Am611 Admin

Tivoli Access Manager for e-business® Version 6.1.1 Administration Guide SC23-6504-01 Tivoli Access Manager for e-business ® Version 6.1.1 Administration Guide SC23-6504-01 Note Before using this information and the product it supports, read the information in Appendix H, “Notices,” on page 379. Edition notice This edition applies to version 6, release 1, modification 1 of IBM Tivoli Access Manager (product number 5724-C87) and to all subsequent releases and modifications until otherwise indicated in new editions. All rights reserved. © Copyright IBM Corporation 1999, 2010. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents About this publication . . . . . . . . ix Intended audience . . . . . . . . . . . . ix Publications . . . . . . . . . . . . . . ix IBM Tivoli Access Manager for e-business library ix Related products and publications . . . . . . xi Accessing terminology online . . . . . . . xii Accessing publications online . . . . . . . xii Ordering publications . . . . . . . . . . xii Accessibility . . . . . . . . . . . . . . xiii Tivoli technical training . . . . . . . . . . xiii Tivoli user groups . . . . . . . . . . . . xiii Support information . . . . . . . . . . . xiii Conventions used in this publication . . . . . xiv Typeface conventions . . . . . . . . . . xiv Operating system-dependent variables and paths . . . . . . . . . . . . . . . xiv Web Portal Manager common tasks . . . . Starting Web Portal Manager . . . . . Logging in and signing off . . . . . . Accessing online help . . . . . . . . Customizing the Web Portal Manager interface Customizing the images . . . . . . . Self-registration tasks . . . . . . . . . Performing self-registration . . . . . . Changing Java Server Pages . . . . . . . . . . . . . . . . . . . . . . . . 26 26 27 27 28 28 28 28 29 Chapter 3. Tivoli Access Manager administration . . . . . . . . . . . 33 Domains . . . . . . . . . . . . Protected object space . . . . . . . . Users and groups . . . . . . . . . Security policy . . . . . . . . . . ACL policies . . . . . . . . . . . Using ACL policies with the authorization Evaluating ACL policies . . . . . . Protected object policies . . . . . . . Authorization rules . . . . . . . . . How authorization rules differ . . . . When to use authorization rules . . . Guidelines for a secure object space . . . . . . . . . . . . . . . . . . service . . . . . . . . . . . . . . . . . . 33 34 36 37 38 38 39 40 40 40 41 41 Chapter 1. Tivoli Access Manager overview . . . . . . . . . . . . . . 1 Core technologies. . . . . . . . . . . . Authentication. . . . . . . . . . . . Authorization . . . . . . . . . . . . Quality of Protection. . . . . . . . . . Scalability . . . . . . . . . . . . . Accountability . . . . . . . . . . . . Centralized management . . . . . . . . Security policy overview . . . . . . . . . Authorization API standard . . . . . . . . Authorization: conceptual model . . . . . . The benefits of a standard authorization service Tivoli Access Manager authorization service overview . . . . . . . . . . . . . Tivoli Access Manager authorization service . . . Components . . . . . . . . . . . . Authorization service interfaces . . . . . Replication for scalability and performance . . Implementing a network security policy . . . . Defining and applying security policy . . . The authorization process: step-by-step . . . Tivoli Access Manager authorization API . . . Using the authorization API: examples . . . Authorization API: remote cache mode . . . Authorization API: local cache mode . . . . External authorization capability . . . . . . Extending the authorization service . . . . Imposing conditions on resource requests . . The authorization evaluation process . . . . Implementing an external authorization service Deployment strategies . . . . . . . . . . . . . . . . . . . . 1 2 2 2 3 4 4 5 5 6 7 Chapter 4. Default security policy . . . 43 Default administration users and groups . . . . 43 iv-admin group . . . . . . . . . . . . 43 sec_master user . . . . . . . . . . . . 43 ivmgrd-servers group . . . . . . . . . . 43 Administration users . . . . . . . . . . 43 Defining and applying security policy . . . . . 45 ACL policies . . . . . . . . . . . . . 45 Protected object policies . . . . . . . . . 45 Authorization rules . . . . . . . . . . . 46 Sparse security policy model . . . . . . . . 47 Security policy inheritance . . . . . . . . 47 default-root ACL policy . . . . . . . . . 48 Control permission . . . . . . . . . . . 48 Traverse permission . . . . . . . . . . 48 Resolving an access request . . . . . . . . 49 Applying ACL policies to different object types 50 ACL policy inheritance example . . . . . . 50 Default ACL policies . . . . . . . . . . . 51 default-root ACL policy . . . . . . . . . 51 default-management ACL policy . . . . . . 52 default-replica ACL policy . . . . . . . . 52 default-config ACL policy . . . . . . . . 52 default-gso ACL policy . . . . . . . . . 52 default-policy ACL policy . . . . . . . . 52 default-domain ACL policy . . . . . . . . 53 default-proxy ACL policy. . . . . . . . . 53 /Management permissions . . . . . . . . . 53 /Management/ACL permissions . . . . . . 53 /Management/Action permissions . . . . . 54 . 8 . 9 . 9 . 10 . 10 . 11 . 11 . 13 . 14 . 14 . 15 . 16 . 17 . 17 . 18 . 18 20 . 20 Chapter 2. Web Portal Manager . . . . 23 Types of administration Delegate administration Self-care . . . . Self-registration . . . . tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 25 26 26 © Copyright IBM Corp. 1999, 2010 iii /Management/POP permissions . /Management/Server permissions. /Management/Config permissions /Management/Policy permissions . /Management/Replica permissions /Management/Users permissions . /Management/Groups permissions /Management/GSO permissions . /Management/Rule permissions . /Management/Domain permissions /Management/Proxy permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 55 55 56 56 56 57 58 58 59 59 Chapter 5. Managing domains. . . . . 61 Logging in to domains . . Creating a domain . . . . Modifying the description for Listing domains . . . . . Deleting a domain . . . . . . . . a domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 61 62 63 64 Removing ACL entries from an ACL policy. . . Managing extended attributes in ACL policies . . . Creating extended attributes for an ACL policy Modifying extended attributes from an ACL policy . . . . . . . . . . . . . . . Listing extended attributes of an ACL policy . . Viewing extended attributes of an ACL policy . . Deleting extended attributes from an ACL policy Deleting extended attribute values from an ACL policy . . . . . . . . . . . . . . . Managing action groups . . . . . . . . . . Creating action groups . . . . . . . . . Listing action groups . . . . . . . . . . Deleting an action group . . . . . . . . . Managing actions . . . . . . . . . . . . Creating actions in an action group . . . . . Listing actions in an action group . . . . . . Deleting actions from an action group . . . . 91 92 92 93 93 94 94 95 95 96 96 97 97 97 98 98 Chapter 6. Managing object spaces . . 65 Creating an object space Listing object spaces . Copying an object space Importing object spaces Exporting object spaces Deleting an object space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 67 67 68 68 69 Chapter 9. Protected object policy management. . . . . . . . . . . . 101 Managing protected object policies . . . . . Creating a POP . . . . . . . . . . . Modifying a POP . . . . . . . . . . Listing POPs . . . . . . . . . . . Viewing a POP . . . . . . . . . . . Cloning a POP . . . . . . . . . . . Importing POPs . . . . . . . . . . Exporting all POPs . . . . . . . . . Export a single POP . . . . . . . . . Exporting multiple POPs . . . . . . . Attaching a POP to an object . . . . . . Detaching a POP from an object . . . . . Locating where a POP is attached . . . . Deleting a POP . . . . . . . . . . . Network-based authorization algorithm . . . Network-based authorization policy . . . . . Configuring POP attributes . . . . . . . . Setting a warning mode . . . . . . . . Setting an audit level . . . . . . . . . Setting a time-of-day restriction . . . . . Specifying IP addresses and ranges . . . . Setting a Quality of Protection level . . . . Step-up authentication . . . . . . . . . Configuring levels for step-up authentication Applying step-up authentication policy. . . Distinguishing step-up from multi-factor authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 102 104 105 105 106 106 107 107 107 108 108 109 109 110 110 111 111 111 112 113 114 114 115 . 115 Chapter 7. Managing protected objects Creating an object Listing objects . Importing objects Exporting objects Deleting an object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 71 73 73 74 74 Chapter 8. Managing access control . . 77 ACL policies . . . . . . . . . . . . . ACL entries . . . . . . . . . . . . . Type attribute . . . . . . . . . . . ID attribute . . . . . . . . . . . . Permissions attribute . . . . . . . . . Action groups and actions . . . . . . . . Default permissions in the primary action group Custom permissions in custom action groups . Managing ACL policies . . . . . . . . . Creating an ACL policy . . . . . . . . Modifying the description of an ACL policy . Listing ACL policies . . . . . . . . . Viewing an ACL policy . . . . . . . . Cloning an ACL policy . . . . . . . . Importing ACL policies . . . . . . . . Exporting all ACL policies . . . . . . . Exporting a single ACL policy . . . . . . Exporting multiple ACL policies . . . . . Attaching an ACL policy to an object . . . . Detaching an ACL policy from an object. . . Locating where an ACL policy is attached . . Deleting an ACL policy . . . . . . . . Managing ACL entries in ACL policies . . . . Creating an ACL entry . . . . . . . . Modifying permissions for an ACL entry . . . . . . . . . . . . . . . . . . . . . . . . . . 77 78 79 79 79 80 80 81 83 84 84 85 85 86 86 86 87 87 88 88 89 89 90 90 91 . 116 Chapter 10. Authorization rules management . . . . . . . . . . . . 119 Authorization rules overview . . . Access decision information . . . Sources for retrieving ADI . . . Volatile versus nonvolatile data . Authorization rule language . . . ADI XML document model. . . XML access decision information . Defining an XML namespace . . Authorization rules evaluator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 119 119 121 122 122 124 126 128 iv Administration Guide Format and constraints of rules . . . . . . Examples of authorization rules . . . . . . Methods of providing ADI to the rules evaluator . . . . . . . . . . . . . . Reason codes for rule failures . . . . . . . Configuration file and initialization attributes . . resource-manager-provided-adi . . . . . . dynamic-adi-entitlement-services . . . . . . input-adi-xml-prolog and xsl-stylesheet-prolog [xmladi-attribute-definitions] . . . . . . . Managing authorization rules . . . . . . . . Creating an authorization rule . . . . . . . Modifying an authorization rule . . . . . . Listing authorization rules . . . . . . . . Cloning an authorization rule . . . . . . . Importing authorization rules . . . . . . . Exporting all authorization rules . . . . . . Exporting a single authorization rule . . . . Exporting multiple authorization rules . . . . Attaching an authorization rule to a protected object . . . . . . . . . . . . . . . Detaching an authorization rule . . . . . . Locating where an authorization rule is attached Deleting an authorization rule . . . . . . . 129 131 133 135 135 136 136 136 137 137 138 139 140 140 140 141 141 141 142 143 143 144 Server dependencies . . . . . . . . . Tivoli Access Manager utilities . . . . . . Tivoli Access Manager servers tasks . . . . . Starting and stopping servers on Linux and UNIX operating systems. . . . . . . . Starting and stopping servers on Windows operating systems . . . . . . . . . . Server configuration file tasks . . . . . . . Changing configuration settings . . . . . Automating server startup at boot time. . . Policy server administration tasks . . . . . Replicating the authorization database . . . Using the server replicate command. . . . Setting the number of update-notifier threads Setting the notification delay time . . . . . 169 . 170 . 170 . 170 . . . . . . . 171 172 172 173 174 174 175 175 . 176 Chapter 14. High availability of the policy server. . . . . . . . . . . . 177 Data integrity . . . . . . . . . Primary and replica LDAP servers . . Active and passive policy servers. . . High availability management . . . . Verify the policy server setup for high availability . . . . . . . . . Review log files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 177 177 178 Chapter 11. Managing users and groups . . . . . . . . . . . . . . 145 Managing users . . . . . . Creating a user . . . . . . Listing users. . . . . . . Changing a password . . . Setting user policy. . . . . Setting global user policy . . Importing users . . . . . Deleting a user . . . . . . Managing groups . . . . . . Creating a group . . . . . Listing groups . . . . . . Importing groups . . . . . Deleting a group . . . . . Enabling dynamic group support. LDAP registry . . . . . . Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145 146 147 148 149 151 153 154 154 155 155 156 157 158 158 158 . 178 . 179 Chapter 15. Multiple-tenancy policy server . . . . . . . . . . . . . . 181 Chapter 16. Delegated administration Overview of delegated administration . . . . Delegated role administration . . . . . . . Administrative tasks for roles . . . . . . . Delegated object space management . . . . . Structuring the object space for management delegation . . . . . . . . . . . . Default administration users and groups . . Example of management delegation . . . . Delegated user and group management . . . Creating group container objects . . . . . Creating groups . . . . . . . . . . ACL policies affecting group management. . ACL policies affecting user management . . Security policy for delegated administration . . 183 . . . . . . . . . . . . . 183 185 186 186 187 187 187 188 189 190 191 192 193 Chapter 12. Certificate and password management. . . . . . . . . . . . 159 Initial configuration . . . . . . . . . . Key file and stash file renewal information . . Trust determination . . . . . . . . . . Reconfiguring the PDCA on the policy server Reconfiguring the PDCA on the runtime machines . . . . . . . . . . . . . Transferring the PDCA certificate to other machines . . . . . . . . . . . . . Server certificate revocation . . . . . . . Additional key and stash file considerations . . . 160 . 161 . 162 163 . 163 . 164 . 164 . 165 Chapter 17. Diagnostics and auditing Diagnostic events . Auditing events . . . . . . . . . . . . . . . . . . . . . 197 . 197 . 197 Appendix A. Guidelines for changing configuring files . . . . . . . . . . 199 General guidelines Default values . . Strings . . . . Defined strings . . File names . . . Integers . . . . Boolean values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 200 200 200 200 201 201 Chapter 13. Server management . . . 167 Tivoli Access Manager servers . Proxy server. . . . . . . . . . . . . . . . . . . 167 . 168 Contents v Appendix B. Configuration file reference . . . . . . . . . . . . . 203 Location of configuration files . . . . . . . Tivoli Access Manager runtime configuration file Authorization server configuration file . . . . Policy server configuration file . . . . . . Policy proxy server configuration file . . . . LDAP server configuration file . . . . . . LDAP client with Active Directory server configuration file . . . . . . . . . . . Active Directory server configuration file . . . Domino server configuration file . . . . . . Web Portal Manager configuration file . . . . Common audit service configuration files . . . Resource manager configuration files . . . . . 204 205 . 205 . 206 . 206 . 207 . . . . . . 207 207 208 208 208 209 Appendix C. Configuration file stanza reference . . . . . . . . . . . . . 211 [authentication-mechanisms] stanza . . . cert-ldap . . . . . . . . . . . cert-uraf . . . . . . . . . . . passwd-ldap. . . . . . . . . . passwd-uraf . . . . . . . . . . [aznapi-admin-services] stanza . . . . service-id . . . . . . . . . . . [aznapi-configuration] stanza . . . . . audit-attribute . . . . . . . . . azn-app-host . . . . . . . . . azn-server-name . . . . . . . . cache-refresh-interval . . . . . . . cred-attributes-entitlement-services . . db-file . . . . . . . . . . . . dynamic-adi-entitlement-services . . . input-adi-xml-prolog . . . . . . . listen-flags . . . . . . . . . . logcfg . . . . . . . . . . . . mode . . . . . . . . . . . . pd-user-name . . . . . . . . . pd-user-pwd . . . . . . . . . permission-info-returned . . . . . policy-cache-size . . . . . . . . resource-manager-provided-adi . . . xsl-stylesheet-prolog . . . . . . . [aznapi-cred-modification-services] stanza . service-id . . . . . . . . . . . [aznapi-entitlement-services] stanza . . . service-id . . . . . . . . . . . [aznapi-external-authzn-services] stanza . policy-trigger . . . . . . . . . . [aznapi-pac-services] stanza . . . . . service-id . . . . . . . . . . . [cars-client] stanza. . . . . . . . . compress . . . . . . . . . . . diskCachePath . . . . . . . . . doAudit . . . . . . . . . . . clientPassword . . . . . . . . . clientUserName . . . . . . . . errorFilePath . . . . . . . . . flushInterval. . . . . . . . . . keyFilePath . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 212 213 213 214 215 215 217 217 218 218 219 219 220 221 221 222 222 223 224 224 224 225 225 226 227 227 228 229 230 230 231 232 233 233 233 234 235 235 235 236 236 lowWater . . . . . . . . . hiWater . . . . . . . . . maxCacheFiles . . . . . . . maxCacheFileSize . . . . . . maxErrorFiles . . . . . . . maxErrorFileSize . . . . . . maxTraceFiles . . . . . . . maxTraceFileSize . . . . . . numberCMThreads . . . . . numberEQThreads . . . . . numberRetries . . . . . . . queueSize . . . . . . . . rebindInterval . . . . . . . retryInterval . . . . . . . . serverURL . . . . . . . . stashFilePath . . . . . . . traceLevel . . . . . . . . traceFilePath . . . . . . . transferSize . . . . . . . . useDiskCache . . . . . . . [cars-filter] stanza . . . . . . . auditevent . . . . . . . . [configuration-database] stanza . . file . . . . . . . . . . . [delegated-admin] stanza . . . . authorize-group-list . . . . . [domains] and [domain=domain_name] allowed-registry-substrings . . . database-path . . . . . . . domain . . . . . . . . . [ivacld] stanza . . . . . . . . log-file . . . . . . . . . logcfg . . . . . . . . . . permit-unauth-remote-caller . . pid-file . . . . . . . . . tcp-req-port . . . . . . . . unix-user . . . . . . . . . unix-group . . . . . . . . [ivmgrd] stanza . . . . . . . provide-last-login . . . . . . provide-last-pwd-change . . . auto-database-update-notify . . ca-cert-download-enabled . . . database-path . . . . . . . log-file . . . . . . . . . logcfg . . . . . . . . . . max-notifier-threads . . . . . notifier-wait-time . . . . . . pid-file . . . . . . . . . standby . . . . . . . . . tcp-req-port . . . . . . . . unix-user . . . . . . . . . unix-group . . . . . . . . [ldap] stanza . . . . . . . . enhanced-pwd-policy. . . . . max-auth-connections . . . . enable-last-login . . . . . . auth-using-compare . . . . . authn-timeout . . . . . . . bind-dn . . . . . . . . . cache-enabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . stanzas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237 237 237 238 238 238 239 239 239 240 240 240 241 241 241 242 242 242 243 243 244 244 246 246 247 247 248 248 249 249 250 250 251 252 252 253 253 254 254 254 255 255 256 256 257 257 258 259 259 260 261 261 261 262 262 264 265 265 266 266 267 vi Administration Guide . ssl-authn-type . . . . . [ssl] stanza . . . . . . . . cache-group-membership . . . . . . . . . . . . . . . . . . . . . ssl-local-domain . . . . . . . . . . . ssl-local-domain . . . . . . . master-host . . . . . . . . . . . . . . . . . . [pdrte] stanza . . . ssl-pwd-life . enabled . . . . . . . . . . . . . . . . . . . . . . . ssl-keyfile-dn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ssl-keyfile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . secauthority-suffix . . . . . . . . . . . . . domain . . . . . . . . . . . boot-start-ivmgrd . . . . . . . . . . . . . . . . . search-timeout . . . . . . . . . . . . . . . . . . . loginGif . . . . . . . . . . . . . . . .conf change-pwd-using-ldap-api. . . . . . . . . . . . . . . . enabled . . . . . enabled . . . . . . . . cache-lifetime . . . jrteProps . . . . . . . . . . . . aclMembership . . . . . . . . . . . . . . . . . . cache-policy-expire-time . . . . . [ssl] stanza for ldap. . cache-size . . . . . . . . port . . . . version . ssl-keyfile-stash. . . . . . . . . . . . . . . . connection-inactivity . . . . . . . . logcfg . . . . . port . . . . . . . . . . . . novell-suffix-search-enabled . . . . [uraf-registry] stanza for activedir. . . . . . . . . . . . . . . . uraf-return-registry-id . boot-start-pdproxyd . . . . . . . . . . . authMethod . server . . . . . . . . . management-domain . . . . . . . . . . . . . . ssl-keyfile-pwd . . . . . . . . . . . . . . . . . . . . . . . . . . . . ignore-suffix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . cache-group-size . cache-use-user-cache . . . . . . . . . . . . . . . . . . . . . . . . . user-reg-hostport . . . . . . . . . . . . . cache-enabled . . . . . . . jrteHost . . boot-start-ivacld . . . . . . . . . . . . . . . . . . . . . . . . . . useEncryption . . . . . . ssl-enabled . . . . . . . . . . . . cache-policy-size . . . . . . . . . . . . . [uraf-registry] stanza for domino. . . . . . . . . . . . . . . . . . pid-file . uraf-registry-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . tcp-req-port . . . . debug . . . . [pdmgrproxyd] stanza . . . . . . . . . . . . . . . . . . . LdapSSLKeyFileDn . . . . . . . . . dnforpd . . . . . . . . . . . . user-reg-type . . . configured . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . NAB . . . . . . . . . . . . user-and-group-in-same-suffix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . use-email-as-user-id . . . ssl-cert-life . . . . . . . . . . . . . . master-port . 296 296 296 296 296 297 297 298 298 299 299 300 300 300 300 301 301 302 302 302 303 303 304 304 305 305 306 306 307 307 308 308 308 309 309 309 310 311 312 312 312 313 313 314 314 314 315 315 315 316 316 316 317 317 318 318 318 319 320 320 321 Contents vii . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . hostname. . . . . . . . . . . . max-search-size. . . 267 268 268 269 269 270 270 271 271 271 272 273 273 274 274 274 275 276 276 277 277 278 278 278 279 279 280 280 281 281 282 283 283 284 284 285 285 286 286 287 287 287 287 288 288 289 289 289 290 290 291 292 292 293 293 294 294 294 295 295 295 user-reg-host . . . . . . ssl-auto-refresh . . . . . . . . . . . [uraf-registry] stanza . . . . . . . . multi-domain . log-file . . . . . . . . . . ssl-v3-timeout . cache-user-size . . . . . . . cache-return-registry-id . ssl-maximum-worker-threads . . . . . tivoli_common_dir . . . . . max-server-connections . . . . . . . . . . . uraf-return-registry-id . . . . . [pdaudit-filter] stanza . . . . . . . . . . . . . . . . . . . . . . . . default-policy-override-support ldap-server-config . infoBarGif . . . . . . . . . . . . . . . unix-user . . . . . . . . . . . . host . . . . . . . . . . . . . . . . . . ldap-client-timeout . . . . . . . . . . . . . . . . . [pdconfig] stanza . . . . PDM . .conf. . . . . . . . . .conf . . . . . . . enabled . .conf . user-reg-server . . . . . . . . . . . . . . . . . . . . . . . . . . dnforpd . . . LdapSSLKeyFilePwd . . . . cache-database . . . . . . . . . . LdapSSL . . . . . . . . . . . . ssl-keyfile . . . . wasEmbedded . . [ldap] stanza for ldap. ssl-port . . . . . . . . . . . . .conf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . cache-mode . max-search-size. . . ssl-io-inactivity-timeout . . . . . . . . . . . . . . . . . . . [manager] stanza . dynamic-groups-enabled . . . . [pdwpm] stanza . . . . . . . . .cache-group-expire-time . . . . . . . . . . . . . . . dynamic-groups-enabled . . . . . . . . . . . . . . . . splashGif . bind-id . . . . . . . . . . LdapSSLKeyFile . . . . . . domain . changePassword . . . . . . . . . . . . . . . . . . . . . . . unix-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ssl-keyfile-label . . . . replica . . . . . . . . . . . . . . . . . . . . . . login-failures-persistent . . bannerFile . . . . . ssl-listening-port . . . . . . . . . [meta-info] stanza . . . . . . . . ssl-enable-fips . . . . . . . . . . . . . . . . . . cache-user-expire-time . . prefer-readwrite-server . dynamic-groups-enabled . . [uraf-registry] stanza for activedir_ldap. . . . . . . . . . . . . . . . . . . 362 Appendix H. . . . . . . Updating the eDirectory schema . . . . . . . . . ad-gc-server . . Searching information centers . . . . . . . . . . . . Active Directory-specific tasks . . . . . . . . . . . . . . . Setting up Microsoft Windows 2003 Domain Name System for Active Directory . . . ssl-keyfile . . . . 373 Searching knowledge bases . . . . . . . . 349 . . . . 329 . . . . . . . . . . . Searching the Internet . . . . Enabling change user password requests to be performed using LDAP APIs . . . . 345 . . . . . . . . . . 330 . . . . . . . . . . . . . . . . . . Applying Tivoli Access Manager ACLs to new LDAP suffixes . . . . . . . . . . . uraf-return-registry-id . . . . . . . . . . . . . . Microsoft Active Directory Application Mode (ADAM) concerns . . . . . . . . . . . . . . . Sun Java System Directory Server concerns . . . . . . 337 Appendix F. . . 329 . . . . . . Importing dynamic groups to Tivoli Access Manager . . . . . 393 viii Administration Guide . . . . . . . . ssl-keyfile-label . . . . . . . . . . . . . . . . . . . . . Notices . . . . . . . . use-email-as-user-id .max-connections-per-ad-domain . . . . . . . . . Lotus Domino Server concerns . Updating the Tivoli Access Manager schema Adding a Tivoli Access Manager user to the Active Directory system group . Microsoft Active Directory Server concerns . . . . . User registry differences General concerns . . . . . . . . . . . . . . . . . 379 Trademarks . . Using valid characters for Active Directory user. 345 . . . UseSSL . . . . . [xmladi-attribute-definitions] stanza . . . Setting the password history policy . . . . . . . . Describing problems and gathering information Submitting problems . . . . . Determining the business impact . . . . . . 383 Index . . Novell eDirectory maintenance activities that can damage schema modifications applied by Tivoli Access Manager . . . . . . . . . . . . URAF concerns. . . . 345 . group. . . LDAP concerns . . . . . . . . . . Using valid characters for LDAP user and group names . . . . . . . . . . . . . . . . . . . 373 373 373 373 374 374 375 375 376 376 Appendix E. . 361 . . . . . . . . . . . . . . . . . Enabling support for the use of email address or other alternate format as user identity . 350 . AttributeName . . Managing user registries LDAP-specific tasks . Length of names . . . . . LDAP failover configuration . . . . . . . Receiving weekly software updates . . . 321 321 322 322 323 324 324 324 325 325 326 326 327 Appendix D. Contacting IBM Software Support . . Registering with IBM Software Support . Novell-specific tasks . . . . . . . . . . . ad-gc-port . . . Obtaining fixes . . . . . . pdadmin to Web Portal Manager equivalents . 362 . . . . multi-domain . . . . . . . . . . . . . . . . . . . . . . . . . . 329 . ssl-keyfile-pwd . . . . . . . . 380 Glossary . Support information . . . . . . . and distinguished names . . . . . . . . . . primary-domain . . . . . . 330 331 331 331 334 Adding a new domain name to a DNS . . . . . . . . 363 363 364 364 366 366 367 368 368 370 Appendix G. . . . . . . . . . . 1999. Publications This section lists publications in the IBM Tivoli Access Manager for e-business library and related documents. digital signatures.1 to version 6. cryptographic algorithms.0. 6.About this publication IBM® Tivoli® Access Manager for e-business provides an access control management solution to centralize network and application security policy for e-business applications. v IBM Tivoli Access Manager for e-business: Release Notes. key exchange (public and private). and known installation and configuration problems. system requirements. IBM Tivoli Access Manager for e-business library The following documents are in the Tivoli Access Manager for e-business library: v IBM Tivoli Access Manager for e-business: Quick Start Guide. The section also describes how to access Tivoli publications online and how to order Tivoli publications. and certificate authorities. SC23-6503 Upgrade from version 5. v IBM Tivoli Access Manager for e-business: Upgrade Guide. GI11-9333 Provides steps that summarize major installation and configuration tasks. SC23-6504 © Copyright IBM Corp. GC23-6502 Explains how to install and configure Tivoli Access Manager for e-business.1. The IBM Tivoli Access Manager for e-business: Administration Guide provides a comprehensive set of procedures and for managing Tivoli Access Manager servers and resources. v IBM Tivoli Access Manager for e-business: Installation Guide. including HTTP and TCP/IP v Lightweight Directory Access Protocol (LDAP) and directory services v Authentication and authorization v Tivoli Access Manager security model and its capabilities You should also be familiar with SSL protocol. Intended audience This guide is for system administrators responsible for the deployment and administration of base Tivoli Access Manager software. 2010 ix . GC23-6501 Provides information about installing and getting started.0. v IBM Tivoli Access Manager for e-business: Administration Guide. This guide also provides you with valuable background and conceptual information about the wide range of Tivoli Access Manager functionality. or 6. Readers should be familiar with the following: v Microsoft® Windows® and UNIX® operating systems v Database architecture and concepts v Security management v Internet protocols.1. SC23-6516 Provides about using the Java language implementation of the authorization API to enable an application to use Tivoli Access Manager security. v IBM Tivoli Access Manager for e-business: Administration C API Developer Reference. SC23-6507 Provides procedures and for securing your Web domain using a Web server plug-in. v IBM Tivoli Access Manager for e-business: Authorization Java Classes Developer Reference. and for using WebSEAL to manage the resources of your secure Web domain. v IBM Tivoli Access Manager for e-business: Command Reference. SC23-6515 Provides about using the C language implementation of the authorization API to enable an application to use Tivoli Access Manager security. v IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide. SC23-6512 Provides about the commands. You can also find information about installing and configuring the Common Auditing and Reporting Service. SC23-6506 Provides instructions for integrating Tivoli Access Manager with the IBM WebSphere® Edge Server application. v IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide. v IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide. SC23-6510 Provides information for enabling SSL communication in the Tivoli Access Manager environment. SC23-6509 Provides deployment considerations and operational instructions for the session management server. v IBM Tivoli Access Manager for e-business: Auditing Guide. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin utility. Use this service for generating and viewing operational reports. SC23-6505 Provides background material. x Administration Guide . SC23-6511 Provides information about configuring and managing audit events using the native Tivoli Access Manager approach and the Common Auditing and Reporting Service. utilities. administrative procedures. SC23-6513 Provides about using the C language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks. v IBM Tivoli Access Manager for e-business: Administration Java Classes Developer Reference. and scripts that are provided with Tivoli Access Manager. v IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide. v IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference. v IBM Tivoli Access Manager for e-business: Plug-in for Edge Server Administration Guide.Describes the concepts and procedures for using Tivoli Access Manager. SC23-6514 Provides about using the Java™ language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks. version 9. IBM Tivoli Directory Server IBM Tivoli Directory Server. gsk7ikm.ibm. SC23-6517 Provides programming and for developing authentication modules. You can find additional information about IBM Tivoli Directory Integrator at: http://www-306. version 6.1. GI11-8157 Provides explanations and recommended actions for the messages and return code.com/software/tivoli/products/directory-integrator/ IBM DB2 Universal Database IBM DB2 Universal Database™ Enterprise Server Edition. The IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide is available on the Tivoli Information Center Web site in the same section as the Tivoli Access Manager product documentation. as well as on the IBM Tivoli Access Manager Web Security CDs. and certificate requests. For z/OS LDAP servers.com/software/tivoli/products/directory-server/ IBM Tivoli Directory Integrator IBM Tivoli Directory Integrator. v IBM Tivoli Access Manager for e-business: Error Message Reference. DB2® is required when using Tivoli Directory Server or z/OS® LDAP servers as the user registry for Tivoli Access Manager. GSKit is included on the IBM Tivoli Access Manager Base CD for your particular platform. and the IBM Tivoli Access Manager Directory Server CDs. v IBM Tivoli Access Manager for e-business: Performance Tuning Guide. you must separately purchase DB2. version 6. v IBM Tivoli Access Manager for e-business: Troubleshooting Guide. version 7.0. IBM Global Security Kit Tivoli Access Manager provides data encryption through the use of the Global Security Kit (GSKit). The GSKit package provides the iKeyman key management utility.1. is provided on the IBM Tivoli Access Manager Directory Server set of CDs and is installed with the Tivoli Directory Server software. is included on the IBM Tivoli Directory Integrator CD for the required operating system. is included on the IBM Tivoli Access Manager Directory Server set of CDs for the required operating system. SC23-6518 Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Tivoli Directory Server as the user registry. You can find additional information about Tivoli Directory Server at: http://www.1.ibm. GC27-2717 Provides problem determination information.v IBM Tivoli Access Manager for e-business: Web Security Developer Reference.1. the IBM Tivoli Access Manager Shared Session Management CDs. Related products and publications This section lists the IBM products that are related to and included with a Tivoli Access Manager solution. You can find additional information about DB2 at: About this publication xi . public-private key pairs. which creates key databases. ibm. The product CD contains the publications that are in the product library. or both. set the option in the File → Print window that allows Adobe Reader to print letter-sized pages on your local paper.ibm. to the Tivoli Documentation Central Web site at http://www. which administers Tivoli Access Manager. v Web Administration Tool. as they become available and whenever they are updated. which processes and reports on audit events.ibm.com/software/data/db2 IBM WebSphere Application Server WebSphere Application Server. version 6. or both. You can also order by telephone by calling one of these numbers: v In the United States: 800-879-2755 xii Administration Guide . is included on the IBM Tivoli Access Manager WebSphere Application Server set of CDs for the required operating system. You can find additional information about WebSphere Application Server at: http://www. Note: If you print PDF documents on other than letter-sized paper.elink.ibm. HTML.com/software/webservers/appserv/infocenter. The format of the publications is PDF. The Tivoli Software Glossary is available at the following Tivoli software library Web site: http://publib.com/software/globalization/terminology .ibm. Refer to the readme file on the CD for instructions on how to access the documentation. which administers Tivoli Directory Server.html Accessing terminology online The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. IBM posts publications for this and all other Tivoli products.http://www.wss. Accessing publications online The documentation CD contains the publications that are in the product library.com/tivoli/documentation.com/tividd/glossary/tivoliglossarymst.ibmlink. v Session management server. Ordering publications You can order many Tivoli publications online at http:// www. The file is in the appropriate publications directory on the product CD.html file. To access the publications using a Web browser. The format of the publications is PDF. v Common Auditing and Reporting Service.1. v Attribute Retrieval Service. HTML. WebSphere Application Server enables the support of the following applications: v Web Portal Manager interface. open the infocenter. You can access the Terminology Web site at http://www.com/publications/servlet/pbi.ibm.htm The IBM Terminology Web site consolidates the terminology from IBM product libraries in one convenient location.boulder. which manages shared session in a Web security server environment. members can share information and learn from the knowledge and experience of other Tivoli users. Access the IBM Software Support site at http://www.com/software/support/ probsub.wss.com/alphaworks/topics/ accessibility/ for more information about IBM's commitment to accessibility. you want to resolve it quickly.ibm. Tivoli user groups Tivoli user groups are independent. user-run membership organizations that provide Tivoli users with information to assist them in the implementation of Tivoli Software solutions. perform the following steps: 1. contact your software account representative to order Tivoli publications.ibm. 3. Accessibility Accessibility features help users with a physical disability. Select your country from the list and click Go.com/e-business/linkweb/publications/servlet/pbi.ibm.000+ members v 144+ groups Access the link for the Tivoli Users Group at http://www. Tivoli user groups include the following members and groups: v 23. you can use assistive technologies to hear and navigate the interface. IBM provides the following ways for you to obtain the support you need: Online Access the Tivoli Software Support site at http://www.ibm.v In Canada: 800-426-4968 In other countries. refer to the following IBM Tivoli Education Web site at http://www. Through these groups. Visit the IBM Accessibility Center at http://www.org/. Go to http://www.html?ibmprd=tivman. to use software products successfully. such as restricted mobility or limited vision.com/software/tivoli/education.tivoli-ug. For additional information. To locate the telephone number of your local representative.html . 2.ibm. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface. Tivoli technical training For Tivoli technical training information. Click About this site in the main panel to see an information page that includes the telephone number of your local representative.com/software/ sysmgmt/products/support/index. Support information If you have a problem with your IBM software. With this product. IBM Support Assistant The IBM Support Assistant is a free local software serviceability workbench that helps you resolve questions and problems with IBM software About this publication xiii . see the Accessibility Appendix in IBM Tivoli Access Manager for e-business Installation Guide. . fields. programming keywords. go to http://www. property sheets). see the IBM Tivoli Access Manager for e-business Installation Guide. Troubleshooting Guide For more information about resolving problems.. labels (such as Tip:. letters as letters example: "The LUN address must start with the letter L.") v New terms in text (except in a definition list): a view is a frame in a workspace that contains data. For example. where myname represents.". The Support Assistant provides quick access to support-related information and serviceability tools for problem determination.ibm. The names of environment variables are not always the same in the Windows and UNIX environments. and paths. %TEMP% in Windows environments is equivalent to $TMPDIR in UNIX environments. icons. xiv Administration Guide .com/software/ support/isa. containers. and other elements that are difficult to distinguish from surrounding text v Message text and prompts addressed to the user v Text that the user must type v Values for arguments or command options Operating system-dependent variables and paths This publication uses the UNIX convention for specifying environment variables and for directory notation. and CDs v Words defined in text (example: a nonswitched line is called a point-to-point line) v Emphasis of words and letters (words as words example: "Use the word that to introduce a restrictive clause. items inside list boxes. When using the Windows command line.. tabs. list boxes. Typeface conventions This publication uses the following typeface conventions: Bold v Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text v Interface controls (check boxes. operating system-dependent commands. Conventions used in this publication This publication uses several conventions for special terms and actions. diskettes. To install the Support Assistant software. multicolumn lists. replace $variable with % variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths.products. Monospace v Examples and code examples v File names.. spin buttons. radio buttons. and Operating system considerations:) v Keywords and parameters in text Italic v Citations (examples: titles of publications. folders. push buttons. v Variables and values you must provide: .. menu names. menu choices. you can use the UNIX conventions. About this publication xv .Note: If you are using the bash shell on a Windows system. xvi Administration Guide . Tivoli Access Manager allows you to build secure and easy-to-manage network-based applications and e-business infrastructure. together with resource managers. IBM Tivoli Access Manager for Operating Systems Provides a layer of authorization policy enforcement on Linux® and UNIX operating systems in addition to that provided by the native operating system. provides permit and deny decisions on access requests for native Tivoli Access Manager servers and other applications. accessed through a standard authorization application programming interface (API). Tivoli Access Manager allows you to control user access to protected information and resources. 2010 1 . Tivoli Access Manager supports authentication. Tivoli Access Manager provides the following frameworks: Authentication framework The Tivoli Access Manager authentication service uses a wide range of built-in authenticators and supports external authenticators. Tivoli Access Manager overview Tivoli Access Manager is an authentication and authorization solution for corporate Web. provides a standard authorization mechanism for business network systems.Chapter 1. Authorization framework The Tivoli Access Manager authorization service. Core technologies The Tivoli Access Manager network security management solution provides and supports the following core technologies: v Authentication v Authorization v Quality of Protection © Copyright IBM Corp. Existing applications can take advantage of the Tivoli Access Manager authorization service as well as provide a common security policy for the entire enterprise. centralized policy management capability. authorization. By providing a centralized. and existing applications. The following resource managers are some of the existing resource managers: IBM Tivoli Access Manager WebSEAL Manages and protects Web-based information and resources. flexible. client/server. data security. WebSEAL is included with Tivoli Access Manager for e-business. You use Tivoli Access Manager in conjunction with standard Internet-based applications to build highly secure and well-managed intranets. and scalable access control solution. The authorization service. Tivoli Access Manager can be integrated into existing and emerging infrastructures to provide secure. 1999. and resource management capabilities. and authorization rules for fine-grained access control v Standards-based authorization API. Secure communication Tivoli Access Manager supports the data integrity and data privacy provided by the Secure Socket Layer (SSL) communication protocol and the Transport Layer Security (TLS) communication protocol. Applications can build any custom authentication mechanism that uses the authorization API. protected object policies (POPs). Tivoli Access Manager allows a highly flexible approach to authentication through the use of the authorization API. The resource manager is responsible for ensuring that the quality of data protection is enforced. During authentication. Authorization Authorization enforces the security policy by determining what objects a user can access and what actions a user can take on those objects and then granting appropriate access to the user. To learn about these encryption ciphers. 2 Administration Guide . and the Java Authentication and Authorization Service (JAAS) for Java language applications v External authorization service capability Quality of Protection Quality of Protection (QoP) is the degree to which Tivoli Access Manager protects any information that is transmitted between a client and a server. using the aznAPI for C language applications.v Scalability v Accountability v Centralized management Authentication Authentication is the first step a user must take when making a request for a resource that is protected by Tivoli Access Manager. a user identity is validated. Tivoli Access Manager supports the following levels of Quality of Protection: v Standard Transmission Control Protocol (TCP) communication (no protection) v Data integrity – protects messages (data stream) from being modified during network communication v Data privacy – protects messages from being modified or inspected during network communication Supported encryption ciphers Tivoli Access Manager uses encryption ciphers that are provided by GSKit and Java Secure Socket Extension (JSSE). Tivoli Access Manager provides built-in support of user name and password authentication through the authorization API. The authentication process is usually dependent on the specific requirements of the service-providing application. The quality of data protection is determined by the combined effect of encryption standards and modification-detection algorithms. Tivoli Access Manager handles authorization through the use of the following: v Tivoli Access Manager authorization service v Access control lists (ACLs). see the GSKit and JSSE documentation. Scalability Scalability is the ability to respond to increasing numbers of users who access resources in the domain. When FIPS mode is enabled. Note: SSL and TLS protocols cannot be mixed in a Tivoli Access Manager environment. If a previous release of Tivoli Access Manager runtime did not support TLS (currently communicating with SSL). Tivoli Access Manager for Business Integration. Tivoli Access Manager overview 3 . or other application servers – Mirrored resources (unified object space) for high availability – Additional content and resources – Load balancing of incoming requests v Optimized performance by allowing for the off-loading of authentication services and authorization services to separate servers v Scaled deployment of services without increasing management overhead Chapter 1. Tivoli Access Manager uses the following techniques to provide scalability: v Replication of services – Authentication services – Authorization services – Security policies – Data encryption services – Auditing services v Front-end replicated servers – Mirrored resources for high availability – Load balancing client requests v Back-end replicated servers – Back-end servers can be Tivoli Access Manager WebSEAL. Therefore. When FIPS mode is enabled in Tivoli Access Manager. Tivoli Access Manager generates keys and certificates using FIPS-approved operations. Tivoli Access Manager for Operating Systems. the desired protocol is TLS. To switch from SSL to TLS. but unclassified use of information technology products.and server-side keys and certificates are always FIPS approved. the desired protocol is SSL. these runtimes cannot communicate with a server that is enabled for FIPS (now communicating with TLS). SSL works by using public key for authentication and secret key to encrypt data that is transferred over the SSL connection. When FIPS mode is not enabled. the client. all server and remote runtime configurations must be changed. TLS version 1 (TLSv1) is used instead of SSL version 3 (SSLv3). The TLS protocol meets the Federal Information Processing Standards (FIPS) 140-2 standard that describes United States Federal government requirements for sensitive.The SSL handshake protocol provides security and privacy over the Internet. In Tivoli Access Manager this indicates whether FIPS mode is enabled or disabled in the environment. permissions. For specific task information. see the Web Portal Manager online help. roles. groups. and servers. groups. see the task-specific chapters in this guide. Both C and Java language versions of these functions are available. permissions. Details on the administration API are provided in the IBM Tivoli Access Manager for e-business: Administration C API Developer Reference and the IBM Tivoli Access Manager for e-business: Administration Java Classes Developer Reference.Accountability Tivoli Access Manager provides a number of logging and auditing capabilities. Administration API The administration API provided by Tivoli Access Manager is a set of programming interfaces that allow you to write applications to manage users. Audit trail files monitor Tivoli Access Manager server activity. Centralized management The following methods are provided for managing security policy and the Tivoli Access Manager servers: v pdadmin command line interface v Web Portal Manager graphical user interface (GUI) v Administration API You can accomplish most tasks using any of these methods. policies. as well as for performing other tasks. roles. see the IBM Tivoli Access Manager for e-business: Command Reference. pdadmin command interface The pdadmin command line interface is used for Tivoli Access Manager administration. domains. This interface can be used in scripts or batch files to automate processing. This interface is installed as part of the Tivoli Access Manager runtime package. some tasks cannot be performed using Web Portal Manager. permissions. and servers. Log files capture any error and warning messages generated by Tivoli Access Manager servers. policies. A key advantage to using Web Portal Manager is that you can perform these tasks remotely using any supported Web browser. However. roles. This interface provides commands for managing users. For more information on using Web Portal Manager. and servers. policies. For detailed syntax information about the pdadmin command line interface. refer to chapters in this guide. Web Portal Manager allows you to perform administrative tasks. This optional interface must be installed separately from the Tivoli Access Manager Web Portal Manager CD for your operating system. groups. For specific task information. You do not need any special network configuration. Web Portal Manager Web Portal Manager is an optional Web-based interface used for Tivoli Access Manager administration. domains. such as managing users. 4 Administration Guide . domains. you must define what resources need to be protected. The resource manager then directs Todd's request to the appropriate back-end Web server. denied. For example. credentials. WebSEAL is a resource manager that is responsible for managing and protecting Web-based information and resources and must decide whether or not Todd can access that page. and the object to be accessed. The authorization service. The resource manager takes the recommendation of the authorization service. the type of access desired. You also need to decide what type of access to these resources should be permitted. or conditionally allowed pending additional verification by the resource manager. protected object policies (POPs). so it recommends to the resource manager that the request be granted. Authorization API standard Authorization services are a critical part of the security architecture of an application. such as files. thus eliminating the necessity for developers to write authorization code for each new application. uses the security policy to determine whether the request should be allowed. and delegation. The standards-based authorization API (aznAPI) allows applications to call the centralized authorization service. and privilege attributes of that user. First. acquired during authentication. auditing. or permits the request to be processed. network servers. Credentials can be used to perform a multitude of services. Then. authorization services proceed to enforce the business policy by determining what services and information the user can access. messages. The credential provides detailed information. Tivoli Access Manager overview 5 . a user accessing a Web-based retirement fund could view personal account information after an authorization server verifies the identity.Security policy overview The goal of any security policy is to adequately protect business assets and resources with a minimal amount of administrative effort. The resource manager obtains the credentials for Todd. The authorization service checks the security policy and determines that Todd should be permitted access. such as authorization. Finally. The enforcement of the security policy is the job of the resource manager. and authorization rules. that describes the user. any group associations. performs any additional verification actions. you must decide what users and groups of users should have access to these protected resources. or Web pages. which provides the Web page. The security policy in Tivoli Access Manager is defined through the use of access control lists (ACLs). and ultimately either denies the request. directories. After a user passes the authentication process. and then asks the authorization service whether Todd has read access to the Web page. you must apply the proper security policy on these resources to ensure that only the right users can access them. Chapter 1. The resource manager calls the Tivoli Access Manager authorization service with the credentials of the user making the request. and other security-related identity attributes. suppose that Todd wants to access a particular Web page that is located on a Web site protected by Tivoli Access Manager WebSEAL. databases. These could be any type of data object. For example. also known as the authorization engine. In security systems. Authentication ensures that the individual is who that individual claims to be.The authorization API allows businesses to standardize all applications on a trusted authorization framework. 6 Administration Guide . With the authorization API. Access to every resource in a domain is controlled by a server. security policy determines whether that client is permitted to perform an operation on a requested resource. The authorization process. So the demands on the server for authentication and authorization can provide comprehensive network security. as shown in Figure 1 on page 7. In turn. Authorization determines whether an authenticated client has the right to perform an operation on a specific resource in a domain. secret key. or customer-defined mechanisms. Users can authenticate their identity using either public/private key. each client must provide proof of its identity. authorization is distinct from authentication. authorization policy is implemented independently of the mechanism used for user authentication. businesses can provide more control over access to resources on their networks. It also defines the degree of protection that is surrounding each resource requiring protection. The security policy defines the legitimate participants of the domain. In the Tivoli Access Manager authorization model. Authorization decisions made by an authorization service are based on user credentials. Part of the authentication process involves the creation of a credential that describes the identity of the client. A component of the resource manager is a policy enforcer that directs the request to the authorization service for processing. The resources in a domain receive a level of protection as dictated by the security policy for the domain. authorization service An authorization service that performs the decision-making action on the request. includes the following basic components: resource manager A resource manager responsible for implementing the requested operation when authorization is granted. Authorization: conceptual model When servers enforce security in a domain. Examples of this structure include Tivoli Access Manager WebSEAL. are difficult to integrate. The independent functionality of these authorization components allows flexibility in the design of the security enforcement strategy. General authorization model Traditional applications bundle the policy enforcer and resource manager into one process. and result in higher costs of ownership. is tightly coupled to individual applications. and Tivoli Access Manager for Business Integration. Tivoli Access Manager for Operating Systems. Benefits of such a standard authorization service include: v Reduced cost of developing and managing access to applications v Reduced total cost of ownership and management of separate authorization systems v Use the existing security infrastructure v Allow new businesses to open more securely v Enable newer and different kinds of applications v Allow shorter development cycles v Share information securely Chapter 1.Authorization service Application server authorization check request for resource yes | no Policy enforcer Resources Resource manager Authenticated client Figure 1. Tivoli Access Manager overview 7 . Companies typically build applications over time to serve their business needs. such independence allows the security administrator to control: v Where the processes are located v Who writes the code for the processes v How the processes perform their tasks The benefits of a standard authorization service Authorization in most systems. Many of these applications require some specific form of authorization. These proprietary authorization implementations require separate administration. both existing and new. The result is often a wide variety of applications with differing authorization implementations. For example. A distributed authorization service can provide these independent applications with a standard authorization decision-making mechanism. and user-defined objects. provides a standard authorization mechanism for business network systems. The Tivoli Access Manager authorization service is also extensible and can be configured to call on other authorization services for additional processing using the external authorization service plug-in interface. v The service addresses the application of security services in a heterogeneous cross-platform environment. For more information on authorization API. v The service uses a standard authorization coding style that is language independent (the authorization API). management activities. rather than across multiple systems. The authorization API allows existing applications to call the authorization service which in turn makes decisions based on the corporate security policy. individual transactions or database requests. specific Web-based information. as shown in Figure 2: Web Portal Manager Policy server Master authorization database User registry Authorization server Replica authorization database Figure 2. together with resource managers. 8 Administration Guide . The addition of a new employee. The Tivoli Access Manager authorization service. Tivoli Access Manager server components Existing applications can take advantage of the authorization service.Tivoli Access Manager authorization service overview Tivoli Access Manager can be integrated into existing and emerging infrastructures to provide a secure. Authorization policy is based on user or group roles and can be applied to network servers. requires modifying the privilege database in one central location. v The service integrates existing non-Tivoli Access Manager authorization systems through an external authorization service capability. see “Tivoli Access Manager authorization API” on page 14. The authorization service provides the following benefits: v The service is application independent. centralized policy management capability. v The service is centrally managed and therefore easy to administer. v The service has a scalable and flexible architecture that can be easily integrated with existing infrastructure. for example. responds accordingly. Figure 3 on page 10 illustrates the main components of the authorization service: Chapter 1. Authorization decisions made by the authorization service result in the approval or denial of client requests to perform operations on protected resources in a domain. the pdadmin command-line interface.v The service enables multi-tiered authorization. Tivoli Access Manager authorization service The Tivoli Access Manager authorization service is responsible for the authorization decision-making process that helps to enforce a network security policy. contains the security policy information for all resources in a domain. in turn. Policy server The policy server maintains the policy databases. Each domain has its own policy database. Tivoli Access Manager overview 9 . The policy server also maintains location information about the other Tivoli Access Manager and non-Tivoli Access Manager resource managers operating in the domain. User registry replication parameters are configurable for each evaluator. Components The authorization service is made up of three basic components: v Master authorization policy database v Policy server v The authorization decision-making evaluator Policy database The policy database. A credentials packet can be passed through the multiple layers of an application process or transaction. v The service uses a common and effective auditing model. The contents of this database are manipulated using Web Portal Manager. replicates this policy information throughout the domains. and updates the database replicas whenever a change is made to the master. Authorization evaluator The authorization evaluator is the decision-making process that determines the ability of the client to access a protected resource based on the security policy. The evaluator makes its recommendation to the resource manager which. and the administration API. v The service is independent of any authentication mechanism. also referred to as the master authorization policy database and the master authorization database. and credentials.Authorization Service Web Portal Manager Policy Server (pdmgrd) Master Authorization Policy Management Interface Authorization Evaluator AuthAPI Resource Manager Replica Authorization Policy Figure 3. Authorization API The authorization API passes requests for authorization decisions from the resource manager to the authorization evaluator which then passes back a recommendation whether the request must be granted or denied. policies. Many applications can access a single authorization server. uses a local cache of the database The database is replicated for each resource manager that uses the authorization service in local cache mode. You can configure the master authorization policy database. 10 Administration Guide . Resource managers that call the authorization service have two options for referencing this database information: v The application. Replication for scalability and performance Authorization service components can be replicated to increase availability in a heavy-demand environment. containing policy rules and credential information. when configured to work seamlessly with the authorization evaluator. Authorization service components Authorization service interfaces The authorization service has two interfaces where interaction takes place: Management interface The security administrator manages the security policy by using the Web Portal Manager or the pdadmin command-line interface to apply policy rules to resources in a domain. The security policy is managed in the policy database by the policy server. This interface is complex and involves detailed knowledge of the object space. to automatically replicate. v The application uses a shared replica cached by the remote authorization server component The database is replicated for each instance of the authorization server. which completes the response to the original request. Implementing a network security policy The security policy for a domain is determined by controlling user and group participation in the domain and applying rules to resources requiring protection. protected object policies (POPs). The result is fast response times (performance) for authorization checks. Replicated authorization service components Performance notes v You can update notifications directly from the policy server. You can apply ACLs. v The cached authorization policy information results in high system performance. a log entry is created. These rules are defined through the use of access control lists (ACLs). and authorization rules. it checks the policy in its own cached version of the database. Such a mechanism is called polling and is not enabled by default. as shown in Figure 4: Authorization Service Web Portal Manager Policy Server (pdmgrd ) Master Authorization Policy Replica Authorization Policy Replica Authorization Policy Authorization Evaluator AuthAPI Resource Manager Replica Authorization Policy Figure 4. For example.Update notification from the policy server (whenever a change was made to the master authorization policy database) triggers the caching process to update all replicas. and then applying these policies to the object representations of those resources in the object space. In both cases. Tivoli Access Manager overview 11 . The resulting recommendation is passed to the resource manager. This security policy is created by defining access control lists (ACLs). protected object policies (POPs). You can also configure the resource managers to verify the version of the master authorization policy database every few minutes to ensure that the update notification are not missed. The authorization service enforces these policies by matching the credentials of a user with the permissions in the policy assigned to the requested resource. v Individual authorization results are not cached by the calling application server. If an update notification fails to reach a server. POPs. Defining and applying security policy You protect system resources by defining a security policy. Chapter 1. WebSEAL does not have to access the network to obtain this information from the master database. when WebSEAL does an authorization check. a retry mechanism also ensures that the update happens in the future. and authorization rules. The administrator needs to apply explicit policies only at points in the hierarchy where the rules must change. 12 Administration Guide . and the administration API are used to define this policy. An ACL policy is made up of one or more entries that include user and group designations and either their specific permissions or rights. the Web Portal Manager. The pdadmin command-line interface. The authorization service performs authorization decisions based on the policies applied to these objects. ACL policy definitions are important components of the security policy established for a domain. Explicit and inherited policies Examples of policy types include: v Hardcoded rules v External authorization capability v Special secure labeling v Access control lists (ACLs). or ACL policy. The Tivoli Access Manager protected object space supports inheritance of ACLs. and authorization rules. One policy can dictate the protection parameters of many objects. is the set of actions. protected object policies (POPs). Explicit and inherited policy A security policy can be explicitly applied or inherited. and who can perform those operations. This factor is an important consideration for the security administrator who manages the object space. as shown in Figure 5: Inherited rule Explicit rule Management objects Web objects User-defined objects Figure 5. and authorization rules Access control lists An access control list (ACL) policy. An ACL policy specifically determines what operations can be performed on a resource. When a requested operation on a protected object (also referred to as a protected resource) is permitted. the resource manager responsible for the resource implements this operation. controls.and authorization rules to the same object. Any change to the security policy affects all objects to which the policy is attached. POPs. or permissions that specifies the conditions necessary for a particular user or group to perform certain operations on that resource. The Tivoli Access Manager authorization process 1. For example. Unlike ACLs. The authorization process: step-by-step Figure 6 illustrates the complete authorization process: Secure Domain Authorization Service 3. These conditions are evaluated as a Boolean expression to determine if the request must be allowed or denied. the resource manager passes the request on to the application responsible for the resource. and what type of action is being attempted. Request Policy Enforcer 5. HTTPS access or another application. 4. Chapter 1. 6. Authorized Operation Resources Client 6. For more information about the authorization API. which are dependent on what user or group is attempting the action. Rules allow you to make authorization decisions based on the context and the environment surrounding the request. The policy enforcer process uses the authorization API to call the authorization service for an authorization decision. Tivoli Access Manager overview 13 . It is the responsibility of Tivoli Access Manager and the resource manager to enforce the POP conditions. The authorization service performs an authorization check on the resource. The client receives the results of the requested operation. Authorization Check Authorization Policy / 2. see “Tivoli Access Manager authorization API” on page 14. The decision to accept or deny the request is returned as a recommendation to the resource manager (through the policy enforcer). 5. Response Resource Manager Figure 6. An authenticated client request for a resource is directed to the resource manager server and intercepted by the policy enforcer process. POPs affect all users and groups. If the request is finally approved. as well as who is attempting the access. Authorization rules Authorization rules are defined to specify further conditions that must be met before access to a resource is permitted. Request for Authorization (AuthAPI) 4. See page 37 for details on the algorithm used. the resource manager can be WebSEAL for Hypertext Transfer Protocol (HTTP). 3. 2. POPs also indicate whether requests must be audited.Protected object policies Protected object policies (POPs) contain additional conditions that must be met in order to be granted access. Authorization Decision (AuthAPI) Protected Object Space 1. The authorization API can be used in one of the following modes: Remote cache mode In this mode. Local cache mode provides better performance because the application performs all authorization decisions locally instead of across a network. see “Authorization API: local cache mode” on page 16. One of the primary values and benefits of the authorization API is its ability to shield the resource manager from the complexities of the authorization service mechanism itself. The authorization server maintains its own cache of the replica authorization policy database. 14 Administration Guide . but shields the application from the complexities of the actual decision-making process. credential formats. The authorization API makes it possible to request an authorization check and get a simple yes or no recommendation in return. and authentication methods are all hidden behind the authorization API. The authorization API also works independently from the underlying security infrastructure. the credential format. However. the API is initialized to call the (remote) authorization server to perform authorization decisions on behalf of the application. Using the authorization API: examples Applications can use the authorization API to perform access control on specific and specialized processes. For more information about local cache mode. the API is initialized to download and maintain a local replica of the authorization database for the application. according to the results of the authorization check. Example 1 A graphical interface can be designed to dynamically show task buttons as active or inactive. For more information about remote cache mode. The authorization API allows Tivoli Access Manager resource managers and other resource managers to ask for an authorization decision. caching. Issues of management. The details of the authorization check mechanism are invisible to the user. The authorization API provides a standard programming model for coding authorization requests and decisions. The authorization API lets you make standardized calls to the centrally managed authorization service from any existing or newly developed application.Tivoli Access Manager authorization API The Tivoli Access Manager authorization application programming interface (API) allows Tivoli Access Manager applications and other applications to query the authorization service to make authorization decisions. see “Authorization API: remote cache mode” on page 15. replication. Local cache mode In this mode. the overhead of database replication and the security implications of using this mode make it best suited for use by trusted application servers. and the evaluating mechanism. storage. The authorization API is the interface between the resource manager (requesting the authorization check) and the authorization service itself. This mode is best suited for handling authorization requests from application clients. This coarse-grained level of authorization only determines if the client can run the CGI program. illustrating a request for a Common Gateway Interface (CGI) transaction by a Web application. If access is allowed to the CGI application. Example use of the authorization API Authorization API: remote cache mode In remote cache mode. The Web application is configured to use the authorization API. access controls were set on resources that the CGI program manipulates. no further control is available to resources manipulated by the CGI application. There must be an authorization server running somewhere in a domain when using remote cache mode. The authorization server can be located on the same machine as the application or on another Chapter 1. as illustrated in Figure A of Figure 7. The authorization server functions as the authorization decision-making evaluator and maintains its own replica authorization policy database. The lowest level of authorization. involves an “all-or-nothing” access control on the uniform resource locator (URL). The authorization server makes the decision and returns a recommendation to the application through the API. as shown in Figure 8 on page 16. resource managers use the function calls provided by the authorization API to communicate to the (remote) authorization server. Figure A Authorization Service Coarse-grained Access Request Client Response Third-Party Application Web Application Objects Manipulated by CGI Figure B Authorization Service Function Call Request Client Response Third-Party Application A Web P Application I Fine-grained Authorized Access Objects Manipulated by CGI Figure 7. The server can also write an audit record containing the details of the authorization decision request. As illustrated in Figure B of Figure 7. Now the CGI program can call the authorization service to make authorization decisions on the resources it manipulates — based on the identity of the requesting client.Example 2 Another use of the authorization API is demonstrated in Figure 7. Tivoli Access Manager overview 15 . it checks for any updates to the master authorization policy database that might have occurred since the local replica was built. You can also install the authorization server on more than one machine in a domain to allow for high availability. the API downloads and maintains a replica of the authorization policy database on the local file system of the resource manager. When the API starts in replica mode. Authorization API: remote cache mode Authorization API: local cache mode In local cache mode. 16 Administration Guide . The authorization API transparently performs failover when a particular authorization server fails. The local replica is persistent across invocations of the application. It performs all authorization decisions in-memory.machine. which results in higher performance and better reliability. Authorization Service Policy Server (pdmgrd ) Master Authorization Policy pdacld Authorization Evaluator AuthAPI Replica Authorization Policy AuthAPI Third-Party Application Resources Authenticated Client Figure 8. Resource managers that use the authorization service. external. benefit from the additional.Authorization Service Policy Server (pdmgrd) Master Authorization Policy Authorization Evaluator AuthAPI Third-Party Application Replica Authorization Policy Resources Authenticated Client Figure 9. The external authorization service architecture allows the full integration of an existing security service. POPs. If you configure an external authorization service. Any addition to the security policy through the use of an external authorization service is transparent to these applications and requires no change to the applications. such as WebSEAL and any application using the authorization API. but seamless. the Tivoli Access Manager authorization service simply incorporates the access decision paths into its evaluation process. the standard Tivoli Access Manager policy implementations of ACLs. Authorization API: local cache mode External authorization capability In some situations. An external authorization service preserves a the initial Chapter 1. and authorization rules might not be able to express all the conditions required by the security policy of an organization. Tivoli Access Manager overview 17 . The external authorization service allows you to impose additional authorization controls and conditions that are dictated by a separate. Tivoli Access Manager provides an optional external authorization capability to accommodate any additional authorization requirements. contribution of a configured external authorization service. authorization service module. Extending the authorization service External authorization capability is automatically built into the Tivoli Access Manager authorization service. When indifferent is returned. the external authorization services that were configured for that condition are each called in turn to evaluate their own external authorization constraints. 3. Example Figure 10 on page 19 illustrates an authorization decision involving an application server and an external authorization service. The weighting of individual external authorization services is configured when the service plug-in is loaded. All authorization decision results are summed and combined with the decision made by the Tivoli Access Manager authorization service. Examples of such conditions include: v Causing an external auditing mechanism to record the successful or unsuccessful access attempt v Actively monitoring the access attempt and causing an alert or alarm whenever unacceptable behavior is detected v Conducting billing or micro-payment transactions v Imposing access quotas on a protected resource The authorization evaluation process An authorization decision that incorporates an external authorization server takes place in the following manner: 1. denied. If a trigger condition is met during an access decision. The resulting decision is returned to the caller. 2. 4. Each external authorization service returns a decision of permitted. or indifferent. Each external authorization service decision is weighted according to the level of importance that its decision carries in the process. Imposing conditions on resource requests An external authorization service can be used to impose more specific conditions or system-specific side effects on a successful or unsuccessful access attempt.investment that a company makes in security mechanisms by allowing existing servers to be incorporated into the Tivoli Access Manager authorization decision-making process. the external authorization service has determined that its functionality is not required for the decision process and that it does not participate. 18 Administration Guide . Invocation of the external authorization service occurs regardless of whether the necessary permission is granted to the user by the Tivoli Access Manager authorization service. Response: Denied Third-Party Resource Manager Resources Client Figure 10. Request for Authorization 6. The external authorization service was loaded with the default decision weighting of 101. the purpose of the external authorization service is to impose a quota restriction on how often a photo-quality printer resource can be accessed. which overrides any decision made by the Tivoli Access Manager authorization service if required. Request Authzn API 7. External Authorization Check Secure Domain 5. The photo printer resource is being accessed and an external authorization service trigger condition was attached to this object. External authorization service with an application server In this example. The resource manager server receives a request from a client for access to an online photo printing resource. The application server first consults the Tivoli Access Manager authorization service to determine whether the requesting user has permission to submit jobs to the printer. 4. The authorization service verifies the access permissions on the target requested object and compares the permissions against the capabilities of the requesting user: group GraphicArtists rx In the ACL on the printer resource. Denied Access 8. The service implementation imposes a limit on the number of job submissions that any one person can make to this printer in one week. The client is a member of the appropriate group GraphicArtists and so is normally permitted to submit jobs to the printer.External Authorization Service 4. 1. Tivoli Access Manager overview 19 . 3. the authorization service grants the user permission to submit the job. 2. An external authorization service trigger condition was attached to the photo printer resource so that the external authorization service is invoked anytime that the photo printer is accessed. Authorization Check (allowed +100) / 2. Chapter 1. Combined Authorization Decision (denied -1) Protected Object Space 1. External Authorization Results (denied-101) Authorization Policy Authorization Service 3. So a request is also made to the external authorization service configured for that trigger condition. Therefore. the x permission grants any user in the GraphicArtists group access to the resource. and any other resource manager applications that you create. Implementing an external authorization service Two general steps are required to set up an external authorization service: 1. 7. are combined. The result is access denied. other Tivoli Access Manager resource managers. the external authorization service interface is invoked to make an additional authorization decision. In this case. The external authorization service consults a record of previous accesses made by this user. Register the external authorization service with the resource manager so that the resource manager can load the plug-in service at initialization time. and the decision made by the Tivoli Access Manager authorization service. then the external authorization service returns a decision of access denied. 2. For this example. If the requesting user has not exceeded the quota for the week. which make requests to the authorization server for authorization decisions. 5. Applications that can load external authorization services include the authorization server. v Remote-mode authorization API clients. the results of each external authorization service is 20 Administration Guide . Registering the service sets a trigger condition for the invocation of the external authorization service. because the result of the external authorization service (–101) outweighs that of the Tivoli Access Manager authorization service (100). The implication is that the external authorization service is indifferent to the request and has no intention of participating in the access decision because its conditions for denying access have not been met. The results of the external authorization service decision. Deployment strategies Tivoli Access Manager allows you to implement an external authorization service in several ways: v Any number of external authorization services can be registered with resource manager applications. The resource manager server returns a response to the caller to indicate that the job was rejected. it is assumed that the requester has exceeded the quota and that the external authorization service detects this problem and returns an access denied decision. 8. it returns an access decision of indifferent. The resource manager server rejects the job submission to the photo printer resource. 6. v More than one external authorization service can be called for any single trigger condition. However. It then takes this decision and weights it with the default external authorization service weighting value of 101. The Tivoli Access Manager authorization service receives the access denied result from the external authorization service. automatically use any external authorization service that is loaded by the authorization server. When the trigger condition is encountered during an authorization check.The external authorization service receives all the Access Decision Information (ADI) that was passed in with the original access decision check by the resource manager server. Write an external resource manager service plug-in module with an authorization interface that can be referenced during authorization decisions. if the user has exceeded the quota. an external authorization service can be triggered specifically when a user requests a Write operation to a protected resource. Chapter 1. There is no requirement to make remote requests to the external authorization service and the overhead of making the call is equivalent to the overhead of a function call. For example. This feature greatly simplifies the task of external authorization service development. regardless of the operation that is being requested.v v v v weighted accordingly. using a POP trigger. Trigger conditions can also be placed on the operations requested by a user. The external authorization services are implemented as dynamically loadable library (dynamic link library (DLL)) modules. The combination of the authorization API and an external authorization service provides a highly extensible and flexible solution for implementing a complex security policy. Trigger conditions can be placed on objects. triggers a call to the external authorization services that are configured for the trigger. and then the results are combined with the result of the Tivoli Access Manager authorization service. but not for any other operation. It is then possible to develop sets of operations for which one or more external authorization services in combination are triggered according the set of operations requested. Tivoli Access Manager overview 21 . such that any request to an object. 22 Administration Guide . Web Portal Manager Tivoli Access Manager includes the following user interfaces that allow you to manage domains. The IBM Tivoli Access Manager for e-business: Command Reference provides detailed information about the pdadmin command-line interface. The pdadmin command-line interface is installed as part of the Tivoli Access Manager runtime package. For example. and other utilities. You can also automate certain management tasks by writing scripts that use the pdadmin utility. 1999. Tivoli Access Manager 6. The Integrated Solutions Console is a graphical administration console that provides a framework for administering multiple products.1 administrators do not have to be WebSphere Application Server administrators.Chapter 2. users and groups. and other resources in your enterprise: pdadmin pdadmin is a command-line interface that you can think about as the pdadmin shell. the commands that you can run from this interface. The following list describes the capabilities of each Web Portal Management role: Role name: wpmpolicyadmin wpmpolicyadmin is a Web Portal Manager policy administrator role. one Tivoli Access Manager administrator can manage policies and another administrator can manage WebSEAL junctions. Web Portal Manager Web Portal Manager is a management console that you can use to perform tasks that are like the commands provided by the pdadmin commands. your console enables you to administer Tivoli Access Manager and WebSphere Application Server. For example. an enterprise can limit the Tivoli Access Manager administrator access to management functionality. The Web Portal Manager is implemented as a plug-in to the IBM Integrated Solutions Console.1. permissions. The following is a list of tasks that the wpmpolicyadmin role performs: v Object Space: – Browse Object Space – Copy/Paste Object Space – Create Object – Import Object – Create Object Space v Access Control List (ACL): – List ACLs – – – – © Copyright IBM Corp. Web Portal Manager roles: Using Web Portal Management administrator roles. policies. 2010 Create ACL Import ACL Export All ACLs List Action Groups 23 . The following is a list of tasks that the wpmregistryadmin role performs: v User tasks: – Search Users – – – – Create User Import User Show Global User Policy Change My Password v Group tasks: – Search Groups – Create Group – Import Group Role name: wpmwebsealadmin wpmwebsealadmin is a Web Portal Manager WebSEAL administrator role.– Create Action Group v Protected Object Policy (POP): – List POPs – Create POP – Import POP – Export All POPs v Authorization (AuthzRules): – List AuthzRules – Create AuthzRule – Import AuthzRule – Export All AuthzRules v Global Sign-On (GSO) Resources: – List GSOs – Create GSO – List GSO Groups – Create GSO Groups v Secure Domain: – List Secure Domains – Create Secure Domain Role name: wpmregistryadmin wpmregistryadmin is a Web Portal Manager registry administrator role. The following is a list of tasks that the wpmdelegateadmin role performs: 24 Administration Guide . The following is a list of tasks that the wpmwebsealadmin role performs: v v v v v List Junctions Create Junctions List Virtual Host Junctions Create Virtual Host Junctions Dynamic URL Files Role name: wpmdelegateadmin wpmdelegateadmin is a Web Portal Manager delegate administrator role. This chapter contains the following sections: v “Types of administration” v “Delegate administration tasks” v “Web Portal Manager common tasks” on page 26 v “Customizing the Web Portal Manager interface” on page 28 v “Self-registration tasks” on page 28 Types of administration Tivoli Access Manager provides two types of administration: v Administration v Delegate administration You can use Web Portal Manager to perform both types of tasks. To use Web Portal Manager. thus supporting multilevel delegation and management hierarchy based on roles. group and role administration. Another difference between these interfaces is that when you use the pdadmin utility. you can copy and paste the contents of the file. only a subset of the management tasks can be performed using Web Portal Manager. The Integrated Solutions Console is automatically installed when you install WebSphere Application Server. Although you can manage your enterprise using either interface. see the IBM Tivoli Access Manager for e-business: Installation Guide. In some cases. you cannot specify a file name.” on page 337. Delegate administration tasks Web Portal Manager delegate administration provides a Web-based interface that includes a set of delegated management services. The delegate administration supports the following operations: v Creation of multiple enterprise domains Chapter 2. security administration. The delegated management services enable a business to delegate user administration. To compare the mapping between the pdadmin utility and Web Portal Manager tasks. see Appendix E. and application access provisioning to participants (subdomains) in the business system.v v v v Manage Enterprise Domains Manage Roles Domain User Search Change My Password Web Portal Manager is not installed as part of the Tivoli Access Manager runtime. Web Portal Manager 25 . The administrator uses the same URL to connect to Web Portal Manager for both administration and delegate administration. however. When using Web Portal Manager. These subdomains can further delegate management and administration to trusted subdomains under their control. you must install it separately. “pdadmin to Web Portal Manager equivalents. Note: For complete installation instructions. you can specify a file. As the number of users grows. Enterprise Edition (J2EE) servlets and Java Server Pages (JSPs) to implement self-registration. ensure that the WebSphere Application Server is running. and enabled SSL or FIPS. Users can go to the Web Portal Manager delegate administration page and manage their passwords. See “Self-registration tasks” on page 28. This sample is supported only on an LDAP registry. Domain Administrator. without the involvement of an administrator. not Domino® or Active Directory. and Support Administrator) and enforcement of the administrative tasks that can be performed with each administrator type v Use of self-registration. While the WebSphere server is running. and self-care to reduce the administration load. Administrator. “Delegated administration.v Assignment of users to be domain administrators v Assignment of administrator types (such as: Tivoli Access Manager Administrator. Self-care Web Portal Manager deployments can grow to support large number of users. type the following Web address: 26 Administration Guide . Self-registration and self-care are features of the Web Portal Manager that can be used to reduce the administration load. Web Portal Manager includes a sample application that allows end users to perform self-registration. use one of the following Web addresses to start Web Portal Manager for administration: v If you installed. the user must go to the Change My Password task. Self-registration Self-registration is the process by which a user can enter required data to become a registered Tivoli Access Manager user. Included with Web Portal Manager is sample code that implements a self-registration page. so does the number of administrators required to manage these users. After logging in. Web Portal Manager supports self-care operations by allowing Tivoli Access Manager users to change their Tivoli Access Manager password through Web Portal Manager. meaning to become a registered Tivoli Access Manager user without the involvement of an administrator. configured. Refer to Chapter 16. such as: v “Starting Web Portal Manager” v “Logging in and signing off” on page 27 v “Accessing online help” on page 27 Starting Web Portal Manager Before starting Web Portal Manager.” on page 183 for a complete description of Tivoli Access Manager delegate administration tasks. Senior Administrator. Web Portal Manager common tasks This chapter provides procedures for the more common Web Portal Manager tasks. The sample code shows how to use the Tivoli Access Manager Java Administration APIs along with Java 2 Platform. ibm. Chapter 2. In the navigation pane. For example: https://testgroup.austin. 3. and then expand Web Portal Manager or Delegate Administration. and then click Sign On: v Name of the domain in which you want to perform tasks v User name v Password associated with the user name 6. configured. 7. After the Tivoli Access Manager splash screen appears in the content pane.ibm. and 9060 is the non-secured port for the Integrated Solutions Console. Click Logout at the top right of the Integrated Solutions Console to terminate the session and log out of the Integrated Solutions Console. Users can go to the Web Portal Manager delegate administration page and manage their passwords. such as the following information. select and perform tasks. Logging in and signing off To log in to Web Portal Manager. click a task to display the Web Portal Manager Sign On fields.austin. and click Log in. expand Tivoli Access Manager. After logging in. Web Portal Manager 27 . 5. type the following Web address: http://hostname:9060/ibm/console where hostname is the machine where IBM HTTP server and WebSphere Application Server are running. see the WebSphere Application Server documentation. Refer to the help system when you enter information in fields or select or clear choices. the system might prompt you to log in again. v If you do not have SSL or FIPS installed. the user must select Delegate Administration > Change My Password. In the navigation panel. depending on the tasks you need to perform. Note: After a certain period of inactivity.com:9060/ibm/console The Web Portal Manager delegate administration tasks are accessed from the same Web address as are the Web Portal Manager administration tasks. complete the following steps: 1. as needed. 2. and enabled.com:9043/ibm/console Note: For information about enabling FIPS in a WebSphere environment.https://hostname:9043/ibm/console where hostname is the machine where IBM HTTP server and WebSphere Application Server are running. For example: http://testgroup. and 9043 is the secured port for the Integrated Solutions Console. Provide the appropriate user name. Accessing online help Instructions for completing tasks using Web Portal Manager are documented in the online help system. Launch the Integrated Solutions Console. 4. Provide Web Portal authentication. gif. 2. Place the new images in the following directory for administration: For Linux and UNIX operating systems websphere_install_dir/WebSphere/AppServer/systemApps/isclite. click the question mark icon on the right side of the page.war/images/en For Windows operating systems websphere_install_dir\Program Files\IBM\WebSphere\AppServer\ systemApps\isclite. the user 28 Administration Guide .war\images\en where websphere_install_dir is the directory where WebSphere is installed. 2. access online help. complete the following steps: Use Web Portal Manager to log in to the domain. splashGif Shows the specified image on the welcome page. 3. 4. Performing self-registration One possible scenario for implementing self-registration is where a user opens a Web browser to view a self-registration Web page. 3. Note: This sample is supported only when your Tivoli Access Manager user registry is an LDAP user registry.ear\ iscwpm. You cannot perform self-registration tasks for an IBM Lotus® Domino or a Microsoft Active Directory user registry. after the login page.To 1. The default value is accessmanager. Customizing the Web Portal Manager interface Web Portal Manager allows you to customize the interface. On this Web page. complete the following steps: 1. You can customize the branding of Web Portal Manager by modifying the configuration to specify which Web page (HTML or JSP file) or image (GIF file) must be loaded when Web Portal Manager starts. Restart the WebSphere server. Change the value of the following entries in the amconf. 4.gif. Customizing the images Customizing images in Web Portal Manager consists of placing new replacement images where the default images are currently located. create a locale-specific subdirectory under the /images directory and place the new images in this subdirectory.properties configuration file to specify the new images to display: loginGif Shows the specified image on the login page. The default value is accessmanager.ear/ iscwpm. Close the help window after you complete the task. To customize the images for Web Portal Manager. Select a task such as Group → Import Group. In the task title bar. Self-registration tasks Tivoli Access Manager provides a self-registration sample to demonstrate how it works. For locale-specific versions of these images. A help window contains the online information for completing the task. Because users do not typically have permission to create objects in Tivoli Access Manager. and password of the user. For example. this page is not shown again. The files are installed in the following directory: Chapter 2. If you use this sample as the basis for a production registration application. The sec_master administrator has the proper access by default. After the administrator information is entered. regProp. This value is used to construct the distinguished name (DN) of self-registered users. and a password.o=ibm. For this sample. enter o=ibm. the user would probably be added to some groups to have access to some applications. family name. cn=FirstnameLastname. the ID and password are not saved in a secure manner.c=us and the registered users are created in LDAP as. family name. The following information is requested the first time the self-registration sample is accessed. This page could also be a servlet class.c=us.jsp The page that is displayed to gather login information for the administrator. Any user who accesses the self-registration sample from the same browser can create a user in Tivoli Access Manager. Web Portal Manager 29 . the self-registration sample requires the ID and password of an administrator who has permission to create users. you must consider ways to secure the administrator login information. you are shown only the registration page where you can enter the given name. v Administrator name v Password v Registry container The administrator name and password must be the name of an administrator who has permission to create users in Tivoli Access Manager. The Registry Container field must be the base name in LDAP where user entries must go. The user is not added to any groups.jsp The code that creates the user. Changing Java Server Pages The provided sample application includes the following Java Server Pages (JSPs): regAdmin. regControl. The administrator login is saved in the servlet session. This page receives and processes the registration requests. In a real application. If you access the sample. You must restart the application server to clear the administrator login information. This login information is then used to create users when somebody enters the required information about the registration page. The identification information provided by the user is then validated and the user is created in the Tivoli Access Manager registry.jsp The page that is displayed to gather the given name.enters specific identification information (either company-specific or user-specific) with a Tivoli Access Manager user ID and password. This data is saved by the servlet in memory and then used to create users who request to be registered. desc = ldapcn + " " + ldapsn. ctx = (PDContext)session. } catch(PDException e) { // process exception .toCharArray().getParameter("ldapsn"). try { createUser(bundle. userid. profile_name is the name of the application profile.. adminPassword. String ldapSuffix = request. ldapcn = request. String adminPassword = request. // Save the PDcontext and the LDAP Suffix session. url). a PDContext object is created and stored in the user servlet session as shown in the following code sample: String adminid = request.setAttribute("regAdminCtx".. acc_valid. "userRegisteredMsg"). .. messages). the PDContext object is retrieved from the session and used to create the user as shown in the following code fragment: // Creating the Access Manager User pwd = request.ear/pdadmin.war\ register where websphere_install_dir is the directory where WebSphere is installed. pwd_valid.getParameter("admin"). ldapSuffix).For Linux and UNIX operating systems websphere_install_dir/WebSphere/AppServer/profile/profile_name/ installedApps/cell_name/TAMWPM.war/register For Windows operating systems websphere_install_dirProgram Files\IBM\WebSphere\AppServer\profile\ profile_name\ installedApps\cell_name\TAMWPM.getParameter("suffix"). ldapsn = request. 30 Administration Guide . usergroups. pwd. gso_user.getParameter("password"). // Try a login try { ctx = new PDContext(adminid. desc.getString(bundle.getParameter("password"). When the administrator login information is entered.getParameter("ldapcn")." + ldapSuffix. } After the user enters the new user information. ctx). succmsg = userid + ResourceFile.jsp" % <% } PDMessages messages = new PDMessages().war/images/ register. ldapdn. session. userid = ldapcn + ldapsn. ldapsn.. ctx. // Make sure the session has not timed out if ( ctx == null ) { %> <%@ include file="regAdmin. ldapcn. and cell_name is the name of the WebSphere cell.ear\register.setAttribute("ldapSuffix". } return. no_pwd_pol.getAttribute("regAdminCtx"). ldapdn = "cn=" + ldapcn + ldapsn + ". . Chapter 2.catch(PDException e) { // process exception .. Web Portal Manager 31 . } The new user ID is the given name and family name concatenated together. 32 Administration Guide . Any security policy that is implemented in a domain affects only the objects in that domain. 3. you can define the following characteristics: v Who is allowed access. Install and configure resource managers.Chapter 3. 1999. as necessary. automatically create a protected object space and create the required protected resources (also known as protected objects) when they are configured. a protected object policy (POP). Users with authority to perform tasks in one domain do not necessarily have the authority to perform those tasks in other domains. This domain is used by Tivoli Access Manager to manage the security policy of all domains and is available for managing other protected resources as well. these resources can be any physical or logical entity. business unit. For small and moderately sized enterprises. printer and network services. If only one domain is needed. In large enterprises. including objects such as files. The administrator can rename the management domain and change its location when the Policy Server is configured. and other components. Domains A domain consists of all the resources that require protection along with the associated security policy used to protect those resources. and message queues. For protected objects. Web pages. you might want to define two or more domains. v When that access is allowed. The resources that you can protect depend on the resource managers that are installed. The security administrator can define the resources in a domain based on geography. The default name of this management domain is Default. Each domain is given a name and is established with a unique set of physical and logical resources. however. and by default it is located in a stand-alone naming context. 