place the result in a byte array for further processing.
   Naming Context                 dc=mantis    The reference naming context for requests.
    AssemblyLine for add: /AssemblyLines/AddAccount
        Call the AddAccount assembly line for add requests from ITIM.
    AssemblyLine for modify: /AssemblyLines/ModifyAccount
        Call the ModifyAccount assembly line for modify requests from ITIM.
    AssemblyLine for delete: /AssemblyLines/DeleteAccount
        Call the DeleteAccount assembly line for delete requests from ITIM.

Your TIM Listener entry should look like the screen shot below.

4. Click the start icon to start the event handler. The event handler is now started.

11.7 Testing the IDI Endpoint

1. Select the Provisioning tab, click the Define Provisioning Policies icon, and then click auto_provisioning_policy to open it.

2. Click Submit.

3. Verify that Schedule Immediately is checked and click Submit. Scheduling immediately submits the provisioning policy, which creates accounts on the DSML service for any existing person entries that belong to the auto_provisioned_users organizational role.

4. To verify this, click My Organization, then the Manage People icon. Open the Jennifer Hudson person entry you created previously.

5. Click Manage Accounts.

6. Verify that the zeus_mantis account entry was created.

12 Test Cases

12.1 Auto Provision Accounts

1. Open Internet Explorer to the following URL: http://tivoli2/enrole
   Log on as itim manager with a password of object00.

2. Click the My Organization tab, click the Manage People icon, and then click Add to add a new person to ITIM.

3. Select Person as the type of person to add and click Submit.

4.
In the Personal Information tab, enter the following details:

    Last Name: Banter
    Full Name: John A. Banter
    First Name: John
    Organizational Roles: Auto_Provisioned_Users

   Tip: Select the Organizational Role by clicking Search and then filtering on '*'.

5. Choose the Communications Information tab and add the following details:

    Email Address: [email protected]

6. Click Submit to add the person to ITIM.

7. Ensure that the Schedule Immediately check box is checked and click Submit.

8. Click Refresh to verify that the person was added to ITIM.

9. Click the John A. Banter entry, then click Manage Accounts.

10. If the four accounts that should have been provisioned for the user appear in the list, the automatic provisioning process worked. Note that the user ID was created and set automatically according to the identity policy assigned to the Auto_Provisioned_Users organizational role, and that provisioning happened automatically because the user was placed in that role.

11. Open Internet Explorer to the following URL to test the complete provisioning, authentication, authorization, and single sign-on process: https://zeus/apache/mantis
    Click Yes to accept the SSL certificate from WebSEAL.

12. Log on with the user name jbanter and password jbanter.

13. After being authenticated to WebSEAL, you should be taken directly to the Mantis ticket screen; no Mantis logon page should appear. This is because the WebSEAL junction executed the forms SSO option and signed jbanter on automatically with his GSO credentials.
12.2 Password Change

1. Open Internet Explorer to the following URL: http://tivoli2/enrole
   Log on as jbanter with a password of jbanter.

2. Notice that jbanter is taken directly to the Manage Passwords page, his default home page. This was set automatically by the automatic provisioning policy that you created. Enter a new password of test4new, enter the same password for confirmation, and click Submit. This changes the password on all four of jbanter's accounts.

3. Click OK. Then click Logout.

4. Open Internet Explorer to the following URL to test the complete password change: https://zeus/apache/mantis
   Click Yes to accept the SSL certificate from WebSEAL.

5. Log on with the user name jbanter and password test4new.

6. After being authenticated to WebSEAL, you should be taken directly to the Mantis screen; no Mantis logon page should appear. This is because the WebSEAL junction executed the forms SSO option and signed jbanter on automatically with his GSO credentials.
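Returning to the Prolog hook of the Delete Account assembly line (step 9 above): it takes the user ID as the text between the first "=" and the first "," of the request DN. That is enough for a DN like eruid=jbanter,dc=mantis, but it silently returns the wrong value when eruid is not the first RDN or when the value contains an escaped comma, and a wrong eruid means the $eruid link criteria may match nothing, or the wrong row. The following is an added JavaScript example, not code from this guide or from IBM, that extracts the eruid RDN value according to the LDAP string-DN escaping rules (RFC 4514: backslash escapes and \XX hex pairs). The setErUidFromDn function repeats the hook's work-entry updates on top of that parser; the work object's getString and setAttribute calls are the same TDI methods the hook already uses, while makeWork and the sample DNs are constructed here only so the code can be exercised outside IDI.

```javascript
// Added example (not from the guide): parse the eruid RDN value out of an
// ITIM DSML request DN such as "eruid=jbanter,dc=mantis" following the LDAP
// string-DN escaping rules (RFC 4514), instead of splitting on the first
// "=" and ",".

// Split a DN into its RDN strings. A backslash escapes the next character,
// so "\," inside a value does not end the RDN.
function splitRdns(dn) {
  var rdns = [];
  var current = "";
  var escaped = false;
  for (var i = 0; i < dn.length; i++) {
    var ch = dn.charAt(i);
    if (escaped) {
      current += ch;
      escaped = false;
    } else if (ch === "\\") {
      current += ch;
      escaped = true;
    } else if (ch === ",") {
      rdns.push(current);
      current = "";
    } else {
      current += ch;
    }
  }
  rdns.push(current);
  return rdns;
}

// Undo RFC 4514 escaping in an attribute value: "\," -> ",", "\2c" -> ",".
function unescapeValue(value) {
  var out = "";
  for (var i = 0; i < value.length; i++) {
    var ch = value.charAt(i);
    if (ch !== "\\") {
      out += ch;
    } else if (/^[0-9a-fA-F]{2}$/.test(value.substr(i + 1, 2))) {
      out += String.fromCharCode(parseInt(value.substr(i + 1, 2), 16));
      i += 2;
    } else {
      out += value.charAt(i + 1);
      i += 1;
    }
  }
  return out;
}

// Return the unescaped value of the first RDN whose type is `attr`
// (attribute types are case-insensitive), or null if the DN has none.
// Whitespace around the type and value is ignored, as RFC 4514 allows.
function rdnValue(dn, attr) {
  var rdns = splitRdns(dn);
  for (var i = 0; i < rdns.length; i++) {
    var eq = rdns[i].indexOf("=");
    if (eq < 0) continue;
    var type = rdns[i].substring(0, eq).replace(/^\s+|\s+$/g, "");
    if (type.toLowerCase() === attr.toLowerCase()) {
      return unescapeValue(rdns[i].substring(eq + 1).replace(/^\s+|\s+$/g, ""));
    }
  }
  return null;
}

// Same work-entry updates as the guide's Prolog hook, but driven by
// rdnValue(). `work` is the TDI work entry (getString / setAttribute).
// Returns the erUID that was set, or null when the DN carries no eruid RDN,
// so the hook can stop instead of running the delete with a bad key.
function setErUidFromDn(work) {
  var erUserID = rdnValue(work.getString("$dn"), "eruid");
  if (erUserID === null) return null;
  var existing = work.getString("eruid");
  if (existing !== null) work.setAttribute("neweruid", existing);
  work.setAttribute("eruid", erUserID);
  return erUserID;
}

// Constructed stand-in for the TDI work entry (hypothetical helper), used
// only to exercise setErUidFromDn outside IDI.
function makeWork(attrs) {
  return {
    getString: function (name) { return attrs.hasOwnProperty(name) ? attrs[name] : null; },
    setAttribute: function (name, value) { attrs[name] = value; },
    attrs: attrs
  };
}
```

Inside the real hook, replace the four-line indexOf/substring parse with a call to rdnValue(work.getString("$dn"), "eruid") and abort the assembly line when it returns null; that way a malformed DN never reaches the JDBC connector's delete.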