IBM Tivoli Identity Manager
°AtmΓU
4.5
SC40-1843-02
G
bΩTΣΣúºeA²\¬ 141 ² E, yNzñΩTC
Gq]2003 9 δ
úDbsqñtíAhqA≤ Tivoli Identity Manager 4.5.0 Hß≥MqC
© Copyright International Business Machines Corporation 2003. All rights reserved.
²
eÑ . . . . . . . . . . . . . . . . vA∩H . . . . . . . . . . . . . . vy . . . . . . . . . . . . . . . . . v
Tivoli Identity Manager °Aw . . . . . . vúy . . . . . . . . . . . . . vi÷y . . . . . . . . . . . . . . viuWsy . . . . . . . . . . . . . vii
≤Uuπ . . . . . . . . . . . . . . . viipnΘΣñ . . . . . . . . . . . . viiD . . . . . . . . . . . . . . vii
1 ttmuπ (runConfig) . . 1ttmuπ . . . . . . . . . . 2e . . . . . . . . . . . . . . . 3ttmuπ (runConfig) . . . . . . . . 3
@δte . . . . . . . . . . . . . . 4í°A . . . . . . . . . . . . 5ΩT . . . . . . . . . . . . . . . 5
²e . . . . . . . . . . . . . . . . 5Tivoli Identity Manager °A²suΩT . . . 6LDAP suxsΩT . . . . . . . . . . 6
Ωwe . . . . . . . . . . . . . . . 6@δΩwΩT . . . . . . . . . . . . 7ΩwxsΩT . . . . . . . . . . . . 7
Oⁿe . . . . . . . . . . . . . . . . 8Oⁿh . . . . . . . . . . . . . . . 8lº¼p . . . . . . . . . . . . . 8
l≤e . . . . . . . . . . . . . . . . 8Web °AΩT . . . . . . . . . . . . 9l≤ΩT . . . . . . . . . . . . . . 10l≤°AΩT . . . . . . . . . . . . 10
e . . . . . . . . . . . . . 10ßxMßx . . . . . . . . . 10Mµjp . . . . . . . . . . . . . 10
we . . . . . . . . . . . . . . . 11[K]w . . . . . . . . . . . . . . 11í°Az]w . . . . . . . 11
Tivoli Identity Manager °A Web . . 12
2 tmte . . . . . . . . 13Fe . . . . . . . . . . . . . . 14WebLogic Mtm . . . . . . . . . . . 15WebSphere Mtm . . . . . . . . . . . 18í°AΩT . . . . . . . . . . . 21w] Tenant ΩT . . . . . . . . . . . . 22LDAP °AΩT . . . . . . . . . . . . 23OΘΩT . . . . . . . . . . . . . 24TΩT . . . . . . . . . . . . . . . 25ΩT . . . . . . . . . . . . . . . 29KXµ÷°]w . . . . . . . . . . . 30XML M DTD ΩT . . . . . . . . . . . . 31
LDAP suxsΩT . . . . . . . . . . . 32[KΩT . . . . . . . . . . . . . . . 33ttmí . . . . . . . . . . . . . . 34u@ytmΩT . . . . . . . . . . . . 35l≤Atm . . . . . . . . . . . . . . 39ΩT . . . . . . . . . . . . . . . 40@KXVX . . . . . . . . . . . . . . 42SSL VOe . . . . . . . . . . . . 43nDz UI tm . . . . . . . . . . . . 44
3 tmRe . . . . . . . . 45Fe . . . . . . . . . . . . . . 46enRoleAuthentication.properties . . . . . . . . 47tmqO≈ε . . . . . . . . . . . 48
enRoleDatabase.properties . . . . . . . . . . 50enRoleLDAPConnection.properties . . . . . . . 54enRoleLogging.properties . . . . . . . . . . 57enRoleMail.properties . . . . . . . . . . . 60enrolepolicies.properties . . . . . . . . . . . 62enroleworkflow.properties . . . . . . . . . . 64fesiextensions.properties . . . . . . . . . . . 66UI.properties . . . . . . . . . . . . . . 68CustomLabels.properties . . . . . . . . . . . 71
4 z . . . . . . . . 73SSL M º[. . . . . . . . . . . 73FpK≈M . . . . . . . . . 74Dnµí . . . . . . . . . . . . . . 74Tivoli Identity Manager SSL Ω@ . . . 74
tmKnM² . . . . . . . . . . . . 76b WebSphere íp Tivoli Identity Manager . . . 76b WebLogic íp Tivoli Identity Manager . . . 76
tms²∩ Web °A SSL (WebSphere) . . 771. únD (CSR) . . . . . . . . 772. ww . . . . . . . . . . 783. tX SSL tm Web °A . . . . . . 79
tms²∩ Web °A SSL (WebLogic) . . . 81tm°A Nzí SSL . . . . . . . . 83tmµV SSL °A . . . . . . . . 84bNzítmw . . . . . . . 85
tmNzíl SSL]Nzí Web °A . . . . . . . . . . . . . . . . . 86w∩≤qtm ADK ¼Nzí . . . . 86 JNDI íú¡ . . . . . . 86IBM Directory Integrator (IDI) ¼Nzí . . 86
5 tmµ@nJMΦ . . . . . 89µ@nJ\αº[ . . . . . . . . . . . 89H WebSEAL tmµ@nJ . . . . . . . . . 90°≤BiMµMΦ . . . . . . . 90tm . . . . . . . . . . . . . . 91
© Copyright IBM Corp. 2003 iii
H Tivoli Access Manager í°Atmµ@nJ . . . . . . . . . . . . . . . . . 92H Tivoli Identity Manager WebSEAL X . . 92 TCP X . . . . . . . . . . . . 92 SSL X . . . . . . . . . . . . 95ⁿwX URL. . . . . . . . . . . . 98
6 q . . . . . . . . 99qx . . . . . . . . . . . . . . . 99Nx[J Tivoli Identity Manager tñ . . . 99
qπ . . . . . . . . . . . . . . 99qr¼MCΓ . . . . . . . . . . . . 99qMµπe . . . . . . . . . . . 100
7 tmqll≤T . . . . . . 101qqll≤d . . . . . . . . . . . . 101q . . . . . . . . . . . . . 101[íd . . . . . . . . . . . . 102[ídk . . . . . . . . . . 102
sKX . . . . . . . . . . . . . . 103
8 tmKXrσMúbß . . 105KXrσ . . . . . . . . . . . . . . . 105Nµr[JKXrσñ . . . . . . . . . 105
úbß . . . . . . . . . . . . . 105∩núbºbß . . . . . . . 106
² A. wM ACI Synchronizer 107ACI PBBzIΩT . . . . . . . . . 108
ACI changelog ñΓ . . . . . . . . . 108²°A changelog . . . . . . . . . 108ACI Synchronizer w∩ . . . . . . . . . 108N ACI Synchronizer wb WebSphere/UNIX . . 109wbt@íqúW . . . . . . . . . . 109wbP@íqúW . . . . . . . . . . 110
N ACI Synchronizer wb WebSphere/Windows 111wbt@íqúW . . . . . . . . . . 111wbP@íqúW . . . . . . . . . . 112
N ACI Synchronizer wb WebLogic/UNIX . . . 113wbt@íqúW . . . . . . . . . . 113
wbP@íqúW . . . . . . . . . . 114N ACI Synchronizer wb WebLogic/Windows 115wbt@íqúW . . . . . . . . . . 115wbP@íqúW . . . . . . . . . . 116
ACI Synchronizer . . . . . . . . . . 117íí . . . . . . . . . . . . . 117ⁿOµí . . . . . . . . . . . . . 118
² B. tm Crystal Reports . . . . 121 Crystal Reports Bzy . . . . . . . 122tm² Tivoli Identity Manager Crystal Reports 123
1. RAS tm]¡≤ Windows ¡x . . . . 1232a. Tivoli Identity Manager]Windows WebSpheretm . . . . . . . . . . . 1232b. Tivoli Identity Manager]UNIX WebSpheretm . . . . . . . . . . . 1252c. Tivoli Identity Manager °A]Windows WebLogictm . . . . . . . . . . 1272d. Tivoli Identity Manager]UNIX WebLogictm . . . . . . . . . . . 1283. ßtm]¡≤ Windows ¡x . . . 129
² C. ]p Ad-Hoc °iLo°≤ 131]pLo°≤ⁿ . . . . . . . . . . 131d°i . . . . . . . . . . . . . . . 132b°iñτ . . . . . . . . . . . 133]p°ib°i]píⁿwX°≤ . . . 133
² D. ]p Crystal Report Lo°≤ 137]pLo°≤ⁿ . . . . . . . . . . 137d°i . . . . . . . . . . . . . . . 139]p°ib°i]píⁿwX°≤ . . . 139
² E. N . . . . . . . . . . 141 . . . . . . . . . . . . . . . . 142
Wⁿ. . . . . . . . . . . . . . 143
. . . . . . . . . . . . . . . 147
iv IBM Tivoli Identity Manager: °AtmΓU
eÑ
IBM ® Tivoli ® Identity Manager °A]Tivoli Identity Manager °Ai²t
zñzLDCTivoli Identity Manager °AiHQzb Tivoli
Identity Manager °AM⌠wtWwqwqT≤wAzΩsC
ΓUNíp≤ Tivoli Identity Manager °AtmíC
A∩H
ΓUA∩HAObv⌠qútWwB@znΘtMw
zC¬πtMwzºCA¬]πUCU
zºG
v ²°A
v Ωw°A
v WebSphere® Embedded Messaging Σ
v WebSphere Application Server WebLogic
v IBM HTTP Server
y
\¬ Tivoli Identity Manager wByM÷yíAPy±
C∩wznyºßA\uWsyⁿC
Tivoli Identity Manager °Aw
UO Tivoli Identity Manager °AwñyG
v Tivoli Identity Manager uWU
w∩ Tivoli Identity Manager z@AúπXíuWíDDC
v UNIX Windows Tivoli Identity Manager °AwΓU] WebSphere
WebLogicCAXz⌠C
ú Tivoli Identity Manager wΩTC
v Tivoli Identity Manager Policy and Organization Administration Guide
ú Tivoli Identity Manager z@DDC
v Tivoli Identity Manager °AtmΓU
úµ@°AMO Tivoli Identity Manager tmtmΩTC
v Tivoli Identity Manager @δΓU
ú Tivoli Identity Manager ΩTC
v Tivoli Identity Manager N
ú Tivoli Identity Manager nwΘDAHΣLíBíMΣLΣ
ΩTC
v Tivoli Identity Manager Troubleshooting Guide
ú Tivoli Identity Manager úΣLMDΩTC
úy
pGnΩTAF Tivoli Identity Manager úCziHqU
C moyG
v WebSphere Application Server
http://www.ibm.com/software/webservers/appserv/support.html
: Uo≈u⌡MµANíwMtm WebSphere Application ServerA
BúBwO@C÷Mo≈MµbIΩOsA²biα
wgLFCpßNϕAΩΩTMµC
– IBM WebSphere Application Server V5.0 System Management and ConfigurationA
IBM ⌡
– IBM WebSphere Application Server V5.0 SecurityAIBM ⌡
v WebLogic Application Server
http://e-docs.bea.com/
v Ωw°A
– IBM DB2
http://www.ibm.com/software/data/db2/udb/support.html
http://www.ibm.com/software/data/db2
– Oracle
http://technet.oracle.com/documentation/content.html
– Microsoft SQL Server 2000
http://msdn.microsoft.com/library/
v ²°Aí
– IBM Directory Server
http://www.ibm.com/software/network/directory
– Sun ONE Directory Server
http://www.ibm.com/software/network/directory
v WebSphere Embedded Messaging Σ] IBM MQSeries
http://www.ibm.com/software/ts/mqseries
v Web Proxy °A
– IBM HTTP Server
http://www.ibm.com/software/webservers/httpservers/library.html
– Microsoft IIS HTTP Server
http://www.microsoft.com/technet/prodtechnol/iis/default.asp
– Apache HTTP Server
http://httpd.apache.org/docs-project
÷y
ziHbUCyΣ Tivoli Identity Manager °A÷ΩTG
v Tivoli Software Library úFU Tivoli yApABΩu@ϕBdB
⌡MqHτCziHbUz⌠Σ Tivoli Software LibraryG
http://www.ibm.com/software/tivoli/library/
v Tivoli Software Glossary t\h Tivoli nΘ÷NywqCziHb Tivoli
Software Library ⌠¬ΓΣ Glossary Σ Tivoli Software GlossaryAúL
uσC
http://www.ibm.com/software/tivoli/library/
uWsy
ziHQuWΦíb Tivoli Software Library Σ ú IBM yAiΓíσ
≤µí (PDF) WσrOyÑ (HTML) µíAΓµí πC
http://www.ibm.com/software/tivoli/library
pGnbwñMΣúyAbuwv¬ΓΣ÷@UúΓUCMß
buTivoli nΘΩTñvWMΣB÷@UúWC
úy]ANBwΓUBΓUBzΓUHoΓ
UC
: FTOαCL PDF yAb Adobe Acrobat uCLv°íñA∩
X∩]zun÷@U → CLANα≈o∩C
≤Uuπ
úσ≤tUCSAiHUz≤UuπG
v σ≤ HTML M PDF ΓµíAi²Me¬C
v σ≤ñvúNσrAi²°FveC
pnΘΣñ
bV IBM Tivoli nΘΣñDºeA²yX IBM Tivoli nΘΣñ⌠
A⌠pUG
http://www.ibm.com/software/sysmgmt/products/support/
pGznBUAQ IBM Software Support Guide]⌠pUñyz
ΦkApnΘΣñC
http://techsupport.services.ibm.com/guides/handbook.html
ΓUNúUCΩTG
v ⁿΣn²MΩµnD
v q X]zbΩaw
v bpßΣñºeA¼ΩTMµ
D
ΓUNw∩SϕⁿJM@AH@twⁿOM⌠AhD
C
UOrΘDG
Θ ΘrNϕziH∩°í÷sBµ AHXbΓU
ⁿO]deñⁿOhúC
ÑerΘ ÑerΘ¼σrANϕeBWⁿOΘXC
Θ ΘrNϕ⌠wqMApG
v ⌠W
v W
v W
v sW
v t
v ⌠
% ± (%) Nϕ C Shell eú]XbΓUdñCz
t C Shell eúiαú@C
# ½ (#) Nϕ²HW]¬svñΓnJº[
eúC
1 ttmuπ (runConfig)
Tivoli Identity Manager °AOzLUteztmCC@teú
Nϕ@Aε Tivoli Identity Manager °AµC±ΦíAziHQt
ePATLdOα≈Y²nJAOHsKX
eqll≤C
teOHUCΦítmG
v ttmí runConfig]Nbí
v sΦAϕeAHΓΦí∩eG
– ÷te (enrole.properties) ΩTA\ 13 2 , yt
mtezC
– ÷ReΩTA\ 45 3 , ytmRezC
DDG
v 2 yttmuπz
v 4 y@δtez
v 5 y²ez
v 6 yΩwez
v 8 yOⁿez
v 8 yl≤ez
v 10 yez
v 11 ywez
v 12 yTivoli Identity Manager °A Web z
ttmuπ
Nú÷ Tivoli Identity Manager ttmuπΩTCtziHbw
Tivoli Identity Manager °AºßAttmuπ∩SwteΩTC
teiHH∩Cb≤∩YteºßAiαo½s Tivoli Identity
Manager °AC±ΦíA°A≤∩teA½s°A
ºßαδXC ≤ΣLte≤Ahib 30 ϕδXCπd
OOⁿeCOⁿe≤ºßAú½s°AANb 30 ϕC
runConfig íO@íuπAsΦ Tivoli Identity Manager °A
eCHouπ≤Aúg AϕteñCrunConfig íO ≤ bin ²UC
ziHQ runConfigA°sΦUCteG
v í°AΩT
– Tivoli Identity Manager °AD≈W]WebSphere O¬A WebLogic O
iHsΦ
– TCP/IP ≡]WebSphere O¬A WebLogic OiHsΦ
– SSL TCP/IP ≡]WebSphere O¬A WebLogic OiHsΦ
– ΩT
v ²xswΩT
– ²°AD≈W
– Tivoli Identity Manager °AnJ²°ADΘ DN MKXC
– ²°A≡
– LDAP suxsΩT
v ΩxswΩT
– Ωw¼
– Ωw°A IP M≡
– ΩwAW
– Tivoli Identity Manager °AnJΩwΩwbßMKXC
– ΩwsuxsΩT
v OⁿΩT
– lM h
v l≤qΩT
– Tivoli Identity Manager °AnJ URL
– el≤q SMTP l≤D≈
– l≤q¼≤HmW
v ΩT
– ßxwq
– ß URL
– Mµjp
v wΩT
– [K]w
– tKX
– EJB KX
e
tMReAO ≤ Tivoli Identity Manager °A $ITIM_HOME/data
²UCo]ttteMReC
W í
enRole.properties iⁿwte
enRoleAuthentication.properties iⁿwO≈ε
enRoleDatabase.properties iⁿwΩxswe
enRoleLDAPConnection.properties iⁿwvT²°Asu
enRoleLogging.properties iⁿwOⁿe
enRoleMail.properties iⁿwl≤qe
enrolepolicies.properties iⁿwh[ce
enroleworkflow.properties iⁿwtwqe
fesiextensions.properties iⁿwMq FESI W
UI.properties iⁿw@δe
v ÷te (enrole.properties) ΩTA\ 13 2 , yt
mtezC
v ÷ReΩTA\ 45 3 , ytmRezC
ttmuπ (runConfig)
ttmuπi≤ Windows® M UNIX® Tivoli Identity ManagerC
v 3 yttmuπ (UNIX)z
v 4 yttmuπ (Windows)z
ttmuπ (UNIX)
pGnb UNIX ñttmuπA⌡µUC@G
1. nJw Tivoli Identity Manager °AtC
2. "½ Tivoli Identity Manager l²C
# cd $ITIM_HOME
3. "½ /bin ²C
# cd bin
4. τµ²NO $ITIM_HOME/bin ²C
# pwd
$ITIM_HOME/bin
5. ΘJ runConfigAMß÷ Enter ΣC
oeXttmC
bzNiH≤teFC
6. ≤znteAMß÷@UTwC
ΣL÷itmteΩTA\UCXC
: ÷@UTwiHxsz≤AB÷¼C÷@UMAh
xs≤A²ú÷¼C
ttmuπ (Windows)
pGnb Windows ñttmuπA⌡µUC@G
1. nJw Tivoli Identity Manager °AtC
2. Windows C
3. Tivoli Identity Manager °Al²C
4. bin ²C
5. ÷ΓU runConfig íC
oeXttmC
bzNiH≤teFC
6. ≤znteAMß÷@UTwC
ΣL÷itmteΩTA\UCXC
: ÷@UTwiHxsz≤AB÷¼C÷@UMAh
xs≤A²ú÷¼C
pGzHttmuπ∩LeAIBM znN Tivoli Identity Manager °A½
sC
@δte
ttm@δAπí°AMΩTtmµ C
t\ 13 2 , ytmtezC
1. u@δv
í°A
: pGO WebSphereA≥oqΩTuα@Aúα∩CpGO
WebLogicA≥oµ úiH∩C
uí°AΩTvµ πΩTAO÷≤í°A≈ΩTAΣ
ñ]AD≈WBTCP ≡M SSL ≡C
ΩT
íTuΩTvµ πAOzxs⌡µⁿdwºTºA≤Bz
Wv]íTCíTOHϕpΓCtzuα∩íTC
Ω ¼sb¡ϕzRú Tivoli Identity Manager ½≤]pµ BHbßA½≤ú
Yqt úAO Ω¼xsCMΩ¼hOt@]
uOΘ¼vA]AHΓΦí⌡µMz ScriptC
uΩ¼sb¡vµ ⁿwOA½≤btΩ¼ñOdX#ºßA
NiHΓΦí⌡µMz Script NªRúCΩ¼sb¡iHbYⁿwí
AO@Ω¼ñ½≤AúQMz Script RúC
Ω¼sb¡]wAMz Script uα ú¡≤sb¡]w½≤C±Φ
íApGsb¡]wO 62 #]w]A≥ub 62 #ºe]wgbΩ¼
dWL 62 #½≤AiHΓΦí⌡µMz Script [HRúC
ziHQUCMz ScriptAH ¡ úΩ¼C
WindowsG
<ITIM_HOME>\bin\win\ldapClean.cmd
UNIXG
<ITIM_HOME>/bin/unix/ldapClean.sh
znw⌡µΩ¼MzCpGO Windows ¡xAhiH Windows
An²WoⁿO ScriptCpGO UNIX ¡xAhiH@ UNIX cron
u@C
UO@ UNIX cron Script dG
<ITIM_HOME>/bin/unix/schedule_garbarge.cron
²e
ttm²Aπ Tivoli Identity Manager °A²suΩT
M LDAP suxsΩTCu²v]÷sAiH²°AsuC
t\ 45 3 , ytmRezñ
enRoleLDAPConnection.propertiesC
Tivoli Identity Manager °A²suΩT
Tivoli Identity Manager °A²suΩTµ πO²°ADΘ DNBK
XBD≈WM≡C
LDAP suxsΩT
LDAP suxsΩTiwq Tivoli Identity Manager °Aαs LDAP su
xsCuxsjpW¡vµ AOⁿ LDAP suxsb⌠≤su
W¡Cuxsljpvµ AO LDAP suxslsu
CuWqpvµ AO@'suúbñACnD@suAN[
J LDAP suxsϕñsuC
: ϕsuªAΩ]xsb LDAP ²°AºßApGoA≤D≈W
≡AiαúúQvTC
Ωwe
ttmΩwπOA@δΩwΩTMΩwxsΩ
TCΩw]@÷sAiHΩwsuCsu¼
wAbtmΩweAπΣñ@∩ °íC
: ΩwttfO²Mu@yΩTCbt]wºßA≤tmAiαúúQvTC
ϕ Tivoli Identity Manager °Aú Oracle ßs Oracle ΩwAUo
∩ °íKXΩwCo¼suO¼ IV (Oracle Thin) JDBC
XíCPaAMicrosoft SQLServer O¼ 4 JDBC XíC
2. u²v
t\ 45 3 , ytmRezñ
enRoleDatabase.propertiesC
@δΩwΩT
@δΩwΩTµ πOuΩw¼vBuΩw⌠⌠AWvMuΩ
wvÑΩTC
v uΩw¼vµ eOtΩw¼C
e IBM Σ IBM DB2BOracle ORACLE 8i M Microsoft SQLServer 2000
Enterprise EditionC
v ¡ DB2GuΩwWOWvµ eAO Tivoli Identity Manager °As
ΩwΦíC
pGΩwOwb⌠AhNOⁿΩwWC
pGΩwOwb⌠AhNOⁿΩwOWWC
v ¡ OracleGµ OuΩw IPG≡GWv
v ¡ Microsoft SQLServerGµ OuΩw IPG≡GAWv
v ¡ Oracle M Microsoft SQLServerGªO¼ 4 JDBC XíCú
⌠≤ßnΘC
v uΩwvµ πO Tivoli Identity Manager °AnJΩw
bßC ID @wO ″enrole″AªO Tivoli Identity Manager Ωwtmí
(DBConfig) C
obßπKXC
v uKXvµ OΩwbßKXC
ΩwxsΩT
ΩwxsΩTiHMw JDBC suCuleqvµ AO JDBC
suCueqW¡vµ AO⌠≤ Tivoli Identity Manager °Ah
α±Ωw JDBC suCunJ ≡ϕvµ AhOsuºí
jϕC
3. uΩwv
Oⁿe
ttmuπuOⁿveAO Tivoli Identity Manager °AñOⁿMl
n]wC
t\ 45 3 , ytmRezñ
″enRoleLogging.properties″C
Oⁿh
Tivoli Identity Manager °AN≤O²bΘxñCuOⁿhvµ AOⁿ
boltAΘxCtziH]w INFO M FATAL ºí
uOⁿhvµ XA∩ΘxCHg ΘxΩTíA
INFO n± FATAL CINFO úgJq±hCpGzµú¬ Tivoli
Identity Manager αA FATALC
lº¼p
Tivoli Identity Manager °AltCl¼EΩTAú IBM ß
ΣñCtziHbulº¼pv∩uOvuvΩsA
÷¼l\αC
l≤e
ttmuπl≤eAOl≤qMhDC
4. uΩwv
t\ 45 3 , ytmRezñ
″enRoleMail.properties″C
Web °AΩT
Tivoli Identity Manager nJ URLAbqll≤ñOHWíAXbs
Tivoli Identity Manager eConJ URL OHul≤vu¡
z°A URLvµ π URL ]≥ URLC
NA≥ URL uⁿwD≈W] IP M≡ABΣPoG
Tivoli Identity Manager tnJ URL PC
∩≤ WebSphere Application Server µ@°AíA≥ URL O Web °
A]pAIBM HTTP Server≥ URLCw]AHTTP O≡ 80A
HTTPS O≡ 443Fí°Ah Web °Aw]AHTTP O≡ 9080A
HTTPS O≡ 9443C
∩≤ WebSphere Application Server OM\αOíAΣ≥ URL O
¡Oϕñí°AΩtⁿ Web °A≥ URL]úOSw
í°AΩ≥ URLC
∩≤ WebLogic Application ServerAú Web °Aµ@°AíA
Σ≥ URL Oπí Web °A%≤í°A≥ URLC±Φ
íAHTTP O≡ 7001A HTTPS hO≡ 7002C
∩≤ WebLogic Application Server M Web °Aµ@°AíA≥
URL O Web °A≥ URLAw]AHTTP O≡ 80A HTTPS O
≡ 443]úOí°A≡C
∩≤ WebLogic Application Server OíA≥ URL O Proxy °A
≥ URL – pGúOwMtm BEA WebLogic í Web °AA
NOt@ϕ@ Proxy °AtmM⌡µ WebLogic Application ServerC≥ URL
úOOϕñY@Swí°AΩ≥ URLC
5. ul≤v
l≤ΩT
H≤HaAOz⌠ Tivoli Identity Manager tzqll≤ C
qll≤úqH≤HeCoµ O±gCΣO
@µí&qll≤ C
l≤°AΩT
SMTP l≤°AObΣd≥CSMTP D≈Ol≤hDC
e
ttmuπ UI i²tzq Tivoli Identity Manager °A
C
t\ 45 3 , ytmRezñ ″UI.properties″C
ßxMßx
ußxvµ AOxWCußxvhOⁿx mC
tziHⁿwoΓAN Tivoli Identity Manager tñ IBM xA½
¿LqxC
÷≤xMΩTA\ 99yqxzC
Mµjp
uMµjpvOⁿMµWCXCpGWLuMµ
jpvAMµN¿nXC
6. UI
we
ttmuπuwvAOⁿ Tivoli Identity Manager °Añ[K]wM
í°Azn]wC
t\ 45 3 , ytmRezñ
″enRoleAuthentication.properties″C
[K]w
[K]∩
pG∩o@AhΩwM LDAP suKXAHiµ EJB O EJB
KXú[KC[KXO] trueCoXO enRole.properties UC
eϕC
enrole.password.database.encrypted
enrole.password.ldap.encrypted
enrole.password.appServer.encrypted
pGS∩o@AoKXQKABX] falseC
í°Az]w
i²z]wMTUCKXG
v t
WebSphere Application Server ID MKXC
v EJB
bw@ºe²wqMKXC
: pGoµ Xwgw²±nΩAhΣiαOtCNoµ ∩ EJB CΣLΩTA\Aϕ IBM Tivoli
Identity Manager °AwΓUñuwqv²C
7. uwv
Tivoli Identity Manager °A Web
z]iHb Tivoli Identity Manager °A Web D\αϕ²Cut
mvqñA∩SwteC
ziHqutmv∩UCeG
v ≥óKXDµ
v /KXsΦ
v KX¡]Θ
oeuα≤ Tivoli Identity Manager °AbßCb ºe≤
KXCCϕ]w Tivoli Identity Manager °AbßsKXAKX¡Nq]w
ϕlΓCziHNo]sA²ª*ú C
v KX¡]Θ
ϕzsbßA¼ @qll≤ABiHqΣñt URL
oKXCbKX¡ ºeoKXC
v nJóW¡
ªOⁿ nJhα≈óCpGWLoAhbßCw]O ″0″] nJúδC
2 tmte
Ní Tivoli Identity Manager ttm enRole.properties te
ΣMC
DDG
v 14 yFez
enRole.properties qG
v 15yWebLogic Mtmz
v 18yWebSphere Mtmz
v 21yí°AΩTz
v 22yw] Tenant ΩTz
v 23yLDAP °AΩTz
v 24yOΘΩTz
v 25yTΩTz
v 29yΩTz
v 30yKXµ÷°]wz
v 31yXML M DTD ΩTz
v 32yLDAP suxsΩTz
v 33y[KΩTz
v 34yttmíz
v 35yu@ytmΩTz
v 39yl≤Atmz
v 40yΩTz
v 42y@KXVXz
v 43ySSL VOez
v 44 ynDz UI tmz
Fe
Java ewqAiHqMε Java nΘCteMqe
AOtmn]wMq@CJava ewqOAiⁿw
í∩]pAΩwsΩTB⌠]wMSϕSP\απWΩC
eiQeΣMXµíAwqπWΩG
property-key-name = value
property-key-name OⁿΩ IDCvalue OⁿúΩΩ Java ½≤WC
Tivoli Identity Manager \heεí\αA²qSϕS
C
WebLogic Mtm
UCeitm Tivoli Identity Manager P WebLogic í°AπX@M
C
¡x⌠wq Factory W
enrole.platform.contextFactory
ún∩oeΣMC
iⁿwwq Tivoli Identity Manager P WebLogic í°AπXIº¡x⌠w
q Factory Java OC
w]]ΘJ≤P@µG
enrole.platform.contextFactory = com.ibm.itim.apps.impl.weblogic.WebLogicPlatformContextFactory
í°A
enrole.appServer.contextFactory
ún∩oeΣMC
iⁿw Java OAPn@ JNDI Factory ft WebLogic í°AC
w]G
enrole.appServer.contextFactory = weblogic.jndi.WLInitialContextFactory
enrole.appServer.url.redirect
ún∩oeΣMC
iⁿwNnD Tivoli Identity Manager °A URLC
d]w]G
enrole.appServer.url.redirect = /enrole
enrole.appServer.url
uXµzα≤oeΣMC
iⁿwí°ARWA mCoObw Tivoli Identity Manager
oC
dG
enrole.appServer.url = t3://localhost
enrole.appServer.pwdKey
SC
enrole.appServer.systemUser
uXµzα≤oeΣMCzuα runConfig í∩C
ªiHbwAⁿw WebSphere zWCTivoli Identity Manager w
MtmíNOQoO WebSphereC
dG
enrole.appServer.systemUser = system
enrole.appServer.systemUser.credentials
uXµzα≤oeΣMCzuα runConfig í∩C
iⁿw systemUser KXC
dG
enrole.appServer.systemUser.credentials = enrole
enrole.appServer.ejbuser.principal
uXµzα≤oeΣMCzuα runConfig í∩C
iⁿw Tivoli Identity Manager b Java Bean oXIsAOWC
dG
enrole.appServer.ejbuser.principal = rasweb
enrole.appServer.ejbuser.credentials
uXµzα≤oeΣMCzuα runConfig í∩C
iⁿw ejbuser KXC
o[KAO enrole.properties ñ
enrole.password.appServer.encrypted eⁿwC
dG
enrole.appServer.ejbuser.credentials = password
enrole.appServer.usertransaction.jndiname
ún∩oeΣMC
iⁿw JTA]Java µ÷ APIµ÷½≤ JNDI WC
w]G
enrole.appServer.usertransaction.jndiname = javax.transaction.UserTransaction
enrole.appServer.name.java.option
ún∩oeΣMC
iⁿw WebLogic °A JVM ∩C
d]w]G
enrole.appServer.name.java.option = weblogic.Name
í°A Servlet ⌠jr
enrole.servlet.path.separator
ún∩oeΣMC
iⁿwjr%AⁿwqnΩ⌠WC
w] (WebLogic)G
enrole.servlet.path.separator = /
T
enrole.messaging.JMSServerUrl
uXµzα≤oeΣMC
iⁿwt Java TA (JMS) RWA mC
pGO WebSphereAoϕ≤ enrole.appServer.urlC
dG
enrole.messaging.JMSServerUrl = t3://localhost
enrole.messaging.sessionPoolFactory
SC
enrole.messaging.weblogic.sessionPoolFactory
SC
Login Helper
enrole.appServer.loginHelper.class
SC
≤qtnJ
SystemLoginContextFactory
ún∩oeΣMC
iⁿw WebLogic A≤qtnJ Java Factory OC
w]]ΘJ≤P@µG
SystemLoginContextFactory = com.ibm.itim.remoteservices.provider.itim.weblogic.WLSystemLoginContextFactory
WebSphere Mtm
UCeitm Tivoli Identity Manager P WebSphere application server πX@M
C
¡x⌠wq Factory W
enrole.platform.contextFactory
ún∩oeΣMC
iⁿwwq Tivoli Identity Manager P WebSphere application server πXI¡x⌠w
q Factory Java OC
w]]ΘJ≤P@µG
enrole.platform.contextFactory = com.ibm.itim.apps.impl.websphere.WebSpherePlatformContextFactory
í°A
enrole.appServer.contextFactory
ún∩oeΣMC
iⁿw Java OAPn@ JNDI Factory ft WebSphere application server
C
w]G
enrole.appServer.contextFactory = com.ibm.websphere.naming.WsnInitialContextFactory
enrole.appServer.url
uXµzα≤oeΣMC
iⁿwí°ARWA mCoObw Tivoli Identity Manager
oC
dG
enrole.appServer.url = iiop://localhost:2809
enrole.appServer.usertransaction.jndiname
ún∩oeΣMC
iⁿw JTA]Java µ÷ APIµ÷½≤ JNDI WC
w]G
enrole.appServer.usertransaction.jndiname = jta/usertransaction
enrole.appServer.systemUser
uXµzα≤oeΣMCzuα runConfig í∩C
ibwAⁿw WebSphere zWCTivoli Identity Manager wM
tmíNOQoO WebSphereC
dG
enrole.appServer.systemUser = system
enrole.appServer.systemUser.credentials
uXµzα≤oeΣMCzuα runConfig í∩C
iⁿw systemUser KXC
dG
enrole.appServer.systemUser.credentials = enrole
enrole.appServer.ejbuser.principal
uXµzα≤oeΣMCzuα runConfig í∩C
iⁿw Tivoli Identity Manager b Java Bean oXIsAOWC
dG
enrole.appServer.ejbuser.principal = rasweb
enrole.appServer.ejbuser.credentials
uXµzα≤oeΣMCzuα runConfig í∩C
iⁿw ejbuser KXC
o[KAO enrole.properties ñ
enrole.password.appServer.encrypted eⁿwC
dG
enrole.appServer.ejbuser.credentials = password
í°A Servlet ⌠jr
enrole.servlet.path.separator
ún∩oeΣMC
iⁿwjr%AⁿwqnΩ⌠WC
w] (WebSphere)G
enrole.servlet.path.separator = .
T
enrole.messaging.JMSServerUrl
uXµzα≤oeΣMC
iⁿwt Java TA (JMS) RWA mC
∩≤ WebSphere ÑAoϕ≤ WebLogic enrole.appServer.urlC
dG
enrole.messaging.JMSServerUrl = iiop://localhost:2809
Login Helper
enrole.appServer.loginHelper.class
ún∩oeΣMC
iⁿwNC@⌡µⁿnJ J2EE w Java OC
w]G
enrole.appServer.loginHelper.class = com.ibm.itim.util.was.WAS40LoginHelper
u@yÑh URL
enrole.wfcluster.url
ún∩oeΣMC
oeuA≤ WebSphereC
iⁿwbd\u@yÑh BeanCub\αOíh≈WAαⁿ
wΣCΣLhOdw]C
d]w]G
enrole.wfcluster.url = iiop://localhost:2809/cell/clusters/WFCluster
≤qtnJ
SystemLoginContextFactory
ún∩oeΣMC
iⁿw WebSphere A≤qtnJ Java Factory OC
w]]ΘJ≤P@µG
SystemLoginContextFactory = com.ibm.itim.remoteservices.provider.itim.websphere.WSSystemLogonContextFactory
í°AΩT
UCeiHtm Tivoli Identity Manager í°AM]p
WebSphere WebLogicC
enrole.appServer.name
iⁿwí°AMWC
bO⌠UAOϕñC@¿oWúα½C
d]w]G
enrole.appServer.name = myserver
enrole.appServer.config.latency
S
enrole.password.database.encrypted
runConfig í∩oeC
iⁿwΩwsuKX] enRoleDatabase.properties ñ
database.db.password ⁿwO[KCG
v true – [K
v false – ú[K
d]w]G
enrole.password.database.encrypted = false
enrole.password.ldap.encrypted
runConfig í∩oeC
iⁿw LDAP KX] enRoleLDAPConnection.properties ñ
java.naming.security.credentials eⁿwO[KCG
v true – [K
v false – ú[K
d]w]G
enrole.password.ldap.encrypted = false
enrole.password.appServer.encrypted
runConfig í∩oeC
iⁿwí°AKX] enrole.properties ñ
enrole.appServer.ejbuser.credentials eⁿwO[KCG
v true – [K
v false – ú[K
d]w]G
enrole.password.appServer.encrypted = false
w] Tenant ΩT
UCeitm²°AWΩC
enrole.defaulttenant.id
ún∩oeΣMC
iⁿw²°AWuWµíC
oObw Tivoli Identity Manager ⁿwC
d]w]G
enrole.defaulttenant.id = Tivoli
ob LDAP ñOϕG
ou = Tivoli
enrole.organization.name
ún∩oeΣMC
iⁿw²°AW°WµíC
oObw Tivoli Identity Manager ⁿwC
d]w]G
enrole.organization.name = Tivoli
LDAP °AΩT
UCeitm Tivoli Identity Manager ²°AC
enrole.ldapserver.root
iⁿw²°AΩc]dc = ΓεWhΓIC
oObw Tivoli Identity Manager ⁿwC
runConfig í∩oC
d]w]G
enrole.ldapserver.root = dc=com
enrole.ldapserver.home
ún∩oeΣMC
iⁿw Tivoli Identity Manager ²°AñttmΩT mC
w]G
enrole.ldapserver.home = ou=itim
enrole.ldapserver.agelimit
iⁿw½≤btΩ¼ñOdX#ºßANiHΓΦí⌡µMz Script Nª
RúCΩ¼sb¡iHbYⁿwíAO@Ω¼ñ½≤AúQM
z Script RúC
Mz Script uα ú¡≤sb¡]w½≤C±ΦíApGsb¡]wO 62 #]w
]A≥ub 62 #ºe]wgbΩ¼dWL 62 #½≤AiHΓ
Φí⌡µMz Script [HRúC
uXµzα≤oeΣMC runConfig í∩oC
d]w]G
enrole.ldapserver.agelimit = 62
enrole.ldapserver.ditlayout
ún∩oeΣMC
iⁿw Java OAwqxsb²°AñΩºcC
w] – ¡cG
enrole.ldapserver.ditlayout = com.ibm.itim.dataservices.dit.itim.FlatHashedLayout
enrole.ldap.provider
S
OΘΩT
UCeitmvTtOΘαC
enrole.profile.timeout
oeΣMvTtX Tivoli Identity Manager παA]uXµ
zα≤C
iⁿw ≤OΘ]wqΩTOCWLoOΩTAq
OΘ úC
oOHϕC
d]w]G
enrole.profile.timeout = 10
enrole.schema.timeout
oeΣMvTtX Tivoli Identity Manager παA]uXµ
zα≤C
iⁿw ≤OΘ⌡qΩTOCWLoOΩTAqO
Θ úC
oOHϕC
d]w]G
enrole.schema.timeout = 10
TΩT
UCeitmb Tivoli Identity Manager Java TºA (JMS) %≤ºíí
qTCpGnπ Tivoli Identity Manager úαMiπA@wnπo
eCuXµzAα≤oqeC
Connection Factory tm
enrole.messaging.queueConnectionFactory
ún∩oeΣMC
iⁿw Java RWM² (JNDI) εCsu Connection Factory WC
oeOíAúiH≤ úCpGnQtm∩í°A
εCsuA@wnπoC
d]w]G
enrole.messaging.queueConnectionFactory = enrole.jms.QueueConnectionFactory
sÑ⌡µⁿtm
enrole.messaging.defaultMaxThreads
oeΣMvTtX Tivoli Identity Manager παA]uXµ
zα≤C
iⁿwbsuxsñAC@ JMS εChα≈Odh'Ñ⌡µⁿ]w]
C
pGεCS]w MAX_THREADS ]\uTεCtmv@AN
ow]C
d]w]G
enrole.messaging.defaultMaxThreads = 10
enrole.messaging.minThreads
oeΣMvTtX Tivoli Identity Manager παA]uXµ
zα≤C
iⁿwC@ JMS εC'h'Ñ⌡µⁿCJMS Ñ⌡µⁿΩ A
úα'≤oC
OεCosAiHQ MIN_THREADS ∩g]egbíñO 10C
d]w]G
enrole.messaging.minThreads = 1
enrole.messaging.maxThreads
oeΣMvTtX Tivoli Identity Manager παA]uXµ
zα≤C
iⁿwC@ JMS εChh'Ñ⌡µⁿCJMS Ñ⌡µⁿΩ A
úαh≤oC
osiH MAX_THREADS εCe\]w¡εC
d]w]G
enrole.messaging.maxThreads = 500
TºOtm
enrole.messaging.ttl
oeΣMvTtX JMS παA]uXµzα≤C
iⁿwεCñTºR¡]HpC
d]w]G
enrole.messaging.ttl = 1440
enrole.messaging.timeout
oeΣMvTtX JMS παA]uXµzα≤C
iⁿwTºBzµ÷O]HϕpCzH 360 ϕ@w]C
o∩≤tαϕ½nA]J[εOípµºßAα[H
πCpGzNúLto]o(CATºBzOCpG]o(¬Aun@
°NiHΓπtΩ)C
d]l]wG
enrole.messaging.timeout = 360
TºBzε
enrole.messaging.threshold
oeΣMvTtX Tivoli Identity Manager παA]uXµ
zα≤C
iⁿwPBzTº±h]TºtⁿqC
pGoC≤ 100%Ahu²iTº²XhvtΓkCpG¬≤ 100%A
h²Tº@i[HBzA²iα∩ty¿úOC
d]w]±G
enrole.messaging.threshold = 60
Tºtl]w
enrole.messaging.QueueLookupRetryCount
oeΣMvTtX Tivoli Identity Manager παA]uXµ
zα≤C
iⁿw Tivoli Identity Manager bsí°AεC½C
d]w]G
enrole.messaging.QueueLookupRetryCount = 5
enrole.messaging.QueueLookupInterval
oeΣMvTtX Tivoli Identity Manager παA]uXµ
zα≤C
iⁿwεCsu½íj]HϕpC
d]w]G
enrole.messaging.QueueLookupInterval = 60
TεCtm
enrole.messaging.managers= \
enrole.messaging.adhocSyncQueue \
enrole.messaging.workflowQueue \
enrole.messaging.workflowPendingQueue \
enrole.messaging.remoteServicesQueue \
enrole.messaging.mailServicesQueue
ún∩oeΣMC
iⁿwⁿΣ Tivoli Identity Manager εC≈WC
enrole.messaging.adhocSyncQueue=adhocSyncQueue
enrole.messaging.workflowQueue=workflowQueue
enrole.messaging.workflowPendingQueue=workflowPendingQueue
enrole.messaging.remoteServicesQueue=remoteServicesQueue
enrole.messaging.mailServicesQueue=mailServicesQueue
ún∩oeΣMC
iⁿwí°AΩ εCWC
εCtm
v MAX_THREADS
iⁿwoεCÑ⌡µⁿW¡CpGS]woAh
enrole.messaging.defaultMaxThreads ]ww]CpG]woAhⁿ
wúαj≤ enrole.messaging.defaultMaxThreads C
v MIN_THREADS
iⁿwoεCÑ⌡µⁿU¡CpGS]woAh 10 @w
]CpG]woAhⁿwúαp≤ enrole.messaging.minThreads C
v OVERCAPACITY_WAIT_TIME
ϕtWq]TºbÑBzAnÑh[¼ sTºCw]O 60 ϕCo
uA≤ workflowPendingQueueC
v PRIORITY
⌡µⁿu²C÷∩Aϕ (1 – 5) ΩTA\ JVM σ≤Cw]
O 1CzNεCú]PC
v RECEIVE_TIMEOUT
nÑh[]HϕpA¼ JMS °AAiDzªiH¼TºCw]
O 60 ϕC
v WAIT_TIME
nÑh[]HϕpAαBzεCsTºCpG 0AhúÑNi
HBzsTºCw]O 0 ϕC
v TRANSACTED
True – Σµ÷
False – úΣµ÷
dG
enrole.messaging.adhocSyncQueue.attributes = TRANSACTED=true RECEIVE_TIMEOUT=60 MAX_THREADS=5 MIN_THREADS=5
enrole.messaging.workflowQueue.attributes = TRANSACTED=true RECEIVE_TIMEOUT=60 MAX_THREADS=1 MIN_THREADS=1
enrole.messaging.workflowPendingQueue.attributes = TRANSACTED=true RECEIVE_TIMEOUT=60 WAIT_TIME=0 OVERCAPACITY_WAIT_TIME=10 MAX_THREADS=1 MIN_THREADS=1
enrole.messaging.remoteServicesQueue.attributes = TRANSACTED=false RECEIVE_TIMEOUT=60 WAIT_TIME=0 MAX_THREADS=7 MIN_THREADS=7
enrole.messaging.mailServicesQueue.attributes = TRANSACTED=false RECEIVE_TIMEOUT=60 WAIT_TIME=0 MAX_THREADS=3 MIN_THREADS=3
ΩT
UCeitmtd⌡µµΣwº≤íC≤ΣOx
sbΩwϕµñC
enrole.scheduling.heartbeat
oeΣMvTtX Tivoli Identity Manager παA]uXµ
zα≤C
iⁿw≤°dΩwϕµAMΣw≤WvC
oOHϕµ C
d]w]G
enrole.scheduling.heartbeat = 60
enrole.scheduling.timeout
oeΣMvTtX Tivoli Identity Manager παA]uXµ
zα≤C
iⁿw≤BzOC
oOHϕC
d]w]G
enrole.scheduling.timeout = 10
enrole.scheduling.fetchsize
oeΣMvTtX Tivoli Identity Manager παA]uXµ
zα≤C
iⁿwHσí@TºC
d]w]G
enrole.scheduling.fetchsize = 50
KXµ÷°]w
UCeOKXµ÷°tm]wC
ϕ≤úKXAe@hqll≤qCoqll≤
pGútΩ KXANOtAi²NosKXCoíKX
µ÷Cbⁿwíoqll≤AB[JsKXCpGS
bⁿwíAKXµ÷Ki C
KXµ÷°tddKXµ÷ApGLkqll≤qAK
Nµ÷Pw C
enrole.passwordtransactionmonitor.heartbeat
iⁿwKXµ÷°dKXµ÷O WvC
oOHpµ C
d]w]G
enrole.passwordtransactionmonitor.heartbeat = 1
XML M DTD ΩT
oqwgúAC
enrole.dtd.uri
S
LDAP suxsΩT
UCeitmvT Tivoli Identity Manager ²°AsunDC
enrole.connectionpool.maxpoolsize
oeΣMvTtX Tivoli Identity Manager παA]uXµ
zα≤C
iⁿwhiHh'Ω LDAP suC
d]w]G
enrole.connectionpool.maxpoolsize = 100
enrole.connectionpool.initialpoolsize
oeΣMvTtX Tivoli Identity Manager παA]uXµ
zα≤C
iⁿw LDAP suxslΩ LDAP suCop≤Ñ≤
maxpoolsize C
d]w]G
enrole.connectionpool.initialpoolsize = 50
enrole.connectionpool.incrementcount
oeΣMvTtX Tivoli Identity Manager παA]uXµ
zα≤C
iⁿwtXWnDAXj]WLDAP suxsAsuC
d]w]G
enrole.connectionpool.incrementcount = 3
[KΩT
UCeitmvTKX[KC
enrole.encryption.algorithm
ún∩oeΣMC
iⁿw[KKXXC
w]G
enrole.encryption.algorithm = PBE/SHA1/RC2/CBC/PKCS12PBE-5-128
enrole.encryption.password
ún∩oeΣMC
iⁿw@KX¼[KkΘJH≈rΩC
oObw Tivoli Identity Manager ⁿwC
w]G
enrole.encryption.password = sunshine
enrole.encryption.passwordDigest
ún∩oeΣMC
iⁿw Tivoli Identity Manager KXKXKn¼CªΓ∩G″SHA″ M
″MD5″
v SHA – w°ΩtΓkAbw°Ω NIST FIPS 180-1 ñwq
v MD5 – MD5 TºKntΓkAb RFC 1321 ñwq
w]G
enrole.encryption.passwordDigest = MD5
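As an added example (not IBM's code and not from this manual), a small Python reader for the enrole.properties format this chapter documents: it handles the backslash line-continuation form used by enrole.messaging.managers, the NAME=value attribute strings of the queue configuration section, and the enrole.password.*.encrypted and enrole.encryption.* keys of this section. The thread limits it checks are the ones the queue configuration section states (MAX_THREADS not above enrole.messaging.defaultMaxThreads, MIN_THREADS not below enrole.messaging.minThreads); the sample input is constructed from the page's own keys and defaults, and the function and constant names are my own.

```python
import re

# Constructed sample (not a real enrole.properties) built from the keys and
# defaults this chapter documents; one queue and three credential settings
# are deliberately set so that the checks below have something to report.
SAMPLE_PROPERTIES = """\
enrole.messaging.defaultMaxThreads = 10
enrole.messaging.minThreads = 1
enrole.messaging.managers= \\
  enrole.messaging.adhocSyncQueue \\
  enrole.messaging.remoteServicesQueue
enrole.messaging.adhocSyncQueue=adhocSyncQueue
enrole.messaging.remoteServicesQueue=remoteServicesQueue
enrole.messaging.adhocSyncQueue.attributes = TRANSACTED=true RECEIVE_TIMEOUT=60 MAX_THREADS=5 MIN_THREADS=5
enrole.messaging.remoteServicesQueue.attributes = TRANSACTED=false WAIT_TIME=0 MAX_THREADS=12 MIN_THREADS=0
enrole.password.database.encrypted = false
enrole.password.ldap.encrypted = true
enrole.password.appServer.encrypted = false
enrole.encryption.password = sunshine
enrole.encryption.passwordDigest = MD5
"""

# The three flags this page documents as true (encrypted) / false (plain text).
ENCRYPTED_FLAGS = ("enrole.password.database.encrypted",
                   "enrole.password.ldap.encrypted",
                   "enrole.password.appServer.encrypted")


def parse_properties(text):
    """Read 'key = value' lines (also 'key: value'); skip blank and '#'/'!'
    comment lines; a trailing backslash joins the next line, minus its
    leading blanks, onto the current one (the enrole.messaging.managers form)."""
    props, pending, continuing = {}, "", False
    for raw in text.splitlines():
        line = raw.strip()
        if not continuing and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending, continuing = pending + line[:-1], True
            continue
        pending, continuing = pending + line, False
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", pending)
        pending = ""
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def parse_queue_attributes(value):
    """Split a 'NAME=value NAME=value ...' string from a *.attributes key."""
    attrs = {}
    for token in value.split():
        name, sep, val = token.partition("=")
        if sep:
            attrs[name] = val
    return attrs


def check_queue_threads(props):
    """Per-queue limits from the queue configuration section: MAX_THREADS must
    not exceed enrole.messaging.defaultMaxThreads and MIN_THREADS must not be
    below enrole.messaging.minThreads. Unset attributes are not judged.
    Returns (queue name, message) pairs."""
    default_max = int(props.get("enrole.messaging.defaultMaxThreads", "10"))
    global_min = int(props.get("enrole.messaging.minThreads", "1"))
    findings = []
    for manager in props.get("enrole.messaging.managers", "").split():
        queue = props.get(manager, manager)  # manager key -> queue name
        attrs = parse_queue_attributes(props.get(manager + ".attributes", ""))
        if "MAX_THREADS" in attrs and int(attrs["MAX_THREADS"]) > default_max:
            findings.append((queue, "MAX_THREADS=%s exceeds defaultMaxThreads=%d"
                             % (attrs["MAX_THREADS"], default_max)))
        if "MIN_THREADS" in attrs and int(attrs["MIN_THREADS"]) < global_min:
            findings.append((queue, "MIN_THREADS=%s is below minThreads=%d"
                             % (attrs["MIN_THREADS"], global_min)))
    return findings


def check_credential_settings(props):
    """Flag a *.encrypted flag that is not 'true' (that password is then kept
    in clear in its properties file), an enrole.encryption.password left at the
    default this page documents, and the MD5 digest where the page offers SHA."""
    findings = []
    for key in ENCRYPTED_FLAGS:
        if props.get(key, "false").lower() != "true":
            findings.append("%s is not true: its password is stored unencrypted" % key)
    if props.get("enrole.encryption.password") == "sunshine":  # documented default
        findings.append("enrole.encryption.password still holds the documented default")
    if props.get("enrole.encryption.passwordDigest", "").upper() == "MD5":
        findings.append("enrole.encryption.passwordDigest is MD5; SHA is available")
    return findings


if __name__ == "__main__":
    parsed = parse_properties(SAMPLE_PROPERTIES)
    for queue, message in check_queue_threads(parsed):
        print("[queue %s] %s" % (queue, message))
    for message in check_credential_settings(parsed):
        print("[credentials] %s" % message)
```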
ttmí
UCeitm Tivoli Identity Manager tÑ≡]wC
enrole.system.listenPort
ún∩oeΣMC
iⁿw TCP]DwqTÑ≡C
oObw Tivoli Identity Manager ]wC
d]w]G
enrole.system.listenPort = 80
enrole.system.SSLlistenPort
ún∩oeΣMC
iⁿw SSL]wqTÑ≡C
oObw Tivoli Identity Manager ]wC
d]w]G
enrole.system.SSLlistenPort = 443
u@ytmΩT
UCeitm Tivoli Identity Manager u@yC
u@ytm
enrole.workflow.processcache
uXµzα≤oeΣMC
/íC
bµ@°A⌠ñAiHO ″true″FbO⌠ñA@wO ″false″C
OípúΣCoebwOtmA] ″false″]C
d]w]µ@°AG
enrole.workflow.processcache = true
enrole.workflow.notifyoption
uXµzα≤oeΣMC
iⁿw¿q∩C
pGΣ 1Aϕu@y¿AqnDCpGΣ 0AϕúqnD
C
d]w]G
enrole.workflow.notifyoption = 1
enrole.workflow.notifypassword
uXµzα≤oeΣMC
iⁿwKXµ÷ñqll≤q¼]bKX≤úoXC
pGΣ ″true″Aϕbqll≤qñAΩ KXHXϕCpGΣ
″false″AϕKXO zLqll≤ú URL ∩XC
d]w]G
enrole.workflow.notifypassword = true
enrole.workflow.maxasyncactivitycreate
S
enrole.workflow.maxretry
uXµzα≤oeΣMC
iⁿw½sIs²óu@yíC\
enrole.workflow.retrydelayC
d]w]G
enrole.workflow.maxretry = 2
enrole.workflow.retrydelay
uXµzα≤oeΣMC
iⁿwΓ½sIs²óu@yíºí ≡íC\
enrole.workflow.maxretryC
oOH@ϕϕC
d]w]G
enrole.workflow.retrydelay = 60000
enrole.workflow.skipapprovalforrequester
uXµzα≤oeΣMC
∩≤nπu@yíApGnD¡NOπ AiHⁿwOn
ñLΣLππC]pAnD]iHñLⁿπ@C
pGΣ ″true″AϕñLΣLππ]pGnDNOΣñ@π
C
pGΣ ″false″AhjóΣLníπiµπdA²nDú
]pGnD]Oπ C
d]w]G
enrole.workflow.skipapprovalforrequester = false
enrole.workflow.skipfornoncompliantaccount
uXµzα≤oeΣMC
iⁿwb]hIµ@otbß∩@AOniµPbß÷p
vu@yC
pGΣ ″true″AϕñLo@C
pGΣ ″false″AϕúñLo@C
d]w]G
enrole.workflow.skipfornoncompliantaccount = true
u@yqtm
oqi²ziiqu@yq¼Ω@q Java OC
÷p≤qqA\Uzσ≤G
<install-dir>\extensions\doc\mail\mail.html
enrole.workflow.notification.activitytimeout
uXµzα≤oeΣMC
iⁿwúu@yíOqw] Java OC
d]w]]ΘJ≤P@µG
enrole.workflow.notification.activitytimeout = com.ibm.itim.workflow.notification.ActivityTimeoutNotification
enrole.workflow.notification.processtimeout
uXµzα≤oeΣMC
iⁿwúu@yBzOqw] Java OC
d]w]]ΘJ≤P@µG
enrole.workflow.notification.processtimeout = com.ibm.itim.workflow.notification.ProcessTimeoutNotification
enrole.workflow.notification.processcomplete
uXµzα≤oeΣMC
iⁿwúu@yBz¿qw] Java OC
d]w]]ΘJ≤P@µG
enrole.workflow.notification.processcomplete = com.ibm.itim.workflow.notification.ProcessCompleteNotification
enrole.workflow.notification.pendingwork
uXµzα≤oeΣMC
iⁿwúu@ymu@qw] Java OC
d]w]]ΘJ≤P@µG
enrole.workflow.notification.pendingwork = com.ibm.itim.workflow.notification.PendingWorkNotification
enrole.workflow.notification.newaccount
uXµzα≤oeΣMC
iⁿwúu@ysbßqw] Java OC
d]w]]ΘJ≤P@µG
enrole.workflow.notification.newaccount = com.ibm.itim.workflow.notification.NewAccountNotification
enrole.workflow.notification.newpassword
uXµzα≤oeΣMC
iⁿwúu@ysKXqw] Java OC
d]w]]ΘJ≤P@µG
enrole.workflow.notification.newpassword = com.ibm.itim.workflow.notification.NewPasswordNotification
enrole.workflow.notification.deprovision
uXµzα≤oeΣMC
iⁿwúu@yεqw] Java OC
d]w]]ΘJ≤P@µG
enrole.workflow.notification.deprovision = com.ibm.itim.workflow.notification.DeprovisionNotification
enrole.workflow.notification.workorder
uXµzα≤oeΣMC
iⁿwúu@yu@qw] Java OC
d]w]]ΘJ≤P@µG
enrole.workflow.notification.workorder = com.ibm.itim.workflow.notification.WorkOrderNotification
l≤Atm
UCeOíl≤qtm]wC
enrole.mail.notify
iⁿwOnPBBzu@yíqll≤e@C
Σ ″SYNC″ M ″ASYNC″ ΓCpGΣ ″SYNC″AϕnPBBzApGO
″ASYNC″AhϕúPBBzC
d]w]G
enrole.mail.notify = ASYNC
ΩT
UCeitmvTAbo@ϕñAqNzíΩ
Ab Tivoli Identity Manager ΩwñPBBzC
tm
enrole.reconciliation.accountcachesize
uXµzα≤oeΣMC
iⁿwbßOΘjpW¡]bßC
d]w]G
enrole.reconciliation.accountcachesize = 2000
enrole.reconciliation.threadcount
uXµzα≤oeΣMC
iⁿwBzQ⌡µⁿCC@úo⌡µⁿC
d]w]G
enrole.reconciliation.threadcount = 8
YNQRúq≤
account.EventProcessorFactory
ún∩oeΣMC
iⁿwbß≤Bz Factory Java OC
w]]ΘJ≤P@µG
account.EventProcessorFactory = com.ibm.itim.remoteservices.ejb.reconciliation.AccountEventProcessorFactory
person.EventProcessorFactory
ún∩oeΣMC
iⁿwH≤Bz Factory Java OC
w]]ΘJ≤P@µG
person.EventProcessorFactory = com.ibm.itim.remoteservices.ejb.reconciliation.PersonEventProcessorFactory
Bz
account.ReconEntryHandlerFactory
ún∩oeΣMC
iⁿwbßBzí Factory Java OC
w]]ΘJ≤P@µG
account.ReconEntryHandlerFactory = com.ibm.itim.remoteservices.ejb.mediation.AccountEntryHandlerFactory
person.ReconEntryHandlerFactory
ún∩oeΣMC
iⁿwHBzí Factory Java OC
w]]ΘJ≤P@µG
person.ReconEntryHandlerFactory = com.ibm.itim.remoteservices.ejb.mediation.PersonEntryHandlerFactory
@KXVX
Uzeitm@KXO@hC
bHΩTz⌠wqϕñA@KXOⁿbß sbßKXK
XCpG Tivoli Identity Manager °AtúsbßlKXAN @
KXC
enrole.sharedsecret.hashed
uXµzα≤oeΣMC
iⁿw@KXO°Ω]wOD°Ω]úwC
ΣG
v true – N@KXxs°Ω
v false – N@KXxsD°Ω
d]w]G
enrole.sharedsecret.hashed = false
SSL VOe
oewgúAA]ú,C
com.ibm.daml.jndi.DAMLContext.CLIENT_CERT
S
com.ibm.daml.jndi.DAMLContext.CLIENT_CERT_KEY
S
com.ibm.daml.jndi.DAMLContext.CLIENT_CERT_KEY_PASSPHASE
S
nDz UI tm
UCeitmnDóπuGΩvΩTqC
webclient.request.maxResultDetailLines
oeO Tivoli Identity Manager GUI nDz\αAπónDfΘ
xΩTCΣOⁿwfΘxunDΩvuGΩvq
πµC
> w¿nD > nDΩ > fΘx > nDΩ >GΩ
d]w]G
webclient.request.maxResultDetailLines = 20
3 tmRe
Ní Tivoli Identity Manager RtmteΣMC
DDG
v 46 yFez
eG
v 47 yenRoleAuthentication.propertiesz
v 50 yenRoleDatabase.propertiesz
v 54 yenRoleLDAPConnection.propertiesz
v 57 yenRoleLogging.propertiesz
v 60 yenRoleMail.propertiesz
v 62 yenrolepolicies.propertiesz
v 64 yenroleworkflow.propertiesz
v 66 yfesiextensions.propertiesz
v 68 yUI.propertiesz
v 71 yCustomLabels.propertiesz
© Copyright IBM Corp. 2003 45
Fe
Java ewqAiHqMε Java nΘCteMqe
AOtmn]wMq@CJava ewqOAiⁿw
í∩]pAΩwsΩTB⌠]wMSϕSP\απWΩC
eiQeΣMµíAwqπWΩG
property-key-name = value
property-key-name OⁿΩ IDCvalue OⁿúΩΩ Java ½≤WC
Tivoli Identity Manager \heεí\αA²qSϕS
C
enRoleAuthentication.properties
enRoleAuthentication iⁿw Tivoli Identity Manager tOΦk
¼AHOúⁿwO≈ε Java ½≤CA]iHⁿw½≤AΣ
Tivoli Access Manager WebSEAL µ@nJAH Tivoli Identity Manager sⁿz
AzC
OeOQeΣMXµíⁿwG
property-key-name = value
property-key-name OⁿO≈εΩ IDCvalue OⁿúOA Java ½≤W
A]OHΣMXϕC
factory = value
factory ΣWNϕ Tivoli Identity Manager nΘOΣ@SϕCvalue
Oⁿ Java ½≤Ω WC
d]ΘJ≤P@µG
enrole.authentication.provider.service =factory = com.ibm.enrole.authentication.service.ServiceAuthenticationProviderFactory
OΦk
enrole.authentication.requiredCredentials = simple|certificate
ªiHⁿwí]WMKX] A@nOΦkA
OnJ Tivoli Identity Manager tC
tw]OíC
pG
enrole.authentication.requiredCredentials = simple
z]iHⁿwqO≈εC\ 48 ytmqO≈εzC
Oú (Factory)
enrole.authentication.provider.simple
ªiHⁿw Java ½≤ABzHWMKXiµO@C
d]ΘJ≤P@µG
enrole.authentication.provider.simple =factory = com.ibm.enrole.authentication.simple.SimpleAuthenticationProviderFactory
enrole.authentication.provider.certificate
ªiHⁿw Java ½≤ABzH iµO@C
d]ΘJ≤P@µG
enrole.authentication.provider.certificate =factory = com.ibm.enrole.authentication.certificate.CertificateAuthenticationProviderFactory
OAú
3 tmRe 47
enrole.authentication.provider.service
ªiHⁿw Java ½≤AHzqΦíBz Tivoli Identity Manager ∩ⁿzAs
AHzoAbß≤C
o≤]AbAsWBRúBBM∩bßCzbnJ Tivoli Identity
Manager ºßAiHbⁿzAA≤bßnJMKXΩTC
ServiceAuthenticationProviderFactory ≈εw∩wANzíA
BBz≤ΩTC
d]ΘJ≤P@µG
enrole.authentication.provider.service =factory = com.ibm.enrole.authentication.service.ServiceAuthenticationProviderFactory
WebSEAL µ@nJ
enrole.authentication.provider.webseal
ªiHⁿw Java ½≤A²b WebSEAL ⌠U⌡µµ@nJC
d]ΘJ≤P@µG
enrole.authentication.provider.webseal =factory = com.ibm.enrole.authentication.webseal.WebsealProviderFactory
\ 90 yH WebSEAL tmµ@nJzC
enrole.authentication.idsEqual
ⁿXAϕtΓkAN Tivoli Access Manager ID ∩M Tivoli Identity Manager
IDC
pG Tivoli Access Manager ID P Tivoli Identity Manager ID @]w
]G
enrole.authentication.idsEqual = true
pG Tivoli Access Manager ID P Tivoli Identity Manager ID úPG
enrole.authentication.idsEqual = false
ziHí¡∩MtΓkATOµ@nJ@Q¿C
\ 90 yH WebSEAL tmµ@nJzC
tmqO≈ε
úF Tivoli Identity Manager úW/KXMOΦkºAz]
iH enrole.authentication.requiredCredentials eΣAⁿwIsq
O≈εq Java ½≤C
±ΦíAziαoQ Portal ServerAqwnJÑq@Aµ@nJ Tivoli Identity
ManagerC
ziHb Tivoli ßΣñ≤UUAqO Java ½≤ABΘJo½≤
@ enrole.authentication.requiredCredentials eΣC
enRoleAuthentication.properties ue\ Tivoli Identity Manager @OΦ
kCzúiHtmhµO≈εC
enRoleDatabase.properties
enRoleDatabase.properties iⁿwΣ Tivoli Identity Manager u@y
÷píΩwCTivoli Identity Manager ΣUCTΩw¼G
v DB2
v Oracle
v MS SQL Server
teΣAOPAϕí°AtmñtPBBzC
jíAúObw Tivoli Identity Manager MtmΩwúAzi
Hbß≤∩íCúLA runConfig íANePí°AtmñPBBzC
Tivoli Identity Manager OH Java Ωwsu\α (JDBC) s÷píΩwCJDBC
NO@ APIAi²zHΩ ΦíAq Java í]pyÑs⌠≤CϕµíΩ
C
ΩwΩT
database.db.type
ún∩oeΣCoObw Tivoli Identity Manager úC
ªiHⁿw Tivoli Identity Manager u@yΩw¼CΣAϕpUG
v DB2
v Oracle
v MS SQL Server
d (DB2)G
database.db.type = DB2
database.db.server
oObw Tivoli Identity Manager MtmΩwúC
ªiHⁿwΩwWOWWC
pGznsΩw≤oAΩwtmí]wΩwCΩwt
míúsΩwWoeC
pGznt@Ωw≤oA runConfig íAúsΩwWoeC
dG
database.db.server = itimdb
database.db.owner
ún∩oeΣCΣObtWC
ªiHⁿw Tivoli Identity Manager Ωw⌡ WC
d]G
database.db.owner = enrole
database.db.user
ún∩oeΣCΣObtWC
ªiHⁿw Tivoli Identity Manager w]ΩwC
d]G
database.db.user = enrole
database.db.password
ún∩oeΣCoObtmΩwúC
ªiHⁿwΩwKXC
o[KAO enrole.properties ñ
enrole.password.database.encypted eⁿwC
úDzwgQ runConfig í[K]wAhKX@wOHXϕC
d]XG
database.db.password = secret
suxse
database.jdbc.connectionPool.initialCapacity
únHΓΦísΦoA∩oeΣCziH runConfig í≤oC
ªiHⁿwsuxsΩ ΩwsuCop≤Ñ≤
maxCapacity C
d]w]G
database.jdbc.connectionPool.initialCapacity = 5
database.jdbc.connectionPool.maxCapacity
únHΓΦísΦoA∩oeΣCziH runConfig í≤oC
ªiHⁿwhα≈h'Ω ΩwsuCo¡εⁿXFtαπn
DC
d]w]G
database.jdbc.connectionPool.maxCapacity = 50
database.jdbc.connectionPool.capacityIncrement
ziHΓΦísΦoA∩oeΣCAzo runConfigíANz≤APí°AtmPBBzC
ªiHⁿwtXWnDXj]WsuxsAsuC
d]w]G
database.jdbc.connectionPool.capacityIncrement = 1
database.jdbc.connectionPool.loginDelaySecs
ziHΓΦísΦoA∩oeΣCAzo runConfigíANz≤APí°AtmPBBzC
ªiHⁿwC@Ωwsuºí ≡q]HϕpC
d]w]G
database.jdbc.connectionPool.loginDelaySecs = 1
database.jdbc.connectionPool.ShrinkingEnabled
ziHΓΦísΦoA∩oeΣCAzo runConfigíANz≤APí°AtmPBBzC
ªiHⁿwϕsuxsobΩqW[BsuAwgúAAO
iHY initialCapacity CΣ ″true″ M ″false″ ΓC
d]w]G
database.jdbc.connectionPool.ShrinkingEnabled = true
database.jdbc.connectionPool.ShrinkPeriodMinutes
ziHΓΦísΦoA∩oeΣCAzo runConfigíANz≤APí°AtmPBBzC
ªiHⁿwnÑXAαYpFInvÑXjsuxsC
ShrinkingEnabled ] ″true″AαYpsuxsC
d]w]G
database.jdbc.connectionPool.ShrinkPeriodMinutes = 15
database.jdbc.connectionPool.Targets
ún∩oeΣCoObw Tivoli Identity Manager úC
ªiHⁿwiíposuxsµΓñCoqOí°A
WOWC
dG
database.jdbc.connectionPool.Targets = myserver
database.jdbc.connectionPool.testTableName
ún∩oeΣC
ªiHⁿwbΩ ΩwsuϕµWCC@Ωw¼úv
G
v DB2 – ″nextvalue″
v Oracle – ″dual″
v MS SQL Server – ″nextvalue″
d (DB2)G
database.jdbc.connectionPool.testTableName = dual
database.jdbc.connectionPool.refreshMinutes
ún∩oeΣC
ªiHⁿwΩwsuºíjC
d]w]G
database.jdbc.connectionPool.refreshMinutes = 5
JDBC Xí
database.jdbc.driverURL
ún ú∩oeΣMC
ªiHⁿw JDBC Xí URLC
d (DB2)G
database.jdbc.driverUrl = jdbc:db2:itimdb
database.jdbc.driver
ún ú∩oeΣMC
ªiHⁿw JDBC XíWC
d (DB2)G
database.jdbc.driver = COM.ibm.db2.jdbc.app.DB2Driver
enRoleLDAPConnection.properties
enRoleLDAPConnections.properties iútm]wA² Tivoli Identity Manager
M LDAP ²°AºíoHQqTC
java.naming.factory.initial = com.sun.jndi.ldap.LdapCtxFactory
ún∩oeΣMC
ªiHⁿw Java OAb Tivoli Identity Manager M LDAP ²°Aºíú
qTCªO Java RWM² (JNDI) qT≤wC
LDAP ⌠wqGContext.INITIAL_CONTEXT_FACTORY
java.naming.provider.url
ªiHⁿw LDAP ²°A m (URL)C LDAP °A mG
v Tivoli Identity Manager ≈
″localhost″C
v ≈
πgD≈W IP C
oΣObw Tivoli Identity Manager tmCz]iH ldapconfigí runConfig íAúoC
dG
java.naming.provider.url = ldap://localhost:389
LDAP ⌠wqGContext.PROVIDER_URL
java.naming.security.principal
ªiHⁿw LDAP ²°AW LDAP zbßOW (DN)C
oΣObw Tivoli Identity Manager tmCz]iH ldapconfigí runConfig íAúoC
dG
java.naming.security.principal = cn=root
LDAP ⌠wqGContext.SECURITY_PRINCIPAL
java.naming.security.credentials
ªiHⁿw LDAP ²°AW LDAP zbßKXC
oΣObw Tivoli Identity Manager tmCz]iH ldapconfigí runConfig íAúoC
o[KAO enrole.properties ñ
enrole.password.ldap.encypted eⁿwC
[K¼OQu[K]wv∩Abw Tivoli Identity Manager tmC
dG
java.naming.security.credentials = ibmldap
LDAP ⌠wqGContext.SECURITY_CREDENTIALS
java.naming.security.protocol
Tivoli Identity Manager .oeΣMC
ún∩oeΣMC
ªiHⁿw Tivoli Identity Manager M LDAP ²°AºíqTqT≤wC
LDAP ⌠wqGContext.SECURITY_PROTOCOL
java.naming.security.authentication
ún∩oeΣMC
ªiHⁿw LDAP ²°AO¼CΣ¼pUG
v L]WG¿.gOºs¿
v í]WMKX
v jí]jO≈ε mOd
dG
java.naming.security.authentication = simple
LDAP ⌠wqGContext.SECURITY_AUTHENTICATION
java.naming.referral
ún∩oeΣMC
pGb Tivoli Identity Manager ⌠UFh LDAP ²°AAhiHⁿwO
no⌡µαAH¿ LDAP ΩTnDC
ΣpUG
v ϕ ]ⁿ
v ñ]ú
v YX]úABTº
dG
java.naming.referral = follow
LDAP ⌠wqGContext.REFERRAL
java.naming.batchsize
ún∩oeΣMC
ªO@ JNDI eAiHⁿwb∩ LDAP ²°AoXnD]dA@
Ω%CoUjALDAP úNUpAα]]ú¬C
pGΣ ″0″Ahß (Tivoli Identity Manager) ⌠≤εvA n
D%íεC
dG
java.naming.batchsize = 100
LDAP ⌠wqGContext.BATCHSIZE
java.naming.ldap.attributes.binary
ún∩oeΣMC
ªiHⁿwQϕ@Gi Ω¼ Tivoli Identity Manager CpGhA
hUH@µjªC
dG
java.naming.ldap.attributes.binary = erPassword erHistoricalPassword
LDAP ⌠wqGattribute.binary
enRoleLogging.properties
enRoleLogging.properties iⁿw log4j @AOⁿMlHb Tivoli
Identity Manager APIC
Log4j O@δ Java OⁿM≤AH±íX Apache nΘv[HeAB
ª[HCLog4j i²zTº¼Mu²OⁿTºABb⌡µεp≤NoTºµí&AHb°iªC
log4j M≤σ≤CpGn²F log4j \αA\oΩTC
/ traceExceptions
enrole.logprovider.traceexceptions
Tivoli Identity Manager ]úO log4j CªiHⁿwOnNΣLΩT]Is∩[JTºΘxϕñCΣG
v true]OⁿΩT
v false]úOⁿΩT
w]O ″true″C
dG
enrole.logprovider.traceexceptions = true
Ñh]w
G
log4j.rootCategory
Log4j OπWΩΘAi²zNt%≤÷p Oⁿu²CNϕt%≤]%≤úO/lC
log4j.rootCategory eΣiⁿwtw]Oⁿu²ABwq[í]Θ
XaWAⁿwΘXa¼C
u²ÑhG
1. FATAL
2. ERROR
3. WARN
4. INFO
5. DEBUG
±ΦíApGu² INFOAϕ INFOBWARNBERROR M FATAL Tº
@íOⁿC
d]ⁿw WARN Oⁿu²H@Ws ″Logger″ [íΩΘG
log4j.rootCategory = WARN, Logger
%≤G
log4j.category.com.ibm.itim.apps
log4j.category.com.ibm.itim.authentication
log4j.category.com.ibm.itim.authorization
log4j.category.com.ibm.itim.common
log4j.category.com.ibm.itim.fesiextensions
log4j.category.com.ibm.itim.logging
log4j.category.com.ibm.itim.mail
log4j.category.com.ibm.itim.messaging
log4j.category.com.ibm.itim.migration
log4j.category.com.ibm.itim.dataservices.model
log4j.category.com.ibm.itim.passworddelivery
log4j.category.com.ibm.itim.policy
log4j.category.com.ibm.itim.remoteservices
log4j.category.com.ibm.itim.report
log4j.category.com.ibm.itim.security
log4j.category.com.ibm.itim.scheduling
log4j.category.com.ibm.itim.systemConfig
log4j.category.com.ibm.itim.util
log4j.category.com.ibm.itim.webclient
log4j.category.com.ibm.itim.workflow
oNϕ Tivoli Identity Manager %≤CziHOtmC@%≤Am
½Oⁿu²CpGn%≤OⁿtmANµúPC
dG
log4j.category.com.ibm.itim.policy = INFO
bWodñAOⁿu² INFO w∩ itim.policy %≤A[WΣLTºO
ⁿ]du] WARNC
ΘxΘXa][í
log4j.appender.appender-identifier
[íiHⁿwΘxΘXa¼Co¼pUG
v µ@
v ⁿ
v Dx]ΘX eW
v NT ≤Θxí
d][íΩΘ ″Logger″ O]UC Java OABzⁿ¼G
log4j.appender.Logger = org.apache.log4j.RollingFileAppender
RollingFileAppender deG
log4j.appender.Logger.File = c:/temp/itim.log
log4j.appender.Logger.MaxFileSize = 2MB
log4j.appender.Logger.MaxBackupIndex = 10
ΘxGmMα½¼Wµ
log4j.appender.appender-identifier.layout
GmWµAOaΓnDµí&CªO⌡µGm@ Java OABⁿ
wα½¼C
d]ⁿw ″Logger″ [íΩΘGm¼ Java OG
log4j.appender.Logger.layout = org.apache.log4j.PatternLayout
PatternLayout α½¼dG
log4j.appender.Logger.layout.ConversionPattern = [%d:%t]<%p:%c>%m\n
Wzα½¼G
[date:thread-id]<priority-level:category>messageline break
enRoleMail.properties
enRoleMail.properties tAiHⁿw JavaMail API l≤Θ
qT≤wAHΣL Tivoli Identity Manager íMeC
zúíMeΣC
JavaMail MeΣww]]]Aw]l≤úMqT≤wApGn≤
∩ JavaMail MeΣw]Aúzv∩qqT≤wMΩ@
τC
÷kMúÑΣLΩTA\UC URLG
http://java.sun.com/products/javamail/
Tivoli Identity Manager íMl≤
mail.from
oOnC
oObw Tivoli Identity Manager úCz]iH runConfig íúoC
ªiHⁿwµqll≤ C
d]úG
mail.from = [email protected]
mail.baseurl
oOnC
ªiHⁿw≥ URLAbs Tivoli Identity Manager qll≤ñAcn
J URLC
oObw Tivoli Identity Manager úCz]iH runConfig íúoC
t\ 9 yWeb °AΩTzC
d]úG
mail.baseurl = http://111.222.333.444:80
mail.title
oOnC
zsΦoeANoúeΣC
ªiHⁿwσrrΩA≤qll≤TºDεTñCw]O ″ITIM notification″C
d]úG
mail.title = ITIM notification
Java l≤AMl≤
mail.host
oOnC
oObw Tivoli Identity Manager úCz]iH runConfig íúoC
ªiHⁿwl≤°Ab≈ IP C
d]úG
mail.host = 111.222.333.444
mail.protocol.host
ªiHqT≤wMw]l≤°AAⁿw IP CoeΣm½
mail.host eΣC
w]AúnoeA]úú⌠≤C
mail.transport.protocol
ªiHⁿww]ΘqT≤w]Sun SMTP ΘC
d]w]G
mail.transport.protocol = SMTP
mail.protocol.class
ªiHⁿww] Sun SMTP l≤qT≤w Java OΩ@C
d]w]G
mail.SMTP.class = com.sun.mail.smtp.SMTPTransport
mail.store.protocol
ªiHⁿww]TºsqT≤wC
w]AúnoeA]úú⌠≤C
mail.user
ªiHⁿwbsl≤°AAiµOWC
w]AúnoeA]úú⌠≤Cb Tivoli Identity Manager ⌠UA
l≤°AOb ⌡≡¡A]úiµohOC
mail.protocol.user
ªiHⁿwbsl≤°AAiµOqT≤wMWCoe
Σm½ mail.user eΣC
w]AúnoeA]úú⌠≤C
enrolepolicies.properties
enrolepolicies.properties iúΣ Tivoli Identity Manager h\α
]wMq]wCoeΣ\αpUG
v ⁿw Java OAXⁿBzh≡
v ⁿww]MDw]XⁿO
v ibiµheτAñLhú
XⁿO@WhAiHbhho≡APp≤BzCXⁿ
OΦcM≡CXh]pBu@δ]µ
H Boolean ″AND″/″OR″ ΦM≡AoúOXⁿdC
Tivoli Identity Manager @@ 12 ¼XⁿiHCpGP@A
BAΩA¼P@]@AwqF@HW
hAohXⁿNC
AziHgq Java OAΓqeΣM[JoñAwq
qXⁿC
XⁿO
provisioning.policy.join.PrecedenceSequence = com.ibm.enrole.policy.join.PrecedenceSequence
provisioning.policy.join.Boolean = com.ibm.enrole.policy.join.Boolean
provisioning.policy.join.Bitwise = com.ibm.enrole.policy.join.Bitwise
provisioning.policy.join.Numeric = com.ibm.enrole.policy.join.Numeric
provisioning.policy.join.Textual = com.ibm.enrole.policy.join.Textual
provisioning.policy.join.Multivalued = com.ibm.enrole.policy.join.Multivalued
ún∩oeΣMC
C@eΣúiHⁿw@ Java OABz@Mh≡X
ⁿΦ@C
[jr
provisioning.policy.join.Textual.AppendSeparator
ªiHⁿwr%¼A² Textual Xⁿ Java OjhOC
dG
provisioning.policy.join.Textual.AppendSeparator = <<<>>>
XⁿO
provisioning.policy.join.defaultCacheTimeout
ªiHⁿw≤sxsw]XⁿOΘOíjCOOHϕpC
]w] = 86400 ϕ = 24 pC
dG
provisioning.policy.join.defaultCacheTimeout = 86400
provisioning.policy.join.overridingCacheTimeout
ªiHⁿw≤sxsDw]XⁿOΘOíjCOOHϕpC
]w] = 300 ϕ = 5 C
dG
provisioning.policy.join.overridingCacheTimeout = 300
heτñLúbß
wúqG
nonvalidateable.attribute.eraccountcompliance
nonvalidateable.attribute.eracl
nonvalidateable.attribute.eraccountstatus
nonvalidateable.attribute.erauthorizationowner
nonvalidateable.attribute.erglobalid
nonvalidateable.attribute.erhistoricalpassword
nonvalidateable.attribute.erisdeleted
nonvalidateable.attribute.erlastmodifiedtime
nonvalidateable.attribute.erlogontimes
nonvalidateable.attribute.ernumlogons
nonvalidateable.attribute.erparent
nonvalidateable.attribute.erpassword
nonvalidateable.attribute.erservice
nonvalidateable.attribute.eruid
nonvalidateable.attribute.objectclass
nonvalidateable.attribute.owner
wú Windows NT G
nonvalidateable.attribute.erntpasswordexpired
nonvalidateable.attribute.erntuserbadpwdcount
nonvalidateable.attribute.erntlockedout
ibiµheτñLúbßCoúMµiHUzbτe
Aε'únBtⁿABC]LkbτHΦΦíMA
PtóIC
enroleworkflow.properties
enroleworkflow.properties iHtwqu@yAⁿw XML ∩MCb
Tivoli Identity Manager ñAu@yO@ⁿwAMH≈µ@yC
u@y]piwqBzSwΦΦkCb enroleworkflow.properties ñⁿ
w XML AiΩ@u@y]pC
tu@yO@M¼ ID M÷p XML OC XML u@y
O ≤Uo²G
$ITIM_HOME\data\workflow_systemprocess
b@δípUAznún ú∩oúw]tu@y¼ ID H
XML C
pGΩ@ Tivoli Identity Manager Ans½swqtu@yΣq
ΦAziHzLUCΦ∩oG
v sΦ – s¼ ID M XML µíwqAúiH[Jñ
v gL∩Φ – w] XML µíwqAúiH½¿q
zπAϕNMí]pΩAα⌡µo∩@C
hIµu@y
enrole.workflow.PS = enforcepolicyforservice.xml
A∩zu@y
enrole.workflow.SA = addserviceselectionpolicy.xml
enrole.workflow.SC = changeserviceselectionpolicy.xml
enrole.workflow.SD = removeserviceselectionpolicy.xml
hzu@y
#Add policy
enrole.workflow.PA = addpolicy.xml
#Modify policy
enrole.workflow.PC = changepolicy.xml
#Delete policy
enrole.workflow.PD = removepolicy.xml
u@y
enrole.workflow.RC = reconciliation.xml
≤h¼Au@y
enrole.workflow.MS = multiusersuspend.xml
enrole.workflow.MR = multiuserrestore.xml
enrole.workflow.MD = multiuserdelete.xml
≤hbß¼Au@y
enrole.workflow.LD = multiaccountdelete.xml
enrole.workflow.LS = multiaccountsuspend.xml
enrole.workflow.LR = multiaccountrestore.xml
enrole.workflow.LP = multiaccountpassword.xml
AñΓu@y
#Add dynamic role
enrole.workflow.DA = adddynamicrole.xml
#Modify dynamic role
enrole.workflow.DC = changedynamicrole.xml
#Delete dynamic role
enrole.workflow.DD = removedynamicrole.xml
fesiextensions.properties
fesiextensions.properties iwq Tivoli Identity Manager nMq FESI
WCFESI OⁿuFree EcmaScript InterpretervA@H Java g JavaScript
CFESI b Tivoli Identity Manager l]w¬oeA]w
n Java OWC
FESI WNϕ Tivoli Identity Manager nΘñ (s)AziHbo
ϕñA JavaScript iqΦCFESI WOQeΣM
XµíⁿwG
property-key-name = value
value Oπ Java OWCproperty-key-name tr (fesi.extension)B
⌠wqH]≤qO@Nϕπ Java O ID W (ID)Cqg
OWO@ ID W (ID) C
fesi.extension.context.class-ID = fully-qualified-class-name
Tivoli Identity Manager FESI tWAt@s⌠wqMTS
w⌠wqC
s⌠wq IDG
Enrole
Sw⌠wq IDG
IdentityPolicyHostSelectionWorkflow
÷MzúiH∩t FESI WA²ziHsW⌠≤qíq FESI
WCϕzNq FESI W[JoeAΣñ@s
Sw⌠wqC
ziHⁿX value @πq Java OWABqOú@M
eΣ ID W (ID)CdG
fesi.extension.IdentityPolicy.custom-class-ID = custom-fully-qualified-class-name
fesi.extension.HostSelection.custom-class-ID = custom-fully-qualified-class-name
t FESI W
fesi.extension.Enrole = com.ibm.itim.fesiextensions.Enrole
fesi.extension.IdentityPolicy = com.ibm.itim.fesiextensions.IdentityPolicy
fesi.extension.HostSelection = com.ibm.itim.fesiextensions.ModelSelection
fesi.extension.Workflow = com.ibm.itim.workflow.fesiextensions.WorkflowExtension
fesi.extension.Workflow.OrgModelExtension = com.ibm.itim.fesiextensions.OrganizationModelExtension
C@teΣAúO@Bπ Java OC
ún ú∩oqñΩT
q FESI W
dG
fesi.extension.enRole.custom-class-ID = custom-fully-qualified-class-name
ziH∩ fesiextensions.properties A²ªtnq½≤MΦkΣL FESI
WC
C@qeΣAúOπq Java OC
eΣWAúOMWC
UI.properties
UI.properties iⁿwvT Tivoli Identity Manager GUI @MπeC
AΓqtú≤ Tivoli Identity Manager GUI C
Tivoli Identity Manager GUI tm]w
enrole.ui.errorPage.verbosity
ªiHⁿwOnπTºΩT]∩lCΣG
v 0 – úπ⌠≤ΩT
v 1 – πΩT
w]O ″0″C
dG
enrole.ui.errorPage.verbosity = 0
enrole.ui.customerLogo.image
ªiHⁿw Tivoli Identity Manager GUI DεTkΓΣπWCo
qOqxC .gif .jpeg µíAαb Web s²πCΩ
xsbUC mG
WebSphereG
...WebSphere/AppServer/installedApps/domain-name/enRole.ear/app_web.war/images
WebLogicG
...bea/user_projects/domain-name/applications/enrole/images
dG
enrole.ui.customerLogo.image = ibm_banner.gif
enrole.ui.customerLogo.url
ªiHⁿwzb÷@U Tivoli Identity Manager GUI DεTkΓΣqv]
qxA URL C
dG
enrole.ui.customerLogo.url = www.ibm.com
enrole.ui.pageSize
ªiHⁿwπbeWMµCpGMµñΣLAMµ°
XA ≥o≈Mµ]pA 2 B 3 B 4 C
dG
enrole.ui.pageSize = 10
enrole.ui.pageLinkMax
ªiHⁿwNϕ°Mµ⌠]\ enrole.ui.pageSizeCpGMµ
nD⌠Ah≤oeΣⁿw⌠AN[JuU@v
C
dG
enrole.ui.pageLinkMax = 10
enrole.ui.maxSearchResults
ªiHⁿwjM@CoeΣiHbjqAε
ú²tαCC
dG
enrole.ui.maxSearchResults = 1000
WfDesigner M FormDesigner Applet e
enrole.build.version
enrole.java.plugin
enrole.java.plugin.classid
enrole.java.plugin.jpi-version
enrole.java.pluginspage
enrole.ui.logoffURL
enrole.ui.timeoutURL
oqΩTúiH∩ úC
oeΣMXAiHú⌡µ Tivoli Identity Manager GUI Web s²
n Java Applet ΣC
°i\αϕe
enrole.ui.reconReport.maxFileSize
°iiHUCTµíúG
v PDF
v HTML
v CVS]HrIw
oeΣMiHⁿw PDF ΘX∩°ijp¡ε]H %µ CpG
o°ij≤ .5 MBAh PDF ∩NúαA@ΘX∩C
dG
enrole.ui.reconReport.maxFileSize = 500000
enrole.ui.accountReport.maxPeopleInReport
ªiHⁿwbß°iñhαeh'HC
dG
enrole.ui.accountReport.maxPeopleInReport = 500
enrole.ui.report.maxRecordsInReport
ªiHⁿwb@BBAMQ°iñAhα≈πh'ºO²C
dG
enrole.ui.report.maxRecordsInReport = 5000
/ WebSEAL µ@nJ
enrole.ui.ssoEnabled
oqeΣMXAú≤ Tivoli Identity Manager GUIC
ziH WebSEAL µ@nJ\αCΣG
v true]
v false]
w]O ″false″C
dG
enrole.ui.ssoEnabled = false
WebSEAL µ@nJ\αnΣLtmC\ 90 yH WebSEAL tmµ
@nJzC
bO∩MjM ObjectProfileCategory
oqeΣMXAú≤ Tivoli Identity Manager GUIA]úi
H∩ úC
CustomLabels.properties
Tivoli Identity Manager GUI OQ CustomLabels.properties ñeΣM
XAπϕµσrC
Tivoli Identity Manager ΣC@OyÑAú@W
CustomLabels.properties C
ϕ Tivoli Identity Manager wbΩ ⌠ANOQoúg&
GUI %C
WiHOSwyÑCpG
CustomLabels_JA.properties — Θσ
CustomLabels_EN.properties — σ
4 z
Níp≤]w Tivoli Identity Manager ípAHKzL SSLA i
µOzMtm@C
º[MtmKnG
v 73 ySSL M º[z
v 76 ytmKnM²z
WebSphere W Tivoli Identity Manager tmΩ
v 77 ytms²∩ Web °A SSL (WebSphere)z
v 83 ytm°A Nzí SSLz
WebLogic W Tivoli Identity Manager tmΩ
v 81 ytms²∩ Web °A SSL (WebLogic)z
v 83 ytm°A Nzí SSLz
WΩTG
v 86 ytmNzíl SSL]Nzí Web °Az
SSL Mº[
Tivoli Identity Manager íptm%≤ºíqTwC
Secure Sockets Layer (SSL) ≈εOQ iµOAΣOTO Tivoli
Identity Manager ípwqTC
SSL O²ΓízL⌠⌠suO¡AúwsuCASSL
iHΓbíºíµ½Ω[H[KCOi²°A]µVM∩a[
Wß]Vτ⌠⌠sut@í¡C[KiHzL⌠⌠AΘu
ⁿw¼≤HoΩC
SSL S]AUCºG
v SSL ú≈εAi²í∩t@íOv¡C
v µV SSL i²íTwt@í¡C
v V SSL]µ¼Oi²ΓíTw¡C
v ß⌠u°AvñΓí °AABQª∩ßí
πΣ¡C
v bµ¼OñAß⌠ußvñΓí ßABQª∩°
AíπΣ¡C
v ¼ íA zñ (CA) Dn]Aib
¼ WCCA Dnhtdτ¼ C
v bßsuñAϕ¼ úozñoXAß
s²iC
FpK≈M
ziHpK≈B MHzñAMτ⌠⌠t
¡C
SSL OQ≈[KNO¡Cbiµ≈[KAú@≈
MpK≈íCoΓ≈÷A]NOíAH≈[KΩ
AuαH∩pK≈KCPaAHpK≈[KΩA]uαH∩
≈KCpK≈ⁿ YKO@Au αNH≈[K
TºKC
≈Pí≈ ΩT]pAmWBaMqll≤ A@
Ob ñCpK≈M úí¡C
Ob ñΩAOHzñ (CA) τABHzñ
AH ΦíCVerisign M Entrust.net úOWzñCH
zñiHíiHC
P SSL suíAObt@Φ⌠BⁿΣ QO¡CO
¡ AO ≤¼í÷ CA DnτC
unOHzñ AWeb s²B°AMΣL SSL
íúⁿAB°uΩ AhK°LC±ΦíApG
LAªzñ LFA Niα]ó
CpG°A D≈WAPßⁿwD≈Wú@A°A
]]óC
Dnµí
WebLogic Server iH .pemB.arm .der µí C
.pem][jpKl≤µíAOHUoΓµ@YM⌠G
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
.pem µíΣh ]±ΦíA]ΓCúLAñ
o½nC±ΦíAcert ABcert B]O cert A oBcert C]O cert
B o... @ Dn CAC
.arm µíOH ASCII sXGi C.arm tH Base-64 sX ASCII
ϕAΣñt≈A²útpK≈C.arm µíO GSKit iKeymaníúM]¡ WebSphereC
.der µítGi ΩC.der uα≤µA² .pem oiH≤h
C
Tivoli Identity Manager SSL Ω@
Tivoli Identity Manager FnX SSL Ω@G
v IBM Global Security Toolkit (GSKit)
v RSA SSL-J]°A
v RSA SSL-C]Nzí
v ±í SSL]Nzí
Tivoli Identity Manager bUCTaΦw SSL qTG
v bß Web s²H Tivoli Identity Manager í°A
Web °Aºí
v b Tivoli Identity Manager °AM Tivoli Identity Manager Nzíºí
v b Web °AMNzíºíANzíl SSL
4 z 75
tmKnM²
ΩTNú²A²ztX SSL tm Tivoli Identity Manager ípC
b WebSphere íp Tivoli Identity Manager
UCtmKnDnbiDzAp≤b WebSphere application server Wíp Tivoli Identity
ManagerC
v bßs²M Web °A (IBM HTTP Server) ºítm SSLC
u⌡µµVOYiC
\ 77 ytms²∩ Web °A SSL (WebSphere)zC
v b Tivoli Identity Manager °AMNzíºítm SSLC
u⌡µµVOYiC
\ 83 ytm°A Nzí SSLzC
b WebLogic íp Tivoli Identity Manager
UCtmKnDnbiDzAp≤b WebLogic í°AWíp Tivoli Identity
ManagerC
v bßs²Mí WebLogic Web °Aºítm SSLC
u⌡µµVOYiC
\ 81 ytms²∩ Web °A SSL (WebLogic)zC
v b Tivoli Identity Manager °AMNzíºítm SSLC
u⌡µµVOYiC
\ 83 ytm°A Nzí SSLzC
tms²∩ Web °A SSL (WebSphere)
UCΩTDnbiDzAp≤b WebSphere application server Wíp Tivoli Identity
ManagerC
ípKnG
v ßOⁿπ Web s²C
v Web °AOⁿípb≈BP WebSphere ípbP@í≈ IBM
HTTP ServerC
v GSKit SSL]Hb WebSphereC
: bUoϕñA″ITIM Server″ Oⁿ IBM Tivoli Identity Manager °AC
KnG
1. ú@nD (CSR) zñ (CA)AzñAß
A² Web °AQoA∩ßs²Ov¡C
2. Nwb Web °AC
3. tX SSL tm Web °AC
4. Tws²π CA Dn]o CA wgL Web °AA²s
² CA Dnτ Web °AeC CA Dn
]p VeriSignAqOs²e@íC
1. ú nD (CSR)nozñ (CA) A²eXnD (CSR)C
WebSphere Application Server πiHúnD Java íCouπ
iKeymanCiKeyman O@ ServletAiHVt¼ΩTABúpK≈M
nDCo Servlet i²zeX CSR CA]p VeriSign²ªC
÷ WebSphere Application Server íΩTA\Uo⌠
WebSphere Application Server σ≤wG
8. ípb WebSphere Tivoli Identity Manager
http://www.ibm.com/software/webservers/appserv/library.html
UCNíp≤ú CSRG
1. WebSphere Application Server ≈zí iKeymanC
MΣM⌡µ ../gsk5 ²U gsk5ikmC
2. ≈A@≈ΩwC
3. ∩H\αϕAMß÷@UHnDC
4. ÷@UsC
5. ±gUCµ G
v ≈
v @δW
v
v W
6. ÷@UTwC
oeX@∩ °íAznDwgúABxsbe@ⁿw
ñC
7. ÷@UTwC
÷¼o∩ °íC
8. ⌠ iKeymanC
9. eXnDAϕ CAC
2. ww
Q eAO]zwg¼ zñoXAP]Γo
xsb²UFC
UCNíp≤H WebSphere Application Server íwC
÷ WebSphere Application Server íΩTA\ WebSphere
Application Server σ≤wG
http://www.ibm.com/software/webservers/appserv/library.html
1. WebSphere Application Server ≈zí iKeymanC
2. nDΩwC
3. ÷@UHnD\αϕAA÷@UHC
4. ÷@U¼C
5. ÷@UΩ¼A∩ Ω¼C
v pGO ASCII µíA∩uBase64 sX ASCII ΩvΩ¼C
v pGOGi µíAh∩uGi DER ΩvΩ¼C
6. ⁿw² mMWC
7. ÷@UTwC
8. ΘJs AMß÷@UuTwvC
iKeyman Nxsb≈ΩwABΓªCbHMµñC
9. ⌠ iKeymanC
: pG Web °AOµAúO CA]p VeriSignoX
Ahßs²úAMwOnH⌠°Aú
C
3. tX SSL tm Web °A
zbwºßAtX SSL tm IBM HTTP ServerC
1. WebSphere Application Server ≈zí iKeymanC
2. ≈xs SSL ≈MCpG
$ITIM_HOME/myKeys
3. ÷@U≈Ωw\αϕA∩sC
4. wqUC]wAMß÷@UTwC
v ≈Ωw¼GCMS ≈Ωw
v WG WebServerKeys.kdb
v mGq $ITIM_HOME/myKeys ²⌠
5. ΘJ SSL ≈KXABTKXC
6. ∩n∩⌠KXH∩C
7. ÷@UTwC
oN@Ws WebServerKeys.sth AΣñtgLsXKXC
: @t\ivAO ε.gvsoC
8. \αϕABb w]MµA∩HC
pGzπ CA]pAVeriSigno°AANiH÷@UJANo
J SSL ≈CoeúzAΘJt°Aº¼
M mC
pGzS CA o°AA²SQntA÷@Usµ
C
eKúzΘJ@≈]p ITIMH]p IBMC
úw]C
9. ≈Ωw\αϕA∩÷¼C
10. b httpd.conf [JUCXµ]N $ITIM_HOME ½¿q myKeys
²T⌠G
LoadModule ibm_ssl_module libexec/mod_ibm_ssl_128.so
Listen 443
SSLEnable
Keyfile "$ITIM_HOME/myKeys/WebServerKeys.kdb"
o@A Web °AKÑ≡ 443]w] SSL ≡C
11. bDntW WebSphere Server zDxΩ D≈[W≡ 443 M 9443A
B≤s Web °AíC
12. IBM HTTP ServerC
SolarisG/opt/IBMHTTPd/bin/apachectl start
AIXG/usr/HTTPServer/bin/apachectl start
WindowsGAεx
13. ΘJpU URLAqs²tmG
https://localhost
: pGzOµAúO VeriSign oÑzñoX
Ahs²úzOnH⌠ Web °AúC
tms²∩ Web °A SSL (WebLogic)
UCΩTDnbiDzAp≤b WebLogic í°AWíp Tivoli Identity
ManagerC
ípKnG
v ßOⁿπ Web s²C
v Web °AOH WebLogic [HC
v RSA SSL-JC
: bUoϕñA″ITIM Server″ Oⁿ IBM Tivoli Identity Manager °AC
KnG
1. ú@nD (CSR) zñ (CA)AzñAß
A² Web °AQoA∩ßs²Ov¡C
2. Nwb Web °AC
3. tm Web °A SSLC
4. Tws²π CA Dn]o CA wgL Web °AA²s
² CA Dnτ Web °AeCDn CA
]p VeriSignAqOs²e@íC
°≤G
v ]]A CA DnM≈iH Base64 sX ASCII µí (.pem)
Gi µí (.der)C
v nDú ServletAopK≈B MH CA Co Servlet
O≤ WebLogic e@íC
v pK≈MH CA AOHíxsbΓ²UC
G
÷b WebLogic ]ws²∩ Web °A SSL ΩTA\ BEA WebLogic
⌠G
9. ípb WebLogic Tivoli Identity Manager
http://e-docs.bea.com/wls/docs70/secmanage/ssl.html
tm°ANzí SSL
UCΩTDnbiDzAp≤b WebSphere WebLogic í°Aíp Tivoli
Identity ManagerC
boΩϕñATivoli Identity Manager °AzL SSLAlPNzíºí
qT]°A NzíA¿²Os²lµ÷C
ΣLΩAONzízL SSLAlP Tivoli Identity Manager °A]Nz
í °AºíqTCΣL÷oΩΩTA\ 86 ytm
Nzíl SSL]Nzí Web °AzC
ípKnG
v w]ATivoli Identity Manager °AMNzíOzL SSLAµVOC
v NzíO RSA SSL-C ±í SSL
v Tivoli Identity Manager °AO RSA SSL-J
: bUCϕñA″ITIM Server″ Oⁿ IBM Tivoli Identity Manager °AC
Kn]w]µVOG
1. ú@nD (CSR) zñ (CA)AzñAß
A²NzíQoA∩ Tivoli Identity Manager °AOv
¡C
2. NwwbNzíWC
3. TwNzí CA DnO ≤ Tivoli Identity Manager °AWC
CA DnO°AτNzíeC
Tivoli Identity Manager Nzí@Ws CertTool íAnDBwBRúMn²C
10. tm°A NzíµV SSL
tmµV SSL °A
µV SSL °≤G
v Tivoli Identity Manager °AOw²tmnnΣzL SSL iµµVOC
v NzíOQwOF Tivoli Identity Manager °AhH÷p
CA DnτoC
v ]]A CA DnM≈Gi µí (.der)C
tm∩KnG
v 84 y≤Ot CA CA Dnz
v 84 yH OpenSSL íúMz
≤Ot CA CA Dn
1. Nzí CertTool íAú@nD (CSR) CAC
÷tmNzíA\ 85 ybNzítmwzC
2. Nzí CertTool íANwwbNzíWC
÷tmNzíA\ 85 ybNzítmwzC
3. HΓΦíN÷p CA DnAs Tivoli Identity Manager °A
<ITIM_HOME>/cert ²UC
H OpenSSL íú M
ziHzL SSL iµ°A NzíqTAHi OpenSSL íú
ABnD (CSR) AtJCoíúiHb
www.openssl.org oAw]wbjí Linux eñCUCBJOH
0.9.6b OpenSSL íτC
1. H CertTool ú CSRCziH\αϕ∩ AAuúpK≈Mn
DvC
2. nDΘJAϕC
3. xsb agentreq.pem ñCoO ≤ <AGENT_HOME>/bin ²UC
pK≈g n²ñA CSR hOtb .pem ñC
4. N agentreq.pem s ú≈C
5. pGnzñ (CA) pK≈MwAb≈ⁿOµ
⌡µUCBJG
$ openssl
OpenSSL> req -x509 -newkey rsa:1024 -keyout cakey.pem -out cacert.pem
# enter values for CA cert, including country, state, etc.
OpenSSL> quit
6. pGn]w⌠AΘJG
$ mkdir demoCA
$ cp cacert.pem demoCA/cacert.pem
$ mkdir demoCA/private
$ mv cakey.pem demoCA/private/cakey.pem
$ mkdir demoCA/newcerts
$ touch demoCA/index.txt
$ cat > demoCA/serial
01
7. pGnnDAΘJG
$ openssl
OpenSSL> ca -in ntagentreq.pem -out agentcert.pem
OpenSSL> quit
$ mv demoCA/newcerts/01.pem agentcert.pem
8. pGnN CA cert α½Gi µíAΘJG
$ openssl
OpenSSL> x509 -inform PEM -outform DER -in demoCA/cacert.pem -out cacert.der
OpenSSL> quit
$
9. NwnDAsNzí≈C
10. b CertTool ΘJ∩ BAuqwvC
11. ΘJwnD mC
12. °ew]CertTool ∩ DAτwgwC
13. NGi µí CA (cacert.der)As Tivoli Identity Manager °A
≈ <ITIM_HOME>/cert ²UC
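The CA-creation, CSR-signing and DER-conversion steps above, scripted as an added example that is not part of the IBM manual, with a verification step the manual does not include. It assumes a local openssl binary (1.1.1 or later) and uses constructed subject names; it deliberately deviates from the manual by using rsa:2048 instead of rsa:1024, by generating the agent CSR with openssl req in place of CertTool, and by signing with openssl x509 -req instead of openssl ca so that neither the demoCA layout nor the system openssl.cnf is required.

```shell
#!/bin/sh
# Added example, not from the IBM manual: the manual's OpenSSL procedure
# (create a test CA, sign the agent's CSR, convert the CA certificate to
# DER for <ITIM_HOME>/cert) as shell functions, plus a verification step.
# Deliberate deviations and assumptions:
#   - rsa:2048 instead of the manual's rsa:1024 (1024-bit RSA is too weak)
#   - the agent CSR is produced with "openssl req -new" as a stand-in for
#     the CertTool output the manual expects in agentreq.pem
#   - signing uses "openssl x509 -req" instead of "openssl ca", so the
#     demoCA directory layout is not needed; a minimal req config written
#     below replaces the system openssl.cnf
#   - every subject name is a constructed placeholder
set -e

# Write a minimal openssl config for "req" so the run does not depend on
# the distribution's openssl.cnf. $1 = work dir, $2 = CN of the subject.
write_req_config() {
    cat > "$1/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = XX
O = Example (constructed)
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Manual step 5: a self-signed CA certificate (cacert.pem) and its key
# (cakey.pem). The v3_ca section marks the certificate as a CA.
make_ca() {
    dir="$1"
    mkdir -p "$dir"
    write_req_config "$dir" "Example Test Root CA"
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -days 365 -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
}

# Stand-in for manual steps 1 to 3: the agent's key and CSR (agentreq.pem).
make_agent_csr() {
    dir="$1"
    write_req_config "$dir" "itim-agent.example.invalid"
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/agentkey.pem" -out "$dir/agentreq.pem" 2>/dev/null
}

# Manual step 7 (sign the CSR, giving agentcert.pem) and step 8 (write the
# DER form of the CA certificate, cacert.der, for <ITIM_HOME>/cert).
sign_agent_csr() {
    dir="$1"
    openssl x509 -req -days 365 -in "$dir/agentreq.pem" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/agentcert.pem" 2>/dev/null
    openssl x509 -inform PEM -outform DER \
        -in "$dir/cacert.pem" -out "$dir/cacert.der"
}

# Check the output before anything is copied to the agent or the server:
# agentcert.pem must chain to cacert.pem, and cacert.der must be the same
# certificate as cacert.pem (compared by SHA-256 fingerprint).
# Returns 0 when both hold, 1 otherwise.
verify_agent_cert() {
    dir="$1"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/agentcert.pem" \
        >/dev/null 2>&1 || return 1
    pem_fp=$(openssl x509 -in "$dir/cacert.pem" -noout -fingerprint -sha256)
    der_fp=$(openssl x509 -inform DER -in "$dir/cacert.der" -noout \
        -fingerprint -sha256)
    [ "$pem_fp" = "$der_fp" ]
}

# Run the whole procedure in work directory $1; returns 0 only if the
# verification passes.
run_demo() {
    dir="$1"
    make_ca "$dir" && make_agent_csr "$dir" \
        && sign_agent_csr "$dir" && verify_agent_cert "$dir"
}
```

After a successful run, cacert.der is the file to place in <ITIM_HOME>/cert and agentcert.pem the certificate to import on the agent with CertTool.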
bNzítmw
÷ CertTool íAzNzíbiµµVOwA\Aϕ Tivoli Identity Manager Agent Installation Guide ″Certificate Installation″o@C
tmNzíl SSL]Nzí Web °A
q SSL qTONzí]°A NzílA¿²Os²
lµ÷C
ΣñTΩONzízL SSLAlP Web °AºíqT]Nzí
Web °AG
v 86 yw∩≤qtm ADK ¼Nzíz
v 86 y JNDI íú¡z
v 86 yIBM Directory Integrator (IDI) ¼Nzíz
úO@ípAzú IBM HTTP Server iKeyman uπAX Web °
A CA DnCMßAN CA m≤íNzíAϕ≈x
swñC
w∩≤qtm ADK ¼Nzí
pGn⌡µ≤qAADK ¼NzílP Web °AqTAqªsb
ßBbßQ∩BObßQRúCWeb °AtXjεV SSL [HtmC
ziH CertToolAΓ Web °A CA DnAwbNzí
WCCA Gi µí]IBM HTTP Server iKeyman uπO .der
WrC
ADK ¼NzíO≈xswn²C CertTool íz≈C
JNDI íú¡
ú¡AOí Java í]úONzílP Web °Aºí
qTAHKsWB∩RúHΩTO²Co Java íO Java RW²
(JNDI)AP Web °AqTC
¡úíO@tzíAN CA DnA±b JNDI í
ⁿwΩ¿ñCCA Gi µí]IBM HTTP Server iKeyman uπO .der WrC
IBM Directory Integrator (IDI) ¼Nzí
úO¡úbßzNzíAIDI (IBM Directory Integrator) úlqTA
NΩ Tivoli Identity Manager °ACN DSMLv2 JNDI ú
q Java íNC
pGO IDI ¼NzíACA DnO±b Java ≈xswñC IBM
HTTP Server ú iKeyman uπCCA iHGi ASCII base 64 s
XµíCpGOGi µíAIBM HTTP Server iKeyman uπ .der WrF
pGO ASCII base 64 sXµíAh .arm WrC
ziH WebSphere Application Server Sun Java keytool ≈Mzíú iKeyman uπA Java ≈xswC
÷ keytool íΩA\ Sun JDK σ≤A\Uz⌠
G
http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html
IDI ¼NzíO Java ≈xsw (JKS) @≈xswC
Chapter 5. Configuring single sign-on

This chapter describes how to set up single sign-on (SSO) to Tivoli Identity Manager.

Topics:

- "Overview of single sign-on" (page 89)
- "Configuring single sign-on with WebSEAL" (page 90)
- "Configuring single sign-on with the Tivoli Access Manager plug-in for web servers" (page 92)
- "Creating a WebSEAL junction to Tivoli Identity Manager" (page 92)

Overview of single sign-on

IBM Tivoli Access Manager (Tivoli Access Manager) provides web security servers that can sign users on to Tivoli Identity Manager. Before a request reaches the Tivoli Identity Manager server, Tivoli Access Manager authenticates the user and authorizes access to the protected URL. Tivoli Identity Manager then applies its own access control information (ACI) to decide what the user may do inside the application.

When Tivoli Identity Manager is configured for single sign-on, it trusts the user name carried in the "iv-user" HTTP header. Each Tivoli Access Manager web security server (WebSEAL or the plug-in for web servers) can be configured to set this header before forwarding a request to the Tivoli Identity Manager server.

Notes:

1. A Tivoli Identity Manager server configured for single sign-on performs no authentication of its own. Anyone who can send requests directly to the Tivoli Identity Manager server can add a forged "iv-user" header and is accepted as that user. To be secure, make sure that only the Tivoli Access Manager web security servers can reach the Tivoli Identity Manager server (for example through network configuration or a firewall), so that every request passes through Tivoli Access Manager.
2. The Tivoli Identity Manager session and the Tivoli Access Manager web security server session are independent of each other. A Tivoli Identity Manager session can time out while the Tivoli Access Manager session is still valid, and vice versa; take this into account when choosing the session timeouts.
3. The Tivoli Identity Manager application is stateful: a user's session spans several requests, and a request can depend on data entered in an earlier one. If more than one Tivoli Identity Manager server sits behind the web security server, all requests of one session must be routed to the same Tivoli Identity Manager server (a stateful junction).
4. When Tivoli Identity Manager is configured for single sign-on, a JAAS login succeeds as soon as the given user ID exists; no password is checked. This also applies to logins performed through the Tivoli Identity Manager API, so the API must be reachable only through the same protected path.

To configure single sign-on:

1. Configure Tivoli Identity Manager for single sign-on.
2. Configure the Tivoli Access Manager web security server to insert the "iv-user" header into requests that it forwards to Tivoli Identity Manager.
3. Configure Tivoli Access Manager access control lists and protected object policies so that only authorized users can reach Tivoli Identity Manager.
Configuring single sign-on with WebSEAL

When WebSEAL protects Tivoli Identity Manager, a user who enters a user ID and password at the WebSEAL login page is given access to Tivoli Identity Manager without seeing the Tivoli Identity Manager login page.

Known problems and solutions

Problem 1: identity mapping. Single sign-on between Tivoli Access Manager and Tivoli Identity Manager assumes a one-to-one mapping between a Tivoli Access Manager user ID and a Tivoli Identity Manager user ID. A Tivoli Access Manager ID is mapped to the Tivoli Identity Manager account of a person, but a person may own more than one Tivoli Identity Manager account; when that is the case there is no way to decide which of those accounts the Tivoli Access Manager ID corresponds to. Single sign-on between Tivoli Access Manager users and Tivoli Identity Manager persons therefore needs specific planning of the mapping.

Problem 2: language setting. Under WebSEAL single sign-on the user never sees the Tivoli Identity Manager login page, so the language selection offered there cannot be used; after the WebSEAL login the Tivoli Identity Manager pages are shown directly.

The solution is to set the language in the browser before logging in. For Microsoft Internet Explorer:

1. Set the encoding to Unicode (UTF-8):
   View > Encoding > Unicode (UTF-8)
2. Configure the preferred language:
   Tools > Internet Options > General > Languages
3. Make sure the fonts used for that language support Unicode:
   Tools > Internet Options > General > Fonts

Problem 3: time zone. When a user logs in to the Tivoli Identity Manager server through WebSEAL single sign-on, the dates and times shown in the GUI are in the time zone of the server (GMT by default) rather than in the time zone of the browser. The Tivoli Identity Manager login page, which normally determines the browser's time zone, is skipped under single sign-on, so the server falls back to its default.

There are two possible solutions.

The first is to pass the offset on the logon URL:

1. Calculate the offset of the browser from GMT, in hours. For example, Japan is 9 and the US Pacific time zone is -8 (-7 during daylight saving time).
2. Have the user enter the logon URL with that value as the timezoneOffset parameter:

   http://<WebSEAL-system-address>/<junction-name>/enrole/logon?timezoneOffset=<calculated-offset>

   Tivoli Identity Manager records the offset as an HTTP session attribute. For example, if the server is in the Pacific time zone and the browser is in Japan, the user enters:

   http://<WebSEAL-system-address>/<junction-name>/enrole/logon?timezoneOffset=9

The second is to place a page on the WebSEAL web server that users open instead of typing the URL, for example as the page shown after the WebSEAL single sign-on. The page contains JavaScript that computes the browser's offset from GMT and a button that sends an HTTP request with the same timezoneOffset parameter to the Tivoli Identity Manager server, which again records it as a session attribute. Apart from computing the offset automatically, this method is identical to entering the URL by hand.

Configuration

1. Before configuring Tivoli Identity Manager, configure WebSEAL to:
   - accept cookie headers
   - pass UTF-8 encoded strings
2. Set enrole.ui.ssoEnabled to TRUE in ui.properties to enable WebSEAL single sign-on. Tivoli Identity Manager then no longer presents its login page.

   enrole.ui.ssoEnabled = true

3. By default the Java class that implements WebSEAL single sign-on is named in enRoleAuthentication.properties as the authentication provider factory:

   enrole.authentication.provider.webseal=com.ibm.enrole.authentication.webseal.WebsealProviderFactory

4. In enRoleAuthentication.properties, specify how Tivoli Access Manager IDs map to Tivoli Identity Manager IDs:
   - If the Tivoli Access Manager ID is identical to the Tivoli Identity Manager ID:

     enrole.authentication.idsEqual = true

   - If the Tivoli Access Manager ID is not identical to the Tivoli Identity Manager ID:

     enrole.authentication.idsEqual = false

   You can also supply your own mapping scheme so that single sign-on works in your environment.
5. As noted in the overview, the Tivoli Identity Manager session is stateful and its timeout is independent of the WebSEAL session timeout, which matters in a production environment. Keep the Tivoli Identity Manager session timeout at its default, or set it so that:
   - the Tivoli Identity Manager session does not expire while the user is working; and
   - the Tivoli Identity Manager session does not expire before the WebSEAL session does, or, if it must, expires only after the WebSEAL session has ended.
6. Create a TCP or SSL junction to Tivoli Identity Manager. For more information, see "Creating a WebSEAL junction to Tivoli Identity Manager" on page 92.
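The risk in note 1 of the overview and the idsEqual setting above can be shown in code. The following is an added example, not part of this manual or of Tivoli Identity Manager: a request handler that honours the "iv-user" header only when the TCP peer is one of the Tivoli Access Manager web security servers, and maps the ID when idsEqual is false. The networks, user names and the id_map dictionary are constructed for the example.

```python
"""Added example (not from the Tivoli Identity Manager manual): trusting the
"iv-user" header only when the request really came through WebSEAL or the
Tivoli Access Manager plug-in.  Addresses and names are constructed."""
import ipaddress

# Constructed: networks from which the Tivoli Access Manager web security
# servers reach the Tivoli Identity Manager server.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]

# Constructed: the idsEqual=false case, Tivoli Access Manager ID -> Tivoli
# Identity Manager ID.
ID_MAP = {"jdoe": "jdoe@example.com"}


def sso_principal(headers, peer_ip, trusted_proxies=TRUSTED_PROXIES,
                  ids_equal=True, id_map=None):
    """Return the Tivoli Identity Manager user ID asserted by the iv-user
    header, or None when the header is absent or must not be trusted.

    headers:  dict of HTTP request headers (names are case-insensitive).
    peer_ip:  address of the TCP peer that sent the request.  Do not use an
              X-Forwarded-For value here: a direct client can forge that
              header just as easily as iv-user.
    """
    iv_user = next((v for k, v in headers.items() if k.lower() == "iv-user"), None)
    if iv_user is None or not iv_user.strip():
        return None
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted_proxies):
        # Not from a web security server: the header could have been set by
        # the client itself, so it proves nothing.
        return None
    tam_id = iv_user.strip()
    if ids_equal:
        return tam_id
    # idsEqual=false: only IDs with an explicit mapping are accepted.
    return (id_map or {}).get(tam_id)
```

The check on the peer address is the code-level counterpart of the network restriction the overview asks for; it does not replace it, since an attacker on a trusted proxy host would still be believed.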
Configuring single sign-on with the Tivoli Access Manager plug-in for web servers

The Tivoli Access Manager plug-in for web servers lets a user who has entered a user ID and password once obtain access to Tivoli Identity Manager. The plug-in can run in the web server in front of Tivoli Identity Manager or in an Edge server.

To configure single sign-on:

1. Configure the Tivoli Access Manager plug-in so that authenticated requests are forwarded with the "iv-user" HTTP header added. For details, see the single sign-on configuration sections of the Tivoli Access Manager documentation for the web server plug-in or the Edge server plug-in.
2. Configure Tivoli Identity Manager in ui.properties and enRoleAuthentication.properties as follows:
   - Set enrole.ui.ssoEnabled to TRUE in ui.properties so that Tivoli Identity Manager no longer presents its login page.
   - If the Tivoli Access Manager ID is not identical to the Tivoli Identity Manager ID, set enrole.authentication.idsEqual to FALSE in enRoleAuthentication.properties.
Creating a WebSEAL junction to Tivoli Identity Manager

This section describes how to create a TCP or an SSL WebSEAL junction to Tivoli Identity Manager.

Before creating the junction, make sure WebSEAL is configured to:

- accept cookie headers
- pass UTF-8 encoded strings

TCP junction

Note: The following steps assume that WebSEAL is already installed and configured. For more information, see the WebSEAL installation documentation.

To create a TCP junction to Tivoli Identity Manager:

1. At a command prompt, enter pdadmin to start the pdadmin command line.
2. At the pdadmin prompt, enter login to log in with the administrator's user ID and password.

   pdadmin> login

3. Enter the administrator's user ID.

   Enter User ID: sec_master

4. Enter the administrator's password.

   Enter Password: password
   pdadmin>

5. Determine the name under which the WebSEAL server is defined in Tivoli Access Manager. The name has the form webseald-shortHostname. To list the servers defined in Tivoli Access Manager, enter:

   pdadmin> server list

6. Create the WebSEAL junction. The syntax of the junction command is:

   server task WebSEALServer create -t Type -h Hostname -p Portnumber -s -j -c ClientIdentityOptions /JunctionName

   where WebSEALServer is the name of the WebSEAL server, for example webseald-drbtest, and:

   -t Type
      Junction type. Specify tcp.
   -h Hostname
      Host name of the Tivoli Identity Manager server.
   -p Portnumber
      Port number. The default for a TCP junction is 80.
   -s
      Stateful junction. Required when the Tivoli Identity Manager server is replicated, so that all requests of one session reach the same server (the application is stateful).
   -j
      Junction cookie. The cookie is used to handle server-relative URLs.
   -c ClientIdentityOptions
      The client identity information that WebSEAL inserts into HTTP headers; specify iv_user so that the "iv-user" header is inserted. For the other options, see the Tivoli Access Manager administration documentation.
   /JunctionName
      Name of the junction point.

   For example, the following command creates a TCP junction:

   pdadmin> server task webseald-drbtest create -t tcp -h drbtest.tivoli.com -p 8080 -s -j -c iv_user /websphere

   Note that a TCP junction carries the request, including the "iv-user" header, in clear text between WebSEAL and the Tivoli Identity Manager server; use the SSL junction described below unless that network segment is trusted.

7. Create an access control list (ACL) that grants authorized users access; it is attached to the WebSEAL junction in step 9. The syntax is:

   pdadmin> acl create aclName

   For example:

   pdadmin> acl create itim-acl

8. Add entries to the ACL, using the following syntax:

   pdadmin> acl modify aclName set group groupName permissions

   For example:

   pdadmin> acl modify itim-acl set group ITIM-Group Trx
   pdadmin> acl modify itim-acl set unauthenticated T
   pdadmin> acl modify itim-acl remove any-other

   where permissions is one or more of:

   Table 1. Permissions
   Permission   Meaning
   T            Traverse
   r            Read
   x            Execute

   With these entries only members of ITIM-Group can read and execute objects below the junction, unauthenticated users may only traverse to it, and the default any-other entry is removed so that other authenticated users get no access.

9. Attach the ACL to the junction, using the following syntax:

   pdadmin> acl attach fullJunctionName aclName

   For example:

   pdadmin> acl attach /WebSEAL/drbtest/websphere/enrole itim-acl

10. Create an ACL for the self-registration page. Self-registration must be reachable without logging in, so this page gets an ACL of its own that is not the junction's ACL.

   For example:

   pdadmin> acl create unprotected-acl

   Check the entries of the new ACL with acl show unprotected-acl and make sure it gives the unauthenticated group traverse and read access to the self-registration page and nothing more.

11. Attach the ACL to the self-registration URL, using the following syntax:

   pdadmin> acl attach fullJunctionName aclName

   For example:

   pdadmin> acl attach /WebSEAL/drbtest/itim/enrole/self_reg unprotected-acl

12. Update ui.properties of Tivoli Identity Manager so that logging out uses one of the logout pages provided in APP_WEB.war. The following pages are available.

   ssoLogout.jsp and websealLogout.jsp are the pages intended for WebSEAL single sign-on; they determine what the Logout button of the Tivoli Identity Manager GUI does. You can edit them, for example to translate them, to run additional actions or to redirect the user elsewhere.

   logoff.html (default)
      The default Tivoli Identity Manager logout page.
      Without SSO: logging out ends the session and displays the Tivoli Identity Manager login page.
      With SSO: logging out returns the user to the Tivoli Identity Manager GUI, because the Tivoli Access Manager session, and therefore the iv-user header it sets, is still valid and the user is signed on again immediately.

   ssoLogout.jsp
      Use this page under single sign-on when you want logging out to:
      - end the Tivoli Identity Manager session and stop showing the Tivoli Identity Manager GUI; but
      - keep the Tivoli Access Manager session, so that the iv-user header remains valid and the user can return to Tivoli Identity Manager through the junction without logging in to Tivoli Access Manager again.
      You can edit this page to change what happens after logout.

   websealLogout.jsp
      Use this page under single sign-on when you want logging out to:
      - end the Tivoli Identity Manager session; and
      - end the Tivoli Access Manager session, by calling pkmslogout.
      pkmslogout applies only to session-based authentication, where the credential is cached for the session; it does not apply to authentication methods in which every request carries the credential, for example basic authentication or authentication based on the client IP address. With those methods the user must close the browser to log out. pkmslogout displays a page that shows the user has been logged out.
      You can edit this page to change what happens after logout.

   For example:

   enrole.ui.logoffURL=ssoLogout.jsp

13. Restart WebSphere Application Server so that the change to ui.properties takes effect.
SSL junction

Note: The following steps assume that WebSEAL is already installed and configured. For more information, see the WebSEAL installation documentation.

With an SSL junction WebSEAL must trust the certificate presented by the WebSphere Application Server, so the first steps export that certificate and add it to the WebSEAL key database.

To create an SSL junction to Tivoli Identity Manager:

1. Start the WebSphere Application Server iKeyman utility.
2. From the Key Database File menu, select Open.
3. Browse to WebSphere_root\etc and select DummyServerKeyFile.jks. A password prompt appears; if the password has not been changed, it is "WebAS".
4. Select the WebSphere server certificate and click Extract Certificate.
5. In the Extract Certificate to a File window, enter:
   - Data type: select Base64-encoded ASCII data.
   - Certificate file name: enter a name, for example WebSphereServerCert.arm.
   - Location: enter the directory to store the file in, for example WebSphere_root\etc.
6. Click OK. The certificate is written to the file, which you then copy to the WebSEAL server.

   If your WebSphere server uses a certificate issued by a CA rather than the dummy certificate, extract the CA's certificate instead and use that file in the following steps.

   DummyServerKeyFile.jks and its password are the same in every WebSphere installation. Adding the dummy certificate as a trusted signer means WebSEAL trusts any server presenting it; replace it with a certificate of your own before the junction is used in production.

7. Close the WebSphere IBM Key Management GUI.
8. On the WebSEAL server, start the GSKit iKeyman utility.
9. From the Key Database File menu, select Open.
10. Open the default WebSEAL key database, the www\certs\pdsrv.kdb file under the WebSEAL installation directory, and click OK.
11. At the password prompt, enter the key database password. The default password of the WebSEAL key database is pdsrv.
12. In the Key database content pane, select Signer Certificates.
13. Click Add. The Add CA's Certificate from a File window opens.
14. In that window:
   - Data type: select Base64-encoded ASCII data.
   - Certificate file name: click Browse and select the WebSphereServerCert.arm file that was extracted from WebSphere_root\etc.
15. Click OK. You are prompted for a label under which to store the certificate, for example WAS 5 Server.
16. Click OK. The IBM Key Management window now lists the new signer certificate under the label you entered.
17. Close the GSKit IBM Key Management GUI.
18. At a command prompt, enter pdadmin to start the pdadmin command line.
19. At the pdadmin prompt, enter login and log in with the administrator's user ID and password.

   pdadmin> login
   Enter User ID: sec_master
   Enter Password: password
   pdadmin>

20. Determine the name under which the WebSEAL server is defined in Tivoli Access Manager. The name has the form webseald-shortHostname. To list the servers defined in Tivoli Access Manager, enter:

   pdadmin> server list

21. Create the WebSEAL junction. The syntax of the junction command is:

   server task WebSEALServer create -t Type -h Hostname -p Portnumber -s -j -c ClientIdentityOptions /JunctionName

   where WebSEALServer is the name of the WebSEAL server, for example webseald-drbtest, and:

   -t Type
      Junction type. Specify ssl.
   -h Hostname
      Host name of the Tivoli Identity Manager server.
   -p Portnumber
      Port number. The default for an SSL junction is 9443.
   -s
      Stateful junction. Required when the Tivoli Identity Manager server is replicated, so that all requests of one session reach the same server.
   -j
      Junction cookie. The cookie is used to handle server-relative URLs.
   -c ClientIdentityOptions
      The client identity information that WebSEAL inserts into HTTP headers; specify iv_user so that the "iv-user" header is inserted. For the other options, see the Tivoli Access Manager administration documentation.
   /JunctionName
      Name of the junction point.

   For example, the following command creates an SSL junction:

   pdadmin> server task webseald-drbtest create -t ssl -h drbtest.tivoli.com -p 9443 -s -j -c iv_user /websphere

22. Create an access control list (ACL) that grants authorized users access; it is attached to the WebSEAL junction in step 24. The syntax is:

   pdadmin> acl create aclName

   For example:

   pdadmin> acl create itim-acl

23. Add entries to the ACL, using the following syntax:

   pdadmin> acl modify aclName set group groupName permissions

   where permissions is one or more of:

   Table 2. Permissions
   Permission   Meaning
   T            Traverse
   r            Read
   x            Execute

   The entries are the same as in step 8 of the TCP junction procedure.

24. Attach the ACL to the junction, using the following syntax:

   pdadmin> acl attach fullJunctionName aclName

   For example:

   pdadmin> acl attach /WebSEAL/drbtest/enrole itim-acl

25. Create an ACL for the self-registration page, which must be reachable without logging in and therefore gets an ACL of its own that is not the junction's ACL.

   For example:

   pdadmin> acl create unprotected-acl

26. Attach the ACL to the self-registration URL, using the following syntax:

   pdadmin> acl attach fullJunctionName aclName

   For example:

   pdadmin> acl attach /WebSEAL/drbtest/itim/enrole/self_reg unprotected-acl

27. Update ui.properties of Tivoli Identity Manager so that logging out uses one of the logout pages provided in APP_WEB.war: logoff.html (the default), ssoLogout.jsp or websealLogout.jsp. The pages behave exactly as described in step 12 of the TCP junction procedure.

   For example:

   enrole.ui.logoffURL=ssoLogout.jsp

28. Restart WebSphere Application Server so that the change to ui.properties takes effect.

Junction URL

Once the junction exists, users reach Tivoli Identity Manager through WebSEAL. The URL has one of the following forms:

http://hostname/JunctionName/enrole/logon
https://hostname/JunctionName/enrole/logon

For example:

http://drbtest.tivoli.com/websphere/enrole/logon
https://drbtest.tivoli.com/websphere/enrole/logon
Chapter 6. Customizing the user interface

This chapter describes how to customize the Tivoli Identity Manager GUI: adding a custom banner, changing fonts and colours, and setting the size of lists.

See also "UI.properties" in Chapter 3, "Configuration files" (page 45).

Topics:

- "Customizing the banner" (page 99)
- "Customizing the display" (page 99)

Customizing the banner

The Tivoli Identity Manager GUI displays a banner at the top of every page, and the banner can link to a URL. By default the IBM banner (IBM_banner.gif) is displayed and links to the IBM home page. You can replace it with a banner of your own by completing the following steps.

To add a banner to Tivoli Identity Manager:

1. Copy the GIF file containing the banner to the following directory:

   WebSphere/AppServer/installedApps/enrole.ear/enrole.war/images

2. Start the system configuration tool. For more information, see Chapter 1, "System configuration tool (runConfig)" (page 1).
3. Click the UI tab.
4. In the Banner field, enter the name of the GIF file.
5. Optional: in the Banner URL field, enter the URL the banner should link to.
6. Click OK. The change is saved and the system configuration tool closes.

Customizing the display

You can customize the Tivoli Identity Manager GUI by changing its fonts and colours and the number of items shown on each page.

The changes take effect after the server is restarted.

Customizing fonts and colours

Edit the Styles.css file in the following directory (WebSphere 5.0.2) to change the fonts and colours of the GUI:

<WAS_HOME>/AppServer/installedApps/<server-name>/enrole.ear/app_web.war/en

Customizing the size of lists

Many Tivoli Identity Manager GUI pages present lists of items. A list shows a fixed number of items per page, and below it a fixed number of page links for moving through a multi-page result set. By default each page shows 10 items and 10 page links.

The two values are set in different places. The number of items per page is set with the system configuration tool; the number of page links is set in the ui.properties file in the $ITIM_HOME/data directory.

To set the number of items per page:

1. Start the system configuration tool. For more information, see Chapter 1, "System configuration tool (runConfig)" (page 1).
2. Click the UI tab.
3. In the List Size field, enter the number of items to show per page.
4. Click OK. The change is saved and the system configuration tool closes.

To set the number of page links:

1. Log in to the system on which the Tivoli Identity Manager server is installed.
2. Change to the data directory.
3. Open ui.properties in a text editor.
4. Set enrole.ui.pageLinkMax to the value you want. The relevant fragment of the file is:

   # number of page links to be shown for multi-page result sets
   enrole.ui.pageLinkMax=10

5. Save and close ui.properties.
6. Restart the server so that the change takes effect.
Chapter 7. Configuring e-mail notification

The Tivoli Identity Manager server sends e-mail notifications about created accounts, pending requests and other system events. You can customize the format of the notifications and the way they are delivered.

Topics:

- "Customizing the e-mail notification template" (page 101)
- "Notification of errors" (page 101)
- "Notification of new passwords" (page 103)

Customizing the e-mail notification template

The Tivoli Identity Manager server formats the e-mail notifications generated by workflow system processes with an HTML template. By editing the template you can change the layout of the notifications and the information they present.

The template is the notifytemplate.html file in the $ITIM_HOME/data/workflow_systemprocess directory.

Everything in the template can be changed except the three placeholders marked with a dollar sign ('$'), which are replaced at run time:

- $TITLE
- $BODY
- $BASE_URL

Typical changes are moving the placeholders and changing the size and colour of the surrounding text.

Notification of errors

By default the Tivoli Identity Manager server passes its error and trace messages to WebSphere Application Server, which records them in its logs. Because the Tivoli Identity Manager server logs through Log4j, you can have errors sent by e-mail by adding a Log4j appender and the routing rules that use it to the configuration.

Log4j provides several kinds of appenders; each is a JavaBean-style object whose getter and setter methods configure it. For the documentation of Log4j and its appenders, see the Log4j web site:

http://jakarta.apache.org/log4j

Note: The Log4j documentation is in JavaDoc format, so a browser that can display JavaDoc is needed to read it.

Logging is defined in enRoleLogging.properties. The following sections describe how to configure the Tivoli Identity Manager server so that severe errors are reported by e-mail.

Appender example

Log4j has an SMTP appender that sends messages by e-mail. Define an SMTP appender, then configure Log4j to route messages through it. The following is an example SMTP appender definition:

   # SMTP Appender used to send errors to email addresses.
   log4j.appender.EMAIL=org.apache.log4j.net.SMTPAppender
   log4j.appender.EMAIL.SMTPHost=enablemailserv
   log4j.appender.EMAIL.To=admin@ibm.com
   log4j.appender.EMAIL.BufferSize=50
   log4j.appender.EMAIL.layout=org.apache.log4j.PatternLayout
   log4j.appender.EMAIL.layout.ConversionPattern=<%d> [%t] <%c> %m \n

The elements of the example are:

EMAIL
   The name of the appender; the first line declares it as an SMTPAppender.
SMTPHost
   The mail server through which the notifications are sent.
To
   The e-mail address the notifications are sent to.
BufferSize
   The number of messages kept in the buffer and included in an e-mail. If BufferSize is not set, the default is 512.
layout, layout.ConversionPattern
   These two lines define the format of the e-mail text. The pattern shown writes, for each message, the date (%d), the name of the thread that issued it (%t), the logging category it belongs to (%c) and the message text (%m), followed by a new line.

Routing example

Appenders are invoked according to the category settings. The following lines show an example:

   log4j.rootCategory=FATAL, EMAIL
   log4j.category.com.ibm.enrole=INFO
   log4j.additivity.com.ibm.enrole=false

Each line specifies where messages go. A category line has the form:

   category=priority, appender

where:

category
   The name of the logging category.
priority
   The lowest priority of message that is logged for the category. The priority is optional: it can be one of the levels below, or INHERIT, in which case the category uses the priority of its parent. If no priority is set anywhere, the default is DEBUG. The levels, in increasing order of severity, are:

   INFO    Informational messages.
   WARN    Conditions that may indicate a problem.
   ERROR   Errors from which the system recovers but which signal a failure.
   FATAL   Severe errors that stop the system.

appender
   The names of the appenders to invoke. Separate several appenders with commas (,); a category may have any number of appenders.

For more information about priorities, see the Log4j web site.

The lines of the example do the following:

- log4j.rootCategory=FATAL, EMAIL
  Messages of priority FATAL are handled by the EMAIL appender. The root category applies to every category that has no setting of its own, so FATAL messages from anywhere in the system are sent to the address in the To property of the EMAIL appender. If this were the only line, all categories would be handled through the EMAIL appender under the FATAL threshold.
- log4j.category.com.ibm.enrole=INFO
  Messages of priority INFO and above from the com.ibm.enrole category, that is, from the Tivoli Identity Manager server, are logged through the WebSphere appender. That appender is defined in the standard configuration and is already attached to this category, so it need not be repeated here. Without the next line, the same messages would also be passed on to the appenders of rootCategory.
- log4j.additivity.com.ibm.enrole=false
  Keeps the INFO messages of com.ibm.enrole in the WebSphere appender and out of the EMAIL appender. The additivity flag decides whether a category passes its messages on to its parent categories as well; if it were true or not set, com.ibm.enrole messages would also be handled by the rootCategory appenders.

Note that additivity=false applies to every priority, not just INFO: a FATAL message from com.ibm.enrole never reaches the rootCategory appenders either, so it is not mailed. If severe Tivoli Identity Manager errors are to be mailed, list EMAIL on the com.ibm.enrole category itself and limit the appender with its own threshold (log4j.appender.EMAIL.Threshold=FATAL, for example), otherwise the SMTP appender buffers every INFO message and sends the buffer as soon as an ERROR occurs.

Other categories can be defined in the same way, each with its own appenders and priorities. They can all be placed in enRoleLogging.properties.
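To make the interaction of priority, appender lists and additivity concrete, the following is an added example (not part of the manual or of Log4j): a small model of how Log4j 1.x chooses the appenders for an event under the lines discussed above. The property keys are the real Log4j 1.x keys; the sample configuration is constructed for the example and, unlike the fragment in the text, names the WebSphere appender on the com.ibm.enrole line so that the routing is visible.

```python
"""Added example (not from the manual or Log4j): route a logged event to
appenders under category / priority / additivity settings as Log4j 1.x does."""

LEVELS = {"DEBUG": 0, "INFO": 1, "WARN": 2, "ERROR": 3, "FATAL": 4}

# Constructed sample configuration.
SAMPLE_CONFIG = """\
log4j.rootCategory=FATAL, EMAIL
log4j.category.com.ibm.enrole=INFO, WebSphere
log4j.additivity.com.ibm.enrole=false
"""


def _parse_spec(value):
    """'LEVEL, appender1, appender2' -> (level or None, [appenders])."""
    parts = [p.strip() for p in value.split(",")]
    level = parts[0].upper()
    if level in ("", "INHERIT", "NULL"):
        level = None
    return level, [p for p in parts[1:] if p]


def parse_config(text):
    cfg = {"root": (None, []), "categories": {}, "additivity": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in ("log4j.rootCategory", "log4j.rootLogger"):
            cfg["root"] = _parse_spec(value)
        elif key.startswith(("log4j.category.", "log4j.logger.")):
            cfg["categories"][key.split(".", 2)[2]] = _parse_spec(value)
        elif key.startswith("log4j.additivity."):
            cfg["additivity"][key[len("log4j.additivity."):]] = value.lower() == "true"
    return cfg


def _ancestors(category):
    """Yield the category and its parents, nearest first:
    com.ibm.enrole -> com.ibm -> com."""
    name = category
    while True:
        yield name
        if "." not in name:
            return
        name = name.rsplit(".", 1)[0]


def effective_level(cfg, category):
    """Level of the nearest configured ancestor, else the root level."""
    for name in _ancestors(category):
        level, _ = cfg["categories"].get(name, (None, []))
        if level:
            return level
    return cfg["root"][0] or "DEBUG"


def route(cfg, category, level):
    """Appenders that receive an event of `level` logged by `category`, in
    the order Log4j calls them.  Only the originating category's effective
    level is checked; parents' levels do not filter inherited events."""
    if LEVELS[level] < LEVELS[effective_level(cfg, category)]:
        return []
    targets = []
    for name in _ancestors(category):
        _, appenders = cfg["categories"].get(name, (None, []))
        targets += [a for a in appenders if a not in targets]
        # additivity=false on a configured category ends the walk, so its
        # parents and the root category never see the event.
        if name in cfg["categories"] and not cfg["additivity"].get(name, True):
            return targets
    targets += [a for a in cfg["root"][1] if a not in targets]
    return targets


CONFIG = parse_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    for cat, lvl in [("com.ibm.enrole.workflow", "INFO"), ("com.ibm.enrole", "FATAL"),
                     ("com.ibm.other", "ERROR"), ("com.ibm.other", "FATAL")]:
        print(f"{cat:26} {lvl:5} -> {route(CONFIG, cat, lvl)}")
```

Running the block shows that under the sample configuration a FATAL event from com.ibm.enrole goes only to WebSphere, while a FATAL event from any unconfigured category goes to EMAIL; flipping additivity to true sends every com.ibm.enrole event at INFO and above to EMAIL as well.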
Notification of new passwords

When an account is created for a person, the new password can be delivered to the person in one of two ways:

- in clear text in the notification e-mail; or
- through a URL from which the person retrieves the password.

By default the Tivoli Identity Manager server sends the password of the new account in clear text in the notification e-mail. To deliver passwords through a retrieval URL instead, change the enrole.workflow.notifypassword property in enRole.properties.

To have the Tivoli Identity Manager server send the password in clear text in the e-mail, set enrole.workflow.notifypassword to true.

To have the Tivoli Identity Manager server send a URL instead of the password, set enrole.workflow.notifypassword to false.

Property                         Value   Effect
enrole.workflow.notifypassword   true    When an account is created, the notification e-mail contains the password of the new account in clear text.
                                 false   The notification e-mail contains a URL and the transaction ID of the account request; the person retrieves the password through the URL, and the e-mail itself carries no password.

A password sent in clear text can be read by anyone who can read the mailbox or the mail traffic, so false is the safer setting.
Chapter 8. Configuring the password dictionary and excluded accounts

Topics:

- "Password dictionary" (page 105)
- "Excluded accounts" (page 105)

Password dictionary

You can configure the Tivoli Identity Manager server to reject certain words as account passwords. The words are stored in a password dictionary in the LDAP directory server; the dictionary is the list of words that may not be used as passwords.

You can edit the dictionary directly through LDAP: each word is an erDictionaryItem entry below erDictionaryName=<password>. The entries are written in an LDIF file that is imported into the directory server.

The following LDIF example defines two words that may not be used as passwords:

   dn: erword=apple, erdictionaryname=password, ou=ITIM, dc=com
   objectClass: top
   objectClass: erdictionaryitem
   erWord: apple

   dn: erword=orange, erdictionaryname=password, ou=ITIM, dc=com
   objectClass: top
   objectClass: erdictionaryitem
   erWord: orange

Only erword changes from entry to entry; erword is the word that may not be used as a password.

Note: The last line of the LDIF file must be followed by a blank line, otherwise the import fails.

After the words have been loaded into the dictionary, a password policy must reference the dictionary for it to be applied. For information about password policies, see the Tivoli Identity Manager Policy and Organization Administration Guide.

To add words to the password dictionary:

1. Create an LDIF file that specifies the words to add.
2. Import the LDIF file into the LDAP directory server.

Excluded accounts

During reconciliation the accounts found on a managed resource are matched against the persons in Tivoli Identity Manager, unless the reconciliation is limited to specific attributes. An account that cannot be matched to any person is recorded as an orphan account.

You can, however, configure the Tivoli Identity Manager server to exclude specified accounts from this processing. This is useful for system accounts that nobody owns and that should not be managed, for example root, lp, sys and etc on UNIX; excluding them avoids orphan accounts that only cause confusion. Excluded accounts remain on the resource and can still be used there, but Tivoli Identity Manager does not manage or report them, so make sure that any privileged account you exclude is controlled by other means.

Excluded accounts are defined in an LDIF file. The following is an example:

   dn: ou=excludeAccounts, ou=ITIM, ou=ITIM, dc=com
   ou: excludeAccounts
   objectClass: top
   objectClass: organizationalunit

   dn: cn=SolarisProfile, ou=excludeAccounts, ou=ITIM, ou=ITIM, dc=com
   erObjectProfileName: SolarisProfile
   objectClass: top
   objectClass: eridentityexclusion
   cn: SolarisProfile
   erAccountID: root
   erAccountID: admin

cn and erObjectProfileName name the service profile the exclusion applies to, and the accounts to exclude are listed as erAccountID values. This example excludes the root and admin accounts on Solaris services, so that reconciliation leaves them alone.

To exclude accounts:

1. Create an LDIF file that lists, per service profile, the accounts to exclude.
2. Import the LDIF file into the LDAP directory server.

See also "Reconciliation" in Chapter 3, "Configuration files" (page 45).
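Both LDIF files in this chapter are usually written by hand, and hand-written LDIF goes wrong on values containing commas, leading spaces or non-ASCII characters. The following is an added example, not part of the manual or of Tivoli Identity Manager, that generates both kinds of entry with RFC 4514 DN escaping and RFC 2849 base64 encoding where needed. The DN layout and attribute names are those shown above; the base DN, word lists and profile names are constructed for the example, and the case-insensitive de-duplication of words assumes that the directory matches erWord ignoring case.

```python
"""Added example (not from the manual): build password-dictionary and
excluded-account LDIF entries with correct escaping.  Base DN, words and
profile names are constructed; erWord is assumed to match case-insensitively."""
import base64

ITIM_BASE_DN = "ou=ITIM, dc=com"  # constructed, as in the manual's examples


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_attr(name, value):
    """One 'name: value' line; values LDIF cannot carry in clear (leading
    space, ':' or '<', trailing space, non-ASCII, control characters) are
    written base64-encoded with the '::' separator (RFC 2849)."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def dictionary_entries(words, dictionary="password", base_dn=ITIM_BASE_DN):
    """One erDictionaryItem entry per distinct, non-empty word."""
    seen, entries = set(), []
    for word in words:
        word = word.strip()
        if not word or word.lower() in seen:
            continue
        seen.add(word.lower())
        dn = (f"erword={escape_rdn_value(word)}, "
              f"erdictionaryname={escape_rdn_value(dictionary)}, {base_dn}")
        entries.append([ldif_attr("dn", dn), "objectClass: top",
                        "objectClass: erdictionaryitem", ldif_attr("erWord", word)])
    return entries


def exclusion_entries(profile, account_ids, base_dn=ITIM_BASE_DN):
    """The excludeAccounts container plus one erIdentityExclusion entry
    listing the accounts of a service profile to exclude."""
    container = f"ou=excludeAccounts, {base_dn}"
    entries = [[f"dn: {container}", "ou: excludeAccounts",
                "objectClass: top", "objectClass: organizationalunit"]]
    entry = [ldif_attr("dn", f"cn={escape_rdn_value(profile)}, {container}"),
             ldif_attr("erObjectProfileName", profile),
             "objectClass: top", "objectClass: eridentityexclusion",
             ldif_attr("cn", profile)]
    entry += [ldif_attr("erAccountID", a) for a in dict.fromkeys(account_ids)]
    entries.append(entry)
    return entries


def to_ldif(entries):
    """Join entries with blank lines and end with the blank line that the
    manual notes the import requires after the last entry."""
    return "\n\n".join("\n".join(e) for e in entries) + "\n\n"


if __name__ == "__main__":
    print(to_ldif(dictionary_entries(["apple", "orange", "Apple", "o'neil, jr"])))
    print(to_ldif(exclusion_entries("SolarisProfile", ["root", "admin"])))
```

Import the output with the directory server's LDIF import tool as described in the two procedures above; the container entry is included in the exclusion output so the file can be imported into an empty subtree.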
Appendix A. Installing and using the ACI Synchronizer

The ACI Synchronizer supports the ad-hoc reporting feature of Tivoli Identity Manager. While ad-hoc reports are defined, the ACI Synchronizer keeps the access control information (ACI) in the Tivoli Identity Manager directory server and in the Tivoli Identity Manager database synchronized.

The ACI Synchronizer is a separate component that you can install and configure after installing Tivoli Identity Manager. ACI synchronization is not required for ad-hoc reporting, but it is needed if reports must reflect the current ACIs.

For information about ad-hoc reports, see "Reports" in the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

Topics:

- "ACI synchronization background" (page 108)
- "Directory server changelog" (page 108)
- "ACI Synchronizer installation options" (page 108)
- "Installing the ACI Synchronizer on WebSphere/UNIX" (page 109)
- "Installing the ACI Synchronizer on WebSphere/Windows" (page 111)
- "Installing the ACI Synchronizer on WebLogic/UNIX" (page 113)
- "Installing the ACI Synchronizer on WebLogic/Windows" (page 115)
- "Running the ACI Synchronizer" (page 117)
ACI synchronization background

The Tivoli Identity Manager server lets authorized users create ad-hoc reports and export them in HTML or in comma-separated format. Ad-hoc report data is held in report tables in the Tivoli Identity Manager database. The report functions, including the report designer and running reports, are protected by Tivoli Identity Manager ACIs.

To use ad-hoc reports:

1. Select the attributes that are to be available in the report designer.
2. Run data synchronization to fill the report tables.
3. Design reports with the report designer and export them in HTML or comma-separated format.
4. Grant access to the reports.

The Tivoli Identity Manager data synchronization function copies data from the Tivoli Identity Manager directory server into the report tables. Attributes selected in step 1 appear in the report designer only after data synchronization has completed. Data synchronization and the ACI Synchronizer work together to track changes to ACIs in the Tivoli Identity Manager directory server.

ACI synchronization is a subset of data synchronization. The ACI Synchronizer keeps the ACIs in the Tivoli Identity Manager directory server and their copy in the report tables consistent, so that a report shows each user only the data the user's ACIs permit. If ACI synchronization is not run after ACIs change, reports are filtered with stale ACI data: a report can show data the current ACIs would hide, or omit data they would now permit.

Changes in the ACI changelog

The ACI Synchronizer works from the changelog of the directory server, a feature that not every directory server provides. The changelog records changes made to directory entries. IBM Directory Server and Sun ONE Directory Server can both be configured to record changes below:

   cn=changelog

The ACI Synchronizer reads this subtree and, when it finds changes to ACIs, updates the copy in the database report tables. Only changelog entries that concern ACIs are processed.

Directory server changelog

To configure the changelog of the directory server used by Tivoli Identity Manager, see the documentation of that directory server.

Note: With IBM Directory Server, increase the log size of the DB2 database in which IBM Directory Server stores the changelog above the DB2 default, for example to 4096. See the DB2 documentation for changing the log size.

ACI Synchronizer installation options

Choose the procedure that matches your application server and platform:

- "Installing the ACI Synchronizer on WebSphere/UNIX" (page 109)
- "Installing the ACI Synchronizer on WebSphere/Windows" (page 111)
- "Installing the ACI Synchronizer on WebLogic/UNIX" (page 113)
- "Installing the ACI Synchronizer on WebLogic/Windows" (page 115)
Installing the ACI Synchronizer on WebSphere/UNIX

The ACI Synchronizer can be installed either on the same computer as WebSphere Application Server or on a different computer. Installing it on a separate computer is recommended. Both options are described below.

The itim45/data directory copied in these steps contains, in enRoleDatabase.properties and enRoleLDAPConnection.properties, the identity and credentials used to connect to the Tivoli Identity Manager database and directory server; give it the same restrictive file permissions on the synchronizer computer as it has on the server.

Installing on a separate computer

The following steps set up the ACI Synchronizer on a computer other than the WebSphere Application Server computer.

Note: <itimri_aci_synchronizer_computer> is the computer on which the ACI Synchronizer is to be installed; <tim_computer> is the computer on which Tivoli Identity Manager is installed.

1. Copy the itim45 directory from <tim_computer> to <itimri_aci_synchronizer_computer>.
2. Copy the java directory from WebSphere/AppServer on <tim_computer> into the itim45 directory on <itimri_aci_synchronizer_computer>.
3. In the itim45 directory on <itimri_aci_synchronizer_computer>, create a directory named websphere_lib.
4. Copy all files from WebSphere/AppServer/lib on <tim_computer> to itim45/websphere_lib on <itimri_aci_synchronizer_computer>.
5. Copy app_ejb.jar from WebSphere/AppServer/installedApps/<computer_name>/enRole.ear on <tim_computer> to itim45/lib on <itimri_aci_synchronizer_computer>.
   <computer_name> is usually the name of the Tivoli Identity Manager server computer; it is the name that was used when Tivoli Identity Manager was installed. You can find it by locating enRole.ear under the WebSphere installation directory (/usr/WebSphere/AppServer/installedApps/<computer_name>/enRole.ear).
6. Copy implfactory.properties from WebSphere/AppServer/properties on <tim_computer> to itim45/data on <itimri_aci_synchronizer_computer>.
7. In itim45 on <itimri_aci_synchronizer_computer>, create a directory named logs.
8. In adhocreporting.properties on <tim_computer>, enable changelog processing:
   a. In adhocreporting.properties in the data directory of the Tivoli Identity Manager server installation, set changelogEnabled=true.
   b. In the same file, set changelogBaseDN=<changelog_base_dn>, where <changelog_base_dn> is the base DN under which the directory server keeps the changelog. For example:

      changelogBaseDN=cn=changelog

9. In enRole.properties in itim45/data on <itimri_aci_synchronizer_computer>, set:

   enrole.appServer.url=iiop://<itim_server_computer_name>:2809

10. In enRoleDatabase.properties in itim45/data on <itimri_aci_synchronizer_computer>, enter the connection information of the Tivoli Identity Manager database.
11. In enRoleLDAPConnection.properties in itim45/data on <itimri_aci_synchronizer_computer>, enter the connection information of the Tivoli Identity Manager directory server.
12. In enRoleLogging.properties in itim45/data on <itimri_aci_synchronizer_computer>, set:

    log4j.appender.Logger.File=<path_to_itim>.log

    where the log file is itim45/logs/itim.log, in the logs directory created in step 7. For example:

    log4j.appender.Logger.File=/home/itim45/logs/itim.log

13. If the Tivoli Identity Manager database is DB2, copy db2java.zip from SQLLIB/java12 on <tim_computer> to itim45/lib on <itimri_aci_synchronizer_computer>.
14. In the following two scripts, set ITIM_HOME so that it points to the itim45 directory:

    startACISynchronizationCMD_WAS.sh
    startACISynchronizationUI_WAS.sh

    For example:

    ITIM_HOME=/home/itim45

    Write the assignment without spaces around the equals sign; with spaces the shell treats ITIM_HOME as a command name and the variable stays unset. The scripts are in itim45/bin/unix.

Installing on the same computer

The following steps set up the ACI Synchronizer on the WebSphere Application Server computer.

1. Copy the java directory from WebSphere/AppServer into the itim45 directory.
2. In the itim45 directory, create a directory named websphere_lib.
3. Copy all files from WebSphere/AppServer/lib to itim45/websphere_lib.
4. Copy app_ejb.jar from WebSphere/AppServer/installedApps/<computer_name>/enRole.ear to itim45/lib.
   <computer_name> is usually the name of the Tivoli Identity Manager server computer; it is the name that was used when Tivoli Identity Manager was installed. You can find it by locating enRole.ear under the WebSphere installation directory (/usr/WebSphere/AppServer/installedApps/<computer_name>/enRole.ear).
5. Copy implfactory.properties from WebSphere/AppServer/properties to itim45/data.
6. In adhocreporting.properties, enable changelog processing:
   a. In adhocreporting.properties in itim45/data, set changelogEnabled=true.
   b. In the same file, set changelogBaseDN=<changelog_base_dn>, where <changelog_base_dn> is the base DN under which the directory server keeps the changelog. For example:

      changelogBaseDN=cn=changelog

7. If the Tivoli Identity Manager database is DB2, copy db2java.zip from SQLLIB/java12 to itim45/lib.
Installing the ACI Synchronizer on WebSphere/Windows

The ACI Synchronizer can be installed either on the same computer as WebSphere Application Server or on a different computer. Installing it on a separate computer is recommended. Both options are described below.

The itim45\data directory copied in these steps contains, in enRoleDatabase.properties and enRoleLDAPConnection.properties, the identity and credentials used to connect to the Tivoli Identity Manager database and directory server; give it the same restrictive permissions on the synchronizer computer as it has on the server.

Installing on a separate computer

The following steps set up the ACI Synchronizer on a computer other than the WebSphere Application Server computer.

Note: <itimri_aci_synchronizer_computer> is the computer on which the ACI Synchronizer is to be installed; <tim_computer> is the computer on which Tivoli Identity Manager is installed.

1. Copy the itim45 directory from <tim_computer> to <itimri_aci_synchronizer_computer>.
2. Copy the java directory from WebSphere\AppServer on <tim_computer> into the itim45 directory on <itimri_aci_synchronizer_computer>.
3. In the itim45 directory on <itimri_aci_synchronizer_computer>, create a directory named websphere_lib.
4. Copy all files from WebSphere\AppServer\lib on <tim_computer> to itim45\websphere_lib on <itimri_aci_synchronizer_computer>.
5. Copy app_ejb.jar from WebSphere\AppServer\installedApps\<computer_name>\enRole.ear on <tim_computer> to itim45\lib on <itimri_aci_synchronizer_computer>.
   <computer_name> is usually the name of the Tivoli Identity Manager server computer; it is the name that was used when Tivoli Identity Manager was installed. You can find it by locating enRole.ear under the WebSphere installation directory (C:\Program Files\WebSphere\AppServer\installedApps\<computer_name>\enRole.ear).
6. Copy implfactory.properties from WebSphere\AppServer\properties on <tim_computer> to itim45\data on <itimri_aci_synchronizer_computer>.
7. In itim45 on <itimri_aci_synchronizer_computer>, create a directory named logs.
8. In adhocreporting.properties on <tim_computer>, enable changelog processing:
   a. In adhocreporting.properties in the data directory of the Tivoli Identity Manager server installation, set changelogEnabled=true.
   b. In the same file, set changelogBaseDN=<changelog_base_dn>, where <changelog_base_dn> is the base DN under which the directory server keeps the changelog. For example:

      changelogBaseDN=cn=changelog

9. In enRole.properties in itim45\data on <itimri_aci_synchronizer_computer>, set:

   enrole.appServer.url=iiop://<itim_server_computer_name>:2809

10. In enRoleDatabase.properties in itim45\data on <itimri_aci_synchronizer_computer>, enter the connection information of the Tivoli Identity Manager database.
11. In enRoleLDAPConnection.properties in itim45\data on <itimri_aci_synchronizer_computer>, enter the connection information of the Tivoli Identity Manager directory server.
12. In enRoleLogging.properties in itim45\data on <itimri_aci_synchronizer_computer>, set:

    log4j.appender.Logger.File=<path_to_itim>.log

    where the log file is itim45\logs\itim.log, in the logs directory created in step 7. The backslash is the escape character in a Java properties file, so every backslash in the path must be doubled (or forward slashes used); with single backslashes the value is read as C:\itim45logsitim.log. For example:

    log4j.appender.Logger.File=C:\\itim45\\logs\\itim.log

13. If the Tivoli Identity Manager database is DB2, copy db2java.zip from SQLLIB\java12 on <tim_computer> to itim45\lib on <itimri_aci_synchronizer_computer>.
14. In the following two scripts, set ITIM_HOME so that it points to the itim45 directory:

    startACISynchronizationCMD_WAS.bat
    startACISynchronizationUI_WAS.bat

    For example:

    set ITIM_HOME=C:\itim45

    Write the assignment without spaces around the equals sign; in a batch file, set ITIM_HOME = C:\itim45 defines a variable whose name ends in a space. The scripts are in itim45\bin\win.

Installing on the same computer

The following steps set up the ACI Synchronizer on the WebSphere Application Server computer.

1. Copy the java directory from WebSphere\AppServer into the itim45 directory.
2. In the itim45 directory, create a directory named websphere_lib.
3. Copy all files from WebSphere\AppServer\lib to itim45\websphere_lib.
4. Copy app_ejb.jar from WebSphere\AppServer\installedApps\<computer_name>\enRole.ear to itim45\lib.
   <computer_name> is usually the name of the Tivoli Identity Manager server computer; it is the name that was used when Tivoli Identity Manager was installed. You can find it by locating enRole.ear under the WebSphere installation directory (C:\Program Files\WebSphere\AppServer\installedApps\<computer_name>\enRole.ear).
5. Copy implfactory.properties from WebSphere\AppServer\properties to itim45\data.
6. In adhocreporting.properties, enable changelog processing:
   a. In adhocreporting.properties in itim45\data, set changelogEnabled=true.
   b. In the same file, set changelogBaseDN=<changelog_base_dn>, where <changelog_base_dn> is the base DN under which the directory server keeps the changelog. For example:

      changelogBaseDN=cn=changelog

7. If the Tivoli Identity Manager database is DB2, copy db2java.zip from SQLLIB\java12 to itim45\lib.
Installing the ACI Synchronizer on WebLogic/UNIX

The ACI Synchronizer can be installed either on the same computer as WebLogic Application Server or on a different computer. Installing it on a separate computer is recommended. Both options are described below.

The itim45/data directory copied in these steps contains, in enRoleDatabase.properties and enRoleLDAPConnection.properties, the identity and credentials used to connect to the Tivoli Identity Manager database and directory server; give it the same restrictive file permissions on the synchronizer computer as it has on the server.

Installing on a separate computer

The following steps set up the ACI Synchronizer on a computer other than the WebLogic Application Server computer.

Note: <itimri_aci_synchronizer_computer> is the computer on which the ACI Synchronizer is to be installed; <tim_computer> is the computer on which Tivoli Identity Manager is installed.

1. Copy the itim45 directory from <tim_computer> to <itimri_aci_synchronizer_computer>.
2. In the itim45 directory on <itimri_aci_synchronizer_computer>, create a directory named java.
3. Copy the contents of the jdk131_06 directory from the bea directory on <tim_computer> into itim45/java on <itimri_aci_synchronizer_computer>.
4. Copy weblogic.jar from bea/weblogic700/server/lib on <tim_computer> to itim45/lib on <itimri_aci_synchronizer_computer>.
5. In the itim45 directory on <itimri_aci_synchronizer_computer>, create a directory named logs.
6. In adhocreporting.properties on <tim_computer>, enable changelog processing:
   a. In adhocreporting.properties in itim45/data on <tim_computer>, set changelogEnabled=true.
   b. In the same file, set changelogBaseDN=<changelog_base_dn>, where <changelog_base_dn> is the base DN under which the directory server keeps the changelog. For example:

      changelogBaseDN=cn=changelog

7. In enRole.properties in itim45/data on <itimri_aci_synchronizer_computer>, set:

   enrole.appServer.url=t3://<tim_server_computer_name>:<tim_server_port>

   <tim_server_computer_name> is the name of <tim_computer>; <tim_server_port> is the port on which Tivoli Identity Manager runs.

   Note: The port matters. If no port is given, the default WebLogic port, 7001, is used.

8. In enRoleDatabase.properties in itim45/data on <itimri_aci_synchronizer_computer>, enter the connection information of the Tivoli Identity Manager database.
9. In enRoleLDAPConnection.properties in itim45/data on <itimri_aci_synchronizer_computer>, enter the connection information of the Tivoli Identity Manager directory server.
10. In enRoleLogging.properties in itim45/data on <itimri_aci_synchronizer_computer>, set:

    log4j.appender.Logger.File=<path_to_itim>.log

    where the log file is itim45/logs/itim.log, in the logs directory created in step 5. For example:

    log4j.appender.Logger.File=/home/itim45/logs/itim.log

11. In the following two scripts, set ITIM_HOME so that it points to the itim45 directory:

    startACISynchronizationCMD_WLS.sh
    startACISynchronizationUI_WLS.sh

    For example:

    ITIM_HOME=/home/itim45

    Write the assignment without spaces around the equals sign; with spaces the shell treats ITIM_HOME as a command name and the variable stays unset. The scripts are in itim45/bin/unix.

Installing on the same computer

The following steps set up the ACI Synchronizer on the WebLogic Application Server computer.

1. In the itim45 directory, create a directory named java.
2. Copy the contents of the jdk131_06 directory under the bea directory into itim45/java.
3. Copy weblogic.jar from bea/weblogic700/server/lib to itim45/lib.
4. In adhocreporting.properties, enable changelog processing:
   a. In adhocreporting.properties in itim45/data, set changelogEnabled=true.
   b. In the same file, set changelogBaseDN=<changelog_base_dn>, where <changelog_base_dn> is the base DN under which the directory server keeps the changelog. For example:

      changelogBaseDN=cn=changelog

5. In enRole.properties in itim45/data, set:

   enrole.appServer.url=t3://<tim_server_computer_name>:<tim_server_port>

   <tim_server_computer_name> is the name of <tim_computer>, usually "localhost" in this case; <tim_server_port> is the port on which Tivoli Identity Manager runs.

   Note: The port matters. If no port is given, the default WebLogic port, 7001, is used.
Installing the ACI Synchronizer on WebLogic/Windows

The ACI Synchronizer can be installed either on the same computer as WebLogic Application Server or on a different computer. Installing it on a separate computer is recommended. Both options are described below.

The itim45\data directory copied in these steps contains, in enRoleDatabase.properties and enRoleLDAPConnection.properties, the identity and credentials used to connect to the Tivoli Identity Manager database and directory server; give it the same restrictive permissions on the synchronizer computer as it has on the server.

Installing on a separate computer

The following steps set up the ACI Synchronizer on a computer other than the WebLogic Application Server computer.

Note: <itimri_aci_synchronizer_computer> is the computer on which the ACI Synchronizer is to be installed; <tim_computer> is the computer on which Tivoli Identity Manager is installed.

1. Copy the itim45 directory from <tim_computer> to <itimri_aci_synchronizer_computer>.
2. In the itim45 directory on <itimri_aci_synchronizer_computer>, create a directory named java.
3. Copy the contents of the jdk131_06 directory under the bea directory on <tim_computer> into itim45\java on <itimri_aci_synchronizer_computer>.
4. Copy weblogic.jar from bea\weblogic700\server\lib on <tim_computer> to itim45\lib on <itimri_aci_synchronizer_computer>.
5. In the itim45 directory on <itimri_aci_synchronizer_computer>, create a directory named logs.
6. In adhocreporting.properties on <tim_computer>, enable changelog processing:
   a. In adhocreporting.properties in itim45\data on <tim_computer>, set changelogEnabled=true.
   b. In the same file, set changelogBaseDN=<changelog_base_dn>, where <changelog_base_dn> is the base DN under which the directory server keeps the changelog. For example:

      changelogBaseDN=cn=changelog

7. In enRole.properties in itim45\data on <itimri_aci_synchronizer_computer>, set:

   enrole.appServer.url=t3://<tim_server_computer_name>:<tim_server_port>

   <tim_server_computer_name> is the name of <tim_computer>; <tim_server_port> is the port on which Tivoli Identity Manager runs.

   Note: The port matters. If no port is given, the default WebLogic port, 7001, is used.

8. In enRoleDatabase.properties in itim45\data on <itimri_aci_synchronizer_computer>, enter the connection information of the Tivoli Identity Manager database.
9. In enRoleLDAPConnection.properties in itim45\data on <itimri_aci_synchronizer_computer>, enter the connection information of the Tivoli Identity Manager directory server.
10. In enRoleLogging.properties in itim45\data on <itimri_aci_synchronizer_computer>, set:

    log4j.appender.Logger.File=<path_to_itim>.log

    where the log file is itim45\logs\itim.log, in the logs directory created in step 5. The backslash is the escape character in a Java properties file, so every backslash in the path must be doubled (or forward slashes used); with single backslashes the value is read as C:\itim45logsitim.log. For example:

    log4j.appender.Logger.File=C:\\itim45\\logs\\itim.log

11. In the following two scripts, set ITIM_HOME so that it points to the itim45 directory:

    startACISynchronizationCMD_WLS.bat
    startACISynchronizationUI_WLS.bat

    For example:

    set ITIM_HOME=C:\itim45

    Write the assignment without spaces around the equals sign; in a batch file, set ITIM_HOME = C:\itim45 defines a variable whose name ends in a space. The scripts are in itim45\bin\win.

Installing on the same computer

The following steps set up the ACI Synchronizer on the WebLogic Application Server computer.

1. In the itim45 directory, create a directory named java.
2. Copy the contents of the jdk131_06 directory under the bea directory into itim45\java.
3. Copy weblogic.jar from bea\weblogic700\server\lib to itim45\lib.
4. In adhocreporting.properties, enable changelog processing:
   a. In adhocreporting.properties in itim45\data, set changelogEnabled=true.
   b. In the same file, set changelogBaseDN=<changelog_base_dn>, where <changelog_base_dn> is the base DN under which the directory server keeps the changelog. For example:

      changelogBaseDN=cn=changelog

5. In enRole.properties in itim45\data, set:

   enrole.appServer.url=t3://<tim_server_computer_name>:<tim_server_port>

   <tim_server_computer_name> is the name of <tim_computer>, usually "localhost" in this case; <tim_server_port> is the port on which Tivoli Identity Manager runs.

   Note: The port matters. If no port is given, the default WebLogic port, 7001, is used.
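The four installation procedures above edit the same handful of Java properties files, and the Windows variants are easy to get wrong because java.util.Properties, which Log4j and the ACI Synchronizer use to read them, treats the backslash as an escape character. The following is an added example, not part of the manual or of Tivoli Identity Manager: a loader that decodes a properties file the way Properties.load does, and a check of the settings the steps touch (changelogEnabled, changelogBaseDN, the enrole.appServer.url scheme for the chosen application server, and backslashes that would be silently dropped). The two sample files are constructed for the example.

```python
"""Added example (not from the manual): decode Java .properties files as
java.util.Properties does and check the ACI Synchronizer settings.
Sample contents below are constructed."""
import re

_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

# Constructed sample: the Windows log path written with single backslashes.
BAD_SAMPLE = r"""
changelogEnabled=true
changelogBaseDN=cn=changelog
enrole.appServer.url=iiop://itimhost:2809
log4j.appender.Logger.File=C:\\itim45\logs\itim.log
"""
# The same file with the backslashes doubled as a properties file requires.
GOOD_SAMPLE = BAD_SAMPLE.replace(r"C:\\itim45\logs\itim.log", r"C:\\itim45\\logs\\itim.log")


def _unescape(s):
    """Properties escapes: \\t \\n \\r \\f \\uXXXX \\\\; any other escaped
    character stands for itself, so '\\l' is read as 'l'."""
    out, i = [], 0
    while i < len(s):
        if s[i] != "\\" or i + 1 >= len(s):
            out.append(s[i])
            i += 1
            continue
        nxt = s[i + 1]
        if nxt == "u" and re.fullmatch(r"[0-9a-fA-F]{4}", s[i + 2:i + 6]):
            out.append(chr(int(s[i + 2:i + 6], 16)))
            i += 6
        else:
            out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
            i += 2
    return "".join(out)


def _logical_lines(text):
    """Skip comment lines and join continuation lines (odd number of
    trailing backslashes), stripping leading whitespace as Properties does."""
    buf = None
    for raw in text.splitlines():
        line = raw.lstrip()
        if buf is None:
            if not line or line[0] in "#!":
                continue
            buf = line
        else:
            buf += line
        if (len(buf) - len(buf.rstrip("\\"))) % 2 == 1:
            buf = buf[:-1]
            continue
        yield buf
        buf = None
    if buf is not None:
        yield buf


def load_java_properties(text):
    props = {}
    for line in _logical_lines(text):
        i, key = 0, []
        while i < len(line) and line[i] not in "=: \t\f":
            step = 2 if line[i] == "\\" and i + 1 < len(line) else 1
            key.append(line[i:i + step])
            i += step
        while i < len(line) and line[i] in " \t\f":
            i += 1
        if i < len(line) and line[i] in "=:":
            i += 1
        while i < len(line) and line[i] in " \t\f":
            i += 1
        props[_unescape("".join(key))] = _unescape(line[i:])
    return props


def dropped_escapes(s):
    """Characters whose preceding backslash Properties.load drops silently
    (everything except t n r f u and a second backslash)."""
    dropped, i = [], 0
    while i < len(s) - 1:
        if s[i] == "\\":
            if s[i + 1] not in "tnrfu\\":
                dropped.append(s[i + 1])
            i += 2
        else:
            i += 1
    return dropped


def check_aci_sync_settings(text, app_server):
    """Problems in the merged ACI Synchronizer settings; app_server is
    'websphere' (iiop://) or 'weblogic' (t3://)."""
    props = load_java_properties(text)
    problems = []
    if props.get("changelogEnabled", "").lower() != "true":
        problems.append("changelogEnabled is not true")
    if not props.get("changelogBaseDN"):
        problems.append("changelogBaseDN is not set")
    scheme = {"websphere": "iiop://", "weblogic": "t3://"}[app_server]
    url = props.get("enrole.appServer.url", "")
    if not url.startswith(scheme):
        problems.append(f"enrole.appServer.url must start with {scheme}")
    elif not re.fullmatch(r"[^:/]+:\d+", url[len(scheme):]):
        problems.append("enrole.appServer.url should name host:port explicitly")
    for line in _logical_lines(text):
        key, _, value = line.partition("=")
        lost = dropped_escapes(value)
        if lost:
            problems.append(f"{key.strip()}: backslash dropped before {lost}; double the backslashes or use /")
    return problems
```

Run check_aci_sync_settings on the concatenated contents of adhocreporting.properties, enRole.properties and enRoleLogging.properties before starting the synchronizer; the dropped-escape check is the one that catches the single-backslash Windows path.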
ACI SynchronizerziHbííⁿOµíAIs ACI SynchronizerC
: b ACI PBBz@ºeA² Tivoli Identity Manager °AA
B∩ªiµΩPBBzC
íí
UNIXG
pGznHííIs ACI SynchronizerA⌡µUo ≤
itim45/bin/unix ²ⁿOG
startACISynchronizationUI_WAS.sh
: XClient Is ACI SynchronizerC
WindowsG
pGznHííIs ACI SynchronizerA⌡µUo ≤
itim45\bin\win ²ⁿOG
startACISynchronizationUI_WAS.bat
UNπHííIs ACI SynchronizerG
nJG
pGn ACI PBBz@A²ú Tivoli Identity Manager zí
CziH÷@UnJ÷sAúoCo∩ πbUñG
11. íí ACI Synchronizer
² A. wM ACI Synchronizer 117
∩G
bzbxs changelog LDAP directory server ΘJ≥ DNAHΘJ
ΓFPBBz@ºí ≡íC
: ≡íOⁿ@PBBz@⌠A U@PBBzlºííjC
pGn]woA÷@U∩÷sCo∩ πbUñG
ACI Synchronizer @G
ziH÷@U÷sAPBBz@CPBBz@iΣLΩA
OπbíσrϕñC
ziH÷@Uε÷sAεPBBzC
ziH÷@UMú÷sAMú ACI Synchronizer σrC
ziH÷@U⌠÷sA⌠ ACI SynchronizerC
Command-line mode
UNIX:
To invoke the ACI Synchronizer from the command line, run the following command in the itim45/bin/unix directory:
startACISynchronizationCMD_WAS.sh itim-manager passwd chglog-base-dn time-int
Windows:
To invoke the ACI Synchronizer from the command line, run the following command in the itim45\bin\win directory:
startACISynchronizationCMD_WAS.bat itim-manager passwd chglog-base-dn time-int
where:
itim-manager    Login ID of the Tivoli Identity Manager administrator
passwd          Password of the Tivoli Identity Manager administrator
chglog-base-dn  Base DN of the changelog on the Tivoli Identity Manager directory server
time-int        Time interval between two synchronization runs, in seconds
Example (UNIX):
startACISynchronizationCMD_WAS.sh "itim manager" password cn=changelog 1800
Example (Windows):
startACISynchronizationCMD_WAS.bat "itim manager" password cn=changelog 1800
Note: The interval is the time between the end of one synchronization run and the start of the next.
Appendix B. Configuring Crystal Reports
Crystal Reports 9 is a product of Crystal Decisions, Inc. for designing and displaying report templates. You can use the Crystal Reports Designer tool to design report templates, and these templates can then be used in the Tivoli Identity Manager system to produce reports.
The Crystal Reports function is an optional (not required) feature of Tivoli Identity Manager. Crystal Report templates can only be used with the Tivoli Identity Manager Ad-Hoc reporting function.
Using the Tivoli Identity Manager GUI, you import report templates from the Crystal Reports client into the Tivoli Identity Manager system. Users who have been granted access to these report templates in Tivoli Identity Manager can then generate Ad-Hoc reports from them.
Tivoli Identity Manager has no ACI control over the report data that a Crystal Report template displays.
Topics:
• "Crystal Reports process flow" on page 122
• "Configuring Crystal Reports for Tivoli Identity Manager" on page 123
Crystal Reports process flow
Integrating the Crystal Reports function with Tivoli Identity Manager involves a system with the following components:
• The Crystal Reports client, that is, the client machine on which the Crystal Reports Designer tool is installed. The Designer tool is used to design report templates.
• The Tivoli Identity Manager GUI, which lets you import report templates into Tivoli Identity Manager (the Import function).
• The Tivoli Identity Manager server, which sends report requests to the Crystal Reports Report Application Server (RAS).
• The Crystal Reports RAS (Report Application Server), which reads data from the Tivoli Identity Manager database, merges it into the template and generates the report.
• The SDK, which sits between the Tivoli Identity Manager server and RAS.
The following process flow applies when a report is produced from a Crystal Reports template:
1. On the Crystal Reports client, design the report template with the Crystal Reports Designer tool. The Designer tool can only design against the data entities and attributes of the Tivoli Identity Manager system. After the report template is designed, the Designer tool saves it on the client as a report template file (.rpt).
2. Using the Import function of the Tivoli Identity Manager GUI (the Import button of the Design Report task), import the template into the Tivoli Identity Manager system.
3. When a user selects the template and runs the report, the Tivoli Identity Manager server sends the report request to RAS for processing.
4. RAS uses the DSN (data source name) defined on the RAS machine to connect to the Tivoli Identity Manager database, reads the data and produces the report.
Configuring Crystal Reports for Tivoli Identity Manager
To design report templates with the Crystal Reports Designer tool and import them into the Tivoli Identity Manager system, the Report Application Server (RAS) must be running on a system, and the Tivoli Identity Manager server must be configured for the RAS SDK.
The overall Crystal Reports configuration for Tivoli Identity Manager consists of the following three parts:
1. Crystal Enterprise Report Application Server (RAS) configuration
• Windows platforms only
2. Tivoli Identity Manager application server configuration
Note: Choose the one of the following that matches your application server and platform:
a. Windows WebSphere
b. UNIX WebSphere
c. Windows WebLogic
d. UNIX WebLogic
3. Client configuration (the machine that runs the Crystal Reports Designer tool)
• Windows platforms only
1. RAS configuration (Windows platforms only)
Perform the following steps to configure the Report Application Server (RAS):
1. Install the Crystal Reports Report Application Server (RAS) from the software package. RAS can be installed on the same Windows machine as the Tivoli Identity Manager application server, or on a different Windows machine.
2. On the RAS machine, define a DSN (data source name) that points to the Tivoli Identity Manager database of the Tivoli Identity Manager server.
2a. Tivoli Identity Manager (Windows, WebSphere) configuration
Perform the following steps to configure Tivoli Identity Manager with WebSphere application server on a Windows machine:
1. From the RAS installation directory, copy the .jar files (except OB405.jar, ebus405.jar and xerces.jar) to the following WebSphere directory:
WAS_HOME\installedApps\<machine-name>\enrole.ear
These .jar files are usually found in the following directory:
C:\Program Files\Common Files\Crystal Decisions\2.0\jars
Note: Do not overwrite the xerces.jar that is already in the target directory, and do not copy OB405.jar and ebus405.jar into it. OB405.jar and ebus405.jar belong to the Crystal Report Application Server and remain in the Crystal installation directory.
2. Edit ITIM_HOME\data\crystal.properties and update the following entries:
• crystalras: set this to the RAS server
• dsn: set this to the DSN defined earlier
• database: set this to the Tivoli Identity Manager database
For DB2 database configurations, if the database is not on the machine where RAS is installed, specify the database alias that points to the Tivoli Identity Manager database.
3. Restart the Tivoli Identity Manager server.
Creating the .war file with the WebSphere Application Assembly Tool:
The following instructions package the crystalreportviewers directory into a .war file for WebSphere 5.0.
1. Start the WebSphere Application Assembly Tool:
Start > Programs > IBM WebSphere > Application Server 5.0 > Application Assembly Tool
2. Select Web Module.
3. Open it.
4. Right-click Resource Files and select Add.
5. Select the crystalreportviewers directory from the Crystal installation directory. It is usually located at:
C:\Program Files\Common Files\Crystal Decisions\2.0\crystalreportviewers
6. Click Add.
Confirm that the contents of the crystalreportviewers directory are listed in the GUI.
7. Click OK.
8. Right-click JAR files and select Add.
9. Select the jars directory from the Crystal installation directory. It is usually located at:
C:\Program Files\Common Files\Crystal Decisions\2.0\jars
10. Select all the .jar files.
11. Click Add.
Confirm that the contents of the jars directory are listed in the GUI.
12. Click OK.
13. Click Apply.
14. Click the top-level node of the tree on the left.
15. Edit the Classpath field to contain the following (entered on a single line):
WEB-INF/lib/rascore.jar;WEB-INF/lib/rasapp.jar;WEB-INF/lib/webreporting.jar;WEB-INF/lib/WebReportingWizard.jar;WEB-INF/lib/Serialization.jar;WEB-INF/lib/MetafileRenderer.jar;WEB-INF/lib/ReportTemplate.jar;WEB-INF/lib/CorbaIDL.jar;WEB-INF/lib/OBBiDir.jar;WEB-INF/lib/OBEvent.jar;WEB-INF/lib/OBIMR.jar;WEB-INF/lib/OBNaming.jar;WEB-INF/lib/OBProperty.jar;WEB-INF/lib/OBTime.jar;WEB-INF/lib/OBUtil.jar;WEB-INF/lib/reportsourcefactory.jar
16. Click Apply.
17. Save the module as a .war file.
Deploying the .war file from the WebSphere administrative console:
1. Start the WebSphere server.
2. Open the WebSphere administrative console:
http://machine-name:9090/admin/
3. In the console, select:
Applications > Install New Application
4. If you are installing from a machine other than the server, select the local path; otherwise select the server path and locate the file on the server.
5. Select the .war file created above.
6. Specify the context root as:
/crystalreportviewers
7. Keep the default values and specify the application name as:
crystalreportviewers
8. Click Finish.
9. Click Save to Master Configuration.
10. Click Save.
11. In the tree on the left, expand Environment.
12. Select Update Web Server Plugin.
13. Click OK on the right.
14. Restart the WebSphere application server.
2b. Tivoli Identity Manager (UNIX, WebSphere) configuration
Perform the following steps to configure Tivoli Identity Manager with WebSphere application server on a UNIX machine:
1. From the RAS installation directory, copy the .jar files (except OB405.jar, ebus405.jar and xerces.jar) to the following WebSphere directory:
WAS_HOME/installedApps/<machine-name>/enrole.ear
These .jar files are usually found in the following directory:
C:\Program Files\Common Files\Crystal Decisions\2.0\jars
Note: Do not overwrite the xerces.jar that is already in the target directory, and do not copy OB405.jar and ebus405.jar into it. OB405.jar and ebus405.jar belong to the Crystal Report Application Server and remain in the Crystal installation directory.
2. Edit ITIM_HOME/data/crystal.properties and update the following entries:
• crystalras: set this to the RAS server
• dsn: set this to the DSN defined earlier
• database: set this to the Tivoli Identity Manager database
For DB2 database configurations, if the database is not on the machine where RAS is installed, specify the database alias that points to the Tivoli Identity Manager database.
3. Restart the Tivoli Identity Manager server.
Creating the .war file with the WebSphere Application Assembly Tool:
The following instructions package the crystalreportviewers directory into a .war file for WebSphere 5.0.
1. Start the WebSphere Application Assembly Tool:
Start > Programs > IBM WebSphere > Application Server 5.0 > Application Assembly Tool
2. Select Web Module.
3. Open it.
4. Right-click Resource Files and select Add.
5. Select the crystalreportviewers directory from the Crystal installation directory. It is usually located at:
C:\Program Files\Common Files\Crystal Decisions\2.0\crystalreportviewers
6. Click Add.
Confirm that the contents of the crystalreportviewers directory are listed in the GUI.
7. Click OK.
8. Right-click JAR files and select Add.
9. Select the jars directory from the Crystal installation directory. It is usually located at:
C:\Program Files\Common Files\Crystal Decisions\2.0\jars
10. Select all the .jar files.
11. Click Add.
Confirm that the contents of the jars directory are listed in the GUI.
12. Click OK.
13. Click Apply.
14. Click the top-level node of the tree on the left.
15. Edit the Classpath field to contain the following (entered on a single line):
WEB-INF/lib/rascore.jar;WEB-INF/lib/rasapp.jar;WEB-INF/lib/webreporting.jar;WEB-INF/lib/WebReportingWizard.jar;WEB-INF/lib/Serialization.jar;WEB-INF/lib/MetafileRenderer.jar;WEB-INF/lib/ReportTemplate.jar;WEB-INF/lib/CorbaIDL.jar;WEB-INF/lib/OBBiDir.jar;WEB-INF/lib/OBEvent.jar;WEB-INF/lib/OBIMR.jar;WEB-INF/lib/OBNaming.jar;WEB-INF/lib/OBProperty.jar;WEB-INF/lib/OBTime.jar;WEB-INF/lib/OBUtil.jar;WEB-INF/lib/reportsourcefactory.jar
16. Click Apply.
17. Save the module as a .war file.
Deploying the .war file from the WebSphere administrative console:
1. Start the WebSphere server.
2. Open the WebSphere administrative console:
http://machine-name:9090/admin/
3. In the console, select:
Applications > Install New Application
4. If you are installing from a machine other than the server, select the local path; otherwise select the server path and locate the file on the server.
5. Select the .war file created above.
6. Specify the context root as:
/crystalreportviewers
7. Keep the default values and specify the application name as:
crystalreportviewers
8. Click Finish.
9. Click Save to Master Configuration.
10. Click Save.
11. In the tree on the left, expand Environment.
12. Select Update Web Server Plugin.
13. Click OK on the right.
14. Restart the WebSphere application server.
2c. Tivoli Identity Manager server (Windows, WebLogic) configuration
Perform the following steps to configure Tivoli Identity Manager with WebLogic application server on a Windows machine:
1. From the RAS installation directory, copy the .jar files (except OB405.jar, ebus405.jar and xerces.jar) to the following WebLogic directory:
ITIM_HOME\lib
These .jar files are usually found in the following directory:
C:\Program Files\Common Files\Crystal Decisions\2.0\jars
Note: Do not overwrite the xerces.jar that is already in the target directory, and do not copy OB405.jar and ebus405.jar into it. OB405.jar and ebus405.jar belong to the Crystal Report Application Server and remain in the Crystal installation directory.
2. Edit ITIM_HOME\data\crystal.properties and update the following entries:
• crystalras: set this to the RAS server
• dsn: set this to the DSN defined earlier
• database: set this to the Tivoli Identity Manager database
3. Restart the Tivoli Identity Manager server.
WebLogic configuration:
The following instructions deploy the crystalreportviewers directory on WebLogic 7.0.
1. Under BEA_HOME\user_projects\itim\applications, create the DefaultWebapp_myserver subdirectory.
2. Copy crystalreportviewers from the Crystal installation directory into this directory. The Crystal installation directory is:
C:\Program Files\Common Files\Crystal Decisions\2.0
3. Start the WebLogic server.
4. Open the WebLogic console:
http://machine-name/console
5. Log in as "system" with the password. The default password is "enrole".
6. Expand the following nodes of the tree:
itim > Deployments > Web Applications > DefaultWebapp_myserver
7. Click the Targets tab.
8. If myserver appears in the Available list, click the arrow button to move it to the Chosen list.
9. Click Apply.
2d. Tivoli Identity Manager (UNIX, WebLogic) configuration
Perform the following steps to configure Tivoli Identity Manager with WebLogic application server on a UNIX machine:
1. From the RAS installation directory, copy the .jar files (except OB405.jar, ebus405.jar and xerces.jar) to the following WebLogic directory:
ITIM_HOME/lib
These .jar files are usually found in the following directory:
C:\Program Files\Common Files\Crystal Decisions\2.0\jars
Note: Do not overwrite the xerces.jar that is already in the target directory, and do not copy OB405.jar and ebus405.jar into it. OB405.jar and ebus405.jar belong to the Crystal Report Application Server and remain in the Crystal installation directory.
2. Edit ITIM_HOME/data/crystal.properties and update the following entries:
• crystalras: set this to the RAS server
• dsn: set this to the DSN defined earlier
• database: set this to the Tivoli Identity Manager database
3. Restart the Tivoli Identity Manager server.
WebLogic configuration:
The following instructions deploy the crystalreportviewers directory on WebLogic 7.0.
1. Under BEA_HOME/user_projects/itim/applications, create the DefaultWebapp_myserver subdirectory.
2. Copy crystalreportviewers from the Crystal installation directory into this directory. The Crystal installation directory is:
C:\Program Files\Common Files\Crystal Decisions\2.0
3. Start the WebLogic server.
4. Open the WebLogic console:
http://machine-name/console
5. Log in as "system" with the password. The default password is "enrole".
6. Expand the following nodes of the tree:
itim > Deployments > Web Applications > DefaultWebapp_myserver
7. Click the Targets tab.
8. If myserver appears in the Available list, click the arrow button to move it to the Chosen list.
9. Click Apply.
3. Client configuration (Windows platforms only)
The machine that runs the Crystal Reports 9 Designer tool requires the following configuration:
• On the client running the Crystal Reports 9 Designer tool, define a DSN (data source name) that points to the Tivoli Identity Manager database of the Tivoli Identity Manager server. The Designer tool reads table and field information from the Tivoli Identity Manager database, so this connection must exist.
• A user named "enrole" and its password. This user has access to the database tables of the Tivoli Identity Manager server. You can obtain the password from the Tivoli Identity Manager administrator.
Appendix C. Designing Ad-Hoc report filters
Topics:
• "Guidelines for designing filters" on page 131
• "Example reports" on page 132
Guidelines for designing filters
Filters are similar to the SQL statements used to query a database and consist mainly of selection conditions. Filters designed in the report designer are converted to SQL and executed when the report is produced.
The following table lists the relationships between the entities defined in the Tivoli Identity Manager system. Consult this table when you design a report and apply a filter to it. The Filter column lists the correct join conditions that produce correct and meaningful results in the report.
The example reports that follow show how to arrive at these conditions when designing a report.
No.  Entities                                            Filter
1    Person, Account                                     Person.DN = Account.owner
                                                         Account.ParentDN = Person.DN
2    Person, Organization Role                           Person.Organization Roles = Organization Role.DN
3    Person, Organizational Unit                         Person.ParentDN = Organizational Unit.DN
                                                         Organizational Unit.Supervisor = Person.DN
4    Account, Service                                    Account.Service = Service.DN
5    Provisioning Policy, Organization Role              Organization Role.DN = getDN(Provisioning Policy.Policy Membership) **
6    Provisioning Policy, Organizational Unit            Provisioning Policy.Parent DN = Organizational Unit.DN
7    Provisioning Policy, Service                        Service.DN = getDN(Provisioning Policy.Policy Target) **
8    Location, Person                                    Location.Supervisor = Person.DN
9    Business Partner Organization, Person               Business Partner Organization.Sponsor = Person.DN
10   Business Partner Person, Organization Role          Business Partner Person.Organization Roles = Organization Role.DN
11   Organization, Location                              Organization.DN = Location.Parent DN
12   Organization, Organizational Unit,                  Organization.DN = Organizational Unit.ParentDN
     Business Partner Organization                       Organization.DN = Business Partner Organization.ParentDN
13   Organizational Unit, Location                       Organizational Unit.Parent DN = Location.DN
                                                         Location.Parent DN = Organizational Unit.DN
14   Organizational Unit, Business Partner Organization  Organizational Unit.Parent DN = Business Partner Organization.DN
                                                         Business Partner Organization.Parent DN = Organizational Unit.DN
15   Location, Business Partner Organization             Location.Parent DN = Business Partner Organization.DN
                                                         Business Partner Organization.Parent DN = Location.DN
16   Service, Person                                     Service.Account Owner = Person.DN
17   SQL2000Account, Service                             SQL2000Account.Service = Service.DN
18   ITIMAccount, ITIM Service                           ITIMAccount.Service = ITIMService.DN
19   Entitlement, Service                                Service.DN = Entitlement.Service Target Name
20   ProvisioningPolicy, Entitlement                     ProvisioningPolicy.DN = Entitlement.DN
21   ACI, ACI Principals                                 ACI.DN = ACI Principals.DN
                                                         AND ACI.Name = ACI Principals.Name
                                                         AND ACI.Target = ACI Principals.Target
22   ACI, ACI Permission ClassRight                      ACI.DN = ACI Permission ClassRight.DN
                                                         AND ACI.Name = ACI Permission ClassRight.Name
                                                         AND ACI.Target = ACI Permission ClassRight.Target
23   ACI, ACI Permission AttributeRight                  ACI.DN = ACI Permission AttributeRight.DN
                                                         AND ACI.Name = ACI Permission AttributeRight.Name
                                                         AND ACI.Target = ACI Permission AttributeRight.Target
24   ACI, ACI Role DNs                                   ACI.DN = ACI Role DNs.DN
                                                         AND ACI.Name = ACI Role DNs.Name
                                                         AND ACI.Target = ACI Role DNs.Target
25   ACI, Organizational Unit                            ACI.DN = Organizational Unit.DN
Note:
** getDN is a function provided by the Ad-Hoc report designer. It extracts the DN from a value in the following format:
<number>;<dn>
For example, the values in the ProvisioningPolicy.Policymembership column have the form:
<number>;<dn>
The getDN function is used to obtain the DN from such a value. The following is an example of a filter that uses it:
Organization Role.DN = getDN(ProvisioningPolicy.Policymembership)
Example reports
The following describes the mechanism used when designing filters. It is an example that uses sample data to illustrate how filters are designed, and it shows the relationships between the different tables involved.
Using functions in reports
You can use functions in the columns of a report design. The following predefined functions are available:
Upper   Converts the given value to uppercase.
Lower   Converts the given value to lowercase.
GetDN   Extracts the DN from a value in the following format:
<number>;<dn>
For example, the values in the ProvisioningPolicy.Policymembership column have the form:
<number>;<dn>
The getDN function is used to obtain the DN from such a value. The following is an example of a filter that uses it:
Organization Role.DN = getDN(ProvisioningPolicy.Policymembership)
Specifying join conditions in the report designer
When you design a report with the report designer, specify a filter; otherwise running the report produces data you do not want.
The following is an example:
Account report
(Accounts on ITIMService)
Design the report as follows:
• Report columns: Account.Userid, ITIM.ServiceName
• Filter: none
Suppose that:
• User1 has accounts on ITIMService1 and ITIMService2
• User2 has an account on ITIMService3
The result is as follows:
User1 ITIMService1
User1 ITIMService2
User1 ITIMService3
User2 ITIMService1
User2 ITIMService2
User2 ITIMService3
This is the Cartesian product of the two tables.
To obtain the correct result, specify a join condition that defines the relationship between the two tables.
The join condition is as follows:
• Filter: Account.Service = ITIM.DN
This filter produces the following result:
User1 ITIMService1
User1 ITIMService2
User2 ITIMService3
Person-role report
(People associated with a role)
Design the report as follows:
• Report columns: Person.FullName, OrganizationRole.Name
• Filter: OrganizationRole.Name = '_USERINPUT_'
Suppose that:
• Person1 has the role Role1
• Person2 has the role Role2
If "Role1" is entered when the report is produced, the result is:
Person1 Role1
Person2 Role1
To make the report produce the correct result, use the following filter:
Person.OrganizationRoles = OrganizationRole.DN AND OrganizationRole.Name = '_USERINPUT_'
If "Role1" is entered when the report is produced, the result is:
Person1 Role1
This filter works because the "Organization Roles" attribute of the Person entity contains the DNs of the roles. Note also that this attribute is multi-valued, that is, in the table a person can have several roles.
Person-account report
(Accounts belonging to a person)
Design the report as follows:
• Report columns: Person.FullName, Account.AccountStatus
• Filter: none
This report produces the Cartesian product of the Person and Account tables.
The following join condition specifies the relationship between the Person and Account tables:
Account.ParentDN = Person.DN
This filter works because Tivoli Identity Manager stores the person DN in the "ParentDN" attribute of the account.
Appendix D. Designing Crystal Report filters
Topics:
• "Guidelines for designing filters" on page 137
• "Example reports" on page 139
Guidelines for designing filters
Filters are similar to the SQL statements used to query a database and consist mainly of selection conditions. Filters designed in the Crystal Report Designer are converted to SQL and executed when the report is produced.
The Crystal Report Designer selects the report tables from the database schema, which holds the tables produced by data synchronization. When selecting tables, note the following:
• The following convention is used for table names:
<ENTITY_NAME>_<ATTRIBUTE_NAME>
Here, however, <ATTRIBUTE_NAME> is not the display name shown in Tivoli Identity Manager but the attribute's schema name. For example, cn corresponds to the display name.
• The following convention is used for column names in the synchronized data:
<ENTITY_NAME>_<ATTRIBUTE_NAME>
However, an Oracle database does not allow identifier names longer than 30 characters, so the names of the tables produced by data synchronization cannot exceed 30 characters. If a name would exceed 30 characters, the table name is formed as follows:
first 22 characters of ( <ENTITY_NAME>_<ATTRIBUTE_NAME> ) + <ID>
This structure ensures that no table name exceeds 30 characters. Because table names may be encoded in this way, check the table list in the report designer and select the tables from it.
• Do not select any of the USER_<ENTITY> tables in the database schema. These tables contain ACI information and are not intended for use in reports.
The following table lists the relationships between the entities defined in the Tivoli Identity Manager system. Consult this table when you design a report and apply a filter to it. The Filter column lists the correct join conditions that produce correct and meaningful results in the report.
No.  Entities                                  Filter
1    Person, Account                           Person.DN = Account.owner
                                               Account.erparent = Person.DN
2    Person_erroles, DefaultRole               Person_erroles.erroles = DefaultRole.DN
3    Person, OrganizationalUnit                Person.ParentDN = OrganizationalUnit.DN
                                               OrganizationalUnit.ersupervisor = Person.DN
4    Account, Service                          Account.erservice = Service.DN
5    ProvisioningPolicy, Organizational Role   ProvisioningPolicy.erparent = OrganizationUnit.DN
6    Location, Person                          Location.ersupervisor = Person.DN
7    BPOrganization, Person                    BPOrganization.ersponsor = Person.DN
8    BPPerson, DefaultRole                     BPPerson.erroles = DefaultRole.DN
9    Organization, Location                    Organization.DN = Location.erparent
10   Organization, OrganizationalUnit          Organization.DN = OrganizationUnit.erparent
11   Organization, BPOrganization              Organization.DN = BPOrganization.erparent
12   OrganizationalUnit, Location              OrganizationalUnit.erparent = Location.DN
                                               Location.erparent = OrganizationalUnit.DN
13   OrganizationalUnit, BPOrganization        OrganizationalUnit.erparent = BPOrganization.DN
                                               BPOrganization.erparent = OrganizationalUnit.DN
14   Location, BPOrganization                  Location.erparent = BPOrganization.DN
                                               BPOrganization.erparent = Location.DN
15   Service, Person                           Service.owner = Person.DN
16   SQL2000Account, Service                   SQL2000Account.erservice = Service.DN
17   ITIMAccount, ITIM Service                 ITIMAccount.erservice = ITIMService.DN
18   Entitlement, Service                      Service.DN = Entitlement.ServiceTargetName
19   ProvisioningPolicy, Entitlement           ProvisioningPolicy.DN = Entitlement.DN
20   ACI, ACI_Principals                       ACI.DN = ACI_Principals.DN
                                               AND ACI.Name = ACI_Principals.Name
                                               AND ACI.Target = ACI_Principals.Target
21   ACI, ACI_Permission_ClassRight            ACI.DN = ACI_Permission_ClassRight.DN
                                               AND ACI.Name = ACI_Permission_ClassRight.Name
                                               AND ACI.Target = ACI_Permission_ClassRight.Target
22   ACI, ACI_Permission_AttributeRight        ACI.DN = ACI_Permission_AttributeRight.DN
                                               AND ACI.Name = ACI_Permission_AttributeRight.Name
                                               AND ACI.Target = ACI_Permission_AttributeRight.Target
23   ACI, ACI_RoleDNS                          ACI.DN = ACI_RoleDNS.DN
                                               AND ACI.Name = ACI_RoleDNS.Name
                                               AND ACI.Target = ACI_RoleDNS.Target
Note:
Display name in Tivoli Identity Manager   Entity name
Organizational role                       DefaultRole
Business partner organization             BPOrganization
Business partner person                   BPPerson
Example reports
The following describes the mechanism used when designing filters. It is an example that uses sample data to illustrate how filters are designed, and it shows the relationships between the different tables involved.
Specifying join conditions in the report designer
When you design a report with the report designer, specify a filter; otherwise running the report produces data you do not want.
The following is an example:
Account report
(Accounts on ITIMService)
Design the report as follows:
• Report columns: Account.eruid, ITIM.Service.erservicename
• Filter: none
Suppose that:
• User1 has accounts on ITIMService1 and ITIMService2
• User2 has an account on ITIMService3
The result is as follows:
User1 ITIMService1
User1 ITIMService2
User1 ITIMService3
User2 ITIMService1
User2 ITIMService2
User2 ITIMService3
This is the Cartesian product of the two tables.
To obtain the correct result, specify a join condition that defines the relationship between the two tables.
The join condition is as follows:
• Filter: Account.Service = ITIMService.DN
This filter produces the following result:
User1 ITIMService1
User1 ITIMService2
User2 ITIMService3
Person-role report
(People associated with a role)
Design the report as follows:
• Report columns: Person.cn, DefaultRole.Name
• Filter: DefaultRole.Name = '_USERINPUT_'
Suppose that:
• Person1 has the role Role1
• Person2 has the role Role2
If "Role1" is entered when the report is produced, the result is:
Person1 Role1
Person2 Role1
To make the report produce the correct result, use the following filter:
Person.erroles = DefaultRole.DN AND DefaultRole.Name = '_USERINPUT_'
If "Role1" is entered when the report is produced, the result is:
Person1 Role1
This filter works because the "roles" attribute of the Person entity contains the DNs of the roles. Note also that this attribute is multi-valued, that is, in the table a person can have several roles.
Person-account report
(Accounts belonging to a person)
Design the report as follows:
• Report columns: Person.cn, Account.eraccountstatus
• Filter: none
This report produces the Cartesian product of the Person and Account tables.
The following join condition specifies the relationship between the Person and Account tables:
Account.erparent = Person.DN
This filter works because Tivoli Identity Manager stores the person DN in the "parent DN" (erparent) attribute of the account.
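The example reports of Appendix C and Appendix D, replayed as an added example that is not part of the manual: constructed sample tables (User1/User2, ITIMService1..3, Person1/Person2, Role1/Role2), the getDN() prefix strip, and the Cartesian product versus the join filter, using the Appendix D attribute names (eruid, erservicename, cn, erroles, erparent). The DNs and the Policy Membership value are constructed placeholders, and distinct result rows are assumed (the manual's result listings show no duplicates).

```python
from itertools import product

# Constructed placeholder DNs; nothing here is real Tivoli Identity Manager data.
SVC = {n: f"erglobalid=svc{n},ou=services,dc=example" for n in (1, 2, 3)}
PER = {n: f"erglobalid=per{n},ou=people,dc=example" for n in (1, 2)}
ROLE = {n: f"erglobalid=role{n},ou=roles,dc=example" for n in (1, 2)}

# Sample tables, one dict per row, mirroring the appendix examples.
ITIMSERVICE = [{"DN": SVC[n], "erservicename": f"ITIMService{n}"} for n in (1, 2, 3)]
ACCOUNT = [  # User1 owns accounts on ITIMService1 and 2, User2 on ITIMService3
    {"eruid": "User1", "erservice": SVC[1], "erparent": PER[1], "eraccountstatus": "active"},
    {"eruid": "User1", "erservice": SVC[2], "erparent": PER[1], "eraccountstatus": "suspended"},
    {"eruid": "User2", "erservice": SVC[3], "erparent": PER[2], "eraccountstatus": "active"},
]
PERSON = [  # erroles is multi-valued: one person may hold several role DNs
    {"DN": PER[1], "cn": "Person1", "erroles": [ROLE[1]]},
    {"DN": PER[2], "cn": "Person2", "erroles": [ROLE[2]]},
]
DEFAULTROLE = [{"DN": ROLE[n], "Name": f"Role{n}"} for n in (1, 2)]
PROVISIONINGPOLICY = [  # Policy Membership values have the "<number>;<dn>" form
    {"Name": "Policy1", "PolicyMembership": f"2;{ROLE[1]}"},
]


def get_dn(value):
    """getDN(): return the <dn> part of a "<number>;<dn>" value."""
    number, sep, dn = value.partition(";")
    if not sep or not number.isdigit() or not dn:
        raise ValueError(f"expected '<number>;<dn>', got {value!r}")
    return dn


def run_report(left, right, columns, where=None):
    """Evaluate a two-table report the way the appendices describe it: the
    Cartesian product of both tables, then the WHERE-style filter, then
    distinct rows (assumed). columns = [(side, attribute)], side 0 = left."""
    rows = []
    for lrow, rrow in product(left, right):
        if where is None or where(lrow, rrow):
            row = tuple((lrow, rrow)[side][attr] for side, attr in columns)
            if row not in rows:
                rows.append(row)
    return rows


def account_report(with_join):
    """Account.eruid, ITIMService.erservicename; join: Account.erservice = ITIMService.DN."""
    join = (lambda a, s: a["erservice"] == s["DN"]) if with_join else None
    return run_report(ACCOUNT, ITIMSERVICE, [(0, "eruid"), (1, "erservicename")], join)


def person_role_report(user_input, with_join):
    """Person.cn, DefaultRole.Name; filter DefaultRole.Name = '_USERINPUT_',
    optionally joined on Person.erroles = DefaultRole.DN (multi-valued)."""
    def where(p, r):
        if r["Name"] != user_input:
            return False
        return r["DN"] in p["erroles"] if with_join else True
    return run_report(PERSON, DEFAULTROLE, [(0, "cn"), (1, "Name")], where)


def person_account_report(with_join):
    """Person.cn, Account.eraccountstatus; join: Account.erparent = Person.DN."""
    join = (lambda p, a: a["erparent"] == p["DN"]) if with_join else None
    return run_report(PERSON, ACCOUNT, [(0, "cn"), (1, "eraccountstatus")], join)


def policy_role_report():
    """ProvisioningPolicy.Name, DefaultRole.Name joined through getDN()."""
    return run_report(PROVISIONINGPOLICY, DEFAULTROLE, [(0, "Name"), (1, "Name")],
                      lambda pp, r: get_dn(pp["PolicyMembership"]) == r["DN"])


if __name__ == "__main__":
    for title, rows in [
        ("accounts, no join (Cartesian product)", account_report(False)),
        ("accounts, joined", account_report(True)),
        ("roles, name filter only", person_role_report("Role1", False)),
        ("roles, name filter plus join", person_role_report("Role1", True)),
        ("person-account, joined", person_account_report(True)),
        ("policy-role via getDN", policy_role_report()),
    ]:
        print(title)
        for row in rows:
            print("  ", *row)
```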
Appendix E. Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
The following terms are trademarks of International Business Machines Corporation in the United States, other countries, or both:
AIX
DB2
IBM
IBM logo
SecureWay
Tivoli
Tivoli logo
Universal Database
WebSphere
Lotus is a trademark of Lotus Development Corporation and/or IBM Corporation.
Domino is a trademark of International Business Machines Corporation and Lotus Development Corporation in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States and other countries.
Other company, product, and service names may be trademarks or service marks of others.
Glossary
T
l (subprocess). Qϕ@t@u@y]p@íu@y]pC
u@y (workflow). ÷°⌡µíC
w¿nD (completed requests). wgeX tABwg¿nDC
úe\@ (disallowed action). AªiHwqϕ Tivoli Identity Manager Server obß
HLv ∩AbßA⌡µ@Co
ub∩udhv∩C
ñíΩxsw (central data repository). oΩwiHO²Mxsn²MsMvΩ
AΣñ]Aµ÷M@O²bC
Σ (branch). ≡¼cñC@hAú@ΣC≡¼cñC@ΣAúúPⁿ
XCziH÷@Ulµ ΣΣ[ (+)A°Σ
eC
¡
²AOyÑ (Directory Services MarkupLanguage, DSML). O@ XML Ω@AiHú@
µíAíM@úP²t²AΩTC
@KX (shared secret). @[KAΣO
lKXAs Tivoli Identity Manager tC
oObHΩTⁿJ twqC
Xⁿ (join directive). @WhAoWhiwqϕΓΓHWho≡Ap≤Bz
C
s (access). xsbqútWΩTΩMvC
sεΩT (access control informationAACI). oΩiHO@sDΘsvCt\us
εvC
C
m (location). iH[Jñ@lqΩΘCq
A mOHΦΦíaz mAiµ
zC
@ñbß (active account). @sbBe sΩbßC
@°i (operation report). o≈°iO@¼BΘBnD@AHw∩nD@AC
Tivoli Identity Manager @nDC
OW (alias). @¡AqOⁿ IDC
@HiHnXOWApGGSmith M GWSmithC
tz (system administrator). vstHC
Tivoli Identity Manager tñú@w²tm
uITIM svCouITIM svQ]pnNt
¬sv,¿C¡zuITIM sv¿
Avst\αMΩC
¡Oh (identity policy). Tivoli Identity Manager
twqp≤ ID WhC
K
(user). Pt¼@⌠≤HC
(user interfaceAUI). Pt¼
πeC
W (user name). st IDC
o ID ]iHw∩tOAB²t
bUñΓM ITIM sñ¿ΩµAMw
svC
°i (user report). o≈°iOΘBnD@Hw∩nD@ACX Tivoli Identity
Manager @C
O (user class). @ LDAP OAp
inetorgperson BPPersonC
(provision). iH]wM@∩tsvC
h (provisioning policy). ohiHwqUⁿzAsvAp Tivoli Identity Manager @
tCsv,HAHñΓ
[H,Csv]iHSO,úO⌠≤ñΓ¿
HC
eú (delegate). oHQⁿútdπt@nDAw∩t@nDúΩTC
tbß (orphanAorphan account). ΩbßAbßb Tivoli Identity Manager tñ Lk
PwC
A (service). ⌡µ°A÷nΘñDn\α
íC
A∩h (service selection policy). bh
ñAtdMwn@A JavaScript LoC
D@ñbß (inactive account). sb≤tñA²ebß úbñbßC
E
Mµ (to do list). ⁿú¿@MµC
d (query). ¡ε@p¼]ΦkC
nD (request). O Tivoli Identity Manager tñAn
DπΩT@@C
nD (requestor). eXnDHC
nDΩT (request for information, RFI). bz¡
OAVⁿwPnDΣLΩT@Aobu
@yO@nBJC
¡ε (constraint). h¡εC
Q
HΩT (personal information). HΩTCoΩTiH]tm≤BWrBϕaaBq XBq
lHcaB XMÑC
h (policy). b Tivoli ñA@M≤ⁿzΩW
hC±ΦíAhiHM KXAM Q
nsΩC
hIµ (policy enforcement). Tivoli Identity Manager
tⁿúⁿH8hºbΦíC
Q@
P (participant). b¡zñAvw∩zLu@yeXnDXHCPiQ°H
ñΓAQq JavaScript Script [HOC
µ (business unit). ñ@lqΩΘC
±H (business partner person). ±ñ@HC
± (business partner organization). iH
[Jñ@lqΩΘCq±O
O]HBΣLúOu²iαnq
ΩsvHsC
KX (password). bqúM⌠⌠wñAΘJHtOSwrΩAªiH²stA
HxsbΣñΩC
KXh (password policy). wqKXXº]wWhAp°AHe\Múe\r%
¼C
KX¡ (password expiration period). bjó≤∩KXºeAªα≈h[C
bß (account). wqnJΩTMsεΩT
C
bß°i (account report). o≈°iCXHΣ÷bßAHbßOµhC
ε¼ (control type). Java ¼O@ΩAN
ϕWµ ¼C
v (authorization). bqúwñA,qútPqútqTv¡C,∩½
≤BΩτπ¡svC
jíwtúOΓBJC@Ñq
OOATwNOLnHCGÑqO
vAe\o¡sUΩC
v (authorization owner). oO@s
ALiHbΣµ ⌠wqñAwqs
εΩT (ACI)C
(organization). b¡zñAWMΩDΘC÷MºíiH@ΩA²ºí
πXhoϕCCqNOⁿqC
ñΓ (organizational role). b¡zñAMwvsUⁿzΩºh¿ΩµC
µ (organizational unit). ñMΩDΘAtdNhiHzsCu
αⁿú@µ CΩ]uαⁿú@µ
]úDªQwqqC
≡ (organization tree). ÑhícAiúΦíBsMxsΩTC
Q°i (rejected report). o≈°iOΘBnD@Hw∩nD@ACFQn
DC
QnD (requestee). nDOw∩oHeXC
QG
ú%¡ε (escalation limit). biµú7@ºeAP∩nDXq]ΘBBϕC
ú%P (escalation participant). b¡zñAvbⁿwú7íA∩≤PSnDX
HCú7PiQ°HñΓAQ
q JavaScript Script [HOC
ú DSML ¡ (DSML identity feed). Tivoli Identity
Manager Tw]A¼Σñ@C
ú DSML ¡AiqHOΩΩwAN
ΩJ Tivoli Identity Manager ²ñABNΩT
m≤ Tivoli Identity Manager ²UCoAiHQU
C@Φk¼ΩTG@YNQRúq
C
ú HR (HR feed). Tivoli Identity Manager tqH
OΩΩwJΩC
uú DSML ¡vC
QT
Ω (resource). Tivoli nΘzwΘBnΘ
ΩΩΘCt\uⁿzΩvC
Ωz (resource provisioning management,rpm). XTDn%]ΦBu@yzHeNzízhAtdñzvsΩT
MΩºC
qlϕµ (electronic form). qlϕµO@dAiHw∩nDsvwqC
Q
ΩΘ (entity). 1) ⁿH½≤AΩTNOw∩oH½
≤xsC
2) Tivoli Identity Manager tUC@OG
v Person
v BPPerson
v Organization
v BPOrganization
(supervisor). Tivoli Identity Manager tñA
Qⁿúµ HC
zΓ (admin domain). btvhBABACI
Ñ Tivoli Identity Manager tñAYΣñ@
íCC@zΓúiαzLkz°Σ
LzΓhBABACIC
(credential). e\sbß ID M
KXΩTC
Γz (domain administrator). oziHwqMzbΣzΓΩΘBhBABu@
ywqBñΓHA²u¡≤LvzΓ
d≥C
Q¡
fO² (audit trail). qútbYqñµ÷O
²C
oε (de-provision). úA%≤C±ΦíAoεbßOⁿqΩRúYbßC
(digital certificate). FwúqlTº≤C
(suspend). °bßA²bß LknJΩ@C
Ld (challenge response). oO@OΦkAªnDbnJ⌠⌠AúMΩTτ¡A
∩úXC
d≥ (scope). hαvTd≥C
qd≥Owqµ@l≡CpGd≥Qwqµ@d
≥AhhuvTwqªP@ΣñΩΘCpGd
≥Qwql≡Ahhú²vTwqªΣA
vTΣL≤hIΣΣC
(reconciliation). ±ñíΩxswMⁿzNztΩTAHOΓºítºC
°i (reconciliation report). o≈°iCFqW@⌡µºßAΣ tbßC
Q
zñ& (Certificate Authority). tdoX
CzñO ¡H
vABoXsB≤sAH
oεúAvªC
(owner). Tivoli Identity Manager tñ bß
AHC
RAñΓ (static organizational role). uαHΓΦíⁿúñΓC
QC
ovQ (entitlement). bwzñANϕhΩTΩcBAMµC
mnD (pending request). wgeX tA².¿nDC
(restore). ½sbßC
QE
Wv¡ (signature authority). ov¡iHπeX u@ynDCsOQ
ⁿúu@y]pñPú7PAQ,
Wv¡C
÷Σr (keyword). bjM@ñAOh
C
GQ@
⌡µΦí (attribute enforcement). tzwqbßHwqºC
GQG
O (authentication). OH¡ (qO
WMKX[HO) CbwtñAOPv
OIMúPAvOⁿH¡Aw∩H,t
½≤svCOuOTwoHNOLn
¡A².ú ÷≤HsvΩTHC
A
ACI (ACI target). ACI εΩΘC
ACI I (ACI origin). ACI º≡¼cñ
ΣC
I
ITIM s (ITIM group). Tivoli Identity Manager °A
ñsC
tsMziHw∩ ITIM scA²OA
²π ITIM bßAαⁿú ITIM sCu
noHπF ITIM bßALNO@ ITIM A
iH[J ITIM sC
S
Secure Socket Layer (SSL). zL⌠ ⌠⌠ΘpKσ≤qT≤wCSSL kOQpK≈ANzL
SSL suαeΩ[KC
T
Tivoli Identity Manager Nzí (Tivoli IdentityManager Agent). ⁿztM Tivoli Identity
Manager °Aºíz¼Cªϕ≤HΩ z
ABOα½nD½n%≤AiHúU
twtmsvC
Tivoli Identity Manager °A (Tivoli Identity ManagerServer). Q]pníph¼MΦnΘMAM≤C
HñσrAσrASϕº
CC
eTfu@ytmΩT 35
efe
@δ 4
@δΩw 7
H Tivoli Identity Manager GUI [Htm 12
[K 11
² 5
²suΩT 6
w 11
10
ßx 10
ßx 10
íT 5
Oⁿ 8
Oⁿh 8
l 8
KXµ 103
5
Mµjp 10
l≤ 8, 10
Ωw 6
Ωwxs 7
Ω¼sb¡ 5
í°A 5
í°Az 11
LDAP suxs 6
SMTP 10
Web °A 9
e
Mµ 3
Re 45
CustomLabels.properties 71
enRoleAuthentication.properties 47
enRoleDatabase.properties 50
enRoleLDAPConnection.properties 54
enRoleLogging.properties 57, 101
enRoleMail.properties 60
enrolepolicies.properties 62
enroleworkflow.properties 64
enRole.properties 103
fesiextensions.properties 66
UI.properties 68
Σ, p vii
σ≤
suW vii
≤Uuπ vii
÷ v, vi
IBM DB2 vi
IBM Directory Server vi
IBM HTTP Server vi
Oracle vi
SQL Server 2000 vi
Sun ONE Directory Server vi
Web Proxy °A vi
WebLogic Application Server vi
WebSphere Application Server vi
WebSphere Embedded Messaging Σ vi
Θx 8
e¡f[KΩT 33
nΘ
σ≤ v
e f@KXVX 42
w 11
qO≈ε, tm 48
eCf°A
Web 9, 10
OΘΩT 24
te
Fe 14, 46
u@ytmΩT 35
[KΩT 33
@KXVX 42
OΘΩT 24
ttmí 34
nDz UI tm 44
KXµ÷°]w 30
ΩT 29
l≤Atm 39
TΩT 25
w] Tenant ΩT 22
ΩT 40
í°AΩT 21
enRole.properties 13
te ( ≥)
LDAP °AΩT 23
LDAP suxsΩT 32
SSL VOe 43
WebLogic Mtm 15
WebSphere Mtm 18
XML M DTD ΩT 31
ttmuπ
u@δv
ΩTµ 5
í 4
í°AΩT 5
u²v
²°AsuΩTµ 6
í 5
LDAP suxsΩTµ 6
uwv
í 11
uOⁿv
uOⁿhvµ 8
ulº¼pvµ 8
í 8
UNIX ¼ 3
Windows ¼ 4
ul≤v
D≈ΩTµ 10
ul≤ΩTvµ 10
í 8
uWeb °AΩTvµ 9
uΩwv
@δΩwΩTµ 7
ΩwxsΩTµ 7
í 6
í 2
sΦte 2
UI
ußxvµ 10
ußxvµ 10
uMµjpvµ 10
í 10
ttmí 34
eKf≤Uuπ, σ≤ vii
eEfíT 5
÷σ≤ v, vi
nDz UI tm 44
eQfy
nΘ v
suW vii
≤Uuπ vii
D vii
÷ vi
IBM DB2 vi
IBM Directory Server vi
IBM HTTP Server vi
Oracle vi
SQL Server 2000 vi
Sun ONE Directory Server vi
Tivoli Identity Manager v
Web Proxy °A vi
WebLogic Application Server vi
WebSphere Application Server vi
WebSphere Embedded Messaging Σ vi
Oⁿ
[í
k 102
d 102
u² 102
qll≤q 101
tmqO≈ε 48
eQ@fKX
rσ 105
KXµ÷°]w 30
ΩT 29
Θr viii
Θr viii
eQGf°ií°A (RAS) 123
ÑerΘ viii
l≤Atm 39
±í SSL 74
eQTfTΩT 25
Re 45
CustomLabels.properties 71
enRoleAuthentication.properties 47
enRoleDatabase.properties 50
enRoleLDAPConnection.properties 54
enRoleLogging.properties 57
enRoleMail.properties 60
enrolepolicies.properties 62
enroleworkflow.properties 64
Re ( ≥)
fesiextensions.properties 66
UI.properties 68
Ωw
@δΩT 7
tme 7
í 7
xs 7
Ω¼sb¡ 5
qll≤T
qd 101
q 101
w] Tenant ΩT 22
eQfD, ñ vii
eQ¡fΩT 40
, úbß 105
eQ f (SSL)
Dnµí 74
Nzíl SSL 86
ú JNDI 86
ADK ¼Nzí 86
IDI ¼Nzí 86
°A Nzí SSL 83
µV SSL 84
CertTool 84, 85
pK≈M 74
tm 73
tmNzí 85
tmKn 76
º[ 73
zñ (CA) 77
nD (CSR) 77
s²∩ Web °A SSL (WebLogic) 81
s²∩ Web °A SSL (WebSphere) 77
iKeyman í 77
SSL Ω@ 74
zñ (CA) 77
nD (CSR) 77
q
eqll≤ 102
tm 101
eQCfí°AΩT 21
pΣ vii
eGQGfO≈ε, tmq 48
eGQ¡f[ v
AACI Synchronizer
²°A changelog 108
w 107
wb WebLogic/UNIX 113
wb WebLogic/Windows 115
wb WebSphere/UNIX 109
wb WebSphere/Windows 111
107
]ⁿOµí 118
]íí 117
CCA]zñ 77
CertTool 84, 85, 86
changelog 108
Crystal Reports 121
tm 123
Bzy 122
RAS]°ií°A 123
CSR]nD 77
CustomLabels.properties 71
EenRoleAuthentication.properties 47
tmqO≈ε 48
enRoleDatabase.properties 50
enRoleLDAPConnection.properties 54
enRoleLogging.properties 57
enRoleMail.properties 60
enrolepolicies.properties 62
enroleworkflow.properties 64
enRole.properties 13
u@ytmΩT 35
[KΩT 33
@KXVX 42
OΘΩT 24
ttmí 34
nDz UI tm 44
KXµ÷°]w 30
ΩT 29
l≤Atm 39
TΩT 25
w] Tenant ΩT 22
enRole.properties ( ≥)
ΩT 40
í°AΩT 21
LDAP °AΩT 23
LDAP suxsΩT 32
SSL VOe 43
WebLogic Mtm 15
WebSphere Mtm 18
XML M DTD ΩT 31
Ffesiextensions.properties 66
GGSKit (IBM Global Security Toolkit) 74
GUI
q
r¼ 99
Γm 99
100
Mµπe 100
x 99
IIBM DB2 σ≤ vi
IBM Directory Integrator (IDI) 86
IBM Directory Server
σ≤ vi
IBM Global Security Toolkit (GSKit) 74
IBM HTTP Server
σ≤ vi
IDI (IBM Directory Integrator) 86
iKeyman 86
iKeyman í 77
LLDAP °AΩT 23
LDAP suxs
Wqp 6
xsjpW¡ 6
xsljp 6
LDAP suxsΩT 32
LDIF
KXrσ 105
106
Log4j 57
OOracle σ≤ vi
RRAS]°ií°A 123
RSA SSL-C 74
RSA SSL-J 74
runConfig í 2
sΦte 2
SSQL Server 2000 σ≤ vi
SSL
Dnµí 74
Nzíl SSL 86
ú JNDI 86
ADK ¼Nzí 86
IDI ¼Nzí 86
°A Nzí SSL 83
µV SSL 84
CertTool 84, 85
pK≈M 74
tmNzí 85
tmKn 76
º[ 73
tm 73
zñ (CA) 77
nD (CSR) 77
s²∩ Web °A SSL (WebLogic) 81
s²∩ Web °A SSL (WebSphere) 77
iKeyman í 77
SSL Ω@ 74
SSL VOe 43
Sun ONE Directory Server
σ≤ vi
UUI.properties 68
WWeb Proxy °A
σ≤ vi
Web (Tivoli Identity Manager) 12
WebLogic Application Server σ≤ vi
WebLogic Mtm 15
WebSphere Application Server σ≤ vi
WebSphere Embedded Messaging Σ
σ≤ vi
WebSphere Mtm 18
XXML M DTD ΩT 31
Program Number: 5724–C34
Printed in Denmark by IBM Danmark A/S
SC40-1843-02