6. Define protected objects in the object space. or major organizational division within the © Copyright IBM Corp. a suffix called secAuthority=Default. 2. to represent the resources that are to be protected. v What other conditions that must be met before permitting access. Create additional object spaces. as needed. Tivoli Access Manager administration The administration of Tivoli Access Manager involves the following major tasks: 1. such as plug-ins for Web Server. directories. no explicit action needs to be taken. All the Tivoli Access Manager resource managers. for management purposes. referred to as the management domain. v Whether the access request is audited. as part of its initial configuration. and an authorization rule to objects in the protected object space. Define users and groups that require access to the protected resources. Implement your security policy by attaching an access control list (ACL) policy. 5. such as WebSEAL or Tivoli Access Manager for Operating Systems. as needed. 2010 33 . Tivoli Access Manager creates a domain. one domain is typically sufficient. Depending on the resource managers that are installed. v What type of access is permitted. Creating domains and subdomains for management purposes. 4. an administrator wants to import a user or group from a different domain. and so on. user JDoe. Web pages.conf configuration file for the policy server. Likewise. see Chapter 5. can be granted access only by the unique identity by which the user is defined in the Advertising domain. by default. However. Simplified administration You can assign independent administrators to handle policy management tasks for each domain. An administrator assigned to a specific domain has authority only within that domain. A multiple domain environment can be invaluable when there is a business need to keep a physical separation between different sets of data. groups. Conversely. such as files. suppose that a user named John Doe is identified as JohnDoe in the Sales domain and as JDoe in the Advertising domain. The structure of the protected object space consists of two types of objects: Resource objects Resource objects are the logical representation of actual physical resources. in a domain. assigned to deploy Tivoli Access Manager from a single data center. “Managing domains. for example. This feature is beneficial if. 34 Administration Guide . division. The protected object space is the logical and hierarchical portrayal of resources belonging to a domain. For example. or resources change. Although the same person. message queues. For more information about managing domains. even though it is the same person. services.enterprise. an administrator can view users and groups defined in the user registry that are not necessarily Tivoli Access Manager users or groups. The security policy defined in the domain affects only the resources in that domain. each user ID is unique for each domain. you can add the allowed-registry-substrings stanza entry to the [domains] stanza in the ivmgrd. For example.” on page 61. Therefore resources available to user JohnDoe can be granted access only by the unique identity by which the user is defined in that domain (Sales) or by groups that are defined in the Sales domain that JohnDoe is a member of. As users. and resources that are defined within a domain cannot be associated with another domain. which allows data to be partitioned and managed independently. the assigned administrator is responsible for updating the security policy for that particular domain. or geographic area in your company. The following other benefits are associated with using multiple domains: Increased security Security policy data for each domain is mutually exclusive. assume that you are an IT specialist for a large corporation. You could create a separate domain (with a unique policy database and an administrator) for each organization. Protected object space Tivoli Access Manager represents resources within a domain using a virtual representation called the protected object space. This domain administrator can also delegate administration tasks to others within that specific domain. groups. if you are the administrator of the management domain and want to limit the registry data that a domain administrator can access. Users. Container objects Resource objects Figure 11. These resources can be resource objects or container objects. This object space consists of the objects that are used to manage Tivoli Access Manager itself. Tivoli Access Manager protected object space The structural top of the protected object space is the root container object. Tivoli Access Manager administration 35 . Below the root container object are one or more container objects. Figure 11 shows a logical representation of a protected object space with multiple container and resource objects. Each container object represents an object space that consists of a related set of resources.Container objects Container objects are structural components that allow you to group resource objects hierarchically into distinct functional regions. Chapter 3. the installation creates the following container objects: v /Users v /Groups v /POP v /Action v /ACL v /GSO v /Server v /Config v /Replica Figure 12 on page 36 shows the complete /Management object space that is created during the installation of Tivoli Access Manager. This illustration shows container objects as white boxes and resource objects as gray boxes. Under the /Management object space. The installation of Tivoli Access Manager creates the /Management object space. Security policy can be applied to both types of objects. The most common type of group maintains the group membership as an explicit list of members (users). Tivoli Access Manager supports two types of group definitions./ (root) Management Users Groups POP Action ACL GSO Server Config Replica Figure 12. The creation and management of a dynamic group can be complex and is specific to the vendor implementation. however. For instance. The vendor-specific tools must be used to create and maintain dynamic groups. The sec_master user and 36 Administration Guide . If a required user or group was not in the user registry before it was imported into Tivoli Access Manager or a new user or group needs to be added to the Tivoli Access Manager user registry. you can create it using Tivoli Access Manager. If an existing employee switches department. Regions of the Tivoli Access Manager protected object space Each resource manager that protects a related set of resources creates its own object space. you create a dynamic group for members of department XYZ. the installation of the WebSEAL component creates the /WebSEAL object space. the domain administrator is sec_master. Manual intervention is not required. This resolution is based on the results of a defined search filter. In you have a user registry that maintains users and groups for another application. When a domain is created. Tivoli Access Manager also supports the use of dynamic groups. dynamic groups cannot be created or maintained using Tivoli Access Manager utilities or user interfaces. the user is automatically added to the group. and Tivoli Access Manager for Operating Systems creates the /OSSEAL object space. you can import this user registry information into Tivoli Access Manager. the user is automatically removed from the group. Because of these variables. a special user known as the domain administrator is created. This type of group is sometimes referred to as a static group. For Active Directory and LDAP registry users. If you import a new user whose data matches an entry in the search filter. because it requires a search-like filter to be specified and used for group membership resolution. Tivoli Access Manager. For the management domain. Tivoli Access Manager supports different types of users. Dynamic groups are groups whose members are automatically resolved when the group is accessed. For example. because the membership is listed and maintained. can import and use these dynamic groups after they are created. Users and groups Tivoli Access Manager maintains information about Tivoli Access Manager users and groups in the user registry. ensure that you do not compromise the security of your domain. Chapter 3. The domain administrator is added as a member of the Tivoli Access Manager iv-admin group within the domain. POPs. For other domains. Security policy can be explicitly applied to an object or can be inherited by an object that is above it in the hierarchy. The Tivoli Access Manager authorization service decides whether to permit or deny access to objects based on the credentials of the user that is making the request and the specific permissions and conditions that are set in the ACL policies. The iv-admin group represents those users with domain administration privileges. or other external factors. a request to modify an object more than five times in an eight-hour period could be denied. the current environment. Tivoli Access Manager administration 37 . The authorization service uses the following algorithm to process the security policy that is attached to a protected object: 1. a time-of-day restriction can be placed on an object that excludes all users and groups from accessing that object during the specified time. any change to the security policy is reflected immediately throughout the domain. a specific set of groups or users can be granted read access to an object. When there is an authorization rule attached and the user cannot override it. and authorization rules to objects that require protection. Apply an explicit security policy in the protected object space only at those points in the hierarchy where the security policy must change. Check permissions in the ACL policy to determine whether the user can override the attached POP or authorization rule. 3. and authorization rules. For example.associated password are created during the configuration of the Tivoli Access Manager policy server. See “Evaluating ACL policies” on page 39 for information about the evaluation process. The data used to make this decision can be based on the context of the request. For example. the user ID and password of the domain administrator are established when the domain is created. After attaching a security policy to an object. Protected object policies A protected object policy (POP) specifies access conditions that are associated with an object. POPs. For example. Security policy Access to objects in a domain is controlled by attaching security policy to objects in the protected object space. The domain administrator has nearly complete control of the domain. A POP affects all users and groups. check the Internet Protocol (IP) endpoint authentication method policy. Authorization rules An authorization rule specifies a complex condition that is evaluated to determine whether access is permitted. When there is a POP attached. Each security policy can be defined using a combination of the following controls: Access control list policies An access control list (ACL) policy specifies what set of predefined actions that a set of users and groups can perform on an object. 2. When adding users to the iv-admin group. Security policy is implemented by strategically attaching ACL policies. Think of the domain administrator as the Tivoli Access Manager equivalent to the Linux or UNIX root account or the Microsoft Windows Administrator user. gather the Access Decision Information (ADI). 5. or role v The specific operations permitted to the special any-other and unauthenticated user categories Using ACL policies with the authorization service Tivoli Access Manager relies on ACL policies to specify the conditions necessary for a particular user to perform an operation on a protected object. Tivoli Access Manager requires that resource managers make calls to the authorization service before the requested operation is allowed to progress. The EAS can override this decision on its own. group. Each ACL policy has a unique name and can be applied to multiple objects within a domain. In addition. and audit the access decision. check the audit-level policy. Each permission is displayed (by the pdadmin utility or Web Portal Manager) with a label describing the operation it governs. invoke the EAS. Tivoli Access Manager uses a default set of actions that cover a wide range of operations. This call is made through the authorization application programming interface (authorization API) for both Tivoli Access Manager services and other applications. check the authorization rule policy. or permissions. Generic). check the time-of-day policy. the access request is denied. if it was designed to do. If any of the ACL policy. ACL policies The policy that defines who has access to an object. When an authorization rule is attached and the user cannot override the authorization rule. or authorization rule evaluations fail. are represented by single alphabetic ASCII characters (a-z. entries in the ACL specify what operations are allowed on this object and who can perform those operations. When there is a POP attached. 6. the Web Portal Manager groups the ACL policies according to their use in a particular part of the object space (such as WebSEAL) or their use across the entire object space (Base. An ACL policy consists of one or more of the following entries descriptions: v The names of users and groups whose access to the object is explicitly controlled v The specific operations permitted to each user. A resource manager software typically contains one or more operations that are performed on protected resources. POP. and what operations can be performed on the object. Actions. A-Z). does the user have the view (r) permission to view an object? 38 Administration Guide . The authorization service uses the information contained in the ACL entry to make a simple “yes” or “no” response to the following question: Does this user or group have the appropriate permission to perform the requested operation on the requested object? For example. When an ACL policy is attached to an object. When an external authorization service (EAS) operation or a POP trigger applies to this access decision. 7.4. is known as the ACL policy. When there is a POP attached. Successful match Evaluation stops here. Unsuccessful match Continue to the next step. Evaluating authenticated requests Tivoli Access Manager evaluates an authenticated user request in the following order: 1. If an ACL entry contains unauthenticated without any-other. you can determine how best to keep unwanted users from gaining access to resources. Evaluating unauthenticated requests Tivoli Access Manager evaluates an unauthenticated user by granting the permissions from the unauthenticated ACL entry. This implicit entry grants no permissions. 2. 4. the default response is to deny permissions to unauthenticated. Evaluating ACL policies Tivoli Access Manager follows a specific evaluation process to determine the permissions granted to a particular user by an ACL policy. Tivoli Access Manager administration 39 . Match the user ID with the user ACL entries. Chapter 3. if it exists. The unauthenticated entry is a mask (a bit-wise “and” operation) against the any-other entry when permissions are determined. A permission for unauthenticated is granted only if the permission also appears in the any-other entry. 3. Determine the groups to which the user belongs and match group ID with the group ACL entries. If more than one group entry is matched. Successful match No permissions granted. An implicit any-other entity exists when there is no any-other ACL entry. The authorization service is independent of the operations being requested. the resulting permissions are a logical “or” operation (most permissive) of the permissions granted by each matching entry. This independence is why it is easy to extend the benefits of the authorization service to other applications.The authorization service has no knowledge about the operation requiring the read (r) permission. Successful match Evaluation stops here. When you understand this process. Unsuccessful match Continue to the next step. Grant the permissions of the any-other entry. it makes little sense for an ACL entry to contain unauthenticated without any-other. Because unauthenticated depends on any-other. It is merely noting the presence or absence of the r action bit in the ACL entry of the requesting user or group. End of evaluation process. The permissions granted are the permissions in the matching entry. Unsuccessful match Continue to the next step. Successful match Evaluation stops here. authorization rules are defined to specify conditions that must be met before access to a protected object is permitted. Like ACL policies and POPs. Each authorization rule policy has a unique name and can be applied to multiple objects within a domain. and time-of-day. More details about these attributes are in “Configuring POP attributes” on page 111. More details about this policy are in “Network-based authorization policy” on page 110. the ability of a user to read data associated with an object is either granted or denied by an ACL policy. audit level. For example. 40 Administration Guide . The purpose of a POP is to impose access conditions on an object based on the time of the access and to indicate whether the access request must be audited. Rules give you the flexibility of the policy defined by an external authorization service without requiring that you develop and build the logic of an external authorization service into a shared library plug-in. These conditions are evaluated as a Boolean expression to determine if access to the object must be granted or denied. from the resource manager application or from the encompassing business environment. POPs apply to all users and groups and control conditions that are specific to a particular protected object. such as context and environment. An authorization rule is created using a number of conditions that are based on data supplied to the authorization engine within the user credential. the conditions you can apply are: v POP attributes. structured data. You can examine values in the rule data and make informed access decisions. v Network-based authentication POP. time-of-day access excludes all users and groups from accessing an object outside of the times set in the time-of-day policy. How authorization rules differ ACL policies take a given predefined set of operations and control which users and groups have permission to perform those operations on a protected object. Each POP has a unique name and can be applied to multiple objects within a domain. The language of an authorization rule allows you to work with complex. v Quality of Protection POP. The data used in an access decision can be defined statically within the system or defined during a business process. For example. Authorization rules An authorization rule policy specifies security policy that applies to an object based on various conditions.Protected object policies A protected object policy (POP) specifies security policy that applies to an object regardless of what user or what operation is being performed. Specifically. More details about this policy are in “Step-up authentication” on page 114. More details about this policy are in “Setting a Quality of Protection level” on page 114. v Authentication strength POP (step-up). such as warning mode. v Create a core set of ACL policies. these are not simply extensions of the existing policy types. and authorization rules. An ACL policy can grant a group permission to write to a resource. or authorization rule. v Arrange your protected object space so that most objects are protected by inherited. Set exceptions to this policy with explicit ACL policies. Access to an object by individual users can be efficiently controlled by adding users to or removing users from these groups.Rules allow you to make decisions based on the attributes of a person or object and the context and environment surrounding the access decision. Guidelines for a secure object space The following guidelines are applicable for a secure object space: v Set high-level security policy on container objects at the top of the object space. and reuse these policies wherever necessary. Inherited security policy lowers maintenance because it reduces the number of ACL policies. So any modification to the policy impacts all objects associated with the ACL policy. the entire security policy (ACL policies. where each subtree is governed by a specific access policy. POPs. However. This feature can reduce the complexity of the rule logic considerably. For example. Therefore. ACL policies. ACL policies. POPs. Tivoli Access Manager administration 41 . It is possible for an ACL policy to consist of only group entries. Reduce the risk of an error that could compromise your network by simplifying the maintenance of your tree. Chapter 3. Authorization rules provide the flexibility needed to extend an ACL policy or POP by tailoring security policy to your needs. POPs. using ACL policies and POPs generally provides better performance. An authorization rule is a policy type that is rich enough in functionality to replace the ACL policy and POP. You also can use an authentication rule to extend the controls that are provided by the ACL policies by implementing a more advanced policy. A rule can go a step further by allowing you to determine if a group has exceeded a specific quota for a given week before permitting that group to write to a resource. Authorization rules can also be written to consider any group memberships of an individual rather than the individual specifically. POPs. v Position new objects in the tree where they inherit the appropriate permissions. Authorization rules can be used to extend the policy implemented by other Tivoli Access Manager policy types. POPs. POPs. You determine the access policy for an entire subtree by setting explicit ACL policies. and authorization rules. When to use authorization rules In the Tivoli Access Manager authorization process. and authorization rule policies are a single-source definition. and authorization rules that you must maintain. you can use a rule to implement a time-of-day policy that depends on the user or group. Individual user entries are not required in the ACL policy when the users can be categorized into groups instead. use a rule to complement these policies instead of replacing them. POP. v Control user access through the use of groups. and authorization rules) must permit access to the protected object before access is granted. and authorization rules at the root of the subtree. such as one based on quotas. rather than explicit. POPs. and authorization rules on objects that are lower in the hierarchy. Arrange your object tree into a set of subtrees. However. 42 Administration Guide . Chapter 4. The following list illustrates possible administration roles: © Copyright IBM Corp. All members of this group are considered administrators of the domain by the default policy. or a member of the Microsoft Windows Administrator group. By default. 1999. Default security policy Tivoli Access Manager establishes a default security policy to protect all objects in a domain. the administrator (sec_master) user is created and added to the iv-admin group. Administration users You can create administration accounts with varying degrees of responsibility. these users and groups are given special permissions to control and manage all operations in a domain. Tivoli Access Manager provides several important administration groups. It is the combination of group memberships that grants sec_master complete rights for all operations within the management domain but only within the default policy. permitting it to perform all actions within Tivoli Access Manager. that user has full rights to perform administration operations on any object in the protected object space. The sec_master user does not have rights to new groups created outside of the default policy unless it is added as a user or a member of a group. Responsibility is delegated to administrators through strategically placed administration ACLs. and explain how to create administration users. The danger with this procedure is that as soon as a user becomes a member of this group (with the default ACLs). The following sections detail the specific roles assigned to each of these users and groups at installation time. By default. 2010 43 . members of this group are authorized to delegate requests to other Tivoli Access Manager servers on behalf of the requestor. When the policy server is configured. A set of administrative users and groups is established and granted a predefined set of permissions. Default administration users and groups At installation. ivmgrd-servers group The ivmgrd-servers group contains the policy servers and the policy proxy servers. Think of this account as the equivalent of the Linux or UNIX root account. The default policy makes the sec_master user a member of the iv-admin group. The default security policy is described in this chapter. iv-admin group This group represents the administrator group. sec_master user The sec_master user is created when Tivoli Access Manager is initially installed and configured. This default security policy is defined by the access control lists (ACLs) created during configuration. You can easily place users into an administration role by adding them to the iv-admin group. /Management/POP. 44 Administration Guide .Security policy administrator Security policy administrators are responsible for defining and organizing security policy in a domain. v Bypass POP (B) v Bypass rule (R) Protected resource administrator Protected resource administrators are responsible for adding and removing user access to one or more protected resources. and delete security policy. These administrators need the following permissions on the /Management/Server protected resource: v Traverse (T) v Browse (b) v View (v) v Modify (m) v Delete (d) These permissions give the ability to configure resource managers into and out of the domain as well as update their configuration. modify. these administrators need the following permissions on the /Management/ACL. These tasks include: v Adding users to and removing users from groups that are defined in the security policy v Adding permissions to and removing permissions from resources These administrators need the following permission on the /Management/Groups protected resource or on the individual groups that are defined in the /Management/Groups subtree: v Traverse (T) v Browse (b) v View (v) v Add (A) Deployment administrator Deployment administrators are responsible for installation and configuration of the resource managers in the domain. The administrator needs to be able to create. To perform these tasks. and /Management/Rule resources: v Traverse (T) v Browse (b) v View (v) v Modify (m) v Delete (d) These administrators need the following permissions to navigate their subtree of protected resources: v Traverse (T) v Browse (b) v View (v) These administrators need the following permission to ability to attach and detach security policy to the same subtree: v Attach (a) These administrators must have the following permissions so as not to be affected by security policies that apply to all users for the same subtree. user user group peter michael engineering ---------T---rx ---------T---rx ---------T---rx --------------- ACL unauthenticated Figure 13. One policy can dictate the protection parameters of many objects. or authorization rule affects all objects to which the policy is attached. ACL policies An ACL policy is the set of controls (permissions) that specifies the conditions necessary to perform certain operations on that resource. ACL policy Protected object policies ACL policies provide the authorization service with information that results in a yes or no answer on a request to access a protected object and perform some operation on that object. In contrast to ACL policies. protected object policies (POPs) contain additional conditions on the request that are passed back to Tivoli Access Manager and the resource manager along with the yes ACL policy decision from the authorization server. When a requested operation on a protected object is permitted. the resource manager responsible for the resource implements this operation. protected object policies (POPs). Chapter 4. and authorization rules that can be applied to the object representations of the system resources to be protected in the object space. The authorization service performs authorization decisions based on the policies applied to these objects. The following table lists the available attributes for a POP that are provided by Tivoli Access Manager. A security policy consists of the access control list (ACL) policies. POPs. You can apply ACL policies. POP. like all policies. Default security policy 45 . and authorization rules to the same object. ACL policies. ACL policies are important components of the security policy that is established for the domain. An ACL policy provides the following controls: v What operations can be performed on an object or resource v Who can perform an operation An ACL policy is made up of one or more entries that include user and group designations and their specific permissions. Any change to an ACL policy. are used to stamp the set of security standards for an organization on the resources that are represented in their protected object spaces. It is the responsibility of Tivoli Access Manager and the resource manager to enforce the POP conditions.Defining and applying security policy Security administrators protect system resources by defining a security policy. or privacy. Time-of-day places restrictions on the access to the object. Warning mode provides a way to test security policy before they are made active. integrity. none. Each authorization rule has a unique name and can be applied to multiple objects in a domain. or sparse ACLs as described in “Sparse security policy model” on page 47 also applies to POPs in the same manner. such as context and environment. Day and time restrictions for successful access to the protected object.Table 1. Like ACL policies and POPs. it only enforces the following attributes: v Name v Description v Warning mode v Audit level v Time-of-day access Each resource manager or plug-in can optionally enforce one or more of the following attributes: v IP endpoint authorization method policy v EAS trigger attributes v Quality of Protection The concept of inherited. Specifies authorization requirements for access from members of external networks. This attribute appears in the pop show command. or errors. successful access. This attribute relates to the pop-name variable in the pop command documentation. Audit level informs the authorizations service that extra services are required when permitting access to the object. Descriptive text for the policy. Audit level Time-of-day access IP endpoint authorization method policy EAS trigger attributes Quality of Protection Although Tivoli Access Manager provides these POP attributes. Specifies degree of data protection: none. Authorization rules An authorization rule specifies the policy that applies to an object and that is based on various conditions. An authorization rule is created using a number of Boolean conditions that are based on data that is 46 Administration Guide . authorization rules are defined to specify conditions that must be met before access to a protected object is permitted. Provides administrators a means to test ACLs. Specifies an External Authorization Service (EAS) plug-in that is invoked to make an authorization decision using the externalized policy logic of the customer. and authorization rules. Quality of Protections informs the authorizations service that extra services are required when permitting access to the object. POP attributes that are enforced by Tivoli Access Manager POP attribute Name Description Warning mode Description Name of the policy. Specifies the type of auditing: all. denied access. POPs. IP endpoint authentication method policy places restrictions on the access to the object. from the resource manager. This information can be defined statically within the system or defined during a business process. The authorization rule is stored as a text rule within a rule policy object and is attached to a protected object in the same way and with similar constraints as ACL policies and POPs. This section discusses the concepts of inherited. or sparse security policies. each object must be protected by security policy. Adopting an inherited security scheme can greatly reduce the administration tasks for a domain. The root ACL must always exist and can never be removed. You can assign security policy to an object in one of following ways: v Attach an explicit security policy on the object. and making informed access decisions. Security policy inheritance The power of security policy inheritance is based on the following principle: Any object without an explicitly attached security policy inherits the policy of its nearest container object with an explicitly set security policy. This interrupts the flow of inherited security policies from the primary object space root to that subtree. Authorization rules can be used to implement extensible attribute-based authorization policy using attributes within the business environment or attributes from trusted external sources. Security policy inheritance simplifies the task of setting and maintaining access controls on a large protected object space. or from the encompassing business environment. by examining the values in that data. The inheritance chain is broken when an object has an explicitly attached security policy. it is called a sparse security policy model. A typical object space begins with a single explicit security policy attached to the root container object. Normally. In a typical object space.supplied to the authorization service within the user credential. you need to attach only a few security policies at key locations to secure the entire object space. you attach an explicit security policy at the root of that subtree. All objects located in the object space inherit this ACL. Default security policy 47 . Sparse security policy model To secure network resources in a protected object space. v Allow the object to inherit its security policy from a preceding container object in the hierarchy. A new chain of inheritance begins from this newly created explicit security policy. the root ACL is an ACL with little restriction. Chapter 4. The language of an authorization rule allows customers to work with complex. When a region or subtree in the object space requires different access control restrictions. Therefore. structured data. regardless of any permissions that might be granted lower in the tree. but the administrator cannot completely remove the root ACL policy. because of its powerful ownership properties. You must use the control permission with great care. Being able to modify entries in the ACL policy means that you can create entries. the ACL policy for the entire object space is created and explicitly set. This user cannot gain access at all to the protected object space. Accessibility to protected objects is controlled by the traverse (T) permission. If you do not explicitly set an ACL policy on any other object in the tree. v The requested object must be accessible to the requesting user. A protected object is accessible if the requester possesses the traverse permission on each ACL attached to container objects above the requested resource on the path towards root and including root. Kate (user kate) is a member of the Sales 48 Administration Guide . This ACL policy is the default-root ACL policy and includes the following users and permissions: group iv-admin any-other unauthenticated TcmdbvaBR T T Tivoli Access Manager checks inheritance beginning with the root of the protected object space. which contains a TechPubs directory. the entire tree inherits this root ACL policy. and take away permissions. An administrator can replace this ACL policy with another ACL policy that contains different entries and permission settings. there is an Engineering container object (directory). The administrator who wants to delete a permission from an ACL policy must have an entry in that ACL policy and must have the control permission set in that entry. Traverse permission Tivoli Access Manager access control depends on the following conditions: v The permission that controls the requested object must contain appropriate access permissions for the requesting user. The traverse permission is applied only to container objects in the protected object space. Ownership allows you to modify entries in the ACL policy. There is always an explicit ACL policy set at the root of the protected object space. If there are no permissions defined for a user. The traverse permission specifies that a user or group that is identified in the ACL entry has permission to pass through this container object to gain access to a protected resource. Within the fictional ACME Corporation. such as the ability to attach or detach that ACL policy to objects. The control permission allows you to grant administration powers to another user. grant permissions.default-root ACL policy During the installation and initial configuration of Tivoli Access Manager. that user cannot even traverse the root container object. Figure 14 on page 49 illustrates how the traverse permission works. delete entries. Control permission The control (c) permission is a powerful permission that gives you ownership of an ACL policy. At this point. permission for all objects reverts to the nearest container object with an explicitly set ACL policy. A user is denied access to an object if any container object in the hierarchy above the protected object does not include the traverse permission for that user or is denied if the target object does not contain sufficient permissions to perform the requested operation. The administrator provides traverse permission for group sales on the Engineering directory. she can pass (traverse) through these directories to access the required file. the requestor must have both of the following permissions: Chapter 4. Resolving an access request Inheritance begins at the root of the protected object space and impacts all objects in the object space until it reaches an object with an explicit ACL policy. ACME Corporation / (root) any-authenticated -------T--------- Sales Engineering group sales -------T--------- TechPubs (ACL inherited) release_note user kate ---------------r- Figure 14. a new chain of inheritance begins.department and requires traversing to the Engineering/TechPubs/ directory tree to review a release note file (release_note). Although Kate has no other permissions in these two directories. The TechPubs directory inherits the ACL from the Engineering directory. Tivoli Access Manager checks each object along the object hierarchy for the proper inherited or explicitly set permissions. user kate could not access the release_note file even though the user has read permission for that file. When a user tries to access a protected object (such as a document). she can view the file. The administrator provides traverse for any-authenticated at the root. For example. even if those objects that contain other less restrictive ACL policies. Because this file has read permission for Kate. If you delete an explicit ACL policy. Default security policy 49 . Traverse permission You can easily restrict access to the hierarchy below a given container object without resetting individual permissions on these objects by deleting the traverse permission from the appropriate ACL policy. Tivoli Access Manager checks whether that user has the permissions to access the object. Objects below an explicitly set ACL policy inherit the new ACL policy. Deleting traverse permission on a directory object protects all objects lower in the hierarchy. To succeed an access check. if sales group did not have the traverse permission on the Engineering directory. If any of these checks fail. In an ACL inheritance model. Only a subset of these possible operations might be relevant for a specific object to which the ACL policy is attached. In summary. Whether read permission is set on the report. any object without an explicitly attached ACL policy inherits the policy definitions from the nearest attached ACL policy to an object above it in the hierarchy. The ytd. Tivoli Access Manager performs the following checks: 1.html file has an attached ACL policy that grants read permission to members of the sales-vp group (who are also members of the sales group). each individual object might be affected by only a few of these permissions. Whether traverse permission is set on the root (/). The ACL policy contains enough permissions to meet the requirements of all objects to which the ACL applies. Note: This ACL policy scheme does not need to be changed when users are added to or removed from the domain. project_Y. The reason for this behavior is related to the following Tivoli Access Manager features that are designed to make administration easier: v ACL policies v ACL inheritance ACL policies allow you to use the same set of permissions to multiple objects in the protected object space. 3. ACL policy inheritance example Figure 15 on page 51 illustrates the impact of a mixture of inherited and explicit ACL policies in the fictional ACME corporate object space. The ACL policy on this subtree no longer acknowledges the unauthenticated or any-other entry types. Applying ACL policies to different object types Permissions for various operations can be set in an ACL policy.html resource in the /acme/engineering/project_Y/current/ object. v Appropriate permissions on the requested object. However. and current directories. A corporate object space has a general security policy set at the root object. to determine whether a user can read the report. In this example. engineering. 2. the user is denied access. Root is followed by the /WebSEAL container object and individually controlled departmental subtrees. For example. the sales group is given ownership of its departmental subtree. not just the object to which it is attached.htmlfile. Whether traverse permission is set on the acme. Users can be added to or removed from the 50 Administration Guide . an ACL policy has to describe the necessary permissions for all object types to which it can apply.v Permission to traverse the path to the requested object. html Note: group sales includes members of group sales-vp. ACL inheritance example Default ACL policies You can add entries for users.html manager.html ytd. group iv-admin group ivmgrd-servers group webseal-servers unauthenticated any_authenticated -abc---Tdm----lrx -------T------l--a--g--Tdm----lrx -----------------------T-------r- WebSEAL server (www.com/) Production Departments Inventory Personnel Sales group group group group iv-admin ivmgrd-servers webseal-servers sales -abc---Tdm----lrx -------T------l--a--g--Tdm----lrx -------T------lrx staff. groups. Users and groups with the control (c) permission own the ACL and have the power to modify the ACL entries.html group group group group iv-admin ivmgrd-servers webseal-servers sales-vp -abc---Tdm----lrx -------T------l--a--g--Tdm----lrx -------T-------r- Figure 15. any-other (any-authenticated).existing groups. and unauthenticated to provide a broader range of control and better meet the requirements of your protected object space. The following default ACL policies are suggested starting points for securing management operations in a domain: v default-root v default-management v default-config v default-gso v default-policy v default-domain v default-management-proxy default-root ACL policy The ACL policy for the entire object space is the default-root ACL policy.html sales. This ACL policy includes the following users and permissions: group iv-admin any-other unauthenticated TcmdbvaBR T T Chapter 4. A detailed description of permissions can be found in “Default permissions in the primary action group” on page 80.html president.html products.acme.html tele. Default security policy 51 . clientA. This ACL policy includes the following users and permissions: group group group group iv-admin ivmgrd-servers secmgrd-servers ivacld-servers TcbvaBR m mdv mdv default-config ACL policy The default ACL policy for the /Management/Config container object is the default-config ACL policy. default-management ACL policy The default ACL policy of the /Management container object is the default-management ACL policy. Typically. This ACL policy includes the following users and permissions: group iv-admin any-other unauthenticated TcmdbvaBNR Tv Tv 52 Administration Guide . Consider the following entry in the default-root ACL policy: user john ----------------- The user john has no permissions. this ACL policy is attached to the /Management container object in the object space.The default-root ACL policy is a basic policy that enables everyone to traverse the object space. but they cannot perform any other actions. At installation. This ACL policy includes the following users and permissions: group iv-admin group ivmgrd-servers any-other TcmdbsvaBtNWAR Ts Tv default-replica ACL policy The default ACL policy for the /Management/Replica container object is the default-replica ACL policy. you would not need to change this setting. This ACL policy includes the following users and permissions: group iv-admin any-other unauthenticated TcmdbvaBNR Tv Tv default-policy ACL policy The default ACL policy for the /Management/Policy container object is the default-policy ACL policy. So this user cannot even traverse the root container object and cannot access the protected object space regardless of any permissions that are granted lower in the tree. This ACL policy includes the following users and permissions: Group iv-admin Any-other Unauthenticated TcmdbsvaBR Tv Tv default-gso ACL policy The default ACL policy for the /Management/GSO container object is the default-gso ACL policy. One useful function of the default-root ACL policy is that it allows you to quickly deny access to the entire object space for an individual user or group. this object defines. v If you do not apply any other explicit permission. Default security policy 53 . The /Management region contains the following container objects that each requires a specific set of permissions: v “/Management/ACL permissions” v “/Management/Action permissions” on page 54 v “/Management/POP permissions” on page 55 v “/Management/Server permissions” on page 55 v “/Management/Config permissions” on page 55 v “/Management/Policy permissions” on page 56 v “/Management/Replica permissions” on page 56 v “/Management/Users permissions” on page 56 v v v v v “/Management/Groups permissions” on page 57 “/Management/GSO permissions” on page 58 “/Management/Rule permissions” on page 58 “/Management/Domain permissions” on page 59 “/Management/Proxy permissions” on page 59 /Management/ACL permissions This object allows administration users to perform high-level ACL management tasks that can affect the security policy for the domain. the security ACL policy for the entire /Management object space.default-domain ACL policy The default ACL policy for the /Management/Domain container object is the default-domain ACL policy. Create an ACL policy. Permission d (delete) m (modify) Operation Delete an existing ACL policy. The following security considerations apply for the /Management region of the protected object space: v The /Management object begins the chain of permission inheritance for the entire /Management region of the object space. v The traverse (T) permission is required for access to /Management. Chapter 4. through inheritance. This ACL policy includes the following users and permissions: group iv-admin TcmdbvaBNR group ivmgrd-servers v default-proxy ACL policy The default ACL policy for the /Management/Proxy container object is the default-proxy ACL policy. This ACL policy includes the following users and permissions: group iv-admin Tcbv group ivmgrd-servers Tg /Management permissions The /Management region of the protected object space contains multiple container objects. The ACL entry of an administrator might contain any of the permissions listed in the table. Define the object space for the resource manager 2. You must create ACL administrator entries in the effective ACL policy for the /Management/ACL object. with TcmdbsvaBIR permissions. sec_master can create an ACL policy. if sec_master is an administrator entry in the default-management ACL. Apply permissions on resources and objects that need protection The administrator of a resource manager object space can use the pdadmin utility to define new permissions and actions. These permissions give the administrator powers to create. For example. The following steps are required to integrate a resource manager with the authorization service: 1. no special permissions are required. The acl find command shows the list of protected resources where this ACL is attached. The administrator must have the m and d permissions on the Management/Action object to create and delete these new permissions or actions. and delete ACL policies. Resource managers generally define the actions and action groups that are applicable to the resources that they are protecting. Ownership of the default-management ACL itself is given to the iv-admin group by default. You must have the view (v) permission on those protected resources before they can be shown. with m permission. view. Define the action groups and actions for the resource manager 3. Action tasks and associated permissions include: Permission d (delete) m (modify) Operation Delete an existing action or action group. Create an action or action group. Resource managers can call the authorization service through the authorization API. To view an action or action group.Permission v (view) Operation List and find view ACLs. This permission must be in an entry of an ACL attached to /Management/ACL object. Only the owner of an ACL can modify its entries. The creator of a new ACL policy (m on /Management/ACL) becomes the first entry in that ACL with the TcmdbsvaBIR permissions set by default. 54 Administration Guide . /Management/Action permissions This object allows administration users to manage custom actions and action groups. show ACL details. User sec_master becomes the first entry in the new ACL. An ACL administrator cannot modify an existing ACL unless there is an entry in that ACL for the administrator containing the control (c) permission. Override the POP on an object. or update the configuration of a resource manager. Server management controls are used to determine whether a user has permission to view configured resource managers. Resource managers are removed when they are unconfigured. Chapter 4. Enable dynamic trace or statistics administration. Permission s (server) v (view) t (trace) Operation Replicate the resource manager or the authorization database. The definition for a server is deleted when the server is unconfigured. Default security policy 55 . Resource managers become available in the list of resource managers after they are configured into the domain. Action tasks and associated permissions include: Permission d (delete) m (modify) v (view) B (bypass POP) Operation Delete a POP. List registered servers and display server properties. /Management/Server permissions The /Management/Server container object of the protected object space allows administrators to perform server tasks when the appropriate permissions are set. to locate and communicate with that resource manager. and to enable runtime tracing features on behalf of resource managers. unconfigure. initiate a replication of one or more resource managers. All permissions must appear in entries for ACLs on /Management/POP. particularly the policy server. The pop find command shows the list of protected resources where this POP is attached./Management/POP permissions This object allows administration users to manage protected object policies. Create POPs and modify POP attributes. Configuration management controls are used to determine whether a user has permission to configure. /Management/Config permissions The /Management/Config container object of the protected object space allows administrators to perform configuration tasks when the appropriate permissions are set. You must have the view (v) permission on those protected resources before they can be shown. The viewable resource manager information allows other Tivoli Access Manager servers. Find and list POPs and show POP details. A server definition is created for a particular resource manager or the authorization server as part of the configuration process. particularly the policy server.Server definitions contain information that allows other Tivoli Access Manager servers. /Management/Replica permissions The /Management/Replica container object of the protected object space controls the replication of the master policy database. 56 Administration Guide . The replication process requires that these processes be allowed to view and access entries out of the master policy database. This group. /Management/Users permissions This object allows administration users to manage user accounts. Create a user and optionally assign that user to one or more groups. Required for policy set commands. must be granted view (v) permission on the /Management/Replica object. to locate and communicate with that resource manager. by default. Permission v (view) Operation Read the master policy database. /Management/Policy permissions The /Management/Policy container object of the protected object space allows administrators to authorize the policy get and policy set commands when the appropriate permissions are set. When a resource manager is configured into the domain. The Tivoli Access Manager installation automatically grants read permission to any server requiring access to the master policy database. All Tivoli Access Manager servers that maintain a local replica of the policy database. Import group data from the user registry. Unconfigure a resource manager from a domain. is given permission to download the master policy database. High-level controls on this object affect the operation of the policy server and the resource managers in the domain. Replica management controls are used to determine which resource managers are allowed to download the master policy database to their local file system. Action tasks and associated permissions include: Permission d (delete) m (modify) N (create) Operation Delete a user account. which includes all resource managers and the authorization servers. Permission m (modify) d (delete) Operation Configure a resource manager into a domain or update the configuration of a resource manager. it is automatically added as a member to the ivacld-servers group. Modify the details of a user account. Permission v (view) m (modify) Operation Required for policy get commands. Use the user create command. that administrator can only view information about users in the Accounting group. see Chapter 16. which is a global setting. If an administrator has view (v) permission to any group that the user is a member of. To limit the scope of administrator control to a specific group. This action allows the user to log on and then forces the user to immediately apply a new password. to create new users and optionally place them in one or more existing groups. The password (W) permission allows password resets and is appropriate to give to help desk administrators so that they can assist users who have forgotten their passwords. For information about delegated administration. Add one or more users to a group. For example. The ability for an administrator to manage all user accounts is controlled by permissions on the /Management/Users object. For example. The policy set max-password-age command sets the maximum time before a password expires. Modify group descriptions. the administrator can view the information for that user. Adding the view (v) permission to the /Management/Groups object itself allows an administrator to view information about any user who is a member of any group. if an administrator has view (v) permission on the /Management/Users object. Setting user modify password-valid to no for a user does not indicate if the password is not valid due to the maximum password age policy. if an administrator is given view (v) permission on the /Management/Groups/Accounting object. The add (A) permission is required on your entry in the ACL on a group to allow you to add existing users to your group. which requires the N permission. Chapter 4.” on page 183. Remove one or more user members of a group. Import group data from the user registry. /Management/Groups permissions This object allows administration users to manage groups and group membership.Permission v (view) W (password) Operation List user accounts and show details for a user account. Default security policy 57 . that administrator can view information about all users. “Delegated administration. Reset and validate a user password. Create a group. remove the administrator permissions from the /Management/Users object and apply permissions to the /Management/Groups object that is associated with the group to be managed. Access granted by the /Management/Users object overrides any access restrictions imposed by delegated administration policy ACLs under /Management/Groups/ group_name. Permission d (delete) m (modify) N (create) v (view) A (add) Description Delete a group. This permission allows an administrator to reset the password and then to use the user modify password-valid command to set a value of no. List groups and show group details. If you. if an administrator has delete (d) permission on the /Management/Groups object. as the owner of the group. resource groups. resource group. The authzrule find command shows the list of protected resources where this rule is attached. List or show resources. For example. that administrator can delete any group. Permission N (create) Operation Create a resource. 58 Administration Guide . Permissions on /Management/Groups objects affect the ability of an administrator to manage users who are part of those groups. resource group. If an administrator has view (v) permission on a group. The ability for an administrator to manage all groups is controlled by permissions on the /Management/Groups object. or resource credential also require the m (modify) permission. To limit the scope of administrator control to a specific group. Deleting a resource. Find and list authorization rules and show authorization rule details. Giving an administrator delete (d) permission on a group allows that administrator to delete a user who is a member of the group. All permissions must appear in entries for ACLs on /Management/Rule. Creating a resource. you can delete this user from the entire domain. and resource credentials. or resource credential also require the m (modify) permission. or resource credential. /Management/GSO permissions The /Management/GSO container object of the protected object space allows administrators to perform Global Sign-On (GSO) tasks when the appropriate permissions are set. apply permissions to the object that is associated with the group. Delete an authorization rule. Create authorization rules and modify authorization rule attributes. d (delete) m (modify) v (view) /Management/Rule permissions This object allows administration users to manage authorization rule policies.The capability of adding existing users to your group is powerful because the owner of a group has control over all user members of the group. You must have the view (v) permission on those protected resources before they can be shown. For example. if an administrator is given delete (d) permission on the /Management/Groups/Travel/Europe object. resource group. Modify a resource group or resource credential. that administrator can view information about the users that are part of those groups. or resource credential. resource group. Permission R (bypass rule) d (delete) m (modify) v (view) Operation Override the authorization rule policy on an object. that administrator can delete any group within that object. also have the delete (d) permission. Delete a resource. Permission g (delegate) Operation Allows administrators and resource managers to act on the behalf of the specified credential. Chapter 4. /Management/Proxy permissions The /Management/Proxy container object of the protected object space allows administrators or resource managers to perform delegated management tasks when the appropriate permissions are set. Delete a domain. List and show domains. Default security policy 59 ./Management/Domain permissions The /Management/Domain container object of the protected object space allows administrators to perform domain tasks when that appropriate permissions are set. Permission m (modify) v (view) d (delete) Operation Modify or create a domain. 60 Administration Guide . these users and groups can be imported into other domains. complete the following steps: 1. Resources that are defined and access controls for resources that are protected by Tivoli Access Manager are maintained on a per domain basis. The default user ID is sec_master. 1999. Users and groups are specific to their domain and are not allowed to access resources that are contained in other domains. enter the following command: pdadmin login -a myadmin_id -p 12A345 -d Domain-ABC For more information. an administrator can create users. see the IBM Tivoli Access Manager for e-business: Command Reference. © Copyright IBM Corp. Resources and access controls for resources cannot be shared among domains. Web Portal Manager To log in to the domain that you created. and other objects. Domain administrators can perform administrative tasks only within their own domains. Creating a domain Any number of additional domains can be created in addition to the management domain. If users and groups are created outside of Tivoli Access Manager. use the login command. groups. 2. for the myadmin_id administrator to log in interactively to the Domain-ABC domain using the login command. For example.Chapter 5. Type the password associated with the user ID. The default domain name is Default. 3. 2010 61 . and a domain administrator must be specified when the domain is created. type the domain name that you created. pdadmin To log in to a domain using the pdadmin utility. Within a domain. You can perform the following domain tasks: v “Logging in to domains” v “Creating a domain” v “Modifying the description for a domain” on page 62 v “Listing domains” on page 63 v “Deleting a domain” on page 64 Logging in to domains You can log in to a domain using Web Portal Manager or the pdadmin utility. A domain is given a unique name. Managing domains An administrator in the management domain can create additional domains. and do not have the authority to perform tasks in other domains. From the login screen. Type the user ID that was created for this domain. ).Only an administrator who is logged in to the management domain is authorized to create additional domains. Passwords must adhere to the password policies set by the domain administrator. type Domain-ABC. "at" symbol (@). underscore (_). 3. Type a New Administrator Password. You can create a domain using Web Portal Manager or the pdadmin utility. 0–9. 8. period (. such as: Test Domain. A domain can be created only by an administrator with the appropriate permissions within that management domain. You can modify a domain description using Web Portal Manager or the pdadmin utility. enter the following command on a single line: pdadmin sec_master> domain create Domain-ABC myadmin_id 12A345 -desc "Test Domain" For more information. see the IBM Tivoli Access Manager for e-business: Command Reference. A domain can be modified only by an administrator with the appropriate permissions within the management domain. Use Web Portal Manager to log in to the management domain as a domain administrator. The following restrictions apply to the domain name: v The maximum length is limited to 64 characters. Note: You must create an administrator ID for the domain. Type a New Domain Administrator ID. For example. 5. Click Secure Domain → Create Secure Domain. type myadmin_id. Type the password again in Confirm Password. For example. or ampersand (&) characters. For example. Click Create. Use Web Portal Manager to log in to the management domain as a domain administrator. For example. 7. to create a domain named Domain-ABC. Click Secure Domain → List Secure Domain. Web Portal Manager To modify a domain description. Type the Secure Domain Name that you want to create. 2. type 12A345. hyphen (-). Modifying the description for a domain Only an administrator who is logged in to the management domain is authorized to modify a domain description. A–Z. Web Portal Manager To create a domain. complete the following steps: 1. complete the following steps: 1. 2. 4. v The name can contain a-z. 62 Administration Guide . 6. log in to the management domain and use the domain create command. Optional: Type a Description of the domain. v The name can contain any character from a double-byte character set. pdadmin To create a domain using the pdadmin utility. Use Web Portal Manager to log in to the management domain as a domain administrator. edit the Description field to add a new description or change the existing description. see the IBM Tivoli Access Manager for e-business: Command Reference. type new test domain description to change the existing description. For example. except for the management domain. Listing domains You can list all domains. enter the following command: pdadmin sec_master> domain list For more information. 2. click Domain-ABC. 5. To list domains. From the Secure Domain Properties page. Managing domains 63 . except for the management domain. enter the following command on a single line: pdadmin sec_master> domain modify Domain-ABC description "new test domain description" For more information. The administrator must have the appropriate permissions to list domains within the management domain. click the name of the domain that you want to change. log in to the management domain as a domain administrator and use the domain list command. using the pdadmin utility. You can filter the domain names to view only the domain names that meet the criteria you specify. Only an administrator who is logged in to the management domain is authorized to list domains. 4. For example. log in to the management domain as a domain administrator and use the domain modify command. complete the following steps: 1. For example. Click Secure Domain → List Secure Domain. From the Manage Secure Domains page. The Manage Secure Domains page displays all the domain names. pdadmin To list all domains. as links. except for the management domain. using Web Portal Manager or the pdadmin utility.3. Web Portal Manager To list all domains. Chapter 5. except for the management domain. see the IBM Tivoli Access Manager for e-business: Command Reference. pdadmin To modify a domain description using the pdadmin utility. to change the description of the domain named Domain-ABC to new test domain description. Click Apply. all user and group information. complete the following steps: 1. including associated ACL entries. enter the following command: pdadmin sec_master> domain delete Domain-ABC –registry Note: If you unconfigure the management domain using the pdconfig utility. Note: The delete operation cannot be reversed. To permanently remove domain information from the user registry. click Delete Registry Entry. pdadmin To delete a domain using the pdadmin utility. Otherwise. Click Secure Domain → List Secure Domain. use the –registry option. For example. For more information. 3. You can delete a domain using Web Portal Manager or the pdadmin utility. From the Domain Properties page click Delete. Deleting a domain deletes the specified Tivoli Access Manager group. log in to the management domain as a domain administrator and use the domain delete command. the user and group information for the domain remains in the user registry and can be used if the domain is created again. A domain can be deleted only by an administrator with the appropriate permissions within the management domain. 64 Administration Guide . If you specify the optional registry entry option. Web Portal Manager To delete a domain. Otherwise. see the IBM Tivoli Access Manager for e-business: Command Reference. 2. the user and group information for the domain remains in the user registry and can be used if the domain is created again. Use Web Portal Manager to log in to the management domain as a domain administrator. are deleted from the user registry when the domain is deleted. to delete the domain named Domain-ABC and permanently remove the domain information from the user registry. From the Domain List page select the domain you want to delete 4.Deleting a domain Only an administrator who is logged in to the management domain is authorized to delete domains. To permanently remove domain information from the user registry. any additional domain that exists is deleted. if it does not exist v The /WebSEAL object space during the installation of Tivoli Access Manager for e-business v The /OSSEAL object space during the installation of Tivoli Access Manager for Operating Systems v The /PDMQ object space during the installation of Tivoli Access Manager for Business Integration You can perform the following object space tasks: v “Creating an object space” v “Listing object spaces” on page 67 v v v v “Copying an object space” on page 67 “Importing object spaces” on page 68 “Exporting object spaces” on page 68 “Deleting an object space” on page 69 In the following sections. The following object spaces are created during the installation of Tivoli Access Manager products: v The /Management object space during the installation of any Tivoli Access Manager product. An object space consists of resource objects and container objects. Note: There are no equivalent pdadmin commands for importing. Security policy is applied by attaching access control list (ACL) policies. instructions are provided for using either Web Portal Manager or pdadmin. 1999. and authorization rules to the objects within the object space that represent the physical resources to be protected. For online help while using Web Portal Manager. Container objects allow you to group resource objects and other container objects hierarchically into logical groups or regions. exporting. 2010 65 . To perform this task. or both. The Tivoli Access Manager authorization service decided whether to permit or deny access to resources based on user credentials and the conditions specified by the security policy. and copying object spaces. protected object policies (POPs). Resource objects are logical representations of resources to be protected. Managing object spaces Tivoli Access Manager represents resources to be protected using a virtual representation of the object space that is called the protected object space. the administrator requires the following permissions: v Create (N) v Modify (m) © Copyright IBM Corp. click the question mark to open a separate help window for the current page. Grouping similar objects makes it easier for you to administer a consistent security policy. Creating an object space You can create an object space using Web Portal Manager or the pdadmin utility.Chapter 6. log in to the domain as a domain administrator and use the objectspace create command. browse the object space. 2. “Protected object space” on page 34 discusses the two general types of objects: resource objects and container objects. you do not have to specify an object type when using Web Portal Manager. 3. The 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 following object space types are valid for Tivoli Access Manager: Unknown Secure domain File Executable program Directory Junction WebSEAL server Unused Unused HTTP server Nonexistent object Container object Leaf object Port Application container object Application leaf object Management object 66 Administration Guide .Web Portal Manager To 1. which is for an application container object. To see the /Test-Space object space in the hierarchical structure. This field is required. create an object space. complete the following steps: Use Web Portal Manager to log in to the domain as a domain administrator. The following object spaces are created by Tivoli Access Manager: v /Management v /WebSEAL v /OSSEAL v /PDMQ For example. an object type must be specified. You can select any of the listed object space types. to create the /Test-Space object space that is an application container object. Note: Do not use the objectspace command on object spaces that are created by or developed using Tivoli Access Manager. For example: New Object Space 5. Because an object space consists of resource objects and container objects. enter the following command: pdadmin sec_master> objectspace create /Test-Space "New Object Space" 14 When creating an object space. Click Object Space → Create Object Space. Type a Description for the object space. Click Create. or use any unused category number listed in the following list to designate the object space type and assign a meaning to it. For example: /Test-Space 4. pdadmin To create an object space in the domain using the pdadmin utility. which is object type 14. See “Listing object spaces” on page 67. This object space example assigns an object type of 14. Type an Object Name. Click Object Space → Browse Object Space to display the Browse Object Space page. Listing object spaces You can list all object spaces using Web Portal Manager or the pdadmin utility. 4. Web Portal Manager To copy an object space. pdadmin sec_master> objectspace list For more information. navigate the object space and select the object-specific check boxes in the Copy column. navigate to the object space and select the object-specific check boxes in the Paste column. To select which objects to copy. pdadmin To list all object spaces in the domain using the pdadmin utility. Click Object Space → Copy/Paste Object Space to display the Copy/Paste Object Space page. the administrator requires the following permissions: v Browse (b) v View (v) Web Portal Manager To list all object spaces. Each object space and the corresponding object are displayed as a link. complete the following steps: 1. complete the following steps: 1. see the IBM Tivoli Access Manager for e-business: Command Reference. Click Copy/Paste to copy the selected object space hierarchies to the designated locations.17 Unused For more information. log in to the domain as a domain administrator and use the objectspace list command. When you select any link. 5. see the IBM Tivoli Access Manager for e-business: Command Reference. To validate. Copying an object space You can copy an object space using Web Portal Manager only. the Protected Object Properties page for that object or object space is displayed. To select where these objects are to be pasted. Managing object spaces 67 . 2. 2. Use Web Portal Manager to log in to the domain as a domain administrator. To perform this task. the copied object space is shown under the pasted location. click Refresh. Chapter 6. All object spaces appear at the same structural level as the default /Management object space. If successful. Use Web Portal Manager to log in to the domain as a domain administrator. The Browse Object Space page displays all the objects in the domain in a hierarchical structure. 3. v Click Browse to select a file name. 68 Administration Guide . Click Object Space → Browse Object Space to display the Browse Object Space page. type objectImport. 5. Click Object Space → Import Object.Importing object spaces You can import an object space using Web Portal Manager only.xml. 4. complete one of the following steps: v In the Object File Name field. 3. 10. Optional: In the Encryption String text field. the exported file is in plain text. From the Import Protected Object From File page. the exported XML description file is available in the specified location. 3. the imported object space is available when you browse the object space. 2. complete the following steps: 1. in the Confirm Encryption String text field. Web Portal Manager To 1. Click Save to create the file that contains the exported description. If the file containing the object space was encrypted when it was exported. in the Encryption String text field. Click Export to display the File Download window.xml. Optional: Select the Export Object including Children check box to descend the object hierarchy and export all child objects. click Export to display the Export Object to File page. If not specified. complete the following steps: Use Web Portal Manager to log in to the domain as a domain administrator. If successful. type the string again. 4. For example. From the Protected Object Properties page. 2. type the name of the object to import. When the Create Groups box is selected. type the string that was used to encrypt the XML file. 7. Click Save to display the Save As window. Optional: Select the Create Groups check box to trigger the creation of a group for associated ACLs with entries with the type Group. For example. Web Portal Manager To export an object space. Use Web Portal Manager to log in to the domain as a domain administrator. When an Encryption String is provided.c=us. 6. Exporting object spaces You can export an object space using Web Portal Manager only. 8. If successful. import an object space. type the name of the registry container. in the Registry Container text field. type o=ibm. 5. The default file name is objectExport. 7. Click Import. 6. type the string to use to encrypt the XML file. Navigate the hierarchy and select the object that you want to export. 9. a message displays indicating that the object space was deleted. the name of the object space is displayed in the Object Name field. Chapter 6. the administrator requires the following permissions: v Delete (d) v Modify (m) Web Portal Manager delete an object from the object space. 4. To confirm the deletion. Click Delete. click Delete again. see the IBM Tivoli Access Manager for e-business: Command Reference. Click Object Space → Browse Object Space. To 1. to delete the object space named /Test-Space.Deleting an object space You can delete an object from the object space using Web Portal Manager or the pdadmin utility. Managing object spaces 69 . 3. 2. expand and click the object space that you want to delete. enter the following command: pdadmin sec_master> objectspace delete /Test-Space For more information. From the Browse Object Space page. From the Protected Object Properties page. pdadmin To delete an object space in the domain using the pdadmin utility. log in to the domain as a domain administrator and use the objectspace delete command. For example. complete the following steps: Use Web Portal Manager to log in to the domain as a domain administrator. To perform this task. If successful. 5. 70 Administration Guide . For example. 2. 3. 2010 71 . Click Create. Type the full path of the object in the Object Name text field. For information about creating an object space. Managing protected objects An object is a logical representation of a system resource. 5. or both. The Browse Object Space page provides a hierarchical view of all © Copyright IBM Corp. click the question mark to open a separate help window for the current page. To protect objects. For online help while using Web Portal Manager. the administrator requires the following permissions: v Create (N) v Modify (m) Web Portal Manager. Creating an object You can create an object using Web Portal Manager or the pdadmin utility. from root To create an object specifying the path from root. Optional: In the Description text field. After an object space is created. You can perform the following object tasks: v “Creating an object” v “Listing objects” on page 73 v “Importing objects” on page 73 v “Exporting objects” on page 74 v “Deleting an object” on page 74 In the following sections. you can populate it with objects and then manage these objects. Web Portal Manager provides two ways of creating objects: v Specifying the fully qualified path of the new object starting at root v Specifying the new object from the provided path of the parent object To perform this task. Use Web Portal Manager to log in to the domain as a domain administrator. type a description for the object. Security policies are the combination of access control list (ACL) policies. For example. type /Management/Groups/test-object. and authorization rules that you can attach to an object. type Test Object. Click Object Space → Create Object to display the Create Protected Object page.Chapter 7. click Object Space → Browse Object Space. protected object policies (POPs). you need to apply security policies. Note: There are no equivalent pdadmin commands for importing and exporting objects. instructions are provided for using either Web Portal Manager or pdadmin. To be able to attach a policy to this protected object. see “Creating an object space” on page 65. 1999. complete the following steps: 1. 4. Optional: In the Description text field. from parent object To create an object when using the parent object as the base path. 7. select the link that is associated with the /Management/Groups object. After the object is created. For example. Click the link for an object to go to its Protected Object Properties page. 4. modify the description for the object. 2. Click Object Space → Browse Object Space to display the Browse Object Space page. Click the Create Child Object link to display the Create Protected Object page where the Object Name and Description text fields contain the values of the parent object. For example.the objects in the domain as links. a dialog is displayed with the link to this object. For example. 3. pdadmin To create an object in the domain using the pdadmin utility. Navigate the object hierarchy and select the link of the parent object to display the Protect Object Properties page. append a slash and the name of the new object. From this page. complete the following steps: 1. 5. type Test Object. to create the object named /Management/test-object that is an application container object (14). select the Can Policy be attached to this object check box and click Apply. enter the following command: pdadmin object create /Management/test-object “Test Object” 14 ispolicyattachable yes The 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 type can be one of the following object type categories: Unknown Secure domain File Executable program Directory Junction WebSEAL server Unused Unused HTTP server Nonexistent object Container object Leaf object Port Application container object 72 Administration Guide . From this page. In the Object Name text field. To attach a policy to this protected object. Click Create. For example. click this link to display its Protected Object Properties page. Web Portal Manager. 6. log in to the domain as the domain administrator and use the object create command. Use Web Portal Manager to log in to the domain as a domain administrator. select the Can Policy be attached to this object check box and click Apply. append /test-object to the provided parent path of /Management/Groups. see the IBM Tivoli Access Manager for e-business: Command Reference. log in to the domain as the domain administrator and use the object list command. pdadmin To list all objects in the domain using the pdadmin utility. The Browse Object Space page displays all the objects in the domain in a hierarchical structure. Each object space and each object are displayed as a link. For example. enter the following command: pdadmin sec_master> object list /Management For more information. or use any number to designate the object type and assign a meaning to it. Click Object Space → Browse Object Space. Use Web Portal Manager to log in to the domain as a domain administrator. this command assumes that you intended to use the objectspace create command. If the ispolicyattachable option is omitted from the object create command. You can select an appropriate category. Importing objects You can import an object using Web Portal Manager only. see the IBM Tivoli Access Manager for e-business: Command Reference. For more information. An object space is created rather than an object. When you select any link. Listing objects You can list objects in the domain using Web Portal Manager or the pdadmin utility. Use Web Portal Manager log in to the domain as a domain administrator.15 16 17 Application leaf object Management object Unused When creating an object. a type must be specified. complete the following steps: 1. 2. Managing protected objects 73 . To perform this task. Chapter 7. complete the following steps: 1. Web Portal Manager To import an object. to list the objects under the /Management object space. the Protected Object Properties page for that object or object space is displayed. the administrator requires the following permissions: v Browse (b) v View (v) Web Portal Manager To list objects. 2. All object spaces appear at the same structural level as the default /Management object space. Click Object Space → Import Object. 10. 2. 5.c=us. If not specified. in the Confirm Encryption String text field.3. 4. in the Encryption String text field. 6. Click Object Space → Browse Object Space to display the Browse Object Space page. v Click Browse to select a file name. the imported object is available when you browse the object space. From the Protected Object Properties page. in the Registry Container text field. 6. The default file name is objectExport. type the name of the object to import. Optional: Select the Create Groups check box to trigger the creation of a group for associated ACLs with the type Group. the exported file is in plain text. For example. 5. complete one of the following steps: v In the Object File Name field. Click Import.xml. Web Portal Manager To export an object. To perform this task. Click Save to display the Save As window. If successful. type objectImport. 4. Optional: In the Encryption String text field. 7. For example. 8. When an encryption string is provided. type the string again. Exporting objects You can export an object using Web Portal Manager only. When the Create Groups box is selected. If the file containing the object space was encrypted when it was exported.xml. 9. 7. Use Web Portal Manager to log in to the domain as a domain administrator. Optional: Select the Export Object including Children check box to descend the object hierarchy and export all child objects. type the string that was used to encrypt the XML file. the administrator requires the following permissions: v Delete (d) v Modify (m) 74 Administration Guide . Click Save to create the file that contains the exported description. click Export to display the Export Object to File page. Deleting an object You can delete an object using Web Portal Manager or the pdadmin utility. type the name of the registry container. type o=ibm. 3. If successful. Navigate the hierarchy and select the object that you want to export. From the Import Protected Object From File page. type the string to use to encrypt the XML file. Click Export to display the File Download window. the exported XML description file is available in the specified location. complete the following steps: 1. Click the link for an object to see its properties. to delete the object named /Management/test-object. 2. 4. For example. and authorization rules are attached to the object and whether the object has extended attributes. log in to the domain as the domain administrator and use the object delete command. Use Web Portal Manager log in to the domain as a domain administrator. These properties include whether ACL policies. Click Object Space → Browse Object Space. Managing protected objects 75 . see the IBM Tivoli Access Manager for e-business: Command Reference. enter the following command: pdadmin object delete /Management/test-object For more information. Chapter 7. click the /Management/text-object link to display its properties.Web Portal Manager To delete an object. 3. complete the following steps: 1. For example. pdadmin To delete an object in the domain using the pdadmin utility. ensure the object named is the one you want to delete and click Delete. The Browse Object Space page provides a hierarchical display of all objects in the domain as links. POPs. From the Protected Object Properties page. 76 Administration Guide . For more information about ACL policies. see “ACL policies. see “Managing action groups” on page 95. additional action groups might be created. An ACL entry defines a user or group and which actions each can perform against a protected object. see “ACL entries” on page 78. A domain administrator can assign another user administrative authority. An action group is a set of permissions. see “Action groups and actions” on page 80. Managing access control A domain administrator can use access control list (ACL) policies to control access to objects. see “Managing actions” on page 97. A permission is an action that is defined by an action bit in an action group. In this situation. To define another administrative user. and contains 17 permissions. For details about the action tasks that a domain administrator can perform. a domain administrator can create additional action groups and add new actions to previously created action groups. Each ACL policy contains one or more ACL entries that affect only that object. These permissions are defined using action bits. the domain administrator sets the ACL entries for that user to match the ACL entries of the domain administrator. see “Managing ACL policies” on page 83. A domain administrator can add to or remove from an ACL entry. ACL policies can be attached to resource objects and container objects. When Tivoli Access Manager is installed. a domain administrator adds or removes permissions (actions) for specific users or groups. Any change to the ACL entry affects only the access that these users and groups have against a specific domain resource to which the ACL policy is attached. ACL policies contain ACL entries that control who can access which domain resources and perform which actions. 1999. To define ACL entries. As additional resource managers are installed.” For details about the ACL policy tasks that a domain administrator can perform. and modifying the ACL entries in the ACL policies. A domain administrator can manage these ACL entries before or after the ACL policy is attached to domain resources. For more information about ACL entries in an ACL policy. For details about the action group tasks that a domain administrator can perform. For additional information about actions and action groups. As needed. both the new administrative user and the domain administrator have the same authority. the ACL policy that is attached to the docs_repository object might allow all requesters the following permissions: v List v Read © Copyright IBM Corp. the ACL policy that is attached to the spooler object might allow all requesters the following permissions: v Execute v List v Read v Write However. A domain administrator manages the ACL policies by adding. the primary action group is created. 2010 77 . For example.Chapter 8. removing. ACL policies Within the protected object space. v The traverse permission allows a requester to pass through a container object to the requested object. v Through inheritance. the root object defines the security policy for the entire object space. see “Action groups and actions” on page 80. Figure 16. Each ACL entry contains attributes that identify the user or group and the actions that this user or group can perform. Container objects represent specific regions in the protected object space.In this case. Actions bits are defined in action groups. Permissions are defined using action bits. remove the traverse permission (T action bit) from the ACL entry. the ACL policy serves the following important security tasks: v The root (/) container object begins the chain of ACL inheritance for the entire protected object space. see “ID attribute” on page 79. The number of required attributes for an ACL entry depends on the ACL entry type. Figure 16 shows the attributes of an ACL entry. After a domain administrator creates an ACL policy and attaches it to a container object. For additional information about action bits and action groups. For additional information about the ID attribute. The ID attribute is the unique identifier (name) of the user or group that is specified with the type attribute. v The traverse permission does not grant any other access controls to the container object. ID Permissions The permissions attribute defines the set of permissions (actions) that are permitted on the resource by this user or group. v Unless an explicit ACL policy is attached to a contained object. or special) for which the ACL entry was created. ACL entry attributes 78 Administration Guide . The any-other and unauthenticated special entry types do not require the ID attribute. For additional information about the type attribute. To deny access to all objects in a region. ACL entries Each ACL policy can contain one or more ACL entries. the ACL policy that is attached to these objects are both for all requesters. group. see “Permissions attribute” on page 79. For additional information about the permissions attribute. The general format of an ACL entry contains the following attributes: Type The type attribute specifies the entity category (user. the ACL policy for the container object defines the security policy for all resources in that container object. see “Type attribute” on page 79. but the permissions that are defined in the ACL entry for all requesters is different. The behavior of certain permissions varies according to where the permissions are applied. For example. Managing access control 79 . the resulting action set is read only. The any-other and unauthenticated special entry types do not use the ID attribute.Type attribute The type attribute of an ACL entry type identifies the user. A permission for unauthenticated is granted only if the permission also appears in the any-other entry. or special entity for a specific ACL entry. when unauthenticated has read and write permissions and any-other has transverse and read permissions. Permissions attribute Each ACL entry contains a set of permissions (actions) that describes the specific operations that are permitted on the object by the user or group. The user entry type requires a user name (ID). No ID designation is required. The following types are supported: user Sets permissions for a specific user in a domain. The group entry type requires a group name (ID). The entry format is unauthenticated permissions as shown in the following example: unauthenticated -------T-----r- This ACL entry is a mask (a bit-wise and operation) against the any-other ACL entry to determine the action set. the modify permission (m action bit) behaves differently for protected resources in the /WebSEAL object space than for protected resources in the /Management object space. This example is shown in the following equation: + unauthenticated -------------rw any-other -------T-----r-------------r- ID attribute Each user ACL entry and each group ACL entry have unique identifiers (name). The entry format is user ID permissions as shown in the following example: user anthony -------T-----r- group Sets permissions for all members of a specific group in a domain. Permissions are context sensitive. The entry format is group ID permissions as shown in the following example: group engineering -------T-----r- any-other Sets permissions for all authenticated users. The user must be a member of the domain with an account in the registry. These names must represent valid users or groups that are created in a domain and have an account in the registry. The entry format is any-other permissions as shown in the following example: any-other -------T-----r- The any-other entry type is also known as any-authenticated. No ID attribute is required in the ACL entry. Chapter 8. unauthenticated Sets permissions for those users who have not been authenticated by the policy server. For example. group. permissions. a domain administrator can create custom permissions by defining new action bits.Permissions control protected resources in the following ways: v Determine whether a user can perform operations on protected objects v Determine whether an administrator can change security policy on the object and any object that inherits permissions v Determine whether Tivoli Access Manager itself can delegate credentials for a user Action groups and actions A domain administrator defines the actions that requesters can perform on objects in the protected object spaces. This action group contains 17 permissions. and its category as shown in Web Portal Manager. Default permissions in the primary action group Tivoli Access Manager defines permissions using action bits. and Web Portal Manager category of the default primary action group Action bit a A b B c d g l m N R Description of permission Attach Add Browse Bypass protected object policy (POP) Control Delete Delegation List directory Modify Create Bypass rule Base Base Base Base Base Generic Base Application Generic Base Base Category 80 Administration Guide . A domain administrator modifies the ACL entries in an ACL policy before or after the ACL policy is attached to an object. a domain administrator can create additional action groups. As additional applications and resource managers are installed. additional action groups might be created. an action group that is created during the installation of an application or resource manager. In the primary action group. Web Portal Manager divides these permissions into the following categories. the primary action group is created. a brief description of its associated permission. When you install Tivoli Access Manager. v Base v Generic v Application Table 2 shows the action bit in the primary action group. Action bits. When Tivoli Access Manager is installed. Table 2. The actions that can be defined in an ACL entry must be previously defined in an action group. or a custom action group. An action is a permission in an action group that is defined in the action group by an action bit. the default primary action group is created. Independent of whether additional action groups are created during subsequent installations. the read permission (action bit r) must be used only by an action that requires read-only access to a protected object. the associated actions must closely match that of the actual operation that is performed by an action in the primary action group. A print spooling service is written with the authorization application programming interface (authorization API) so that it can call the authorization service to perform ACL checks on requests made to the printer. The default permissions do not include a permission for protecting printers. Chapter 8. If the authorization service returns an unfavorable response. a domain administrator can define a new action bit for a permission that can be used and be recognized by the authorization service. If a user requests the use of this protected printer. For details. the printer can be protected by a custom action bit (p in this example). see “Managing action groups” on page 95. Custom permissions in custom action groups The default permissions in the primary action group are available to all applications. Action bits. An ACL policy is attached to the printer object. For example. So a custom action group can reuse an action bit from the primary action group to create an action in a custom action group for an unrelated operation. the printing operation is not allowed to proceed. permissions. see “Managing action groups” on page 95. this situation might cause difficulty for a domain administrator who must be able to distinguish between two dissimilar uses of the same action bit. The authorization service does not know or care about the action. If a custom action group uses an action that is not appropriately represented by a default permission.Table 2. and Web Portal Manager category of the default primary action group (continued) Action bit r s t T v W x Read Server administration Trace Traverse View Password Execute Description of permission Category Application Generic Base Base Generic Base Application Tivoli Access Manager provides the capability to define additional permissions for use by resource managers. that user must have an ACL entry that contains the p action bit. When to create custom permissions To protect a printer from unauthorized use. For more information. The authorization service returns a favorable response if the p action bit is present and the printing operation proceeds. Managing access control 81 . a domain administrator can create a custom action. However. However. If a custom action group uses these default permissions. Figure 17 on page 82 shows an example of this requirement. and the set of permissions (action bits). s. b.. Action group groupC contains action bits that use the same letters for action bits as used in the primary action group. The action bits are associated with a specific action group (groupC). T. So the a and b action bits have unique identities and can represent different permissions from those action bits in the primary action group. Scenario using custom actions The following scenarios show how to add custom actions to an ACL policy that is attached to a protected object: 1. Permissions that represent the action bits from multiple action groups are presented in the following format: bits[group_1]bits_1. The primary action group is the default action group. v The groupC action group contains the a and b action bits.[group_n]bits_n The following example is an example of the permissions attribute: abgTr[groupA]Pq[groupB]Rsy[groupC]ab The previous permissions attribute has the following interpretation: v The primary action group contains the a. To list permissions in the test-group action group. v The groupB action group contains the R. To list ACL policies. To show action groups. enter the following command: pdadmin sec_master> action list test-group P S Test-Action Test-Action2 Special Special 3. ACL entries contain an entry type. enter the following command: pdadmin sec_master> action group list primary test-group 2. and r action bits. and y action bits. v The groupA action group contains the P and q action bits.Print spooler service A P I C an Iuse t s hi prnt ? i er Authorization service "YES" Authorization policy database Printer ACL User michael p Figure 17. You must use a special syntax to identify custom action bits that belong to action groups other than the primary action group. enter the following command: pdadmin sec_master> acl list default-webseal 82 Administration Guide .. an ID for user and group types. Permissions for a custom print spooler Representation of custom actions and action groups As discussed in “ACL entries” on page 78. g. enter the following command: pdadmin sec_master> acl show test-acl ACL Name: test-acl Description: Entries: User sec_master Tcmdbva Group ivmgrd-servers Tl Any-other r 5. enter the following command: pdadmin sec_master> acl show test-acl ACL Name: test-acl Description: Entries: User sec_master Tcmdbva Group ivmgrd-servers Tl Any-other r User kathy Tbr[test-group]PS Managing ACL policies You can create and configure an ACL policy and attach it to objects in the protected object space. Managing access control 83 . You can perform the following ACL policy tasks: v “Creating an ACL policy” on page 84 v “Modifying the description of an ACL policy” on page 84 v “Listing ACL policies” on page 85 v “Viewing an ACL policy” on page 85 v “Cloning an ACL policy” on page 86 v “Importing ACL policies” on page 86 v “Exporting all ACL policies” on page 86 v v v v v v “Exporting a single ACL policy” on page 87 “Exporting multiple ACL policies” on page 87 “Attaching an ACL policy to an object” on page 88 “Locating where an ACL policy is attached” on page 89 “Detaching an ACL policy from an object” on page 88 “Deleting an ACL policy” on page 89 Chapter 8. To add an ACL entry for the user named Kathy that contains permissions from the action groups named primary and test-group. The master policy database is controlled by the policy server. To validate this addition. ACL policies are placed in the master policy database on a domain-by-domain basis.default-root default-gso default-policy default-config test-acl default-replica default-management 4. enter the following command: pdadmin sec_master> acl modify test-acl set user kathy brT[test-group]PS 6. To show details about the ACL name test-acl. For example. exporting. You must modify this ACL policy by adding ACL entries for the additional users and groups that need to manage this ACL policy and manage the objects to which this ACL policy is attached. Modifying the description of an ACL policy You can modify an ACL policy using Web Portal Manager or the pdadmin utility. 2. it contains an entry for as the logged in user who created the ACL policy. log in to the domain as a domain administrator and use the acl create command. Click Create. 3. you might need to remove the ACL entry for the user who created the ACL policy. instructions are provided for using either Web Portal Manager or pdadmin. a link for this ACL policy is available when you list all ACL policies. Web Portal Manager To 1. Creating an ACL policy You can create an ACL policy using Web Portal Manager or the pdadmin utility. You can now add and remove ACL entries from the ACL policy. 2. pdadmin To create an ACL policy in the domain using the pdadmin utility. or cloning ACL policies. After creating an ACL policy. For example. Use Web Portal Manager to log in to the domain as a domain administrator. Click ACL → Create ACL. see the IBM Tivoli Access Manager for e-business: Command Reference. 4. enter the following command: pdadmin sec_master> acl create Test-ACL For more information. If successful. complete the following steps: Use Web Portal Manager to log in to the domain as a domain administrator. For example. This ACL entry has all the defined permissions. In the ACL Name file. modify the description of an ACL policy. For online help while using Web Portal Manager. complete the following steps: 1. Click ACL → List ACL. Note: There are no equivalent pdadmin commands for importing. Web Portal Manager To create an ACL policy.In the following sections. see “Creating an ACL entry” on page 90 and “Removing ACL entries from an ACL policy” on page 91. From the Manage ACLs page. click the link for the ACL policy that you want to change. 84 Administration Guide . 5. to create an ACL policy named Test-ACL. type Test of new ACL. For details about adding and removing ACL entries. 3. click the question mark to open a separate help window for the current page. type the name of the ACL policy. Optional: In the Description field. type a description of the ACL. type Test-ACL. or both. After adding the appropriate ACL entries for these users and groups. to modify the description of the ACL named Test-ACL to be ACL for Test resources. as appropriate. Chapter 8. complete the following steps: 1. Click ACL → List ACL. enter the following command: pdadmin sec_master> acl show Test-ACL ACL Name: Test-ACL Description: ACL for Test resources Entries: User maryj r For more information. Listing ACL policies You can list all ACL policies using Web Portal Manager or the pdadmin utility. click the link for the ACL policy that you want to view. 3. For example. Managing access control 85 . The Manage ACLs page displays all the ACL policies in the domains. log in to the domain as a domain administrator and use the acl modify command with the description option.4. pdadmin To modify the description of an ACL policy in the domain using the pdadmin utility. Click Set. 2. 2. Web Portal Manager To list all ACL policies in the domain. pdadmin sec_master> acl list For more information. Viewing an ACL policy You can view an ACL policy using Web Portal Manager or the pdadmin utility. 5. Use Web Portal Manager to log in to the domain as a domain administrator. For example. pdadmin To list all ACL policies in the domain using the pdadmin utility. Click ACL → List ACL. view an ACL policy in the domain. complete the following steps: Use Web Portal Manager to log in to the domain as a domain administrator. to show the ACL named Test-ACL. enter the following command: pdadmin sec_master> acl modify Test-ACL description "ACL for Test resources" To show the modifications to the ACL. log in to the domain as a domain administrator and use the acl list command. From the ACL Properties page. Web Portal Manager To 1. see the IBM Tivoli Access Manager for e-business: Command Reference. From the Manage ACLs page. modify the text in the Description field. see the IBM Tivoli Access Manager for e-business: Command Reference. use the acl show command. For example. complete the following steps: 1. 2. Exporting all ACL policies You can export the definitions of all ACL policies using Web Portal Manager only. 6. type the name of the ACL to import. 86 Administration Guide . To export the definition of all ACL policies in the domain. type the name of the registry container for the ACL. For example. If the file containing the ACL was encrypted when it was exported. type Clone of new ACL. Use Web Portal Manager to log in to the domain as a domain administrator. Click ACL → List ACL. 4. select the ACL policy you want to clone. click Clone. in the Encryption String text field. Cloning an ACL policy You can clone an ACL policy using Web Portal Manager only. log in to the domain as a domain administrator and use the acl show command. From the Manage ACLs page. type an ACL Name.xml. see the IBM Tivoli Access Manager for e-business: Command Reference. Importing ACL policies You can import an ACL policy using Web Portal Manager only. If successful. Optional: Type a Description of the ACL policy For example. 4. Click Import. type aclImport. The default value is the name of the original ACL with the prefix Clone. a link for the cloned ACL policy is created and a success message is displayed. 7. type Test-ACL. When Create Groups is selected: In the Registry Container text field. Optional: Select the Create Groups check box to create a group for ACL entries with the type Group.c=us. To import an ACL policy in the domain. pdadmin sec_master> acl show test-acl For more information. The default value is the description of the original ACL. v Click Browse to select a file name.pdadmin To view an ACL policy in the domain using the pdadmin utility. For example. 3. If successful. 7. Click ACL → Import ACL. From the Clone ACL page. 3. 5. the imported ACL policy is available when you list all the ACL policies. From the Import ACL page. complete the following steps: 1. Use Web Portal Manager to log in to the domain as a domain administrator. Use Web Portal Manager to log in to the domain as a domain administrator. type the string that was used to encrypt the XML file. 2. From the ACL Properties page. complete one of the following steps: v In the ACL File Name field. Click Clone. 6. 5. To clone an ACL policy in the domain using Web Portal Manager: 1. type o=ibm. 2. When an encryption string is provided. Optional: In the Encryption String text field. the exported XML description file is available in the specified location. 3. type the string again. the exported file is in plain text. 8. If successful. 4. 6. Click ACL → Export All to display the Export ACL to File page. Click Export to display the File Download window. If not specified. To export the definition of a single ACL policy in the domain. 2. 7. 3. in the Confirm Encryption String text field. 6. To export the definition of ACL policies from the list in the domain. type the string again. Click Save to display the Save As window. select the ACLs that you want to export. in the Confirm Encryption String text field. Optional: In the Encryption String text field. Click Save to create the file that contains the exported description. the exported XML description file is available in the specified location. 4. 2. the exported file is in plain text. From the Manage ACLs page.xml. Click Save to display the Save As window. type the string to use to encrypt the XML file. type the string again. Click Export to display the File Download window. 7. 9. When an encryption string is provided. 5. If successful. Optional: In the Encryption String text field. 7.xml. 6. Chapter 8. in the Confirm Encryption String text field. the exported file is in plain text. 3. If not specified. 8. From the Manage ACLs page. Click ACL → List ACL. Click Export to display the Export ACL to File page. Click Export to display the File Download window. type the string to use to encrypt the XML file. Use Web Portal Manager to log in to the domain as a domain administrator. Click Save to create the file that contains the exported description. 5. complete the following steps: 1. complete the following steps: 1. Use Web Portal Manager to log in to the domain as a domain administrator. Exporting a single ACL policy You can export the definition of a single ACL policy using Web Portal Manager only. select the ACL that you want to export. Managing access control 87 . Click Save to display the Save As window. When an encryption string is provided. 4. Exporting multiple ACL policies You can export the definition of ACL policies from a list using Web Portal Manager only. type the string to use to encrypt the XML file. Click ACL → List ACL. From the ACL Properties page. The default file name is aclExport. click Export to display the Export ACL to File page. 5. The default file name is aclExport. If not specified. 88 Administration Guide . click the link for the ACL policy to detach. 2. 5. Web Portal Manager To detach an ACL from a protected object in the domain. and use the acl attach command. Attaching an ACL policy to an object You can attach an ACL to a protected object using Web Portal Manager or the pdadmin utility. From the Manage ACLs page. attach an ACL to a protected object. Use Web Portal Manager to log in to the domain as a domain administrator. Detaching an ACL policy from an object You can detach an ACL from an object using Web Portal Manager or the pdadmin utility. 4. The default file name is aclExport. If successful. pdadmin To attach an ACL to a protected object in the domain using the pdadmin utility. Web Portal Manager To 1. 4. click the link for the name of the ACL that you want to attach to a protected object. the administrator requires the attach (a) permission.xml. the administrator requires the attach (a) permission. Click Save to create the file that contains the exported descriptions. To perform this task. From the ACL Properties page. For example. Click Attach. From the ACL Properties page. complete the following steps: Use Web Portal Manager to log in to the domain as a domain administrator. Click ACL → List ACL. see the IBM Tivoli Access Manager for e-business: Command Reference. From the Attach ACL page. to attach an ACL named Test-ACL to a protected object named /Management/test-object. Click Attach. the protected object is displayed as a protected object link for the named ACL.9. enter the following command: pdadmin sec_master> acl attach /Management/test-object Test-ACL For more information. From the Manage ACLs page. To perform this task. Click ACL → List ACL. click the Attach tab. click the Attach tab. complete the following steps: 1. 6. 7. 3. 3. If successful. the exported XML description file is available in the specified location. type /Management/test-object. type a Protected Object Path. log in to the domain. For example. 2. Use Web Portal Manager to log in to the domain as a domain administrator. Click Delete. log in to the domain as a domain administrator and use the acl find command. Web Portal Manager To delete an ACL policy. If the ACL is attached to protected objects. see the IBM Tivoli Access Manager for e-business: Command Reference. Click ACL → List ACL. From the ACL Properties page. click the Attach tab. pdadmin To find where an ACL is attached in the domain using the pdadmin utility. 4. Click Detach. pdadmin To detach an ACL from a protected object in the domain using the pdadmin utility. 2. and then confirm the deletion by clicking Delete again on the Delete confirmation page. select one or more check boxes for the protected objects from which you want to detach the ACL. log in to the domain. 3. For example. Web Portal Manager To find where an ACL is attached. You are asked to confirm the detachment. complete the following steps: 1. From the Manage ACLs page. enter the following command: pdadmin sec_master> acl find Test-ACL For more information. 6. enter the following command: pdadmin sec_master> acl detach /Management/test-object For more information. click the link for the name of the ACL. Deleting an ACL policy You can delete an ACL policy using Web Portal Manager or the pdadmin utility. see the IBM Tivoli Access Manager for e-business: Command Reference. select one or more check boxes of the ACL policies that you want to delete. If successful. For example. Locating where an ACL policy is attached You can find where an ACL is attached using Web Portal Manager or the pdadmin utility. Chapter 8. to find where the ACL named Test-ACL is attached. complete the following steps: 1. the ACL policy is no longer included in the list of ACL policies in the Manage ACLs page. Click ACL → List ACL. Use Web Portal Manager to log in to the domain as a domain administrator. 3. 2. to detach the ACL from the protected object named /Management/test-object.5. 4. A list of ACL names is displayed. From the Manage ACLs page. Managing access control 89 . and use the acl detach command. 7. to show the ACL named Test-ACL. or both. enter the following command: pdadmin sec_master> acl modify Test-ACL set user maryj r To show the modifications to the ACL. For user or group. instructions are provided for using either Web Portal Manager or the pdadmin utility. Use this procedure to create the ACL entry for any user. to delete the ACL named Test-ACL. Click Apply. enter the following command: 90 Administration Guide . From the ACL Properties page. For online help while using Web Portal Manager. For example. click Create. Creating an ACL entry You can create an ACL entry for an ACL policy using Web Portal Manager or the pdadmin utility. log in to the domain as a domain administrator and use the acl delete command. For example. group. 3. Web Portal Manager To create an ACL entry.pdadmin To delete an ACL policy in the domain using the pdadmin utility. Select the check box for each permission to enable. or special ACL entry type (any-other and unauthenticated). click the question mark to open a separate help window for the current page. to create the permissions for user maryj for the Test-ACL ACL policy to have r (read) action bit. any-other. 6. Select the appropriate entry type: user. specify the name. 5. log in to the domain as a domain administrator and use the acl modify command with the set option. complete the following steps: 1. Managing ACL entries in ACL policies You can perform the following ACL entry tasks on ACL policies: v “Creating an ACL entry” v “Modifying permissions for an ACL entry” on page 91 v “Removing ACL entries from an ACL policy” on page 91 In the following sections. 8. For example. or unauthenticated. 4. Use Web Portal Manager to log in to the domain as a domain administrator. From the Manage ACLs page. enter the following command: pdadmin sec_master> acl delete Test-ACL For more information. group. click the link for the ACL policy you want to change. use the acl show command. see the IBM Tivoli Access Manager for e-business: Command Reference. 2. pdadmin To create an ACL entry for an ACL policy in the domain using the pdadmin utility. Click ACL → List ACL. group. For example. or special ACL entry type (any-other and unauthenticated). From the ACL Properties page. 4. Use Web Portal Manager to log in to the domain as a domain administrator. 6. click the permission link. Use this procedure to remove the ACL entry for any user. group. Web Portal Manager To modify permissions in an ACL entry. Click Apply. 5. 3. click the link for the ACL policy you want to change. complete the following steps: 1. use the acl show command. Chapter 8. Use this procedure to modify the permissions for any user. Web Portal Manager To remove an ACL entry. log in to the domain as a domain administrator and use the acl modify command with the set option.pdadmin sec_master> acl show Test-ACL ACL Name: Test-ACL Description: Entries: User maryj r For more information. For example. enter the following command: pdadmin sec_master> acl modify Test-ACL set user maryj rw To show the modifications to the ACL. Removing ACL entries from an ACL policy You can remove ACL entries from an ACL policy using Web Portal Manager or the pdadmin utility. see the IBM Tivoli Access Manager for e-business: Command Reference. see the IBM Tivoli Access Manager for e-business: Command Reference. 2. complete the following steps: 1. 2. Click ACL → List ACL. to show the ACL named Test-ACL. From the ACL Entry Properties page. select the check box for each permission to enable or clear the check box for each permission to disable. to modify the permissions for user maryj for the Test-ACL ACL policy to have r (read) and w (write) action bits. Managing access control 91 . Modifying permissions for an ACL entry You can modify permissions for an ACL policy using Web Portal Manager or the pdadmin utility. Click ACL → List ACL. Use Web Portal Manager to log in to the domain as a domain administrator. or special ACL entry type (any-other and unauthenticated). From the Manage ACLs page. enter the following command: pdadmin sec_master> acl show Test-ACL ACL Name: Test-ACL Description: Entries: User maryj rw For more information. pdadmin To modify an ACL policy in the domain using the pdadmin utility. 3. complete the following steps: 1. Click ACL → List ACL. or special ACL entry type to remove. 92 Administration Guide . select the user. 5. For example. 4. From the Manage ACLs page. or both. 5. Click Create.3. Managing extended attributes in ACL policies You can perform the following extended attribute tasks on an ACL policy: v “Creating extended attributes for an ACL policy” v “Modifying extended attributes from an ACL policy” on page 93 v “Listing extended attributes of an ACL policy” on page 93 v “Viewing extended attributes of an ACL policy” on page 94 v “Deleting extended attributes from an ACL policy” on page 94 v “Deleting extended attribute values from an ACL policy” on page 95 In the following sections. Creating extended attributes for an ACL policy You can create an extended attribute for an ACL policy using Web Portal Manager or the pdadmin utility. see the IBM Tivoli Access Manager for e-business: Command Reference. enter the following command: pdadmin sec_master> acl show Test-ACL ACL Name: Test-ACL Description: Entries: For more information. enter the following command: pdadmin sec_master> acl modify Test-ACL remove user maryj To show the modifications to the ACL. to show the ACL named Test-ACL. 4. From the ACL Properties page. For example. click the link for the ACL policy that you want to remove. Web Portal Manager To create an extended attribute for an ACL policy. Click Delete. pdadmin To remove an ACL entry from an ACL policy in the domain using the pdadmin utility. For online help while using Web Portal Manager. to remove the ACL entry for user maryj from the Test-ACL ACL policy. log in to the domain as a domain administrator and use the acl modify command with the remove option. From the Manage ACLs page. From the ACL Properties page. click the link of the ACL policy for which you want to create an extended attribute. click the question mark to open a separate help window for the current page. Use Web Portal Manager to log in to the domain as a domain administrator. use the acl show command. click the Extended Attribute tab. group. 2. instructions are provided for using either Web Portal Manager or pdadmin. Web Portal Manager To list all the extended attributes of an ACL policy in the domain. complete the following steps: 1. When you select the “Generic Attribute” attribute type. see the IBM Tivoli Access Manager for e-business: Command Reference. enter the following command: pdadmin sec_master> acl modify Test-ACL set attribute Dept_No 445 For more information. Chapter 8. c. From the Manage ACLs page. To use Web Portal Manager. 4. From the Create Extended Attribute page. select the type of attribute. For example. type the value for the attribute. From the ACL Properties page. to create a generic attribute named Dept_No with a value of 445 and associate it with the ACL named Test-ACL. In the Attribute Name field. b. log in to the domain as a domain administrator and use the acl modify command with the set attribute option. Managing access control 93 . log in to the domain as a domain administrator and use the acl modify command with the set attribute option. Web Portal Manager does not support modifying attributes. Listing extended attributes of an ACL policy You can list the extended attributes of an ACL policy using Web Portal Manager or the pdadmin utility. For example. This field is displayed only when the attribute type is “Generic Attribute”. click the Extended Attribute tab. In the Attribute Type field. to modify a generic attribute named Dept_No and add a value of 445 and associate it with the ACL named Test-ACL. pdadmin To create an extended attribute for an ACL policy in the domain using the pdadmin utility. 7. type the name of the attribute. an administrator needs to delete the attribute and then create the attribute again. pdadmin To modify an extended attribute for an ACL policy in the domain using the pdadmin utility. define the extended attribute: a. click the link for name of the ACL policy that you want to view.6. Modifying extended attributes from an ACL policy You can modify extended attributes for an ACL policy using the pdadmin utility only. unless the selected attribute type is “Generic Attribute”. 2. Click ACL → List ACL. In the Attribute Value field. enter the following command: pdadmin sec_master> acl modify Test-ACL set attribute Dept_No 445 For more information. see the IBM Tivoli Access Manager for e-business: Command Reference. 3. Use Web Portal Manager to log in to the domain as a domain administrator. select the value for the attribute. Click Apply. The ACL Properties page displays all the extended attributes for the selected ACL policy. pdadmin To list all the extended attributes for an ACL policy using the pdadmin utility, log in to the domain as a domain administrator and use the acl list command with the attribute option. For example, to list the extended attributes of the ACL policy named pub_acl_3, enter the following command: pdadmin sec_master> acl list pub_acl_3 attribute For more information, see the IBM Tivoli Access Manager for e-business: Command Reference. Viewing extended attributes of an ACL policy You can view the extended attributes of an ACL policy using Web Portal Manager or the pdadmin utility. Web Portal Manager To view the extended attributes of an ACL policy in the domain, complete the following steps: 1. Use Web Portal Manager to log in to the domain as a domain administrator. 2. Click ACL → List ACL. 3. From the Manage ACLs page, click the link for the ACL policy that you want to view. 4. Click the Extended Attribute tab. pdadmin To view the extended attributes for an ACL policy using the pdadmin utility, log in to the domain as a domain administrator and use the acl show command with the attribute option. For example, to show the myAttribute attribute of the test-acl ACL policy, enter the following command: pdadmin sec_master> acl show test-acl attribute myAttribute For more information, see the IBM Tivoli Access Manager for e-business: Command Reference. Deleting extended attributes from an ACL policy You can delete an extended attribute for an ACL policy using Web Portal Manager or the pdadmin utility. Web Portal Manager To delete an extended attribute for an ACL policy, complete the following steps: 1. Use Web Portal Manager to log in to the domain as a domain administrator. 2. Click ACL → List ACL. 3. From the Manage ACLs page, click the link for the ACL policy from which you want to delete extended attributes. 4. From the ACL Properties page, click the Extended Attributes tab. 5. Select the extended attributes. 6. Click Delete. 94 Administration Guide pdadmin To delete an extended attribute for an ACL policy in the domain using the pdadmin utility, log in to the domain as a domain administrator and use the acl modify command with the delete attribute option. For example, to delete the extended attributed named Dept_No from the ACL named Test-ACL, enter the following command: pdadmin sec_master> acl modify Test-ACL delete attribute Dept_No For more information, see the IBM Tivoli Access Manager for e-business: Command Reference. Deleting extended attribute values from an ACL policy You can delete a value for an extended attribute from an ACL policy using the pdadmin utility only. pdadmin To delete an attribute value, log in to the domain as a domain administrator and use the acl modify command with the delete attribute attribute_name attribute_value options. For example, to delete the value 445 from the extended attributed named Dept_No from the ACL named Test-ACL, enter the following command: pdadmin sec_master> acl modify Test-ACL delete attribute Dept_No 445 Only the attribute value is deleted. For more information, see the IBM Tivoli Access Manager for e-business: Command Reference. Managing action groups Permissions are used to grant access to perform a specific operation on resources that are protected by Tivoli Access Manager. Tivoli Access Manager provides 17 predefined permissions for immediate use. These permissions are stored in the predefined action group named primary. Each permission is associated with an action bit. These predefined permissions are described in “Default permissions in the primary action group” on page 80. Tivoli Access Manager provides the ability to create resource manager-specific permissions. For example, Tivoli Access Manager for Business Integration defines Enqueue and Dequeue permissions to grant access to put messages in a message queue or to get messages from the message queue. Tivoli Access Manager supports a total of 32 action groups, including the primary action group. When you define an action group, the following guidelines and limitations apply: v Each action group can hold up to 32 action bits (including the action bits for the 17 predefined permissions). v An action bit is made up of a letter: a-z, A-Z. v Each action bit character can be used only once within an action group. v You can reuse the same action bit in other action groups. Chapter 8. Managing access control 95 You can perform the following action group tasks: v “Creating action groups” v “Listing action groups” v “Deleting an action group” on page 97 Creating action groups You can create an action group using Web Portal Manager or the pdadmin utility. Web Portal Manager To 1. 2. 3. create an action group, complete the following steps: Use Web Portal Manager to log in to the domain as a domain administrator. Click ACL → Create Action Group. Type the new Action Group Name. For example, type test-group. 4. Click Create. If successful, a message is displayed when the action group is created. pdadmin To create an action group in the domain using the pdadmin utility, log in to the domain as a domain administrator and use the action group create command. For example, to create an action group named test-group, enter the following command: pdadmin sec_master> action group create test-group The primary action group always appears in a group listing and cannot be deleted. You must have an entry in an ACL on the /Management/ACL object with the modify (m) action to create action groups and the delete (d) permission to delete action groups. For more information, see the IBM Tivoli Access Manager for e-business: Command Reference. Listing action groups You can list all action groups using Web Portal Manager or the pdadmin utility. Web Portal Manager To list all action group, complete the following steps: 1. Use Web Portal Manager to log in to the domain as a domain administrator. 2. Click ACL → List Action Groups. The Manage Action Groups page displays a list of all action groups in the domain. pdadmin To list all action groups in the domain using the pdadmin utility, log in to the domain as a domain administrator and use the action group list command. For example, to list all action groups, enter the following command: pdadmin sec_master> action group list For more information, see the IBM Tivoli Access Manager for e-business: Command Reference. 96 Administration Guide Deleting an action group You can delete an action group using Web Portal Manager or the pdadmin utility. Web Portal Manager delete an action group, complete the following steps: Use Web Portal Manager to log in to the domain as a domain administrator. Click ACL → List Action Groups. From the Manage Action Groups page, select one or more check boxes for the action groups that you want to delete. 4. Click Delete. 5. Confirm the deletion by clicking Delete again on the Delete Action Groups page. To 1. 2. 3. pdadmin To list action groups in the domain using the pdadmin utility, log in to the domain as a domain administrator and use the action group delete command. For example, to delete the action group named test-group, enter the following command: pdadmin sec_master> action group delete test-group For more information, see the IBM Tivoli Access Manager for e-business: Command Reference. Managing actions You can perform the following action tasks: v “Creating actions in an action group” v “Listing actions in an action group” on page 98 v “Deleting actions from an action group” on page 98 Creating actions in an action group You can create an action in an action group using Web Portal Manager or the pdadmin utility. Web Portal Manager To create an action in an action group, complete the following steps: 1. Use Web Portal Manager to log in to the domain as a domain administrator. 2. Click ACL → List Action Groups. 3. From the Manage Action Group page, click the link for the action group name in which to create the permission. For example, select the Test-Group link. 4. From the Action Group Properties page, click Create to display the Create Action page. The Action Group Name is automatically completed. 5. Type a single character Action Name. For example, type x. 6. In the Action Label field, type a short description of the permission. For example, type Execute. 7. In the Action Type field, type a description of the permission, such as the application to which the permission is specific. For example, type WebSEAL. 8. Click Create. If successful, a message is displayed when the permission is created. Chapter 8. Managing access control 97 pdadmin To create an action in an action group using the pdadmin utility, log in to the domain as a domain administrator and use the action create command. For example, to create an x action bit in the Test-Group action group, enter the following command: pdadmin sec_master> action create x Execute WebSEAL Test-Group For more information, see the IBM Tivoli Access Manager for e-business: Command Reference. Listing actions in an action group You can list all actions in an action group using Web Portal Manager or the pdadmin utility. Web Portal Manager To list all actions in an action group, complete the following steps: 1. Use Web Portal Manager to log in to the domain as a domain administrator. 2. Click ACL → List Action Groups. 3. From the Manage Action Group page, click the link for the action group name. pdadmin To list the actions in an action group using the pdadmin utility, log in to the domain as a domain administrator and the action list command. For example, to list the actions in the Test-Group action group, enter the following command: pdadmin sec_master> action list Test-Group For more information, see the IBM Tivoli Access Manager for e-business: Command Reference. Deleting actions from an action group You can delete an action from an action group using Web Portal Manager or the pdadmin utility. Web Portal Manager To delete an action from an action group, complete the following steps: 1. Use Web Portal Manager to log in to the domain as a domain administrator. 2. Click ACL → List Action Groups. 3. From the Manage Action Group page, click the link for the action group name that contains the permission to be deleted. 4. From the Action Group Properties page, select the permission to delete. 5. Click Delete. 6. Confirm the deletion by clicking Delete on the Delete Action page. pdadmin To delete an action from an action group using the pdadmin utility, log in to the domain as a domain administrator and the action delete command. For example, to delete the x action bit from the Test-Group action group, enter the following command: 98 Administration Guide pdadmin sec_master> action delete x Test-Group For more information, see the IBM Tivoli Access Manager for e-business: Command Reference. Chapter 8. Managing access control 99 100 Administration Guide Chapter 9. Protected object policy management While the access control list (ACL) policies provide the authorization service with information to make a yes or no answer on a request to access a protected object and perform some operation on that object, a protected object policy (POP) contains additional conditions on the request that are passed back to the resource manager along with the yes ACL policy decision from the authorizations service. It is the responsibility of Tivoli Access Manager and the resource manager to enforce the POP conditions. Table 3 lists the available attributes for a POP that are provided by Tivoli Access Manager. Table 3. POP attributes that are enforced by Tivoli Access Manager POP attribute Name Description Specifies the name of the policy. This attribute relates to the pop-name variable in the pop command documentation. Specifies the descriptive text for the policy. This attribute appears in the pop show command. Provides administrators a means to test ACLs, POPs, and authorization rules. Warning mode provides a way to test the security policy before it is made active. Specifies the type of auditing: all, none, successful access, denied access, or errors. Audit level informs the authorizations service that extra services are required when permitting access to the object. Day and time restrictions for successful access to the protected object. Time-of-day places restrictions on the access to the object. Specifies authorization requirements for access from members of external networks. The IP endpoint authentication method policy places restrictions on the access to the object. Specifies an External Authorization Service (EAS) plug-in that is invoked to make an authorization decision using the externalized policy logic of the customer. Specifies the degree of data protection: none, integrity, or privacy. Quality of Protections informs the authorizations service that extra services are required when permitting access to the object. Description Warning mode Audit level Time-of-day Access IP endpoint authorization method policy EAS trigger attributes Quality of Protection Although Tivoli Access Manager provides these POP attributes, it only enforces the following attributes: v Name v Description v Warning mode v Audit level v Time-of-day Access © Copyright IBM Corp. 1999, 2010 101 For information about attaching a POP. see “Attaching a POP to an object” on page 108. which is controlled by the policy server. Note: There are no equivalent pdadmin commands for importing. You can perform the following POP tasks: v “Creating a POP” v “Modifying a POP” on page 104 v “Listing POPs” on page 105 v “Viewing a POP” on page 105 v v v v v v “Cloning a POP” on page 106 “Importing POPs” on page 106 “Exporting all POPs” on page 107 “Export a single POP” on page 107 “Exporting multiple POPs” on page 107 “Attaching a POP to an object” on page 108 v “Locating where a POP is attached” on page 109 v “Detaching a POP from an object” on page 108 v “Deleting a POP” on page 109 In the following sections.n are allowed to access the protected resource. For online help while using Web Portal Manager. click the question mark to open a separate help window for the current page. exporting. Creating a POP You can create a POP using Web Portal Manager or the pdadmin utility. or cloning POPs. v You can define that an additional authentication level is required to access this protected resource based on the IP address that is used by the identity. The step-up level authentication is described in “Configuring levels for step-up authentication” on page 115 and the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide. only users from IP address 9. For example. you can attach it to an object. instructions are provided for using either Web Portal Manager or the pdadmin utility. POPs are placed in the master authorization database on a per domain basis.18.n.Each resource manager or plug-in can optionally enforce one or more of the following attributes: v IP endpoint authorization method policy v EAS trigger attributes v Quality of Protection For Tivoli Access Manager IP address support: v You can grant access to a protected resource based on the IP address that is used by the identity. Managing protected object policies You create and configure a protected object policy (POP) and then attach the POP to objects in the protected object space. or both. 102 Administration Guide . After creating a POP. Privacy Requires data encryption for Secure Sockets Layer (SSL). Use Web Portal Manager to log in to the domain as a domain administrator. In the Description field. For more information. refer to “Setting a time-of-day restriction” on page 112. Deny Error Admin Audits not used by Tivoli Access Manager. Integrity Uses some mechanism to ensure that the data has not changed. Click POP → Create POP to display the Create POP page. Select the Warn Only On Policy Violation check box to enable warning mode attributes. Audits all requests on a protected object that result in denial of access. An auditable failure is an access attempt to a resource. you must also specify the Local Time or UTC Time (Coordinated Universal Time). The following choices are available: None Requires no Quality of Protection. Protected object policy management 103 . In the POP Name field. to which this POP is attached. 4. 3. is accessed. complete the following steps: 1. Optional: For Time of Day Access. A warning mode attribute indicates whether a policy violation that is related to a resource results in denial of access or in an auditable failure. refer to “Setting an audit level” on page 111 6. For more information. refer to “Setting a warning mode” on page 111. 2. Select one or more check boxes for the appropriate audit levels. For more information. The following choices are available: Permit Audits all requests on a protected object that result in successful access. not denied. type a description of the POP. Chapter 9. However. Select a type of Quality of Protection. For example. v Select either All Day or Between hours of for the access times that the resource can be accessed on the selected days. refer to “Setting a Quality of Protection level” on page 114. you must also specify the Start time and End time. type poptest1. v If you select Between hours of. this option can be used by custom applications. The audit level is the level of auditing that applies when a resource. 8. 5. type the name for the POP. v If you select Between hours of. is accessed. For more information.Web Portal Manager To create a POP. v Select the check boxes for the days of the week that the resource can be accessed. to which this POP is attached. 7. to which a POP applies. You can select more than one audit level. specify the days and times of the day that the resource can be accessed. Audits all internally generated error messages resulting from a denial of access to the protected object. that results in the access being audited. The level of protection that applies when a resource. If successful. Web Portal Manager To modify a POP. see the IBM Tivoli Access Manager for e-business: Command Reference. 3. 2. as needed. a message confirming that the POP was created is displayed. Click the Extended Attributes tab to change an extended attribute. 5. to create a POP named poptest1. change the description from Test POP to Test 1 for POP. Use Web Portal Manager to log in to the domain as a domain administrator. log in to the domain as a domain administrator and use the pop create command. complete the following steps: 1. Click the IP Auth tab to change the IP authentication. to show the modifications to the poptest1 POP. Click Create or click Create Another if you want to create another POP. sat: anytime:local IP Endpoint Authentication Method Policy Any Other Network 0 For more information. and then click Apply. use the pop show commands. 6. select poptest1 to display the POP Properties page. For example. repeat this procedure starting at step 3 on page 103 to create another POP. log in to the domain as a domain administrator and use the pop modify commands. Modifying a POP You can modify a POP using Web Portal Manager or the pdadmin utility. 10. Click the link for the POP. 7. thu. 4. Click the Attach tab to change the protected object attachments. If you clicked Create. For example. For example.9. Click the General tab to change the information pertaining to the POP. mon. pdadmin To create a POP in the domain using the pdadmin utility. fri. wed. click Done. pdadmin To modify a POP using the pdadmin utility. Click POP → List POP to display the Manage POPs page. enter the following commands: pdadmin sec_master> pop modify poptest1 set warning yes pdadmin sec_master> pop modify poptest1 set audit-level permit. enter the following command: pdadmin sec_master> pop create poptest1 The new POP contains the following default settings: pdadmin sec_master> pop show poptest1 Protected object policy: poptest1 Description: Warning: no Audit level: none Quality of protection: none Time of day access: sun. Otherwise. enter the following command: 104 Administration Guide .deny To show these modifications. tue. For example. For example to enable the warning mode and set the audit level to permit and deny for the poptest1 POP. For example. For example. Protected object policy management 105 . complete the following steps: 1. Click the Extended Attributes tab to view all extended attributes. All the POPs for the domain are listed as links. Use Web Portal Manager to log in to the domain as a domain administrator. mon. Web Portal Manager To view a POP. sat: anytime:local IP Endpoint Authentication Method Policy Any Other Network 0 For more information. 5. Click the Attach tab to view the protected object attachments. Click the link for the POP. tue. Click POP → List POP to display the Manage POPs page. Web Portal Manager To view a list of all POPs. Listing POPs You can list all POPs using Web Portal Manager or the pdadmin utility. to list all POPs. 4. pdadmin To view a POP using the pdadmin utility. 2. wed. 3. thu. fri. enter the following command: pdadmin sec_master> pop list For more information. Click POP → List POP to display the Manage POPs page. On the General tab. 2. see the IBM Tivoli Access Manager for e-business: Command Reference. Click the IP Auth tab to view the IP authentication. Chapter 9. see the IBM Tivoli Access Manager for e-business: Command Reference. log in to the domain as a domain administrator and use the pop list command. select poptest1 to display the POP Properties page. pdadmin To list all POPs in the domain using the pdadmin utility. change the description from Test POP to Test 1 for POP.pdadmin sec_master> pop show poptest1 Protected object policy: poptest1 Description: Test 1 for POP Warning: yes Audit level: permit. complete the following steps: 1. Viewing a POP You can view a POP using Web Portal Manager or the pdadmin utility. deny Quality of protection: none Time of day access: sun. 6. For example. as needed. change the information pertaining to the POP. log in to the domain as a domain administrator and use the pop show commands. and then click Apply. 7. Use Web Portal Manager to log in to the domain as a domain administrator. in the POP Name text field. 2. 7. enter the following command: pdadmin sec_master> pop show poptest1 Protected object policy: poptest1 Description: Test 1 for POP Warning: no Audit level: none Quality of protection: none Time of day access: sun. Optional: In the Description text field. Click POP → List POP. If the file containing the POP was encrypted when it was exported. 6. 5. 4. 2. From the POP Properties page. From the Manage POPs page. 4.For example. wed. 5. a link for this cloned POP is created and a success message is displayed. From the Clone POP page. complete one of the following steps: v In the POP File Name field. If successful. Click POP → Import POP. Use Web Portal Manager to log in to the domain as a domain administrator. The default value is the description of the original POP. thu. click Clone. This field is required. type Test-POP. For example. type the description of the POP. Cloning a POP You can clone a POP using the Web Portal Manager only. 3. type popImport. see the IBM Tivoli Access Manager for e-business: Command Reference. select the POP you want to clone. tue. To import a POP in the domain. the imported POP is available when you list all the POPs. The default value is the name of the original POP with the prefix Clone. Use Web Portal Manager to log in to the domain as a domain administrator. Click Import. From the Import POP page.xml. in the Encryption String text field. complete the following steps: 1. If successful. To clone a POP in the domain. type the name of the POP. Importing POPs You can import a POP by using Web Portal Manager only. type the name of the POP to import. Click Clone. to show the modifications to the POP name poptest1. complete the following steps: 1. sat: anytime:local IP Endpoint Authentication Method Policy Any Other Network 0 For more information. type Clone of new POP. fri. For example. 3. mon. 106 Administration Guide . For example. type the string that was used to encrypt the XML file. v Click Browse to select a file name. select the POP that you want to export. complete the following steps: 1. type the string again. Click Save to create the file that contains the exported POP description. in the Confirm Encryption String text field. 2. Exporting multiple POPs You can export POPs using Web Portal Manager only. 6. 4. the exported file is in plain text. 7. 5. If successful. Click Save to display the Save As window. type the string again. From the Manage POPs page. complete the following steps: 1. the exported POP description is available in the specified location. To export a single POP in the domain. type the string to use to encrypt the XML file. 6.xml. select the POPs that you want to export. type the string to use to encrypt the XML file. From the Manage POPs page. the exported file is in plain text. If not specified. The default file name is popExport. Use Web Portal Manager to log in to the domain as a domain administrator. 7. When an encryption string is provided. Click Export to display the Export POP to File page. If not specified. 5. Click POP → List POP. Click Export to display the File Download window. 6. 2. 3. the exported file is in plain text. If successful. in the Confirm Encryption String text field. If not specified. Optional: In the Encryption String text field. Protected object policy management 107 . in the Confirm Encryption String text field. Click Export to display the File Download window. Export a single POP You can export a single POP using Web Portal Manager only. Use Web Portal Manager to log in to the domain as a domain administrator. complete the following steps: 1. Chapter 9. the new XML file is available in the specified location. 9. Use Web Portal Manager to log in to the domain as a domain administrator. Click Save to create the file that contains the exported POP description. When an encryption string is provided.Exporting all POPs You can export all POPs using Web Portal Manager only. type the string to use to encrypt the XML file. 7. 4. From the POP Properties page. 3. 2. Click Export to display the File Download window. 3. Optional: In the Encryption String text field. Click POP → Export All POPs to display the Export POP to File page. Optional: In the Encryption String text field. Click Save to display the Save As window. click Export to display the Export POP to File page. 8.xml. The default file name is popExport. When an encryption string is provided. To export all POPs in the domain. Click Save to display the Save As window. 4. Click POP → List POP. 5. type the string again. To export POPs in the domain from a list. 8. Select one or more check boxes for the protected objects from which you want to detach the POP. click the Attach tab. Click Object Space → Browse to display the Browse Object Space page. Click the link for the POP. type /WebSEAL/serverA/index. Web Portal Manager To 1. From the POP Properties page. Attaching a POP to an object You can attach a POP to an object using Web Portal Manager or the pdadmin utility. pdadmin To attach a POP to a protected object in the domain by using the pdadmin utility. If successful. Type the Protected Object Path for the protected object to which to attach the POP. 4. To perform this task.html enter the following command: pdadmin sec_master> pop attach /WebSEAL/serverA/index. For example. to attach a POP named poptest1 to a protected object named /WebSEAL/serverA/index. 5.9. 108 Administration Guide . Click Attach. Click Attach to display the Attach POP page. see the IBM Tivoli Access Manager for e-business: Command Reference. the administrator requires the attach (a) permission. 6. The default file name is popExport. 2. From the POP Properties page. Click Save to create the file that contains the exported POP descriptions. detach a POP from a protected object. 2. Click the link for the POP.html.xml. To perform this task. attach a POP to an object. 7. the administrator requires the attach (a) permissions. complete the following steps: Use Web Portal Manager to log in to the domain as a domain administrator. log in to the domain as a domain administrator and use the pop attach command. Click POP → List POP to display the Manage POPs page. Detaching a POP from an object You can detach a POP from a protected object using Web Portal Manager or the pdadmin utility. the new XML file is available in the specified location. If successful. Express the path as the full path name.html poptest1 For more information. Web Portal Manager To 1. the protected object is added to the list at the POP Properties–Attach page. For example. complete the following steps: Use Web Portal Manager to log in to the domain as a domain administrator. click the Attach tab. 3. 3. 5. 4. Deleting a POP You can delete a POP using Web Portal Manager or the pdadmin utility. 2. Click ACL → List POP. Web Portal Manager To locate where a POP is attached. pdadmin To detach a POP from a protected resource in the domain by using the pdadmin utility. For example. Locating where a POP is attached You can locate where a POP is attached using Web Portal Manager or the pdadmin utility. Select one or more check boxes for the POPs that you want to delete. log in to the domain as a domain administrator and use the pop find command. see the IBM Tivoli Access Manager for e-business: Command Reference. 3.html For more information. pdadmin To delete a POP in the domain using the pdadmin utility. Protected object policy management 109 . Use Web Portal Manager to log in to the domain as a domain administrator. to find where the POP named poptest1 is attached.6. Click POP → List POP to display the Manage POPs page. complete the following steps: 1. 4. Click the Attach tab. enter the following command: pdadmin sec_master> pop find poptest1 /WebSEAL/serverA/index. Click Delete to confirm the deletion. see the IBM Tivoli Access Manager for e-business: Command Reference.html For more information. 3. Click Delete to display the Delete Pop page. enter the following command: pdadmin sec_master> pop detach /WebSEAL/serverA/index.html. Use Web Portal Manager to log in to the domain as a domain administrator. Click Detach to display the Detach POP from Object page. 2. For example. log in to the domain as a domain administrator and use the pop detach commands. log in to the domain as a domain administrator and use the pop delete command. Web Portal Manager To delete a POP. complete the following steps: 1. 5. to detach the POP from the protected object named /WebSEAL/serverA/index. where you are prompted to confirm or cancel the detachment. Chapter 9. pdadmin To locate where a POP is attached in the domain using the pdadmin utility. A list of POP names is displayed. Each POP name is a link that you can click to display the POP properties page. Verify whether a rule is attached to the object. see the IBM Tivoli Access Manager for e-business: Command Reference.For example. the server must be IPv6. You cannot provide an IPv6 address to an IPv4 server. then verify that all the access decision information (ADI) is present for the coming rule evaluation. 4. v For C APIs. If an external authorization service (EAS) operation or POP trigger applies to this access decision. you can apply requisite step-up configuration. 3. This permission must be used only by a high-level administrator who needs full access to the protected object space. then invoke the EAS that applies. When an environment contains both IP version 4 (IPv4) and IP version 6 (IPv6) address formats. This authorization policy uses the IP endpoint authentication method policy POP attribute. then find it by querying one of the available sources. IPv4 clients must provide addresses in IPv4 format even with IPv6 servers. pop modify set ipauth). Check the IP endpoint authentication method policy on the POP. Network-based authorization algorithm The authorization server uses the following algorithm to process the conditions in a POP: 1. to delete the POP named poptest2. enter the following command: pdadmin sec_master> pop delete poptest2 For more information. You can use this functionality to prevent specific IP addresses or IP address ranges from accessing any resources in your domain. IPv4 clients can provide addresses in IPv4 or IPv6 format to IPv6 servers. be aware of the following restrictions: v For administration commands (for example. 2. Check the time-of-day policy on the POP. Check ACL permissions. 110 Administration Guide . If it is not. both IPv4 and IPv6 clients must provide addresses in IPv4 format to IPv4 servers. For an IPv6 address to be accepted (commands. C APIs. IPv6 clients can provide addresses in IPv4 or IPv6 format to IPv6 servers. 7. Note: The ACL policy bypass (B) permission overrides POP authorization conditions on an object. v For C APIs. Check the audit level policy on the POP. v For Java methods. Network-based authorization policy The network-based authorization policy allows you to control access to objects based on the IP address of the user. IPv4 clients must provide addresses in IPv4 format even with IPv6 servers. 5. Check the authorization rule policy if a rule is attached to the object. and Java methods). When setting an authorization policy. v For Java methods. 6. For example: pdadmin sec_master> pop modify poptest1 set warning yes For more information about the pop commands. For more information about authentication levels. ensure that those network clients are connecting directly to the resource manager. if auditing is set to record unsuccessful events. For example. Setting a warning mode The pop modify set warning command defines the warning mode attribute to allow a security administrator to debug or troubleshoot the accuracy of the authorization policy set on the protected object space. the address that appears to the resource manager might be the IP address of the policy proxy server. Note: The IP address used by the resource manager for enforcing the network-based authorization policy must be the IP address of the originator of the connection. specify the two parts for the attribute: v Step-up authentication v Allowed networks You can also apply step-up authentication configuration to this policy and require a specific authentication method for each specified IP address range. Any access to an object is permitted even if the security policy that is attached to the object is set to deny this access.The network-based authorization policy is set in the IP endpoint authentication method attribute of a POP. When you define a network-based authentication policy. the administrator can determine if the policy is set and enforced correctly. Chapter 9. If your network topology uses proxies. see IBM Tivoli Access Manager for e-business: Command Reference. The audit log shows the outcome of an authorization decision as if the warning attribute was set to no. When you set the warning mode attribute to yes. Audit records are generated that capture the results of all security policies with warning mode set throughout the object space. Protected object policy management 111 . Configuring POP attributes POP attributes impose access conditions on an object based on the time of the access and to indicate whether the access request must be audited. Therefore. Setting an audit level The pop modify set audit-level command specifies the granularity level of auditing for a POP. In this case. When setting a network-based authorization policy that depends on specific client IP addresses. see “Step-up authentication” on page 114. the resource manager cannot definitively identify the true IP address of the client. you can use the results to detect an unusual number of failed access attempts on a particular resource. any action is possible by any user on the object where the POP is attached. You can apply any combination of these values or specify either all to audit all requests or none to audit no requests. thu. For example: pdadmin sec_master> pop modify pop_name set audit-level permit. For more information about the pop commands. sat. 112 Administration Guide . wed.deny Table 4. pdadmin sec_master> pop modify pop_name set tod-access time_of_day_string The time-of-day-string argument includes a day-range and a time-range and uses the following format: {anyday|weekday|day_list}: {anytime|time_spec-time_spec} [:{utc|local}] The day_list variable can be any combination of the following values: mon. Audit levels Value permit deny error Description Audit all requests on a protected object that result in successful access. specify one or more of the following values: v permit v deny v error When you specify multiple granular values. see IBM Tivoli Access Manager for e-business: Command Reference. sun The time_spec range variable must be expressed (using 24 hour time) in the following format: hhmm-hhmm For example.Auditing records are written in a standard Extensible Markup Language (XML) format that allows easy parsing to extract whatever information is required. use a comma as a separator character between these values. When enabling granular auditing. you can specify the time range using the following string: 0700-1945 The optional time zone [:{utc|local}] for the server (not the client) is local by default. This type of condition might be useful to limit access to information that regularly requires periods of inactivity for modification and updates. Audit all internally generated error messages resulting from a denial of access to the protected object. fri. Setting a time-of-day restriction The pop modify set tod-access command defines the time-of-day (TOD) attribute that allows you to place specific day and time conditions on the access to a protected object. Audit all requests on a protected object that result in denial of access. tue. local time for the POP named poptest1.tue. The enforcement of step-up authentication is the responsibility of resource managers. due to limitations in the operating system functions provided to Tivoli Access Manager.For example to change the time-of-day attribute to Monday. mon. The anyothernw entry appears in a POP as Any Other Network in the output of the pop show command: pdadmin sec_master> pop show poptest1 Protected object policy: poptest1 Description: Test POP Warning: no Audit level: none Quality of protection: none Time of day access: sun. tue. For more information about step-up authentication.m. see the IBM Tivoli Access Manager for e-business: Command Reference. A forbidden authentication level indicates that authentication is denied. Authentication level 0 adds no additional requirement for authentication. sat: anytime:local IP Endpoint Authentication Method Policy Any Other Network 0 For more information about setting the IP authentication mechanism using the pop modify command. IPv4 addresses must be specified in IPv4 format. to 5:30 p. The network (or network range) can be an IP version 4 (IPv4) or an IP version 6 (IPv6) address. Note: When adding addresses to a POP. Protected object policy management 113 . Specifying an authentication greater than 0 provides the ability to step-up a user to an authentication level. Specifying an authentication level of 0 indicates that authentication is allowed. fri. and Friday from 1:15 p. Note: When adding addresses to a POP. thu. IPv4 addresses must be specified in IPv4 format.m. see IBM Tivoli Access Manager for e-business: Command Reference. The anyothernw entry applies to all networks not specified in the POP. specify network (or network range) with an authentication level as a number or as forbidden. Adding IP entries To add IP entries to a POP. Tuesday. see “Step-up authentication” on page 114.fri:1315-1730 For more information about the pop modify commands. Chapter 9. wed. All POPs have an anyothernw (any other network) IP entry whose default authentication level is 0. due to limitations in the operating system functions provided to Tivoli Access Manager. enter the following command: pdadmin sec_master> pop modify poptest1 set tod-access mon. Specifying IP addresses and ranges The pop modify set ipauth command allows the specification of a network (or network range) and the required authentication level in the POP. The following example adds an IP entry for identities from IPv4 addresses that begin with 9. The anyothernw authentication level can be modified to a non-zero number or to forbidden. 0. to ensure that users accessing more sensitive resources use a stronger authentication mechanism.0 255.0.0. see the IBM Tivoli Access Manager for e-business: Command Reference. Setting a Quality of Protection level The Quality of Protection POP attribute allows you to specify what level of data protection is required when performing an operation on an object.0.0.pdadmin sec_master> pop modify poptest1 set ipauth add 9.0. the request is denied. You might want this condition because of the greater threat of improper access to certain resources. If the resource manager cannot guarantee the required level of protection. You can use this functionality. The Quality of Protection POP attribute permits a single transaction where the yes response to the ACL decision also includes the required Quality of Protection level. For more information about removing IP entries from a POP using the pop modify command.0. see the IBM Tivoli Access Manager for e-business: Command Reference. 114 Administration Guide . sometimes known as step-up authentication. Use the following pop modify command syntax to modify the QoP level for an object: pdadmin sec_master> pop modify pop-name set qop {none|integrity|privacy} QoP level privacy integrity Description Data encryption is required for Secure Sockets Layer (SSL). to modify the POP named poptest1 to set the Quality of Protection level to use SSL data encryption. Use some mechanism to ensure that the data has not changed. enter the following command: pdadmin sec_master> pop modify poptest1 set qop privacy Step-up authentication You can use protected object policies (POPs) to enforce certain access conditions on specific resources.0.0 5 The following example adds an entry for an IPv6 network range: pdadmin sec_master> pop modify poptest1 set ipauth add \ fedc:ba98:7654:3210:fedc:ba98:7654:3210 ffff:ffff:ffff:ffff:ffff:ffff:ffff:0 6 The following example prevents all users (except users specified like in the examples above) from accessing the object: pdadmin sec_master> pop modify poptest1 set ipauth anyothernw forbidden For more information about adding IP entries to a POP using the pop modify command. For example.0 Only network entries that were previously added can be removed.0 255. Deleting IP entries The following example deletes an IPv4 entry from the poptest1 POP: pdadmin sec_master> pop modify poptest1 set ipauth remove 9. The authentication strength policy makes it possible to control access to objects based on authentication method. and Chapter 9. the access decision is still permitted by the authorization engine but the resource manager is presented with a required authentication level as an output of the authorization decision. Note: When specifying an IPv4 address it must be in IPv4 format. in one environment. The pop modify set ipauth command specifies both the allowed networks and the required authentication level in the IP endpoint authentication method attribute. Configuring levels for step-up authentication The first step in configuring authentication-specific access is to configure the supported authentication methods and determine the order in which these authentication methods must be considered stronger.. Rather than forcing clients to restart their sessions with the resource manager when they do not meet the required level of authentication. Any client accessing a resource manager has an authentication level. The resource manager can then decide how to further authenticate the user to gain the required level of authentication needed for the user to access the protected object. Protected object policy management 115 . For all cases. it might be necessary to enforce minimum safe levels of authentication required to access certain resources. you can set a single entry for anyothernw (any other network).x) from that point forward. authentication by token pass code might be considered more secure than authentication by user name and password.For example. You use the IP endpoint authentication method attribute of a POP policy. the step-up authentication mechanism provides clients a second chance to authenticate using the required method of authentication (level). For example. which indicates the method with which the client was last authenticated by the resource manager. Another environment might require different standards. Step-up authentication allows resource managers to control how users access protected resources. the absolute minimum acceptable method of authentication must be set as level 0 with more secure methods being mapped to integral numbers in ascending order (1. such as “unauthenticated” or “password”. If filtering users by IP address is not important. Applying step-up authentication policy Step-up authentication is implemented through a POP policy placed on the objects requiring authentication-sensitive authorization. The authentication strength policy is set in the IP endpoint authentication method attribute of a POP policy. you can provide greater security to a junctioned region of the protected object space by applying a step-up POP policy that requires a stronger level of authentication than the client used when initially entering the domain. This method is intended to provide management flexibility. This setting affects all accessing users. The configured authentication levels can be linked to IP address ranges. How a particular authentication method is mapped to an authentication level is determined by the resource manager application. regardless of IP address. In some situations. If step-up authentication is required because the user has not authenticated with the sufficient method. The following output shows a sample for the poptest1 POP: pdadmin sec_master> pop show poptest1 Protected object policy: poptest1 Description: Test POP Warning: no Audit level: none Quality of protection: none Time of day access: sun. 116 Administration Guide . the /WebSEAL/hostA/junction object is protected by a POP requiring authentication level 1. For example.requires the users to authenticate at the specified level. anyothernw appears in a POP with an authentication level index of 0. the access control on a protected resource can require the user to authenticate with both user name and password (level 1) and also require the user to authenticate with user name and token passcode (level 2). Step-up authentication does not force the user to authenticate using multiple levels of authentication to access any given resource. This method can be used to create a default entry that could either deny all unmatched IP addresses or allow anyone access who can meet the authentication level requirement. Distinguishing step-up from multi-factor authentication Tivoli Access Manager step-up authentication and multi-factor authentication are two different mechanisms for controlling access to resources. The entry appears as Any Other Network in the output of the pop show command. fri. Tivoli Access Manager provides only step-up authentication functionality. wed. The anyothernw entry is used as a network range that matches any network not otherwise specified in the POP. and the /WebSEAL/hostA/junction/ applicationA object is protected by a POP requiring authentication level 2. see the IBM Tivoli Access Manager for e-business: Command Reference. mon. tue. Multi-factor authentication forces a user to authenticate using two or more levels of authentication. Tivoli Access Manager step-up authentication relies on a pre-configured hierarchy of authentication levels and enforces a specific level of authentication according to the policy set on a resource. sat: anytime:local IP Endpoint Authentication Method Policy Any Other Network 0 For more information about the pop modify set ipauth command. step-up authentication requires the user to authenticate at a level at least as high as the level required by the policy protecting the resource. Instead. thu. This method is the most common method for implementing step-up authentication. By default. The following example shows the series of commands that are needed to define step-up authentication: pdadmin > pop create test1 pdadmin > pop modify test1 set ipauth anyothernw 1 pdadmin > pop attach /WebSEAL/hostA/junction test1 pdadmin > pop create test2 pdadmin > pop modify test2 set ipauth anyothernw 2 pdadmin > pop attach /WebSEAL/hostA/junction/applicationA test2 In the previous example. Chapter 9. If the user is currently logged in with a user name and password. Protected object policy management 117 . access to applicationA is immediate (assuming a successful ACL check). However. a prompt appears requesting user name and token passcode information (the step-up). Multi-factor authentication requires both level 1 and level 2 authentication for access to applicationA. if the user initially logged in to WebSEAL using a user name and a token passcode. user name/token passcode (level 2) authentication is required to access /WebSEAL/hostA/junction/applicationA.Under step-up authentication. However. user name/password (level 1) authentication is required to access /WebSEAL/hostA/junction. 118 Administration Guide . authorization policy by using attributes within the business environment or attributes from trusted external sources. 1999. from the resource manager application. or from the encompassing business environment. structured data by examining the values in that data. and making informed access decisions. form the basis of all ADI that can be referenced in a rule or presented to the authorization engine. 2010 119 . Authorization rules are conditions contained in an authorization policy that are used to make access decisions based on attributes such as user. Authorization API attributes. Access decision information The data and attributes that are used in rule conditions collectively are called access decision information (ADI). The language of an authorization rule allows customers to work with complex.Chapter 10. application. Authorization rules management This chapter provides information about Tivoli Access Manager authorization rules. Sources for retrieving ADI The authorization engine can gather ADI from the following sources: v User credential entitlements v Application context information passed in by the Tivoli Access Manager resource manager © Copyright IBM Corp. The rule is stored as a text rule within a rule policy object and is attached to a protected object in the same way and with similar constraints as ACLs and POPs. and environment context. Rules can also be used to implement extensible. A rule is created using a number of Boolean conditions that are based on data supplied to the authorization engine within the user credential. which are name and value pairs. This chapter contains the following sections: v “Authorization rules overview” v “Access decision information” v “Authorization rule language” on page 122 v “Authorization rules evaluator” on page 128 v “Examples of authorization rules” on page 131 v “Methods of providing ADI to the rules evaluator” on page 133 v “Reason codes for rule failures” on page 135 v “Configuration file and initialization attributes” on page 135 v “Managing authorization rules” on page 137 Authorization rules overview Authorization rules are defined to specify conditions that must be met before access to a protected object is permitted. attribute-based. A Tivoli Access Manager authorization rule is a policy type like an access control list (ACL) or a protected object policy (POP). This information can be defined statically within the system or can be defined during a business process. attributes such as the user name. the authorization decision is returned with an error status. Authorization engine context information Authorization engine context information is provided automatically by the authorization engine. For more information about defining entitlement services. All credential attribute names begin with azn_cred_ (for example. You can configure entitlement services to run during credential acquisition. such as the user name (or the principal UUID) and the groups (or the group UUID) of which the user is a member. you can define your own entitlement services. Tivoli Access Manager provides a credential attributes entitlement service that retrieves entitlements data from the user registry.v Tivoli Access Manager authorization engine context v Dynamic ADI retrieval entitlement services User credential entitlements Additional entitlements data can be inserted as attribute name-value pairs into the client credential by a Tivoli Access Manager authorization client during the user authentication process or at any time during the process of the transaction. azn_cred_principal_uuid). except attributes related to a the identity of a user. collect entitlements data. the authorization engine requires all ADI to be present before a rule can be evaluated. For example. Context information includes information that is not an entitlement but is specific to the current transaction or operation. The built-in credential attributes include items of information. There are also attributes that are built into the Tivoli Access Manager user credential when it is created by the authorization engine. If the ADI is not available. The ADI provided by the authorization engine includes the name of the protected 120 Administration Guide . Any attribute added to the user credential can be used as ADI in a rule definition. as well as the LDAP DN for LDAP configurations are not available in an unauthenticated credential. refer to IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference. Or. See the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference for a table of valid credential attribute names. such as purchase price or transfer amount. Many attributes in this table are also available in an unauthenticated user credential. For example. This table lists attribute names available within the Tivoli Access Manager authenticated user credential. and group UUID. if required. Tivoli Access Manager WebSEAL also uses this mechanism to pass the values of certain HTML tags and HTML request data (from a get or post request) into the access decision for use in a rule evaluation. the built-in credential attributes can be used in authorization rules. their value. When developing rules that use these particular attributes. and then append the data to the credential. group name. before the authorization rule is evaluated. This requirement can be achieved using an ACL entry on the object that requires authenticated access. An example is a transaction amount. This information is passed to the decision through the app_context attribute list of the azn_decision_access_allowed_ext() call. principal UUID. Just like attributes that can be added to the credential by the resource manager. and a description. Tivoli Access Manager can be configured to gather entitlements at the time that a user is authenticated. Application context information Authorization rules might require application context information to complete an evaluation. Requiring the user to authenticate before accessing the protected object with such a rule attached ensures that the authenticated credential information is available. Authorization rules management 121 . and AMWebARS. These services can be developed to retrieve ADI from an enterprise database containing employee. refer to “Format and constraints of rules” on page 129. Volatile versus nonvolatile data In general. such as quotas. Application-specific data that is nonvolatile and not user-specific is provided by the resource manager application. and of the authorization APIs that are used to manipulate them. Calling both at the same time has the benefit of being able to retrieve volatile data. AMWebARS is the official package name for a Tivoli Access Manager J2EE Web service that implements a dynamic ADI retrieval service. at a time when its value is most current. their formats. The most important question is whether the data is volatile. See the IBM Tivoli Access Manager for e-business: Administration C API Developer Reference for an in-depth discussion of attribute lists. including the target protected object and permissions. partner. The set of data provided by the authorization engine. is it important to use the most up-to-date information when it does? Volatile data must be retrieved using a dynamic ADI retrieval service unless the resource manager application can provide this data. This class of authorization entitlement services is designed to retrieve ADI from an external source. or inventory information. if so. The Tivoli Access Manager Attribute Retrieval Service (AMWebARS) is an example of a service that can retrieve ADI from external sources. For more information about the constraints and format for ADI. The following attribute names are reserved for these data items: v azn_engine_target_resource v azn_engine_requested_actions Dynamic ADI retrieval entitlement services The final source for retrieving ADI is the dynamic ADI retrieval entitlements service. which is performed using SOAP over HTTP. Chapter 10. For example.object that is the target of the access decision and the string of operations that the requesting user wants to perform on the protected object. is fixed and cannot be changed. The dynamic ADI retrieval service is called to retrieve ADI when the access decision is being made. customer. To facilitate communication between the resource manager. which is invoking the rules engine. See the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference for more information about developing and using dynamic ADI retrieval entitlement services to fetch ADI when the rule is evaluated. the Access Manager runtime environment (pdrte package) provides an authorization entitlement service called azn_ent_amwebars. is it possible for the data to change during the lifetime of the session of the user and. Data that is nonvolatile and user-specific is loaded into the user credential when the user is authenticated and is kept with the credential for the lifetime of the user session. the source for any particular piece of ADI depends largely on what the data is. The model constrains the authorization rules to function within a predetermined XML document format with the same top-level XML document element for all rules. XSL possesses an inherent ability to analyze and evaluate XML data. the XPath to the data used in an authorization rule must include the prefix /XMLADI to access a particular data element within the model. see “Format and constraints of rules” on page 129. including the requirements that the output of the rule evaluation are simple text and that the output conforms to one of a known set of result strings. if an ADI item of JohnSmith is added to the document to access the fields of JohnSmith within the ADI XML document. Similarly to simplify the process of defining rules. For more information about the format and constraints of authorization rules. <XMLADI> <!-XML formatted ADI are inserted here. or from other data sources must be inserted into this XML document before authorization rules can use the data. XSL is a functional stylesheet language that can be used to perform simple tasks or complex tasks depending on your needs. which is becoming the standard for data representation in e-business models. The ADI XML model requires the XML document to contain the following top-level XML element into which all target ADI for a particular rule evaluation is inserted. 122 Administration Guide . </XMLADI> --> As a result of this restriction. The combination of XML and XSL provides a platform independent way to express both the inputs to the rules evaluator and the rules themselves. The XML ADI that is imported by the rules evaluator from credential attributes. ADI XML document model The ADI XML document model (or ADI XML model) is a set of restrictions placed on the XSL/XML model by the authorization rules implementation to enable the interface to be simple and yet functional for authorization purposes. the authorization rules must operate within the confines of the ADI XML model.Authorization rule language Extensible Style Language (XSL) is the language used to specify rules and Extensible Markup Language (XML) is the language used for the data that forms an input to the rules. it is necessary to impose a number of constraints on the XSL rules. The XMLADI element is created automatically as part of the rule evaluation process by the authorization engine. The ADI XML document model enables the authorization engine to detect when ADI is missing and when it needs to be requested from the resource manager or an external entity through the dynamic ADI retrieval service interface. This text format allows rules for processing the XML data to be written without having to cater to platform and programming language specifics. you have to specify the XPath /XMLADI/JohnSmith to access the data contained in the XML object JohnSmith. from application context. For example. It is also necessary to impose constraints on the XML input document that is built as input to the rule evaluation. XML also provides the ability to express complex data types in a structured and standard manner in text format. To implement rules-based authorization policy. which is the expression language at the core of an authorization rule. XSL is built on other XML-based standards such as XPath. you would use the following XPath: "/XMLADI/JohnSmith/CreditCard/Balance" XPaths like this example are the means by which authorization rules access the ADI data values that are needed to make attribute-based authorization decisions. Therefore. Much like a directory path on a hard disk drive is used to access a specific file. Returning to the example ADI item JohnSmith. For additional information. if two different data providers provide a data item called Chapter 10. an XPath designation starts from the root of the document (in this case /XMLADI) and traces a path from this root down through its child elements to the specific element that is being referenced.An XPath is the path to a particular child element within the hierarchy of a structured XML data object. the JohnSmith XML object defined in “XML entitlement example” on page 125 is an example of an ADI container. The default template match statement matches the ADI XML document from /XMLADI. the top-most element in the definition of an item of ADI is referred to as the container name of that item of ADI. Containers and XML ADI container names When data is requested from a resource manager. To access Balance under the CreditCard element of JohnSmith. see “Format and constraints of rules” on page 129. see “Format and constraints of rules” on page 129. the XPath specification must be prefixed with JohnSmith. All data elements are restricted to work within the ADI XML model. When defining an authorization rule. XSL template match statements are also restricted to matching XPaths starting from /XMLADI within the ADI XML document. This convention was adopted for the ADI XML model as well. Authorization rules management 123 . the JohnSmith XML object has a child element called CreditCard. you can assume there is a container received from the data provider named JohnSmith. The child elements of the CreditCard element are attributes which are common to most credit cards. which is XMLADI (for example. The container is normally also the smallest data element (for example. For example. JohnSmith/CreditCard/AcctNumber refers to the AcctNumber value. For example. the granularity of the XML data returned is at the level of a single container of information. So JohnSmith can be referred to either with a relative reference or with an absolute reference that is prefixed with /XMLADI. However. To access any element within the JohnSmith container. For example. the XPath to the XML definition of data in any ADI container must always be referenced using the name of the container as the first element /XMLADI in the XPath specification for the data element. this XPath must also be prefixed by the top-level element of the XML target ADI input document. using the example entitlement JohnSmith in the “XML entitlement example” on page 125 as a reference. Limitations of container names One restriction imposed by the ADI XML document model is that each item of ADI that can be consumed by the rules evaluator must have a unique container name that cannot be confused with containers provided by other entitlements data providers. elements that might be considered for billing purposes). So the authorization rules must also be restricted to operate on or match XPaths within the model. For example. To access this information from within an authorization rule. both of these XPaths are valid when used in an authorization rule due to the default template match statement that is added to all authorization rules that do not explicitly include one. To this end. /XMLADI/JohnSmith/CreditCard/AcctNumber). The ADI that is used in authorization rules is also defined and manipulated as containers of XML data. For additional information. TxInfo. the attribute name is used as the container name of the XML data item and the attribute value is converted into an XML value. XML access decision information By default. The namespace ID of the namespace can then be used to differentiate one ADI element from another. non-XML attribute values starting with a less than character cannot be used by the application and results in an error status that is returned from the authorization decision. TxInfo). if the engine encounters multiple instances of the same item of ADI (for example. and the Tivoli Access Manager authorization API attribute list interfaces do not permit the administrator to define rules that contain invalid XML container names. the data is not considered to be an XML data item and the evaluator attempts to convert the data item to XML format automatically. see “Defining an XML namespace” on page 126. On the contrary. For example. XML provides the ability to define namespaces for data. there is no way for the rules evaluator to know which provider it must make a request to in order to get this item of data. the command-line interface. For example. a particular application request might involve a number of individual transactions each with its own transaction amount. To help differentiate items of ADI with the same name. This means of identification is used only on attributes or application context identified as target ADI for the access decision. the XSL processor fails and returns an error to denote the failure. The evaluator identifies XML format data by locating the less than (<) character at the beginning of the attribute value. the authorization rules evaluator expects the data to be of type azn_string_t and expects the format of the string to be XML. For TxInfo. 124 Administration Guide . For more information about namespace definitions. there can be two items of ADI data with the same container name within the ADI XML input document. When transforming the attribute to XML. The graphical user interface. The container name of an item of ADI equates to the XML element name in the XML definition. If the attribute value does not begin with a less than character. This restriction on container naming among data providers is not enforced by the authorization engine. “Example: ADI from dynamic ADI retrieval services” on page 132 in the “Examples of authorization rules” on page 131 section in this chapter shows an example rule that sums multiple transaction elements in this way and even counts the number of instances of a particular ADI element. Therefore. we could define a namespace companyA and reference this instance of ADI with companyA:TxInfo. The assumption is then made that they are structured in the exact same way. In the ADI XML document. The attribute name must match the container name of the XML data item. the following XML data is generated for attribute name VPS_CREDIT_CARD with a string attribute value of 5517 3394 8324 0965: <VPS_CREDIT_CARD>5517 3394 8324 0965</VPS_CREDIT_CARD> The container name and XML element name in this case is VPS_CREDIT_CARD. An authorization rule can be formulated to add all these items together and compare the sum of the items to a predefined total transactions limit or to a per-transaction limit using an XSL node select statement. If the application passes entitlements or application context that have already been formatted as XML for an access decision. the rule evaluator automatically transforms into XML format any name/value pair attributes passed to it by the calling application that were identified as target access decision information (ADI) for the current evaluation. it adds them all to the ADI XML document for use in the evaluation. the evaluator does not evaluate the rule correctly. If the data is not correct XML. If the names do not match. the evaluator converts each attribute value as a separate instance of ADI. For more information about XML namespaces. Chapter 10. XML. If TxData is compared to a value. see “Defining an XML namespace” on page 126. you must add an attribute with the attribute name MY_CREDIT_CARD_NUM. Authorization rules management 125 . The AmountReqd container is translated to XML from an incoming string application context attribute. The attribute value of the container JohnSmith is defined in XML. <MY_CREDIT_CARD_NUM CardType="visa"> 5517 3394 8324 0965 </MY_CREDIT_CARD_NUM> The ability to add XML attributes to an element definition is useful when it comes to defining a namespace for the data item. or any combination). XML entitlement example The following example is an ADI XML document that might be passed to the XSL processor from the rules evaluator during the evaluation of an authorization rule. use the not() function instead. If the ADI attribute contains multiple attribute values (string. the CardType XML attribute has the value of "visa". the required XPath would be: /XMLADI/MY_CREDIT_CARD_NUM/CardType XML attributes must not be confused with the authorization API attributes and attribute lists that are used to carry data into and out of the authorization process. For example. the TxData attribute has values of 100 and 500. Node set comparisons have slightly different behavior than expected when using the != operator. The attribute value for MY_CREDIT_CARD_NUM is the following: <MY_CREDIT_CARD_NUM>5517 3394 8324 0965</MY_CREDIT_CARD_NUM> By defining the XML element as opposed to only defining its value. For information about when to use != and not() when comparing a node set. XML attributes can be added to the element definition without affecting the name by which the ADI is referred to when talking with data providers. XML attributes are defined in the element start tag of the element to which they apply.Data items that must be defined in XML must be entirely defined in XML and must not rely on the translation mechanism for non-XML items to generate the appropriate XML element name automatically. The container JohnSmith is an entitlement and the container AmountReqd is an item of transaction context. see “Example: ADI from dynamic ADI retrieval services” on page 132. For example. In the following definition of the XML item MY_CREDIT_CARD_NUM. To reference the attribute CardType. to define an attribute to contain the XML definition of MY_CREDIT_CARD_NUM. The evaluator inserts the following XML item declarations into the ADI XML document: <TxData>100</TxData> <TxData>500</TxData> The policy administrator can then design an authorization rule that uses XSL language node selection statements to work with these two values independently or to add the values and compare the sum total with some predefined limit. it is treated as a node set comparison where each TxData value is compared to the data in turn with success being indicated if any of the TxData values equal the target data. The document contains two containers: JohnSmith and AmountReqd. XML attributes are equivalent to any other first-level child element of the XML object. In most cases. a customer database and a product inventory database might both define ADI called name that could be used in authorization rules. The authorization application cannot start.00</AmountReqd> </XMLADI> When referencing a particular ADI item within the XMLADI document available to a rule. the Tivoli Access Manager authorization engine does not permit two namespace IDs to be assigned the same URI value. By defining an XML namespace with the namespace ID item. the ADI container names are JohnSmith and AmountReqd. Unlike the XML and XSL processors. they can do so. you can differentiate between the two instances of name by calling the ADI from the product database item:name. The source must be able to make the connection between the item:name requested by the authorization 126 Administration Guide . The source from which the item name is to be obtained must be aware of this relationship. This example provides a namespace definition for the item namespace: xmlns:item="http://mycompany/namespaces/items where xmlns is a standard XML attribute name and item is the namespace ID chosen for the namespace. This namespace declaration associates the namespace ID item with the URI string: http://mycompany/namespaces/items The value of the URI string is of no consequence to the XML and XSL processors but it must be unique. for example. The same principles can be used with ADI that is defined for use with authorization rules.00</Limit> <Balance>2000. The URI following the = is used to distinguish one namespace ID from another. For example. as the default template rule matches the /XMLADI element automatically. so this top-level element was added for clarity. Defining an XML namespace XML namespaces are used to differentiate between XML items with the same name or are used to group XML data of the same type or function. see “Format and constraints of rules” on page 129. If the callers want to specify their own template match statement explicitly. JohnSmith. and an error is logged to the error log of the application. The XML document that is passed to the evaluation routines by the authorization rules evaluator is as follows: <XMLADI> <JohnSmith> <CreditCard> <AcctNumber>0123456776543210</AcctNumber> <Limit>10000. In this example. For additional information. The Tivoli Access Manager authorization engine uses the URI to uniquely identify the namespaces. the XPath path specifier can begin from the container name of the XML element.The authorization rules evaluator automatically encompasses all the data under the XML top-level node declaration XMLADI when the ADI XML document is created.00</Balance> </CreditCard> <MileagePlus> <MemberStatus>100k</MemberStatus> <CardNumber>12345678</CardNumber> <MileagePlus> <JohnSmith> <AmountReqd>500. Defining two namespaces with the same URI results in an initialization error. engine and the name data stored in the product database. The [xmladi-attribute-definitions] stanza was added to the configuration file to allow customers to define namespaces globally for use within the XMLADI document. There are some drawbacks to defining the XML namespace within the XML definition of each ADI item rather than defining it globally for the entire XMLADI document. refer to “[xmladi-attribute-definitions]” on page 137. v Define it individually within those ADI items that use the prefix. The source must also be able to provide this data to the authorization engine in an attribute called item:name when it is needed. For instance.w3. The service needs to return the data to the authorization engine in an attribute called item:name. For information about how to add a namespace definition to the [xmladi-attribute-definitions] stanza. To define a namespace for the XSL processor. For example. any ADI items in the document whose names are prefixed with this namespace ID do not have to have the namespace definition added to their own element start tag.0’ encoding=’UTF-8’?> <xsl:stylesheet xmlns:xsl=’http://www.org/1999/XSL/Transform’ xmlns:item="http://mycompany/namespaces/items" version=’1. when it is asked for item:name. The second method of specifying an XML namespace definition to the XML processor is to add the definition to the XML value of the ADI element. to add the XML namespace definition to the item:name XML item with a string value of Widget A.0’> <xsl:output method = ’text’ omit-xml-declaration=’yes’ encoding=’UTF-8’ indent=’no’/> <xsl:template match=’text()’> </xsl:template> There are two ways to define a namespace prefix to the XML processor: v Define the namespace globally for the entire XMLADI document. For example. a dynamic ADI retrieval service must understand that. This method does not suffer any of the drawbacks of defining the namespace by using the second method. the value of any ADI items that use a namespace ID prefix must be in XML because the namespace definition can only be added to the XML definition of the value of the item. the namespace declaration must be included in the start tag for the XML element. When an application uses namespaces to differentiate or aggregate ADI items. it is required to define the namespace for both the XML and XSL processors. you would define item:name in XML as follows: <item:name xmlns:item="http://mycompany/namespaces/items"> Widget A </item:name> The ADI item:name must be added to an attribute list with the item:name attribute name and its value is the entire XML element definition in the example entered as a single contiguous text string. add the namespace definition to the xsl-stylesheet-prolog configuration file entry discussed in “input-adi-xml-prolog and xsl-stylesheet-prolog” on page 136. as Chapter 10. Adding the definition to the XMLADI document element start tag is easiest to do because it automatically defines the namespace for the entire document. Authorization rules management 127 . In both cases. it must fetch the required value by looking for name in the product database. Therefore. This is an example of how to add a namespace definition for the item namespace to the xsl-stylesheet-prolog entry: xsl-stylesheet-prolog = <?xml version=’1. The first and simplest method of defining a namespace for the XML processor is to add the namespace definition to the XMLADI document element start tag. all these complications can be avoided. As a result. or during rule evaluation if the XML processor has not been notified. it must be changed so that it does. The rules engine has no opinion. String identifiers returned by rules evaluation Delimiter !TRUE! !FALSE! !INDIFFERENT! Access is permitted. By defining the namespace globally. If a value other than the defined valid values or an empty document is returned. the maximum length of any result text that is returned by a rule evaluation is limited to 1023 characters. Meaning The identifiers must be the only text in the output document. If a namespace has not been defined for either the XML or XSL processors. When the service does not normally return XML formatted data and is not aware of namespace prefixes. The value of the item must be an XML fragment. such as the string <prefix:adi_name>100</prefix:adi_name>. items of ADI with namespace prefixes cannot simply have the value 100. This problem might occur during the creation of the rule if the XSL processor has not been notified of the new namespace. The format of an authorization rule is outlined in “Format and constraints of rules” on page 129. which translates to increased processing overhead for dynamic ADI retrieval services. Access is denied. These identifiers ensure uniqueness when an XSL rule is written incorrectly and the evaluation returns incorrect information. Rules returning more text than this limit causes the access decision to fail at runtime with a minor error code of ivacl_s_rule_result_string_too_large. Delimiting the identifiers with an exclamation point (!) enables the evaluator to identify errant cases. an error is logged to the application error logs to the effect that the namespace ID does not have an associated URI mapping.demonstrated for item:name in the example. any ADI source that can provide values for namespace prefixed ADI items would need to ensure that the appropriate namespace definitions for the item are added to each XML formatted value that it returns. The input XML document for the transformation contains a definition for how the authorization engine can retrieve one of the following sources for the ADI: v User credential entitlements that is requesting the authorization v Application context information that is passed in by the access decision call (passed in by the resource manager) v Tivoli Access Manager authorization engine context v Dynamic ADI retrieval entitlement services The authorization engine expects the rules evaluation to result in the return of one of the string identifiers as shown in Table 5. The authorization rules evaluator takes the rule policy that is attached to the target protected object and evaluates the rule by calling the XSL processor. although they can be surrounded by white space. 128 Administration Guide . the access decision fails and an error code is returned to the resource manager to indicate that the rule is not compliant. Table 5. In addition. Also. Authorization rules evaluator The authorization rules evaluator evaluates authorization rules within the constraints that are required by the authorization engine. The default template match statement of the ADI XML model matches from the top of the XMLADI document by specifying the XPath /XMLADI. For authorization decisions. All ADI that is passed to the rules evaluator must be specified in XML. no additional transformation is required to pass these entitlements into the rules evaluator as ADI. which is set to /XMLADI. as follows: if ((AmountReqd + Credit Card Balance) < Credit Card Limit && MileagePlus Status is "100k") The corresponding authorization rule is: <xsl:if test="(AmountReqd + JohnSmith/CreditCard/Balance) &lt.Format and constraints of rules An authorization rule must be defined as an XSL template in an XSL stylesheet using the stylesheet prolog that is specified in the configuration file. The following example references the XML data item that is defined in JohnSmith. see “Authorization rules evaluator” on page 128. the access decision fails and an error code is returned to the resource manager indicating that the rule is not compliant. are applied. Template match statements are an XSL language construct that is used to select the point in the hierarchy of an XML document at which the XSL rules. which are contained within the template match statement. The condition that the following example rule evaluates is expressed. the rule must return the expected decision data to the rules evaluator. The result of the XSL transformation performed by an XSL authorization rule must be a text output document that contains only one of the supported string identifiers. To add your own template match statement to a rule definition. Authorization rules management 129 . For example. Non-XML ADI that is passed to the access decision or retrieved from the credential is formatted into XML by the evaluator before an authorization rule can be evaluated. The rule must be written in a valid XSL template rule format and must return a text document that contains one of the following string identifiers: v !TRUE! v !FALSE! v !INDIFFERENT! The identifiers must be the only text in the output document but they can be surrounded by white space. only two additional lines are needed. The identifiers are not case-sensitive. thus. Many data providers return entitlements data in XML format. For more information about string identifiers. It does not include its own template match statement and it accepts the default template match statement. The data that is returned from the rules-driven entitlements interface must be able to be expressed as a text name-value attribute pair in the entitlements output parameter of the azn_entitlement_get_entitlements() method. If a value other than one of the identifiers listed or an empty document is returned. JohnSmith/CreditCard/Limit and JohnSmith/MileagePlus/MemberStatus = ’100k’"> !TRUE! </xsl:if> This example rule is the simplest form for specifying an authorization rule. to rewrite the example to include your Chapter 10. is from the current point in the tree.Required for XSLT language --> <?xml version="1.w3. For example. 130 Administration Guide . that prolog is imported into the empty stylesheet.Need this to ensure default text node printing is off --> <xsl:template match="text()"></xsl:template> v Among other things. which is supported by the embedded XSL processor. This acceptance allows the rule creator to specify the level within the ADI XML document at which the rule matches data items.own explicit template match statement that matches from the root of the XMLADI document.0. The <xsl:template match="/XMLADI"> statement tells the XSL processor that all relative XPaths within the bounds of the template statement must be assumed to be relative to the node XMLADI. used to access the XML data nodes and subnodes. The current point in the tree is selected by using the template match statement. the credit card balance could be referred to as CreditCard/Balance.org/1999/XSL/Transform" version="1. the rule is returned as invalid. the XPath to each node must include the XMLADI node. this prolog sets the XSL stylesheet syntax to version 1. which requires that all XSL language-specific identities be prefixed by xsl:. the following default prolog is used instead: <!-. you would modify the rule as follows: <xsl:template match="/XMLADI"> <xsl:if test="(AmountReqd + JohnSmith/CreditCard/Balance) &lt. The prolog sets the namespace for XSL documents to xsl. JohnSmith/CreditCard/Limit and JohnSmith/MileagePlus/MemberStatus = ’100k’) !TRUE! </xsl:if> </xsl:template> To reference any data item in the document. the results that are returned from the rules evaluator do not conform to the expected results. v All authorization rules must be enclosed in an xsl:template match statement. if not. the full path would be /XMLADI/JohnSmith/CreditCard/Balance. Most attributes in this prolog must be in the stylesheet or. the rule writer must understand what the correct XPath. If the rule is defined with its own xsl:template match statement.Required to constrain output of rule evaluation --> <xsl:output method="text" omit-xml-declaration="yes" encoding=’UTF=8’ indent="no"/> <!-. When a rule is built. If there is a match statement but the match statement does not begin with the /XMLADI absolute path. the template match statement could be set at /XMLADI/JohnSmith in which case. But in this case. Relative match statements are not accepted at this level.0"> <!-. If no prolog is specified.0" encoding=’UTF-8’?> <xsl:stylesheet xmlns:xsl="http://www. To shorten the XPaths even further. Policy administrators must also make the following assumptions about the XSL stylesheet document that is created by the rules evaluator to contain the rule that they devise: v If a stylesheet prolog is specified in the azn client configuration file. the rule is accepted as is. This prefix is the standard mode of operation for XSL stylesheets. to access the credit card balance. The template match statement allows an XSL programmer to shorten the XPath to each data element by specifying that the XPath processing occur further down the XML document tree. the match statement must be the first statement encountered by the evaluator when validating the rule or it is assumed that there is no template match statement. . The access decision logic defined by this rule is to permit access only when one of the following conditions is true: v The user is in the printUsers group v The user has requested a print operation (p) v The user has requested to queue a print job for printing later (q) and the print quota is less than 20 <xsl:if test=’azn_cred_groups = "cn=printUsers.20’> !TRUE! </xsl:if> The test condition for the group name returns an appropriate result regardless of the number of groups that the requesting user is in."p") or contains(azn_engine_requested_actions. The XPath expression for any ADI item must begin with the container name of the item and must be fully qualified.c=us" and (contains(azn_engine_requested_actions. because it is a node test. Examples of authorization rules Following are example rules that demonstrate how rules can be implemented. The first statement with conditions that are all true returns a result.v If no match statement is specified in the rule..Example choose rule --> <xsl:choose> <!-. Each condition tested has a comment that explains its action. <xsl:template> v Therefore."q")) and printQuota &lt. It is important to note that the syntax for determining the opposite case (for example. Authorization rules management 131 . See “Example: ADI from entitlement data” for an example of how to test for whether a set of values like the azn_cred_group_names attribute does not contain a certain member. The condition is an XSL node test that compares each value within the XML element azn_cred_groups with the DN string. v “Example: ADI from resource manager” v “Example: ADI from entitlement data” v “Example: ADI from dynamic ADI retrieval services” on page 132 Example: ADI from resource manager The following example relies mostly on ADI that is passed in to the access decision call but it also requires an ADI container called printQuota to be stored in the requesting user credential or passed in as application context. all rules devised without an explicit template match statement must use XPath expressions that assume the XML context node is /XMLADI. <!-. that the requesting user is not in the printUsers group) requires a slightly different expression.Explicitly allow if the requesting user is myuser0 --> Chapter 10. the rule works on data that is within the authorization credential. the rule is automatically enclosed in the following match statement: <xsl:template match="/XMLADI"> . Example: ADI from entitlement data In the following example.o=ibm. It evaluates the following attributes: v azn_cred_principal_name v azn_cred_groups v azn_cred_registry_id Each of the xsl:when statements are evaluated. the result of the node test is always !TRUE!. To test the nonexistence of something in a node-set. the following XML object could be used as input for making the authorization decision: <!-. For example.Explicitly deny if the requesting user is myuser1 --> <xsl:when test="azn_cred_principal_name = ’myuser1’"> !FALSE! </xsl:when> <!-.This rule permits access to any user who is a member of mygroup1 --> <!-. other than mygroup2. to be tested by the condition. Multi-valued attributes like azn_cred_groups return a set of values. Each node value in the set is tested against the condition individually and !TRUE! is returned if any of the conditions evaluate to true. where the user is in more than one group.but is not a member of mygroup2 --> <xsl:when test="azn_cred_groups = ’mygroup1’ and not (azn_cred_groups = ’mygroup2’)"> !TRUE! </xsl:when> <xsl:otherwise> !FALSE! <xsl:otherwise> </xsl:choose> The fourth xsl:when statement uses the not() function to negate the Boolean result of the following test: azn_cred_groups = ’mygroup2’ The not() function is used instead of the valid authorization rule operator != operator because. Example: ADI from dynamic ADI retrieval services The following example evaluates an application-defined XML input document that is provided by a dynamic entitlement service that was written using the dynamic ADI retrieval service. you can test that the condition group is mygroup2 is not true. in this case.is the same as that specified --> --> <xsl:when test="azn_cred_registry_id = ’cn=myuser3.<xsl:when test="azn_cred_principal_name = ’myuser0’"> !TRUE! </xsl:when> <!-. Each transaction consists of an item and the amount of those items to order. use the not() function instead of the != operator. the azn_cred_groups attribute is a multi-valued attribute.batched transaction --> <batch> <max_tx_count>5</max_tx_count> <max_tx_amount>150</max_tx_amount> <account>customerA</account> <transaction> <item>widgetA</item> 132 Administration Guide . The code that must be written might create a batch object that contains a list of operations that are to be performed together. With these assumptions. referred to as a node-set in XSL. The batch object consists of a number of transaction elements.secAuthority=Default’"> !TRUE! </xsl:when> <!-.Explicitly allow if the requesting user’s LDAP DN <!-. In any case. the user is not authorized to submit batch requests on behalf of customerA.= batch/max_tx_amount"> !TRUE! </xsl:if> The authorization rule checks that the requesting user is a member of a group whose name matches the name of the account in the transaction (in this example. The rule calls the count() and sum() functions. The count() function counts the number of instances of a transaction element within the batch. Alternatively.--> <xsl:if test="azn_cred_groups = batch/account and count (batch/transaction) &lt. Methods of providing ADI to the rules evaluator A resource manager application can provide ADI from the resource manager to the rules evaluator in one of the following ways: v Adding the attributes to the application context parameter v Configuring the rules evaluator to supply the missing ADI to the authorization engine only when it is explicitly requested The first method is to provide the ADI by adding the attributes to the application context parameter passed to the azn_decision_access_allowed_ext() method. Authorization rules management 133 . it is customerA). For additional information of creating authorization rules. The problem with this method is that the resource manager must either know which ADI is going to be needed by a particular access decision. you can provide all the ADI for all known rules to the authorization engine for every access decision call regardless of whether a rule is involved in the decision. the rule checks that the total number of transactions within the batch is less than or equal to the max_tx_count element of the batch object and that the total number of items ordered in the entire request is less than the max_tx_amount element of the batch object. Then. The sum() function totals the value of all the amount elements within all transaction elements in the batch. If the requesting user is not a member of this group. Chapter 10.<amount>10</amount> </transaction> <transaction> <item>widgetB</item> <amount>20</amount> </transaction> <transaction> <item>widgetC</item> <amount>30</amount> </transaction> <transaction> <item>widgetD</item> <amount>40</amount> </transaction> <transaction> <item>widgetE</item> <amount>50</amount> </transaction> </batch> With this expected XML object.= batch/max_tx_count and sum (batch/transaction/amount) &lt. you could create the following authorization rule: <!--Compare group to batch customer and num tranactions and total tx amounts to limits. see the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference. The unique prefix added to the attribute name is used to identify the ADI. ADI prefixes must be unique to identify them as resource manager ADI and to avoid conflict with ADI provided in the credential from the authorization engine or from an external data provider. are added to the returned permission information object. for a larger and more varied set of possible ADI. 134 Administration Guide . The authorization engine fails the access decision and notifies the resource manager of the ADI it needs in a permission information attribute returned by the azn_decision_access_allowed_ext() method. see the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference. The authorization engine attempts to anticipate the need to request information from the resource manager by obtaining the rule policy object on the protected object early in the access decision process. scans the list of ADI names in the attribute and gathers the requested data to try the access decision with this additional data again. which are missing from the application context and which are specific to the resource manager. For more information about the initialization attribute. You can configure the resource manager to supply the missing ADI to the authorization engine only when it is explicitly requested. the authorization engine can be configured with a set of ADI prefixes that can be provided by the resource manager upon request. All resource managers that provide data to the evaluation process in this manner must define a unique prefix by which their ADI data set can be identified. The ADI names. the name of this attribute must either be added to the azn_init_set_perminfo_attrs initialization attribute or the equivalent permission-info-returned entry in the [aznapi-configuration] stanza. see “resource-manager-provided-adi” on page 136. The attribute contains a list of the ADI that is needed to successfully evaluate the rule. The ADI was not found in the application context that was passed in and did not have a prefix matching those that the resource manager identified as its own. a second method is needed. If the requested data cannot be provided.The first method might be acceptable and even desirable for a smaller set of ADI. To activate the return of the azn_perminfo_rules_adi_request permission information attribute. Permission information is returned to a resource manager application only when the authorization client was configured that way. the resource manager must deny access and log the problem as a failure due to insufficient rules data. The permission information attribute is named azn_perminfo_rules_adi_request and contains a text attribute value for each item of ADI required. The requested list contains only the ADI items that are identified as being provided by the resource manager. However. The resource manager looks for this attribute when the access decision fails. The ADI prefixes that are recognized by the resource manager can be configured using the resource-manager-provided-adi entry or the azn_init_resource_mgr_provided_adi initialization attribute. With this method. and when it is present. The authorization engine then compares the required ADI in the rule with the ADI names in the application context parameter that is passed by the resource manager. For more information about the configuration entry. The only constraint on the value of the reason code is that the value must be a string. The resource manager does not need to check for the attribute on a successful access decision call. the application must check the permission_info attribute list returned from the access decision call to determine if a rule failure reason code was returned from the access decision. If the rule evaluation fails. The rule failure reason code is not returned if the rule failed due to a rule syntax error or if there was insufficient ADI to perform the rule evaluation. The Tivoli Access Manager for e-business application is an example of an aznAPI resource manager that can make use of the rule failure reason code. When configured. v The aznAPI application must be enabled to return the rule failure reason as permission information.Reason codes for rule failures When this mode of operation is selected. v There must be a reason code set in the attached rule policy object. The protected Web application must be mounted through a secure junction to have access to the reason code defined for the authorization rule. The use of rule failure reason codes in Tivoli Access Manager for e-business is limited to the protected object space of junctioned Web applications. For more information about permission information attributes and how to configure the authorization engine to return them. An example of this aznAPI. the authorization engine processes all policies for the access decision as normal. the authorization decision is failed with an error status. Configuration file and initialization attributes A number of configuration file entries and initialization attributes are available to control aspects of the initialization of the rules evaluator within the authorization engine. The attribute value (the reason code) of the azn_perminfo_reason_rule_failed attribute is a single string whose value is determined and defined by the policy administrator and is set in the rule policy object when it is first created. When access is denied. In the latter cases. Tivoli Access Manager for e-business forwards the reason code to the protected Web application. This feature allows the target application to fail or permit the access request based on the rule failure reason code it is given by the resource manager. The reason code is not returned when the rule evaluation succeeds. the engine returns access denied with a reason code in the azn_perminfo_reason_rule_failed permission information attribute list. Configuration files are also used by Tivoli Access Chapter 10. either the azn_init_set_perminfo_attrs initialization parameter or the equivalent configuration file entry in the [aznapi-configuration] stanza (stanza entry permission-info-returned) must include the attribute name azn_perminfo_reason_rule_failed. To perform this action. but not for every case in which access is denied.conf configuration file is provided in the example/authzn_demo/cpp directory of the Tivoli Access Manager Application Developer Kit (ADK) package. The following conditions must be met before a rule failure reason code is returned to the caller: v The reason code is returned only when the access request is denied and the rule policy evaluation denies access. Authorization rules management 135 . refer to the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference. This feature enables the attribute to be returned by the authorization engine in the permission information output parameter (perminfo) of azn_decision_access_allowed_ext(). The configuration entries are in the configuration file of the resource manager. This value is set in the rule policy using the admin API or the pdadmin utility. it returns the requested data to the authorization engine in the entitlements parameter. For more information about the authorization-rule-specific initialization attributes and the process of developing a custom resource manager aznAPI application. see the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference. Initialization attributes are the programmatic equivalent of configuration attributes and are intended to be used to develop a custom resource manager application. dynamic-adi-entitlement-services The dynamic-adi-entitlement-services configuration entry lists the service IDs of the dynamic ADI retrieval entitlement services that must be called by the authorization engine if ADI is missing from the requesting user credential or from the application context. Any entitlement service configured under this entry is called by the authorization engine using the azn_entitlement_get_entitlements() interface and is passed the azn_perminfo_rules_adi_request attribute. ADI items named sales_customer_name. Examples of entitlement services that can be used in this manner are the Cred Attributes Entitlement Service and the Entitlement Service Demo. The following examples demonstrate how to specify the service IDs of two different entitlement services for use as dynamic ADI entitlement services. such as Tivoli Access Manager for e-business. and these configuration entries can be added to the configuration file of these applications. dynamic-adi-entitlement-services = ent_cred_attrs_id dynamic-adi-entitlement-services = ent_svc_demo_id input-adi-xml-prolog and xsl-stylesheet-prolog The input-adi-xml-prolog and xsl-stylesheet-prolog configuration entries were defined to allow augmentation of the XML and XSL prolog statements that are 136 Administration Guide . sales_customer_address.Manager resource management applications. If the dynamic ADI retrieval service can fulfill the request. This entry uses a string prefix as its value. For more information about configuring and using entitlement services. The string values of this attribute are the container names of the ADI that are still required. resource-manager-provided-adi The resource-manager-provided-adi configuration stanza entry defines the prefixes that the authorization engine uses to determine the set of missing ADI that is provided by the resource manager. To specify that the authorization engine must call multiple dynamic ADI retrieval services. Refer to the documentation for the specific Tivoli Access Manager application for more information about the application configuration file. sales_item_count. both of which are provided with Tivoli Access Manager. To specify more than one prefix you must add multiple stanza entries as in the following examples: resource-manager-provided-adi = sales_customer_ resource-manager-provided-adi = sales_item_ These examples notify the authorization engine that any ADI it requires that begins with sales_customer_ or sales_item_ be provided by the resource manager application. and sales_item_price are examples of ADI that the authorization engine would request from the resource manager. see the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference. you must specify multiple entries. and cannot be gathered from the resource manager. The service IDs must correspond to valid entitlement service definitions in the [aznapi-entitlement-service] stanza. The benefit of adding definitions to the XMLADI document start tag is that the attribute definitions are available for all ADI items that are defined in the XMLADI document. [xmladi-attribute-definitions] The [xmladi-attribute-definitions] stanza enables customers to add XML attribute definitions. whether their values were retrieved from the credential.mycompany.) If any of these attributes are changed or omitted from the entry.Account Management Web Portal Server #1.w3.’> Both the namespace ID myNS and the attribute appID are defined globally in the XMLADI document. The namespace definition can be added to this stanza. such as XML namespace definitions. and the use of prolog statements before any attempt is made to change these entries from the defaults provided. For example: [xmladi-attribute-definitions] xmlns:myNS = "http://myURI. the Xerces XML processor. as discussed in “Defining an XML namespace” on page 126.mycompany. there are a number of prolog attributes that are required by the authorization engine (all of which are specified in the default prolog entries.com" appID = ’"Jupiter" .Account Management Web Portal Server #1. when an application wants to use namespaces to differentiate or aggregate ADI items. the authorization client fails to start and returns an error.0" encoding="UTF-8"?> and xsl-stylesheet-prolog=<?xml version="1. Note: Ensure that you are familiar with the Xalan XSL processor. Authorization rules management 137 .’ The XMLADI element start tag that results from these definitions is: <XMLADI xmlns:myNS="http://myURI.appended to the ADI XML document and authorization rule stylesheet before they are passed to the rules evaluator for processing.0" encoding=’UTF-8’?> <xsl:stylesheet xmlns:xsl=’http://www. and it is automatically added to the XMLADI document element start tag.0’> <xsl:output method = ’text’omit-xml-declaration=’yes’ encoding=’UTF-8’indent=’no’/> <xsl:template match=’text()’> </xsl:template> Due to the constraints imposed by the authorization rule model. generated by the authorization engine or retrieved by a dynamic ADI entitlement service. The format and defaults for each of these entries are: input-adi-xml-prolog=<?xml version="1. Managing authorization rules You can perform the following authorization rule tasks: v “Creating an authorization rule” on page 138 v “Modifying an authorization rule” on page 139 v “Listing authorization rules” on page 140 v “Cloning an authorization rule” on page 140 v “Importing authorization rules” on page 140 Chapter 10. For example.com" appID=’"Jupiter" .org/1999/XSL/Transform’ version=’1. the XML processor must be notified of the namespace by using an XML namespace definition. to the XMLADI document start tag. complete the following steps: 1. Note: Do not use the following characters in the name of a rule: ! " # & ( ) * + . Double quotation marks embedded within the rule text must be escaped with a backward slash (\) so that they are ignored by the pdadmin utility. 138 Administration Guide . click the question mark to open a separate help window for the current page. or both. : < > = @ \ | 4. type the text that you want to be returned to the resource manager if the rule denies access to a protected object. For example. type the following text: time-of-day rule for engineering object space 5. In the Fail Reason field. type error. When providing rule text with the pdadmin utility.v v v v v “Exporting all authorization rules” on page 141 “Exporting a single authorization rule” on page 141 “Exporting multiple authorization rules” on page 141 “Attaching an authorization rule to a protected object” on page 142 “Detaching an authorization rule” on page 143 v “Locating where an authorization rule is attached” on page 143 v “Deleting an authorization rule” on page 144 In the following sections. . type a description of the authorization rule. Click AuthzRule → Create AuthzRule to display the Create AuthzRule page. There are no equivalent pdadmin commands for importing. exporting. 3. 2. but they must always be paired appropriately. For example: pdadmin sec_master> authzrule create testrule1 "<xsl:if test=’some_piece_of_ADI =\"any string\"’>!TRUE!</xsl:if>" Creating an authorization rule You can create an authorization rule using Web Portal Manager or the pdadmin utility. In the Description field. type the following information: <xsl:template match="/XMLADI"> <xsl:if test="(AmountReqd +JohnSmith/CreditCard/Balance) <JohnSmith/CreditCard/Limit and JohnSmith?mileagePlus/MemberStatus=’100k’> !TRUE! </xsl:if> </xsl:template> 6. Web Portal Manager To create an authorization rule. instructions are provided for using either Web Portal Manager or the pdadmin utility. or cloning authorization rules. Use Web Portal Manager to log in to the domain as a domain administrator. Notes: 1. Type the AuthzRule Name for the authorization rule that you want to create (for example. For online help while using Web Portal Manager. 2. For example. In the AuthzRule Text field. For example. The XSL processor treats single and double quotation marks equally for defining text strings so they can be used interchangeably. r2). type the text of the rule policy. enclose the rule text in double quotation marks ("). Click the authorization rule link for the rule that you want to change. add a description. change the authorization rule description by typing the new description in the Description field (for example. If successful. enter the following command: pdadmin sec_master> authzrule modify r2 failreason warning For more information. 3. 2. Click Create. Each rule is a link that displays properties for that rule when selected. enter the following command on a single line: pdadmin sec_master> authzrule create r2 -rulefile engineering. As needed. Use Web Portal Manager to log in to the domain as a domain administrator. log in to the domain as a domain administrator and use the authzrule modify command. the new rule is displayed as a link on the Manage AuthzRules page. see the IBM Tivoli Access Manager for e-business: Command Reference. adding the words updated June 23 2003): updated June 23 2003 time-of-day rule for engineering object space 5. 4. to create a rule named r2 with a rule file named engineering. Click Apply for the changes to take effect. Modifying an authorization rule You can modify an authorization rule using Web Portal Manager or the pdadmin utility.xsl that implements the time-of-day rule for the engineering object space and returns a fail reason code of error. For example. log in to the domain as a domain administrator and use the authzrule create command. change the following information: v The description v The authorization rule text v The fail reason For example.7. If you select the authorization rule link. Chapter 10. The AuthzRule Properties page is displayed. see the IBM Tivoli Access Manager for e-business: Command Reference. complete the following steps: 1. pdadmin To modify an authorization rule in the domain using the pdadmin utility. A list of authorization rules that were created in Tivoli Access Manager are displayed. pdadmin To create an authorization rule using the pdadmin utility. the properties of that rule are displayed. If a description currently exists.xsl -desc "time-of-day rule for engineering object space" -failreason error For more information. Web Portal Manager To modify an authorization rule. to change the rule named r2 to return a fail reason code of warning. if no description currently exists. Authorization rules management 139 . Click AuthzRule → List AuthzRule to display the Manage AuthzRules page. For example. If successful. 3. see the IBM Tivoli Access Manager for e-business: Command Reference. pdadmin sec_master> authzrule list For more information. The default value is the name of the original authorization rule with the prefix Clone. 2. For example. Web Portal Manager To clone an authorization rule in the domain. For example.xml. v Click Browse to select a file name. type Clone of new authorization rule. Click AuthzRule → List AuthzRule to display the Manage AuthzRules page.Listing authorization rules You can list the authorization rules that were created using Web Portal Manager or the pdadmin utility. complete the following steps: 1. Click AuthzRule → Import AuthzRule. select the authorization rule you want to clone. 2. Importing authorization rules You can import an authorization rule by using Web Portal Manager only. Use Web Portal Manager to log in to the domain as a domain administrator. 3. Use Web Portal Manager to log in to the domain as a domain administrator. If you select an authorization rule link. 140 Administration Guide . This field is required. A list of names for authorization rules that were created in Tivoli Access Manager are displayed as links. 2. complete the following steps: 1. complete the following steps: 1. Cloning an authorization rule You can clone an authorization rule using Web Portal Manager only. 7. a link for this cloned authorization rule is created and a success message is displayed. Click Clone. type the name of the authorization rule to import. Click AuthzRule → List AuthzRule. log in to the domain as a domain administrator and use the authzrule list command. pdadmin To list authorization rules in the domain using the pdadmin utility. From the AuthzRule Properties page. Web Portal Manager To list all existing authorization rules. complete one of the following steps: v In the AuthzRule File Name field. Optional: Type a Description of the authorization rule. Web Portal Manager To import an authorization rule in the domain. type ruleImport. type Test-AuthzRule. Use Web Portal Manager to log in to the domain as a domain administrator. 5. 6. From the Manage AuthzRules page. the properties of that rule are displayed. From the Clone AuthzRule page. The default value is the description of the original authorization rule. click Clone. type an AuthzRule Name For example. From the Import AuthzRule page. 4. Exporting multiple authorization rules You can export multiple authorization rules using Web Portal Manager only. 3. If successful. the exported rule descriptions are available in the specified location. Click AuthzRule → List AuthzRule. the exported file is in plain text. If the file containing the authorization rule was encrypted when it was exported. 4. Click Save to create the file that contains the exported rule descriptions. The default file name is ruleExport. 4. From the AuthzRule Properties page.xml. type the string again. type the string to use to encrypt the XML file.xml. 8. type the string again. Click Import. If not specified. 9. the exported file is in plain text. Exporting a single authorization rule You can export a single authorization rule using Web Portal Manager only. in the Confirm Encryption String text field. From the Manage AuthzRules page. If not specified. Web Portal Manager To export all authorization rules in the domain. When an encryption string is provided. complete the following steps: 1. Click Save to create the file that contains the exported authorization rule description. The default file name is ruleExport. in the Confirm Encryption String text field. Click Save to display the Save As window. 2. If successful. Exporting all authorization rules You can export all authorization rules by using Web Portal Manager only. 6. Click Save to display the Save As window. in the Encryption String text field.4. Use Web Portal Manager to log in to the domain as a domain administrator. Web Portal Manager To export a single authorization rule in the domain. Use Web Portal Manager to log in to the domain as a domain administrator. 2. 5. 5. complete the following steps: 1. click Export to display the Export AuthzRule to File page. type the string to use to encrypt the XML file. 5. type the string that was used to encrypt the XML file. the exported rule description is available in the specified location. Click Export to display the File Download window. If successful. When an encryption string is provided. Optional: In the Encryption String text field. Click Export to display the File Download window. select the authorization rule that you want to export. 6. 7. the imported rule is available when you list all the rules. 3. Authorization rules management 141 . Chapter 10. Click AuthzRule → Export All AuthzRules to display the Export AuthzRule to File page. 7. Optional: In the Encryption String text field. The AuthzRule Properties page is displayed. 4. Click Save to create the file that contains the exported authorization rule descriptions. Click Export to display the Export AuthzRule to File page. enter the following command: pdadmin sec_master> authzrule attach /WebSEAL/tivoli.html. to attach a rule named r2 to a protected object named /WebSEAL/tivoli. 9. Click Export to display the File Download window. complete the following steps: 1. complete the following steps: Use Web Portal Manager to log in to the domain as a domain administrator. From the Manage AuthzRules page. Click Attach to display the Attach AuthzRule page. 5. When an encryption string is provided. 3. type the string again. the new protected object is added as a link to the list of objects to which the authorization rule is attached on the AuthzRule Properties–Attach page. 3. Click the link for the authorization rule that you want to attach to an object.html 7. log in to the domain as a domain administrator and use the authzrule attach command.com/w3junction/index. 4. 8. in the Confirm Encryption String text field. 6. type the string to use to encrypt the XML file.Web Portal Manager To 1. if any. This field is required. Click AuthzRule → List AuthzRule. 5. Attaching an authorization rule to a protected object You can attach an authorization rule to a protected object using Web Portal Manager or the pdadmin utility. For example. the r2 authorization rule. Each rule is a link that displays properties for that rule when selected. export authorization rules in the domain. Web Portal Manager To attach a rule to a protected object. pdadmin To attach an authorization rule to a protected object using the pdadmin utility. Optional: In the Encryption String text field. the exported file is in plain text. Type the Protected Object Path of the protected object to which you want to attach the authorization rule. 2. select the authorization rule that you want to export. type the following path: /WebSEAL/tivoli.com/w3junction/index. the new XML file is available in the specified location. 6. 2. Be sure to type the full path name. If successful. Click AuthzRule → List AuthzRule to display the Manage AuthzRules page.com/w3junction/index. For example. If successful.html r2 142 Administration Guide . Click Save to display the Save As window. A list of authorization rules that were created in Tivoli Access Manager are displayed.xml. The default file name is ruleExport. Use Web Portal Manager to log in to the domain as a domain administrator. Click the Attach tab to view a list of protected objects to which the authorization rule is already attached. For example. 7. Click Attach. If not specified. complete the following steps: 1. For example. Each rule is a link that displays properties for that rule when selected. to detach a rule from a protected object named /WebSEAL/tivoli. complete the following steps: 1. 2. Click AuthzRule → List AuthzRule to display the Manage AuthzRules page. A list of authorization names is displayed. 3. Web Portal Manager To find protected objects that are attached to a rule. see the IBM Tivoli Access Manager for e-business: Command Reference. 5. Select one or more check boxes for the protected objects from which you want to detach the authorization rule. Detaching an authorization rule You can detach an authorization rule from a protected object using Web Portal Manager or the pdadmin utility. log in to the domain as a domain administrator and use the authzrule detach command. 6. 2.html. Use Web Portal Manager to log in to the domain as a domain administrator. Locating where an authorization rule is attached You can find the protected objects that have an authorization rule attached using Web Portal Manager or the pdadmin utility. Click the Attach tab to view a list of protected objects to which the authorization rule is already attached. 3. see the IBM Tivoli Access Manager for e-business: Command Reference. Chapter 10. Click the Attach tab. pdadmin To detach a rule from a protected object in the domain using the pdadmin utility.html For more information.com/ w3junction/index.For more information. Click the link for the authorization rule that you want to detach from an object. 4. Authorization rules management 143 . Each authorization rule name is a link that you can click to display the AuthzRule Properties page.com/w3junction/index. The AuthzRule Properties page is displayed. enter the following command: pdadmin sec_master> authzrule detach /WebSEAL/tivoli. Click AuthzRule → List AuthzRule. Click Detach to display the Detach AuthzRule from Object page where you are prompted to confirm or cancel the request. pdadmin To find all the protected objects to which an authorization rule is attached in the domain using the pdadmin utility. A list of authorization rules that were created in Tivoli Access Manager are displayed. if any. Use Web Portal Manager to log in to the domain as a domain administrator. Web Portal Manager To detach a rule from a protected object. log in to the domain as a domain administrator and use the authzrule find command. 2. log in to the domain as a domain administrator and use the authzrule delete command. enter the following command: pdadmin sec_master> authzrule find r2 For more information.For example. Web Portal Manager To delete an authorization rule. Click Delete to display the Delete AuthzRules page where you are prompted to confirm or cancel the deletion. enter the following command: pdadmin sec_master> authzrule delete r2 For more information. Deleting an authorization rule You can delete an authorization rule using Web Portal Manager or the pdadmin utility. pdadmin To delete an authorization rule in the domain using the pdadmin utility. For example. A list of authorization rules that were created in Tivoli Access Manager are displayed. 144 Administration Guide . complete the following steps: 1. to delete a rule named r2. Each rule is a link that displays properties for that rule when selected. Click AuthzRule → List AuthzRule to display the Manage AuthzRules page. to find the protected objects attached to a rule named r2. see the IBM Tivoli Access Manager for e-business: Command Reference. 3. Use Web Portal Manager to log in to the domain as a domain administrator. see the IBM Tivoli Access Manager for e-business: Command Reference. For example. Select one or more check boxes for the links that you want to delete. 4. you might select the check box for the authorization rule named r2. For registry UIDs and GIDs. Groups can represent organizational divisions or departments within a domain.dc=Austin. Tivoli Access Manager allocates a new registry UID to this user. groups. you must type the full path name for the new user or group. A registry unique identifier (UID) specifies the location in the user registry where the new user is created. Because the registry UID is new. resources.c=us Active Directory cn=IBM-Support.dc=US IBM-Support/Austin/US The registry UID or registry GID provides extra security in the case where a user or group is deleted from the domain and then recreated with the same name. these authenticated identities represent network users or resource managers. and can delegate administration tasks within the domain as required. Group membership eliminates the need to create new ACL entries for each new user. even though a new user has the same name as the deleted user. A user represents any authenticated Tivoli Access Manager identity. New users to the domain gain access to objects by becoming members of groups. The path format depends on the type of registry that the product is using.Chapter 11. 1999. The domain administrator has the necessary privileges to manage the domain.o=ibm. Similarly. Managing users You can perform the following user tasks: v “Creating a user” on page 146 v “Listing users” on page 147 v “Changing a password” on page 148 v “Setting user policy” on page 149 v “Setting global user policy” on page 151 v “Importing users” on page 153 v “Deleting a user” on page 154 © Copyright IBM Corp. a registry group unique identifier (GID) specifies the location in the user registry where the new group is created. and applications. The domain administrator can create and configure users.dc=Austin.dc=US Domino cn=IBM-Support. any existing ACL entries that refer to the old user name do not grant any rights to the new user. Managing users and groups An initial domain administrator is created when a new domain is created. 2010 145 . A group is a collection of one or more users. An administrator can use group ACL entries to assign the same permissions to multiple users. Groups are also useful in defining roles or functional associations. Stale UIDs from deleted users and groups are silently removed by the policy server. Typically. For example. An account refers to users and groups collectively. The following list shows sample formats for different user registries: LDAP cn=IBM-Support. In the Password text field. type the name of the user (for example Mary).c=us. A registry user identifier. type the password. the user is informed that the password has expired. 15. type the user name (for example maryj). Click Create. If this option is not selected. 2. is also assigned to uniquely identify the user definition in the user registry. 6.In the following sections. type the registry UID. Creating a user You can create a user using Web Portal Manager or the pdadmin utility. 14. Click User → Create User. In the Description text field. Click No Password Policy to indicate that you do not want the initial password to conform to the password policies that are set by the domain administrator. Select the Password Valid check box to force a password change the next time the user logs in to the domain. or both. which is sometimes referred to as a principal name. Member of Marketing Group. The registry UID specifies the location in the user registry where the new user is created. 4. 12. Note: When Active Directory Application Mode (ADAM) is used as the user registry. The user name must be unique within the domain. 3. complete the following steps: 1. 7. 10. Also assigned are the common name (CN) and surname (SN) of the user being defined. For online help while using Web Portal Manager. the new user account is not valid and the user cannot log in. instructions are provided for using either Web Portal Manager or the pdadmin utility. In the Confirm Password text field. 146 Administration Guide . 8.o=ibm. the domain administrator assigns a user name. known as a distinguished name (DN). Passwords must adhere to the password policies that are set by the domain administrator. 13. Click Group Membership to search for groups in which the user can be a member. In the User Id text field. Use Web Portal Manager to log in to the domain as a domain administrator. Select the GSO User check box to indicate the use of global sign-on (single sign-on) for Tivoli Access Manager. For example: Mary Jones/IBM/US 11. In the First Name text field. click the question mark to open a separate help window for the current page. In the Registry UID text field. Lotus Notes® users require the full path name for the user being created. For example: cn=maryj. When a user is created. 9. 5. If this option is not selected. users must be created within the same ADAM partition in which Tivoli Access Manager was configured. type the family or surname of the user (for example Jones). Web Portal Manager To create a user in a domain.dc=mkt. type the description for the user (for example. because it is used by Tivoli Access Manager to identify this user. Select the Account Valid check box to indicate that the new user can participate in the domain. The format of the DN depends on the registry type being used. type the password again. In the Last Name text field. use a search filter that is as specific as possible. Listing users You can search for users using Web Portal Manager or the pdadmin utility. 3. see the IBM Tivoli Access Manager for e-business: Command Reference. specifying a single wildcard (“*”). enter the following command: pdadmin sec_master> user create –gsouser maryj "cn=Mary Jones. finds all 10. limit the search results by specifying the number of records to return.o=IBM. the command attempts to find all user definitions that match the specified pattern. Web Portal Manager To search for and list up to a maximum of 100 users: 1. For more information. When a pattern includes one or more wildcard characters. but displays only the specified number of matching definitions in the user registry. 4.000 definitions. avoid using the global wildcard (*). Click Search to display a table of user IDs.000). For example if the user registry contains 10. specify the pattern to filter user ID names. This number limits the number of user IDs that are displayed. 2. delete one or more existing users. Chapter 11. you can perform these tasks: create a user. see the IBM Tivoli Access Manager for e-business: Performance Tuning Guide. For example. Instead. or qualify the search pattern to limit the search results. to create the user named maryj with global sign-on capability. Use wildcard characters with discretion. use wildcard characters with discretion. when the user registry contains a large number of user definitions. Managing users and groups 147 . Note: If a large number of users are defined in the user registry (for example. if you are using the pdadmin tool and listing users whose names start with John. 5.c=us. Click User → Search Users to display the User Search page.dc=mkt" \ "Mary Jones" Jones pwd2pwd2 The format of the distinguished name depends on the type of user registry. For example.A message is shown if the user ID is created. Use Web Portal Manager to log in to the appropriate domain as a domain administrator. At the User Search page. see the IBM Tivoli Access Manager for e-business: Command Reference. more than 100. 000 definitions but displays only the first 100 matching definitions. log in to the appropriate domain as a domain administrator and use the user create command to create the user. pdadmin To create a user using the pdadmin utility. From the User Search page. However. with a limit of 100. Use the default value of 100 or type another value in the Maximum Results field. and click the link to view user properties. For more specific information about tuning the directory server to achieve best results. Each user ID is displayed as a link. as in the following command: pdadmin user list john* 100 For the specific syntax of the user list command. 6. see the following Web page: http://support. 2. Use the default value of 15 user IDs per page. to search for and list up to a maximum of 100 users. validation might fail against the password policy of the underlying operating system or user registry. the password must comply with the following policies: v The defined Tivoli Access Manager password policy v The password policy for the underlying operating system v The password policy for the underlying user registry When enforcing the password policy. enter the following command: pdadmin sec_master> user list * 100 For more information. Toggle back by clicking Hide Filters.com/?id=906305 When setting or changing a password. meaning that no text is used for filtering. start with. Use Web Portal Manager to log in to the domain as a domain administrator. or click Options to type the number of user IDs to view per page. Use the default value of None. complete the following steps: 1. Click User → Change My Password. Tivoli Access Manager validates compliance in the following sequence: 1. log in to the domain as a domain administrator and use the user list command to list users. old passwords might still be able to be used after a password change. 7. or end with the text that you specify. see“Setting global user policy” on page 151. or. Changing a password You can change a user password using Web Portal Manager or the pdadmin utility. Web Portal Manager To change the password for the specified user ID. For additional information. click Filters to find user IDs that contain. Toggle back by clicking Hide Options. 148 Administration Guide . Against the underlying user registry Although a password complies to the defined Tivoli Access Manager password policy. pdadmin To search for a list of users using the pdadmin utility. The new password must comply with the password policies that are currently in effect. For additional information about setting the password policy for Tivoli Access Manager users. Against the Tivoli Access Manager password policy currently in effect 2. Note: When using Active Directory as your user registry and the Active Directory server is running on Windows 2003 SP1 or later.microsoft. For example. see the IBM Tivoli Access Manager for e-business: Command Reference. access policies. For additional information about setting the password history policy when using Tivoli Directory Server as your user registry. 2. such as password policies. 4. Setting user policy You can change the user policy settings for specific users. complete the following steps: 1. and account expiration policies using Web Portal Manager or the pdadmin utility. From the list of matching users. see “Setting the password history policy” on page 361. Managing users and groups 149 . However. pdadmin To change the password for the user using the pdadmin utility. Use Web Portal Manager to log in to the domain as a domain administrator. Click User → Search Users to display the User Search page. 4. either accept the default value of 10 or change the value to a number equal to or greater than zero. Web Portal Manager To change policy settings for a specific user. 5. v When using Tivoli Directory Server as your user registry. Verify that the User ID identifies the login identifier for the user whose password you want to change. ensure that this definition complies with the password policy of the underlying operating systems and user registries. If you select Set. use a reasonable number for the task that you want to perform. For example. Note: v The valid range for numbers can be any number. Modify the following policies as needed: v For Max Login Failures. see the IBM Tivoli Access Manager for e-business: Command Reference. 3. v When defining the password policy. a minimum password length must be long enough to protect your system but not so short as to make it easy for someone to determine your password by trying different combinations. log in to the domain as a domain administrator and use the user modify command with the password option. login-failure policies. type the existing password for the specified user ID. type the new password for the specified user ID. select Unset or Set to set or unset the maximum number of login failures before the account is no longer allowed to participate in the secure domain. Click the Policy tab. to change the password for the user dlucas to newpasswd. In the Current Password text field. Click Apply. type the password again. The User Properties page for that user is displayed. Chapter 11. For example. In the New Password text field. you can take advantage of its password history policy. enter the following command: pdadmin sec_master> user modify dlucas password newpasswd For more information. In the Confirm New Password text field. 7. 6.3. select the user whose policy needs to be changed. 5. If you select Set. select Displace. If you select Set. in seconds. either accept the default value of eight alphanumeric characters or change the value to a number greater than zero. select Unset or Set to set the minimum number of characters required for the password. specified as Month DD:hh:mm:ss. 150 Administration Guide . You can change the value to Yes to allow spaces in passwords or to No to not allow spaces in passwords. or Set to set the time. type the four-digit year in the Year field. You can change these values: – Select the days of the week from the choices provided. Unlimited. Disable. Note: This policy applies only to certain components. or Set to set the account expiration date. If you select Set. You can change it to Unlimited or Set. If you select Set. – Select All Day or Between hours of. A value of 0 (000-00:00:00) indicates that the password never expires. Either accept the default value of Jan 01-00:00:00 or change the value to the date and time. 09 for 9:00 a. or 14 for 2:00 p. select Unset. v For Max Password Repeated Characters. either accept the default settings or change them. v For Account Expiration Date. Unlimited. select Unset or Set to set the maximum time a password can be used before it expires. select Unset or Set to set the minimum number of alphabetic characters required in a password. select Unset or Set to set the minimum number of non-alphabetic characters required in a password. v For Password Spaces Allowed. select Unset. v For Minimum Password Length. You can accept the default setting of Unset. either accept the default value of 180 seconds or change the value to a number equal to or greater than zero. You can accept the default setting of Unset. select Unset or Set to set the time of day access policy. If you select Set.v For Disable Time Interval. or No to determine whether spaces are allowed in passwords. either accept the default value of one non-alphabetic character or change the value to a number greater than one. either accept the default value of four alphabetic characters or change the value to a number greater than zero.m. v For Time of Day Access. Yes.m. If you select Set. Unset. either accept the default value of 91 days (91-00:00:00) or change the value to a number equal to or greater than zero. Refer to the component administration guides to see if this setting is applicable and whether specific configuration options are required to enforce this policy. The maximum password age is relative to the last time the password was changed. v For Minimum Password Non-Alphas. select Unset. select Unset or Set to set the maximum number of repeated characters allowed in a password. or Set to set the maximum number of concurrent Web sessions allowed. either accept the default value of two repeated characters or change the value to a number greater than two. or to disable each user account when the maximum number of login failures is exceeded. v For Max Concurrent Web Sessions. v For Maximum Password Age. The hours must be entered using a 24-hour clock (for example. A Web session is a user session that is maintained by the Web security solutions. If you select Set. type a number equal to or greater than one. If you select Set. such as WebSEAL and plug-in for Web Servers.). v For Minimum Password Alphas. If you select Set. Setting global user policy You can change global user settings. such as password policies. ensure that this definition complies with the password policy of the underlying operating systems and user registries. also select the Start Time.If you select Between hours of. UTC is Coordinated Universal Time. log in to the domain as a domain administrator and use the policy set command. 2. Managing users and groups 151 . pdadmin To set or change user policy settings using the pdadmin utility. Click User → Show Global User Policy. Use Web Portal Manager to log in to the domain as a domain administrator. If you select Between hours of. enter the following command: pdadmin sec_master> policy set max-password-age 031-08:30:00 -user bsmith For more information. a minimum password length must be long enough to protect your system but not so short as to make it easy for someone to determine passwords by trying different combinations. use a reasonable number for the task that you want to perform. For Disable Time Interval. Click Apply. Notes: v The valid range for numbers can be any number. Disable. and account expiration policies using Web Portal Manager or the pdadmin utility. The end time is expressed by using a 24-hour clock. also select the End Time. v When using Tivoli Directory Server as your user registry. For Max Login Failures. select Unset. The end time format is specified as hours and minutes. see the IBM Tivoli Access Manager for e-business: Command Reference. Web Portal Manager To change global user settings. For additional information about setting the password history policy when using Tivoli Directory Server as your user registry. see “Setting the password history policy” on page 361. 3. to set the maximum password age of 31 days 8 hours and 30 minutes for user bsmith. either accept the default value of 180 seconds or change the value to a number equal to or greater than zero. you can take advantage of its password history policy. complete the following steps: 1. or Set to set the time. For example. If you select Between hours of. The start time is expressed by using a 24-hour clock. or to disable each user account when the maximum number of login failures is exceeded. 4. If you select Set. For example. v When defining the password policy. The start time format is specified as hours and minutes. either accept the default value of 10 or change the value to a number equal to or greater than zero. login-failure policies. in seconds. The time zone is local by default. access policies. 6. also select Local Time or UTC Time. However. select Unset or Set to set or clear the maximum number of login failures before the account is no longer allowed to participate in the secure domain. Chapter 11. If you select Set. m. 6. If you select Between hours of. select Unset or Set to set the time of day access policy. The end time format is specified as hours and minutes. You can change these values: v Select the days of the week from the choices provided. type a number equal to or greater than one. For Maximum Password Age. For Account Expiration Date. select Unset or Set to set the maximum number of repeated characters allowed in a password. A Web session is a user session that is maintained by the Web security solutions. You can change the value to Yes to allow spaces in passwords or to No to not allow spaces in passwords. If you select Set. Unset. The maximum password age is relative to the last time the password was changed. For Max Password Repeated Characters. For Minimum Password Non-Alphas. also select the Start Time. v Select All Day or Between hours of. Note: This policy applies only to certain components. The start time is expressed by using a 24-hour clock. such as WebSEAL and plug-in for Web Servers. 10. either accept the default settings or change them. select Unset or Set to set the maximum time a password can be used before it expires. If you select Set. 12. For Password Spaces Allowed. Either accept the default value of Jan 01-00:00:00 or change the value to the date and time. If you select Set. 11. For Minimum Password Alphas. For Minimum Password Length. 09 for 9:00 a. select Unset. either accept the default value of eight alphanumeric characters or change the value to a number greater than zero. Refer to the component administration guides to see if this setting is applicable and whether specific configuration options are required to enforce this policy. If you select Set. For Max Concurrent Web Sessions. 8. You can accept the default setting of Unset. If you select Set. The hours must be entered using a 24-hour clock (for example. or 14 for 2:00 p. For Time of Day Access. specified as Month DD:hh:mm:ss. select Displace. either accept the default value of one non-alphabetic character or change the value to a number greater than one. select Unset or Set to set the minimum number of characters required for the password. or No to determine whether spaces are allowed in passwords. You can accept the default setting of Unset. or Set to set the account expiration date. also select the End Time. select Unset or Set to set the minimum number of alphabetic characters required in a password.5. The end time is expressed by using a 24-hour clock. 9. If you select Set. The start time format is specified as hours and minutes. If you select Set. select Unset or Set to set the minimum number of non-alphabetic characters required in a password. 7. or Set to set the maximum number of concurrent Web sessions to allow. either accept the default value of four alphabetic characters or change the value to a number greater than zero. You can change it to Unlimited or Set. select Unset. either accept the default value of two repeated characters or change the value to a number greater than two. Yes. 152 Administration Guide .m.). If you select Set. Unlimited. 13. either accept the default value of 91 days (91-00:00:00) or change the value to a number greater than zero. If you select Between hours of. Unlimited. type the four-digit year in the Year field. Web Portal Manager To import a user that exists in a user registry and make that user a Tivoli Access Manager user. For example: cn=maryj. Chapter 11. 4. Click Create.If you select Between hours of. Click Apply. If this option is not selected. When a user is imported. UTC is Coordinated Universal Time. the new user account is not valid and the user cannot log in. Select the Account Valid check box to indicate that the new user can participate in the domain. Use Web Portal Manager to log in to the domain as a domain administrator. The user name must be unique within the domain because it is used by Tivoli Access Manager to identify this user. 2. For example. 5. to set a global user policy to a maximum password age of 31 days 8 hours and 30 minutes. the user is informed that the password has expired. Select the Password Valid check box to force a password change the next time the user logs in to the domain. Type a Registry UID. The time zone is local by default.c=us. also select Local Time or UTC Time. Managing users and groups 153 . you can import only existing users defined within the same ADAM partition in which Tivoli Access Manager was configured. Type a User Id (for example maryj). Select the GSO User check box to indicate that the user can use the global sign-on (single sign-on) for Tivoli Access Manager. 8. enter the following command: pdadmin sec_master> policy set max-password-age 031-08:30:00 For more information. Importing users You can import a user that exists in a user registry and make that user a Tivoli Access Manager user using Web Portal Manager or the pdadmin utility. Click Group Membership to search for groups in which the user can be a member. Click User → Import User. 3. 7.o=ibm. If this option is not selected. Lotus Notes users require the full path name for the user being imported.dc=mkt. see the IBM Tivoli Access Manager for e-business: Command Reference. 9. the domain administrator assigns a user name. 14. log in to the domain as a domain administrator and use the policy set command. Note: When ADAM is used as the user registry. complete the following steps: 1. A message is shown if the user ID is created. The registry UID specifies the location in the user registry to be imported. which is sometimes referred to as a principal name. For example: Mary Jones/IBM/US 6. pdadmin To set or change global user settings using the pdadmin utility. Managing groups You can perform the following group tasks: v “Creating a group” on page 155 v “Listing groups” on page 155 v “Importing groups” on page 156 v “Deleting a group” on page 157 154 Administration Guide . enter the following command: pdadmin sec_master> user delete –registry jdoe For more information. this user is removed from all objects with which it is associated.o=IBM.c=us. Before deleting a user. if this user is the only ACL entry that is associated with an ACL policy. click Delete Users to confirm the deletion or click Delete Users and Registry Entries to also remove the registry entries associated with the selected users. 5. From the Delete Selected Users page. Select the check boxes next to the user names to delete and then click Delete. see the IBM Tivoli Access Manager for e-business: Command Reference. Any resource credentials associated with a user account are automatically removed when the user account is deleted.dc=mkt" Note: When using an LDAP user registry and if necessary. log in to the appropriate domain as a domain administrator and use the user import command to import the user. Deleting a user You can delete a user using Web Portal Manager or the pdadmin utility. the user information that is imported to the domain can be imported again to another domain. to delete the user named jdoe and the associated information from the user registry. pdadmin To delete a user from the domain using the pdadmin utility. enter the following command: pdadmin sec_master> user import –gsouser maryj "cn=Mary Jones. log in to the domain as a domain administrator and use the user delete command to delete a user. see the IBM Tivoli Access Manager for e-business: Command Reference. Search for one or more user names to delete and click Search. When you delete a user. complete the following steps: 1.pdadmin To import a user that exists in a user registry and make that user a Tivoli Access Manager user using the pdadmin utility. For example. you must validate that there are other users or groups that can manage this ACL policy. no other user or group can manage this ACL policy. User Web Portal Manager to log in to the domain as a domain administrator. Click User → Search Users. to import the user information for the user named maryj from the existing user registry definition. For more information. 4. 3. Web Portal Manager To delete a user from a domain. an error is displayed. If the user does not exist in the user registry. For example. For example. 2. sales). 5. complete the following steps: Chapter 11. Click Group → Create Group. 7. or both. instructions are provided for using either Web Portal Manager or the pdadmin utility. Click Create. Listing groups You can search for group names using Web Portal Manager or the pdadmin utility. 3. The new group is displayed as a link.dc=mkt" Sales For more information. see “Creating groups” on page 190. groups must be created within the same ADAM partition in which Tivoli Access Manager was configured. The registry GID specifies the location in the user registry where the new group is created. Optional: Type the path in the Object Container field to the Tivoli Access Manager object space where the group is to be created. 2. For example. 6. Managing users and groups 155 . Creating a group You can create a group using Web Portal Manager or the pdadmin utility.o=ibm.In the following sections. see the IBM Tivoli Access Manager for e-business: Command Reference. Sales). Note: When Active Directory Application Mode (ADAM) is used as the user registry.c=us. Web Portal Manager To search for and list up to a maximum of 100 groups. Use Web Portal Manager to log in to the domain as a domain administrator. The group name must be unique within the domain because it is used by Tivoli Access Manager to identify this group. If the container object does not currently exist. to create the group named sales. the domain administrator assigns a group name. For online help while using Web Portal Manager.dc=mkt. click the question mark to open a separate help window for the current page. enter the following command: pdadmin sec_master> group create sales "cn=sales. For more information about groups. Web Portal Manager To create a group in the domain. When a group is created. Type a Registry GID. it is automatically created. 4. pdadmin To create a group in the domain using the pdadmin utility. Optional: Type a Description for the group (for example. log in to the domain as a domain administrator and use the group create command to create a group and optionally place this group in a group container object. Select the link and the properties for the new group are displayed.o=IBM. complete the following steps: 1.c=us. Lotus Notes users require the full path name for the group being created. Type a Group Name for the group (for example. For example: cn=Sales. For example: Sales/IBM/US. enter the following command: pdadmin sec_master> group list * 100 For more information. Each group name is displayed as a link. use the special character (*) to filter group names. complete the following steps: 1. For example. Use the default value of 15 group names per page. delete one or more existing groups. Toggle back by clicking Hide Options. the domain administrator assigns a group name. Use the default value of None. or. click Filters to find group names that contain. 156 Administration Guide . For blade systems to benefit from dynamic group support. you can perform these tasks: create a group. pdadmin To search for a list of groups using the pdadmin utility. Click Search Groups. Use the default value of 100 or type a Maximum Results number to limit the number of group names that you want to view. 2. 3. The group name must be unique within the domain because it is used by Tivoli Access Manager to identify this group. to search for and list up to a maximum of 100 groups. 7. When a group is imported. For details about enabling the policy server for dynamic groups. 5. For example. From the Group Search page. Type a Group Name for the group. you can import only existing groups defined within the same ADAM partition in which Tivoli Access Manager was configured. type sales. or end with the text that you specify. Use Web Portal Manager to log in to the domain as a domain administrator. ensure that the policy server is enabled for dynamic group support. also enable this stanza entry on each blade system. or click Options to enter the number of group names you want to view per page. Importing groups You can import an existing group from a user registry into the domain and make that group a Tivoli Access Manager group using Web Portal Manager or the pdadmin utility. Toggle back by clicking Hide Filters.Use Web Portal Manager to log in to the domain as a domain administrator. meaning that no text is used for filtering. Click Search to display a table of group names. 2. see the IBM Tivoli Access Manager for e-business: Command Reference. Web Portal Manager To import an existing group from a user registry into the domain and make that group a Tivoli Access Manager group. start with. 3. and click the link to view group properties. 6. 1. Note: When ADAM is used as the user registry. log in to the domain as a domain administrator and use the group list command to list groups. At the Group Search page. Attention: If you import a dynamic group. see “Enabling dynamic group support” on page 158. 4. Click Group → Import Group. 2.c=us. if this group is the only ACL entry that is associated with an ACL policy. Select the link to display the properties for the new group. click Delete Groups to confirm the deletion or click Delete Groups and Registry Entries to also remove the registry entries associated with the selected groups. Click Group → Search Groups.o=IBM. Lotus Notes users require the full path name for the group being imported. From the Delete Selected Groups page. it is automatically created. 5. type cn=sales. and click Delete. For example. complete the following steps: 1. 6.4. enter the following command: pdadmin sec_master> group delete –registry sales Chapter 11. 5. if necessary. to delete the group named sales and the associated information from the user registry. When you delete a group. Select check boxes next to the group names to delete. For example. For more information. this group is removed from all objects with which it is associated.c=us. pdadmin To import an existing group from a user registry into the domain and make that group a Tivoli Access Manager group using the pdadmin utility. Use Web Portal Manager to log in to the domain as a domain administrator.c=us. Search for one or more group names to delete and click Search. see the IBM Tivoli Access Manager for e-business: Command Reference.dc=mkt. enter the following command: pdadmin sec_master> group import sales "cn=sales. 4. log in to the domain as a domain administrator and use the group import command to import an existing group and optionally place this group in a group container object. log in to the domain as a domain administrator and use the group delete command to delete a group.dc=mkt" Note: The group information that is imported to the domain can be imported again to another domain. to import the existing group named "cn=sales. no other user or group can manage this ACL policy. Web Portal Manager To delete a group from the domain.o=ibm. The registry GID specifies the location in the user registry of the group to be imported. Optional: Type the path in the Object Container field to the Tivoli Access Manager object space where the group is to be imported. The new group is displayed as a link. Type a Registry GID. you must validate that there are other users or groups that can manage this ACL policy. For example: sales/IBM/US. For example. Managing users and groups 157 .o=IBM. Before deleting a group in this case. Deleting a group You can delete a group using Web Portal Manager or the pdadmin utility. If the container object does not currently exist. Click Import. pdadmin To delete a group from the domain using the pdadmin utility. For example.dc=mkt" from the user registry. 3. Note: Dynamic groups are not supported for the ADAM registry. modify the dynamic-groups-enabled entry in the [ldap] stanza of the ldap. LDAP registry For LDAP registry users. restart the server. edit the configuration files with a text editor or use the pdadmin utility as follows: pdadmin sec_master> config modify keyvalue set "c:\Program Files\Tivoli\Policy Director\etc\ldap. edit the configuration files with a text editor or use the pdadmin utility as follows: pdadmin sec_master> config modify keyvalue set "c:\Program Files\Tivoli\Policy Director\etc\activedir. Active Directory For Active Directory registry users. To do so. you must restart the updated server. see the IBM Tivoli Access Manager for e-business: Command Reference. For configuration changes to take effect. use the pdadmin utility. 158 Administration Guide .conf files. modify the dynamic-groups-enabled entry in the [uraf-registry] stanza in the activedir.conf file. Microsoft supports Active Directory dynamic groups only for Windows Server 2003 and beyond. Enabling dynamic group support To enable dynamic group support on the policy server and all servers where dynamic groups are supported. For more information.conf "ldap" "dynamic-groups-enabled" yes For configuration changes to take effect.conf" "uraf-registry" "dynamic-groups-enabled" yes Note: Do not change this value if Active Directory cannot handle dynamic groups. consult the Microsoft Web site. To do so.For more information.conf and activedir_ldap.conf" "uraf-registry" "dynamic-groups-enabled" yes pdadmin sec_master> config modify keyvalue set "c:\Program Files\Tivoli\Policy Director\etc\activedir_ldap. The command you run depends on the type of user registry. For information about setting up your environment to enable an Active Directory registry to handle dynamic groups. see “Importing dynamic groups to Tivoli Access Manager” on page 366. system authentication. because they contain © Copyright IBM Corp. the trusted signer is the policy server itself. using the Tivoli Access Manager certificate authority (PDCA) certificate. and the initial configuration settings. Key files have a . it tries to map that certificate to a Tivoli Access Manager user. Federal Information Processing Standards (FIPS) must be enabled. For example. and application-level authentication. Tivoli Access Manager provides a Java runtime for performing the same tasks. This chapter includes the following information: v “Initial configuration” on page 160 v “Key file and stash file renewal information” on page 161 v “Trust determination” on page 162 v “Server certificate revocation” on page 164 v “Additional key and stash file considerations” on page 165 Tivoli Access Manager can use Secure Sockets Layer (SSL) for encryption. However. Certificate and password management This chapter describes how Tivoli Access Manager uses server-side and client-side certificates for authentication. the configuration settings for the default lifetime for both the certificates and the key file passwords. 2010 159 . when the authorization server wants to communicate with the policy server. The Tivoli Access Manager runtime package (PDRTE) relies on only SSL server-side authentication and does not require a client-side certificate. key files and stash files. Tivoli Access Manager can also use Transport Layer Security (TLS) version 1 instead of SSL. SSL uses certificates for operation that help to ensure a secure environment. and the resource manager servers rely on client-side certificates to operate. This chapter describes certificate and password management from the perspective of the administration C API runtime. In this case. In this example.ks extension for Java keystores). the policy server can be considered the server and the authorization server as the client. When installed and configured. The policy server verifies that the certificate is valid and is signed by a trusted signer. If the authentication succeeds. In the secure environment.kdb extension (or . the authorization server. For more information about the administration Java runtime and classes. 1999. all the Tivoli Access Manager servers. The certificates used by Tivoli Access Manager are kept in key files.Chapter 12. the servers can communicate. To use TLS. see the IBM Tivoli Access Manager for e-business: Administration Java Classes Developer Reference and the IBM Tivoli Access Manager for e-business: Authorization Java Classes Developer Reference. it presents its client-side certificate. after the policy server determines that the authorization server certificate is good. As part of the Tivoli Access Manager application-level authentication. However. The authorization server does the same for the certificate presented by the policy server. the policy proxy server. The Tivoli Access Manager servers use certificates to authenticate themselves. Key files must be secured and protected by the strictest operating system controls available. the policy server acts as the certificate authority (CA) and is responsible for the creation and renewal of certificates. such as the policy server. such as WebSEAL. Furthermore.kdb and. both the certificates and the key file passwords can be set to expire after a configurable amount of time.sth files are created and the PDCA certificate is included in the key files as a trusted certificate. a manual refresh is warranted to keep the Tivoli Access Manager domain secure. the Tivoli Access Manager runtime key file pd.kdb key file. When opening the security context. The Tivoli Access Manager calculates the life span of the certificate when you open the PDContext.kdb file is accessible by the user ivmgr (or all users). the key file for the policy server is ivmgrd.sth and its permissions are the same as the ivmgrd. The certificate files in a directory need to be accessible to the user ivmgr (or all users). By default. the stash file is ivmgrd. to facilitate unattended server operation. When new resource managers. For example. If there is a need to refresh the certificate. the svrsslcfg utility or an equivalent application programming interface (API) is run. This utility 160 Administration Guide . If the servers are not running within a specified time frame. Both of these certificates are located in the ivmgrd. The default lifetime for a certificate is four years. Initial configuration The certificates used by the Tivoli Access Manager servers are created as part of their initial configurations. the Tivoli Access Manager verifies the need to refresh the context. As part of its configuration. as part of this configuration. ensure that these users have the appropriate permissions for this file. as part of the policy server configuration. The refresh process reissues a new certificate with a new lifetime and generates a new password with the configured lifetime. their certificates or passwords can expire. For the policy server. For security reasons.kdb is created. The fixed lifetime for the PDCA certificate is 20 years. these stash files must be secured using native standard operating system measures. and the stash files are denoted by a . and a personal certificate that is used by the policy server is created and signed by the PDCA certificate. see “Key file and stash file renewal information” on page 161. it can be read and written to by only the ivmgr user. the Tivoli Access Manager runtime package is configured first. a manual refresh is necessary.sth file extension. Again. Furthermore. then Tivoli Access Manager creates an SSLContext with the new certificate and processes the request. In other words. These versions are called stash files. the system pd. there are files that contain an obfuscated (not encrypted) version of the password to the key files. The default lifetime for a key file password is 183 days.kdb and pd. When new systems are added to the Tivoli Access Manager domain. if a certificate or a password or the entire key file is damaged.the private keys for the certificates. In a brand-new Tivoli Access Manager installation.kdb key file.kdb file and the directory or folder that contains the ivmgrd. For information about performing a manual refresh. the PDCA certificate is created. the Tivoli Access Manager servers refresh the certificates and passwords automatically while they are running. Ensure that the ivmgrd. Again. and the PDCA certificate is inserted into it as a trusted certificate. by default. In this case. the policy server is the first server configured. Also. are configured. Java key files that are generated by Tivoli Access Manager do not have corresponding stash files. 5 Before running this command.kdb and pd. The policy server log file contains a message stating when the server needs to be restarted. It also describes how they are created and refreshed.” on page 203. The utility also inserts the PDCA certificate as a trusted certificate in the key file. except it cannot issue or renew certificates for other servers until it is recycled. 3 Before running this command. The configuration files and certificate-related stanza entries. 6 Java resource managers have an equivalent to key files.creates a key file (such as pdacld.kdb ivacld.sth configuration Running the pdmgrproxyd1 command Running the pdacld1 command Authorization server ivacld.sth (does not contain a client-side certificate) ivmgrd. where the application personal certificate and the PDCA certificate Chapter 12. It continues to operate normally until it is recycled.sth During server configuration Resource manager The key files and stash file names are resource manager-dependent.2 command How manually updated Running the bassslcfg utility with the –chgpwd option Running the mgrsslcfg utility with the -chgpwd3 and -chgcert3 options Running the svrsslcfg utility with the –chgpwd4 and the –chgcert5 options Running the svrsslcfg utility with the -chgpwd4 and -chgcert5 options Running the svrsslcfg utility with the –chgpwd7 and –chgcert8 options Proxy server pdmgrproxyd. and the authorization server must be stopped.kdb and ivmgrd. and the file name is configurable. “Configuration file reference. Certificate and password management 161 . Table 6. the authorization server must be stopped. the policy server must be running. Server key and stash files Server Tivoli Access Manager runtime package Policy server Key and stash files pd. 2 Because the policy server also acts as the CA for the secure domain.kdb) and places a personal certificate for the server in it. 4 Before running this command.sth How created During runtime configuration During server configuration How automatically updated Running the pdadmin1 utility Running the pdmgrd1. such as the configured key file and the configured stash files. it must be recycled after a refresh.6 Running the svrsslcfg Running an instance utility with the of the resource –config option manager1 Table notes: 1 Automatic certificate and password refresh can be turned off by setting the ssl-auto-refresh stanza entry to no in the [ssl] stanza in the respective configuration file. Key file and stash file renewal information The following table lists the servers and their associated key files and stash files. the policy server must be stopped. These two certificates are obtained from the policy server and are transported to the client machine over SSL using the Tivoli Access Manager runtime key file. known as Java keystores.kdb During server and pdmgrproxyd. are discussed in Appendix B. v If auto-download is set to on (enabled) and the policy server is running. If the compromise happens.) This command updates both the server certificate for the authorization server and its trusted certificate (the new PDCA certificate). the resource manager must be stopped. After obtaining the CA certificate. If it is compromised. For Tivoli Access Manager. each key file except for ivmgrd. Before running this command. Regenerate the Tivoli Access Manager runtime certificates on the policy server by running the bassslcfg –config utility. It is important to protect the ivmgrd. the CA certificate is automatically obtained. auto-download is enabled. 6. Use the following process for regenerating these files in the domain: 1. Before running this command. If the PDCA certificate is compromised and must be regenerated. On each resource manager in the domain. Trust determination Each key file contains a list of trusted certificate authorities (CAs). (The policy server must be running. (The policy server must be running. and the resource manager must be stopped. regenerate its key files by running the svrsslcfg –config utility.kdb file using the mgrsslcfg –config utility.kdb key file has the Tivoli Access Manager certificate authority (PDCA) certificate as a trusted CA.7 8 are stored. 3. it must be regenerated. (The policy server must be stopped. you can choose to automatically download the CA certificate or manually copy the file. the policy server must be running.b64 on the policy server. Regenerate the PDCA certificate and policy server certificate by generating a new ivmgrd. 4. the base-64 DER encoded version of the PDCA certificate must be copied to the machine.kdb file to keep the private key in the PDCA certificate from being compromised. 5. The names of keystores are created by running the Java SvrSslCfg class with the –action config option.) This command updates both the server certificate for the authorization server and its trusted certificate (the new PDCA certificate).) 2. regenerate its key files by running the svrsslcfg –config utility. Java resource managers do not have a stash file equivalent. 162 Administration Guide . From the Java perspective. By default.kdb file. run the bassslcfg –config utility. This CA is the certificate that is used to sign all the other Tivoli Access Manager certificates. This CA is created during policy server configuration and is placed in the ivmgrd. All resource managers that were previously configured with the SvrSslCfg class must also be reconfigured. the Tivoli Access Manager runtime also stores the PDCA certificate. all servers that are configured to use Tivoli Access Manager Runtime for Java must be reconfigured. On each runtime machine. v If auto-download is set to off (disabled). On each authorization server in the domain. This file is stored as pdcacert. each key file and each certificate in the domain needs to be regenerated. stash file.b64 7. After regenerating the PDCA certificate on the policy server. Rename the ivmgrd.kdb. you need to reconfigure the PDCA on the policy server.b64 8.kdb key file.Reconfiguring the PDCA on the policy server When the certificate is compromised or has expired.old 4. Stop all Tivoli Access Manager services that are running on the machine by entering the following command: pd_start stop 2. To reconfigure the PDCA. enter the following command: cd /opt/PolicyDirector/sbin 5.old mv ivmgrd. complete the following steps on each runtime machine: 1. Change the ownership of the newly created key file. For example. Assuming the default directory on a Linux or UNIX operating system.sth stash file. Configure the Tivoli Access Manager runtime using the bassslcfg –config utility. enter the following command: cd /var/PolicyDirector/keytab 3. you do not need to copy the file. you might need to copy the PDCA certificate to each runtime machine in the domain. Assuming the default directory on a Linux or UNIX operating system. enter the command but replace the values for the –c and –h options. Start the Tivoli Access Manager services on the machine by entering the following command: pd_start start The management environment must be running. Assuming the default directory on a Linux or UNIX operating system.b64 PDCA file by entering the following commands: mv ivmgrd.kdb ivmgrd. Certificate and password management 163 . If auto-download is enabled. Change to the PolicyDirector/sbin directory.sth chown ivmgr:ivmgr /var/PolicyDirector/keytab/pdcacert. Stop all Tivoli Access Manager services that are running on the machine by entering the following command: pd_start stop 2.b64.sth ivmgrd.sth.kdb chown ivmgr:ivmgr /var/PolicyDirector/keytab/ivmgrd. ivmgrd. Change to the directory where the key files are located. and pdcacert. complete the following steps: 1. enter the following command: cd /opt/PolicyDirector/sbin Chapter 12. and certificate to ivmgr:ivmgr by entering the following commands: chown ivmgr:ivmgr /var/PolicyDirector/keytab/ivmgrd. Reconfiguring the PDCA on the runtime machines After reconfiguring the policy server and transferring the newly generated PDCA certificate to each runtime machine. Configure the policy manager server to create a new key file and stash file by entering the following command: mgrsslcfg -config 6. bassslcfg -config -h myhostname -c /var/PolicyDirector/keytab/pdcacert. Change to the PolicyDirector/sbin directory.b64 pdcacert.old mv pdcacert. To illustrate. you can use one of the following FTP option: v Use the put command from the policy server to transfer the certificate to the other machine v Use the get command from the other machine to retrieve the certificate from the policy server The following steps assume that the pdcacert.3.b64 7. For Java-based resource managers. you can run the svrsslcfg –chgcert utility to replace the existing server certificate and update the PDCA certificate. end the FTP session by entering the following command: quit Server certificate revocation If the certificate on a C-based resource manager is compromised. Similarly. Make sure that the policy server is running. Configure the Tivoli Access Manager runtime using the bassslcfg –config utility.replaceAppSvrCert() method must be used. 3. enter the following command: hash 6. Connect to the runtime machine by opening an FTP session. Start the Tivoli Access Manager services on the machine by entering the following command: pd_start start Transferring the PDCA certificate to other machines After regenerating the PDCA certificate.b64 4. You can also unconfigure and reconfigure the server by running the svrsslcfg –unconfig and svrsslcfg –config utilities. enter the command but replace the values for the –c and –h options. To view the transfer process visually. Indicate that the file to be transferred is a text (ASCII) file by entering the following command: ascii 5. a Java-based resource manager can be unconfigured and reconfigured using the Java SvrSslCfg class. Change to the directory where the certificate is stored. These commands update both the server certificate for the authorization server and its trusted certificate (the new PDCA certificate). For example. Assuming the default directory on a Linux or UNIX operating system.b64 certificate is retrieved from the policy server: 1. 164 Administration Guide . ftp pdruntime1 2. the PDAppSvrConfig. you need to copy the file manually to each machine. After the transfer completes. If the File Transfer Protocol (FTP) is supported in your environment. enter the following command: cd /var/PolicyDirector/keytab 4. When auto-download is disabled. Start the transfer by entering the following command: put pdcacert. bassslcfg -config -h myhostname -c /var/PolicyDirector/keytab/pdcacert. pdruntime1 is the name of the runtime machine. Log in to the remote machine using the appropriate user ID and password. you might need to transfer it to each machine in the domain. For certificates that are not managed by Tivoli Access Manager.conf. For manual password renewal. and /opt/PolicyDirector/etc/pd. this communication uses server-side authentication only. The new certificate can be replaced in the key file by running the svrsslcfg –modify –C new_cert_filename utility. To increase or decrease this value. the value is dictated by the value supplied to the svrsslcfg –chgpwd utility. is protected by the password). The maximum key length is 2048 Chapter 12. change the value and restart the policy server. The expiration and management of these certificates are not handled by Tivoli Access Manager. If the blade server is not running during the second half of the password life. on an AIX® system. v Both the public keys that are included in certificates and the private keys that might be stored in key files have key lengths. Any certificates that are issued or renewed use this value. in turn. using the SSL connection protected by the certificate (which. the policy server. v The key file password refresh occurs after half the lifetime of the password expiration date.Additional key and stash file considerations Additional considerations for key file and stash file renewal include: v When a certificate and the password to the key file containing that certificate are both expired. /opt/PolicyDirector/etc/ivacld. the Tivoli Access Manager server needs only the CA certificate that signed the LDAP server certificate or the LDAP server certificate itself. an ACL update is unable to refresh the password because this operation uses the connection from the management server to the blade server. for the authorization server. the key files and stash files can be found in the install_dir/keytabs directory. However. For example. v The configuration files mentioned are found in the install_dir/etc directory. because a valid password is needed to open the key file to obtain the certificate. the value for the lifetime of a password is controlled by the value of the ssl-pwd-life entry in the [ssl] stanza that is in effect when the server is started. and runtime configuration files are /opt/PolicyDirector/etc/ivmgrd. v After running the bassslcfg –config utility. For Java-based encryption. run the svrsslcfg –chgpwd utility and then the svrsslcfg –chgcert utility. v Tivoli Access Manager servers can also communicate with Lightweight Directory Access Protocol (LDAP) using SSL.sth files. v For automatic password renewal. For example. Certificate and password management 165 . The new value is in effect only for certificates that are issued or renewed from that point onward. There is no set length for keys generated by the Tivoli Access Manager runtime.conf file when the policy server is started. you might need to change the permissions on the pd. This value is also written into the appropriate configuration file. The actual time used is the lesser of the value specified in the ivmgrd. v Tivoli Access Manager does not distinguish between export and domestic encryption.conf configuration file and the number of days before the policy server CA certificate expires. You must run these utilities. Therefore.kdb and pd.conf.conf. authorization server. In the standard configuration. it is possible to include the LDAP certificate in the key file for a resource manager by running the svrsslcfg –config utility with the -C option. these certificates must be refreshed by using the same mechanism used to create the initial certificate. the password must be refreshed. v The value for the lifetime of a certificate is controlled by the value of the ssl-cert-life entry in the [ssl] stanza of the ivmgrd. the strength is regulated by the jurisdiction files that are present in the Java runtime environment. Similarly. or svrsslcfg). mgrsslcfg. Public keys having 2048 bit key lengths can be generated by using the configuration utilities (bassslcfg.bits. 166 Administration Guide . © Copyright IBM Corp. pdmgrproxyd The server process for the policy proxy server Web Portal Manager Policy server Master authorization database User registry Authorization server Replica authorization database Figure 18. also called the master authorization database. There must be at least one policy server defined for each domain. 2010 167 . or daemons: pdmgrd The server process for the policy server. This chapter contains the following information: v “Tivoli Access Manager servers” v “Tivoli Access Manager utilities” on page 170 v “Tivoli Access Manager servers tasks” on page 170 v “Server configuration file tasks” on page 172 v “Policy server administration tasks” on page 174 Tivoli Access Manager servers Tivoli Access Manager consists of the following server processes. 1999.Chapter 13. Server management This chapter provides detailed information for performing general administration and configuration tasks on the Tivoli Access Manager servers. Tivoli Access Manager server components The policy server manages the policy database. and maintains location information about other Tivoli Access Manager servers in the domain. pdacld The server process for the authorization server. the policy proxy server. Figure 19 on page 169 shows the interaction between applications. In this deployment scenario the proxy is deployed in what is commonly called the demilitarized zone (DMZ). only one copy of the policy is transmitted from the policy server to the proxy. Proxy server A policy proxy server is a server that acts as an intermediary between a less trusted network and a more trusted network so that the enterprise can ensure security. such as the pdadmin commands. The policy proxy server helps support several network deployment strategies for the policy server and the resource managers. administrative control. This protects the policy server in the more trusted network from denial-of-service attacks and other similar attacks. The proxy can be used to terminate any connections from a less trusted network and to pass those requests to a policy server in a more trusted network using a different connection. the proxy is useful in a wide-area network (WAN) deployment where the policy server and several applications are deployed at separate locations across a slow connection.The authorization server allows other applications to make authorization calls to Tivoli Access Manager using the authorization application programming interface (API). v This configuration can also improve security because firewalls between the locations can be configured to only allow the proxy to contact the policy server and not the applications. 168 Administration Guide . The policy proxy server serves many important functions in a Tivoli Access Manager environment. This configuration is important for the following reasons: v The policy proxy server can be configured to cache security policy such that when a policy update occurs at the policy server. and the policy server. and caching service. The proxy then provides the policy to all the applications. each individual application would request and receive the policy from the policy server. Also. If the proxy was not there. significantly increasing the network traffic. A policy proxy server is associated with or part of a gateway server that separates the enterprise network from the outside network and a firewall server that protects the enterprise network from outside intrusion. In a Tivoli Access Manager environment. such as WebSEAL servers or Authorization API applications. A resource manager can be any server or application that uses the Authorization API to process client requests for access to resources. only the proxy contacts the policy server instead of each application. The authorization server also acts as a logging and auditing collection server to store records of server activity. the policy proxy server runs on behalf of the policy server for a given number of resource manager and administrative tasks. If a proxy is deployed on the same network as the applications and the applications are configured to go through the proxy. Typically this happens when the policy server and the applications are deployed in different geographical locations. such as Tivoli Access Manager WebSEAL. You can have a single policy server and create as many domains as you want. The single policy server can access any of the distinct policy databases. v The policy server manages the policy database. or Tivoli Access Manager for Operating Systems. v There must be at least one policy server defined.Central Office Internet Internet Policy Proxy Server Policy Server Internal Network Subnet DMZ Firewall Application Application Application Policy Proxy Server Branch Office Figure 19. The administrator can specify the location for the backup files. Proxy server Server dependencies Take the following dependencies into account during your server configuration: v There must be at least one instance of the policy server. v The policy database must reside on a highly available policy server with a robust file system. v Each resource manager. v Each policy database is subject to a regular backup procedure. Server management 169 . applies security policy based on information from either the policy database or from a replicated authorization database. v There must be only one policy database (master authorization database) in a domain. Tivoli Access Manager for Business Integration. a separate policy database is also created for each domain. When a domain is created. v The policy servers provide authorization database replication services to all other Tivoli Access Manager servers in the domain running in local cache mode. Chapter 13. For example. the pdadmin utility includes the server task stats and server task trace commands that allow you to enable statistics gathering and capture information about error conditions. This technique is useful when you need to customize an installation or when you need to perform troubleshooting tasks. Tivoli Access Manager servers tasks This section describes the following server processes: v “Starting and stopping servers on Linux and UNIX operating systems” v “Starting and stopping servers on Windows operating systems” on page 171 Starting and stopping servers on Linux and UNIX operating systems Server processes are normally enabled and disabled through automated scripts that run at system startup and shutdown.Tivoli Access Manager utilities The Tivoli Access Manager utilities are discussed in detail in the IBM Tivoli Access Manager for e-business: Command Reference. This utility is located in the following directory: /opt/PolicyDirector/bin/ Starting the Tivoli Access Manager servers using the pd_start utility Use the pd_start utility to start all Tivoli Access Manager servers not currently running on a particular machine: # pd_start start This utility waits until all servers have started before returning the prompt. enter the following command: 170 Administration Guide . you can also use the pd_start utility to manually start and stop the server processes. In Linux and UNIX environments. provides commands that assist in troubleshooting problems. The table at the beginning of the utilities section lists available utilities and their purposes. In addition. the IBM Tivoli Access Manager for e-business: Troubleshooting Guide provides further diagnostic information for using the Tivoli Access Manager pdadmin utility and other utilities. Starting individual servers manually You can manually start the servers individually by running the server-specific utilities. The pdadmin utility. The syntax for the pd_start utility is as follows: # pd_start {start|restart|stop|status} You can run the pd_start utility from any directory. Start the Tivoli Access Manager servers in the following order: 1. You must run the start commands as an administration user. For the policy server. You can run scripts only on the local machine. such as root. which is also discussed in IBM Tivoli Access Manager for e-business: Command Reference. Administrative privileges are required to use this utility. The servers must be stopped and started in the correct order. or you can start and stop them individually. Proxy server 3. Server management 171 .install_path/bin/pdmgrd 2. Authorization server The servers must be stopped in the following order: 1. enter the following command: install_path/bin/pdmgrproxyd 3. Proxy server 3. For the policy proxy server. The servers must be started in the following order: 1. Stopping the Tivoli Access Manager servers using the pd_start utility Use the pd_start utility to stop all Tivoli Access Manager servers on a particular machine in the correct order: pd_start stop This utility waits until all servers have stopped before returning the prompt. You can start and stop all Tivoli Access Manager servers. enter the following command: install_path/bin/pdacld Restarting the Tivoli Access Manager servers using the pd_start utility Use the pd_start utility to stop all Tivoli Access Manager servers on a particular machine and then restart the servers: pd_start restart This utility waits until all servers have started before returning the prompt. Policy server 2. Policy server Chapter 13. use the Services window that is accessed from the Control Panel window to start and stop the server processes manually and to control whether these servers are started when the system is booted. This capability can be useful when customizing an installation or when troubleshooting problems. Authorization server 2. For the authorization server. Displaying server status using the pd_start utility Use the pd_start command to display server status: pd_start status Tivoli Access Manager Servers: Server Enabled Running pdmgrd webseald pdacld pdmgrproxyd yes no yes no yes no no no Starting and stopping servers on Windows operating systems On Microsoft Windows operating systems. Note: The servers must be stopped in the following sequence: v Authorization server v Proxy server v Policy server Repeat the last step until all servers are stopped. Stopping the Tivoli Access Manager servers from the Services window You can also use the Services Control Panel to manually stop the individual servers: 1. Double-click Services. Various server configurations are discussed in Appendix B. After the servers start. right-click the Tivoli Access Manager servers to start. use the startup properties to set that server Startup Type to Disabled.The AutoStart Service automatically starts each of the Tivoli Access Manager servers whenever the Startup Type is set to Automatic. select Settings Control Panel. Double-click Administrative Tools. 2. and click Stop. the AutoStart Service exits. From the Name column. stanzas. From the Start menu. Note: The servers must be started in the following sequence: v Policy server v Proxy server v Authorization server Repeat the last step until all servers are started. 4. and click Start. select Settings Control Panel. “Configuration file reference. Double-click Services.” on page 203. Changing configuration settings The configuration files. and stanza entries are described in Appendix B. 2. From the Start menu. From the Name column. “Configuration file reference. Starting the Tivoli Access Manager servers from the Services window You can also use the Services Control Panel to manually start the individual servers: 1. right-click the Tivoli Access Manager servers to stop. complete the following steps: 172 Administration Guide . Server configuration file tasks You can use the server configuration files to customize the operation of Tivoli Access Manager and its servers.” on page 203. Double-click Administrative Tools. 3. To prevent automatic starting of a Tivoli Access Manager server by the AutoStart Service. 4. To change a configuration setting. 3. v Use the appropriate configuration tool for your server to change the configuration settings: – For the ivmgrd.conf file is installed at the following location for Windows operating systems: c:\Program files\tivoli\Policy Director\etc\pd. Having a backup copy allows you to return the configuration file to a known working state. Stop the Tivoli Access Manager servers that are affected.conf file. 4. if you want to change the ivmgrd. Server management 173 . you must stop the policy servers.conf file is installed at the following location for Linux and UNIX operating systems: /opt/PolicyDirector/etc/pd. the authorization server automatically starts after each system reboots: [pdrte] boot-start-ivacld = yes To prevent the authorization server from automatic startup.conf file. and then restart all the policy servers for the change to become effective.conf Policy server When the PDMgr package is installed. Start the Tivoli Access Manager servers that are affected. – For all other configuration files. 3. the pd.conf By default. use the bassslcfg utility. By default. For example.conf file. set: boot-start-ivmgrd = no Authorization server When the PDAcld package is installed. the policy server automatically starts after each system reboots: [pdrte] boot-start-ivmgrd = yes To prevent the policy server from automatic startup. make the change. use the svrsslcfg utility.conf configuration file. Use one of the following mechanisms to modify the configuration file: v Use the pdadmin config commands to modify the configuration file. use the mgrsslcfg utility. Automating server startup at boot time Stanza entries for automating server startup are located in the [pdrte] stanza of the pd. Some values are completed automatically after the configuration is completed. Make a backup copy of the configuration file that you plan to modify. Note: Many stanzas or values are created or modified only by using Tivoli Access Manager configuration utilities. Do not modify these values. set: boot-start-ivacld = no Chapter 13. – For the pd. 2.1. if you encounter an error. the pd. When the policy server modifies the master authorization database. is explained in the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide. For more information about these entries. see “Setting the number of update-notifier threads” on page 175 and “Setting the notification delay time” on page 176.conf configuration file. for example. The auto-database-update-notify stanza entry is located in the [ivmgrd] stanza of the ivmgrd. This section describes configuration tasks available to the administrator. Tivoli Access Manager allows you to configure update notifications from the policy server to be an automatic process or a manually controlled task. The policy server typically requires little administration or configuration. manual application of the server replicate command controls this event. By default. the stanza entry value is set to yes (update notification is automatically performed by the policy server): [ivmgrd] auto-database-update-notify = yes This automatic setting is appropriate for environments where database changes are few and infrequent. Polling configuration for a WebSEAL client. When you configure update notification to be automatic. it can send out notification of this change to all resource manager servers (with replica databases). v “Replicating the authorization database” v “Setting the number of update-notifier threads” on page 175 v “Setting the notification delay time” on page 176 Replicating the authorization database A Tivoli Access Manager domain administrator can make security policy changes to a domain at any time. When you configure update notification to be manual. set: boot-start-pdmgrproxyd = no Policy server administration tasks The policy server manages the policy database (or databases). and maintains location information about other Tivoli Access Manager servers in each domain.Proxy server When the PDMgrProxyd package is installed. Note: Additionally. The authorization servers must then request a database update from the policy server. you must also correctly configure the max-notifier-threads and notifier-wait-time stanza entries. [ivmgrd] auto-database-update-notify = no 174 Administration Guide . resource manager servers can check for database updates by polling the policy server at regular intervals. the policy proxy server automatically starts after each system reboots: [pdrte] boot-start-pdmgrproxyd = yes To prevent the policy proxy server from automatic startup. A primary responsibility of the policy server is to make the necessary adjustments to the domain master authorization database to reflect these changes. regardless of the value of this stanza entry. If there are more than 30 replicas. The manual control of update notification allows you to complete the process of modifying the master authorization database before update notifications are sent out to authorization servers with database replicas. The performance goal of the update-notifier threads value is to announce a database change as quickly as possible.” Using the server replicate command When you configure update notification to be manual. All replicas are guaranteed to be notified. ivmgrd. all configured resource manager servers receive update notifications. see “Setting the number of update-notifier threads. the manual mode setting is affected by the max-notifier-threads stanza entry value. When the -server option is not specified. These obsolete notifications cause unnecessary network traffic and impair the performance of resource managers because of continued requesting and processing of policy updates. For more information about this stanza entry.conf. the thread pool must be set to at least 30. Therefore. to concurrently notify 30 replicas of a database change. notification threads announce this change to all replicas configured to receive update notifications. contains a stanza entry for setting the maximum number of update-notifier threads. Server management 175 . pdadmin_secmaster> server replicate -server test_server When the -server option (test_server in the previous example) is specified.This manual setting is appropriate for environments where database modifications occur frequently and involve substantial changes. A successful response indicates only that the policy server has begun sending out update notifications. The policy server configuration file. In manual mode. manual application of the server replicate command controls this event. For more information about the server replicate command. Each replica must then download the new information or the changes from the master. 30 at a time). Generally the value must be set to equal Chapter 13. another round of notifications occurs (in this example. only that server is notified of changes to the master authorization database. Setting the number of update-notifier threads The policy server is responsible for synchronizing all database replicas in the domain. The authorization required to run this command is the s action bit on the /Management/Server object. In some cases several database modifications can generate many update notifications that soon become obsolete because of the continuing changes to the master database. This pool of threads allows simultaneous (parallel) notification. A response is returned indicating the success or failure of the notification and the replication. The response does not indicate success or failure of the actual notification and replication processes. update notification uses the notifier thread pool (as it does in automatic mode). For example. see the IBM Tivoli Access Manager for e-business: Command Reference. When a change is made to the master database. It is not efficient for policy changes to be sent to database replicas until all changes are made. The purpose of the time delay is to prevent the policy server from sending individual replica notifications for each change in a series of database changes. This time delay is reset with each subsequent change to the database. the value is set to 15 seconds. When the auto-database-update-notify entry is set to yes. The time delay helps to ensure optimal performance of the Tivoli Access Manager system. You can override this default notification time delay by changing the notifier-wait-time entry value in the [ivmgrd] stanza of the ivmgrd. For example: [ivmgrd] notifier-wait-time = 20 By default. See also “Setting the number of update-notifier threads” on page 175. This results in the performance advantage of a single pool of threads quickly accomplishing the notification task to all replicas at once. it waits for a default period of time before sending out notifications to database replicas. The default time delay is set at 15 seconds.the number of existing replicas. This performance feature is particularly important for environments where batch changes are made to the authorization database. The default event notifier thread pool is set as the following: [ivmgrd] max-notifier-threads = 10 When the auto-database-update-notify stanza entry is set to yes. you must configure this entry and the max-notifier-threads entry. 176 Administration Guide .” Setting the notification delay time When the policy server is instructed to make a change to the master authorization database. you must correctly configure this stanza entry and also the notifier-wait-time stanza entry. See also “Setting the notification delay time.conf configuration file. all data should be stored on data devices that are Redundant Array of Independent Disks (RAID) secured. To provide the redundancy for the shared data and for the functions that are provided by the Tivoli Access Manager policy server. To ensure data redundancy. See IBM Tivoli Access Manager for e-business: Command Reference for more information on this utility. and extract capabilities for Tivoli Access Manager data. The policy server also maintains location information about other servers in the domain. 2010 177 . © Copyright IBM Corp. Primary and replica LDAP servers Tivoli Access Manager allows primary and replica LDAP servers. This chapter includes the following information: v “Data integrity” v “Primary and replica LDAP servers” v “Active and passive policy servers” v “High availability management” on page 178 Data integrity You should ensure that the data that is needed by Tivoli Access Manager is always available. The standby server takes over policy server functions in the event of a system or primary policy server failure. you can install and configure a primary policy server and a standby policy server. Authorization information and decision making can be off-loaded to authorization servers. All data should be subject to a robust backup process to ensure that you can recover the data in the event of a hardware or software error. restore. Refer to the LDAP server documentation for complete information about high availability of LDAP servers. Only read-only LDAP server operations are permitted during failover.Chapter 14. 1999. When the policy server fails or when the system on which the policy server is located become unavailable. an outage might result because of the lack data redundancy. High availability of the policy server This chapter provides information on ensuring that Tivoli Access Manager provides high availability for the policy server should a server failure occur. can assume LDAP server operations if the primary LDAP server fails. Active and passive policy servers The policy server manages the master policy database and the policy databases for the other secure domains. During failover. no write operations can occur. This chapter describes how Tivoli Access Manager supports the replication capability of the LDAP directory server to ensure that its data is always available. The replica LDAP server. on a different node. The pdbackup utility provides backup. which are used by the policy server. v Make sure that you have modified the appropriate configuration options in the ivmgrd. v Back up any shared data or any shared policy database before configuring the primary and standby servers to the shared file system. Follow the procedure in the IBM Tivoli Access Manager for e-business: Installation Guide for setting up a policy standby server.1 or later 2-node environment. or Lotus Domino) must be on a machine other than the machines where the primary and standby policy servers are installed. must be located on a shared disk array. and the policy server to the shared file system. ensure that the following primary tasks are completed: v Make sure that you have set up the required soft links from the active primary server to the standby server. v A primary and a standby policy servers must be installed and configured on separate machines. the following rules apply: v A 2-node IBM AIX High-Availability Cluster Multiprocessing (HACMP) environment consisting of one active server and one standby server was tested. If you plan to set up a primary and standby policy server. that the shared file system is located on a common directory. Verify the policy server setup for high availability To verify that the installation and configuration procedures were correctly followed. and both policy servers must be within the AIX HACMP cluster environment. Therefore. The standby server reverts back to serving as the failover server. v The user registry servers (such as an LDAP server. High availability management The procedure for setting up a standby policy server is discussed in the IBM Tivoli Access Manager for e-business: Installation Guide.conf configuration files on both the primary and standby policy servers. The following tasks are procedures to ensure that you correctly followed the initial Tivoli Access Manager configuration procedures for setting up HACMP Tivoli Access Manager primary and standby servers. and that each user and group has the necessary access permissions. v Both the policy database and the configuration files. 178 Administration Guide . IBM supports only an AIX HACMP version 5. These configuration files must have the same default settings for the following required user and group IDs: – The ivmgr user ID – The tivoli user ID – The ivmgr group ID – The tivoli group ID v Make sure you copy files from the local AIX file system for the primary server.The standby policy server acts as the primary policy server until the original primary policy server is up and running again. v Each AIX system must have access to a shared disk array that is configured for data redundancy. v The primary and a standby policy server must be configured to the shared file system. and the shared file system must be mountable by each server.conf and pd. the standby server. Active Directory. High availability of the policy server 179 .If any of these items are incorrectly set. The procedure for reviewing HACMP logs can be found in the in the HACMP documentation. return to the procedure for setting up a standby policy server in the IBM Tivoli Access Manager for e-business: Installation Guide. you can review the primary policy server log files. This log is usually found in the /tmp directory. If a read or write operation error occurred during the policy server failover. Chapter 14. Review log files You can monitor the transition process of the primary policy to the standby server by examining the hacmp. The location of the Tivoli Access Manager log files depends on whether Tivoli Common Directory is used.log file to verify that all HACMP failover operations occurred. See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for information about these log files and the XML log file viewer. 180 Administration Guide . you must somehow ensure that these two customers cannot get access to the other company's data or applications. For example.db file.). you might create two domains uniquely named smithdavis and systemsinc. Systems. to specify the sde0001. A multiple-tenancy server does not have to be less secure than the traditional one-server. Before you add data and information that belongs to another customer (for example. your company might be sharing applications or data on your company's server with your customer (for example. Extra layers of security for multiple-user applications are designed into Tivoli Access Manager. Using technologies such as SSL and restricted access. For example. Replacing multiple servers with one server reduces the costs to your company for the services you provide to your customers. For example. Tivoli Access Manager compartmentalizes each domain to seal users off from one another rather than using the multiple-user security provisions that are provided by the native operating system. Using a multiple-tenancy (multi-domain) server. The domain membership information accompanies each subsequent request from the client to the policy server. Running in an isolated or partitioned server environment replaces the need to use multiple physical servers for each customer and their applications. you can host multiple clients on a single server. you can run each company's applications or data in an isolated server environment. It is easier to manage a single server than it is to manage multiple servers. respectively: [domains] domain = smithdavis domain = systemsinc [domain=smithdavis] [domain=systemsinc] The multi-tenancy domains implemented by Tivoli Access Manager results in separate databases for each protected object space. specify the file name and directory in this stanza entry: [domain=smithdavis] database-path = D:\smithdavis\sde0001. The Tivoli Access Manager runtime clients must be configured into a specific domain at installation time. one-client approach.db © Copyright IBM Corp.conf configuration file for the multiple-tenancy policy server contains a list of valid existing domains. For example. Inc. fewer servers reduce hardware costs and reduce IT personnel burden. Each domain must have its own [domain=domain_name] stanza. Smith-Davis Enterprises). Multiple-tenancy policy server A multiple-tenancy server refers to a server that permits the hosting of multiple customers on a single server instead of on multiple client machines.. Depending on the demands of your customers and their applications. you can protect two customers (users) on the same server from one another.Chapter 15. 1999. 2010 181 . All of the databases can use the same underlying user registry (one LDAP registry with distinct and separate distinguished names). Inc. The [domains] stanza in the ivmgrd. to set up separate domains for Smith-Davis Enterprises and Systems. See “[domains] and [domain=domain_name] stanzas” on page 248 for an explanation of each stanza entry. c=US The previous distinguished name has the following representation: cn = common name (sdeuser1) for K.c=US directory container for the smithdavis domain. for example: cn=sdeuser1. Logan ou = organizational unit (sde) for Smith-Davis Enterprises dc = domain component (mkt) for Marketing Group c = country (US) for United States To restrict user accounts to be created in the dc=mkt. The distinguished name substrings must appear in the user's distinguished name.db allowed-registry-substrings = "dc=mkt.ou=sde. regardless of where that container exists within the registry.L. specify the following stanza entry: [domain=smithdavis] allowed-registry-substrings = "dc=mkt" A completed [domains] stanza in the ivmgrd.db allowed-registry-substrings = "dc=sales.c=US" 182 Administration Guide .c=US" To restrict user accounts to be created in the dc=mkt directory container for the smithdavis domain.The distinguished name (DN) can be used to restrict the registry into which users can be created or imported.conf configuration file might look like the following stanza example for the policy server: [domains] domain = smithdavis domain = systemsinc [domain=smithdavis] database-path = D:\smithdavis\sde0001.c=US" [domain = systemsinc] database-path = D:\systemsinc\sysinc0001. you would specify to allow this registry substring in this stanza entry: [domain=smithdavis] allowed-registry-substrings = "dc=mkt.dc=mkt. © Copyright IBM Corp. v Delegated management of groups and users Administration capabilities are restricted to a portion of the user population. can create a number of enterprise domains and assign one or multiple types of administrators to each enterprise domain. add existing users to additional domains. Tivoli Access Manager administrators can create and manage as many domains under their authority as necessary to fulfill their unique business needs. The Tivoli Access Manager administrator for the enterprise domain (the domain's superdomain) also has authority to administer the domain. Administrators of the new domains can then create new users in their own domain. This chapter contains the following sections: v “Overview of delegated administration” v “Delegated role administration” on page 185 v “Delegated object space management” on page 186 v “Delegated user and group management” on page 188 v “Security policy for delegated administration” on page 193 Overview of delegated administration Delegated administration provides a Tivoli Access Manager administrator the ability to create delegate user domains. This capability is vital to successfully manage large domains that are composed of numerous departments. such as sec_master. 2010 183 . each Tivoli Access Manager user can be managed only by the administrators for the domain of which the user is a member or by the administrators for the super domains (explained later in this chapter). The administrator for an enterprise domain can create new users in the domain and add existing Tivoli Access Manager users to the domain. Tivoli Access Manager administrators can create new domains below the enterprise domain level (subdomains) and assign users to be the administrators for these new domains (domain administrators). A Tivoli Access Manager administrator. Delegated administration Tivoli Access Manager allows high-level administrators to delegate management responsibilities of the domain to lower-level administrators. In addition to this user-related task. In this hierarchical arrangement. The actual tasks that administrators can perform depend on their assigned administrator types. create new users. and assign various types of administrators to the domains.Chapter 16. This concept of delegate user administration can be applied to all Tivoli Access Manager users so that a hierarchy of user domains is formed. Tivoli Access Manager supports delegated administration in the following areas: v Delegated management of resources in subregions of the object space Administration capabilities are restricted to a portion of the object space. These delegate administrators can then perform a subset of administrative tasks on the users in their assigned domain. 1999. both the domain administrators for domain D and the domain administrator for enterprise domain B can create users (or perform other administrative tasks) for domain E. Senior administrator A senior administrator has the same authority as a domain administrator. Because a domain administrator for a domain can also administer that domain's subdomains. Domain administrators can create new users and administrators in their own domain. except that a senior administrator cannot assign additional administrators. . predefined administrator types can be assigned in that domain. . Delegate administrators . and Z within domain E. Domain administrator The domain administrator can perform administrative tasks for the users in their domain.. . Domain C Domain D Domain E (Users X. As an example of this type of multiple domain administration in Figure 20. The Tivoli Access Manager administrator can perform all delegate administration tasks. Y. and assign an existing domain user to be an administrator (of any type except domain administrator) for the domain. The domain administrator for domain E can then create new users X. Secure domain Enterprise domain A Enterprise domain B (Users P. The domain administrator for enterprise domain B can create new users P and Q. A Tivoli Access Manager administrator can create domains C and D below the enterprise domains A and B. and assign a domain administrator to E..) Figure 20. . a Tivoli Access Manager administrator can create enterprise domains A and B and assign an administrator for each domain. Z.) . Q. The following are the various administrator types and the set of administrative tasks that can be performed by administrators assigned to each of these types: Tivoli Access Manager administrator The Tivoli Access Manager administrator is a member of the iv-admin group. . For each delegate user domain (including the enterprise domain). and assign domain administrators to C and D. The Tivoli Access Manager administrator can then create domain E below domain D. .. and any domain created below an enterprise domain level is just called a domain.Note: An enterprise domain is basically the top-level domain. Y.. 184 Administration Guide . but interconnecting these two disparate points of view is challenging. When an administrator logs in. and therefore perform the job responsibility defined by the role. and modify the Is Password Valid? flags for users. simplicity. and permission 5 for object 3. A role is activated when a Tivoli Access Manager administrator enables its definition in the Tivoli Access Manager namespace. or skills required to fulfill a specific job requirement. For example: v object 1: permission 1 v object 2: permission 2. The policy then must be put into action by local members of the organization. thus. except that an administrator cannot create new domain users. To successfully deploy Tivoli Access Manager. that employee can create. modify. When this definition is contrasted against the access control list (ACL) model. Delegated role administration Another part of the Tivoli Access Manager delegate administration system is role administration. change users’ passwords. the first concept that must be defined is a role. the user has permission 1 for object 1. Delegated administration 185 . performing the job that an accountant is expected to perform. 3. a role becomes a list of one or more pairs of objects and one or more access permissions that are applied to the object. The access permissions for these objects allow the user to access the objects.Administrator An administrator has the same authority as a senior administrator. To understand role administration. who see the lower-level details and implementation concerns. administrative tasks become available in accordance to the administrator type of that user. permissions 2. Chapter 16. a security policy must be defined that regulates access to objects. responsibilities. After a role is activated and a user is assigned to the role. 3. and 4 v object 3: permission 5 For a role to be used it must be activated. Support Administrator A support administrator serves the user in a help desk role and can view users’ properties. An administrator can modify existing users' properties. and flexibility. The delegate user administration tool enforces the administrative tasks that can be performed with each administrator type. Often these two groups have similar goals for overall organizational security. Role-based administration provides an enhanced ability for organizational security to meet the requirements of today’s complex security requirements for scalability. an accountant role can be defined to consist of the following two pairs of objects and permissions: v Payroll check object: create/modify/delete v Reimbursement request object: approve When this role is activated and an employee in the accounting department is assigned to this role. Execution of this policy is usually difficult because the security policy is often defined by high-level members of an organization with an emphasis on global security issues. A role consists of a number of tasks. or delete a payroll check and approve a reimbursement request. and 4 for object 2. For example. and the actions that can be performed on those objects. When a role is assigned to a subdomain. senior administrators. The object/permissions pair information for the role is stored in the extended attributes associated with the group object. it can be assigned to an enterprise domain. Domain administrators can in turn assign any of the roles within that domain to any subdomain. The purpose behind assigning users to roles is to let those users have access permissions on objects defined in the role.Administrative tasks for roles To successfully administer roles. This process of assigning roles to subdomains can be repeated as needed so that roles can be made available to the appropriate users. 186 Administration Guide . Because a user was added to the group when the user is assigned to the role. This function reduces the workload involved in maintaining user-permission-object relationships. because role assignment is separated from object/access permission management. When a role is activated in Web Portal Manager. When a user is assigned to a role in Web Portal Manager. Delegated object space management The distribution of administration responsibilities within a domain is called management delegation. Only a Tivoli Access Manager administrator can activate a role. A role is an entity that can be delegated and administered. A corresponding group object in the management object space is also created. When a role is created. an ACL entry that contains the group that represents the role and the access permissions defined in the role are added to the ACL for each object defined in the role. the user does not have access permissions for the objects defined in the role until the role is activated. an administrator must be able to perform three types of tasks: Role creation Role creation involves defining a role so that it has a list of one or more pairs of Tivoli Access Manager objects and permissions that can be applied to the objects. The need for management delegation generally arises from the growing demands of a large site containing many distinct departmental or resource divisions. and administrators of a domain can assign users in their domains to a role. the user is added as a member of the group that represents the role. Role activation Role activation enables a newly created role to function. an administrator for that subdomain can assign any subdomain users to that role. a Tivoli Access Manager group is created to represent the role. Role assignment to an enterprise domain can be performed only by the Tivoli Access Manager administrator. Domain administrators can assign a role to their subdomains. that user has permissions to access the objects only after a role is activated. Role assignment Role assignment consists of assigning a user to a role that was already created. When a role is created. Only a Tivoli Access Manager administrator can create a role. After a role is created and a user is assigned to that role. Domain administrators. In Figure 21. c. Create an administration group account. Each distinct region of the domain is usually better organized and maintained by a manager who is more familiar with the issues and needs of that branch. Structuring the object space for management delegation Structure your object space to contain distinct regions. a large object space can be organized into regions representing these departments or divisions. T. with traverse permission. Remove the administration group ACL entry (and any other entry) from the root. 4. 5. or branches. For information on these user and groups. Add all new administration users to this group. /WebSEAL Engineering server Marketing server Resources Publications Object space Figure 21. In this scenario. Delegated administration 187 .Typically. At each branch root ACL. Add this group as an ACL entry (with traverse) to the directories leading to each subbranch that requires management delegation. see “Default administration users and groups” on page 43. 2. where submanagement responsibilities specific to that branch can be carried out. plus other appropriate permissions). For a site with many administration users. The following technique resolves the problem of numerous ACL entries for administrators: 1. both the Engineering and Publications regions of the object space require separate management control. Example of management delegation A large object space might require many administration users to manage a variety of subbranches. these ACLs could contain a long list of entries representing all these administration accounts. create an administration group for each subbranch and add the appropriate user to the appropriate subbranch administration group (with b. 3. the access control lists (ACLs) for the directories on the path to each of these branches must contain entries for each account. Control of these regions begins with the root of each region and extends to all objects below the root. Structuring the object space for management delegation Default administration users and groups Tivoli Access Manager provides several important administration groups during installation. Chapter 16. When an administrator is given policy management control of a group. 2. refers to the responsibilities and controls granted to an otherwise typical user.. Create appropriate administration groups within these container objects. only that user has control over the root and all objects below the root. has the traverse permission required to navigate to the/Publications directory. 3. Because pub-manager is the delegated administrator of this branch (with the appropriate permissions). Create group container objects that reflect this hierarchy. Setting up delegated group management requires the following steps: 1. the term. you can delegate the management of specific groups of users to lower-level administrators. The pub-manager user is a member of this group and therefore. Delegated group management defines: v Who has administration responsibility for a specific group (and the user members of that group). An administrator of delegated duties is a normal user with additional powers to perform certain management tasks. administrator. Determine a logical and practical hierarchy of the users and user types who are members of the domain. The /Publications directory includes the pub-manager user entry in its ACL. user pub-manager bT abcTdmlrx Figure 22. 188 Administration Guide . /WebSEAL user sec_master group iv-admin abcTdmlrx bT /Marketing user sec_master group iv-admin AbcTdmlrx bT Explicit ACL /Resources Inherited ACL /Publications group iv-admin . Management Delegation Example Delegated user and group management In order to manage a large or complex set of users. v What level of group and user control was given to this administrator. In this discussion.Now.. the iv-admin group contains all administration users. In Figure 22. pub-manager can remove the iv-admin group account (and any other ACL entries) from the /Publications ACL to gain total control over this branch of the Web space. that administrator has policy management control over the user members of that group. Add the appropriate user to the appropriate administration group with the specific permissions needed to perform the required tasks. log in to the domain as a domain administrator. to create the new /Management/Group/Accounting delegate container object for the Accounting department and allow delegate administrators to attach ACL policies. complete the following steps: 1. For example. In the Object Name text field. In the Description text field. browse the object space. 3. For example: /Management/Groups/Travel 4. See “Listing object spaces” on page 67. Click Create. For example: Travel Container Object 5. Container objects are structural designations that allow you to organize the object space into distinct and hierarchical functional regions. the /Management region of the Tivoli Access Manager object space has a Groups container object that you can use to organize the hierarchy of groups in your domain. Web Portal Manager To create a new group container object using Web Portal Manager. - /Management + /Management/Groups /Management/Groups/Travel Figure 23. Log in to the domain. Delegated administration 189 . Group container objects allow you to define distinct categories of group types. Click Object Space → Create Object. Creating group container objects By default. 2. To create actual groups within each specific group container object using Web Portal Manager or the pdadmin utility. Group container object pdadmin To create a new group container object using the pdadmin utility. log in to the domain and use the object create command. enter the following command: pdadmin>object create /Management/Group/Accounting "Accounting Department" 14 ispolicyattachable yes Chapter 16. type the description for the object space.4. To see the new object in the hierarchical structure. type the full path for the object name. the group is placed under /Management/Groups. group1). log in to the domain and use the group create command. The new group is displayed as a link. 7.You can also use the group create command to create a group container object. Travel group 1). log in to the desired domain as a domain administrator. it is created. 5. If no group container object is specified. type the registry GID. This command has the following syntax: pdadmin>group create group_name dn cn [group_container] Argument group_name dn cn group_container Description Name of the new group object. Click Create. 2. type the description for the group (for example.” For more information about the object create command.c=us. 3. 190 Administration Guide . Creating groups To create a new group and optionally place this group in a group container object using Web Portal Manager or the pdadmin utility. For example: travel/US. pdadmin To create a new group and optionally place this group in a group container object using the pdadmin utility. Optional: In the Object Container text field. If the container object does not currently exist. type the name for the group (for example. Click Group → Create Group. Select the link and the properties for the new group are displayed. This field is required. Lotus Notes users require the full path name for the user being created. Distinguished name for the new group. Relative path name for the group container object where this new group should be located. complete the following steps: 1. See “Creating groups. type the path to the Tivoli Access Manager object space where the group is to be created. For example: cn=travel. In the Group Name text field. see the IBM Tivoli Access Manager for e-business: Command Reference. Be sure to type the path using a leading backward slash (/): /Travel The path is created under /Management/Groups (for example. Use Web Portal Manager to log in to the domain as a domain administrator. 4. 6. Optional: In the Description text field. The registry GID specifies the location in the user registry where the new group is created. Web Portal Manager To create a new group and optionally place this group in a group container object. /Management/Groups/Travel). Common name for the new group. In the Registry GID text field. As soon as a group is created. The placement of a new group in the object space is fixed on creation. 5. should contain the appropriate permissions for the actions that must be performed by the delegated administrator of that group (or groups). At installation. ACL policies affecting group management Authorization to control a group of users is obtained by attaching an appropriate ACL to the group object or group container object.c=us” Group1 Travel pdadmin>group create group2 “cn=travel. The group create command does not allow you to create a group container object without a group. constructed and attached by a higher-level administrator. To create a container at another sublevel. see the IBM Tivoli Access Manager for e-business: Command Reference. the ACL would impact all other group container objects located below /Management/Groups in the object space. 4. Delegated administration 191 . All new group container objects that you create appear under the default /Management/Groups container. If no group container object is specified. a single default ACL (default-management).For example: pdadmin>group create group1 “cn=travel. You must add explicit ACLs to customize this control. the ACL must be attached to /Management/Groups or the group itself. which is attached to /Management. use a relative path name for the group_container variable. 2. If the group is located under the /Management/Groups section of the object space. defines the permissions on all groups and group containers. The ACL on the group container object controls (through inheritance) all groups located under the container object. For more information about the group create command. If you attach the ACL to the /Management/Groups container object. the administrator must have create (N) permission on the ACL governing the associated group container object. To add a new group to the object space. If the group is located under a group container object. The ACL. The container object and its groups are now the domain of the administrator with the delegated responsibilities. the ACL must be attached to the group container object or the group itself. The ACL that is attached to one of these locations (or inherited from above) determines: v Who controls the group object and the users in the group v What actions can be performed on the group and its users Chapter 16.c=us” Group2 Travel Notes: 1. the administrator ACL entry (with the create permission) must be specified in the ACL governing the /Management/Groups container. You can add multiple groups to a single group container. you can move its position only by deleting the group from the object space (but not LDAP) and then importing the group to a new location (users in the group are maintained). 3. N. W. If an outside user is placed in a group. or the group object itself. All other permissions listed can be located in an ACL attached to /Management/Groups. A delegated administrator with the A permission should not have m. The following operations and ACL permissions are appropriate for user management: Operation create (a new user within one or more specified groups) import (user data from the user registry) delete (a user) show (user details) modify (user description) account valid reset password password-valid N (create) d (delete) v (view) m (modify) m (modify) W (password) W (password) Permission 192 Administration Guide . Notes: 1. Attention: The add (A) permission allows you to add any existing user to your groups. a group container object. the administrator of that group has control of the user (and might share control of the user with administrators of other groups where that user is a member). or d permissions. This permission is should be granted only to high-level administrators who are responsible for user and group organization and corporate policy. 2. ACL policies affecting user management The group administrator can perform an action on a user if the administrator has the appropriate permission defined on any of the groups where that user is a member.The following operations and ACL permissions are appropriate for group management: Operation create (a new group) import (group data from the user registry) delete (a group) show (group details) modify (group description) add (an existing user to a group) remove (a user member of the group) N (create) d (delete) v (view) m (modify) A (add) A (add) Permission You can use the pdadmin utility or Web Portal Manager to perform these operations. The create (N) permission must be located in an ACL that is attached to /Management/Groups or on a group container object. Use caution when assigning an administrator the A permission. 6. The consequence of granting the A and m permissions together are similar except that an administrator with both of these permissions needs only this combination to disable any account in the group. that group or user is filtered from the output. the create (N) permission must be located in an ACL on the /Management/Users container object. user show groups. If the user does not have view permission on a group or user that is being returned by the command. 3. group list. This action forces the user to change the password at the next login. Notes: 1. If a user is not a member of any group. The create (N) permission (in the group ACL or group container ACL) allows you to create or import a user and enter that user into the groups you control. however. the A permission should never be granted together with the m. The view (v) permission is used to control the output of user list. A group administrator can perform an operation on a user if that administrator has the appropriate permission defined in any group where that user is a member. user list-dn. including a more senior administrator or even sec_master.c=us” group1 2. and then set user modify password-valid (pdadmin) to no. 4. W.You can use the appropriate pdadmin utility or Web Portal Manager to perform these operations. The operator can reset the forgotten password to some known value. The policy set max-password-age command sets the maximum time before a password expires. The view permission is used to filter the output of these commands. Be careful which permissions you grant in combination with each other. Security policy for delegated administration The previous sections described how to delegate administration of security policy for protecting resources and delegating management of the users who access those resources. 5. Setting user modify password-valid to no for a user does not indicate if the password is not valid due to the max-password-age policy. These two aspects of delegated administration often need to be combined to establish a complete delegated administration security policy. The consequence of granting the A and d Chapter 16. a malicious administrator could gain full access to the system by logging in as the senior user. and group list-dn commands. In this case. The password (W) permission is appropriate for help desk operators who must assist users who have forgotten their passwords. The ACL attached to /Management/Users defines the permissions for all users (whether they are members of a group or not). Delegated administration 193 .c=us” user1 user1 adcde group1 user import user2 “cn=user2. In this way. You can also create a user without designating a group. or d permissions except to the most trusted administrators. an administrator must have appropriate permissions in an ACL on /Management/Users to perform operations on that user. The consequence of granting both A and W to administrators is that the administrators can add any user to the group for which they have these permissions and then change that user’s password. Any user can be chosen. For example. which is a global setting. user create user1 “cn=user1. company_ibm. d.com/ customers/ sales/ An ACL at the root of the www. and v permissions to create. d.com/customers /WebSEAL/www. These groups are used only for delegating user management. These groups are used to control access to resources that need protecting.company_ibm. You must establish groups that you use to delegate user management tasks. Sales people (members of the sales group) are allowed to create new accounts for 194 Administration Guide .com Web space allows public access to everything in the Web space. Another ACL at sales allows access only to sales people.company_ibm. m. delete.company_ibm. W. Administrators controlling security policy for these groups should have the A and v permissions but none of the N. m. You must also establish groups that you use to delegate management of a security policy for protected resources within the domain. These groups should not be used for protecting other resources in the domain.company_ibm. modify (disable or change description). deleting users and resetting passwords. Example: Suppose that you have a Web space accessible to the Internet with resources that should be: v Publicly accessible v Accessible only to customers and employees v Accessible only to employees The space can be structured as follows: /WebSEAL/ www. respectively. or W permissions. to the following objects: /WebSEAL/www. These tasks include creating new users. An ACL at customers allows access to customers and sales people. and view users they are responsible for managing. These ACLs might look like the following example: public-access user sec_master any-other unauthenticated customer-access user sec_master group customers group sales any-other unauthenticated sales-access user sec_master group sales any-other unauthenticated abcTdmlrx Tlrx Tlrx abcTdmlrx Tlrx Tlrx abcTdmlrx Tlrx These ACLs would be attached. Administrators that perform user administration tasks should have the N.permissions together are similar except that an administrator with both of these permissions needs only this combination to delete any user ID in the group. reset or invalidate passwords.com /WebSEAL/www.com/sales Suppose that you have the following delegated user administration policy. customers-admin group super-admin group sales Tabc TAv The customers-users-admin ACL. is used to control access to the sales-people-only portion of the Web space.ACL sales-users-admin customers <. customers-users-admin group super-admin group sales group admin Tabc TNWdmv TNWdmv In each ACL. The view (v) permission is also useful to administrators to allow them to view group membership and users in the group. Members of the super-admin group are responsible for administering these ACLs. is used to control access to the customers-only portion of the Web space.ACL customers-admin customers-users <. a super-admin group entry is granted attach.ACL sales-admin sales-users <. Chapter 16.customers and grant them access to the customers portion of the Web space. controls who can manage users who are members of the sales-users group (this is the sales-admin group again). and control permissions. which in turn. controls who can manage the members of the customers-users group (this the sales group again). browse. by attachment to the customers-users group. the customers-admin ACL is used to administer membership to the customers group. sales-users-admin group super-admin group admin Tabc TNWdmv Similarly. which in turn. by attachment to the sales-users group. Members of the sales-admin group can manage customers. The only permission required is for the sales-admin group to be able to add and remove users from this group. Delegated administration 195 . The following group structure implements this policy: /Management/ Groups/ sales <. sales-admin group super-admin group admin Tabc TAv The sales-users-admin ACL. Only administrators (members of the sales-admin group) are allowed to manage accounts for new sales people.ACL customers-users-admin The sales-admin ACL is used to administer membership of the sales group. 196 Administration Guide . Beyond these destinations. When using a native installation. the installation uses the operating system logs. For native Tivoli Access Manager auditing. You define the statements for message events by severity level. To enable diagnostics and auditing. The statements in these routing files are for both message events and trace events. define entries in the [cars-filter] stanza. see the IBM Tivoli Access Manager for e-business: Auditing Guide. Diagnostic events For diagnostics. to the standard error (STDERR) device. or to a combination of these destinations. or other type of events to capture. see the IBM Tivoli Access Manager for e-business: Troubleshooting Guide. to the standard output (STDOUT) device. For information about installation logs. define stanza entries in the configuration files. Depending on your desired approach. define different stanza entries in different configuration files. when events are captured. statistic. During the installation of the Tivoli Access Manager servers. When using the installation wizard. define which message events and which trace events to capture. You can log audit events using either the native Tivoli Access Manager approach or IBM Common Auditing Service. To configure auditing events. For the Common Auditing Service. Auditing events For auditing purposes. These events do not pertain to the installation of the these servers. each server has its own log file. For additional information about audit events. © Copyright IBM Corp. see the IBM Tivoli Access Manager for e-business: Troubleshooting Guide. Diagnostics and auditing Tivoli Access Manager provides ways to collect events that you can use for diagnostic and auditing purposes of the servers. To configure diagnostic events. Each server has an associated routing file. 1999. they can be redirected to a remote server or redirected to an application for processing using log agents. These events allow you to create snapshots of a variety of server activities. they can be written to log files. the installation logs capture all messages for that specific installation. define statements in the server-specific routing files. For additional information about message and trace events. Events for diagnostics and auditing pertain to the operations of the Tivoli Access Manager servers. you define which types of events to capture. When events are captured. You define the statements for trace events by trace level and optionally by component. These events can help you troubleshoot problems. you define logcfg entries in the appropriate stanza of the server-specific configuration files.Chapter 17. 2010 197 . define which audit. 198 Administration Guide . my_ad_domain.conf" "uraf-registry" "domain" "dc=my_ad_domain. 2010 199 . v Stanza entries and key names are case-sensitive.Appendix A. dc=com|myhost. © Copyright IBM Corp. dc=com|myhost2. – To modify a single key/value pair.conf" "uraf-registry" "domain" "dc=my_ad_domain2. use the pdadmin (local login) config modify command with the set option.conf file on a Windows platform: pdadmin> login local pdadmin local> config modify keyvalue set "C:\Program Files\Tivoli\Policy Director\etc\activedir.my_ad_domain2.com v There is no order dependency or location dependency for stanzas in any configuration file.conf" "uraf-registry" "dynamic-groups-enabled" yes – To modify multiple key/value pairs. Changing the name of the key might cause unpredictable results for the servers. The following command is an example that modifies multiple values for the domain option in the uraf-registry stanza of the activedir_ldap.com pdadmin local> config modify keyvalue append "C:\Program Files\Tivoli\Policy Director\etc\activedir_ldap. Guidelines for changing configuring files These guidelines are provided to help you make changes to the Tivoli Access Manager configuration files. For example. See "config modify" in the IBM Tivoli Access Manager for e-business: Command Reference for more information and instructions for using these commands.conf file on a Windows platform. use the pdadmin (local login) config modify command with the append option. v Stanza entries are marked as required or optional. usessl and UseSSL are treated as different entries. The following command is an example that modifies the dynamic-groups-enabled value in the uraf-registry stanza of the activedir. When an entry is required. pdadmin> login local pdadmin local> config modify keyvalue append "C:\Program Files\Tivoli\Policy Director\etc\activedir_ldap. The guidelines are divided into the following categories: v v v v v v v General guidelines Default values Strings Defined strings File names Integers Boolean values General guidelines Use the following general guidelines when making changes to the configuration settings: v Use the config modify command in the pdadmin command line interface to update configuration files for Tivoli Access Manager. the entry must contain a valid key and value. v Spaces are not allowed for names of keys. v Do not change the names of the keys in the configuration files. 1999. For example. Default values Use the following guidelines when changing default configuration settings: v Many values are created or modified only by using configuration programs. File names Some values are file names. v Some values are filled in automatically during configuration. but the value must be one of a set of defined strings. v Additional or different restrictions on the set of allowable string characters might be imposed. for Active Directory the maximum length is 256 alphanumeric characters. many strings are restricted to ASCII characters. Some key value pairs are not applicable to certain servers and are omitted from the default configuration file for this server. make sure that the string value you type matches one of the valid defined strings values. depending on the server configuration. Any other value is invalid and results in an error.v For the key value pair format of key = value. but they are recommended. Do not manually edit these stanzas or values. carriage returns. When you manually edit the configuration file. Non-printable characters are ASCII characters with a decimal value less than 32. v Double quotation marks are sometimes. For each stanza entry that expects a file name as a value. v Non-printable characters (such as tabs. but not always. v The minimum and maximum lengths of user registry-related string values. These values are needed for the initialization of the server after the configuration. Strings Some values accept a string value. Defined strings Some values accept a string value. For example. Consult each stanza entry description for any restrictions. For example. if there are limits. required when you use spaces or more than one word for values. Refer to the descriptions or examples for each stanza entry when in doubt. the [aznapi-configuration] stanza section contains the following entry: mode = {local|remote} The value for mode is expected to be local or remote. are imposed by the underlying registry. 200 Administration Guide . v The default values for a stanza entry might be different. and line feeds) that occur at the end of a stanza entry are ignored. the description of the stanza entry specifies which of the following constructs are valid: Filename No directory path included. use the following guidelines to change configuration settings that require a string: v String values are expected to be characters that are part of the local code set. When you manually edit the configuration file. the spaces surrounding the equal sign (=) are not required. For example. For this type of entry. For some entries. Integers Many stanza entries expect the value for the entry to be expressed as an integer. However. The set of characters permitted in a file name can be determined by the file system and by the local code set. in the [ivmgrd] stanza.Relative filename A directory path is allowed but not mandatory. the entry tcp-req-port = 0 disables the port number. The stanza entry for each relative path name lists the root directory to which the file name is relative. This number can vary. the maximum number is limited only by the size of memory allocated for an integer data type. as the administrator. use a number that represents the value that is most logical for the value you are trying to set. For systems that allocate 4 bytes for an integer. For example. and the minimum value is 1. such as timeout = number in the [ldap] stanza. For example. v Boolean values Many stanza entries represent a Boolean value. a minimum integer value of 0 is allowed. v For some entries requiring integer values. a question mark (?). When defining an entry with an integer. consider the following guidelines: v Some stanza entries that take an integer value expect integer values within a valid range. there is typically no maximum for timeout-related values. Some of these other programs recognize additional Boolean characters: v yes or true v no or false Appendix A. Fully qualified absolute path An absolute directory path is required. Some stanza entries allow more than one of the above choices. These files typically are expected to be located relative to the location of a standard Tivoli Access Manager directory. Some of the entries in the configuration files are read by other servers and utilities. For example. an integer value of 0 might disable the function that is controlled by that stanza entry. The range is described in terms of a minimum value and a maximum value. For Windows operating systems. Tivoli Access Manager recognizes the Boolean values yes and no. For example. the entry max-search-size = 0 means there is no limit to the maximum search size. Use caution when setting an integer value to 0. an integer value of 0 might indicate that the number is unlimited. Tivoli Access Manager does not impose an upper limit for the maximum number allowed. in the [ldap] stanza. Or. For other entries. Guidelines for changing configuring files 201 . or double quotation marks ("). a colon (:). the max-notifier-thread stanza entry has a minimum value of 1 thread and a maximum value of 128 threads. the integer value must be positive. this value is 2147483647. many entries in the [ldap] stanza are read by the LDAP client. For example. in the [ivacld] stanza. based on the type of operating system. file names cannot have a backward slash (\). Anything other than yes|true. is interpreted as no|false. 202 Administration Guide . The recognized Boolean entries are listed for each stanza entry. including a blank value. Refer to the individual descriptions to determine when true or false are also recognized. amconf. Server configuration files are ASCII text-based and contain stanza entries. see “Domino server configuration file” on page 208. see “LDAP client with Active Directory server configuration file” on page 207. see “Active Directory server configuration file” on page 207. see “Tivoli Access Manager runtime configuration file” on page 205. activedir_ldap.conf The configuration file that is used by the IBM Lotus Domino server to configure the Domino-based user registry. For details about the stanzas that are contained in this configuration file. 1999.properties The configuration file that is used to configure Web Portal Manager.conf The configuration file that is used by the authentication server to configure the Tivoli Access Manager runtime.conf The configuration file that is used to configure the Tivoli Access Manager policy proxy server. For details about the stanzas contained in this configuration file. 2010 203 . The following configuration files are currently used by Tivoli Access Manager: pd.Appendix B. Each configuration file contains sections that are called stanzas. For details about the stanzas that are contained in this configuration file. ivacld.conf The configuration file that is used to configure the Tivoli Access Manager authorization server. see “Authorization server configuration file” on page 205. see “Policy proxy server configuration file” on page 206. activedir. For details about the stanzas that are contained in this configuration file. ivmgrd. For © Copyright IBM Corp. pdmgrproxyd. domino. For details about the stanzas that are contained in this configuration file.conf The configuration file that is used by the LDAP-based server to configure the LDAP-based user registry. For details about the stanzas contained in this configuration file. For details about the stanzas that are contained in this configuration file. see “Policy server configuration file” on page 206. see “LDAP server configuration file” on page 207. Configuration files are processed only when the servers start. ldap. For details about the stanzas contained in this configuration file.conf The configuration file that is used by the Microsoft Active Directory server to configure the Active Directory user registry.conf The configuration file that is used to configure the Tivoli Access Manager policy server. Configuration file reference The operation of the Tivoli Access Manager servers is controlled through the use of configuration files.conf The configuration file that is used to configure the Active Directory user registry when it is used on a non-Windows platform. details about the stanzas contained in this configuration file, see “Web Portal Manager configuration file” on page 208. pdaudit.server.conf The configuration file that is used to configure the Common Auditing Service for each Tivoli Access Manager server or server instance. For details about the stanzas that are contained in this template file, see “Common audit service configuration files” on page 208. The following server-specific configuration files are generated during the configuration of the Common Auditing Service client: pdaudit.pdmgr.conf The configuration file that is used to configure the Common Auditing Service for the Tivoli Access Manager policy server. Do not confuse this configuration file with the ivmgrd.conf configuration file. pdaudit.pdproxymgr.conf The configuration file that is used to configure the Common Auditing Service for a Tivoli Access Manager policy proxy server. Do not confuse this configuration file with the pdmgrproxyd.conf configuration file. pdaudit.pdacld.conf The configuration file that is used to configure the Common Auditing Service for the Tivoli Access Manager authorization server. Do not confuse this configuration file with the ivacld.conf configuration file. pdaudit.instance-webseald-host.conf The configuration file that is used to configure the Common Auditing Service for a specific instance of a Tivoli Access Manager WebSEAL server. Do not confuse this configuration file with the webseald-instance.conf configuration file. pdaudit.webpi.conf The configuration file that is used to configure the Common Auditing Service for a Tivoli Access Manager Plug-in for Web Servers. Do not confuse this configuration file with the pdwebpi.conf configuration file. pdaudit.appsvr.conf The template configuration file that is used to configure the Common Auditing Service for any Tivoli Access Manager resource managers. Do not confuse this configuration file with the aznAPI.conf configuration file. aznAPI.conf A template configuration file that is used to configure any Tivoli Access Manager resource manager. For details about the stanzas that are contained in this template file, see “Resource manager configuration files” on page 209. Location of configuration files If you did not change the installation directories while installing Tivoli Access Manager, the configuration files are located in one of the following platform-specific directories: 204 Administration Guide Linux and UNIX operating systems /opt/PolicyDirector/etc Windows operating systems c:\program files\tivoli\policy director\etc If you did not change the installation directories while installing the common audit service, the templates for the configuration files are located in one of the following platform-specific directories: Linux and UNIX operating systems /opt/PolicyDirector/etc/audit Windows operating systems c:\program files\tivoli\policy director\etc\audit Tivoli Access Manager runtime configuration file For Tivoli Access Manager servers, you must have the pd.conf configuration file. Use this configuration file to automate server startup, to indicate whether the Tivoli Access Manager runtime is configured, and specify information about the user registry. Stanza entries for automating server startup are located in the [pdrte] stanza of the pd.conf configuration file. This configuration file can include the following stanzas: v v v v [meta-info] [pdrte] [ssl] [manager] The unconfiguration of the server using the pd.conf configuration file also queries information from this configuration file. Authorization server configuration file When you use the Tivoli Access Manager authorization server, you must have the ivacld.conf server configuration file. Use this configuration file to customize the operation of each authorization server. This configuration file can include the following stanzas: v [meta-info] v [ivacld] v [ldap] v [uraf-registry] v [ssl] v v v v v v [manager] [authentication-mechanisms] [aznapi-configuration] [xmladi-attribute-definitions] [aznapi-entitlement-services] [aznapi-external-authzn-services] Appendix B. Configuration file reference 205 v v v v [aznapi-pac-services] [aznapi-cred-modification-services] [aznapi-admin-services] [configuration-database] The unconfiguration of the server using the ivacld.conf configuration file also queries information from this configuration file. Policy server configuration file When you use the Tivoli Access Manager policy server, you must have the ivmgrd.conf server configuration file. Use this configuration file to customize the operation of each policy server. This configuration file can include the following stanzas: v [meta-info] v [ivmgrd] v [ldap] v [uraf-registry] v [ssl] v v v v v v [authentication-mechanisms] [aznapi-configuration] [xmladi-attribute-definitions] [aznapi-entitlement-services] [aznapi-pac-services] [aznapi-cred-modification-services] v [aznapi-external-authzn-services] v [delegated-admin] v [configuration-database] v [domains] v [domain=domain_name] The unconfiguration of the server using the ivmgrd.conf configuration file also queries information from this configuration file. Policy proxy server configuration file When you use the Tivoli Access Manager policy proxy server, you must have the pdmgrproxyd.conf server configuration file. Use this configuration file to customize the operation of each policy proxy server. This configuration file can include the following stanzas: v [meta-info] v [pdmgrproxyd] v v v v v [ldap] [uraf-registry] [ssl] [manager] [authentication-mechanisms] 206 Administration Guide v v v v [aznapi-configuration] [xmladi-attribute-definitions] [aznapi-admin-services] [configuration-database] The unconfiguration of the server using the pdmgrproxyd.conf configuration file also queries information from this configuration file. LDAP server configuration file When you use LDAP as the user registry for Tivoli Access Manager, use the ldap.conf configuration file to customize the LDAP-based stanza entries. This configuration file includes the following stanzas: v [ldap] v [meta-info] v [ssl] Note: The ldap.conf configuration file contains the following stanzas that contain entries that are for internal use only: v [ldap-generic-general] v [ldap-generic-pwd-change-error-map] v [ldap-generic-acls] Do not modify any of the values that are defined in these stanzas. The contents of the [ldap] stanza are different in the activedir.conf and domino.conf configuration files. LDAP client with Active Directory server configuration file When you use an LDAP client to retrieve data for the Active Directory user registry to which the Tivoli Access Manager policy server is configured, you must have the activedir_ldap.conf configuration file. Use this configuration file to customize the operation of each Active Directory user registry. For example, you might have multiple platforms where the policy server is configured to use the Active Directory user registry. Other blades, such as WebSEAL on one platform, and the authorization server are configured to use the LDAP client to retrieve data from that Active Directory user registry on another platform. This configuration file can include the following stanzas: v [meta-info] v [uraf-registry] Active Directory server configuration file When you use the Microsoft Active Directory server as your user registry for Tivoli Access Manager, you must have the activedir.conf configuration file. Use this configuration file to customize the operation of each Active Directory user registry. Note: Active Directory is supported only on Microsoft Windows for the policy server. Appendix B. Configuration file reference 207 This configuration file can include the following stanzas: v [uraf-registry] v [meta-info] v [configuration-database] The unconfiguration of the server using activedir.conf also queries information from this configuration file. Also, you can set values for the [uraf-registry] stanza in the ivmgrd.conf and ivacld.conf configuration files. Domino server configuration file When you use the Lotus Domino server as your user registry for Tivoli Access Manager, you must have the domino.conf configuration file. Use this configuration file to customize the operation of each Domino user registry. This configuration file can include the following stanzas: v [meta-info] v [uraf-registry] v [configuration-database] The unconfiguration of the server using the domino.conf configuration file also queries information from this configuration file. You can set values for the [uraf-registry] stanza in the ivmgrd.conf and ivacld.conf configuration files. Web Portal Manager configuration file When you use Web Portal Manager to perform administrative tasks, you must have the amconf.properties configuration file. Use this configuration file to specify customized images, whether the change-password pages are to be displayed, and the authentication login method to use. This configuration file includes only the [pdwpm] stanza. Common audit service configuration files When you use the common audit service for creating Tivoli Access Manager audit reports, you must have a server-specific pdaudit.conf configuration file. Use this configuration file to customize auditing operations for that Tivoli Access Manager server. This configuration file can include the following stanza: v [cars-client] v [cars-filter] v [pdaudit-filter] 208 Administration Guide Resource manager configuration files Tivoli Access Manager provides a sample file that includes the more common configuration stanzas needed by resource managers. Your documentation sources, when implementing your own plug-in or security-enhanced application, include the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference or IBM Tivoli Access Manager for e-business: Authorization Java Classes Developer Reference. When creating your own security resource manager or extending the functions provided by Tivoli Access Manager, you can use the aznAPI.conf configuration file. This file is included as a sample with the authorization ADK package in the /example/authzn/demo/cpp subdirectory. This configuration file can include the following stanzas: v [aznapi-configuration] v v v v v v [xmladi-attribute-definitions] [ssl] [ldap] [uraf-registry] [aznapi-entitlement-services] [aznapi-pac-services] v [aznapi-cred-modification-services] v [aznapi-external-authzn-services] v [aznapi-admin-services] v [manager] v [authentication-mechanisms] Appendix B. Configuration file reference 209 210 Administration Guide Appendix C. Configuration file stanza reference Within configuration files, stanza labels appear within brackets, such as [stanza-name]. For example, the [ssl] stanza in the ivmgrd.conf configuration file defines the Secure Sockets Layer (SSL) configuration settings for the policy server. The [ldap] stanza defines the configuration settings that are required by the policy server to communicate with an LDAP-based user registry. Each stanza in a Tivoli Access Manager configuration file contains one or more key value pairs, which contain information that is expressed as a paired set of parameters. Each stanza entry is a key-value pair in the following format: key = value You should not change the names of the keys in the configuration files. Changing the name of the key might cause unpredictable results in the servers. Note that spaces surrounding the equal sign (=) are not required but are recommended. The initial installation of Tivoli Access Manager establishes many of the default values. Some values are static and never change; other values can be modified to customize server functionality and performance. The following stanza descriptions provide a list of the valid stanza entries. Each stanza entry consists of key value pairs. Each stanza entry includes a description of its default behavior, when applicable. [authentication-mechanisms] stanza This stanza defines the libraries that are to be used for each form of authentication. Tivoli Access Manager supports the following authentication forms: v Password authentication v Certificate authentication Resource managers, such as WebSEAL, can support additional forms of authentication. The configuration entries in this stanza are required by the server to communicate with a user registry. The resource manager can use either a User Registry Adapter Framework (URAF) registry (Active Directory or Domino) or an LDAP registry. Because a user registry is either a URAF registry or an LDAP registry, certain key value pairs in the [authentication-mechanisms] stanza are mutually exclusive. The following example shows how to configure the authentication mechanism for an LDAP user registry: passwd-ldap = fully_qualified_path cert-ldap = fully_qualified_path #passwd-uraf = fully_qualified_path #cert-uraf = fully_qualified_path In this example, the URAF registry items are commented out by using the pound sign (#) before the stanza entry. The LDAP-oriented stanza entries are not commented out. © Copyright IBM Corp. 1999, 2010 211 conf configuration file for the authorization server The pdmgrproxyd. For Windows operating systems. Usage Conditional.so & -cfgfile [/opt/PolicyDirector/etc/server_name.conf configuration file for the policy proxy server The configuration files for your resource managers The aznAPI. No configuration utility is required. Developers of service plug-ins should provide the standard functions.so Solaris /opt/PolicyDirector/lib/libcertauthn.a Example Example for Solaris operating environments: cert-ldap = /opt/PolicyDirector/lib/libcertauthn. path names and file names are case-sensitive. Options fully_qualified_path Represents an alphanumeric string. Default value The following list shows the default. This stanza entry is required when you use an LDAP user registry.conf configuration file is provided with Tivoli Access Manager as a sample file for creating the configuration file for resource managers.conf] 212 Administration Guide . server-dependent values: AIX HP-UX /opt/PolicyDirector/lib/libcertauthn. Before implementing service plug-ins. a question mark (?). read and thoroughly understand the concepts discussed in the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference. String values are expected to be characters that are part of the local code set. The set of characters permitted in a file name can be determined by the file system and by the local code set. a colon (:). For Linux and UNIX operating systems.The stanza entries for configuring the Tivoli Access Manager user registry are located in the [authentication-mechanism] stanza of the following configuration files: v v v v The ivmgrd. cert-ldap Syntax cert-ldap = fully_qualified_path Description Location of the library to use for LDAP certificate authentication. file names cannot have a backward slash (\).dll /opt/PolicyDirector/lib/libcertauthn. You can manually edit these values.so Windows install_dir\bin\certauthn.sl Linux /opt/PolicyDirector/lib/libcertauthn.conf configuration file for the policy server The ivacld. Comment out this stanza entry when you use a URAF user registry. or double quotation marks ("). No configuration utility is required. String values are expected to be characters that are part of the local code set.dll /opt/PolicyDirector/lib/liburafcertauthn. Usage Conditional. For Windows operating systems. String values are expected to be characters that are part of the local code set. The set of characters permitted in a file name can be determined by the file system and by the Appendix C. Configuration file stanza reference 213 . This stanza entry is required when you use a URAF user registry.so Solaris /opt/PolicyDirector/lib/liburafauthn.sl Linux /opt/PolicyDirector/lib/liburafcertauthn. You can manually edit these values. path names and file names are case-sensitive. Default value The following list shows the default. or double quotation marks (").so Windows install_dir\bin\urafcertauthn. Comment out this stanza entry when you use an LDAP user registry. The set of characters permitted in a file name can be determined by the file system and by the local code set. a colon (:).dll & -cfgfile [C:/pd/etc/server_name. a question mark (?).a Example Example for Windows operating systems: cert-ldap = C:\Program Files\Tivoli\Policy Director\bin\certauthn. Options fully_qualified_path Represents an alphanumeric string. For Linux and UNIX operating systems. server-dependent values: AIX HP-UX /opt/PolicyDirector/lib/liburafcertauthn. Options fully_qualified_path Represents an alphanumeric string. file names cannot have a backward slash (\).conf] passwd-ldap Syntax passwd-ldap = fully_qualified_path Description Location of the library to use for LDAP password authentication.cert-uraf Syntax cert-uraf = fully_qualified_path Description Location of the library to use for URAF certificate authentication. For Linux and UNIX operating systems. Usage Conditional. Comment out this stanza entry when you use a URAF user registry. For Windows operating systems. path names and file names are case-sensitive. You can manually edit these values. Comment out this stanza entry when you use an LDAP user registry. String values are expected to be characters that are part of the local code set. You can manually edit these values. This stanza entry is required when you use a URAF user registry. server-dependent values: 214 Administration Guide . file names cannot have a backward slash (\). or double quotation marks ("). Default value The following list shows the default. Options fully_qualified_path Represents an alphanumeric string. This stanza entry is required when you use an LDAP user registry.a Example Example for Solaris operating environments: passwd-ldap = /opt/PolicyDirector/lib/libldapauthn. a question mark (?).so & -cfgfile [/opt/PolicyDirector/etc/server_name. file names cannot have a backward slash (\). path names and file names are case-sensitive.sl Linux /opt/PolicyDirector/lib/libldapauthn.local code set. The set of characters permitted in a file name can be determined by the file system and by the local code set.conf] passwd-uraf Syntax passwd-uraf = fully_qualified_path Description Location of the library to use for URAF password authentication.so Solaris /opt/PolicyDirector/lib/libldapauthn.so Windows install_dir\bin\ldapauthn. a colon (:). For Windows operating systems. a colon (:). Default value The following list shows the default. No configuration utility is required. server-dependent values: AIX HP-UX /opt/PolicyDirector/lib/libldapauthn. Usage Conditional. a question mark (?). No configuration utility is required.dll /opt/PolicyDirector/lib/libldapauthn. or double quotation marks ("). For Linux and UNIX operating systems. dll Example Example for Windows operating systems: passwd-uraf = c:\program files\tivoli\policy director\bin\urafauthn.AIX HP-UX /opt/PolicyDirector/lib/liburafauthn.so Solaris /opt/PolicyDirector/lib/liburafauthn.a /opt/PolicyDirector/lib/liburafauthn.conf] [aznapi-admin-services] stanza An administration service plug-in enables applications to perform application-specific administration tasks.conf configuration file for the authorization server v The pdmgrproxyd. Before implementing service plug-ins. The administration service maps the administration API calls to the corresponding administration service API calls and carries out the requested action. or the calling application can be a custom-built application that uses the Tivoli Access Manager administration APIs. Each administration service plug-in is a standalone module that is dynamically loaded into the authorization service.dll & -cfgfile [c:/pd/etc/server_name.conf configuration file for the policy server v The ivacld. Developers of service plug-ins should provide the standard functions.sl Linux /opt/PolicyDirector/lib/liburafauthn. read and thoroughly understand the concepts discussed in the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference. Configuration file stanza reference 215 .so Windows install_dir\bin\urafauthn.conf configuration file for the policy proxy server v The configuration files for the configured administration service plug-ins for your resource managers The aznAPI. The administration service plug-in is accessed by a calling application using one of the Tivoli Access Manager administration interfaces. The calling application can be an administrative utility such as the pdadmin utility or Web Portal Manager. service-id Syntax service-id = {short_name|path_to_dll} [-pobj protected_object_hierarchy_name ] [& params] Appendix C. The parameters for configuring Tivoli Access Manager administration service plug-ins are declared in the [aznapi-admin-services] stanza of these configuration files provided by Tivoli Access Manager: v The ivmgrd.conf configuration file is provided with Tivoli Access Manager as a sample file for creating your own resource manager configuration file. params Optional: The additional initialization arguments that can be passed to the external authorization service. so it can be loaded on any supported platform. for example. The authorization service does not process the characters after the ampersand. provide a short name. The short name is prepended and appended with known library prefixes and suffixes for each platform.dll protected_object_hierarchy_name Optional: The name of the protected object hierarchy.Description Defines the authorization API service for functions that enable a plug-in to obtain the contents of a defined portion of the protected object hierarchy. Protected object hierarchy names must be unique for each administration service plug-in within the scope of an authorization API application. /usr/lib on Linux and UNIX operating systems or the value of the PATH environment variable on Windows operating systems). An authorization API application can register more than one administration service plug-in.a 216 Administration Guide . but each must have a unique service ID. This option refers either to the name of a protected object space (hierarchy) or to a protected object. Failover support allows for the administration of an object space if a particular authorization API application server fails. multiple authorization API application instances can be registered to service the same protected object hierarchy names. or to enable a plug-in to define application-specific administration tasks that also return commands that perform those tasks. It passes these characters directly to the administration service plug-in. If you want a platform-independent DLL name. Each stanza entry defines different types of aznAPI service. the following names are automatically searched for on each platform: AIX HP-UX libazn_ent_user. For example. do not specify the full path to the DLL. using a short name of azn_ent_user. The arguments must be preceded by the ampersand (&).sl Linux libazn_ent_user. and each possibility is searched in turn.so Windows azn_ent_user. If the DLL is located in a directory that is normally searched by the system (for example. short_name|path_to_dll The path to the dynamic link library (DLL) that contains the executable code for the service executable. Options Each entry has the following format.so Solaris libazn_ent_user. & -server fred. To support failover.so libazn_ent_user. The service libazn_ent_user. specify the DLL name only. service-id Developer-specified ID of the administration service. Developers should read and thoroughly understand these concepts so that they can provide the required standard functions. When switch-user is used. An attribute can establish accountability by providing information to help identify potentially inappropriate access of assets.conf configuration file for the authorization server v The pdmgrproxyd. Usage Optional Default value There is no default value.conf configuration file for the policy proxy server v The configuration files for your resource managers Other stanza entries that apply to the configuration files of your resource managers are discussed in the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference. an authorization request is evaluated against an assumed identity rather than the actual identity of the user. audit-attribute Syntax audit-attribute = azn-attr Description Name of the access decision information (ADI) attribute to audit. You can grant or deny access based on the rules that are applied to attributes. For example.conf configuration file for the policy server v The ivacld.conf configuration file is provided with Tivoli Access Manager to use as a guide for creating your own resource manager configuration file. Example AZN_ADMIN_SVC_TRACE = pdtraceadmin [aznapi-configuration] stanza Tivoli Access Manager allows a highly flexible approach to authorization through the use of the authorization API. and authorization rule) that are applied to the object being accessed. the WebSEAL switch-user authentication feature provides a mechanism to allow certain users to impersonate another user.definition is discussed in more detail in the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference. The standards-based authorization API allows applications to make calls to the centralized authorization service. Configuration file stanza reference 217 . Tivoli Access Manager provides built-in support of user name and password authentication as well through the authorization API. A sample aznAPI. It is desirable to allow administrators to capture the user's actual identity. The configuration key value pairs that are used for configuring audit files for Tivoli Access Manager servers are located in the [aznapi-configuration] stanza of each of the following configuration files: v The ivmgrd. Appendix C. POP. You can audit the names or descriptions of the Tivoli Access Manager policies (ACL. If this attribute is not specified. String values are expected to be characters that are part of the local code set. Example The following example shows the configuration for WebSEAL: audit-attribute = tagvalue_su-admin azn-app-host Syntax azn-app-host = other_hostname Description Attribute that is used to specify the host name that the policy server should use when communicating with the resource manager. Options For other_hostname. you can provide any valid internet host name.com v mycomputer By default. uncomment the entry by removing the pound sign. Examples of valid host names: v mycomputer. The following example shows a commented out entry: #azn-app-host = libra To enable this value. Usage Optional Default value There is no default value.city.ibm. Usage Optional Default value There is no default value. the default host name is used.company. Example azn-app-host = libra. this attribute is disabled.Options azn_attr The authorization API attribute represents an alphanumeric string that is not case-sensitive. When disabled. the stanza entry is commented out by using a pound sign (#) at the beginning of the stanza entry. Be sure to include a host name value.dallas.com azn-server-name Syntax azn-server-name = server–hostname 218 Administration Guide . Description Unique name of the Tivoli Access Manager resource manager. or policy server. This valid is between 0 and the size of an unsigned integer. Note: The host name is generated and set during configuration. cache-refresh-interval Syntax cache-refresh-interval = {disable|default|number_seconds} Description Poll interval (in seconds) between checks for updates to the master policy database. Appendix C.conf file. number_seconds The exact time interval in number of seconds. Options disable The interval value in seconds is not set. Do not edit this stanza entry. These extended attributes are stored in the user registry. Note: The local cache is rebuilt only if an update is detected. Configuration file stanza reference 219 . that is configured into the domain. Usage Optional Default value default Example cache-refresh-interval = 500 cred-attributes-entitlement-services Syntax cred-attributes-entitlement-services = {short_name_entitlement_service|path_to_dll} Description Service that provides the ability to add external information to the user credential in the form of credential attributes and allows applications to use that information in making access decisions. The policy server has its own stanza entries for specifying the path to the master policy database. This stanza entry is not used in the ivmgrd. default The default value of 600 seconds is used. authorization server. The unsigned integer is approximately 136 years. The hyphen (-) character is required. the policy proxy server. file names cannot have a backward slash (\). or double quotation marks ("). a question mark (?). The IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference lists the read-only attributes. principal UUID. Each service ID is queried in the order it is declared in the list. The attribute returned is inserted into the credential attribute list of each credential that is built. contains more information about this service. Options fully_qualified_path Represents an alphanumeric string.This service can also work with attributes using an API call. Default value There is no default value. Usage Required for each specified server. For Linux and UNIX operating systems. a colon (:). Usage Optional Default value There is no default value. For Windows operating systems. A list of authorization API entitlement service IDs are queried by the azn_id_get_creds() interface to compile a list of attributes to be added to the user credential while the credential is being built. Example cred-attribute-entitlement-services = myEntSvcID db-file Syntax db-file = fully_qualified_path Description Name and location of the resource manager policy database cache file. The following example shows two entries from the credential attribute list: cred-attribute-entitlement-services = myEntSvcID cred-attribute-entitlement-services = myOtherEntSvcID Note: You cannot use this stanza entry to override read-only attributes in the credential attribute list that include the principal name. The set of characters permitted in a file name can be determined by the file system and by the local code set. and others. String values are expected to be characters that are part of the local code set. This value must be specified. The attributes are added to the user credential while the credential is being built. 220 Administration Guide . path names and file names are case-sensitive. and each server provides its own value. A list of service identifiers. which can be found within the [aznapi-entitlementservices] stanza. is queried to compile a list of attributes. The exception to this rule is for the azn_cred_groups attribute. and explains why administrators who do not want this capability should ensure that the azn_mod_rad service is not loaded by the application. These stanza entries must refer to existing entitlements services. respectively.db The following example sets the policy database using a relative path on a Linux or UNIX operating system: db-file = . Usage Optional Default value There is no default value. Configuration file stanza reference 221 . Refer to “dynamic-adi-entitlement-services” on page 136 and the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference for more information about rules processing and this service. A list of configured authorization API entitlements service identifiers (IDs) is queried by the authorization rules engine when missing ADI is detected during an authorization rule evaluation. bank_A_ADI) are loaded by using service entries in the entitlement service configuration [aznapi-entitlementservices] stanza or in an initialization attribute.Example The following example sets the policy database using an absolute path on a Windows operating system: db-file = C:\pd\db\ivacld. Appendix C./authzn_demo. each service in this list is queried in the order defined in this entry. When ADI is found to be missing during a rule evaluation. The service ID (for example.db dynamic-adi-entitlement-services Syntax dynamic-adi-entitlement-services = entitlement_service Description Dynamic access decision information (ADI) retrieval entitlement service. Example [aznapi-entitlement-services] dynamic-adi-entitlement-services = bank_A_ADI dynamic-adi-entitlement-services = bank_B_ADI input-adi-xml-prolog Syntax input-adi-xml-prolog = prolog_attrs Description Prolog to be added to the top of the XML document that is created using the Access Decision Information (ADI) needed to evaluate a Boolean authorization rule. Options entitlement_service A string value for the container names of the required ADI. If a style sheet prolog is specified. Options prolog_attrs Prolog attributes that are required by the authorization engine and include the following attributes: <?xml version="1..] Description Enables logging and auditing for the application. If no prolog is specified. disable Deactivates the notification listener. Options enable Activates the notification listener. Category. Usage Optional Default value disable Example listen-flags = enable logcfg Syntax logcfg = audit.azn:[log-agent][[param[=value]] . the authorization client fails to start and returns an error. All of the required prolog attributes are specified in the default prolog entries.. Note: If any of these attributes are changed or omitted from the entry. and other parameters are used to capture Tivoli Access Manager auditing and logging events.0" encoding="UTF-8"?> Refer to “input-adi-xml-prolog and xsl-stylesheet-prolog” on page 136 for more information.0" encoding="UTF-8"?> listen-flags Syntax listen-flags = {enable|disable} Description Indication of whether to turn on or off the reception of policy cache update notifications. that prolog is imported into the empty style sheet. destination. Usage Optional Example input-adi-xml-prolog = <?xml version="1. a default prolog value is used instead. 222 Administration Guide . Configuration file stanza reference 223 . depending on the category.azn:log-agent Category of auditing event. Note: This stanza entry is set during configuration.log_id=audit_log mode Syntax mode = {local|remote} Description Operating mode for the resource manager. Options local remote The resource manager uses a remote policy cache that is maintained by the authorization server. Options audit.flush_interval=20. Some configuration attributes apply only to resource managers that are configured to use local mode. Also indicates that the destination where log-agent is one of the following agents: v stdout v stderr v file v pipe v remote param=value Allowable parameters. The parameters vary. Refer to IBM Tivoli Access Manager for e-business: Troubleshooting Guide for information about the log agents and the configuration parameters. Do not change it. Example logcfg = audit.log. Usage Optional Default value Remove the pound signs (#) at the beginning of the configuration file lines to enable authentication or authorization auditing (or both) for the application. Usage Required Default value local Example mode = remote Appendix C.Each server provides its own event logging setting in its corresponding configuration file. and the type of auditing you want to perform.azn:file path=audit. This value cannot be changed after resource manager configuration. the destination of events. The resource manager uses a local policy cache. you can set an attribute on an ACL using the acl modify command with the set attribute option. which can be the policy proxy server. Note: The server name or host name is generated and set during configuration. or policy server. either the policy proxy server. Note: The server password is generated and set during configuration.. Usage Optional Default value No information is returned. Do not edit this stanza entry. Before using this stanza entry and value.} Description Set of attributes that the caller wants to receive from the azn_decision_access_allowed_ext() function in the permission information attribute list. read and thoroughly understand the concept as it is discussed in the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference. Options For a list of the strings recognized by the authorization engine. authorization server. You can also define your own attributes. authorization server. When you add an attribute name to the list. Do not edit this stanza entry. that is configured into the domain.pd-user-name Syntax pd-user-name = server_name/hostname Description Tivoli Access Manager user account for the resource manager server.. that is configured into the domain. the attribute can be returned only as permission information if it is applicable to the current decision call. The forward slash (/) character is required. or policy server. 224 Administration Guide . pd-user-pwd Syntax pd-user-pwd = server_password Description Tivoli Access Manager user account password for the resource manager. permission-info-returned Syntax permission-info-returned = {attribute1 attribute2 . refer to IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference. For example. Example The following example returns permission information for all attributes in the list: permission-info-returned = azn_perminfo_all_attrs policy-cache-size Syntax policy-cache-size = size Description Maximum size of the in-memory policy cache. each service in this list is queried in the order defined. use the following algorithm: 3 * (number of policy objects + number of protected resources) This value controls how much information is cached. add multiple stanza entries. For example. Configuration file stanza reference 225 . If an ADI is found to be missing during a rule evaluation. The cache consists of policy and the relationships between policy and resources. A larger cache potentially improves the application performance. Usage Optional Default value 32768 Example policy-cache-size = 32768 resource-manager-provided-adi Syntax resource-manager-provided-adi = prefix Description Prefix that the authorization engine uses to determine the set of missing access decision information (ADI) provided by the resource manager. Options prefix A string prefix for its value. but uses additional memory as well. As a starting point. This size is configurable. The maximum cache size should be relative to the number of policy objects defined and the number of resources protected as well as the available memory. if you want to notify the authorization engine that any ADI beginning with sales_customer_ be provided by the resource manager application. To specify more than one prefix. the stanza entry would be: Appendix C. These entries must refer to existing entitlements services that were loaded using service entries in the [aznapi-entitlement-services] configuration stanza or that were loaded using an initialization attribute. Options size Size is specified as the number of entries. The knowledge that a resource has no directly associated policy is also cached. org/1999/XSL/Transform" version="1. If no prolog is specified.Need this to ensure default text node printing is off --> <xsl:template match="text()"></xsl:template> Note: If any of the required prolog attributes are changed or omitted from the entry. All of the required prolog attributes are specified in the default prolog entries. a default prolog value is used instead.0" encoding=’UTF-8’?> <xsl:stylesheet xmlns:xsl= "http://www. that prolog is imported into the empty style sheet.resource-manager-provided-adi = sales_customer_ Refer to “resource-manager-provided-adi” on page 136 for more information about rule processing.w3. Options prolog_attrs Prolog attributes that are required by the authorization server. Usage Optional 226 Administration Guide .Required to constrain output of rule evaluation --> <xsl:output method="text" omit-xml-declaration="yes" encoding=’UTF-8’ indent="no" /> !<-. then the authorization client fails to start and returns an error.Required for XSLT language --> <?xml version="1. Usage Optional Default value There is no default value. Use caution when changing this setting. When not specified. Example The following example shows multiple stanza entries: resource-manager-provided-adi = sales_item_ resource-manager-provided-adi = sales_customer_ xsl-stylesheet-prolog Syntax xsl-stylesheet-prolog = prolog_attrs Description The prolog to be added to the top of the XSL stylesheet that is created using the XSL text that defines a Boolean authorization rule. the default XSL stylesheet prolog is: !<-. Refer to “input-adi-xml-prolog and xsl-stylesheet-prolog” on page 136 for more information.0"> !<-. If a style sheet prolog is specified. The credentials modification service can then return this modified credential for use by the calling application. specify only the DLL name. do not specify the full path to the DLL.. If the DLL is located in a directory that is normally searched by the system (for example. If you want a platform-independent DLL name. For example. read and thoroughly understand the concepts discussed in the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference. /usr/lib on Linux and UNIX operating systems or the value of the PATH environment variable on Windows operating systems). so it can be loaded on any supported platform. Applications can use this service to add additional information to a user's credential. The service ID string must be unique. The parameters for configuring Tivoli Access Manager credential modification service plug-ins are declared in the [aznapi-cred-modification-services] stanza of each of the configuration files provided with Tivoli Access Manager: v The ivmgrd.conf configuration file for the policy server v The ivacld. Developers of service plug-ins should provide the standard functions.] Description Defines the authorization API service for the credentials attribute list modification service. Before implementing service plug-ins. this additional information could include the credit card number and credit limit of the user.conf configuration file for the policy proxy server v The configuration file for configured credentials modification service plug-ins for your resource managers The aznAPI.. [aznapi-cred-modification-services] stanza A credential modification service plug-in enables authorization API applications to perform modifications on a Tivoli Access Manager credential. service-id Syntax service-id = short_name|path_to_dll [ & params . Each credential modification service plug-in is a standalone module that is dynamically loaded into the authorization service.conf configuration file is provided with Tivoli Access Manager as a sample file for creating your own resource manager configuration file. Each stanza entry defines different types of aznAPI service.Example See “Defining an XML namespace” on page 126 for a complete explanation of the name space example. short_name|path_to_dll The path to the dynamic link library (DLL) that contains the executable code for the service. The short name is appended with known Appendix C.conf configuration file for the authorization server v The pdmgrproxyd. Options Each entry has the following format: service-id Developer-specified ID of the credential modification service. Configuration file stanza reference 227 . provide a short name. libazn_ent_user. For example. The service definition is discussed in more detail in the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference.conf configuration file for the authorization server v The pdmgrproxyd. Example AZN_MOD_SVC_RAD_2AB = azn_mod_rad [aznapi-entitlement-services] stanza An entitlement services plug-in enables authorization API applications to retrieve the entitlements for a user from an entitlements repository. using a short name of azn_ent_user.dll params Optional: The parameters to pass to the service when it is initialized by the aznAPI service. Before implementing service plug-ins. The stanza entries for configuring Tivoli Access Manager entitlement services plug-ins are declared in the [aznapi-entitlement-services] stanza of each of these configuration files provided by Tivoli Access Manager: v The ivmgrd.conf configuration file for the policy server v The ivacld. Parameters are considered to be all data following the ampersand (&). and each possibility is searched in turn.conf configuration file for the policy proxy server v The configuration file for configured entitlement services plug-ins for your resource managers The aznAPI.sl Linux libazn_ent_user.so Solaris libazn_ent_user.a Usage Optional Default value There is no default value. Each entitlement services plug-in is a standalone module that is dynamically loaded into the authorization service.so libazn_ent_user. the following table shows the names that are automatically searched for on each platform: AIX HP-UX libazn_ent_user.conf configuration file is provided with Tivoli Access Manager as a sample file for creating your own resource manager configuration file.library prefixes and suffixes for each platform.so Windows azn_ent_user. 228 Administration Guide . read and thoroughly understand the concepts discussed in the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference. Developers of service plug-ins should provide the standard functions. sl Linux libazn_ent_user. libazn_ent_user. short_name|path_to_dll The path to the dynamic link library (DLL) that contains the executable code for the service. the following names that are automatically searched for on each platform: AIX HP-UX libazn_ent_user. Parameters are considered to be all data following the ampersand (&). specify only the DLL name.dll params Optional: One or more parameters to pass to the service when it is initialized by the aznAPI service. Options Each entry has the following format: service-id Developer-specified ID by which the service can be identified by the aznAPI client. Each stanza entry defines different types of aznAPI service.so Windows azn_ent_user.] Description Defines the authorization API service for the entitlement services of the protected objects.service-id Syntax service-id = {short_name|path_to_dll} [ & params . so it can be loaded on any supported Tivoli Access Manager platform. The short name is appended with known library prefixes and suffixes for each platform. Example credattrs_ent_svc = azn_ent_cred_attrs Appendix C. provide a short form library name.so Solaris libazn_ent_user.a Usage Optional Default value There is no default value. Configuration file stanza reference 229 . The service definition is discussed in more detail in the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference.. If you want a platform-independent DLL name. If the DLL is located in a directory that is normally searched by the system (for example. For example.. /usr/lib on Linux and UNIX operating systems or the value of the PATH environment variable on Windows operating systems). The service ID string must be unique. and each possibility is searched in turn. using a short form library name of azn_ent_user.so libazn_ent_user. do not specify the full path to the DLL. If the service is defined an ID. the service is invoked when this ACL action mask is requested as part of an authorization decision. Options policy-trigger The policy trigger is the way that an external authorization service is invoked.conf configuration file is provided with Tivoli Access Manager as a sample file for creating your own resource manager configuration file. Before implementing service plug-ins. the service ID is used as an extended attribute on a POP that triggers the external authorization service when an object has this POP attached to it.conf configuration file for the policy server v The ivacld. it can be my_service_1 or Trx. and each entry is the same format. The policy trigger can be any string that is recognized as a valid key name. Each external authorization service plug-in is a standalone module that is dynamically loaded into the authorization service. For example. the policy trigger is not case-sensitive if the trigger is a POP attribute.[aznapi-external-authzn-services] stanza An external authorization service plug-in is an optional extension of the Tivoli Access Manager authorization service that allows you to impose additional authorization controls and conditions. If the service is defined using an ACL action string. Developers of service plug-ins should provide the standard functions. The policy-trigger is case-sensitive. short_name|path_to_dll The path to the dynamic link library (DLL) that contains the executable code for the service. policy-trigger Syntax policy-trigger = {short_name|path_to_dll} [-weight number] [ & params . Each stanza entry defines different types of aznAPI service.] Description Defines the authorization API service for external authorization service definitions that force authorization decisions to made based on application-specific criteria.conf configuration file for the authorization server v The configuration file for configured external authorization service plug-ins for your resource managers The aznAPI. The parameters for configuring Tivoli Access Manager external authorization service plug-ins are declared in the [aznapi-external-authzn-services] stanza of this configuration file provided by Tivoli Access Manager: v The ivmgrd. because the actions themselves are case-sensitive.. However. read and thoroughly understand the concepts discussed in the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference. It is either a service ID or an access control list (ACL) action string. You can use an external authorization service plug-in to force authorization decisions to be made is based on application-specific criteria that are not known to the Tivoli Access Manager authorization service.. 230 Administration Guide . [aznapi-pac-services] stanza A PAC services plug-in gives authorization API applications the ability to move Tivoli Access Manager credentials back and forth between the native Tivoli Access Manager credentials format and an alternate format called privilege attribute certificate (PAC). For example.If the DLL is located in a directory that is normally searched by the system (for example. so it can be loaded on any supported platform. specify only the DLL name. This option is an unsigned size_t value. The stanza entries for configuring Tivoli Access Manager PAC services plug-ins are declared in the [aznapi-pac-services] stanza of each of these configuration files provided by Tivoli Access Manager: Appendix C. The short name is appended with known library prefixes and suffixes for each platform. /usr/lib on Linux and UNIX operating systems or the value of the PATH environment variable on Windows operating systems). Identity information can be obtained from a PAC. & -server fred. and each possibility is searched in turn. Applications can convert user credentials to PACs for use within other authorization domains. The service definition is discussed in more detail in the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference.dll [-weight number] Optional: A weighting that is assigned in the access decision process to the particular external authorization service. This value signifies the weight that any decision that is returned by this external authorization service should be given in the entire decision process. using a short name of azn_ent_user. the following names that are automatically searched for on each platform: AIX HP-UX libazn_ent_user. Applications can then pass the PACs to a server in another authorization domain and perform an operation.so Windows azn_ent_user. Configuration file stanza reference 231 . params Optional: Additional initialization information to pass to the external authorization service in the form of arguments.sl Linux libazn_ent_user.so libazn_ent_user. Each PAC services plug-in is a standalone module that is dynamically loaded into the authorization service. do not specify the full path to the DLL. libazn_ent_user. The arguments must be preceded by the ampersand (&).so Solaris libazn_ent_user. If you want a platform-independent DLL name. for example. provide a short name.a Usage Optional Default value There is no default value. The default value is 101. The short name is appended with known library prefixes and suffixes for each platform.v The configuration file for configured PAC services plug-ins for your resource managers The aznAPI. Options Each entry has the following format: service-id Developer-specified ID of the PAC service that produces the PAC. ] Description Defines the authorization API service for the Tivoli Access Manager privilege attribute certificate (PAC) encoding service. libazn_ent_user. /usr/lib on Linux and UNIX operating systems or the value of the PATH environment variable on Windows operating systems). Each stanza entry defines different types of aznAPI authorization service. do not specify the full path to the DLL..so Windows azn_ent_user. Before implementing service plug-ins.conf configuration file is provided with Tivoli Access Manager as a sample file for creating your own resource manager configuration file. Parameters are considered to be all data following the ampersand (&)..so libazn_ent_user.sl Linux libazn_ent_user. so it can be loaded on any supported platform. Developers of service plug-ins should provide the standard functions. The service ID string must be unique. the following names that are automatically searched for on each platform: AIX HP-UX libazn_ent_user. The service definition is discussed in more detail in the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference. If the DLL is located in a directory that is normally searched by the system (for example.so Solaris libazn_ent_user. For example. read and thoroughly understand the concepts discussed in the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference. and each possibility is searched in turn. using a short form library name of azn_ent_user.dll params Optional: Parameters to pass to the service when it is initialized by the aznAPI service.a 232 Administration Guide . specify only the DLL name. short_name|path_to_dll The path to the dynamic link library (DLL) that contains the executable code for the service executable. If you want a platform-independent DLL name. provide a short name. service-id Syntax service-id = {short_name|path_to_dll} [ & params . the common audit service is not configured for use by Tivoli Access Manager. you need to specify the keyFilePath and stashFilePath entries. Options yes no Compresses the data that is sent during a network transfer. Usage Optional Default value The default value is no. a cache manager thread periodically checks (using the setting of the rebindInterval entry) to determine whether the Appendix C. When events are written to the disk cache file.Usage Optional Default value There is no default value. Example compress = yes diskCachePath Syntax diskCachePath = fully_qualified_path Description Specifies the name and location of the file to be used to cache events. If secure communication with the common event Web service is required.conf file. Configuration file stanza reference 233 . Does not compress the data that is sent during a network transfer. The stanza entry for common audit processing is located in the [pdcars-filter] stanza of the pdaudit. [cars-client] stanza The [cars-client] stanza contains the configuration of the client for the common audit service. This is the default value. The entries in this stanza specify the characteristics of the connection to the common event Web service and how the client processes audit log events. compress Syntax compress = {yes|no} Description Indicates whether the data that is sent during a network transfer is compressed. The file must exist at the specified location. You must specify the doAudit and serverURL entries. If these entries are not specified. This is the default value. Restart the server.audit Web service can accept events. After configuring the Common Auditing Service. file names cannot have a backward slash (\). a question mark (?). Default value There is no default value. a colon (:). Disables auditing for the common audit service. events are not forwarded to the audit server. doAudit Syntax doAudit = {yes|no} Description An indication of whether auditing using the Common Auditing Service is enabled or disabled. For Windows operating systems. Enter the following commands: > pdadmin login -l pdadmin local> config modify keyvalue set config_file cars-client doAudit yes 2. The name of the disk cache file must be unique. This entry is used when the useDiskCache entry is set to auto or always. Usage Required 234 Administration Guide . Options yes no Enables auditing using the common audit service. errors will occur. When auditing is disabled. When the service is available. the cache manager sends the events from the disk cache file. Usage Conditional. For Linux and UNIX operating systems. path names and file names are case-sensitive. Options fully_qualified_path Represents an alphanumeric string. String values are expected to be characters that are part of the local code set. Restart the server. If more than one server or server instance is configured to use the same disk cache file. The set of characters permitted in a file name can be determined by the file system and by the local code set. complete the following steps: 1. or double quotation marks ("). you can start auditing using the following steps: 1. To stop auditing. Enter the following commands: > pdadmin login -l pdadmin local> config modify keyvalue set config_file cars-client doAudit no 2. errors will occur. Usage Conditional. Usage Conditional. Default value There is no default value. Default value There is no default value. The name of the log file must be unique. If the file does not exist at the specified location. file names cannot have a Appendix C. String values are expected to be characters that are part of the local code set. errorFilePath Syntax errorFilePath = fully_qualified_path Description Specifies the name and location of the error log file. clientUserName Syntax clientUserName = user_id Description Specifies the WebSphere audit ID used by the administrator. This stanza entry is required only when using secure communications with the Web service. Example doAudit = yes clientPassword Syntax clientPassword = password Description Specifies the password for the WebSphere audit ID.Default value The default value is no. Configuration file stanza reference 235 . Options fully_qualified_path Represents an alphanumeric string. The set of characters permitted in a file name can be determined by the file system and by the local code set. This stanza entry is required only when using secure communications with the Web service. it will be created by the server identity. If more than one server or server instance is configured to use the same log file. This ID is authenticated with HTTP basic authentication. For Windows operating systems. Default value There is no default value. a question mark (?). The set of characters permitted in a file name can be determined by the file system and by the local code set. Options interval Specifies the number of seconds that an event waits in the queue. This entry is used when the useDiskCache entry is set to auto or never. For Windows operating systems. or double quotation marks ("). or double quotation marks ("). For Linux and UNIX operating systems. Usage Optional Default value There is no default value. Use the SSL key file to handle certificates that are used to communicate with the common event Web service. flushInterval Syntax flushInterval = interval Description Limits the time an event waits in the queue before being forwarded to the audit server. For Linux and UNIX operating systems. Example flushInterval = 600 keyFilePath Syntax keyFilePath = fully_qualified_path Description Specifies the SSL key file name and location. The file extension can be anything. but the extension is usually . a question mark (?). 236 Administration Guide . When events are generated at a slow rate and the queue does not reach the high water mark in a timely manner. a colon (:). a colon (:). path names and file names are case-sensitive. Usage Conditional. use this entry to forward the events in the queue at the designated interval. file names cannot have a backward slash (\).backward slash (\).kdb. String values are expected to be characters that are part of the local code set. Options fully_qualified_path Represents an alphanumeric string. path names and file names are case-sensitive. This stanza entry is required only when using secure communications with the Web service. Configuration file stanza reference 237 . When this low water mark is reached. Usage Optional. Example hiWater = 30 maxCacheFiles Syntax maxCacheFiles = number Appendix C. Default value The default value is 20. When the audit server is slow and the event queue fills up. When this high water mark is reached. queued events are sent directly to the audit server. This entry is used when the useDiskCache entry is set to auto or never. events are removed from the queue and written to the disk cache file until the number of the events is queue is equal to or less than the low water mark. Default value There is no default value. This entry is used when the useDiskCache entry is set to auto. Usage Conditional.Usage Conditional. lowWater Syntax lowWater = number Description Specifies the low water mark for the number of events that can be in the queue before events are no longer removed from the queue and written to the disk cache file. hiWater Syntax hiWater = number Description Specifies the high water mark for the number of events that can be in the queue. Options number Indicates the maximum number of events that can be in the queue. events are sent to the audit server. Default value The default value is 10. the log file rolls over and a new error log file is created. the cache manager deletes that cache file.741. The maximum size is 1 gigabyte (1. Usage Conditional. maxErrorFiles Syntax maxErrorFiles = number Description Specifies the maximum number of error log files that can be created before the oldest log file is used again. Usage Conditional. For additional information about how log files roll over. maxErrorFileSize Syntax maxErrorFileSize = size Description Specifies the maximum size in bytes of the error log file.073. When this size is reached. disk cache files can be used again. Default value The default value is 10485760. Default value The default value is 1000. 238 Administration Guide . When this size is reached. This entry is used when the useDiskCache entry is set to auto or always. Usage Optional Default value The default value is 2. After all of the events in the disk cache file are sent to the audit Web service. Unlike error log and trace files.Description Specifies the maximum number of disk cache files that can be created.824 bytes). This entry is used when the useDiskCache entry is set to auto or always. maxCacheFileSize Syntax maxCacheFileSize = size Description Specifies the maximum size in bytes of the disk cache file. see the IBM Tivoli Access Manager for e-business: Administration Guide. the cache file rolls over and a new cache file is created. For additional information about how log files roll over. Options number_of_threads Represents a numeric value. Appendix C.Usage Optional Default value The default value is 1000000. the log file rolls over and a new error log file is created. Usage Optional. maxTraceFiles Syntax maxTraceFiles = number Description Specifies the maximum number of trace files that can be created before the oldest trace file is used again. Usage Optional Default value The default value is 1000000. These threads read events from the disk cache files and sends them to the server. numberCMThreads Syntax numberCMThreads = number_of_threads Description Number of threads to create for the cache manager. Configuration file stanza reference 239 . Usage Optional Default value The default value is 2. maxTraceFileSize Syntax maxTraceFileSize = size Description Specifies the maximum size in bytes of the trace log file. This entry is used when the useDiskCache entry is set to auto or always. see the IBM Tivoli Access Manager for e-business: Administration Guide. When this size is reached. Default value The default value is 1. Usage Optional. This entry is used when the useDiskCache entry is set to auto or never.Example numberCMThreads = 2 numberEQThreads Syntax numberEQThreads = number_of_threads Description Number of threads to create to service the event queue. specifies the number of attempts to make to send the data. Options number_of_threads Represents a numeric value. Example numberEQThreads = 2 numberRetries Syntax numberRetries = number Description When an error occurs during a network transfer. Usage Optional. queueSize Syntax queueSize = size Description Maximum number of audit events that can be queued. Default value The default value is 1. 240 Administration Guide . This entry is used when the useDiskCache entry is set to auto or never. Usage Optional Default value The default value is 3. Default value The default value is 50. Usage Required Default value There is no default value. Appendix C. This entry is used when the useDiskCache entry is set to auto or always. specifies the number of seconds to wait before another attempt is made to send the data. Default value The default value is 10. For secure communication. use the following URL: http://hostname:9080/CommonAuditService/service/Emitter Options url The URL of the common auditing Web service. Usage Optional Default value The default value is 2. retryInterval Syntax retryInterval = seconds Description When an error occurs during a network transfer. use the following URL: https://hostname:9443/CommonAuditService/service/Emitter For nonsecure communication. Configuration file stanza reference 241 . serverURL Syntax serverURL = url Description Specifies the URL of the common auditing Web service. Usage Conditional.rebindInterval Syntax rebindInterval = seconds Description Specifies that number of seconds that the cache manager waits before attempting to establish a connection to the audit Web service. traceLevel Syntax traceLevel = level Description Specifies the level of trace events to write to the trace log. a question mark (?). traceFilePath Syntax traceFilePath = fully_qualified_path 242 Administration Guide . a colon (:). Required when traceFilePath is defined. The password might be stored encrypted in the stash file. For Linux and UNIX operating systems. or double quotation marks ("). For Windows operating systems. The file extension can be anything. Options fully_qualified_path Represents an alphanumeric string. but it is usually . The following settings are valid: 1 2 Indicates that events resulting from error conditions only are written to the log.sth. String values are expected to be characters that are part of the local code set. Usage Conditional. path names and file names are case-sensitive. Default value There is no default value.stashFilePath Syntax stashFilePath = fully_qualified_path Description Specifies the SSL password stash file name and location. Indicates that the following events only are written to the log file: v Error conditions v Entry and exit trace points Indicates that events resulting from error conditions and from all trace points in the code are written to the log. 3 Usage Conditional. The set of characters permitted in a file name can be determined by the file system and by the local code set. This stanza entry is required only when using secure communications with the Web service. The password is used to protect private keys in the key file. Default value The default value is 1. file names cannot have a backward slash (\). never auto Indicates that audit events are written to the event queue. The name of the trace file must be unique. There is no event queue. indicates how to handle disk caching. or double quotation marks ("). transferSize Syntax transferSize = size Description Number of audit events to send on each network transfer. a question mark (?). The set of characters permitted in a file name can be determined by the file system and by the local code set. it will be created by the server identity. If more than one server or server instance is configured to use the same trace file. There is no disk cache. Options fully_qualified_path Represents an alphanumeric string. Usage Optional Default value There is no default value. For Windows operating systems.Description Specifies the name and location of the trace file. path names and file names are case-sensitive. Configuration file stanza reference 243 . For Linux and UNIX operating systems. useDiskCache Syntax useDiskCache = {auto|always|never} Description Specifies whether to enable disk caching. Options always Indicates that audit events are always written directly to the disk cache on the caller thread. the audit events are written to disk cache. Under these conditions. errors will occur. a colon (:). file names cannot have a backward slash (\). Indicates that audit events are written to the event queue except when the server is down or the event queue is full. String values are expected to be characters that are part of the local code set. and. If the file does not exist at the specified location. Appendix C. Usage Optional Default value The default value is 10. when enabled. or a user-initiated log out. application name. use the config modify command with the append option. an administration terminating a session. the configuration file must include a separate stanza entry. use the config modify command with the remove option. This event type can be used with all Tivoli Access Manager servers. These types of events are the results of a timeout. Events can be identified by event type. and outcome. authn_terminate Indicates termination events. authz Indicates authorization events. To remove event types from the event filter. This event type can be used with all Tivoli Access Manager servers. To add event types to the event filter. For each event type to capture. auditevent Syntax auditevent = type. [cars-filter] stanza The stanza entry for common audit filtering of the Tivoli Access Manager runtime is located in the [cars-filter] stanza of the pdaudit.conf file. do not use the config modify command with the set option. mgmt_config Indicates configuration and other management events for a server. Note: With the auditevent entry. authn_creds_modify Indicates events that modify credentials for users. This event type can be used with all Tivoli Access Manager servers. If an event logged by an application matches any configured filter entry (auditevent or outcome). This event type can be used with the policy server. This event type can be used with all Tivoli Access Manager servers. Options type Specifies one of the following event types: authn Indicates authentication events.Usage Optional Default value The default value is auto. Using the set option overwrites the first auditevent entry in the configuration file. it is forwarded to the Common Auditing Service server. [outcome=outcome] Description Identifies the events to be captured for auditing. 244 Administration Guide . This event type can be used with the policy server. This is the default value. This event type can be used with the policy server. or the plug-in for Web servers. This value applies to authz and resource_access event types only. WebSEAL server. such as starting and stopping security servers. Usage Required. resource_access Indicates events that record all accesses to a resource. administrator-initiated password changes. runtime Indicates runtime events. Records all outcomes. Events generated from administrator-initiated tasks classified as management tasks. This event type can be used with the WebSEAL server or the plug-in for Web servers. such as creating users and groups. such as the creation of an ACL. This event type can be used with the policy server. Administrator-initiated password changes are classified as registry management events. this event type can be used for reporting WebSEAL statistics. Additionally.mgmt_policy Indicates events for security policy management. Default value There is no default value. outcome=outcome Specifies one of the following outcomes: all success Records successful outcomes only. unknown Records outcomes where success could not be determined. unsuccessful Records unsuccessful outcomes only. outcome=unsuccessful auditevent = authz. mgmt_registry Indicates events for registry management. and modifying properties of users and groups. Configuration file stanza reference 245 . This event type can be used with all Tivoli Access Manager servers. such as a file or HTTP request and response events outside of authorization events. mgmt_resource Indicates events for resource events. This event type can be used with the policy server. outcome=unknown Appendix C. password_change Indicates events for user-initiated password changes. Example auditevent = authn. if an obfuscated value is added to the file. including the pd. All bind (log in) passwords are obfuscated and placed in the configuration file.obf is appended to the file name (for example. This stanza has a stanza entry that points to the name and location of the obfuscated configuration file. The name of the obfuscated configuration file is the same name as the related configuration file name. file names cannot have a backward slash (\). For Linux and UNIX operating systems.conf configuration file. You should never edit the entry in the [configuration-database] stanza. The set of characters permitted in a file name can be determined by the file system and by the local code set.conf is ldap. file Syntax file = fully_qualified_path Description File name and location where the obfuscated configuration file information is located. as needed. or double quotation marks ("). Usage Conditional. Remember that whenever the configuration file is moved to a different location. For Windows operating systems. The [configuration-database] stanza can be located in every configuration file. the obfuscated configuration file for ldap. during configuration. ivmgrd. whenever an obfuscated entry is automatically added to the obfuscated configuration file. The file extension can be anything. passwords were obfuscated.obf. Both the existing configuration file and the obfuscated configuration file have the same file name. a question mark (?). Options fully_qualified_path Represents an alphanumeric string.conf. For example. String values are expected to be characters that are part of the local code set.conf.obf). This scenario is the only circumstance where the file name and location should be modified. The one exception might be if the file is to be moved permanently to a different location. you must move the obfuscated file also. but the extension is usually . In addition. except that . Tivoli Access Manager creates a new configuration file containing all the obfuscated entries. a colon (:). 246 Administration Guide . For example. Do not edit this stanza entry.obf. Tivoli Access Manager creates the [configuration-database] stanza. This stanza entry is required only if.conf.[configuration-database] stanza The stanza entry defines the name and location of the Tivoli Access Manager obfuscated password configuration file. Note: The obfuscated password is generated and set by the configuration utility. path names and file names are case-sensitive. the user can be authorized to return the list without authorizing first. Options yes no Enables authorization checks.conf.conf.conf. The stanza entries for turning on or off the setting for authorization checks for the delegated management of groups and users are located in the [delegated-admin] stanza of the following configuration file: v The ivmgrd. This keyword is provided as a performance feature. Disables authorization checks.obf Example The following example of setting the location of the obfuscated configuration file when using Microsoft Active Directory as the user registry on a Windows operating system: c:\program files\tivoli\policy director\etc\activedir. you should use one type of interface throughout the entire process for optimal results.conf configuration file for the policy server authorize-group-list Syntax authorize-group-list = {yes|no} Description Indication of whether authorization checks on the group list and group list-dn commands should be made. Usage Optional Default value no Example authorize-group-list = yes Appendix C.obf c:\program files\tivoli\policy director\etc\server_name. This stanza relates only to the pdadmin utility.obf [delegated-admin] stanza The Tivoli Access Manager configuration can require that the user be authorized to view each group that is returned in the group list. Platform Linux or UNIX Windows File name /opt/PolicyDirector/etc/server_name. Use either Web Portal Manager or the pdadmin utility.Default value The following table shows the default installation location by platform. For delegated administration. Or. Configuration file stanza reference 247 . You can specify one or more relative DNs to use when creating users. For example. Options dn The distinguished name substring Usage Optional Default value There is no default value. 2.[domains] and [domain=domain_name] stanzas The [domains] stanza contains a list of domains. Example allowed-registry-substrings = "dc=mkt" 248 Administration Guide . complete the following tasks: 1. Each domain specified under this stanza must have its own [domain=domain_name] stanza. Notify the domain administrator. The DN substring value restrictions are registry dependent.conf configuration file for the policy server allowed-registry-substrings Syntax allowed-registry-substrings = dn Description Distinguished name (DN) substring that restricts into which registry locations users can be created in or be imported from. to add this string to the DN option when creating and importing users or groups. Manually add the dn value for each domain created. By specifying one or more substrings. after this key value pair is added. Most user registries allow an alphanumeric string that is not case-sensitive. you can restrict creating and importing users and groups to the relative DNs that are identified by the substrings. String values are expected to be characters that are part of the local code set. The DN of the user being created or imported must contain the substring value specified. except the Management (policy server) domain. The following example shows domains named d and mydomain: [domains] domain = d domain = mydomain [domain=d] [domain=mydomain] The stanza entries for configuring multiple domains are located in the [domains] and the [domain=domain_name] stanzas of the following configuration file: v The ivmgrd. you can specify the DN substring dc=mkt to restrict users who are created or imported into a domain named Marketing: As a management domain administrator. or double quotation marks ("). Options The domain_name value is an alphanumeric.db. Appendix C. Default value The following table shows the default value by platform. a colon (:). file names cannot have a backward slash (\).db c:\program files\tivoli\policy director\db\domain_name. but the extension is usually . Usage Conditional. Configuration file stanza reference 249 . case-sensitive string. Options The fully_qualified_path value represents an alphanumeric string. String values are expected to be characters that are part of the local code set. For Windows operating systems. The name of the database is the same as the domain name. This stanza entry is required when the user creates at least one domain. Default value There is no default value. For Linux and UNIX operating systems. a question mark (?). path names and file names are case-sensitive.db domain Syntax domain = domain_name Description Name of the domain that was created. Platform Linux or UNIX Windows File name /var/PolicyDirector/db/domain_name.database-path Syntax database-path = fully_qualified_path Description File name and location of the policy database for the domain listed. The file extension can be anything.db Example The following example shows the setting of the database path on a Windows operating system: d:\programs\ibm\am\db\dname1. Usage Conditional. The set of characters permitted in a file name can be determined by the file system and by the local code set. String values are expected to be characters that are part of the local code set. This stanza entry is required when the user creates at least one domain. Note: Editing this entry is not recommended. Usage Required Default value The following table shows the default value by platform. path names and file names are case-sensitive. For Windows operating systems.conf configuration file for the authorization server log-file Syntax log-file = fully_qualified_path Description Location and name of the log file. String values are expected to be characters that are part of the local code set. file names cannot have a backward slash (\). If it exists.log The 3-character identifier used in the example is HPD. For example: log-file = TCD/HPD/logs /msg__pdacld_utf8.Example domain = mydomain1 [ivacld] stanza The stanza entries for configuring authorization server-related information are located in the [ivacld] stanza in the following configuration file: v The ivacld. this stanza entry is used. For Linux and UNIX operating systems.log c:\program files\tivoli\policy director\log\msg__pdacld_utf8. Platform Linux or UNIX Windows File name /var/PolicyDirector/log/msg__pdacld_utf8. otherwise. At startup of the authorization server. a colon (:). Messages are redirected from STDOUT and STDERR and sent to the server log file as defined in the authorization server routing file (pdacld_routing).log Example The following example sets the log file as Tivoli Common Directory on a Windows operating system: 250 Administration Guide . or double quotation marks ("). The set of characters permitted in a file name can be determined by the file system and by the local code set. Options The fully_qualified_path value represents an alphanumeric string. the routing file is used and this stanza entry is ignored. a question mark (?). During installation of Tivoli Access Manager. a check is made to see if the routing file exists. which specifies that the log files are for the Tivoli Access Manager common components. if you enabled Tivoli Common Directory to specify one common directory location for all your base component log files. The authorization server relies on the routing file to determine the log file names and path. the default installation directory is different. azn:file path=/var/PolicyDirector/audit/ ivacld. log_id Specifies the identifier for directing events from additional categories to the same log-agent. Configuration file stanza reference 251 .authn:file log_id=PDAclAudit Appendix C.log_id=PDAclAudit logcfg = audit.log logcfg Syntax logcfg = audit. Options audit.azn Category that indicates auditing of the authorization component. Usage Optional Default value There is no default value.log-file = C:\pd\log\msg__pdacld_utf8. Remove the pound signs (#) at the beginning of the configuration file lines to enable authentication or authorization auditing (or both) for the application.log The following example sets the log file as Tivoli Common Directory on a Linux or UNIX operating system: /PolicyDirector/TAMBase/HPD/logs/msg__pdacld_utf8. Example The following example shows the configuration for authentication and authorization auditing: logcfg = audit.azn:{log-agent} path=path flush_interval=interval log_id Description Enables logging and auditing for the authorization component. Each server provides its own event logging setting in its corresponding configuration file. flush_interval = interval Specifies the frequency for flushing log file buffers.flush_interval=20.log. log-agent Indicates that the destination where log-agent is one of the following values: v stdout v stderr v file v pipe v remote path = path Specifies the name and location of the log file that is used for the log-agent. Usage Required Default value The following table shows the default value by platform. a colon (:). Options fully_qualified_path Represents an alphanumeric string. Platform Linux or UNIX File name /var/PolicyDirector/log/ivacld. For Windows operating systems. path names and file names are case-sensitive. not just those that were properly authorized with membership in the remote-acl-users group. Usage Optional Default value false Example permit-unauth-remote-caller= false pid-file Syntax pid-file = fully_qualified_path Description Location and name of the PID file. false Authorization API clients should be authorized. Options true Authorization API clients should not be authorized. String values are expected to be characters that are part of the local code set. or double quotation marks ("). Depending on the nature of the policy within the domain security. Attention: Specifying true exposes the policy database in the domain for all clients to read. file names cannot have a backward slash (\).pid 252 Administration Guide .permit-unauth-remote-caller Syntax permit-unauth-remote-caller= {true|false} Description Indication of whether authorization API clients should be authorized by the authorization server before their requests are processed. a question mark (?). system planners must consider the ability for any client to read system-defined policy to be a security problem. The set of characters permitted in a file name can be determined by the file system and by the local code set. For Linux and UNIX operating systems. pid Example Example for a Windows operating system: pid-file = C:\pd\log\ivacld.Platform Windows File name c:\progra files\tivoli\policy director\log\ivacld. Options 0 port Disable the port number. Enable the port number.pid tcp-req-port Syntax tcp-req-port = {0|port} Description Transmission Control Protocol (TCP) port on which the server is listening for requests. The server will run as this user account. or use a port over 1000 that is not currently being used. A valid port number is any positive number that is allowed by TCP/IP and that is not currently being used by another application. Usage Required Default value 7136 Example tcp-req-port = 7136 unix-user Syntax unix-user = user_name Description The Linux or UNIX user account for this server. Configuration file stanza reference 253 . Use the default value. Options The user_name value represents an alphabetic string for the name associated with the user account. Usage Required Default value ivmgr Example unix-user = ivmgr Appendix C. Use any valid port number. The reported time might be the actual last login time minus the configurable value of msDS-LogonTimeSyncInterval. Options The group_name value represents an alphabetic string for the group associated with the user account. This attribute is a system attribute and is updated automatically by Active Directory. You can configure the default value of msDS-LogonTimeSyncInterval to suit the end user domain policy. set [ldap] enable-last-login to yes. Usage Required Default value ivmgr Example unix-group = ivmgr [ivmgrd] stanza The stanza entries for configuring the policy server and policy database are located in the [ivmgrd] stanza in this configuration file: v The ivmgrd. The server will run as this account. This attribute is not updated every time a user logs in successfully. this attribute is only updated if its current value is older than the current time minus the value of the msDS-LogonTimeSyncInterval attribute.conf configuration file for the policy server provide-last-login Syntax provide-last-login = {yes|true|no|false} Description Use the provide-last-login option for reporting information about the last login instance of a user. Thus the value that Tivoli Access Manager reports for the last login of a user might not be the exact time that a user last logged in.unix-group Syntax unix-group = group_name Description The Linux or UNIX group account for this server. Tivoli Access Manager uses the Active Directory user attribute lastLogonTimestamp to report the last login time of the user. When a user logs in successfully. For Microsoft Active Directory registry. Tivoli Access Manager has no control over this attribute except reporting the value when required. To record the last login information for LDAP based registries. 254 Administration Guide . no|false Set the provide-last-pwd-change option to no. visit the Microsoft support Web site. Options yes|true Set the provide-last-login option to yes. to disable reporting of the last password change instance of a user. no|false Set the provide-last-login option to no. provide-last-pwd-change Syntax provide-last-pwd-change = {yes|true|no|false} Description Use the provide-last-pwd-change option to permit reporting of information about the last password change instance of a user. This automatic setting is appropriate for environments where database changes are few and infrequent. When you configure update notification to be automatic. Options yes|true Set the provide-last-pwd-change option to yes. you must also correctly configure the max-notifier-threads= and notifier-wait-time= stanza entries. no|false Enable manual update notification. auto-database-update-notify Syntax auto-database-update-notify = {yes|true|no|false} Description Indication of automatic or manual update notification for policy database replicas. Configuration file stanza reference 255 . the Active Directory domains must be at Microsoft Windows 2003 domain functional level.To leverage the lastLogonTimestamp attribute. Options yes|true Enable automatic update notification. For more information about lastLogonTimestamp and msDS-LogonTimeSyncInterval. to let the policy server report the last password change instance of a user. Usage Required Default value yes Appendix C. to let the policy server report the time of last login of a user. to disable reporting of the last login information about a user. For Linux and UNIX operating systems. Note: Editing this stanza entry is not recommended. Independent of the defined value. Usage Required Default value The following table shows the default value by platform. The set of characters permitted in a file name can be determined by the file system and by the local code set.db 256 Administration Guide . path names and file names are case-sensitive. a colon (:).Example auto-database-update-notify = yes ca-cert-download-enabled Syntax ca-cert-download-enabled = {yes|no} Description The policy server always allows the download of the CA certificate. For Windows operating systems. Options fully_qualified_path Represents an alphanumeric string. but the extension is usually . String values are expected to be characters that are part of the local code set. The file extension can be anything. or double quotation marks (").db.db c:\program files\tivoli\policy director\db\master_authzn. Usage Ignored database-path Syntax database-path = fully_qualified_path Description Location and name of the master policy database.db Example The following example set the path to the master policy database on a Windows operating system: database-path = C:\pd\db\master_authzn. It is up to the client application to allow whether the CA certificate can be downloaded. Platform Linux or UNIX Windows File name /var/PolicyDirector/db/master_authzn. the policy server ignores this configuration setting. a question mark (?). file names cannot have a backward slash (\). Usage Required Default value The following table shows the default value by platform. a question mark (?).log-file Syntax log-file = fully_qualified_path Description Location and name of the log file. At startup of the policy server. path names and file names are case-sensitive. The policy server relies on the routing file to determine the log file names and path.log c:\program files\tivoli\policy director\log\msg__pdmgrd_utf8. which specifies that the log files are for Tivoli Access Manager. Platform Linux or UNIX Windows File name /var/PolicyDirector/log/msg__pdmgrd_utf8. file names cannot have a backward slash (\). the routing file is used and this stanza entry is ignored. if you enabled Tivoli Common Directory to specify one common directory location for all your log files.azn:{log-agent} path=path flush_interval=interval log_id Appendix C. Example The following example sets the log file on a Windows operating system without Tivoli Common Directory: log-file = C:\pd\log\msg__pdmgrd_utf8. The set of characters permitted in a file name can be determined by the file system and by the local code set. a colon (:).log The 3-character identifier used in the example is HPD. or double quotation marks ("). Messages are redirected from STDOUT and STDERR and sent to the server log file as defined in the policy server routing file (pdmgrd_routing). logcfg Syntax logcfg = audit. otherwise. a check is made to see if the routing file exists.log The following example sets the log file on a Linux or UNIX operating system with Tivoli Common Directory: log-file = TCD_directory/HPD/logs/msg__pdmgrd_utf8.log During installation of Tivoli Access Manager. For Windows operating systems. the default installation directory is different. If it exists. String values are expected to be characters that are part of the local code set. this stanza entry is used. Options The fully_qualified_path value represents an alphanumeric string. Configuration file stanza reference 257 . For Linux and UNIX operating systems. Usage Optional Default value There is no default value. 258 Administration Guide . Options audit. The policy server is responsible for synchronizing all database replicas in the secure domain.azn Category that indicates auditing of the authorization component. Category.Description Enables logging and auditing for the application.mgmt:file log_id=PDMgrAudit max-notifier-threads Syntax max-notifier-threads = number_threads Description Maximum number of event notifier threads. log_id Specifies the identifier for directing events from additional categories to the same log-agent. and other parameters are used to capture Tivoli Access Manager auditing and logging events. Each replica then has the responsibility to download the new information from the master. notification threads do the work of announcing this change to all replicas. destination. log-agent Indicates that the destination where log-agent is one of the following values: v stdout v stderr v file v pipe v remote path = path Specifies the name and location of the log file that is used for the log-agent. Remove the pound signs (#) at the beginning of the configuration file lines to enable authentication or authorization auditing (or both) for the application.log. Each server provides its own event logging setting in its corresponding configuration file. flush_interval = interval Specifies the frequency for flushing log file buffers.azn:file path=/var/PolicyDirector/audit/ pdmgrd.flush_interval=20.authn:file log_id=PDMgrAudit #logcfg = audit. When a change is made to the master database. Example The following example sets the configuration for authentication and authorization auditing only : logcfg = audit.log_id=PDMgrAudit logcfg = audit. When the update notification stanza entry is set to yes. When the policy server is instructed to make a change to the master policy database. Usage Conditional. Default value 10 Example max-notifier-threads = 20 notifier-wait-time Syntax notifier-wait-time = time_seconds Description Time in seconds that the authorization policy database is idle before notification is sent to replicas. positive whole number. you must correctly configure this stanza entry and also the notifier-wait-time= stanza entry. This stanza entry is required when the auto-database-update-notify = yes. Options number_threads Generally. Valid range for the number of threads is between 1 and 128. Options time_seconds The number of seconds the authorization policy database is idle before notification is sent to replicas. Default value 15 Example notifier-wait-time = 30 pid-file Syntax pid-file = fully_qualified_path Description Location and name of the PID file. this value should be set to equal the number of existing replicas. it waits for a default period of time before sending out notifications to database replicas. This stanza entry is required when auto-database-update-notify = yes. This time delay is reset with each subsequent change to the database. Configuration file stanza reference 259 . you must correctly configure this stanza entry and also the max-notifier-threads= stanza entry. Specify a valid. Appendix C.When the update notification stanza entry is set to yes. Usage Conditional. For Windows operating systems. Currently. or double quotation marks (").pid c:\program files\tivoli\policy director\log\ivmgrd. Zero indicates that no policy servers are standby servers. file names cannot have a backward slash (\). For Linux and UNIX operating systems.pid standby Syntax standby = {0|number} Description Number of standby policy servers Note: The number of standby servers is generated and set by the configuration utility. The set of characters permitted in a file name can be determined by the file system and by the local code set.pid Example Example for a Linux or UNIX operating system: pid-file = /var/PolicyDirector/log/ivmgrd. Platform Linux or UNIX Windows File name /var/PolicyDirector/log/ivmgrd. String values are expected to be characters that are part of the local code set. Options 0 number The number of standby policy servers. Use a number that is a positive whole number. a colon (:). Usage Required Default value The following table shows the default value by platform. this number is only 1. path names and file names are case-sensitive. a question mark (?).Options fully_qualified_path Represents an alphanumeric string. Usage Required Default value 0 Example standby = 1 260 Administration Guide . Do not edit this stanza entry. Use the default port number. The server will run as this account. or use a port number over 1000 that is currently not being used. The server will run as this account. Appendix C. Options user_name Represents an alphabetic string for the name associated with the user account. Usage Required Default value 8135 Example tcp-req-port = 8135 unix-user Syntax unix-user = user_name Description The Linux or UNIX user account for this server. Usage Required Default value ivmgr Example unix-user = ivmgr unix-group Syntax unix-group = group_name Description The Linux or UNIX group account for this server. Configuration file stanza reference 261 .tcp-req-port Syntax tcp-req-port = {0|port} Description TCP port on which the server is listening for requests. Options 0 port Disables the port number. Specify any valid port number. A valid port number is any positive number that is allowed by TCP/IP and that is not currently being used by another application. Enables the port number. Options group_name Represents an alphabetic string for the group associated with the user account. Usage Required Default value ivmgr Example unix-group = ivmgr [ldap] stanza This stanza defines configuration key value pairs that are required for the Tivoli Access Manager servers to communicate with the server that is associated with an LDAP user registry. The value for the user registry stanza entry (ldap-server-config) is determined by the pd.conf file. The pd.conf file is created when the Tivoli Access Manager runtime component is configured. The key value pairs that are used only for the LDAP registry server are located in the ldap.conf configuration file in the [ldap] stanza. The LDAP server stanza entries are described separately in “[ldap] stanza for ldap.conf” on page 278. The key value pairs that are for the server configuration files are located in the [ldap] stanza of each of the following configuration files: v The ivmgrd.conf configuration file for the policy server v The ivacld.conf configuration file for the authorization server v The pdmgrproxyd.conf configuration file for the policy proxy server v Your resource managers' configuration file for configured LDAP entries The aznAPI.conf configuration file is provided with Tivoli Access Manager as a sample file for creating your own resource manager configuration file. Developers of service plug-ins should provide the standard functions. Before implementing service plug-ins, read and thoroughly understand the concepts discussed in the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference. enhanced-pwd-policy Syntax enhanced-pwd-policy = {yes|true|no|false} Description The LDAP registries Tivoli Access Manager uses provide password policy enforcement for LDAP accounts. Tivoli Access Manager uses LDAP account passwords for authentication. So Tivoli Access Manager is subject to LDAP registry password policies. When the enhanced-pwd-policy option is enabled, Tivoli Access Manager efficiently identifies the underlying LDAP registry password policy and reacts appropriately. The Tivoli Access Manager password policy is enforced concurrently and is not affected by the enhanced-pwd-policy option. 262 Administration Guide This option is supported for Sun Directory Server 6.3.1 and Tivoli Directory Server. For Tivoli Directory Server, Tivoli Access Manager versions older than 6.1.1 provide limited support for handling LDAP registry password policies. The enhanced-pwd-policy option enhances such support. When you set the auth-using-compare option to no, a user password is authenticated by creating a connection to the LDAP registry and binding the connection using the user password. Success or failure of the binding is noted and the connection is closed. If you set the enhanced-pwd-policy option is set to yes when auth-using-compare is set to no, the user password changes occur on the connection used to authenticate the user. Such behavior increases the duration of the connection and might cause the number of simultaneous instances to increase. If the increase in simultaneous connections is not acceptable, use the max-auth-connections option to limit the number of simultaneous connections. For detailed information about the max-auth-connections option, see the max-auth-connections section. Note: Only Tivoli Directory Server supports enabling of the auth-using-compare option. For other LDAP servers, Tivoli Access Manager considers this option disabled. Tivoli Access Manager WebSEAL 6.1.1 takes advantage of enhanced-pwd-policy. The password policies and account states supported by Tivoli Access Manager are: v Password reset v v v v Locked accounts Expired accounts Grace login for expired accounts Accounts whose passwords are going to expire Options yes|true When the enhanced-pwd-policy option is set to true, Tivoli Access Manager efficiently identifies the underlying LDAP registry password policy and reacts appropriately. no|false When the enhanced-pwd-policy option is set to false, the behavior of Tivoli Access Manager towards LDAP registry password policy enforcement remains unchanged. Default value The default value of enhanced-pwd-policy is no|false Example An example of this feature is: LDAP reports that an account is expired and allows grace login. The user is informed that the account is expired, and is provided a grace login page and an option to change the password. Using enhanced-pwd-policy with Tivoli Directory Server: If you enable enhanced-pwd-policy for the Tivoli Directory Server when using Tivoli Directory Server for the registry, you must: v Manually update the access control lists (ACL) of the server so that users can change their passwords. Appendix C. Configuration file stanza reference 263 v Set auth-using-compare to no in each configuration file where you set enhanced-pwd-policy to yes. Complete the following steps to update LDAP access control lists: v To ensure that users can change their passwords, suffixes that contain or will contain Tivoli Access Manager user accounts must have an LDAP ACL that permits users to change their passwords. An example of the suffix that you create is o=ibm,c=us. An example of a suffix that Tivoli Access Manager creates is secAuthority=Default. Each of these suffixes requires an LDAP ACL to let the users change their passwords. 1. For the suffix that you created, create a file, for example, addacl1.ldif, that contains the following: dn:o=ibm,c=us changetype:modify add:aclEntry aclEntry:access-id:cn=this:at.userPassword:rwsc 2. Run the command: idsldapmodify -D "cn=root" -w "password" -h your.ldap.host.name -f "addacl1.ldif" Behavior of Tivoli Access Manager policy server LDAP accounts and policies: The pwdMustChange option in the LDAP policy prevents the policy server from starting during configuration. The account used for configuration does not exist before the configuration starts. So you cannot set a policy to override the global policy. To create Tivoli Access Manager LDAP server accounts, you might have to temporarily disable the global policies before configuration. After you configure the Tivoli Access Manager server LDAP accounts and the policy server, set a policy for each Tivoli Access Manager server LDAP account to overrides any global policy that affects the use of the LDAP account. max-auth-connections Syntax max-auth-connections = {0|unlimited number of simultaneous connections used for user authentication|any number higher than 0|actual number of simultaneous connections used for user authentication} Description Use the max-auth-connections option to determine how many simultaneous connections to your LDAP server are permitted for user authentication. This option has no effect if auth-using-compare is enabled. The benefit of the max-auth-connections option is greater if enhanced-pwd-policy is enabled. See enhanced-pwd-policy for details. Options 0|unlimited number of simultaneous connections used for user authentication When you set max-auth-connections to 0 (zero), you can use unlimited LDAP server connections simultaneously to authenticate users. 264 Administration Guide any number higher than 0|actual number of simultaneous connections used for user authentication If you set max-auth-connections to a value greater than 0 (zero), the number of simultaneous connections used for user authentication is limited to the number you specify. Default value By default, max-auth-connections is set to 0 (zero.) enable-last-login Syntax enable-last-login = {yes|true|no|false} Description For LDAP-based registries, each Tivoli Access Manager server that provides a login service requires you to set the enable-last-login option to store the last login date of a user in LDAP. Examples of such servers are: v WebSEAL. v Policy Server. v Authorization Server. v Local-mode authorization and Java Authorization applications that allow user authentication directly to the registry. Options yes|true Set the value of the enable-last-login option to yes if you want last the login information of users to be recorded and displayed to users. no|false Set the value of the enable-last-login option to no if you do not want the last login information of users to be recorded and displayed to users. auth-using-compare Syntax auth-using-compare = {yes|true|no|false} Description Choice of whether ldap_compare() is used instead of the ldap_bind() call to verify the password and authenticate the user. For those LDAP servers that allow it, a compare operation might perform faster than a bind operation. The value for each server can be different, depending on how that server is configured. This option changes the method used by the following authorization API calls: v azn_util_client_authenticate() v azn_util_password_authenticate() Options yes|true A compare operation is used to authenticate LDAP users. no|false A bind operation is used to authenticate LDAP users. Appendix C. Configuration file stanza reference 265 Any value other than yes|true, including a blank value, is interpreted as no|false. For information on how to use this key value pair for performance tuning, see the IBM Tivoli Access Manager for e-business: Performance Tuning Guide. Usage Optional Default value The default values are server-dependent. Example auth-using-compare = yes authn-timeout Syntax authn-timeout = {0|number_seconds} Description Amount of time (in seconds) that is allowed for authentication operations before the LDAP server is considered to be down. If specified, this value overrides any value set for the timeout entry for authentication operations. Note: Do not specify this stanza entry in the ldap.conf server configuration file. Options 0 No timeout (synchronous). number_seconds The number of seconds allowed for authentication operations. Specify a positive whole number. There is no range limitation for timeout values. Usage Optional Default value 0 Example authn-timeout = 0 bind-dn Syntax bind-dn = LDAP_dn Description LDAP user distinguished name (DN) that is used when binding (signing on) to the LDAP server. The LDAP_dn value is created, based on the server name that was specified with the –n server_name option and the local host of the machine. Use the svrsslcfg utility to set the LDAP_dn value. 266 Administration Guide For information on how to use this key value pair for performance tuning, see the IBM Tivoli Access Manager for e-business: Performance Tuning Guide. Options LDAP_dn Distinguished name that is used to bind to the LDAP server Usage Conditional. This stanza entry is required when using an LDAP user registry. Default value The default value is server-dependent. Example The following example sets the distinguished name for the policy server: bind-dn = cn=ivmgrd/master,cn=SecurityDaemons,secAuthority=Default cache-enabled Syntax cache-enabled = {yes|true|no|false} Description Indication of whether LDAP client-side caching is used to improve performance for similar LDAP queries. Options yes|true Enables LDAP client-side caching. no|false Disables LDAP client-side caching. This value is the default value. Anything other than yes|true, including a blank value, is interpreted as no|false. For information on how to use this key value pair for performance tuning, see the IBM Tivoli Access Manager for e-business: Performance Tuning Guide. Usage Optional Default value no Example cache-enabled = no cache-group-expire-time Syntax cache-group-expire-time = number_seconds Description Amount of time (in seconds) until a group entry in the cache is considered stale and is discarded. This stanza entry is ignored if the cache is not enabled. Appendix C. Configuration file stanza reference 267 Options number_seconds The amount of time specified in seconds. Specify a positive whole number. Usage Optional Default value 300 (5 minutes) Example cache-group-expire-time = 600 cache-group-membership Syntax cache-group-membership = {yes|true|no|false} Description Indication of whether group membership information is cached. This stanza entry is ignored if the cache is not enabled. Options yes|true Group membership is cached. no|false Group membership is not cached. Anything other than yes|true, including a blank value, is interpreted as no|false. Usage Optional Default value yes|true Example cache-group-membership = no cache-group-size Syntax cache-group-size = group_entries Description Number of entries in the LDAP group cache. This stanza entry is ignored if the cache is not enabled. Options group_entries A positive whole number that represents the number of entries is the LDAP group cache. Usage Optional 268 Administration Guide Default value 64 Example cache-group-size = 100 cache-policy-expire-time Syntax cache-policy-expire-time = number_seconds Description Amount of time in seconds until a policy entry in the cache is considered stale and is discarded. This stanza entry is ignored if the cache is not enabled. Options number_seconds The amount of time specified in number of seconds. Specify a positive whole number. Usage Optional Default value 30 Example cache-policy-expire-time = 60 cache-policy-size Syntax cache-policy-size = policy_entries Description Number of entries in the LDAP policy cache. This stanza entry is ignored if the cache is not enabled. Options policy_entries A positive whole number that represents the number of entries is the LDAP policy cache. Usage Optional Default value 20 Example cache-policy-size = 50 Appendix C. Configuration file stanza reference 269 is interpreted as no|false. no Usage Optional Default value no Example cache-return-registry-id = no cache-use-user-cache Syntax cache-use-user-cache = {yes|true|no|false} Description Indication of whether to use the user cache information. Options yes|true Use user information from the cache. Anything other than yes|true. including a blank value.” on page 199 for guidelines on changing configuration file properties.cache-return-registry-id Syntax cache-return-registry-id = {yes|no} Description Indicates whether the LDAP cache returns the TAM user identity as it is stored in the registry or the value entered by the user. This option returns the user identity exactly as it was created and preserved in the registry. Return the TAM user identity as the value is entered by the user. Options yes Return the TAM user identity as it is stored in the registry. Usage Optional Default value yes|true Example cache-use-user-cache = no 270 Administration Guide . Note: Refer to Appendix A. no|false Do not use user information from the cache. This stanza entry is ignored if the cache is not enabled. “Guidelines for changing configuring files. Configuration file stanza reference 271 . Usage Optional Default value 30 Example cache-user-expire-time = 120 cache-user-size Syntax cache-user-size = user_entries Description Number of entries in the LDAP user cache. Options user_entries A positive whole number that represents the number of entries is the LDAP user cache. Appendix C.cache-user-expire-time Syntax cache-user-expire-time = number_seconds Description Amount of time in seconds until a user entry in the cache is considered stale and is discarded. Options number_seconds The amount of time specified in number of seconds. This stanza entry is Ignored if the cache is not enabled. Use a number that is a positive whole number. Usage Optional Default value 256 Example cache-user-size = 1000 default-policy-override-support Syntax default-policy-override-support = {yes|true|no|false} Description Indication of whether user-level policy support is allowed. This stanza entry is ignored if the cache is not enabled. Options yes|true User policy support is disabled. a colon (:). When a user policy is specified by the administrator. default-policy-override-support = no becomes the value. Note: When the ldap-server-config entry is specified in the configuration file. it overrides the global policy.conf c:\program files\tivoli\policydirector\etc\ldap. host. and replica are obtained from the ldap.conf 272 Administration Guide . Usage Optional Default value no Example default-policy-override-support = yes ldap-server-config Syntax ldap-server-config = fully_qualified_path Description Location of the ldap. port. String values are expected to be characters that are part of the local code set. path names and file names are case-sensitive. The set of characters permitted in a file name can be determined by the file system and by the local code set. their values are overridden by the values from the ldap.conf configuration file. Default value The following table shows the default value by platform. file names cannot have a backward slash (\). For information on how to use this key value pair for performance tuning. If no value is specified. Usage This stanza entry is required for ivmgrd. see the IBM Tivoli Access Manager for e-business: Performance Tuning Guide. a question mark (?). For Windows operating systems. Platform Linux or UNIX Windows File name /opt/PolicyDirector/etc/ldap. and only the global (default) policy is checked. This option allows the user policy to not be checked. Options fully_qualified_path Represents an alphanumeric string.conf. max-search-size.conf file. no|false User policy support is enabled. even if it is specified. or double quotation marks (").conf file. For Linux and UNIX operating systems. the values for enabled. If any of these entries exist in the configuration file. Options yes no Tracking of failures is maintained in the registry. but defaults to 2048 if not configured. specified as the number of entries. The value for each server can be different. Usage Optional Default value no Example login-failures-presistent = yes max-search-size Syntax max-search-size = [0|number_entries] Description Limit for the maximum search size.conf login-failures-persistent Syntax login-failures-persistent = {yes|no} Description Indicates whether the tracking of login failures is persistent (maintained in the registry) or done in the local process cache. number_entries The maximum number of entries for search. that can be returned from the LDAP server. Example max-search-size = 2048 Appendix C. Configuration file stanza reference 273 . depending on how the server was configured. Usage Optional Default value The default value is server-dependent.Example The following example set the location of the LDAP server for a Linux or UNIX operating system: ldap-server-config = /opt/PolicyDirector/etc/ldap. Tracking of failures is done in the local process cache. specified as an integer whole number. Options 0 The number is unlimited. This value can also be limited by the LDAP server itself. There is no limit to the maximum search size. not required for the policy server. Usage Required for the policy proxy server and authorization server. the default value for ivmgrd.port Syntax port = port Description Non-SSL IP port number that is used for communicating with the LDAP server. Usage Optional Default value There is no default value. is interpreted as no|false.conf is no. no|false Disables the client. Options yes|true Enables the client to be able to question the Read/Write LDAP server. For example. Options port The port number configured for the LDAP server. The default value can be different. Anything other than yes|true. Example prefer-readwrite-server = no search-timeout Syntax search-timeout = {0|number_seconds} 274 Administration Guide . including a blank value.conf is yes while the default value for ivacld. Default value 389 Example port = 389 prefer-readwrite-server Syntax prefer-readwrite-server = {yes|true|no|false} Description Indication of whether the client can question the Read/Write LDAP server before querying any replica Read-only servers that are configured in the domain. The default value is server dependent. the key file DN. depending on how that server was configured. Usage Optional Default value 0 Example search-timeout = 0 ssl-enabled Syntax ssl-enabled = {yes|true|no|false} Description Indication of whether the Tivoli Access Manager server uses SSL to communicate with the LDAP server. including a blank value. Usage Required to enable SSL communication. is interpreted as no or false. The default values are server-dependent.conf file must be set to useSSL. you must enable SSL using this stanza entry. Options 0 No timeout (synchronous). Note: Do not specify this stanza entry in the ldap. If you specify that the authorization API (aznAPI) should use SSL to communicate with the LDAP server.Description Amount of time in seconds that is allowed for search operations before the LDAP server is considered to be down. LDAP is told to use whatever secure communication protocol it chooses for FIPS enablement. When ssl-enabled = yes. If specified. you must specify an SSL key file name and. Options yes|true Enables SSL communication. There is no range limitation for timeout values. If this value is set to yes and Federal Information Processing Standards (FIPS) mode is enabled (ssl-enable-fips=yes). If you enable SSL communication. Anything other than yes or true. if there are multiple keys in the file. The value for each Tivoli Access Manager server can be different. Appendix C. Configuration file stanza reference 275 . Default value There is no default value. no|false Disables SSL communication. the LdapSSL entry in the ldap.conf server configuration file. this value overrides any value that is set for the timeout entry for search operations. Specify a positive whole number. number_seconds The number of seconds allowed for search operations. kdb file. a colon (:). but the extension is usually .kdb c:\program files\tivoli\policy director\keytab\server_name.kdb file and the folder that contains the . String values are expected to be characters that are part of the local code set.kdb ssl-keyfile-dn Syntax ssl-keyfile-dn = ldap-ssl-keyfile-label Description Key label of the client certificate within the SSL key file. The certificate files in a directory need to be accessible to the server user (or all users). Use the SSL key file to handle certificates that are used in LDAP communication. Platform Linux or UNIX Windows File name /opt/PolicyDirector/keytab/server_name. Options ldap-ssl-key-filename A valid file name is an alphanumeric string that is not case-sensitive.Example ssl-enabled = yes ssl-keyfile Syntax ssl-keyfile = ldap-ssl-key-filename Description SSL key file name and location. The file extension can be anything. This stanza entry is required only when the LDAP server is configured to perform client authentication (ssl-enabled = yes). ivmgr) or all users have permission to access the . 276 Administration Guide . Options ldap-ssl-keyfile-label Identifies the client certificate that is presented to the LDAP server. path names and file names are case-sensitive. or double quotation marks. For Windows operating systems. file names cannot have a backward slash (\). For Linux and UNIX operating systems. Default value The following table shows the default value by platform.kdb.kdb Example The following example sets the SSL key file for a UNIX policy server: ssl-keyfile = /ldap52kdb/a17jsun. a question mark (?). Usage Conditional. Make sure that server user (for example. user-and-group-in-same-suffix Syntax user-and-group-in-same-suffix = {yes|true|no|false} Description Indication of whether the groups. For information on how to use this key value pair for performance tuning purposes. all LDAP suffixes are searched to locate the groups of which the user is a member. When a user is authenticated. is interpreted as no|false. including a blank value. Options yes|true The groups that are assumed to be defined in the same LDAP suffix as the user definition. Only that suffix is searched for group membership. This stanza entry is required only when the LDAP server is configured to perform client authentication. the groups in which the user is a member must be determined in order to build a credential.Usage Conditional. Usage Optional Default value no Example user-and-group-in-same-suffix = yes Appendix C. Although this entry might exist in a configuration file. because only a single suffix is searched. Normally. no|false The groups might be defined in any LDAP suffix. see the IBM Tivoli Access Manager for e-business: Performance Tuning Guide. Use this option only if group definitions are restricted to the same suffix as user definitions. Example ssl-keyfile-dn = "PDLDAP" ssl-keyfile-pwd Syntax ssl-keyfile-pwd = ldap-ssl-keyfile-password Description Deprecated: The ssl-keyfile-pwd entry is deprecated in the [ldap] stanza. Configuration file stanza reference 277 . Default value If the default policy server key database is being used. in which a user is a member. This behavior can improve the performance of group lookup. Anything other than yes|true. the default client certificate value is PDLDAP. are defined in the same LDAP suffix as the user definition. it will be ignored. in this stanza. you can find the configuration keys and values for LDAP failover. 278 Administration Guide . For example. The user registry type value is determined by the pd. For information on how to use this key value pair for performance tuning purposes. The pd. For information on how to use the key value pairs in this stanza for performance tuning. Anything other than yes|true.[ldap] stanza for ldap.conf file. The parameter must be modified manually using the pdadmin command line (local login).conf This stanza defines the configuration key value pairs that are required for the LDAP server. Options yes|true Enables LDAP client-side caching. no|false Disables LDAP client-side caching. For more information.conf file is created when the Tivoli Access Manager runtime is configured. including the use of master server and replica servers. cache-enabled Syntax cache-enabled = {yes|true|no|false} Description Indication of whether LDAP client-side caching is used to improve performance for similar LDAP queries. is interpreted as no|false. refer to "pdadmin commands" in the IBM Tivoli Access Manager for e-business: Command Reference. This value is the default value. see the IBM Tivoli Access Manager for e-business: Performance Tuning Guide. including a blank value. This parameter is not available using the pdconfig utility. Usage Optional Default value no Example cache-enabled = no connection-inactivity Syntax connection-inactivity = number_seconds Description Specifies the number of seconds of inactivity allowed on a given LDAP connection before the connection is taken down. see the IBM Tivoli Access Manager for e-business: Performance Tuning Guide. A connection-inactivity value of 0 indicates that connection inactivity is not tracked and the connections. Anything other than yes|true.conf configuration file. including a blank value. Usage Optional Default value no Example dynamic-groups-enabled = no enabled Syntax enabled = {yes|true|no|false} Description Indication of whether LDAP is being used as the user registry. Note: This stanza entry can be used only in the ldap. once established. is interpreted as no|false. Options yes|true Tivoli Access Manager attempts to resolve dynamic group membership. This key value pair applies to supported LDAP registries. the default value is 0. The valid range for this parameter is 0 to 31536000. Example connection-inactivity = 0 dynamic-groups-enabled Syntax dynamic-groups-enabled = {yes|true|no|false} Description Indication of whether dynamic groups are supported. Only one user registry can be specified at a time.Options number_seconds The number of seconds of inactivity allowed on a given LDAP connection. no|false Tivoli Access Manager does not attempt to resolve dynamic group membership. Configuration file stanza reference 279 . are left connected permanently. Tivoli Access Manager supports dynamic groups with IBM Tivoli Directory Server regardless of this setting. Usage Optional Default value If this parameter is not specified. Appendix C. Usage Required Default value There is no default value. is interpreted as no or false. The pd. depending on how the server is configured. use the svrsslcfg utility to set the host_name value. including a blank value.conf file. The host that is specified by this entry is assumed to be a readwrite type of server with a preference of 5. This stanza entry is required when LDAP is the user registry. The value is taken from the pd. Default value The default value can be different.conf file. and port with which to bind to the server.dallas. other required stanza entries are an LDAP server host name. a bind user DN.conf file is created when the Tivoli Access Manager runtime is configured.com ignore-suffix Syntax ignore-suffix = suffix_dn 280 Administration Guide . Options yes|true Enables LDAP user registry support. When LDAP is the configured user registry. no|false Disables LDAP user registry support and indicates that LDAP is not the user registry being used. Example host = libra host = libra. Valid values for host_name include any valid Internet Protocol (IP) host name. and bind user password (obfuscated). Usage Conditional.ibm. Anything other than yes or true. For a general description of server types and preferences. Options host_name The value is taken from the pd. Example enabled = yes host Syntax host = host_name Description Host name of the LDAP server. see “replica” on page 283.If enabled. conf configuration file. depending on how the server was configured. but it defaults to 2048 if it is not configured. By default. Options suffix_dn Specifies the suffix distinguished name (DN) that you want to be ignored.c=us max-search-size Syntax max-search-size = [0|number_entries] Description Limit for the maximum search size.Description LDAP server suffix that is to be ignored when searching for user and group information. Example ignore-suffix = o=tivoli. specified as an integer whole number. For example. This value can be limited by the LDAP server itself. Usage Optional Default value All defined suffixes are searched. Options 0 The number is unlimited. Example max-search-size = 2048 max-server-connections Syntax max-server-connections = number_connections Appendix C. There is no limit to the maximum search size. that can be returned from the LDAP server. any user or group that includes o=tivoli. The value for each server can be different. specified as the number of entries. number_entries The maximum number of entries for search. all defined suffixes in the LDAP server are searched when acquiring User and group information. Repeat this stanza entry for each suffix you want to be ignored.c=us as part of the DN is ignored. Configuration file stanza reference 281 .c=us. if you specify ignore-suffix = o=tivoli. Usage Optional Default value The default value is server-dependent. Note: This stanza entry can be used only in the ldap. The optional ignore-suffix parameter(s) will be honored. group. From this pool.Description Indicates the maximum number of connections that are allowed with the LDAP server. no|false Access Manager performs a baseless (global root) search of the entire namespace for user. a new connection is established with the LDAP server. The valid range for this parameter is 2-16. Usage Optional Default value If this parameter is not specified. and policy information. the default pool size is 16. Example max-server-connections = 16 novell-suffix-search-enabled Syntax novell-suffix-search-enabled = {yes|true|no|false} Description When the Novell eDirectory LDAP server is used as the user registry. and policy information using a baseless (global root) search or to automatically determine the set of naming contexts hosted by the LDAP server and search each defined naming context individually for user.conf configuration file. and policy information. and policy information. Access Manager uses this option to determine whether to search the entire directory namespace for user. this stanza entry can be used only in the ldap. For more information. The Tivoli Access Manager runtime maintains a pool of connections for each LDAP server. group. refer to "pdadmin commands" in the IBM Tivoli Access Manager for e-business: Command Reference. up to the maximum server connection pool size. This parameter is not available using the pdconfig utility. Options number_connections The maximum number of connections allowed with the LDAP server. an available connection is chosen to perform requests to the LDAP server. Default value no 282 Administration Guide . The parameter must be modified manually using the pdadmin command line (local login). Values greater than 16 are set to 16. Usage Optional. The optional ignore-suffix parameter(s) will be ignored. group. group. If all connections are busy. Options yes|true Access Manager performs naming context (suffix/partition) discovery and searches each naming context for user. Example The following example shows one replica that is specified and two replicas that are commented out: Appendix C. Options ldap-server The network name of the server. A number between 1 and 10. then load balancing occurs among the least busy of the servers. If multiple servers have the same preference value.Example novell-suffix-search-enabled = no port Syntax port = port Description Non-SSL IP port number that is used for communicating with the LDAP server. Configuration file stanza reference 283 . A valid port number is any positive number that is allowed by TCP/IP and that is not currently being used by another application. type pref Usage Optional Default value No replicas are specified. Either readonly or readwrite. pref Description Definition of the LDAP user registry replicas in the domain. The server with the highest preference is chosen for LDAP operations. port. type. Options port The value configured for the LDAP server. port The port number for the LDAP server. Usage Required Default value 389 Example port = 389 replica Syntax replica = ldap-server. where 10 is the highest preference. readonly. this parameter serves as a starting search location for the secAuthorityInfo object when Tivoli Access Manager is started.391. This stanza entry is required when the LDAP server is configured to perform client authentication (ssl-enabled = yes). If this parameter is set. Options port Any valid port number.readwrite.390.1 #replica = barney.replica = freddy. Usage Optional. then the entire set of suffixes will be searched.readwrite. Default value 636 284 Administration Guide .2 #replica = benny.392. Options suffix Suffix under which the secAuthorityInfo object is located. the specified suffix will be searched first to locate the secAuthorityInfo object for the domain. Usage Conditional. Example secauthority-suffix = c=US ssl-port Syntax ssl-port = port Description SSL IP port that is used to connect to the LDAP server. This parameter must be set manually using the pdadmin utility.conf" ldap secauthority-suffix "c=US" Default value No suffixes are specified. or if the secAuthorityInfo object is not located within the suffix specified by the parameter. as in the following example: >pdadmin login -l >pdadmin local>config modify keyvalue set "c:\Progra~1\Tivoli\Policy Director\etc\ldap. A valid port number is any positive number that is allowed by TCP/IP and that is not currently being used by another application.3 secauthority-suffix Syntax secauthority-suffix = suffix Description Provides a suffix under which the secAuthorityInfo object is located. If this parameter is not set. a hyphen (-). the value is set using the bassslcfg utility. Note: The internal interface that Tivoli Access Manager uses to access the LDAP server when "LDAP" is selected as registry type is called the IntraVerse Registry API (IRA). Use this value when you configure your own name for the domain. If the runtime has not been configured. domain_name Specifies the user-specified domain.Example ssl-port = 636 [manager] stanza The stanza entries for configuring the master server settings are located in the [manager] stanza of each of the following configuration files: v The ivacld.conf file. the IRA uses the value of the management-domain parameter in the pd. an ampersand (&). v For other configuration files. Function call are required to accurately specify the target domain for requests. and an asterisk (*).conf configuration file for the policy proxy server management-domain Syntax management-domain = {default|domain_name} Description Name of the management domain. Configuration file stanza reference 285 . case-sensitive string. an underscore (_). The domain_name value is an alphanumeric.S. the value is set using the svrsslcfg utility. or if the management-domain parameter is missing. an "at" symbol (@).conf configuration file when you use the authorization server v The pdmgrproxyd. then the management domain is assumed to be Default.conf configuration file for the authorization server v The pd. Options Default Specifies the Management domain. Usage Required Default value Default Example management-domain = mymgmtdomain Appendix C. the numbers 0-9. String values are expected to be characters that are part of the local code set.conf file.). You cannot use a space in the domain name. English are the letters a-Z. a plus sign (+). a period (. This value is created and set by one of the following utilities: v For the pd. If the IRA cannot determine the target domain from the ira_local_domain or ira_authority options. Valid characters for domain names for U. This value is the default value for all servers. v For all other configuration files.master-host Syntax master-host = server_hostname Description Host name of the Tivoli Access Manager server. Example master-host = ammaster master-port Syntax master-port = port Description TCP port on which the server listens for requests. the value is set using the bassslcfg utility. or use a port over 1000 that is currently not being used. the value is set using the svrsslcfg utility. Usage Required Default value The default value is server-dependent. Usage Required Default value There is no default value. Options port Any valid port number. This value is created and set by one of the following utilities: v For the pd. Example master-port = 7135 286 Administration Guide . A valid port number is any positive number that is allowed by TCP/IP and that is not currently being used by another application.company.com v mycomputer Options server_hostname Represents the valid name for the host. The following host names are valid: v mycomputer.conf file.city. Use the default port number value. including a blank value. SSL is automatically configured.[meta-info] stanza The stanza entry for configuring Tivoli Access Manager version information is located in the [meta-info] stanza of each of the following configuration files: v The ivmgrd. any Tivoli Access Manager server that is SSL enabled cannot communicate with the LDAP server. If the LDAP server is not SSL enabled. Do not modify the values in this file. LdapSSL Syntax LdapSSL = {ssl|nossl} Description Indication of whether to enable SSL communication on the LDAP server. Options ssl nossl Enables SSL communication. To properly configure these entries.conf configuration file for the policy server v The ivacld. Anything other than ssl.conf configuration file for the authorization server v The pd. [pdconfig] stanza This stanza defines the configuration key value pairs that are required for the LDAP server. use the pdconfig utility.conf configuration file for the policy proxy server version Syntax version = number Description Version of Tivoli Access Manager in decimal format. is interpreted as nossl. Note: This value is generated. Do not change it. Note: The entries in this stanza are for internal use only.conf configuration file when you use the authorization server v The pdmgrproxyd. Do not modify the values in this file. Example LdapSSL = nossl Appendix C. use the pdconfig utility. Usage Optional Default value The default value is server dependent. To properly configure these entries. Disables SSL communication. Configuration file stanza reference 287 . The entries in this stanza are for internal use only. This stanza entry is used when the LDAP server is configured to perform client authentication. For Windows operating systems. The set of characters permitted in a file name can be determined by the file system and by the local code set. use the pdconfig utility. String values are expected to be characters that are part of the local code set. Usage Conditional. use the pdconfig utility.kdb file. To properly configure these entries. Note: The entries in this stanza are for internal use only. The file extension can be anything. a question mark (?). The certificate files in a directory need to be accessible to the server user (or all users).kdb. a colon (:). path names and file names are case-sensitive. Platform Linux or UNIX Windows File name /opt/PolicyDirector/keytab/ivmgrd. but the extension is usually . To properly configure these entries. Use the SSL key file to handle certificates that are used in LDAP communication. Options ldap-ssl-key-filename The file name and location that represents an alphanumeric string that is not case-sensitive. Note: The entries in this stanza are for internal use only. ivmgr) or all users have permission to access the . For Linux and UNIX operating systems.LdapSSLKeyFile Syntax LdapSSLKeyFile = ldap-ssl-key-filename Description SSL key file name and location. 288 Administration Guide . file names cannot have a backward slash (\). Do not modify the values in this file. This stanza entry is required when LdapSSL = ssl.kdb file and the folder that contains the . Do not modify the values in this file. or double quotation marks ("). Make sure that the server user (for example.kdb Example LdapSSL = ssl LdapSSLKeyFile = /opt/PolicyDirector/keytab/ivmgrd.kdb LdapSSLKeyFileDn Syntax LdapSSLKeyFileDn = keyLabel Description Key label of the client certificate within the SSL key file.kdb c:\program files\tivoli\policy director\keytab\ivmgrd. Default value The following table shows the default value by platform. Usage Conditional. and other parameters are used to capture Tivoli Access Manager auditing and logging events. Example LdapSSL = ssl LdapSSLKeyFileDn = "PD_LDAP" LdapSSLKeyFilePwd Syntax LdapSSLKeyFilePwd = ldap-ssl-keyfile-password Description Password to access the SSL key file. Options ldap-ssl-keyfile-password The password that is associated with the SSL key file. Note: The entries in this stanza are for internal use only. Do not modify the values in this file. This stanza entry is required when LdapSSL = ssl.. Default value There is no default value. destination.conf configuration file. logcfg Syntax logcfg = audit.Options keyLabel Identifies the client certificate that is presented to the LDAP server. To properly configure these entries. Configuration file stanza reference 289 . use the pdconfig utility.] Description Enables logging and auditing for the application. Appendix C.. Example LdapSSL = ssl LdapSSLKeyFilePwd = mysslpwd [pdaudit-filter] stanza The stanza entry for Tivoli Access Manager auditing support is located in the [pdaudit-filter] stanza of the pdaudit. The default SSL key file is key4ssl.azn:[log-agent][[param[=value]] . Category. This stanza entry is required when LdapSSL = ssl. Default value There is no default value. Usage Conditional. Each server provides its own event logging setting in its corresponding configuration file. Also indicates that the destination where log-agent is one of the following agents: v stdout v stderr v file v pipe v remote param=value Allowable parameters. Usage Optional Default value Remove the pound signs (#) at the beginning of the configuration file lines to enable authentication or authorization auditing (or both) for the application. the destination of events. Refer to IBM Tivoli Access Manager for e-business: Troubleshooting Guide for information about the log agents and the configuration parameters.conf configuration file for the policy proxy server cache-database Syntax cache-database = {yes|no} Description Indication of whether in-memory caching of the policy database is enabled. Options yes no Enables in-memory caching of the policy database.log_id=audit_log [pdmgrproxyd] stanza The stanza entries for configuring the policy proxy server are located in the following configuration file: v The pdmgrproxyd.flush_interval=20.azn:file path=audit. The parameters vary.azn:log-agent Category of auditing event. Disables in-memory caching of the policy database. and the type of auditing you want to perform. Example logcfg = audit. Usage Required Default value no Example cache-database = yes 290 Administration Guide .log. Options audit. depending on the category. For Windows operating systems. Appendix C.log-file Syntax log-file = fully_qualified_path Description Location and name of the log file. a check is made to see if the routing file exists. Usage Required Default value The following table shows the default value by platform. the routing file is used and this stanza entry is ignored. file names cannot have a backward slash (\). Messages are redirected from STDOUT and STDERR and sent to the server log file as defined in the policy proxy server routing file (pdmgrproxyd_routing). the default installation directory is different. which specifies that the log files are for the Tivoli Access Manager common component. or double quotation marks ("). String values are expected to be characters that are part of the local code set. At startup of the policy proxy server. Platform Linux or UNIX Windows File name /var/PolicyDirector/log/msg__pdmgrproxyd_utf8. The set of characters permitted in a file name can be determined by the file system and by the local code set. Example The following example shows a Windows operating system without Tivoli Common Directory: log-file = c:\pd\log\msg__pdmgrproxyd_utf8. The policy proxy server relies on the routing file to determine the log file names and path. if you enabled Tivoli Common Directory to specify one common directory location for all your log files.log During installation of Tivoli Access Manager. a colon (:). Options fully_qualified_path Represents an alphanumeric string. this stanza entry is used. For Linux and UNIX operating systems.log The 3-character identifier used in the example is HPD. If it exists. path names and file names are case-sensitive.log The following example shows a Linux or UNIX operating system with Tivoli Common Directory: log-file = TCD_directory/HPD/logs/msg__pdmgrproxyd_utf8. a question mark (?).log c:\prograrm files\tivoli\policy director\log\ msg__pdmgrproxyd_utf8. otherwise. Configuration file stanza reference 291 . Platform Linux or UNIX Windows File name /var/PolicyDirector/log/pdmgrproxyd.pid Example pid-file = c:\pd\log\pdmgrproxyd. Usage Required Default value 8138 Example tcp-req-port = 8138 292 Administration Guide . Use any valid port number. Usage Required Default value The following table shows the default value by platform. For Linux and UNIX operating systems. or use a port number over 1000 that is currently not being used.pid tcp-req-port Syntax tcp-req-port = {0|port} Description TCP port on which the server is listening for requests. path names and file names are case-sensitive. or double quotation marks ("). a question mark (?). a colon (:). Options fully_qualified_path Represents an alphanumeric string.pid-file Syntax pid-file = fully_qualified_path Description Location and name of the PID file. file names cannot have a backward slash (\).pid c:\program files\tivoli\policy director\log\pdmgrproxyd. Options 0 port Disables the port number. A valid port is any positive number that is allowed by TCP/IP and that is not currently being used by another application. Use the default port number value. For Windows operating systems. Enables the port number. The set of characters permitted in a file name can be determined by the file system and by the local code set. String values are expected to be characters that are part of the local code set. The user name is set as the group owner of the policy proxy server files. The group name and user name are different items. The user name is set as the user owner of the proxy manager files.unix-group Syntax unix-group = group_name Description The Linux or UNIX group account for this server. Default value ivmgr Example unix-group = ivmgr unix-user Syntax unix-user = user_name Description The Linux or UNIX user account for this server. This stanza entry is required when working with Linux or UNIX group accounts. Configuration file stanza reference 293 . The validity of the group name specified depends on the requirements of the specific Linux or UNIX operating system. This stanza entry is required when working with Linux or UNIX user accounts. Usage Conditional. The group name and user name are different items. Options user_name Represents an alphabetic string for the name associated with the user account. Default value ivmgr Example unix-user = ivmgr Appendix C. and both can have the same value. Options group_name Represents an alphabetic string for the group associated with the user account. but both can have the same value. The validity of the user name specified depends on the requirements of the specific Linux or UNIX operating system. Usage Conditional. This stanza entry is required for Linux and UNIX operating systems only. Do not start the authorization server at system boot.conf configuration file when you use the authorization server When you use the Tivoli Access Manager authorization server. Options yes no Start the authorization server at system boot.conf configuration file. Do not start the policy server at system boot.[pdrte] stanza When the policy server is installed. Options yes no Start the policy server at system boot. you must have the pd. Default value no Example boot-start-ivacld = yes boot-start-ivmgrd Syntax boot-start-ivmgrd = {yes|no} Description Indication of whether to start the policy server at system boot. The stanza entries for automating server startup when using any of the user registries are located in the [pdrte] stanza of the following configuration file: v The pd. Usage Conditional. the policy server automatically starts after each system reboot. the authorization server daemon automatically starts after each system reboot. When the authorization server is installed. Usage Conditional. boot-start-ivacld Syntax boot-start-ivacld = {yes|no} Description Indication of whether to start the authorization server at system boot. This stanza entry is required for Linux and UNIX operating systems only. Default value no 294 Administration Guide . Example boot-start-ivmgrd = yes boot-start-pdproxyd Syntax boot-start-pdproxyd = {yes|no} Description Indication of whether to start the policy proxy server at system boot. file names cannot have a backward slash (\). Configuration file stanza reference 295 . Note: This value is generated. Options fully_qualified_path Represents an alphanumeric string. String values are expected to be characters that are part of the local code set. Do not start the policy proxy server at system boot. Usage Conditional. Default value no Example boot-start-pdproxyd = yes configured Syntax configured = {yes|no} Description Indication of whether the Tivoli Access Manager runtime package was configured. tivoli_common_dir Syntax tivoli_common_dir = fully_qualified_path Description File name and location for message files and trace log files. Appendix C. Options yes no Start the policy proxy server at system boot. Indicates whether Tivoli Common Directory is used. a question mark (?). path names and file names are case-sensitive. For Linux and UNIX operating systems. This stanza entry is required for Linux and UNIX operating systems only. Do not change it. a colon (:). or double quotation marks ("). For Windows operating systems. The set of characters permitted in a file name can be determined by the file system and by the local code set. Do not change it. Default value Refer to IBM Tivoli Access Manager for e-business: Troubleshooting Guide for more information about Tivoli Common Directory. user-reg-hostport Syntax user-reg-hostport = port Description Non-SSL IP port number that is used for communicating with the user registry server. Note: This value is generated during configuration. user-reg-server Syntax user-reg-server = server_name Description User registry server name.properties configuration file. This stanza entry is required when you configure the IBM Tivoli Access Manager Runtime for Java environment for Tivoli Common Directory (TCD) logging. Do not change it. Note: This value is generated during configuration. user-reg-type Syntax user-reg-type = {ldap|domino|active_directory} Description User registry type. 296 Administration Guide . [pdwpm] stanza The stanza entry for configuring Web Portal Manager information is located in the [pdwpm] stanza of the amconf. Note: This value is generated during configuration. Do not change it. user-reg-host Syntax user-reg-host = hostname Description User registry host name.Usage Conditional. Note: This value is generated during configuration. Do not change it. Use when Web Portal Manager is junctioned behind WebSEAL and WebSphere Application Server security is in use Usage Required Appendix C.This configuration file is in the /classes subdirectory of one of the following operating system-specific directories: For Linux and UNIX operating systems websphere_install_dir/WebSphere/AppServer/systemApps/isclite.ear/ iscwpm. when Web Portal Manager is junctioned behind WebSEAL or when WebSphere Application Server security is in use.ear\iscwpm. Usage Required Default value true authMethod Syntax authMethod = {FORM|BASIC|SSO|TAI} Description Specifies the authentication method. Options FORM BASIC SSO TAI Use when FORM-based login is needed.war directory contains the default GIF files for English locales. see “Customizing the Web Portal Manager interface” on page 28. For changes to the amconf. Use when basic authentication is needed. Configuration file stanza reference 297 .properties file to take effect. aclMembership Syntax aclMembership = {true|false} Description Indicates whether the ACL Management tab is shown for the User and Group properties page. restart the WebSphere server.war\ where websphere_install_dir is the directory where WebSphere is installed. Use for single sign-on. The /images/en subdirectory under the iscwpm.war/ For Windows operating systems websphere_install_dirProgram Files\IBM\WebSphere\AppServer\ systemApps\isclite. For additional information about customizing Web Portal Manager. By default. Do not display pages that allow Web Portal Manager users to change their passwords.war For delegate administration /delegate. Options true false Display pages that allow Web Portal Manager users to change their passwords. Passwords for Web Portal Manager must adhere to the password policies that is set by the administrator. Options file_name The name of the JSP or HTML file to load. The JSP or HTML file must in one of the following directories: For administration /pdadmin.jsp changePassword Syntax changePassword = {true|false} Description Indication of whether the password-change pages are displayed so that users can change their passwords with Web Portal Manager.war Usage Required Default value top_banner.jsp Example bannerFile = top_banner. passwords must contain a minimum of eight characters (consisting of at least one number and four letters) and a maximum of two repeated characters.Default value FORM Example authMethod = BASIC bannerFile Syntax bannerFile = file_name Description Specifies which JSP or HTML file is loaded. Usage Required 298 Administration Guide . gif Example infoBarGif = infobar_ibm.war directory for administration or /delegate.Default value true Example changePassword = false debug Syntax debug = {true|false} Description Determines whether the trace is permitted to be displayed to standard out (stdout) when an exception is thrown. Options file_name The name of the GIF file. Usage Required Default value false Example debug = true infoBarGif Syntax infoBarGif = file_name Description Specifies which image is shown in the on the bottom right of the page. The GIF file must in one of the following directories under the /pdadmin. Options true false Allows the trace information to be displayed to standard output.gif Appendix C.war directory for delegate administration: v /images v /images/locale Usage Required Default value infobar_ibm. Configuration file stanza reference 299 . Does not allow the trace information to be displayed to standard output. war directory for delegate administration: v /images v /images/locale Usage Required Default value accessmanager.gif Example loginGif = accessmanager. Note: This value is generated during configuration. This stanza entry requires the jrteHost stanza entry. The GIF file must in one of the following directories under the /pdadmin. Note: This value is generated during configuration. This stanza entry requires the jrteProps stanza entry.gif splashGif Syntax splashGif = file_name 300 Administration Guide . Do not change it. Options file_name The name of the GIF file.jrteHost Syntax jrteHost = hostname Description Indicates the host name of the system where the Tivoli Access Manager Runtime for Java package is installed and configured. jrteProps Syntax jrteProps = fully_qualified_path Description Indicates the file name and location of the properties file that is used by the Tivoli Access Manager Runtime for Java environment. loginGif Syntax loginGif = file_name Description Specifies which image is shown on the login page.war directory for administration or /delegate. Do not change it. conf configuration file for the authorization server The pd. read and thoroughly understand the concepts discussed in the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference.conf configuration file is provided with Tivoli Access Manager as a sample file for creating your own resource manager configuration file. and Policy pages are displayed. Developers of service plug-ins should provide the standard functions.war directory for administration or /delegate.war directory for delegate administration: v /images v /images/locale Usage Required Default value accessmanager. Usage Required Default value false [ssl] stanza The [ssl] stanza in the configuration file defines the Secure Sockets Layer (SSL) configuration settings for the Tivoli Access Manager servers. Before implementing service plug-ins. Group. Appendix C. The GIF file must in one of the following directories under the /pdadmin.conf configuration file for the policy proxy server Your resource managers' configuration file for configured SSL entries The aznAPI.gif Example splashGif = accessmanager. The stanza entries for configuring Tivoli Access Manager SSL settings are located in the [ssl-info] stanza of each of the following configuration files: v v v v v The ivmgrd.Description Specifies which image is shown on the Welcome page. GSO. Do not change it. This stanza entry is for internal use only. Configuration file stanza reference 301 . after the Login page Options file_name The name of the GIF file.conf configuration file when you use the authorization server The pdmgrproxyd.gif wasEmbedded Syntax wasEmbedded = {true|false} Description Indicates whether only the User.conf configuration file for the policy server The ivacld. conf configuration file. set this value using the mgrsslcfg utility to a value between 1 and 7299.conf configuration file. Note: This value is created and its value set during configuration for the authentication server and the policy proxy server. For the ivmgrd. it is set using the bassslcfg utility. v For all other configuration files. Any issued or renewed certificates must use this value. Options yes no Enables automatic certificate and password refresh. or four years. Use this utility to modify this value after initial configuration. This stanza entry is not used for the policy server.ssl-authn-type Syntax ssl-authn-type = certificate Description Type of authentication.conf configuration file. Disables automatic certificate and password refresh. Do not edit this stanza entry. (The default is 1460. Note: This value is set using a configuration utility. ssl-cert-life Syntax ssl-cert-life = number_days Description Value for the lifetime in number of days of a certificate. The new value is in effect only for certificates that are issued or that are renewed 302 Administration Guide . Default value certificate ssl-auto-refresh Syntax ssl-auto-refresh = {yes|no} Description Indication of whether automatic refresh of the SSL certificate and the key database file password occur. change the value and restart the policy server. it is set using the svrsslcfg utility. v For the pd.) The name and path are fixed for this configuration file. Do not edit this stanza entry. it is set using the mgrsslcfg utility. This value is created and its value set using one of the following utilities: v For the ivmgrd. To increase or decrease the value. If enable. Notes: 1. If both the certificate and the password to the key database file that contains the certificate expire. The password value is set using the mgrsslcfg utility. 3. SSL version 3 (SSLv3) is the secure communication protocol used. Transport Layer Security (TLS) version 1 (TLSv1) is the secure communication protocol used.conf configuration file. 2. Appendix C. If not enabled. set to no. it is set using the bassslcfg utility. increase this timeout value in the pd. Note: The timeout value is set using the configuration utility. To resolve this problem. This value is set by the configuration utility that is associated with each server. This timeout value is created.from that point on.conf configuration file. Example ssl-enable-fips = no ssl-io-inactivity-timeout Syntax ssl-io-inactivity-timeout = {0|number_seconds} Description Duration in seconds that an SSL connection waits for a response before timing out. ssl-enable-fips Syntax ssl-enable-fips = {yes|no} Description Determines whether Federal Information Process Standards (FIPS) mode is enabled.conf configuration file. set to yes. For certain administration request. it is set using the svrsslcfg. it is set using the mgrsslcfg utility. the password must be refreshed first. Usage Required Default value There is no default value. v For all other configuration files. Only the policy server uses this value. Do not edit this stanza entry. Configuration file stanza reference 303 . Options yes no Indicates that TLSv1 is the secure communication protocol. such as looking up members in a large user registry group over an SSL connection. Indicates that SSLv3 is the secure communication protocol. Do not edit this stanza entry. and the value is set using one of the following utilities: v For the ivmgrd. v For the pd. you might receive the HPDBA0219E error message when the timeout value is too small. is generated and set by the configuration utility. the key file is located in one of the following operating system-specific directories: Linux and UNIX operating systems /var/PolicyDirector/keytab Windows operating systems c:\program files\tivoli\policy director\keytab The certificate files in a directory need to be accessible to the server user (or all users). Quotation marks surrounding the label value are not permitted. Example ssl-io-inactivity-timeout = 300 ssl-keyfile Syntax ssl-keyfile = key-path Description File name and location on the local system of the SSL key file. This file is created. The file extension can be anything.kdb file and the folder that contains the .Options 0 No timeout is allowed. and the value is set using one of the following utilities: v For the ivmgrd. 304 Administration Guide .conf configuration file. it is set using the bassslcfg utility. v For all other configuration files. it is set using the mgrsslcfg utility. v For the pd. Usage Required Default value There is no default value.kdb file. but it is usually . This value is set by the configuration utility that is associated with each server. Note: The file name.conf configuration file. number_seconds Specifies the number of seconds that an SSL connection waits for a response before timing out. the application fails. If the key-value pair does not exist in the configuration file. ivmgr) or all users have permission to access the . By default. Make sure that server user (for example.kdb. Do not edit this stanza entry. it is set using the svrsslcfg utility. There is no range limitation for this timeout value. ssl-keyfile-label Syntax ssl-keyfile-label = label Description Label of key to use other than the default. including extension. it is set using mgrsslcfg utility v For the pd. The file extension can be anything. it is set using the bassslcfg utility. it is set using the svrsslcfg utility. including extension. this entry does not apply. v For all other configuration files. the resource manager cannot receive policy update notifications or pdadmin server task commands. and the name is defined by the –n option. but it is usually . Do not edit this stanza entry. Note: The file name. Note: The label is set by the configuration utility.This label is created. Options 0 Disables listening. and the value is set using one of the following utilities: v For the ivmgrd.conf configuration file. ssl-keyfile-stash Syntax ssl-keyfile-stash = stash-path Description File name and location of the SSL password stash file that is used to protect private keys in the key file. the key file is located in one of the following operating system-specific directories: Linux and UNIX operating systems /var/PolicyDirector/keytab Windows operating systems c:\program files\tivoli\policy director\keytab This file is created. the parameter should be modified only by issuing the scrsslcfg -chgport command so that the policy server knows that the listening port has been changed.conf configuration file. v For the pd. is generated and set by the configuration utility. ssl-listening-port Syntax ssl-listening-port = {0|port} Description TCP port to listen on for incoming requests. Do not edit this stanza entry. The path is defined by the –d option. it is set using the mgrsslcfg utility. Configuration file stanza reference 305 .conf configuration file. By default.sth. Note: Do not change this parameter directly. The value is specified during configuration by using the svrsslcfg utility. Otherwise. Appendix C. The password might be stored encrypted in the stash file. it is set using the svrsslcfg utility. Note: The policy server does not use this stanza entry. and the value is set using one of the following utilities: v For the ivmgrd. v For all other configuration files.conf configuration file. If this value is not in the configuration file. The domain name value is created during configuration. change it using the svrsslcfg utility. when configuring the policy proxy server. but you can change it using one of the following utilities: v For the ivmgrd. 306 Administration Guide . except for the policy server. There is no one default value. This value is then used in the call to the SSL configuration utility. Default value If not specified during configuration. Options number_threads Number of threads that can be specified. the default value is 0. the user is prompted for a port. Otherwise. ssl-maximum-worker-threads Syntax ssl-maximum-worker-threads = number_threads Description Number of threads that can be created by the server to handle incoming requests. Note: This value is set during configuration or set using the configuration utility. Usage Required Default value The default value is server-dependent. the value is server-dependent. with 8139 as the default. v For the pd. Do not edit this stanza entry. change it using the bassslcfg utility. The server runs on this domain. v For all other configuration files.conf configuration file.port Enables listening at the specified port number. Usage Required. because it is dependent on available system resources. because the configuration programs for each daemon specify its own default value.conf configuration file. change it using the mgrsslcfg utility. The valid range must be equal to or greater than 1. For example. Example ssl-listening-port = 8139 ssl-local-domain Syntax ssl-local-domain = {Default|domain_name} Description The name of the local domain. The valid range for port is any positive number that is allowed by TCP/IP and is not currently being used by another application. then operations that rely on its presence fail. The maximum number varies. If a certificate and the password to the key database file containing that certificate are both expired. it is set using the svrsslcfg utility. This timeout value is created. The number of days between 1 and 7299 is created. Do not edit this stanza entry. For automatic password renewal. the value is dictated by the value supplied to the svrsslcfg –chgpwd utility.conf configuration file.Example ssl-maximum-worker-threads = 50 ssl-pwd-life Syntax ssl-pwd-life = number_days Description Password lifetime for the key database file. it is set using the mgrsslcfg utility. The timeout value is set using the configuration utility. This value is also written into the appropriate configuration file. 2. v For all other configuration files. This timeout value controls how often a full SSL handshake is completed between Tivoli Access Manager clients and servers. v For the pd. it is set using the bassslcfg utility.conf configuration file. the password must be refreshed first. Appendix C. For manual password renewal. v For the pd. specified in the number of days. Notes: 1. The password value is set using the configuration utility. Do not edit this stanza entry. it is set using the mgrsslcfg utility.conf configuration file. v For all other configuration files. and the name is defined by the –n option.conf configuration file. it is set using the bassslcfg utility. The path is defined by the –d option. and the value is set using one of the following utilities: v For the ivmgrd. Tivoli Access Manager components might not function with small timeout values in some network environments. ssl-v3-timeout Syntax ssl-v3-timeout = number_seconds Description Session timeout in seconds for SSL v3 connections between clients and servers. Notes: 1. the value for the lifetime of a password is controlled by the number_days value when the server is started. and the value is set using one of the following utilities: v For the ivmgrd. it is set using the svrsslcfg. Configuration file stanza reference 307 . 2. and cache-lifetime stanza entries do not appear in ivmgrd.[ssl] stanza for ldap. operations that rely on its presence fail.conf configuration file for the policy proxy server Your resource managers' configuration file for configured registry types that are not LDAP The aznAPI.conf. You can set additional stanza entries in the [uraf-registry] stanza of the activedir. because the policy server object should not be cached. The stanza entries for configuring URAF-based registry settings for the server are located in the [uraf-registry] stanza of the following configuration files: v v v v The ivmgrd. Before implementing service plug-ins.conf configuration file. Note: This value is created and set by using the svrsslcfg utility.conf. or domino. The configuration file that is used depends on the type of URAF user registry that you configure. If this value is not set in the configuration file.conf configuration file for the policy server The ivacld. activedir_ldap. The stanza entries for configuring SSL settings are located in the [ssl] stanza of the following configuration file: v The ldap.conf configuration file that is provided with Tivoli Access Manager is a sample file for creating configuration files for your own resource managers.conf. activedir_ldap.conf configuration file for the LDAP server ssl-local-domain Syntax ssl-local-domain = {Default|domain_name} Description The name of the local domain. read and thoroughly understand the concepts discussed in the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference. Note: Do not place the following stanza entries in the [uraf-registry] stanza of the activedir. Developers of service plug-ins should provide the standard functions. The cache-mode.conf.conf configuration file defines the SSL configuration settings for the LDAP server.conf configuration file for the authorization server The pdmgrproxyd. or domino.conf configuration files. with the exception of the cache-related items that must be manually updated by the Tivoli Access Manager administrator. Do not edit this stanza entry. [uraf-registry] stanza A User Registry Adapter Framework (URAF) stanza is required when the configured registry type is not LDAP. Most information in this stanza is filled in during configuration.conf configuration files: v uraf-registry-config v bind-id 308 Administration Guide . The server runs on this domain.conf The ldap. cache-size. Only the server uses this ID. disabled Turns the cache off. You would enable the cache mode to improve the performance of repetitive Read actions on a specified object. a Lotus Notes ID file provides the bind ID equivalent. Performance for Write actions would not be improved. Caching opens a small window for users to go from server to server in order to bypass the maximum number of failed login attempts. the user must have privileges to update and modify data in the user registry. For an IBM Lotus Domino user registry. cache-mode Syntax cache-mode = {enabled|disabled} Description Mode for caching that represents the cache being either turned on or turned off. Options enabled Turns the cache on. If the ID belongs to a user rather than an administrator. except the policy server Default value enabled Example cache-mode = enabled cache-lifetime Syntax cache-lifetime = number_seconds Appendix C. You would disable the cache mode for better security. Configuration file stanza reference 309 . because you do not want to cache the policy server object. Do not change it. Usage Optional.conf configuration file. Note: This stanza entry is not in the ivmgrd. such as: login performance that is done more than once a day. normally provided for all Tivoli Access Manager servers. Note: This value is generated during configuration.bind-id Syntax bind-id = server_id Description The login identity of the server administrator or of the user that is used to bind (sign on) to the registry server. Note: This stanza entry is not in the ivmgrd.[. the default value is used. because you do not want to cache the policy server object. a setting of 251 might work well. For example.Description Number of seconds that the objects are allowed to stay in the cache. A smaller number of seconds negates the cache advantage for user-initiated Reads. Options number_objects Maximum number of objects (as a prime number) for the cache count between 3 and a maximum number that is logical for the task and that does not affect performance. the value is a list of one or more object types and their cache counts. if it is not numeric. because you do not want to cache the policy server object.conf configuration file. If cache-mode = enabled and this stanza entry is not used. the longer the repetitive Read advantage is held.. If cache-mode = enabled and this stanza entry is not used. if only 200 of those users log in and out repetitively during the day. Options number_seconds The timeout specified in number of seconds between 1 and 86400. Non-prime numbers are rounded up to the next higher prime number. However.conf configuration file. Usage Optional Default value 30 Example cache-lifetime = 63200 cache-size Syntax cache-size = {number_objects|object_type:cache_count_value. Or. the longer the time specified. 310 Administration Guide . For performance tuning.. a setting of 251 might not be good if you have 1000 users logging in and out several times a day. Note: This stanza entry is not in the ivmgrd. If the number fails.]} Description Maximum number of objects for a particular object type that can be in the cache at one time without hash table collisions. the default value for cache size is used. Performance tuning depends on how much memory is dedicated to a cache or how many objects you typically have repetitive read operations on (such as how many users you have logging in a day). conf v activedir_ldap. This stanza entry is required for URAF user registries only. a question mark (?). Usage Conditional. but it can be changed.group:251.conf Appendix C. The set of characters permitted in a file name can be determined by the file system and by the local code set. resgroup. Options fully_qualified_path Represents an alphanumeric string.object_type:cache_count_value List of one or more object types and their cache counts. For Linux and UNIX operating systems. or double quotation marks (").rescreds:251. and rescreds objects: cache-size = user:251. file names cannot have a backward slash (\). String values are expected to be characters that are part of the local code set. The following example sets the cache to 251 objects for each of the user and group objects. The default URAF registry configuration files can be one of the following files: v domino. Configuration file stanza reference 311 . resource. For Windows operating systems.conf Example The following Windows example uses an IBM Domino server as the user registry from a Windows client: uraf-registry-config = c:\program files\tivoli\policy director\etc\ domino. Usage Optional Default value The default value is server-specific. uraf-registry-config Syntax uraf-registry-config = fully_qualified_path Description File name and location of the URAF registry configuration file for Tivoli Access Manager. group. cache-size = user:251. a colon (:).conf v activedir.resgroup:251. Default value The default value is server-specific. Example The following example sets the cache to a total of 251 object: cache-size = 251 The following example sets the cache to 251 objects for each of the user. It is generated. The other object types are not cached.group:251.resource:251. path names and file names are case-sensitive. When set to yes. Anything other than yes.conf configuration file to configure IBM Lotus Domino as the user registry server enabled Syntax enabled = {yes|no} Description Indication of whether Domino is being used as the user registry.conf The stanza entries for configuring an IBM Lotus Domino server as the URAF user registry are located in the [uraf-registry] stanza of the following configuration file: v The domino.conf The following Windows example uses a Microsoft Active Directory server as a user registry from a Windows 2003 client: uraf-registry-config = c:\program files\tivoli\policy director\etc\ activedir_ldap.The following Windows example uses a Microsoft Active Directory server as a user registry from Windows Active Directory Domain or from a client of an Active Directory Domain. the configuration file must set the following entities: v server v PDM v NAB Options yes no Indicates that Domino is the user registry. is interpreted as no. Usage Required Default value no Example enabled = yes NAB Syntax NAB = nsf_filename 312 Administration Guide . uraf-registry-config = c:\program files\tivoli\Policy Director\etc\ activedir. including a blank value.conf The following example using an Microsoft Active Directory server as the user registry from a UNIX client: uraf-registry-config = /opt/PolicyDirector/etc/activedir_ldap.conf [uraf-registry] stanza for domino. Indicates that Domino is not the user registry. nsf file name conforms to the underlying operating system file naming conventions of the Domino server. Options nsf_filename The names. The recommended file name extension is . Options nsf_filename Represents a Domino database file name.nsf. Usage Conditional. The database is set at configuration time and cannot be changed. Default value names. The file name conforms to the underlying operating system file naming conventions of the Domino server.nsf server Syntax server = server_name Description Name of the IBM Lotus Domino server. Default value PDMdata. Configuration file stanza reference 313 . Usage Conditional.nsf.nsf Example PDM = PDMdata. This stanza entry is required when enabled = yes. Options server_name Appendix C.nsf Example NAB = names.nsf PDM Syntax PDM = nsf_filename Description Tivoli Access Manager meta-data database. The database is created on the Domino server during configuration and cannot be changed. This stanza entry is required when enabled = yes. The file name extension must always be .Description IBM Lotus Domino Name and Address Book (NAB) database. Represents an alphanumeric string that is not case-sensitive. String values are expected to be characters that are part of the local code set. The minimum and maximum lengths of the name are imposed by the underlying registry. Usage Conditional. This stanza entry is required when enabled = yes. Default value There is no default value. Example server = grizzly/Austin/IBM Where grizzly is the host name of the Domino server machine and the remainder of the name is the Domino domain name. uraf-return-registry-id Syntax uraf-return-registry-id = {yes|no} Description Indicates whether the URAF registry returns the TAM user identity as it is stored in the registry or the value entered by the user. Note: Refer to Appendix A, “Guidelines for changing configuring files,” on page 199 for guidelines on changing configuration file properties. Options yes Return the TAM user identity as it is stored in the registry. This option returns the user identity exactly as it was created and preserved in the registry. Return the TAM user identity as the value is entered by the user. no Usage Optional Default value no Example uraf-return-registry-id = no [uraf-registry] stanza for activedir.conf The stanza entries for configuring a Microsoft Active Directory server as the URAF user registry are located in the [uraf-registry] stanza of the following configuration file: v activedir.conf to configure Microsoft Active Directory as the URAF user registry dnforpd Syntax dnforpd = ad_dn 314 Administration Guide Description Distinguished name that is used by Active Directory to store Tivoli Access Manager data. Note: This stanza entry is set during configuration. Do not edit this entry. domain Syntax domain = root_domain_name Description Active Directory root (primary) domain. Note: This name is domain-dependent, based on what you selected during the configuration of the Tivoli Access Manager runtime. Do not edit this entry. dynamic-groups-enabled Syntax dynamic-groups-enabled = {yes|no} Description Indication of dynamic group support. Note: Microsoft supports Active Directory dynamic groups only for Windows Server 2003 and beyond. Do not change this value if Active Directory is not capable of handling dynamic groups. For information about setting up your environment to enable an Active Directory registry to handle dynamic groups, consult the Microsoft Web site. Options yes no Tivoli Access Manager attempts to resolve dynamic group membership. Tivoli Access Manager does not attempt to resolve dynamic group membership. Usage Optional Default value no Example dynamic-groups-enabled = yes enabled Syntax enabled = {yes|no} Description Indication of whether Active Directory is being used as the user registry. Appendix C. Configuration file stanza reference 315 Options yes no Indicates that Active Directory is the user registry. Indicates that Active Directory is not the user registry. Anything other than yes, including a blank value, is interpreted as no. Usage Conditional. This stanza entry is required when your user registry is Microsoft Active Directory. Default value no Example enabled = yes hostname Syntax hostname = host_name Description Active Directory DNS host name. Note: This value is automatically filled in during the configuration of the Tivoli Access Manager runtime. Do not edit this entry. multi-domain Syntax multi-domain = {true|admd|false} Description Indication of whether the domain is a single domain configuration or a multi-domain configuration. Selection is made during the configuration of the Tivoli Access Manager runtime. Note: This stanza entry is set during configuration. Do not edit it. uraf-return-registry-id Syntax uraf-return-registry-id = {yes|no} Description Indicates whether the URAF registry returns the TAM user identity as it is stored in the registry or the value entered by the user. Note: Refer to Appendix A, “Guidelines for changing configuring files,” on page 199 for guidelines on changing configuration file properties. Options yes Return the TAM user identity as it is stored in the registry. This option returns the user identity exactly as it was created and preserved in the registry, which is case-sensitive. 316 Administration Guide no Return the TAM user identity as the value is entered by the user. Usage Optional Default value no Example uraf-return-registry-id = no use-email-as-user-id Syntax use-email-as-user-id = {yes|no} Description Indicates whether support is enabled for using an alternate format for the userPrincipalName registry attribute. This support ensures that Tivoli Access Manager works with the Microsoft Active Directory registry when the userPrincipalName attribute of the Active Directory user object is required to have a non-default value. Note: To fully enable this support, this option must be enabled in all Tivoli Access Manager runtime configured environments. Options yes no Support is enabled for using an alternate format for the userPrincipalName registry attribute. Support for an alternate format userPrincipalName is disabled. Usage Conditional. This stanza entry is required when your user registry is Microsoft Active Directory. Default value no Example use-email-as-user-id = no useEncryption Syntax useEncryption = {true|false} Description Indication of whether encryption communication to Active Directory is being used. Note: This value is specified during the configuration of the Tivoli Access Manager runtime. Do not edit this entry. Appendix C. Configuration file stanza reference 317 [uraf-registry] stanza for activedir_ldap.conf When you use an LDAP client to retrieve data for the Active Directory user registry that the Tivoli Access Manager server is configured to, you must have the activedir_ldap.conf server configuration file. Use this configuration file to customize the operation of each Active Directory registry server. The stanza entries for configuring the Microsoft Active Directory as the user registry on a Tivoli Access Manager server are located in the [uraf-registry] stanza of the following configuration file: v activedir_ldap.conf change-pwd-using-ldap-api Syntax change-pwd-using-ldap-api = {yes|no} Description Indicates whether password change requests are performed using a direct LDAP connection to the Active Directory server. When this option is set to yes, the Policy Server does not need to be available to process the password change request. Notes: 1. To implement this functionality across an enterprise system, this option must be enabled (set to yes) in every IBM Tivoli Access Manager run-time configured environment in which change password requests are to be handled using LDAP APIs rather than the Policy Server. 2. Before this option is enabled, Tivoli Access Manager must be configured for Secure Socket Layer (SSL) for a connection between the LDAP client and the Active Directory server. The Active Directory environment must also be able to accept LDAP connections over SSL. Options yes Indicates that password change requests are performed using a direct LDAP connection to the Active Directory server; the Policy Server does not need to be available. Indicates that password change requests are performed using the Access Manager Policy Server and are treated as password resets. no Usage Conditional. This stanza entry is required when your user registry is Microsoft Active Directory. Default value no Example change-pwd-using-ldap-api = no dnforpd Syntax dnforpd = ad_dn 318 Administration Guide Description Distinguished name that is used by Active Directory to store Tivoli Access Manager data. Note: This stanza entry value is set during configuration. Do not change it. domain Syntax domain = secondary_domain_name Description Name of Active Directory secondary or child domain host name. This host name is in the same forest as the root domain, its host name, and zero or more replica host names. This name is domain-dependent, based on what you select during the configuration of the Tivoli Access Manager runtime. For the Active Directory single domain configuration, either primary-domain= or domain= can be used to enter the domain name information. For the Active Directory multiple domain configuration, multiple domain name entries are allowed. Options secondary_domain_name An alphanumeric, case-sensitive string. String values are expected to be characters that are part of the local code set. The maximum length for the domain name is user registry dependent. For Active Directory that maximum length is 256 alphanumeric characters. Use the following format to specify a domain: domain = nnn|hhh[|rrr1[|rrr2[|...]]] Where: nnn hhh rrr The primary domain name. The name format can be either child.ibm.com or dc=child,dc=ibm,dc=com. The primary domain host name or IP address. The primary domain replica host name or IP address. Square brackets ([]) show entries that are optional and the required vertical bar (|) acts as a separator. Usage Conditional. This stanza entry is required when your user registry is Microsoft Active Directory and when the multi-domain entry is set to true or admd. Default value There is no default value. Example domain = dc=child,dc=ibm,dc=com|adhost.child.ibm.com|adhostreplica.child.ibm.com Appendix C. Configuration file stanza reference 319 dynamic-groups-enabled Syntax dynamic-groups-enabled= {yes|no} Description Indication of dynamic group support. Note: Before enabling dynamic group support on blade servers, you must first enable dynamic group support on the policy server. Remember that while dynamic group support must be enabled on the policy server, you can disable this option for a blade server. If disabled, the blade server cannot benefit from dynamic group support. Options yes no Tivoli Access Manager attempts to resolve dynamic group membership. Tivoli Access Manager does not attempt to resolve dynamic group membership. Usage Optional Default value no Example dynamic-groups-enabled = no enabled Syntax enabled = {yes|no} Description Indication of whether Active Directory is being used as the user registry. When set to yes, the following entries must be set: v ssl-keyfile v ssl-keyfile-pwd Options yes no Indicates that Active Directory is the user registry. Indicates that Active Directory is not the user registry. Anything other than yes, including a blank value, is interpreted as no. Usage Conditional. This stanza entry is required when your user registry is Microsoft Active Directory. Default value no Example enabled = yes 320 Administration Guide ldap-client-timeout Syntax ldap-client-timeout = {0|number_seconds} Description Amount of time that is allowed for to LDAP simple bind and LDAP searches before the LDAP client is considered to be down. Options 0 Unlimited amount of time for synchronous operations only. number_seconds Amount of time, in seconds, allowed for asynchronous operations. The number of seconds is specified as a positive whole number. The suggested range is between 240 to 900. Usage Required Default value 0 Example ldap-client-timeout = 520 max-connections-per-ad-domain Syntax max-connections-per-ad-domain = {2-16} Description Specifies the number of concurrent connections with each Microsoft Active Directory domain. Usage Conditional. This stanza entry is required when your user registry is Microsoft Active Directory. Default value 16 Example max-connections-per-ad-domain = 16 multi-domain Syntax multi-domain = {true|admd|false} Description Indication of whether the domain is a single-domain configuration or a multi-domain configuration. Selection is during the configuration of the Tivoli Access Manager runtime. Note: This stanza entry is set during configuration. Do not edit it. Appendix C. Configuration file stanza reference 321 Usage Required Default value There is no default value. but the extension is usually .kdb. Only one primary domain entry is allowed.primary-domain Syntax primary-domain = primary_domain_name Description Active Directory primary domain host name. 322 Administration Guide ..]]] Where: nnn hhh rrr The primary domain name.. This name is domain-dependent.com|adprimreplica1. based on what you select during the configuration of the Tivoli Access Manager runtime.dc=com|adprim. The primary domain host name or IP address. For the Active Directory multi-domain configuration. and zero or more replica host names. The primary domain replica host name or IP address. Use the SSL key file to handle certificates that are used in LDAP communication.ibm. Square brackets ([]) show entries that are optional and the required vertical bar (|) acts as a separator.com or dc=ibm. the primary domain entry must contain the root domain information. For Active Directory that maximum length is 256 alphanumeric characters. String values are expected to be characters that are part of the local code set.dc=com. The maximum length for the domain name is user registry dependent. case-sensitive string. Example primary-domain = dc=ibm.ibm. Use the following format to specify a domain: primary-domain = nnn|hhh[|rrr1[|rrr2[|. The file extension can be anything. Options primary_domain_name An alphanumeric.com ssl-keyfile Syntax ssl-keyfile = ldap-ssl-key-filename Description SSL key file name and location. The name format can be either ibm. For the Active Directory single domain configuration. either the primary-domain = entry or the domain = entry can be used for the domain information. This stanza entry is required when the LDAP server is configured to perform client authentication. The key label must be enclosed in double quotation marks. The maximum string length for the Active Directory user registry is 256 alphanumeric characters.kdb c:\program files\tivoli\policy director\keytab\server_name. a colon (:).kdb file. String values are expected to be characters that are part of the local code set.kdb Example ssl-keyfile = /opt/PolicyDirector/keytab/ivmgrd. This stanza entry is required when ssl-enabled = yes.kdb ssl-keyfile-label Syntax ssl-keyfile-label = key_label Description Specifies the key label that is used to identify the client certificate. Example ssl-keyfile-label = "PDLDAP" Appendix C. path names and file names are case-sensitive. Usage Conditional. Default value The following table shows the default value by platform. Options key_label An alphanumeric string that is not case-sensitive. For Windows operating systems. Default value There is no default value. ivmgr) or all users have permission to access the . It is the key label of the client certificate within the SSL key file. that is presented to the LDAP server. The minimum and maximum lengths of the ID. are imposed by the underlying registry. Usage Conditional. or double quotation marks ("). The location and file name value represents an alphanumeric string that is not case-sensitive.kdb file and the folder that contains the . if there are limits.The certificate files in a directory need to be accessible to the server user (or all users). String values are expected to be characters that are part of the local code set. For Linux and UNIX operating systems. The set of characters permitted in a file name can be determined by the file system and by the local code set. a question mark (?). Make sure that the server user (for example. Platform Linux or UNIX Windows File name /opt/PolicyDirector/keytab/server_name. file names cannot have a backward slash (\). Configuration file stanza reference 323 . Return the TAM user identity as the value is entered by the user. Example ssl-keyfile-pwd = key4ssl uraf-return-registry-id Syntax uraf-return-registry-id = {yes|no} Description Indicates whether the URAF registry returns the TAM user identity as it is stored in the registry or the value entered by the user. Default value There is no default value. no Usage Optional Default value no Example uraf-return-registry-id = no use-email-as-user-id Syntax use-email-as-user-id = {yes|no} Description Indicates whether support is enabled for using an alternate format for the userPrincipalName registry attribute.ssl-keyfile-pwd Syntax ssl-keyfile-pwd = ldap-ssl-keyfile-password Description Password to access the SSL key file. Note: Refer to Appendix A. This stanza entry is required when enabled = yes. Options yes Return the TAM user identity as it is stored in the registry. This option returns the user identity exactly as it was created and preserved in the registry. This support ensures that Tivoli Access 324 Administration Guide . The password associated with the default SSL key file is key4ssl.” on page 199 for guidelines on changing configuration file properties. Usage Conditional. “Guidelines for changing configuring files. Configuration file stanza reference 325 . Options yes no Support is enabled for using an alternate format for the userPrincipalName registry attribute.tivoli. This value must be set and in effect prior to enabling support for alternate UPNs. the ad-gc-server entry must also be modified to add the hostname(s) for the global catalog server.com ad-gc-port Syntax ad-gc-port = {3268|3269} Appendix C. This property accepts multiple values. this option must be enabled in all Tivoli Access Manager runtime configured environments. Usage Required when the use-email-as-user-id option is enabled (use-email-as-user-id = yes). Default value no Example enabled = no ad-gc-server Syntax ad-gc-server = gc_server_hostname Description Specifies the Active Directory hostname for the Global Catalog server. Default value none Example ad-gc-server = gc-server1.tivoli.Manager works with the Microsoft Active Directory registry when the userPrincipalName attribute of the Active Directory user object is required to have a non-default value.com ad-gc-server = gc-server2. Support for an alternate format userPrincipalName is disabled. Note: To fully enable this support. Options gc_server_hostname Active Directory hostname for the Global Catalog server. This stanza entry is required when your user registry is Microsoft Active Directory. If this property is enabled manually using the pdadmin utility. Usage Conditional. read and thoroughly understand the concepts discussed in the IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference. This stanza can be found or placed into any of the Tivoli Access Manager configuration files. Default value none UseSSL Syntax UseSSL = {yes|no} Description Indication of whether to use SSL. except for the pd. 326 Administration Guide . Developers of service plug-ins should provide the standard functions. Options yes no Specifies that you want to use SSL.Description Specifies the port number for the Active Directory Global Catalog on the Global Catalog server. Before implementing service plug-ins. Usage Required Default value yes Example usessl = no [xmladi-attribute-definitions] stanza The stanza entries for configuring the Access Decision Information Extensible Markup Language (ADI XML) document attribute definitions are located in the [xmladi-attribute-definitions] stanza. Note: This value is automatically set and should not be modified manually. The aznAPI. Specifies that you do not want to use SSL. Port number reserved by Microsoft Active Directory for Global Catalog in an SSL environment.conf configuration file is provided with Tivoli Access Manager as a sample file for creating your own resource manager configuration file. Options 3268 3269 Port number reserved by Microsoft Active Directory for Global Catalog in a non-SSL environment. Usage Required when the use-email-as-user-id option is enabled (use-email-as-user-id = yes).conf configuration file. Configuration file stanza reference 327 . “Authorization rules management. </XMLADI> --> Usage Required Example xmlns:myNS = "http://myURI. The ADI XML model requires that the XML document contains the following top-level XML element into which all target ADI for a particular rule evaluation is inserted.com" appID=’"Jupiter" .XML formatted ADI are inserted here.Account Management Web Portal Server #1.’ The attribute value must be enclosed in either double or single quotation marks.” on page 119. The following XMLADI element start tag defines these attributes: <XMLADI xmlns:myNS="http://myURI.Account Management Web Portal Server #1.AttributeName Syntax AttributeName = "AttributeValue" Description Definition of ADI XML document attributes that are inserted into the XML ADI element start tag to enable attributes to be defined for the entire XML ADI document and for all ADI defined in the XML ADI document. The XMLADI element is created automatically as part of the rule evaluation process <XMLADI> <!-.’> For more information.com" appID = ’"Jupiter" .mycompany. see Chapter 10.mycompany. Appendix C. 328 Administration Guide . v When using an LDAP user registry. Tivoli Access Manager enforces its own Password Policy first and foremost.Appendix D. When using a URAF user registry. v To take advantage of the multi-domain support in Tivoli Access Manager. After this capability is granted. If Tivoli Access Manager can map this return code without any ambiguity with the corresponding Tivoli Access Manager error code. LDAP concerns The following concerns are specific to all of the supported LDAP user registries: v There are no configuration steps needed in Tivoli Access Manager to make it support LDAP's own Password Policy. you must use an LDAP user registry. 2010 329 . This release of Tivoli Access Manager supports LDAP and URAF user registries. Tivoli Access Manager supports the following LDAP user registries: v Tivoli Directory Server v IBM z/OS Security Server LDAP Server v Novell eDirectory Server v Sun Java System Directory Server v Sun ONE Directory Server v Microsoft Active Directory Application Mode (ADAM) Tivoli Access Manager supports the following URAF user registries: v Microsoft Active Directory Server v Lotus Domino Server General concerns The following concerns are specific to all of the supported user registries: v Avoid using the forward slash (/) character when defining the names for users and groups when that name is defined using distinguished names strings. the capability to own global sign-on credentials must be explicitly granted to a user. 1999. only a single Tivoli Access Manager domain is supported. Each user registry treats this character differently. it © Copyright IBM Corp. v Avoid using leading and trailing blanks in user and group names. Tivoli Access Manager does not assume the existence or non-existence of LDAP's own Password Policy at all. Each user registry treats blanks differently. User registry differences Each user registry presents unique concerns when integrated with Tivoli Access Manager. Tivoli Access Manager will attempt to update password in LDAP only when the provided password passes Tivoli Access Manager's own Password Policy check. it will do so and will return a proper error message. After that Tivoli Access Manager tries to accommodate LDAP's own Password Policy to the best of its ability using the return code that its get from LDAP during a password related update. v Leading and trailing blanks in user names and group names are ignored when using an LDAP user registry in a Tivoli Access Manager secure domain. For 330 Administration Guide . or type -1 to define no maximum limit. When this service is used with an LDAP user registry. 3. Microsoft Active Directory Application Mode (ADAM) concerns The following concerns are specific to ADAM. users that are created in a URAF user registry are automatically given this capability. This service is used to retrieve user attributes from a user registry. However.can subsequently be removed. The ADAM registry requires the value of cn to be the same as the cn naming attribute in the distinguished name (dn) attribute. Select the LDBM Plug-in Settings tab. v The Tivoli Access Manager authorization API provides a credentials attribute entitlements service. To ensure consistent processing regardless of the user registry. or integer data. When creating a user or group in Tivoli Access Manager. Conversely. This capability cannot be removed. specify the same value for cn as the cn naming attribute in the dn. 2. the look-through limit is unlimited and overrides any settings specified in this field. 5. the default value is 5000. v The common name (cn) attribute is a single-value attribute and can store only one value. when used with a URAF user registry. v Policy Server configuration allows you to select between a standard or minimal data model for the user registry. the directory server might return the following status that Tivoli Access Manager treats as an error: LDAP_ADMINLIMIT_EXCEEDED When the directory server is installed. If you bind the directory as the Directory Manager. type the maximum number of entries that you want the server to check in response to the search. define user names and group names without leading or trailing blanks. v Attempting to add a single duplicate user to a group does not produce an error when using an LDAP user registry. Expand the Data entry. Tivoli Access Manager ignores the value of the cn attribute if it is different from the value of the cn naming attribute in the dn. Because ADAM allows only a single naming attribute to be used when creating LDAP objects. perform the following steps from the Sun Java System Directory Server Console: 1. To modify this value. In the Look-through Limit field. 4. Sun Java System Directory Server concerns The following concerns are specific to Sun Java System Directory Server: v If the user registry contains more entries than the defined look-through limit. binary data. Select the Configuration tab. Select Database Settings. the retrieved attributes can be string data or binary data. ADAM requires the minimal data model. Access Manager always uses the minimal data model when ADAM is selected as the user registry. the retrieved attributes can be string data. Regardless of which data model is chosen during Policy Server configuration. use an LDAP user registry. define user names and group names without leading or trailing blanks.c=us fred smith password1 URAF concerns The following concerns are specific to the supported URAF user registries: v When using a URAF user registry. user1: pdadmin user create user1 cn=user1. the retrieved attributes can be only string data or binary data.o=ibm. binary data. The lastLogin value in blade server cache and the registry might not be synchronized. After this capability is granted. Microsoft Active Directory Server concerns In addition to the general URAF-specific concerns. you cannot use the following command to create a user because the value of the cn attribute. it can subsequently be removed. the pdadmin user show command shows the latest lastLogin value. To ensure consistent processing. v Users created in a URAF user registry are automatically given the capability to own global sign-on credentials. The pdadmin command queries information directly from the registry while the blade server keeps the lastLogin value in cache until the cache expires and user activity exists. you must define that name using distinguished name designations. Lotus Domino Server concerns In addition to the general URAF-specific concerns. or integer data. when used with an LDAP user registry. fred. the following concerns are specific to Microsoft Active Directory Server: Appendix D. use the following command: pdadmin user create myuser cn=username/o=locinfo test test testpwd v When the following conditions occur. only one Tivoli Access Manager domain is supported. to create a user with the distinguished name string username/locinfo. This capability cannot be removed.example. However. For example. If the cache is disabled for a Tivoli Access Manager blade server. this capability must be explicitly granted. the lastLogin value reported by the pdadmin user show command might not reflect the actual last login time of the user: – URAF cache is enabled on a Tivoli Access Manager blade server such as WebSEAL. v The Tivoli Access Manager authorization API provides a credentials attribute entitlements service. the retrieved attributes can be string data. This service is used to retrieve user attributes from a user registry. User registry differences 331 . is different from the cn naming attribute in the dn. regardless of the user registry. To take advantage of the Tivoli Access Manager multidomain support. When using an LDAP user registry. – The provide-last-login property is set in the Policy Server configuration file to show the last login time stamp. the following concerns are specific to Lotus Domino Server: v Leading and trailing blanks in user names and group names are significant when using Lotus Domino Server as the user registry in a Tivoli Access Manager secure domain. v When creating names for users or groups and that name is defined with a distinguished name string that contains a forward slash (/) character. When this service is used with a URAF user registry. the query result does not display the primary group of the user. Additionally. v Tivoli Access Manager does not support cross domain group membership or universal groups. When a user logs in successfully. Tivoli Access Manager uses the Active Directory user attribute lastLogonTimestamp to report the last login time of the user. For this reason. v Users created in Active Directory may have an associated primary group. When a user logs in successfully. The Active Directory default primary group is Domain Users. This attribute is not updated every time a user logs in successfully. this attribute is only updated if its current value is older than the current time minus the value of the msDS-LogonTimeSyncInterval attribute. the result does not include any members for whom the group is the primary group. providing the blade server with the ability to read dynamic group data. This means that when Tivoli Access Manager queries for a list of members of a group. such as inaccurate group membership. Manually removing this read permission while Tivoli Access Manager is configured to the Active Directory registry results in adverse behavior. v If the option to change a user's password using LDAP APIs is enabled in an environment where: – Tivoli Access Manager is configured to use the Active Directory user registry and – Tivoli Access Manager blade servers use LDAP APIs to communicate with the Active Directory server. such as WebSEAL. to have read permission to the registry authorization store.v For Microsoft Active Directory registry. this attribute is only updated if its current value is older than the current time minus the value of the msDS-LogonTimeSyncInterval attribute. Tivoli Access Manager must be configured with Secure Socket Layer (SSL) to allow connections between the LDAP client and the Active Directory server. This attribute is not updated every time a user logs in successfully. The Active Directory environment must also be enabled to accept LDAP connections over Secure Socket Layer (SSL). This read permission enables Tivoli Access Manager blade servers. v For Microsoft Active Directory registry. the ivacld-servers and remote-acl-users groups apply read permission on each authorization store to which the dynamic group belongs. This attribute is a system attribute and is updated automatically by Active Directory. Tivoli Access Manager has no control over this attribute except reporting the value when required. But Active Directory does not add the primary group information to the user's memberOf or the group's member attribute. thus. Tivoli Access Manager uses the Active Directory user attribute lastLogonTimestamp to report the last login time of the user. 332 Administration Guide . avoid using a Tivoli Access Manager group as the Active Directory primary group for Tivoli Access Manager users. This attribute is a system attribute and is updated automatically by Active Directory. when Tivoli Access Manager queries for all the groups to which a user belongs. Tivoli Access Manager does not support importing these types of groups. v When Tivoli Access Manager imports a dynamic group. such as group membership for building Tivoli Access Manager credentials. Tivoli Access Manager has no control over this attribute except reporting the value when required. regardless of the user registry. Active Directory user objects and group objects both have the sAMAccountName attribute as one of their attributes. respectively. the policy server must be installed and configured on a Windows operating system. Access Manager supports user password change requests using either the Policy Server or LDAP APIs. including the domain suffix. User registry differences 333 .com is created in Active Directory domain child_domain.com is the value of the userPrincipalName.v When using an Active Directory user registry in a Tivoli Access Manager configuration with blade servers that use LDAP APIs to communicate with the Active Directory server. v Tivoli Access Manager supports the use of an email address or other alternate format of the userPrincipalName attribute of the Active Directory registry user object as a Tivoli Access Manager user identity. multiple users and groups can be defined with the same short name as long as they are located in different domains. where domain_suffix is the Active Directory domain where the user identity is created. The use of LDAP APIs to communicate with the Active Directory Server for blade servers is a multi-platform support that allows blade servers to be installed on machines that are not clients of the same domain as the policy server. Microsoft requires that the sAMAccountName attributes be unique within an Active Directory domain.com is the Active Directory domain where the user identity is created. if the registry user johndoe@other_domain. User and group short name values that are stored in the sAMAccountName attribute of Active Directory user objects and group objects. The default format of the userPrincipalName registry attribute is user_id@domain_suffix. The alternate format of the userPrincipalName attribute is user_id@any_suffix.com or johndoe. and their user identities are johndoe@other_domain. v When using a multi-domain Active Directory user registry. v When using an Active Directory user registry.com.com is created in Active Directory tivoli. where any_suffix can be any domain (Active Directory or non-Active Directory) other than the Active Directory domain in which the user identity is created. must always be specified to Tivoli Access Manager. To ensure consistent processing. depending on whether Tivoli Access Manager is configured to use Active Directory with multiple domains or a single domain. Both of these users can be Tivoli Access Manager users. when it is enabled. Change user password requests using the LDAP APIs do not require the Policy Server to be up-and-running.tivoli.com. This is an optional enhancement.com. each user name and each group name in a domain must be unique.com and johndoe@tivoli. define user names and group names without leading or trailing blanks. The alternate user principal name (UPN) support must be enabled in all Tivoli Access Manager run-time environments to ensure that Tivoli Access Manager user identities work properly with alternate UPNs. v Leading and trailing blanks in user names and group names are ignored when using Microsoft Active Directory Server as the user registry in a Tivoli Access Manager secure domain. tivoli. the full name of the user or group. johndoe@tivoli. Appendix D. The Tivoli Access Manager user identity corresponding to the registry user in this example is either johndoe@tivoli. However. respectively. For example. both the default and the email address or other alternate format of the userPrincipalName can co-exist in the Tivoli Access Manager environment. In this configuration. and the registry user johndoe@tivoli. For example. Some Active Directory functions interpret the forward slash character as a separator between the object name and the host name. Maximum lengths for names by user registry and the optimal length across user registries Name IBM Tivoli Directory Server IBM z/OS Security Server Novell eDirectory Server Sun Java System Directory Server 256 128 128 1024 256 Microsoft Active Directory Server 64 64 64 2048 64 Lotus Domino Server Active Directory Application Mode (ADAM) 64 64 64 1024 64 Optimal length First name (LDAP CN) Middle name Last name (surname) Registry UID (LDAP DN) Tivoli Access Manager user identity User password User description Group name 256 128 128 1024 256 256 128 128 1024 256 64 128 128 1024 256 960 65535 960 255 196 domain_ name_length unlimited 64 64 64 255 64 unlimited unlimited unlimited 1024 unlimited 256 128 1024 256 1024 64 256 256 256 256 64 196 domain_ name_length 64 Group description Single sign-on resource name Single sign-on resource description Single sign-on user ID Single sign-on password 240 240 240 240 240 240 1024 240 60 256 1024 240 1024 60 1024 1024 1024 240 60 256 240 60 unlimited unlimited unlimited unlimited 256 unlimited unlimited 256 334 Administration Guide . Table 7. Length of names The maximum lengths of various names that are associated with Tivoli Access Manager vary depending on the user registry that is being used. subsequent operations on the object might fail.Once the use of alternate UPN format as Access Manager user identity is enabled. it cannot be reversed without breaking Tivoli Access Manager functionalities. do not use a forward slash character to define the user. To avoid the problem. v Although users and groups can be created with names that use a distinguished name string that contain a forward slash (/) character. See Table 7 for a comparison of the maximum lengths that are allowed and the recommended maximum length to use to ensure compatibility with all the user registries that are supported by Tivoli Access Manager. Choose maximum values that are logical for your environment. If you configure Tivoli Access Manager to use multiple Active Directory domains. The maximum length of 64 applies only to the user_id portion. Maximum lengths for names by user registry and the optimal length across user registries (continued) Name IBM Tivoli Directory Server IBM z/OS Security Server Novell eDirectory Server Sun Java System Directory Server 240 Microsoft Active Directory Server 60 Lotus Domino Server Active Directory Application Mode (ADAM) 240 Optimal length Single sign-on group name Single sign-on group description Action name Action description. the maximum name length remains the same. object description Object space name. the format of a user identity is user_id@domain_suffix. Although the lengths of some names can be of unlimited. User registry differences 335 . excessive lengths can result in policy that is difficult to manage and might result in poor system performance. If you use an email address or other alternate format for the Tivoli Access Manager user identity in the Active Directory. the maximum length of the user identity and group name does not include the domain suffix. Appendix D. action type Object name. ACL descriptions POP name. the maximum length of each relative distinguished name (RDN) is 64.Table 7. POP description 240 240 240 256 60 1024 1024 1024 1 unlimited 1 unlimited 1 unlimited unlimited unlimited unlimited unlimited unlimited unlimited unlimited unlimited unlimited unlimited unlimited unlimited Although the maximum length of an Active Directory distinguished name (registry UID) is 2048. but includes the suffix. When using multiple domains. object space description ACL name. 336 Administration Guide . 2010 337 . Table 8. Information about the pdadmin utility can be found in the IBM Tivoli Access Manager for e-business: Command Reference.Appendix E. 1999. pdadmin to Web Portal Manager equivalents This appendix shows the mapping of the administration pdadmin commands to Web Portal Manager. Mapping between the pddamin utility and Web Portal Manager pdadmin utility acl attach object_name acl_name Web Portal Manager ACL → List ACL → click ACL name → Attach tab → Attach → type protected object path → Attach ACL → Create ACL → fill in form → Create ACL → List ACL → select ACL names → Delete ACL → List ACL → click ACL name → Attach tab → select protected object → Detach ACL → List ACL → click ACL name → Attach tab ACL → List ACL ACL → List ACL → click ACL name → Extended Attribute tab ACL → List ACL → select ACL name → Extended Attribute tab → select attributes → Delete Not supported ACL → List ACL → click ACL name → modify description → Set ACL → List ACL → click ACL name → select Any-other → Delete ACL → List ACL → click ACL name → select group name → Delete ACL → List ACL → click ACL name → select Unauthenticated → Delete ACL → List ACL → click ACL name → select user name → Delete ACL → List ACL → click ACL name → select Any-other → Create → select permissions → Apply ACL → List ACL → click ACL name → Extended Attribute tab → Create → fill in form → Apply ACL → List ACL → click ACL name → Create → select Group → specify group name → select permissions → Apply acl create acl_name acl delete acl_name acl detach object_name acl find acl_name acl list acl list acl_name attribute acl modify acl_name delete attribute attribute_name acl modify acl_name delete attribute attribute_name attribute_value acl modify acl_name description description acl modify acl_name remove any-other acl modify acl_name remove group group_name acl modify acl_name remove unauthenticated acl modify acl_name remove user user_name acl modify acl_name set any-other permissions acl modify acl_name set attribute attribute_name attribute_value acl modify acl_name set group group_name permissions © Copyright IBM Corp. Table 8. Mapping between the pddamin utility and Web Portal Manager (continued) pdadmin utility acl modify acl_name set unauthenticated permissions acl modify acl_name set user user_name permissions acl show acl_name acl show acl_name attribute attribute_name action create name description action_type action create name description action_type action_group_name action delete name action delete name action_group_name action group create action_group_name action group delete action_group_name action group list action list action list action_group_name admin show configuration authzrule attach object_name ruleid Web Portal Manager ACL → List ACL → click ACL name → Create → select Unauthenticated → select permissions → Apply ACL → List ACL → click ACL name → Create → select User → specify user name → select permissions → Apply ACL → List ACL → click ACL name ACL → List ACL → click ACL name → Extended Attribute tab ACL → List Action Groups → click primary action group → Create → fill in form → Create ACL → List Action Groups → click action group → Create → fill in form → Create ACL → List Action Groups → click primary action group → select actions → Delete ACL → List Action Groups → click action group → select actions → Delete ACL → Create Action Group → type group name → Create ACL → List Action Groups → select action groups → Delete ACL → List Action Groups ACL → List Action Groups → click primary action group ACL → List Action Groups → click action group Not supported AuthzRule → List AuthzRule → click authorization rule name → Attach tab → Attach → type protected object path → Attach AuthzRule → Create AuthzRule → fill in form → Create AuthzRule → List AuthzRule → select authorization rule name → Delete AuthzRule → List AuthzRule → click authorization rule name → Attach tab → select object names → Detach AuthzRule → List AuthzRule → click authorization rule name → Attach tab AuthzRule → List AuthzRule AuthzRule → List AuthzRule → click authorization rule name → modify fields → Apply AuthzRule → List AuthzRule → click authorization rule name Not supported authzrule create ruleid {–rulefile filename | ruletext} [–desc description] [–failreason failreason] authzrule delete ruleid authzrule detach object_name authzrule find ruleid authzrule list authzrule modify ruleid {–rulefile filename | ruletext rule_text | description description | failreason failreason authzrule show ruleid config modify svrpassword config_file password 338 Administration Guide . .Table 8. pdadmin to Web Portal Manager equivalents 339 . user_n]) Group → Search Groups → type pattern and maximum results → Search → click group name → type description → Apply Group → Search Groups → type pattern and maximum results → Search → click group name → Members tab → select user names → Remove Group → Search Groups → type pattern and maximum results → Search → click group name Not supported group modify group_name description description group modify group_name remove user group modify group_name remove (user_1 user_2 [.. Mapping between the pddamin utility and Web Portal Manager (continued) pdadmin utility config modify keyvalue set [–obfuscate] config_file stanza key value config modify keyvalue append [–obfuscate] config_file stanza key value config modify keyvalue remove config_file stanza key value config modify keyvalue remove config_file stanza key config show config_file stanza key context show domain create domain domain_admin_id domain_admin_password [–desc description] domain delete domain [–registry] domain list domain modify domain description description domain show domain errtext error_number exit group create group_name dn cn [group_container] group delete [–registry] group_name Web Portal Manager Not supported Not supported Not supported Not supported Not supported Not supported Secure Domain → Create Secure Domain → fill in form → Create Secure Domain → List Secure Domain → select secure domain names → Delete Secure Domain → List Secure Domain Secure Domain → List Secure Domain → click secure domain name → modify description → Apply Secure Domain → List Secure Domain → click secure domain name Not supported Not supported Group → Create Group → fill in form → Create Group → Search Groups → type pattern and maximum results → Search → select group names → Delete Group → Import Group → fill in form → Import Group → Search Groups → type pattern and maximum results → Search Not supported group import group_name dn [group_container] group list pattern max_return group list-dn pattern max_return group modify group_name add user Group → Search Groups → type pattern and maximum results → Search → click group group modify group_name add (user_1 user_2 name → Members tab → select users → Add [. user_n]) group show group_name group show-dn dn Appendix E... Mapping between the pddamin utility and Web Portal Manager (continued) pdadmin utility group show-members group_name Web Portal Manager Group → Search Groups → type pattern and maximum results → Search → click group name → Members tab Not supported Not supported Not supported Not supported Not supported Object Space → Create Object → fill in form → Create The type field is not supported. You can select the Can Policy be attached to this object check box on the Protected Object Properties page. object delete object_name object exists object_name object list object list object_name object list object_name attribute Object Space → Browse Object Space → expand and click object name → Delete Not supported Object Space → Browse Object Space → expand Object Space → Browse Object Space → expand and click object name Object Space → Browse Object Space → expand and click object name → Extended Attributes tab Not supported Object Space → Browse Object Space → expand and click object name → Extended Attributes tab → select attribute → Delete Not supported Object Space → Browse Object Space → expand and click object name → Extended Attributes tab → Create → fill in form → Apply Object Space → Browse Object Space → expand and click object name → modify description → Apply Object Space → Browse Object Space → expand and click object name → select or clear check box→ Apply Not supported Object Space → Browse Object Space → expand and click object name Object Space → Browse Object Space → expand and click object name → Extended Attributes tab help {topic | command} login –a admin_id –p password [–d domain | –m] login –l logout object access object_name permissions object create object_name description type ispolicyattachable {yes | no} object listandshow object_name object modify object_name delete attribute_name object modify object_name delete attribute_name attribute_value object modify object_name set attribute attribute_name attribute_value object modify object_name set description description object modify object_name isPolicyAttachable {yes | no} object modify object_name type type object show object_name object show object_name attribute attribute_name 340 Administration Guide .Table 8. Mapping between the pddamin utility and Web Portal Manager (continued) pdadmin utility objectspace create objectspace_name objectspace delete objectspace_name objectspace list policy get policy_name policy get policy_name –user user_name Web Portal Manager Object Space → Create Object Space → fill in form → Create Object Space → Browse Object Space → click object space name → Delete Object Space → Browse Object Space User → Show Global User Policy User → Search Users → type pattern and maximum results → Search → click user name → Policy tab User → Show Global User Policy → modify value → Apply User → Search Users → type pattern and maximum results → Search → click user name → Policy tab → modify value → Apply POP → List POP → click POP name → Attach tab → Attach → type protected object path → Attach POP → Create POP → fill in form → Create POP → List POP → select POP names → Delete POP → List POP → click POP name → Attach tab → select object → Detach POP → List POP → click POP name → Attach tab POP → List POP POP → List POP → click POP name POP → List POP → click POP name → Extended Attributes tab POP → List POP → click POP name → Extended Attributes tab → select attributes → Delete Not supported POP → List POP → click POP name → Extended Attributes tab → Create → fill in form → Apply POP → List POP → click POP name → select or clear appropriate check boxes → Apply POP → List POP → click POP name → modify description → Apply POP → List POP → click POP name → IP Auth tab → Create → type the network.Table 8. pdadmin to Web Portal Manager equivalents 341 . and authentication level → Apply POP → List POP → click POP name → IP Auth tab → Create → type network and net mask and select Forbidden check box → Apply policy set policy_name policy_value policy set policy_name policy_value –user user_name pop attach object_name pop_name pop create pop_name pop delete pop_name pop detach object_name pop find pop_name pop list pop list pop_name pop list pop_name attribute pop modify pop_name delete attribute attribute_name pop modify pop_name delete attribute attribute_name attribute_value pop modify pop_name set attribute attribute_name attribute_value pop modify pop_name set audit-level {all | none | audit_level_list} pop modify pop_name set description description pop modify pop_name set ipauth add network netmask authentication_level pop modify pop_name set ipauth add network netmask forbidden Appendix E. net mask. Table 8. Mapping between the pddamin utility and Web Portal Manager (continued) pdadmin utility pop modify pop_name set ipauth anyothernw authentication_level Web Portal Manager POP → List POP → click POP name → IP Auth tab → Create → select Any Other Network check box and type authentication level → Create POP → List POP → click POP name → IP Auth tab → Create → select Any Other Network and Forbidden check boxes → Create POP → List POP → click POP name → IP Auth tab → select IP authorization entries → Delete POP → List POP → click POP name → select appropriate quality of protection → Apply pop modify pop_name set ipauth anyothernw forbidden pop modify pop_name set ipauth remove network netmask pop modify pop_name set qop {none | integrity | privacy} pop modify pop_name set tod-access {anyday POP → List POP → click POP name → define | weekday | day_list}:{anytime | time of day access → Apply time_spec-time_spec}[:utc | local] pop modify pop_name set warning {yes | no} pop show pop_name pop show pop_name attribute quit rsrc create resource_name [–desc description] rsrc delete resource_name rsrc list rsrc show resource_name POP → List POP → click POP name → select or clear Warn Only On Policy Violation check box → Apply POP → List POP → click POP name POP → List POP → click POP name → Extended Attributes tab Not supported GSO Resource → Create GSO → fill in form → Create GSO Resource → List GSO → select resources → Delete GSO Resource → List GSO GSO Resource → List GSO → click resource User → Search Users → Search → click user rsrccred create resource_name rsrcuser resource_userid rsrcpwd resource_pwd rsrctype name → GSO Credentials tab → Create → fill in form → Create {web | group} user user_name rsrccred create resource_group_name rsrcuser User → Search Groups → Search → click user resource_userid rsrcpwd resource_pwd rsrctype name → GSO Credentials tab → Create → fill {web | group} user user_name in form → Create rsrccred delete resource_name rsrctype {web | User → Search Users → Search → click user group} user user_name name → GSO Credentials tab → select credentials → Delete rsrccred delete resource_group_name rsrctype {web | group} user user_name rsrccred list user user_name rsrccred modify resource_name rsrctype {web | group} [–rsrcuser resource_userid] [–rsrcpwd resource_pwd] user user_name User → Search Groups → Search → click user name → GSO Credentials tab → select credentials → Delete User → Search Users → Search → click user name → GSO Credentials tab User → Search Users → Search → click user name → GSO Credentials tab → Create → modify form → Create 342 Administration Guide . .. see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.Table 8. Mapping between the pddamin utility and Web Portal Manager (continued) pdadmin utility rsrccred modify resource_group_name rsrctype {web | group} [–rsrcuser resource_userid] [–rsrcpwd resource_pwd] user user_name rsrccred show resource_name rsrctype {web | group} user user_name rsrccred show resource_group_name rsrctype {web | group} user user_name rsrcgroup create resource_group_name [–desc description] rsrcgroup delete resource_group_name rsrcgroup list rsrcgroup modify resource_group_name add rsrcname resource_name rsrcgroup modify resource_group_name remove rsrcname resource_name rsrcgroup show resource_group_name server list server listtasks server_name server replicate server_name server show server_name server task server_name {help | stats | trace} server task server_name server_task Web Portal Manager User → Search Groups → Search → click user name → GSO Credentials tab → Create → modify form → Create User → Search Users → Search → click user name → GSO Credentials tab User → Search Groups → Search → click user name → GSO Credentials tab GSO Resource → Create GSO Group → fill in form → Create GSO Resource → List GSO Groups → select resource groups → Delete GSO Resource → List GSO Groups GSO Resource → List GSO Groups → select resource group → select members → Add GSO Resource → List GSO Groups → select resource group → select members → Remove GSO Resource → List GSO Groups → select resource group Not supported Not supported Not supported Not supported Not supported Not supported For more information about the WebSEAL server tasks and junction points. user create [–gsouser] [–no-passwordpolicy] user_name dn cn sn password [group1 [group2 .]] user delete [–registry] user_name User → Create User → fill in form → Create User → Search Users → type pattern and maximum results → Search → select user names → Delete User → Import User → fill in form → Import User → Search Users → type pattern and maximum results → Search Not supported User → Search Users → type pattern and maximum results → Search → click user name → select or clear check box → Apply User → Search Users → type pattern and maximum results → Search → click user name → modify password→ Apply user import [–gsouser] user_name dn [group_name] user list pattern max_return user list-dn pattern max_return user modify user_name account-valid {yes | no} user modify user_name password password Appendix E. pdadmin to Web Portal Manager equivalents 343 . Mapping between the pddamin utility and Web Portal Manager (continued) pdadmin utility user modify user_name password-valid {yes | no} user show user_name user show-dn dn user show-groups user_name Web Portal Manager User → Search Users → type pattern and maximum results → Search → click user name → select or clear check box → Apply User → Search Users → type pattern and maximum results → Search → click user name Not supported User → Search Users → type pattern and maximum results → Search → click user name → Groups tab 344 Administration Guide .Table 8. which Tivoli Access Manager still treats as a master-subordinate or peer-to-peer relationship. Active Directory Application Mode (ADAM) replication is based on membership in a configuration set. refer to the documentation that came with your user registry product. © Copyright IBM Corp. Sun Java System Web Server replication is based on a supplier/consumer model. which means that any instance in the configuration set is writable and will propagate the changes to all other instances in the configuration set. Note: ADAM instances cannot replicate with Active Directory.Appendix F. Tivoli Directory Server replication is based on a master-subordinate model. This section contains the following topics: v “LDAP failover configuration” v “Using valid characters for LDAP user and group names” on page 349 v “Applying Tivoli Access Manager ACLs to new LDAP suffixes” on page 350 LDAP failover configuration The Lightweight Directory Access Protocol (LDAP) defines a standard method for accessing and updating information in a directory. An example of an LDAP server product is the Tivoli Directory Server. Directories are usually accessed using the client/server model of communication. 2010 345 . ADAM uses a multi-master form of replication. which is included with Tivoli Access Manager. The LDAP protocol standard includes low-level network protocol definitions plus data representation and handling functionality. The LDAP distributed architecture supports scalable directory services with server replication capabilities. This chapter contains the following sections: v “LDAP-specific tasks” v “Active Directory-specific tasks” on page 362 v “Novell-specific tasks” on page 368 LDAP-specific tasks LDAP is a protocol that runs over TCP/IP. even when ADAM is running in an Active Directory domain. For common administrative tasks for your particular registry (tasks that are not specific to Tivoli Access Manager). 1999. Managing user registries This chapter contains a subset of user registry tasks that are specific to the installation of Tivoli Access Manager. Any server that implements LDAP is an LDAP server. Server replication improves the availability of a directory service. A directory that is accessible through LDAP is commonly referred to as an LDAP directory. and they replicate on a schedule that is completely independent of the Active Directory replication schedule. which is a group of ADAM instances that share and replicate a common configuration partition and schema partition. For Tivoli Access Manager. The master-subordinate replication model Replication involves two types of directories: master/peer and replica. 346 Administration Guide . If the LDAP master server is down for any reason. the directory service continues to be available from another replicated server. The combination of a master server and multiple replicated servers helps to ensure that directory data is always available when needed. Note: When using SSL. Tivoli Access Manager supports this replication capability. updates are directed to the ADAM instance with the highest preference and no other instances will be used as failover unless the preferred instance is down. Note that the default replication schedule for ADAM is once per hour.conf configuration file) when it starts up. If any server fails. Even when peer-to-peer replication is being used. This schedule can be changed. these types of servers are configured as readwrite servers. a replica server can be promoted as a master server to allow write operations to the directory. the Tivoli Access Manager server must be able to connect to an available LDAP replica server for any read operations. see “Setting preference values for replica LDAP servers” on page 348. which is always used for write operations to the directory. updates to one instance in a configuration set will not be propagated for at least fifteen minutes. see the documentation for your LDAP server. Tivoli Access Manager can use this replication support. these types of servers are configured as readonly servers. Changes to the directory can be made only to a master server. This way. The Access Manager directory partition that contains the secAuthorityInfo subtree must be replicated to each of the ADAM instances in the configuration set. For information about whether your LDAP server supports replication in this manner. When using a generic LDAP server. All updates are made on the master server and these updates are subsequently propagated to the replica servers. Tivoli Access Manager failover capability for LDAP servers Tivoli Access Manager connects to the LDAP master server (indicated by the host key in the ldap. the peer servers can be considered “masters” for the Tivoli Access Manager perspective. when Tivoli Access Manager is used with ADAM. As long as this LDAP server recognizes the concept of master-subordinate. the same Certificate Authority should issue the ADAM certificate for each instance in the configuration set. it is recommended that one instance in the configuration set is configured to have a higher read/write preference than all other instances. Therefore. Tivoli Access Manager can validate the ADAM certificate from each instance. For information about setting the ADAM replication schedule. When the original master server is out of service for an extended period of time. LDAP refers to the master as the master server and to the replica as the replica server. If the ADAM instances in the configuration set are on the same system.Tivoli Access Manager treats each ADAM instance in a configuration set as a replica. refer to ADAM documentation. This way. Each replica server directory contains a copy of the data in the master server directory. but the most frequent rate at which ADAM will replicate is four times an hour. For Tivoli Access Manager. the failover configuration depends on the specific LDAP server. For information about setting preference values. Either the master or the replicas can be used for read operations. the instances can share the same certificate. such as adding a new user account through the Web Portal Manager. port ssl-port max-search-size If you make a change to the LDAP database. Tivoli Access Manager treats the Sun Java System supplier server as the master server for configuration purposes. Tivoli Access Manager performs failover to a replica server when it cannot connect to the master server. Replica server configuration Tivoli Directory Server supports the existence of one or more read-only replica LDAP servers. Use the following syntax for each replica: Appendix F. Values are yes and no. The SSL listening port of the LDAP master server. Sun Java System Web Server supports the existence of one or more read-only replica LDAP servers referred to as consumers. You can find the configuration parameters for LDAP failover in the [ldap] stanza of the ldap. You determine these values during Tivoli Access Manager configuration. After proper configuration. The Tivoli Access Manager limit for an LDAP client search of database items .conf configuration file: This configuration file is in one of the following operating system-specific locations: On Linux and UNIX operating systems /opt/PolicyDirector/etc/ldap. especially those from regular users. The network name of the machine where the LDAP master server is located. For example: [ldap] enabled = yes host = outback port = 389 ssl-port = 636 max-search-size = 2048 Entity enabled host Description Tivoli Access Manager uses an LDAP user registry.Many operations. Sun Java System Web Server supports multiple read-write LDAP servers. The active configuration lines in the ldap.conf Master server configuration Tivoli Directory Server supports the existence of a single read-write master LDAP server or multiple peer-to-peer read/write servers.conf file represent the parameters and values for this master LDAP server. This server is assumed to be a readwrite server with a preference of 5. These include operations such as user authentication and signon to back-end junctioned Web servers. are read operations. The TCP listening port of the LDAP master server. You must add lines to the [ldap] stanza that identifies any replica servers available to Tivoli Access Manager.such as a request for the Web Portal Manager to list users from the LDAP database. Managing user registries 347 . Tivoli Access Manager uses the read-write (master) LDAP server.conf On Windows operating systems install_path\etc\ldap. ” preference Example: replica = replica1. You can set hierarchical preference values to allow access to a single LDAP server (with failover to the other servers). Load balancing determines which server is selected for each access operation. The functionality of the replica server. or set equal preferences for all servers and allow load balancing to dictate server selection.com. The port this server listens on.readonly. “M” refers to the master (read-only/read-write) LDAP server. A read-write type would represent a master server. If two or more servers have the same preference value. For example. The Table 9 illustrates some possible preference scenarios. Generally. which is either readonly or readwrite. If the primary read-only server fails for any reason. you could prevent the master server from handling everyday read operations.replica = ldap_server. with appropriate preference settings. use 389 or 636.tivoli.com.preference Entity ldap-server port type Description The network name of the LDAP replica server. For read-only access. Table 9. the master server has a hardcoded default preference setting of 5. Normally.4 replica = replica2.4 Changes to the ldap. A number from 1 to 10. 348 Administration Guide .tivoli. Remember that the master LDAP server can function as both a read-only and a read-write server.389. the server with the next highest preference value is used.port. a least-busy load balancing algorithm determines which one is selected. Setting preference values for replica LDAP servers Each replica LDAP server must have a preference value (1 to 10) that determines its priority based on one of the following selections: v The primary read-only access server v A backup read-only server during a failover The higher the number.ldap.389. use read-only. “R2” and “R3” refer to the replica (read-only) LDAP servers. The server with the highest preference value is chosen for LDAP connections. the higher the priority.type. “R1”.conf file do not take effect until you restart Tivoli Access Manager. Potential preference scenarios M 5 5 R1 5 R2 5 R3 Failover preference All servers have the same preference values. This preference setting allows you to set replica servers at values higher or lower than the master to obtain the required performance. See “Setting preference values for replica LDAP servers.readonly.ldap. However. see "Characters disallowed for user and group name" in Appendix A of the IBM Tivoli Access Manager for e-business: Command Reference. If server 3 fails. Tivoli Access Manager continuously polls the server to check for its return to active duty. 5 6 7 8 Preference values affect only read-only access to the LDAP database. This override occurs because those daemons usually make update operations that should go to the master LDAP server. The master is used only if all three replica servers become unavailable. Server 3 (with the highest preference value) becomes the primary server.o=tivoli. Also note that some Tivoli Access Manager daemons (such as the policy server) override the preference settings in their configuration files to indicate that the read-write server is preferred.one" "cn=user\. you can use special characters within a distinguished name. The following special characters must be escaped when used in a distinguished name: v Plus sign (+) v Semicolon (. In general. If you use special characters when using the pdadmin utility. Potential preference scenarios (continued) M 5 6 R1 6 R2 6 R3 Failover preference The three replica servers have the same preference value. Managing user registries 349 . Using valid characters for LDAP user and group names When using LDAP as the user registry.Table 9.) v Comma (. Load balancing determines server selection among the three replicas. to create a user containing a semicolon using the pdadmin utility: pdadmin> user create "user.c=us" "user.one.one" "user. server 2 becomes the primary server because it has the next highest preference value. This value is higher than the master server value. the set of valid characters allowed within a user or group name is determined by the following Internet Engineering Task Force (IETF) Request for Comments (RFC): v 2253 Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names v 2254 The String Representation of LDAP Search Filters The specific LDAP server can also dictate the validity of these characters. For more information. enclose each argument of the user or group command with double quotation marks. The poll time is 10 seconds.) For example. certain special characters require an additional escape character.one" password1 Note: Avoid using the backward slash character (\) as part of a user or group name. Server polling If an LDAP server does fail. Tivoli Access Manager always uses the master (read-write) server when you need to make a change to the LDAP database. The double Appendix F. see "ivrgy_tool" in the IBM Tivoli Access Manager for e-business: Command Reference. the LDAP naming model is maintained in a hierarchical namespace known as the Directory Information Tree (DIT). which is included with Tivoli Access Manager. it attempts to apply appropriate access controls in the form of Access Control Lists (ACLs) to each LDAP suffix that is in the LDAP server.cn=SecurityGroups. such as Tivoli Directory Server. Access to ADAM registry entries is controlled by administration groups within ADAM. Applying Tivoli Access Manager ACLs to new LDAP suffixes Generally. Many LDAP server products. When the Tivoli Access Manager policy server is configured. the appropriate ACLs must be applied to the new suffix.ou=austin. if an LDAP administrator adds an LDAP suffix after Tivoli Access Manager is configured and wants Tivoli Access Manager to manage users and groups in this new suffix. For LDAP server types other than ADAM. To apply the appropriate access controls to a newly created LDAP suffix. The set of suffixes that is maintained by the LDAP server can be configured using the vendor-specific LDAP administration tools. avoid using special characters. because it represents the ending portion of a distinguished name (DN).o=ibm. Alternately. For more information. the c=us suffix might be created to represent country-specific data within an organization.quotation marks allow the argument to be entered without being subject to interpretation by the operating system shell command processor.secAuthority=Default v Full access cn=ivacld-servers. This access control gives appropriate permissions to allow Tivoli Access Manager to create and manage user and group information in these suffixes.secAuthority=Default v read v search v compare v write for the following attributes: – secAcctValid – secPwdFailCountTime – secPwdFailures – secPwdLastChanged – secPwdLastFailed – secPwdLastUsed – secPwdUnlockTime – secPwdValid 350 Administration Guide . Due to the variability of special character handling in general. you can manually apply the following ACLs to each new suffix: cn=SecurityGroup.c=us. Sometimes. this naming context is called a suffix. For example. and the Sun Java System Web Server and Novell eDirectory. Note: The Tivoli Access Manager policy server does not attempt to apply ACLs to each LDAP suffix when ADAM is used as the user registry. The top of the tree is referred to as a naming context. An entry within this suffix might have a DN similar to cn=Joe Williams. use the ivrgy_tool utility with the add-acls parameter. maintain the data of the DIT in a hierarchical namespace that is often represented as a tree structure. secAuthority=Default v read v search v compare v write for the following attributes: – secAcctValid – secPwdFailCountTime – secPwdFailures – secPwdLastChanged – secPwdLastFailed – secPwdLastUsed – secPwdUnlockTime – secPwdValid cn=remote-acl-users. which is created during the configuration of the policy server.cn=remote-acl-users.cn=Subdomains.cn=SecurityGroups. see the documentation that is associated with the generic LDAP server.cn=SecurityGroups. cn=Subdomains.secAuthority=Default v read v search v compare v write for the following attributes: – secAcctValid – secPwdFailCountTime – secPwdFailures – secPwdLastChanged – secPwdLastFailed – secPwdLastUsed – secPwdUnlockTime – secPwdValid When using a generic LDAP server. If a Tivoli Access Manager administrator created a domain other than the initial \Management domain.secAuthority=domain_name. the following additional ACLs should be applied to the new suffix for each domain: cn=SecurityGroup.cn=SecurityGroups. For information about how to set access control for a generic LDAP server.secAuthority=domain_name.cn=Subdomains. the same access controls should be given to the specified groups. secAuthority=Default v Full access cn=ivacld-servers.secAuthority=Default v read v search v compare v write for the following attributes: – secAcctValid – secPwdFailCountTime – secPwdFailures – secPwdLastChanged – secPwdLastFailed – secPwdLastUsed – secPwdUnlockTime – secPwdValid Appendix F.secAuthority=domain_name. Managing user registries 351 . click Logout. Select the appropriate structural object class for the newly added suffix. use the domain list command. click Next to define the selected structural object class. Tivoli Directory Server: This procedure describes how to apply the appropriate Tivoli Access Manager access controls in Tivoli Directory Server for a newly created suffix. go to step 7 on page 353. In the navigation area on the left. If the list of console server contains the LDAP server to be administered. add an entry for a newly created suffix. f. Click OK to add the server. Log in as the Console Admin. If you do not see the newly added suffix. e. Substitute your newly created suffix for this value in the following procedures. This action presents a list of LDAP servers that are currently configured for administration. The default login page is the following URL: http://server_name:12100/IDSWebApp/IDSjsp/Login. b. click Console administration and Manage console servers. 3. click Directory management and Manage entries. For the c=fr suffix. Access the login page using the URL in step 1 and select from the list the LDAP server that you added. From the navigation area. type the LDAP server administrator in the Username field (for example. 4. For a list of domains. 6. 352 Administration Guide .Where domain_name is the name of the additional administrative domain. b. Click Next to display the Select auxiliary object classes window where you can add additional object classes appropriate for the entry type. Click Close to complete the action. Add a suffix: a. depending on the LDAP server type being used. the appropriate object class is country. Access the login page using a supported Web browser.jsp Where server_name is the host name of the application server where the Web Administration Tool is installed. Because this example does not use other object classes. Example procedures The following example procedures can be used for either Tivoli Directory Server or Sun Java System Web Server. If this list does not contain the server. c. The default Console Admin identity is superadmin and the default password is secret. The following example procedures assume the newly created c=fr suffix. Click Add and type the host name and port number for the LDAP server to be administered. 2. 5. This procedure uses the Tivoli Directory Server Web Administration Tool and assumes that this tool is installed and configured into the WebSphere Application Server. In the navigation area on the left. select its host name and go to step 4. cn=root) and password in the password field. Add an LDAP server to the list of console servers: a. d. 1. and click Login. Click Add to display the Add an entry window. In the Login window. c. add it as a console server. d. If you see the newly added suffix in the Manage entries window on the right. Click Go to display the Edit ACL window that shows the current ACLs on the suffix.cn=SecurityGroups. Appendix F. system and restricted security classes to grant for the read. Set the Add child right to grant. d. From the Select Action list. The only required attribute is c for country. In a. Click OK to return to the Edit ACL window. sensitive. In the Edit ACL window.e. search. and compare actions. and click Finish to return to the Manage entries window. Go to step 17 on page 354. select the suffix. 8. b. where domain_name is the domain name being protected. type cn=ivacldservers. 9. From the Select column. Set the normal. If you have other domains and need to add domain ACLs. secAuthority=Default.cn=Subdomains. 11. If you have no further domains. set each of these attributes to grant for the read. b. In the Subject DN (distinguished name) field. b. search. critical. write. In the Add access rights window: a. You should now see the newly added suffix in the list of top-level entries. In the Subject DN (distinguished name) field.secAuthority=domain_name. Set the Subject Type to group. click Add to display the Add access rights window. continue to step 12. After defining these attributes. Click Non-filtered ACLs. search. click Add to display the Add access rights window. From the Attributes list. this completes the access control. and compare actions. type c=fr and leave the Parent DN field blank. Managing user registries 353 . Set the Delete entry right to grant. select Edit ACL.secAuthority=Default. This sample procedure has additional domains the require domain ACLs. f. the Add access rights window: In the Subject DN (distinguished name) field. In the Relative DN field. In the Edit ACL window: a. type cn=SecurityGroup. Click Add to display the Add access rights window. In the Edit ACL window. In the Manage entries window: a. c. 12. Ensure that the Propagate ACLs option is selected. 7. c. c. and compare actions. Set the normal security classes to grant for the read. e.secAuthority=Default. type cn=SecurityGroup. write. Click OK to return to the Edit ACL window. In the Add access rights window: a. Fill in the value fr. b. Repeat this step for each of the following attributes: v secPwdFailCountTime v secPwdFailures v secPwdLastChanged v secPwdLastFailed v secPwdLastUsed v secPwdUnlockTime v secPwdValid e. c. d. select secAcctValid and click Define. 10. c. and compare actions.cn=Subdomains. f. After defining these attributes. search. type cn=ivacldservers. Set the Subject Type to group. After defining these attributes. d. write. Repeat this step for each of the following attributes: v secPwdFailCountTime v secPwdFailures v secPwdLastChanged v secPwdLastFailed v secPwdLastUsed v secPwdUnlockTime v secPwdValid e. Set the Add child right to grant. c. Click OK to return to the Edit ACL window. and compare actions. secAuthority=Default.secAuthority=domain_name. search. critical. In the Subject DN (distinguished name) field. c. You do not need to restart the LDAP server for the changes to take affect. In the Add access rights window: a. In the Edit ACL window. select secAcctValid and click Define. search.b. Set the normal. In the Add access rights window: a.secAuthority=domain_name. d. set each of these attributes to grant for the read. 354 Administration Guide . In the Subject DN (distinguished name) field.cn=Subdomains. b. and compare actions. 17. Click OK to return to the Edit ACL window. where domain_name is the domain name being protected. set each of these attributes to grant for the read. Set the Subject Type to group.cn=SecurityGroups. In the Edit ACL window. From the Attributes list. Repeat this step for each of the following attributes: v secPwdFailCountTime v secPwdFailures v secPwdLastChanged v secPwdLastFailed v secPwdLastUsed v secPwdUnlockTime v secPwdValid e. search. Click Close. write. and compare actions. 13. 16. Set the normal security classes to grant for the read. 14. system and restricted security classes to grant for the read. write. f. click Add to display the Add access rights window.cn=SecurityGroups. search. This completes the addition of the access control for the suffix. Set the Delete entry right to grant. and compare actions. where domain_name is the domain name being protected. 15. sensitive. secAuthority=Default. type cn=remote-aclusers. b. click Add to display the Add access rights window. d. e. Set the normal security classes to grant for the read. select secAcctValid and click Define. Click OK to return to the Edit ACL window. From the Attributes list. Right-click the name of the server at the top of the directory tree. 1. Click the Directory tab. Click Open to access the Sun Java System Directory server./startconsole v On systems running the Solaris operating environment. 6. Select the Sun Java System Domain to be used by Tivoli Access Manager. Note: These instructions assume an example suffix.2. Expand the server name and Server Group. b. Select c=fr from the list of root suffixes. Select Directory Server to display the configuration information about the Sun Java System Directory server. and click OK. click Logout. e. If the newly created suffix is not displayed. Start the Sun Java System Server Console using one of the following commands: v On Linux and UNIX operating systems. The New Object selection window is displayed. Enter the following command: startconsole arguments c. In the Country field type fr. version 5. If you no longer need to use the Web Administration Tool. Type the password for this administrator. and select Object → New Root Object to display a list of root suffixes. b. 10. Select View → Refresh to display the new suffix. go to step 8. If the newly created suffix is displayed on the left pane. 9. Log in to the Sun Java System Server Console: a. Click OK to display the Property Editor window. This procedure uses the Sun Java System Server Console. Managing user registries 355 .18. 5. d. v On Windows operating systems. Click OK. create an entry for the new suffix before applying access controls to the suffix. To create the entry: a. scroll down and select Country as the new object entry type. In the New Object selection window. 7. Click New to display the Edit ACI for c=fr window. Sun Java System Web Server: The following procedure describes how to apply the appropriate Tivoli Access Manager access controls to the newly created suffix for Sun Java System Web Server. c. Type the LDAP administrator ID. which is usually cn=Directory Manager b. Change to the server root directory.2. Right-click c=fr in the left pane. select Start Programs Sun Java System Server Products Sun Java System Server Console Version 5. when not using the Solaris packaged version: a. and select Object → Set Access Permissions to display the Manage Access Control for c=fr window. 3. In the Edit ACI for c=fr window: Appendix F. Type –h to display a usage message explaining command line arguments. f. 4. c. 8. enter the following command from the Sun Java System Web Server installation directory: # . 2. Create the entry type and name that corresponds to your actual suffix. secAuthority=Default". Replace the default ACI text with the following text: (target="ldap:///c=fr")(targetattr="secAcctValid || secPwdFailCountTime || secPwdFailures || secPwdLastChanged || secPwdLastFailed || secPWDLastUsed || secPwdUnlockTime || secPwdValid") (version 3. Correct errors until the syntax validates. Click Edit Manually. In the ACI name field. Replace the default ACI text with the following text: (target="ldap:///c=fr")(targetattr="*") (version 3. type PD Remote ACL Users GROUP – ALLOW READ. allow (read. Click New to display the Edit ACI for c=fr window. b. Click Check Syntax to ensure validate the text. secAuthority=Default".secAuthority=Default". b. d. compare) groupdn = "ldap:///cn=ivacld-servers. In the Edit ACI for c=fr window: a.) e. f. b. d.cn=SecurityGroups. Highlight All Users. Click OK to return to the Manage Access Control for c=fr window. Click Check Syntax to ensure validate the text. Highlight All Users. acl "PD Servers GROUP – ALLOW READ".) e. Click Edit Manually. acl "SECURITY GROUP – ALLOW ALL".a. In the Edit ACI for c=fr window: a. the Edit ACI for c=fr window: In the ACI name field. search. c. b. allow (read.cn=SecurityGroups. Replace the default ACI text with the following text: 356 Administration Guide . 14. Click OK to return to the Manage Access Control for c=fr window.) e. Click Edit Manually. In the ACI name field. c. Correct errors until the syntax validates. In the ACI name field. Click OK to return to the Manage Access Control for c=fr window. d. Click New to display the Edit ACI for c=fr window. d. Highlight All Users. 11. In a. and click Remove. Replace the default ACI text with the following text: (target="ldap:///c=fr")(targetattr="*") (version 3. type SECURITY GROUP– ALLOW WRITE. compare) groupdn = "ldap:///cn=ivacld-servers. type SECURITY GROUP – ALLOW ALL. 15. Click Check Syntax to ensure validate the text. Click New to display the Edit ACI for c=fr window. allow (all) groupdn = "ldap:///cn=SecurityGroup. f. Highlight All Users. acl "SECURITY GROUP– ALLOW WRITE".0.0. type PD Servers GROUP – ALLOW READ. c. and click Remove. Click Edit Manually. 12. and click Remove. Correct errors until the syntax validates. 16. f. and click Remove. c. search.0. 13. secAuthority=Default|| ldap:///cn=ivacld-servers. allow (read. compare) groupdn = "ldap:///cn=remote-acl-users. If you have no further domains. d. Correct errors until the syntax validates. Highlight All Users. If you have additional domains and need to add domain ACLs. Click Check Syntax to ensure validate the text. Highlight All Users. Click New to display the Edit ACI for c=fr window. type PD Deny-Others. b. this completes the access control. Click New to display the Edit ACI for c=fr window. deny(all) groupdn != "ldap:///cn=SecurityGroup. acl "SECURITY GROUP– ALLOW WRITE". In the Edit ACI for c=fr window: a. search.(target="ldap:///c=fr")(targetattr="*") (version 3. f. type SECURITY GROUP – ALLOW ALL.) e. and click Remove. continue with step 21.secAuthority=Default|| ldap:///cn=remote-acl-users.0. You can skip to step 33 on page 359.0. 17. Click OK to return to the Manage Access Control for c=fr window. 19. Correct errors until the syntax validates. Replace the default ACI text with the following text: Appendix F. and click Remove. Click Edit Manually. 20. Click OK to return to the Manage Access Control for c=fr window. d. 18. Correct errors until the syntax validates. In the Edit ACI for c=fr window: a. allow (read. c. d. secAuthority=Default". and click Remove. In the ACI name field. Highlight All Users. f. acl "PD Remote ACL Users GROUP – ALLOW READ". In the Edit ACI for c=fr window: a. Managing user registries 357 . b. In the ACI name field. In the ACI name field. 21. Click OK to return to the Manage Access Control for c=fr window. f. Click Edit Manually. b. 22. type SECURITY GROUP– ALLOW WRITE. secAuthority=Default".cn=SecurityGroups. acl "PD Deny-Others". Click Check Syntax to ensure validate the text.cn=SecurityGroups.) e. Replace the default ACI text with the following text: (target="ldap:///c=fr")(targetattr="secAcctValid || secPwdFailCountTime || secPwdFailures || secPwdLastChanged || secPwdLastFailed || secPWDLastUsed || secPwdUnlockTime || secPwdValid") (version 3. c.) e. Replace the default ACI text with the following text: (targetfilter="(secAuthority=Default)") (version 3. Click New to display the Edit ACI for c=fr window. Click Edit Manually. c.cn=SecurityGroups. Click Check Syntax to ensure validate the text. search.cn=SecurityGroups.secAuthority=Default".0. compare) groupdn = "ldap:///cn=remote-acl-users. d.cn=Subdomains. Highlight All Users. Replace the default ACI text with the following text: 358 Administration Guide . type PD Remote ACL Users GROUP – ALLOW READ. In the ACI name field.0. In the Edit ACI for c=fr window: a. f. In the Edit ACI for c=fr window: a. and click Remove. allow (read.) where domain_name is the name of the domain being protected. d. c. cn=Subdomains. Click Check Syntax to ensure validate the text. Replace the default ACI text with the following text: (target="ldap:///c=fr")(targetattr="secAcctValid || secPwdFailCountTime || secPwdFailures || secPwdLastChanged || secPwdLastFailed || secPWDLastUsed || secPwdUnlockTime || secPwdValid") (version 3. In the ACI name field.ALLOW ALL.ALLOW READ". Replace the default ACI text with the following text: (target="ldap:///c=fr")(targetattr="*") (version 3. Correct errors until the syntax validates. b. 27. and click Remove.cn=SecurityGroups. search.) where domain_name is the name of the domain being protected.0. b. In the Edit ACI for c=fr window: a. d. Click New to display the Edit ACI for c=fr window. 24. Correct errors until the syntax validates. Correct errors until the syntax validates. Click New to display the Edit ACI for c=fr window. Click New to display the Edit ACI for c=fr window. 28. f. acl "SECURITY GROUP– ALLOW WRITE". compare) groupdn = "ldap:///cn=ivacld-servers. 25.secAuthority=Default".) e. type PD Servers GROUP – ALLOW READ. e.secAuthority=domain_name. and click Remove. secAuthority=domain_name. Click Check Syntax to ensure validate the text. Highlight All Users. e. In the ACI name field.cn=SecurityGroups. Click Edit Manually. acl "SECURITY GROUP . allow (all) groupdn = "ldap:///cn=SecurityGroup. compare) groupdn = "ldap:///cn=ivacld-servers.secAuthority=Default". acl "PD Servers GROUP .0.(target="ldap:///c=fr")(targetattr="*") (version 3. 23. f. c. Highlight All Users.secAuthority=Default". search. Click OK to return to the Manage Access Control for c=fr window. c. Click Edit Manually. type SECURITY GROUP– ALLOW WRITE. 26. Click Edit Manually.cn=Subdomains. secAuthority=domain_name. allow (read. Click OK to return to the Manage Access Control for c=fr window. Click OK to return to the Manage Access Control for c=fr window. b. Click Check Syntax to ensure validate the text. Correct errors until the syntax validates. In the Edit ACI for c=fr window: a.cn=Subdomains. secAuthority=domain_name.secAuthority=Default|| ldap:///cn=SecurityGroup. d. 30. 33. Click Console → Exit to exit the console. Managing user registries 359 .ALLOW READ". If there are further domains.secAuthority=Default". Click OK to close the Manage Access Control for c=fr window.) where domain_name is the name of the domain being protected. e. Correct errors until the syntax validates.) e. acl "PD Remote ACL Users GROUP . Highlight All Users. Replace the default ACI text with the following text: (targetfilter="(secAuthority=domain_name)") (version 3. Highlight All Users. f.secAuthority=domain_name. b. deny(all) groupdn != "ldap:///cn=SecurityGroup. For each domain. acl "PD Deny-Others". allow (read.secAuthority=Default". Click Edit Manually. In the ACI name field. In the ACI name field.0. d. repeat steps 21 on page 357 to 32. Click Edit Manually. cn=Subdomains.cn=Subdomains. Click Check Syntax to ensure validate the text. b.) where domain_name is the name of the domain being protected.(target="ldap:///c=fr")(targetattr="*") (version 3. search. Click OK to return to the Manage Access Control for c=fr window.secAuthority=Default|| ldap:///cn=ivacld-servers.secAuthority=domain_name. 31.secAuthority=Default". type PD Deny-Others. allow (read. continue with step 33. 29. and click Remove. Correct errors until the syntax validates.cn=SecurityGroups. Appendix F.cn=SecurityGroups. secAuthority=domain_name. Replace the default ACI text with the following text: (target="ldap:///c=fr")(targetattr="secAcctValid || secPwdFailCountTime || secPwdFailures || secPwdLastChanged || secPwdLastFailed || secPWDLastUsed || secPwdUnlockTime || secPwdValid") (version 3. compare) groupdn = "ldap:///cn=remote-acl-users. Click Check Syntax to ensure validate the text.cn=SecurityGroups. When complete.secAuthority=domain_name. Click OK to return to the Manage Access Control for c=fr window. compare) groupdn = "ldap:///cn=remote-acl-users.0. type SECURITY GROUP– ALLOW WRITE. secAuthority=Default|| ldap:///cn=remote-acl-users. c. In the Edit ACI for c=fr window: a. 32.cn=SecurityGroups. acl "SECURITY GROUP– ALLOW WRITE". cn=Subdomains. f. Click Check Syntax to ensure validate the text. Click OK to return to the Manage Access Control for c=fr window. e. and click Remove. 34.cn=Subdomains.0. Click New to display the Edit ACI for c=fr window. Click New to display the Edit ACI for c=fr window. c. f. search. Restart the IBM z/OS LDAP Server. For information about using this utility. These steps are specifically for the IBM z/OS Security Server LDAP Server version 1.secPwdValid:rwsc aclentry: group:cn=remote-acl-users. Use the appropriate LDIF file as input to the ldapadd command: ldapadd -h ldap_host -p ldap_port -D ldap_admin_dn -w ldap_admin_pwd -v -f ldif_filename 4.secPwdLastFailed:rwsc:at. Create an LDIF file.secAcctValid:rwsc:at. Apply the updates in the LDIF file by using it as input to the ldapmodify command: ldapmodify -h ldap_host -p ldap_port -D ldap_admin_dn -w ldap_admin_pwd -v -f ldif_file 360 Administration Guide .secPwdFailCountTime:rwsc:at. See z/OS LDAP Server Administration and Use for your version of z/OS LDAP for details on how to update the server configuration file.secPwd\ Failures:rwsc:at. To add a suffix for the IBM z/OS LDAP Server manually: 1. To add an entry to the newly created suffix. 2.cn=SecurityGroups.secPwdUnlockTime:rwsc:at.6.8.secPwdLastChanged:rwsc:at.secPwdLastFailed:rwsc:at. 3.secPwdLastChanged:rwsc:at. Add the new suffix to the LDAP server configuration file. and the IBM Tivoli Directory Server for z/OS Version 1.secAuthority=Defau\ lt:normal:rsc:at.secAuthority=Default:object:ad:normal:\ rwsc:sensitive:rwsc:critical:rwsc:restricted:rwsc aclentry: group:cn=ivacld-servers.secAuthority=Defaul\ t:normal:rsc:at.secPwdFailCountTime:rwsc:at. you can use the ivrgy_tool utility to update the ACLs on suffixes added after the initial policy server configuration.secPwdValid:rwsc entryowner: LDAP_admin_dn entryowner: group:cn=SecurityGroup. do either of the following tasks: v If no additional Access Manager domains were created other than the initial management domain.secAuthority=Default ownerpropagate: TRUE The backward slash ( \ ) at the end of a line indicates that this line combines with the next line.cn=SecurityGroups. Hereafter.secP\ wdLastUsed:rwsc:at. these LDAP servers are referred to as the IBM z/OS LDAP Server. the IBM z/OS Integrated Security Services LDAP Server Version 1. see "ivrgy_tool" in the Installation Guide.c=us: dn: o=neworg.4. To apply the appropriate Tivoli Access Manager access controls to the newly created suffix (suffix). b. without any spaces.sec\ PwdLastUsed:rwsc:at.secPwd\ Failures:rwsc:at. complete the following steps: a. This example assumes the newly created suffix is o=neworg.c=us objectClass: organization objectClass: top o: neworg b.secPwdUnlockTime:rwsc:at. Create the following LDIF file: dn: suffix aclpropagate: TRUE aclentry: group:cn=SecurityGroup.secAcctValid:rwsc:at.IBM z/OS Security Server: This procedure describes how to apply the appropriate Tivoli Access Manager access controls to the newly created suffix for IBM z/OS Security Server after the Tivoli Access Manager policy server is configured. perform the following steps: a. Instead of using the manual process described below. secPw\ dUnlockTime:rwsc:at.cn=SecurityGroups.secAcctVali\ d:rwsc:at. The default login page is the following URL: http://server_name:12100/IDSWebApp/IDSjsp/Login.se\ cPwdFailures:rwsc:at.cn=Subdomains.cn=SecurityGroups.secPwdLastChanged:rwsc:at.secPwdUnlockTime:rwsc:at.cn=SecurityGroups.secPwdLastFailed:rwsc:at.secAuthority=added\ _domain.secPwdFailCountTime:rwsc:at.secPwdLastUsed:rwsc:at.v If a domain was created in addition to the initial management domain.secPwdFailures:rwsc:at.secAcctValid:rwsc:at.secPwdLas\ tChanged:rwsc:at.secPwdUnlockTime:rwsc:at.secAcctValid:rwsc:at.secPwdLastFailed:rwsc:a\ t.secAuthority=added_domain.jsp Where server_name is the host name of the application server where the Web Administration Tool is installed. you can take advantage of its password history policy.secAuthority=Def\ ault:normal:rsc:at.secPwdLastUsed:rwsc:at. complete the following steps: 1.secPwdU\ nlockTime:rwsc:at. Apply the updates in the LDIF file by using it as input to the ldapmodify command: ldapmodify -h ldap_host -p ldap_port -D ldap_admin_dn -w ldap_admin_pwd -v -f ldif_file Note: The ldapmodify command returns an error if the following attributes and values are set by default for the newly added suffix: aclpropagate: TRUE entryowner: LDAP_admin_dn ownerpropagate: TRUE If the ldapmodify command returns the following error.secAuthority=Default ownerpropagate: TRUE b.secAuthority=Default:normal:rsc:at. Managing user registries 361 . Access the login page using a supported Web browser.secPwdLastFailed:rwsc:at.secPwdLastUsed:rwsc:at.secAcctValid:\ rwsc:at. Complete the following steps: a.secAuthority=Default:normal:rsc:at.secPwdValid:rwsc aclpropagate: TRUE entryowner: LDAP_admin_dn entryowner: group:cn=SecurityGroup.cn=Subdomai\ ns. Appendix F.secPwdFailCountTime:rwsc:at. remove these three attribute and value pairs from the LDIF file and run the ldapmodify command again: ldapmodify: additional info: R004086 Entry ’suffix’ already contains attribute ’attribute’ with value ’value’ Setting the password history policy When using Tivoli Directory Server as your user registry.secAuthority=add\ ed_domain.\ secPwdLastUsed:rwsc:at.secPwdFailCountTime:rwsc:at.secPwdValid:rwsc aclentry: group:cn=remote-acl-users.secPwdLastFailed:rwsc:at.cn=SecurityGroups.cn=Subdomains. and if a new suffix is created.secPwdValid:rwsc aclentry: group:cn=SecurityGroup.secAuthority=Defau\ lt:normal:rsc:at.secP\ wdFailures:rwsc:at.secPwdLastChanged:rwsc:at. Add ACLs to the default domain and added domain (added_domain) by creating an LDIF file similar to the following one: dn: suffix aclentry: group:cn=SecurityGroup.secPwdLastC\ hanged:rwsc:at.secAuthority=Default:object:ad:normal:rwsc:sensitive:rwsc:critical:\ rwsc:restricted:rwsc aclentry: group:cn=ivacld-servers.secPwdValid:rwsc aclentry: group:cn=remote-acl-users. ACLs need to be applied for each added domain.secPwdFailCountTime:rwsc:at. To enable this policy.secPwdFailures:rwsc:at.secAuthority=Default:object:ad:normal\ :rwsc:sensitive:rwsc:critical:rwsc:restricted:rwsc aclentry: group:cn=ivacld-servers. If not already enabled. Set the minimum number of passwords that must be used before a password can be reused. The Web Administration Tool starts. at least two domains are required from these types of domains: v A primary domain v A child domain of the primary domain v A domain tree in the forest For failover. 3. select Server administration Manage security properties. Select the LDAP Host name to be managed and log in as an LDAP administrator (for example.2. a password can be reused without restriction. at least two primary domain controllers are needed. set the Password policy enabled check box to enable password policy. click Password policy. 7. For multi-domain mode. see the IBM Tivoli Directory Server: Administration Guide. 6. DNS enables computers to find the IP addresses of the domain controllers. In the navigation area. 4. Click Apply. In the main window. Active Directory-specific tasks Microsoft Active Directory is an infrastructure supported by Windows 2003 that includes a network management of directory objects. For more information about setting the password policy that is used with Tivoli Directory Server. 9. group. You can set up the DNS server before configuring the domain controllers or when you configure the primary Active Directory domain controller. 5. If you enter zero. Enter a number from 0 to 30. and has the capability to communicate with other directory services. This section contains the following topics: v “Setting up Microsoft Windows 2003 Domain Name System for Active Directory” v “Updating the Tivoli Access Manager schema” on page 363 v “Adding a Tivoli Access Manager user to the Active Directory system group” on page 364 v “Using valid characters for Active Directory user. 8. select Password validation. Click OK. In the main window. and distinguished names” on page 364 v “Importing dynamic groups to Tivoli Access Manager” on page 366 v “Enabling change user password requests to be performed using LDAP APIs” on page 366 Setting up Microsoft Windows 2003 Domain Name System for Active Directory Active Directory uses the Domain Name System (DNS) as a domain controller location mechanism. cn=root). There are two ways to set up DNS for Active Directory: 362 Administration Guide . complete the following steps: 1. Click New in the menu. The DNS server is not necessary on the host that is the domain controller in the forest. 2. (for example. Note: Before updating the Tivoli Access Manager schema. If using a separate DNS. This domain controller and its replicas serve as the DNS servers. 5. In this window. complete the following steps: 1. If you are not using a Windows-based DNS server. DNS is configured automatically on that host if this is the first domain controller configured. The Tivoli Access Manager schema is updated to the schema master during the configuration of Tivoli Access Manager. then the Tivoli Access Manager schema is already on the schema master. verify that it is not already on the schema master.1. Create a new zone (new root domain) or child domain. contact your DNS administrator or a DNS server vendor to find out whether your server supports the required standards. If the server does not support the required standards or the zone cannot be configured to allow dynamic updates. Use a separate DNS server If configuring DNS on the forest root. you need to modify the existing DNS infrastructure. Run the following command: aminstall_dir\sbin\adschema_update –u AMConfID –p AMConfPWD where: Appendix F. do the following: 1. In your domain controller. Managing user registries 363 . Updating the Tivoli Access Manager schema To perform all Tivoli Access Manager operations. You do not need to update the Tivoli Access Manager schema. 3. To manually update the Tivoli Access Manager schema. Adding a new domain name to a DNS To add a new domain name to a DNS. Install Tivoli Access Manager runtime on the root domain controller. go to Start → Programs → Administrative Tools → Active Directory Users and Computers. Right click the Users folder. A menu opens. 2. expand the domain that contains the Users folder. 4. The Active Directory Users and Computers window is displayed. you need to add a Tivoli Access Manager schema on Active Directory. URAF-container). 4. open the domain properties and change the Allow dynamic updates field to Yes. The Tivoli Access Manager schema needs to be updated only once in the forest. If a list of Tivoli Access Manager classes for Active Directory is displayed in the menu in the URAF-xxx form. 2. Click Start → Programs → Administrator Tools → DNS to open the DNS. and expand Forward Lookup Zones. Expand the host name. Configure DNS on the forest root 2. To verify that the Tivoli Access Manager schema is updated on your system. You can use any DNS server. TheTivoli Access Manager schema needs to be added to the schema master. 3. Another menu opens. The master schema is a root domain controller in the forest. group. To add a user to an Active Directory system group on a system where Active Directory is configured as a Tivoli Access Manager user registry. 4. 11. 9. Go to Start → Programs → Administrative Tools. 364 Administration Guide . Adding a Tivoli Access Manager user to the Active Directory system group To have sufficient access to modify user and group attributes. After you verify that the Tivoli Access Manager schema was added to the schema master. 12. Click Add. 2. (as described in RFC 1779 and RFC 2253). and distinguished names (DNs). and do the following: 1. go to Tivoli PD Domains → default → system → users. The Active Directory Users and Computers window is displayed. Click Active Directory Users and Computers from the menu. From the list of users displayed. Tivoli Access Manager added support to handle special characters for DNs. For each user you want to add to multiple groups. 3. Right-click the Tivoli Access Manager user. a Tivoli Access Manager user must be added to the appropriate Active Directory system group. Select the appropriate group that you want the Tivoli Access Manager user to become a member of. In version 6. Click the Member Of tab.0. 5. select the Enterprise Admins group. On the left navigation panel. v If Tivoli Access Manager is configured using Active Directory multiple domain. Using valid characters for Active Directory user. Click OK to close all opened windows. 10. repeat the add-user-to-group process.v aminstall_dir is the directory that installs Tivoli Access Manager v AMConfID is the Tivoli Access Manager configuration login ID v AMConfPWD is the Tivoli Access Manager configuration login password 3. 7. and distinguished names This section describes how to specify valid characters for Active Directory user names. and click Properties. 8. Do one of the following: v If the purpose is to modify user or group attributes for Active Directory single domain. The Select Groups window is displayed. 6. where the users container of the Tivoli Access Manager user registry container is located. and click Add. select the Tivoli Access Manager user that you want to add to the Active Directory system group. Note: The Tivoli Access Manager schema propagation takes approximately five minutes from the schema master to add to the non-root domain controller. you can uninstall Tivoli Access Manager runtime from the root domain. select the Domain Admins group. group names. The Properties window for the selected Tivoli Access Manager user is displayed. Log in as Administrator. The double quotation marks allow the argument to be entered without being subject to interpretation by the operating system shell command processor. If you use special characters when using the pdadmin utility. User and group distinguished names There are special characters that are not allowed in a distinguished name (DN) unless the character is preceded by an additional escape character or is encoded in hexadecimal. 4.0. these users cannot authenticate at the Tivoli Access Manager blade level (version 3.) Appendix F. user@[email protected]. To encode in hexadecimal. Due to the variability of special character handling in general. User and group names Active Directory user and group names can contain all Unicode characters except for the following characters: v Forward slash (/) v Backward slash (\) v Left square bracket ([) v Right square bracket (]) v Colon (:) v Semicolon (. avoid using special characters.com is not allowed.Attention: If you upgraded the policy server to Tivoli Access Manager.1). user@mydomain. However. version 6. or 5.) v Vertical bar (|) v Equal sign (=) v Plus sign (+) v Asterisk (*) v Question mark (?) v Left angle bracket (<) v Right angle bracket (>) v Double quote (") v At symbol (@) Note: An "at" symbol (@) is not allowed unless it is used to specify the domain. replace the character with a backward slash (\) followed by two hexadecimal digits.) Plus sign (+) Double quotation (") Left angle bracket (<) Right angle bracket (>) Semicolon (. Managing user registries 365 . enclose each argument of the user or group command with double quotation marks.9. The following characters must be escaped using the backward slash (\) character before being used in a distinguished name: v Pound sign (#) at the beginning of the string v A space at the end of the string v v v v v v Comma (.com is allowed. you can create and import users containing special characters. For example. but did not upgrade the blade servers. avoid using the backward slash character (\) in distinguished names.john. This requirement is to ensure that only one dynamic group can be mapped to a Tivoli Access Manager group object at any give time.cn=myAuthorizationStore. asterisk (*).dc=mydomain. 366 Administration Guide . Example 1 To create a user with a DN that contains a comma next to the separator: pdadmin sec_master> user create "johndoe" "cn=doe\. which is a reserved character: pdadmin sec_master> user create "johndoe" "cn=doe\ODJohn. the Tivoli Access Manager group short name/ID (not including the @domain suffix when Tivoli Access Manager was configured to use Active Directory multiple domain) must be the same as the dynamic group cn.dc=domain. Example 3 To create a user with a distinguished name that contains a number sign: pdadmin sec_master>user create "#pounduser" "cn=\#pounduser.dc=com" John Doe password1 The hexadecimal representation of a carriage return is 0D.dc=com" "#pound" "user" password1 Importing dynamic groups to Tivoli Access Manager When importing an Active Directory group to Tivoli Access Manager.cn=users.dc=com" John Doe password1 Example 2 To create a user with a DN that contains a carriage return.cn=ProgramData.cn=AzGroupObjectContainermyAuthorizationStore. For example.dc=mydomain. if you have an Active Directory group with cn = dyngroup1 and distinguishedName = cn=dyngroup1. the character must be encoded in hexadecimal. or a non UTF-8 character. For other reserved characters.Note: Due to differences in registries and command shell processors. cn=myAuthorizationStore.cn=Program Data. such as an equal sign (=).cn=users. cn=AzGroupObjectContainer-myAuthorizationStore. For more information.cn=Program Data. cn=myAuthorizationStore.dc=domain. the import command would be similar to one of the following: v Tivoli Access Manager configured to an Active Directory registry single domain environment: pdadmin sec_master> group import dyngroup1 "cn=dyngroup1. see "Characters disallowed for distinguished names" in Appendix A of the IBM Tivoli Access Manager for e-business: Command Reference.dc=domain.dc=com" v Tivoli Access Manager configured to an Active Directory registry multiple domain environment: pdadmin sec_master> group import [email protected]=mydomain.cn=AzGroupObjectContainer-myAuthorizationStore.com "cn=dyngroup1.dc=com.cn=users.dc=com" Enabling change user password requests to be performed using LDAP APIs Tivoli Access Manager can be configured to use LDAP APIs for user password change requests in an environment that meets all of the following criteria: v Tivoli Access Manager is configured to use an Active Directory user registry. This is an optional enhancement. To enable this support. both the default and the alternate format of the userPrincipalName can co-exist in the Tivoli Access Manager environment. Enabling support for the use of email address or other alternate format as user identity Tivoli Access Manager can be configured to support the use of email address or other alternate format of the userPrincipalName attribute of the Active Directory registry user object for Access Manager user identity. enabling this support allows only new Access Manager user identities to use the alternate format. use the pdadmin command utility to modify the registry configuration file. use the pdadmin config modify command to update the change-pwd-using-ldap-api property in the [uraf-registry] stanza of the activedir_ldap. The following lines show an example of how to enable the change user password via LDAP APIs on Windows using Active Directory LDAP: pdadmin> login local pdadmin local> config modify keyvalue set "c:\Program Files\Tivoli\Policy Director\etc\activedir_ldap. To enable this functionality. Existing Access Manager user identities should not be modified. Managing user registries 367 . For an existing Tivoli Access Manager environment. when it is enabled.conf" "uraf-registry" "use-email-as-user-id" yes The following example demonstrates how to use the pdadmin utility to enable support of alternate userPrincipalName when using LDAP APIs on an AIX system: pdadmin> login local pdadmin local> config modify keyvalue set "/opt/PolicyDirector/etc/activedir_ldap.conf configuration file. see change-pwd-using-ldap-api on page 318.conf" "uraf-registry" "change-pwd-using-ldap-api" yes For more information.conf" "uraf-registry" "change-pwd-using-ldap-api" yes The following lines show an example of how to enable the change user password via LDAP APIs on for Active Directory LDAP on AIX: pdadmin> login local pdadmin local> config modify keyvalue set "/opt/PolicyDirector/etc/activedir_ldap. The following example demonstrates how to use the pdadmin utility to enable support of alternate userPrincipalName natively for an Active Directory environment: pdadmin> login local pdadmin local> config modify keyvalue set "c:\Program Files\Tivoli\Policy Director\etc\activedir. Note: After you enable this option.conf" "uraf-registry" "use-email-as-user-id" yes Appendix F.v Blade servers communicate directly with the Active Directory server using LDAP APIs. the Policy Server does not need to be up-and-running to handle user change password requests. Click Apply. 2. However. 6.hostname.com Novell-specific tasks The Novell eDirectory can be configured for use as a Tivoli Access Manager user registry. respectively. and then click Close. Click the Class Map tab and the table of LDAP class names. Click the Attribute Map tab and the table of LDAP attribute names. append them using the pdadmin utility. Check the value of the corresponding LDAP attribute. 5. there are several modifications to Novell eDirectory that must first be performed using Novell’s ConsoleOne directory management utility or iManager web-based administration console. prior to configuring the policy server. For example: pdadmin> login local pdadmin local> config modify keyvalue append "/opt/PolicyDirector/etc/activedir_ldap. By default. these classes are mapped into the eDirectory classes of User and Group. Select the organization object within your Novell eDirectory tree. To update the eDirectory schema using the Novell eDirectory ConsoleOne directory management utility. Delete the entries with LDAP classes of inetOrgPerson and groupOfNames. The Novell eDirectory attribute names are displayed. For each additional Global Catalog server. Start the Novell ConsoleOne directory management utility.500 object classes of inetOrgPerson or groupOfNames.pdadmin local> config modify keyvalue set "/opt/PolicyDirector/etc/activedir_ldap. 7. A list of objects is displayed on the right side of the ConsoleOne window. Because Tivoli Access Manager uses the inetOrgPerson and groupOfNames object classes for creating its own users and groups.conf" "uraf-registry" "ad-gc-server" adgc. if there are multiple Global Catalog servers. use the config modify command as in the previous example. 4. but replace the set operation with append.conf" "uraf-registry" "ad-gc-server" adgc. Note: The default Novell eDirectory schema assumes that the directory does not use the X. Tasks to be performed include: v Updating the eDirectory schema v Novell eDirectory maintenance activities that can damage schema modifications applied by Tivoli Access Manager Updating the eDirectory schema If you are installing a new Tivoli Access Manager secure domain. Right click the LDAP group object (not LDAP server). modifications to the default eDirectory schema are required. and click Properties from the menu. complete the following steps: 1. This section describes a few steps that are unique to this configuration. the Tivoli Access Manager schema is installed on the Novell eDirectory Server (NDS) automatically when the Tivoli Access Manager policy server is configured. 3. 8. If the LDAP attribute value is 368 Administration Guide .hostname2.com Note that the ad-gc-server entry in the previous example is a multi-value property. Scroll through the table and find the Novell eDirectory attribute member. The Novell eDirectory class names are displayed. 4. Click Class Map to display the Novell eDirectory class to LDAP class mappings. If the LDAP attribute value is member. Click the Roles and Tasks icon at the top of the iManager window to open the Roles and Tasks view.member. click ndsHomeDirectory. Repeat steps 3-5 to return to the LDAP Group page. click the LDAP Options task. v From the Novell eDirectory NDS Attribute field menu. v Click OK in the pop-up window to confirm the removal of the mapping. 3. to accept the changes that have been made. click OK to accept the changes. If you are using Solaris. proceed to the next step. v Click Modify. expand the LDAP category. click Home Directory. On the LDAP Options page. you need to modify it as follows. v Change the Secondary LDAP attribute field from member to uniqueMember. click OK. click the LDAP Group listed. v Repeat this step to remove a mapping for the LDAP class groupOfNames. If you are using Windows NT®. Managing user registries 369 . Click Attribute Map to access the Novell eDirectory attribute to LDAP attribute mappings. Remove mappings to inetOrgPerson and groupOfNames. you need to modify it as follows: v Select the row and click the View/Edit Mapping icon. v Scroll through the list and look for mappings of eDirectory classes to the LDAP class inetOrgPerson. v Change the Primary LDAP Attribute field from uniqueMember to member. v In the Primary LDAP Attribute field. 10. v Change the Primary LDAP Attribute field from uniqueMember to member. v If a mapping exists. 10. 11. 9. 8. v In the Attribute window. Click OK. no change is needed. v In the Attribute Mapping window. you might have to add another mapping for the LDAP attribute ndsHomeDirectory as follows: v On the right hand side of the Attribute Mappings window. Scroll through the table and find the Novell eDirectory attribute member. Check the value of the corresponding LDAP attribute. In the Properties window. then no change is needed. In the expanded list. 9. complete the following steps 1. click Add . click OK to accept the changes. If the attribute is showing the default value of uniqueMember. 7. 6. 2. In the Roles and Tasks navigation frame. Appendix F. select the row and click the Remove Mapping icon to remove the mapping. 5. The Attribute Mapping window repaints and is displayed again. To update the eDirectory schema using the Novell iManager Web-based administration console. v Click Apply to apply the changes. If the attribute is showing the default value of uniqueMember. v Click OK in the pop-up window to confirm the change. v Change the Secondary LDAP attribute field from member to uniqueMember. Launch the iManager Web page and log in as the administrator for the Novell eDirectory tree to be updated. The Attribute Mapping window is displayed. ivrgy_tool(. The Group object class is not affected. it also redefines the eDirectory User and Group object classes to allow instances of these classes to be container objects. Novell eDirectory allows this change to its schema definition. To add another mapping for the LDAP attribute ndsHomeDirectory: v Click the Add Mapping icon in the right side of the window. v Running Basic Repair from the iManager console and running local database repair with the rebuild operational schema option. v Upgrading Novell eDirectory to a more recent version.exe) -h edir_server_name -p port -D edir_admin_dn -w edir_admin_password schema The ivrgy_tool utility can be found in one of the following Tivoli Access Manager directories: Linux and UNIX operating systems /opt/PolicyDirector/sbin Windows operating systems c:\program files\tivoli\policy director\sbin 370 Administration Guide . eDirectory adds an attribute X-NDS_NOT_CONTAINER ’1’ to each of these object class definitions that specifies they are not container objects. 13. respectively. v Click OK to confirm the mapping and close the pop-up window. Should it be necessary to perform any of these operations after Tivoli Access Manager was configured into the eDirectory server. When Tivoli Access Manager adds its own object class definitions to the eDirectory schema. Both of these object classes are defined by eDirectory as leaf nodes.12. Novell eDirectory maintenance activities that can damage schema modifications applied by Tivoli Access Manager Novell eDirectory defines the object classes User and Group as part of its base schema. select Home Directory. The following Novell eDirectory administrator actions cause Tivoli Access Manager modification to the User object class to be undone. Instances of these object classes are created by an eDirectory administrator when defining a user or a group. type ndsHomeDirectory. If you are using Windows NT. A pop-up window to define the mapping is displayed. v In the Primary LDAP Attribute field. Not being a container object means that the objects cannot be defined beneath instances of these object classes. If you are using Solaris. you might have to add another mapping for the LDAP attribute ndsHomeDirectory. v In the eDirectory Attribute field. v Applying a patch update to Novell eDirectory. v Running the eDirectory database repair tool ndsrepair using the rebuild schema option. Tivoli Access Manager requires the ability to append its own objects beneath pre-existing eDirectory users and groups in order to import them and make them usable by Tivoli Access Manager. v Click Apply to apply the changes. Click OK in the Attribute Map window to accept the changes. proceed to the next step. run the following command immediately to ensure that the definition of the User object class is restored. You must run the ivrgy_tool utility from the /sbin directory.Tivoli Access Manager does not add the /sbin directory to the system PATH. Managing user registries 371 . Appendix F. 372 Administration Guide . check the product support site by performing the following steps: 1. From this topic. Go to the IBM Software Support site at the following Web address: © Copyright IBM Corp. Expand Troubleshooting and support. you can search a variety of resources. Click Web search. 2. Searching information centers IBM provides extensive documentation in an information center that can be installed on your local computer or on an intranet server. To search multiple Internet resources for your product. 1999. which includes the following resources: v IBM Technotes v v v v v IBM downloads IBM Redbooks® IBM developerWorks® Forums and news groups Google Obtaining fixes A product fix might be available to resolve your problem. you want it resolved quickly. Expand Searching knowledge bases. and support documents. reference information. 4. 3. To determine what fixes are available for your IBM software product. You can use the search function of this information center to query conceptual information. instructions for completing tasks. Searching the Internet If you cannot find an answer to your question in the information center. Support information This section describes the following options for obtaining support for IBM products: v “Searching knowledge bases” v “Obtaining fixes” v “Registering with IBM Software Support” on page 374 v “Receiving weekly software updates” on page 374 v “Contacting IBM Software Support” on page 375 Searching knowledge bases If you encounter a problem.Appendix G. most complete information that might help you resolve your problem. perform the following steps: 1. 2010 373 . Expand the product folder in the navigation frame on the left. search the Internet for the latest. You can search the available knowledge bases to determine whether the resolution to your problem was already encountered and is already documented. and click Submit. click Search tips.com/software/support 2. Go to the IBM Software Support site at the following Web address: http://www.com/software/support 2.Z.ibm. Click your product name to open the product-specific support page. 6. Under Products A . and click Submit to open your support page. Click the My support link to open the Sign in page. and click Add products. 6. After choosing all your products. Under Self help. Repeat step 5 for each additional product. 8.ibm. and other service updates for your product. 3. Complete the form. follow the link to All Updates.ibm. you need to register with IBM Software Support. Optional. click the letter with which your product starts to open a Software Product List. 3.html 374 Administration Guide . use the filters and choose which updates you want to receive. Click Register in the upper right-hand corner of the support page to establish your user ID and password. click the Subscribe to email link. 4.services. Provide your sign in information. For each product about which you want to receive updates. fix packs. see the IBM Software Support Handbook at the following Web address: http://techsupport. follow these steps: 1.http://www. 5. For more information about the types of fixes that are available. where you will find a list of fixes. Click the name of a fix to read the description. 7. Click the Edit profile tab. download the fix. Registering with IBM Software Support Before you can receive weekly e-mail updates about fixes and other news about IBM products. 9. Receiving weekly software updates After registering with IBM Software Support. For tips on refining your search.com/software/support 2.com/guides/handbook. For each product category.ibm. 5. 4. 3. To register with IBM Software Support. and click Update. Repeat step 8 for each additional product category. you can receive weekly e-mail updates about fixes and other news about IBM products. use the filters to choose your exact interests. follow these steps: 1. Go to the IBM Software Support site at the following Web address http://www. To receive weekly notifications. html If you are not sure what type of software maintenance contract you need. Product types are one of the following categories: v For IBM distributed software products (including. 2. Linux.lotus. you need to understand and assess the business impact of the problem that you are reporting. The type of software maintenance contract that you need depends on the type of product that you have.com/servers/eserver/techsupport. follow these steps: “Determining the business impact” “Describing problems and gathering information” on page 376 “Submitting problems” on page 376 Determining the business impact When you report a problem to IBM. Lotus.com/services/passport. Support information 375 . and Rational® products.ibm. go to the contacts page of the IBM Software Support Handbook at the following Web address and click the name of your geographic region for phone numbers of people who provide support for your location: http://techsupport.services. but not limited to. enroll in Passport Advantage® in one of the following ways: Online Go to the IBM Software Passport Advantage site at the following Web address and click How to Enroll: http://www.com/guides/contacts. go to the IBM Software Support site at the following Web address and click the name of your geographic region: http://techsupport. or UNIX operating systems). as well as DB2 and WebSphere products that run on Windows. the following criteria must be met: v Your company has an active IBM software maintenance contract. 3.html To 1. go to the IBM eServer Technical Support Advantage site at the following Web address: http://www.ibm. call 1-800-IBMSERV (1-800-426-7378) in the United States or. Use the following severity criteria: Appendix G. you are asked to supply a severity level.html v For IBM eServer™ software products (including.services. you can purchase a software maintenance agreement by working directly with an IBM sales representative or an IBM Business Partner. and iSeries® environments). but not limited to. Before contacting IBM Software Support. contact IBM Software support. from other countries.com/guides/contacts.ibm.Contacting IBM Software Support IBM Software Support provides assistance with product defects. v You are authorized to submit problems to IBM Software Support.nsf/ WebDocs/Passport_Advantage_Home By phone For the phone number to call in your country. For more information about support for eServer software products. DB2 and WebSphere products that run in System z®. pSeries®. Therefore. Tivoli. ibm. but less significant features that are not critical are unavailable. IBM Software Support creates an Authorized Program Analysis Report (APAR). know the answers to these questions: v What software versions were you running when the problem occurred? v Do you have logs. Describing problems and gathering information When explaining a problem to IBM. and messages that are related to the problem symptoms? IBM Software Support is likely to ask for this information. traces. Whenever possible.services. v Are you currently using a workaround for this problem? If so. go to the contacts page of the IBM Software Support Handbook at the following Web address and click the name of your geographic region: http://techsupport. what steps were performed to encounter the problem? v Was any change made to the system? For example. or a reasonable circumvention to the problem was implemented. You are unable to use the program. but it is severely limited. The problem causes little impact on operations.com/guides/contacts. Include all relevant background information so that IBM Software Support specialists can help you solve the problem efficiently.Severity 1 The problem has a critical business impact. please be prepared to explain it when you report the problem. networking software. IBM Software Support provides a workaround that you can implement until the APAR is resolved and a fix is delivered. To save time. The APAR describes the problem in detail. resulting in a critical impact on operations. Severity 2 The problem has a significant business impact. 376 Administration Guide .ibm. were there changes to the hardware. operating system.com/software/support/probsub. and so on. so that other users who experience the same problem can benefit from the same resolution. This condition requires an immediate solution.html If the problem you submit is for a software defect or for missing or inaccurate documentation. IBM publishes resolved APARs on the IBM product support Web pages daily. Severity 4 The problem has minimal business impact. The program is usable. be as specific as possible. The program is usable.html By phone For the phone number to call in your country. v Can you create the problem again? If so. Severity 3 The problem has some business impact. Submitting problems You can submit your problem to IBM Software Support in one of two ways: Online Go to the Submit and track problems page on the IBM Software Support site at the following address. and provide your information into the appropriate problem submission tool: http://www. see “Searching knowledge bases” on page 373 and “Obtaining fixes” on page 373.For more information about problem resolution. Appendix G. Support information 377 . 378 Administration Guide . © Copyright IBM Corp. to: IBM Director of Licensing IBM Corporation North Castle Drive Armonk. Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. NY 10504-1785 U. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.S. BUT NOT LIMITED TO. or service. this statement may not apply to you. 1999. Some states do not allow disclaimer of express or implied warranties in certain transactions. INCLUDING.S. program. it is the user's responsibility to evaluate and verify the operation of any non-IBM product. Minato-ku Tokyo 106. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. EITHER EXPRESS OR IMPLIED. IBM may have patents or pending patent applications covering subject matter described in this document. However. program.A. or service is not intended to state or imply that only that IBM product. in writing. For license inquiries regarding double-byte (DBCS) information. 2010 379 . contact the IBM Intellectual Property Department in your country or send inquiries. or service may be used. program. these changes will be incorporated in new editions of the publication. THE IMPLIED WARRANTIES OF NON-INFRINGEMENT. Consult your local IBM representative for information on the products and services currently available in your area. services. Any functionally equivalent product. or service that does not infringe any IBM intellectual property right may be used instead. to: IBM World Trade Asia Corporation Licensing 2-31 Roppongi 3-chome.Appendix H. program. Changes are periodically made to the information herein. IBM may not offer the products.A. Notices This information was developed for products and services offered in the U. in writing. The furnishing of this document does not give you any license to these patents. Japan The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND. therefore. This information could include technical inaccuracies or typographical errors. Any reference to an IBM product. or features discussed in this document in other countries. You can send license inquiries. MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. other countries. Linux is a trademark of Linus Torvalds in the United States. WebSphere. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems. IBM has not tested those products and cannot confirm the accuracy of performance. eServer. DB2 Universal Database. or both. subject to appropriate terms and conditions. Microsoft and Windows are trademarks of Microsoft Corporation in the United States. All statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice. and z/OS are trademarks or registered trademarks of International Business Machines Corporation in the United States. or both. brands. 380 Administration Guide . Such information may be available. Tivoli logo. other countries. This information contains examples of data and reports used in daily business operations. TX 78758 U. Information concerning non-IBM products was obtained from the suppliers of those products. Tivoli. Redbooks. and products. Inc. Lotus. and represent goals and objectives only. Trademarks IBM. other countries. including in some cases. other countries. zSeries®. iSeries. SecureWay™. in the United States and other countries. To illustrate them as completely as possible. pSeries. DB2. AIX.A. companies. The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement.Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which was exchanged. compatibility or any other claims related to non-IBM products. should contact: IBM Corporation 2Z4A/101 11400 Burnet Road Austin. Lotus and Domino are trademarks of International Business Machines Corporation and Lotus Development Corporation in the United States. UNIX is a registered trademark of The Open Group in the United States and other countries. IBM logo. Passport Advantage. their published announcements or other publicly available sources. the examples include the names of individuals. IBM International Program License Agreement or any equivalent agreement between us. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. or both. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. or both.S. developerWorks. payment of a fee. Domino. Notices 381 . Appendix H.Other company. or service names may be trademarks or service marks of others. product. 382 Administration Guide . ACL entry. If you do not find the term or abbreviation for which you are looking. access permission. A characteristic or trait of an entity that describes the entity. an audit entry is created when a resource is modified. Part of the security policy that contains ACL entries that control who can access which domain resources and perform which actions. audit level. attribute. ACL policy. A record of each action is written to the audit journal. See also authorization rule and protected object policy. action group. ADK. See also access control list. and documentation to assist with the development of software in a specific computer language or for a particular operating environment. See Refers the reader to a term that is the expanded form of an abbreviation or acronym or to a synonym or more preferred term. Customers may develop these services using the authorization ADK. © Copyright IBM Corp. A set of tools. A set of actions that are explicitly associated with a resource or set of resources. APIs. form the basis of all ADI that can be referenced in a rule or presented to the authorization engine. Data in an access control list that specifies a set of permissions.Glossary This glossary defines the technical terms and abbreviations that are used in Tivoli Access Manager. In computer security. The access privilege that applies to the entire object. The administration service responds to remote requests from the pdadmin command to perform tasks. an access control list is a list that is associated with a file that identifies the users who can access the file and identifies the users' access rights to that file. See access control list. Actions that can be audited include authority failures and restoring objects. which indicates the range of information given by the attribute. an attribute consists of a name-value pair within a tagged element and modifies a feature of an element. Attribute lists consist of a set of name-value pairs. audit event. See application development kit administration service. such as listing the objects under a particular node in the protected object tree.ibm. A linked list that contains extended information that is used to make authorization decisions. A record of an operation in the audit log or change history. audit trail. An attribute can have a type.com/ibm/terminology The following cross-references are used among terms: Contrast with Refers the reader to a term that has an opposed or substantively different meaning. Obsolete Indicates that the term should not be used and refers the reader to the preferred term. for example. For example. The data and attributes that are used by the authorization engine to evaluate a rule. Authorization API attributes are name-value pairs. refer to the IBM Terminology Web site at the following Web address: http://www. for example. ADI. application development kit (ADK). The types of user actions that are currently being audited for the entire system or for specific users on the system. Information about an identity. and a value. 1999. A access control. access decision information (ADI). In XML. A chronological record of events that enables the user to examine and reconstruct a sequence See also Refers the reader to a related term. account. which is within a range. In computer security. access control list (ACL). 2010 383 . the process of ensuring that only authorized users can access the resources of a computer system in authorized ways. An authorization API runtime plug-in that can be used to perform administration requests on a Tivoli Access Manager resource manager application. action. ACL. a list with an object that identifies all the subjects that can access the object and their access rights. See access decision information. attribute list. An access control list (ACL) permission attribute. Authentication is distinct from authorization. connection. authorization rule. authorization server. A CA creates digital signatures and public-private key pairs. and environment context. The role of the CA s to authenticate the entities (users and organizations) involved in electronic transactions. responds accordingly. See also multi-factor authentication. Security uses a two-step process: after authentication has verified the identity. authorization evaluator. An Internet standard for defining scripts that pass information from a Web server to an application program. (2) In TCP/IP. authorization API. A component that provides application-specific services and components. The manner in which the hardware and software of a system. See certificate authority. which. and step-up authentication. common gateway interface (CGI). (3) In system B BA. thereby enabling the certificate owner to be authenticated. or to another identifier or to associate formal parameters to actual parameters. authorization. The CA guarantees the identity of the individual who is granted the unique certificate and guarantees the services that the owner is authorized to use. An authorization rule is used to make access decisions based on attributes such as user. A dynamic or shared library that can be loaded by the authorization API runtime client at initialization time to perform operations that extend a service interface in the Authorization API. See cross domain mapping framework. business entitlement. one are the only two values that can be returned. An authentication method that verifies identity using a user name and password. See external authentication C API. basic authentication. The evaluator makes its recommendation to the resource manager. See also ACL policy and protected object policy. application. The decision-making process that determines whether a client can access a protected resource based on the security policy. or network are organized and interconnected. the process that grants or denies access to resources. audit trail file. a digital document that binds a public key to the identity of the certificate owner. Part of the security policy that define conditions that are contained in authorization policy. certificate. network-based authentication. to an address. CDAS. The file that contains the audit trail. and vice versa. Boolean. The supplemental attribute of a user credential that describes the fine-grained conditions that can be used in the authorization process. CGI. Obsolete. to relate an identifier to a value. a connection extends from a TCP application on one system to a TCP application on another system. authorization allows the resource or process access to various resources based on its identity. to issue new certificates. A CGI script is a CGI program that is written in a scripting language. and to revoke certificates that belong to users and organizations who are no longer authorized to use the services. configuration. an association established between functional units for conveying information. The Tivoli Access Manager component that passes requests for authorization decisions from the resource manager to the authorization evaluator. In the Internet. authorization is concerned with granting and denying access to resources. authentication. Because the CA guarantees that the two parties that are exchanging information are really who they claim to be. See common gateway interface. certificate authority (CA). the process that verifies identity. in turn. A certificate is issued by a certificate authority. To relate an identifier to another object in a program. authorization service. In computer security. the CA is a critical component in data security and electronic commerce. for example. blade. through an HTTP request. (1) In data communication. bind. See basic authentication. a value of zero represents false while a value of one represents true. such as Perl. the path between two protocol applications that provides reliable data stream delivery service. An organization that issues certificates. cipher. A cryptographic algorithm that is used to encrypt data that is unreadable until it is converted into plain data (decrypted) with a predefined key.of events. The Tivoli Access Manager component that runs the authorization service. C CA. A binary numbering system that is named after mathematician George Boole in which zero and 384 Administration Guide . Audit trails are useful for managing security and for recovering lost transactions. In computer security. In computer security. See also authorization service. CDMF. subsystem. See also authorization server and authorization service. com is the fully qualified domain name (FQDN) of a host system. cookie. See distinguished name. A system process that runs unattended to perform continuous or periodic system-wide functions. DN. A storage area for data. When an attribute is added to a directory entry that causes it to match the search expression. the process of transforming data into a cipher. and other security-related identity attributes. data store. A structural designation that organizes the object space into distinct functional regions. A group that is defined using a search expression. See also service. entitlement. a computer or network that uses a firewall to be isolated from. Entitlements contain policy data or capabilities that are formatted in a way that is understandable to a specific application. and which attributes are optional. auditing. A distinguished name is made up of an attribute-value pairs. In computer security. (2) A set of name-value pairs (such as cn=common name and c=country) that uniquely identifies an entry in a digital certificate. cross domain mapping framework (CDMF). both austin. The digital signature proves that the message was signed by the entity that owns. See also domain name. The authorization can be made by a user or by an administrator. DMZ. or file. a line over which data can be passed between two systems or between a system and a device. such as network control. See demilitarized zone. A user who is authorized to work for another user. The administrator for a domain who can assign any of the roles in that domain to subdomains. An authorization API runtime plug-in which can be used to modify a Tivoli Access Manager credential. administrators in that subdomain can assign subdomain users these roles. Information that is encrypted with a private key and is appended to a message to assure the recipient of the authenticity and integrity of the message. domain name. A data structure that contains externalized security policy information. credentials modification service. domain administrator. The valid attribute types and object classes that can appear in a directory. any group associations. demilitarized zone (DMZ).ibm. pipe log agent. the name of a host system. Obsolete. acquired during authentication. (2) A part of a network that is administered with a common protocol. In network security. a private intranet) and an untrusted network (for example.com and ibm. A log agent that writes events to standard error or standard output. The attribute types and object classes define the syntax of the attribute values.com® are domain names. For example. delegate. cross domain authentication service (CDAS).communication. After assigning roles to subdomains. See external authorization service. that describes the user. the private key or shared secret symmetric key. directory schema. such as a database system. Credentials can be used to perform a multitude of services. Credentials modification services developed externally by customers are limited to performing operation to add and remove from the credentials attribute list and only to those attributes that are considered modifiable. the Internet). which attributes are required. entitlement service. digital signature. See also file log agent. and to serve as a neutral zone between. D daemon. separated by commas. console log agent. Cookies allow servers to remember specific information about clients. A programming interface that allows a developer to customize the mapping of user identities and the handling of user attributes when WebSEAL e-Community SSO function are used. Detailed information. directory. a trusted network (for example.ibm. A domain name consists of a sequence of subnames that are separated by a delimiter character. the entry automatically becomes a member of the group. Information that a server stores on a client machine and accesses during subsequent sessions. (1) The name that uniquely identifies an entry in a directory. such as authorization. credentials. An authorization API runtime plug-in which can be used to return entitlements from Glossary 385 . and remote log agent. See external authentication C API. One or more secure gateways usually control access to the DMZ from the trusted or the untrusted network. In the Internet suite of protocols. container object. if austin. dynamic group. or has access to. (1) A logical grouping of resources in a network that share common administration and management. E EAS. domain. and delegation. encryption. distinguished name (DN). An XML processing language that is used to convert an XML document into another document in XML. a protocol that can use Transmission Control Protocol (TCP) and Telnet services to transfer files between machines. HTML. I inheritance. See also Extensible Stylesheet Language. file transfer protocol (FTP). Each activity has its own event pool. GSO. extended attribute. The host can be a client. as a member of a particular category or type. The identity information in the HTTP response headers is used to generate user credentials. A C API that enables you to write custom authentication modules that replace or extend the functionality of the built–in authentication process. hypertext transfer protocol (HTTP). an item that can be treated as a unit and. The event pool is initialized when the activity is created and is deleted when the activity is deleted. and remote log agent. An object-oriented programming technique that allows the use of existing classes as a basis for creating other classes. An authorization API runtime plug-in that can be used to make application. often. A computer that is connected to a network and provides an access point to that network. or both a client and a server simultaneously. A log agent that writes events to a file. See hypertext transfer protocol. A standard meta-language for defining markup languages that is based on Standard Generalized Markup Language (SGML). A set of events recognized by an activity. A flexible single sign-on solution that enables the user to provide alternative user names and passwords to the back-end Web application server. F file log agent. See also single sign-on. or network application. Contrast with external authentication HTTP interface. Customers may develop these services using the authorization ADK. Customers can develop these services using the authorization ADK. A named list of users by which access levels to corporate directories. or other format. Extensible Stylesheet Language (XSL). databases. event pool.or environment-specific authorization decisions as part of the authorization decision chain. for the resolution to a problem. a server. Through a single login. Entitlements are normally application specific data that will be consumed by the resource manager application in some way or added to the principal's credentials for use further on in the authorization process. such as text. Extensible Markup Language (XML). FTP. H host. An extended attribute can be any format. Contrast with external authentication C API. for example. external authorization service (EAS). and servers are assigned. pipe log agent. An interface that enables you to extend the functionality of the built-in authentication process to allow a remote service to handle the authentication process. In object-oriented design. Additional information that the system or a program associates with an object. Designed for large enterprises consisting of multiple systems and applications within heterogeneous. or binary data. network resource. Extensible Stylesheet Language Transformation (XSLT). See file transfer protocol G global sign-on (GSO). the protocol that is used to transfer and display documents. entity. global sign-on grants users access to the computing resources they are authorized to use. Any significant change in the state of a system resource. distributed computing environments. Two or more individual users who are categorized for the purpose of assigning database security settings. XSL Transformation (XSLT) is used with XSL to describe how an XML document is transformed into another document. An event can be generated for a problem. In the Internet suite of protocols. a bitmap. See global sign-on. 386 Administration Guide . PDF. A language for specifying style sheets for XML documents. GSO eliminates the need for users to manage multiple user names and passwords. external authentication C API. external authentication HTTP interface. See also console log agent. or for the successful completion of a task. group. An entity can be concrete or abstract. administrators must assign individuals to groups before assigning roles. In the Internet suite of protocols. The identity information is returned through the authentication module interface. event. See also Extensible Stylesheet Language Transformation. HTTP.an external source for a principal or set of conditions. the central server. private keys. See lightweight third party authentication. signals. and certificates. The ticket is then embedded in messages that are sent over the network. In the Kerberos protocol. Glossary 387 . LTPA. In the Kerberos protocol. See key table. This domain is created when the policy server is configured. Because the private key holds more of the encryption pattern than the public key. lightweight directory access protocol (LDAP). trusted roots. authorization. a file that contains service principal names and secret keys. (2) A mechanism of an operating system that allows processes to communicate with each other within the same computer or over a network. LDAP can be used to locate people.500 model and that does not incur the resource requirements of the more complex X. Internet suite of protocols. L LDAP. An open protocol that uses TCP/IP to provide access to directories that support an X. and other information that is sealed using a secret key. The KDC is sometimes referred to as the Kerberos server. Kerberos ticket. key table. In computer security. keytab file. the sender uses the public key to encrypt the message. lightweight third party authentication (LTPA). a public key and a private key. Information that is expressed as a paired set. a sequence of symbols that is used with a cryptographic algorithm for encrypting or decrypting data. IPC. A key file that contains both public keys stored as signer certificates and private keys stored in personal certificates. See key file. key. Kerberos. See lightweight directory access protocol. interprocess communication (IPC). the signer uses the private key to encrypt a representation of the message. When the key pair is used for encryption. The default domain in which Tivoli Access Manager enforces security policies for authentication. (1) The process by which programs communicate data to each other and synchronize their activities. J junction. and internal message queues are common methods of interprocess communication. The receiver of a message uses the ticket to authenticate the sender. IP. A simple ticket contains the identity. key database file (KDC). See private key and public key. the key pair is called asymmetric. and access control.500 Directory Access Protocol (DAP). See Internet protocol. It works by assigning a unique key. In computer security. A node that has no children before it in the directory tree. A logical connection that is created to establish a path from one server to another. The secret keys should be known only to the services that use the key table file and the key distribution center (KDC). and the recipient uses the private key to decrypt the message. called a ticket. K KDC. which includes the authentication server and the ticket-granting server. and other resources in an Internet or intranet directory. In the Internet suite of protocols. A set of protocols developed for use on the Internet and published through the Internet Engineering Task Force (IETF). An authentication protocol that users cryptography to support security across a set of Web servers in a distributed environment. See interprocess communication.Internet protocol (IP). key-value pair. A transparent application mechanism that transmits the identity of an initiating principal to its target. a file that contains public keys. The interface that a domain administrator can use to manage security policy. See key file. key file. In Tivoli Access Manager. When the key pair is used for signing. M management domain. Semaphores. to each user that logs on to the network. keystore file. and the recipient uses the public key to decrypt the representation of the message for signature verification. a connectionless protocol that routes data through a network or interconnected networks. See also domain. In computer security. key distribution center. an administrator can use Web Portal Manager or the pdadmin commands to apply security policy to resources. IP acts as an intermediary between the higher protocol layers and the physical network. leaf node. key pair. organizations. For example. a session key. management interface. key ring. See key distribution center. An authentication system that enables two parties to exchange private information over an otherwise open network. a timestamp. O object. in some cases. policy database. The policy server also maintains location information about other Tivoli Access Manager and non-Tivoli Access Manager resource managers that are operating in the secure domain. PDCA. pipe log agent. and remote log agent. data. The number and meaning of permissions for an object are defined by the access control list (ACL). N namespace. See also access control list. See also namespace. libraries. policy server. can be secured. See policy server. P PAC. policy enforcer. multi-factor authentication. A virtual representation of the resources to be protected. See Policy Director Certificate Authority permission. A PDCA certificate is stored in the master policy database. A trusted certificate that is created during the configuration of the policy server and that is used to sign all other Tivoli Access Manager certificates. such as a file or directory. Gateways establish a single authenticated channel to the originating server and tunnel all client requests and responses through this channel. Obsolete. and stream files. a uniform resource identifier (URI) that provides a unique name to associate with all the elements and type definitions in a schema. (3) A named storage space that consists of a set of characteristics that describe the space and.management server. A gateway that accommodates multiple client access. object type. See also console log agent. migration. A server that permits the hosting of multiple customers on a single server instead of multiple client machines. file log agent. the access control on a protected resource can require that the users authenticate with both user name/password and user name/token passcode. See multiplexing proxy agent. object space. MPA. In a network environment. can be located in a library or directory. See also protected object policy. The master server is designed to manage the network. and on which defined operations can be performed. the server that has permissions to run commands on all other machines in the environment. files. The installation of a new version or release of a program to replace an earlier version or release. Each domain has its own policy database. (1) In XML. An object is anything that occupies space in storage. A log agent that writes events as standard input to another program. Some examples of objects are programs. multiplexing proxy agent (MPA). Traditional applications bundle the policy enforcer and the resource manager as one process. An object can appear as text. (2) Space reserved by a file system to contain the names of its objects. Data that describes the characteristics of stored data. an icon. See privilege attribute certificate. and resource objects in the network database. For example. and updates database replicas whenever a change is made to the master policy database. A protected object policy (POP) that forces a user to authenticate using two or more levels of authentication. user can manipulate as a single unit and perform a task. (1) In object-oriented design or programming. Contrast with replica server metadata. A protected object policy (POP) that controls access to objects based on the Internet protocol (IP) address of the user. The ability to access a protected object. replicates this policy information throughout the secure domain. or both. network-based authentication. master server. policy. The database that contains the security policy information for all resources in the domain. These gateways are sometimes known as Wireless Access Protocol (WAP) gateways when clients access a secure domain using a WAP. A categorization or group of object instances that share similar behavior and characteristics. clients. but the class owns the operations that are associated with the data. A set of rules that are applied to managed resources. a concrete realization (instance) of a class that consists of data and the operations associated with that data. An object contains the instance data that is defined by the class. See also protected object policy. multiple tenancy server. The synchronization mechanism that the policy server uses to inform all database replicas of a change to the master policy database. The Tivoli Access Manager component that maintains the master policy database. notification thread. A component of a resource manager that directs requests to the authorization service for processing after authorization is granted. Policy Director Certificate Authority (PDCA). (2) Any digital content that a 388 Administration Guide . Contrast with public key. principal.polling. A hardware. and program. (2) Any server or application that uses the authorization API to process client requests for access to resources. or transaction that manages and controls access to shared resources. proxy server. a key that is known only to its owner. For example. In computer security. Contrast with private key. A log agent that sends events to a remote server for recording. (1) The storage representation of a single row of a table or other data in a database. program. (1) An entity that can communicate securely with another entity. protected object policy (POP). remote log agent. and vice-versa. See also console log agent. authorization rule. which defines its access rights. Users and processes are limited in how they can access resources when that user or process does not have the appropriate role. A single point of access to diverse information and applications. and software. protected object. See also protected object and protected object policy. systems. resource object. The level of data security. resource. See also protected object policy and protected object space. (2) An authenticated user. privilege attribute certificate service. In access control policies. protected object space. resource groups specify the resource to which the policy authorizes access. (2) A group of related data. An operational mode in which a resource manager uses the functions that are provided by the authorization API to communicate to the remote authorization server. (1) An application. The setup and configuration data has to be entered during an interactive installation. Users can customize and personalize a portal. R record. and privacy conditions. such as memory buffers and data sets. The logical representation of an actual system resource that is used for applying ACLs and POPs and for authorizing user access. response file. replica server. protected object. a key that is made available to everyone. The virtual object representation of actual system resources that is used for applying ACLs and POPs and for authorizing user access. An authorization API runtime client plug-in which translates a PAC of a predetermined format in to a Tivoli Access Manager credential. file log agent. Customers may develop these services using the authorization ADK. A type of security policy that imposes additional conditions on the operation permitted by the ACL policy to access a protected object. registry. portal. A principal is identified by its associated security context. file. These services could also be used to package or marshall a Tivoli Access Manager credential for transmission to other members of the secure domain. remote cache mode. determined by a combination of authentication. The process by which databases are interrogated at regular intervals to determine if data needs to be transmitted. resource group. See also silent installation. The representation of an actual network resource. Contrast with master server. In computer security. POP. a client cannot meet the security authentication requirements of the server but should be permitted some services. See also privilege attribute certificate. or data entity that is managed. See also ACL policy. Glossary 389 . private key. resource manager. words. A server that contains a copy of the directory or directories of another server. The datastore that contains access and configuration information for users. and pipe log agent. role. integrity. the installation can proceed without user interaction. privilege attribute certificate (PAC). A proxy server is often used when the client and the server are incompatible for direct connection. software. but with the response file. Replicas back up master servers or other replica servers to enhance performance or response times and to ensure data integrity. and protected object space. such as a service. public key. or fields treated as a unit. See protected object policy. A server that receives requests intended for another server and that acts on behalf of a client to obtain the requested service. It is the responsibility of the resource manager to enforce the POP conditions. A digital document that contains a principal's authentication and authorization attributes and a principal's capabilities. A definition of the access permissions that a user or process has and the specific resources that the user or process can modify at those levels. An ASCII file that can be customized with the setup and configuration data that automates an installation. A group of resources that can include business objects such as contracts or a set of related commands. Q quality of protection. See also ACL policy. and message forgery. step-up authentication. The ability of hardware. directory. Shamir. rule. and protected object policies attached to objects to make them protected objects. Work performed by a server. RSA encryption. RSA. See Secure Socket Layer. HTTP servers. service. Name servers that have authoritative control of all the top-level domains. such that the user has the appropriate access permissions for the object defined for that role. The mechanism that allows a user to logon once and access multiple applications through a single authorization challenge. See single sign-on. self-registration. security context. root container object. Stanzas are usually separated by blank lines or colons. A system for public-key cryptography used for encryption and authentication. but it requires the user to S scalability. (2) In Tivoli Access Manager. A group of lines in an ASCII file that together have a common function or define a part of a system. role assignment. The acronym stands for Rivest. A security policy describes the risks that you intend to minimize and the actions that should be taken if someone breaches your security controls. stanza. root domain. and used by GSKit. and protected object policy. The process by which a user can enter required data and become a registered user without the involvement of an administrator. Secure Sockets Layer (SSL). The local copy of the master key file that resides in an encrypted format on the local disk. Also. a user does not need to log on to each application separately. security management. The top-level container object in the hierarchy or resource objects. The set of statements. See also daemon. runtime environment. or file. The component responsible for evaluating an authorization rule. A protected object policy (POP) that relies on a preconfigured hierarchy of authentication levels and enforces a specific level of authentication according to the policy set on a resource. Inc. The software discipline that addresses how an organization can control access to mission critical applications and data. A service can be a simple request for data to be sent or stored (as with file servers. tampering. the inventors of this encryption technique. and each stanza has a name. and contains information about when the token expires. expressed in a data definition language. The time period during which a computer program is running. authorization rule. run time. routing file. or it can be for more complex requests (as with print servers or process servers). SSL enables client/server applications to communicate in a way that is designed to prevent eavesdropping. routing table. session. An ASCII file that contains commands that control the configuration of messages. A collection of path information through which hosts or networks can communicate with each other. The security of the system depends on the difficulty of factoring the product of two large prime numbers. that completely describes the structure of data that is stored in a database. The step-up authentication POP does not force the user to authenticate using multiple levels of authentication to access any given resource. SSO. and Adleman. A public-key encryption technology that was developed by RSA Data Security. An installation that does not send messages to the console but instead stores messages and errors in log files. software. See also response file. stash file. A set of logical statements that enable a server to recognize relationships among events and to perform automated responses accordingly. rules evaluator. or e-mail servers). A security protocol that provides communication privacy. (1) A written document that defines the security controls that you institute for your computer systems. schema. the combination of ACL policies. lists the roles and access rights for the principal. a silent installation can use response files for data input. A series of requests to a server or application that originate from the same user at the same browser. single sign-on (SSO). SSL. silent installation. authorization rules.role activation. See also global sign-on. The process of applying access permissions to a role. The process of assigning a role to a user. security policy. Using SSO.. A subset of an application development kit (ADK) that contains the executable files and other supporting files that comprise the operational environment of the platform. 390 Administration Guide . or a distributed system to maintain performance levels as it increases in size and increases in the number of users who access resources. The digitally signed token that identifies a principal. device. Web projects. See Extensible Stylesheet Language Transformation. U uniform resource identifier (URI). custom tag libraries. The URL includes the abbreviated name of the protocol used to access the information resource and the information used by the protocol to locate the resource. A standard that uses XSL stylesheets to transform XML documents into other XML documents or fragments or to transform XML documents into HTML documents. See Kerberos ticket. which is a particular subset or URI called uniform resource locator (URL). See Extensible Stylesheet Language. the computer that contains the resource. See registry. A character string that represent resources on a computer or in a network. this GUI enables remote administrator access and enables administrators to create delegated user domains and assign delegate administrators to these domains. organization. XSLT. T ticket. A URI typically describes how to access the resource. An alternative to the pdadmin command line interface. URL. The character string used to identify an abstract or physical resource on the Internet. XSL stylesheet. XML transform. A directory server can have multiple suffixes. each identifying a locally held directory hierarchy. See Web Portal Manager. A Web-based graphical application used to manage Tivoli Access Manager security policy in a secure domain. See also uniform resource locator. and archive files. WebSEAL.authenticate at a level at least as high as that required by the policy protecting a resource. V virtual hosting. program. for example. such as the Internet. Any one of the resources that are created during the development of a Web application. JSP files. servlets. user. this suffix applies to every other entry within that directory hierarchy. A distinguished name that identifies the top entry in a locally held directory hierarchy. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy. trusted root. or system that uses a service provided by others. HTML pages. XSL. X XML. WPM. A high performance. The capability of a Web server that allows it to appear as more than one host to the Internet. Each device can acquire and use the token to control the medium. A sequence of bits (symbol of authority) that is passed successively along a transmission medium from one device to another to indicate the device that is temporarily in control of the transmission medium. The most common form of URI is the Web page address. token. and the name of the resource. In the Secure Sockets Layer (SSL). URI. uniform resource locator (URL). See Extensible Markup Language. W Web Portal Manager (WPM). Any person. multi-threaded Web server that applies a security policy to a protected object space. suffix. Code that describes how an XML document should be rendered (displayed or printed). Web session. the public key and associated distinguished name of a certificate authority (CA). See also Secure Socket Layer. Web resource. See uniform resource identifier. Because of the relative naming scheme used in Lightweight Directory Access Protocol (LDAP). See session. See also protected object policy. Glossary 391 . See uniform resource locator. user registry. process. protocol. 392 Administration Guide . 91. 92 modify delete attribute 95 modify set attribute creating extended attributes 93 modifying extended attributes 93 show 85. 86. 91. 2010 393 .Index Special characters AttributeName entry 327 policy-trigger entry 230 service-id entry aznapi-admin-services stanza 215 service-id entry aznapi-cred-modification-services stanza aznapi-entitlement-services stanza 229 aznapi-pac-services stanza 232 ACL policies (continued) exporting all 86 multiple 87 one 87 extended attributes creating 92 deleting 94 deleting values 95 listing 93 modifying 93 finding 89 importing 86 inheritance 50 listing 85 management tasks 83 modifying description 84 modifying entry permissions 91 operations on an object 38 policies 38 purpose security considerations 77 removing ACL entries 91 versus authorization rules 40 viewing 85 viewing extended attributes 94 ACL policies. 1999. 90. 92 show attribute 94 ACL entries creating for ACL policy 90 custom permissions 81 default permissions 80 definition 78 ID attribute 79 modifying permissions 91 permissions attribute 79 removing from ACL policy 91 representation of custom permissions 82 type attribute 79 ACL policies attaching 88 cloning 86 creating 84 creating ACL entries 90 definition 77 definition of 37 deleting 89 detaching 88 evaluating 39 explicit 50 50 © Copyright IBM Corp. defining 11 ACL policy definition of 12 ACL policy administrator 43 aclMembership entry 297 ACLs 45 ACL entries 78 ACL policies 77 applying policies to different object types control permission 48 default administration ACL 51 default config ACL 52 default domain ACL 53 default GSO ACL 52 default management ACL 52 default policy ACL 52 default proxy ACL 53 default replica ACL 52 default root ACL 51 explicit versus inherited 47 group management policies 191 management permissions 53 managing 77 managing ACL permissions 53 resolving request 49 user management policies 192 action bits See permissions action commands create 98 delete 98 group create 96 group delete 97 group list 96 list 98 227 A access control list See ACLs access control lists See ACLs access decision information See ADI accessibility xiii accessmanager.gif file 28 accountability 4 accounts. user and group 145 acl commands attach 88 create 84 delete 90 detach 89 find 89 list 85 list attribute 94 modify 85. 90. 136 POPs 101 audit-attribute entry 217 auditevent entry 244 auditing disabling. 208 ad-gc-port entry 325 ad-gc-server entry 325 ADI containers and container names 123 definition of 119 determining what is missing 136 dynamic retrieval entitlement services 136 name/value pair attributes 124 request from the resource manager 133.action create command 98 action delete command 98 action group commands create 96 delete 97 list 96 action group create command 96 action group delete command 97 action group list command 96 action groups creating 96 creating new permissions 97 custom 81 custom scenario 82 deleting 97 deleting permissions 98 guidelines 95 listing 96 listing permissions 98 management tasks 95 primary group 80 when to create 81 action list command 98 actions See also permissions managing Action permissions 54 Active Directory enabling dynamic groups 158 Active Directory server activedir. network-based authorization 110 allowed registry substring 181 allowed-registry-substrings entry 248 amconf. common audit service 234 auditing events 197 auth-using-compare entry 265 authenticated authenticated requests 39 unauthenticated requests 39 authenticated requests 39 authentication applying step-up policy 115 configuring levels of step-up 115 introduction 2 levels 114 multi-factor authentication 116 step-up 114 authentication-mechanisms stanza cert-ldap entry 212 cert-uraf entry 213 description 211 passwd-ldap entry 213 passwd-uraf entry 214 authMethod entry 297 394 Administration Guide .conf configuration file 207.conf 207 configuration file with LDAP client 207 activedir_ldap. 135 retrieval entitlements service 121 source 121 XML document model 122 XML document model restriction 123 administration delegate role 185 enterprise domain 183 multiple domains 184 roles 185 superdomain 183 administration ACL (default) 51 administration API 4 administration groups 187 administration users creating 43 administration users and groups defaults 43 administrator multiple domains 184 superdomain 183 tasks 186 administrators administrator 184 domain 184 enterprise domain 183 administrators (continued) predefined 184 sec_master 183 senior 184 support 185 Tivoli Access Manager 184 types 184 algorithm. common audit service 234 enabling.properties configuration file 208 any-authenticated type attribute See any-other any-other adding ACL entry to ACL policy 90 authenticated requests 39 modifying permissions 91 removing ACL entries from ACL policies 91 type attribute 79 unauthenticated requests 39 any-other user 38 app_context attribute list 120 application context information 120 applying ACL policies 50 attribute lists app_context 120 permission_info-returned 135 attribute name. XML 124 attribute pairs (name/value) 119 attributes ACL ID 79 ACL permissions 79 ACL type 79 azn_cred_groups 131 azn_cred_principal_name 131 azn_cred_registry_id 131 azn_engine_requested_actions attribute 120 azn_engine_target_resource 120 azn_init_set_perminfo_attrs 133 azn_perminfo_reason_rule_failed 135 azn_perminfo_rules_adi_request 133.conf configuration file 207 activedir. conf 205 key and stash files 161 pdacld server process 167 preventing automating startup 173 starting 170 authorization service 6 authorization API 10 benefits 7 extending 17 interfaces 10 overview 8. 136 azn-app-host entry 218 azn-server-name entry 218 aznapi-admin-services stanza service-id entry 215 description 215 aznapi-configuration stanza audit-attribute entry 217 azn-app-host entry 218 azn-server-name entry 218 cache-refresh-interval entry 219 cred-attributes-entitlement-services entry 219 db-file entry 220 description 217 dynamic-adi-entitlement-services entry 221 input-adi-xml-prolog entry 221 listen-flags entry 222 logcfg entry 222 mode entry 223 pd-user-name entry 224 pd-user-pwd entry 224 permission-info-returned entry 224 policy-cache-size entry 225 resource-manager-provided-adi entry 225 xsl-stylesheet-prolog entry 226 aznapi-cred-modification-services stanza service-id entry 227 description 227 aznapi-entitlement-services stanza service-id entry 229 description 228 aznapi-external-authzn-services stanza policy-trigger entry 230 description 230 aznapi-pac-services stanza service-id entry 232 description 231 aznAPI. 137 managing rule permissions 58 modifying 139 overview 119 policies 40 policies for 46 when to use 41 authorization server configuration file 205 ivacld. 255 automatic certificate and password refresh 161 azn_cred_groups attribute 131 azn_cred_principal_name attribute 131 azn_cred_registry_id attribute 131 azn_decision_access_allowed_ext () method 120 azn_decision_access_allowed_ext() method 135 azn_decision_access_allowed() method 133 azn_engine_requested_actions attribute 120 azn_engine_target_resource attribute 120 azn_entitlement_get_entitlements() call 136 azn_entitlement_get_entitlements() method 129 azn_init_set_perminfo_attrs attribute 133 azn_init_set_perminfo_attrs initialization parameter 135 azn_perminfo_reason_rule_failed attribute 135 azn_perminfo_rules_adi_request attribute 133.authn-timeout entry 266 authorization evaluation process 18 introduction 2 step-by-step process 13 authorization API introducing 14 local cache mode 16 remote cache mode 15 standard 5 authorization API attributes 119 authorization database replicating 174 authorization evaluator overview 9 authorization model conceptual model 6 authorization policy database 9 Authorization rule language languages 122 authorization rules 13 attaching to an object 142 changing 139 cloning 140 creating 138 definition of 37 deleting 144 delimiters 128 detaching 143 differing from ACL policies and POPs 40 evaluator 128 examples ADI from dynamic ADI retrieval services ADI from entitlement data 131 ADI from resource manager 131 exporting all 141 multiple 141 one 141 finding 143 Format and constraints 129 importing 140 listing 140 management tasks 119.conf configuration file 209 Index 395 . 9 authorize-group-list entry 247 authzrule attach command 142 authzrule commands attach 142 132 authzrule commands (continued) create 139 delete 144 detach 143 find 143 list 140 modify 139 authzrule create command 139 authzrule delete command 144 authzrule detach command 143 authzrule find command 143 authzrule list command 140 authzrule modify command 139 auto-database-update-notify entry 174. conf 267 ldap stanza.conf 278 ldap stanza. ldap. ivmgrd. 91.conf changePassword entry 298 chgcert option of svrsslcfg command 164 clientPassword entry 235 clientUserName entry 235 cloning POPs 106 commands acl attach 88 acl create 84 acl delete 90 acl detach 89 acl find 89 acl list 85 acl list attribute 94 acl modify 85. 91.B bannerFile entry 298 bassslcfg -config command 165 benefits of authorization service 7 bind-dn entry 266 bind-id entry 309 books see publications ix. pdmgrproxyd. 157 318 396 Administration Guide . ivacld. 86. 90. 92 acl modify delete attribute 95 acl modify set attribute creating extended attributes 93 modifying extended attributes 93 acl show 85. activedir_ldap.conf 267 ldap stanza. xii boot-start-ivacld command 173 boot-start-ivacld entry 294 boot-start-ivmgrd command 173 boot-start-ivmgrd entry 294 boot-start-pdmgrproxyd command 174 boot-start-pdproxyd entry 295 C CA See certificate authority ca-cert-download-enabled entry 256 cache-database entry 290 cache-enabled entry ldap stanza. 92 acl show attribute 94 action create 98 action delete 98 action group create 96 action group delete 97 action group list 96 action list 98 authzrule attach 142 authzrule create 139 authzrule delete 144 authzrule detach 143 authzrule find 143 authzrule list 140 authzrule modify 139 bassslcfg -config 165 config modify 158 domain create 62 domain delete 64 domain list 63 domain modify 63 group create 155. 90.conf 267 cache-group-expire-time entry 267 cache-group-membership entry 268 cache-group-size entry 268 cache-lifetime entry 309 cache-mode entry 309 cache-policy-expire-time entry 269 cache-policy-size entry 269 cache-refresh-interval entry 219 cache-return-registry-id entry 270 cache-size entry 310 cache-use-user-cache entry 270 cache-user-expire-time entry 271 cache-user-size entry 271 CARS See common audit service cars-client stanza clientPassword entry 235 clientUserName entry 235 compress entry 233 description 233 diskCachePath entry 233 doAudit entry 234 errorFilePath entry 235 flushInterval entry 236 hiWater entry 237 keyFilePath entry 236 lowWater entry 237 maxCacheFiles entry 237 maxCacheFileSize entry 238 maxErrorFiles entry 238 maxErrorFileSize entry 238 maxTraceFiles entry 239 maxTraceFileSize entry 239 numberCMThreads entry 239 numberEQThreads entry 240 numberRetries entry 240 queueSize entry 240 rebindInterval entry 241 retryInterval entry 241 serverURL entry 241 cars-client stanza (continued) stashFilePath entry 242 traceFilePath entry 242 traceLevel entry 242 transferSize entry 243 useDiskCache entry 243 cars-filter description 244 cars-filter stanza auditevent entry 244 centralized management 4 cert-ldap entry 212 cert-uraf entry 213 certificate authority See also CA definition 159 determining trust 162 certificates automatic refresh 161 FTP 164 initial configuration 160 management tasks 159 revocation 164 update utilities 161 change-pwd-using-ldap-api entry uraf-registry stanza. conf 209 Boolean values 201 configuration files (continued) common audit service 208 default location 204 default values 200 defined strings 200 Domino server 208 domino.commands (continued) group create command 190 group import 157 group list 156.conf 208 pdmgrproxyd. 154 user import 154 user list 148.conf 205 pdaudit. 105 server replicate 175 svrsslcfg -unconfig 164 user create 147.conf 206 LDAP client with Active Directory server 207 LDAP server 207 ldap. 193 user list-dn 193 user modify password 149 user show groups 193 common audit service disabling audit 234 enabling audit 234 common problems reporting describing problem 376 determining business impact 375 gathering information 376 submitting problems 376 communication FIPS mode 2 SSL 2 TLS 2 compress entry 233 config ACL (default) 52 config option bassslcfg command 165 configuration server files 172 configuration entries dynamic-adi-entitlement-services 136 input-adi-xml-prolog 136 resource-manager-provided-adi 136 xsl-stylesheet-prolog 136 configuration files Active Directory server 207 activedir_ldap. 189 security considerations 77 containers for ADI 123 context information application 120 authorization engine 120 control permission 48 conventions typeface xiv core technologies 1 count() function 132 creating group container objects 189 cred-attributes-entitlement-services entry 219 credential entitlements 120 custom action groups representation in ACL entries 82 scenario 82 custom permissions represented in ACL entries 82 customer support contacting 375 obtaining fixes 373 receiving updates from 374 registering with 374 searching information centers 373 Index 397 .conf 207 pd. 193 group list-dn 193 login 61 object create 72 object create command 189 object delete 75 object list 73 objectspace create 66 objectspace delete 69 objectspace list 67 pdadmin group import 156 policy set all users 153 single user 151 pop attach 108 pop create 104 pop delete 109 pop detach 109 pop find 109 pop list 105 pop modify set ipauth 113 pop modify set ipauth add 113 pop modify set ipauth remove 114 pop show 104.conf 208 file names 200 general guidelines 199 integer values 201 ivacld.conf 205 ivmgrd.properties 208 authorization server 205 aznAPI.conf 206 policy proxy server 206 policy server 206 resource managers 209 runtime 205 string values 200 Web Portal Manager 208 configuration stanzas See stanzas configuration-database stanza description 246 file entry 246 configurations managing Config permissions 55 configured entry 295 configuring initialization attributes 135 levels for step-up authentication 115 connection-inactivity entry ldap stanza.conf 207 activedir.conf 207 amconf. ldap. authorization rules 129 container names for ADI containers 123 limitations of 123 container objects 34.conf 278 constraints. conf 279 uraf-registry stanza. activedir_ldap. described 183 superdomain 183 domain ACL (default) 53 domain administrator 145 domain commands create command 62 delete command 64 list command 63 modify command 63 domain entry domain=domain_name stanza 249 domains stanza 249 uraf-registry stanza.conf 320 uraf-registry stanza.customer support (continued) searching knowledge bases 373 searching the Internet 373 submitting problems 376 D data integrity or redundancy 177 database path for user registry 181 database-path entry domain=domain_name stanza 249 domains stanza 249 ivmgrd stanza 256 db-file entry 220 debug entry 299 default administration ACL 51 administration users and groups 187 config ACL 52 domain ACL 53 GSO ACL 52 management ACL 52 policy ACL 52 proxy ACL 53 replica ACL 52 root ACL 48. activedir_ldap. domino.conf 315 136 E education see Tivoli technical training xiii enable-last-login entry 265 enabled entry ldap stanza. activedir.conf configuration file 208 dynamic ADI 121 dynamic ADI retrieval entitlement services 136 dynamic group support 36.conf 315 domain=domain_name stanza allowed-registry-substrings entry 248 database-path entry 249 description 248 domain entry 249 domains definition of 33 managing domain permissions 59 domains stanza allowed-registry-substrings entry 248 database-path entry 249 description 248 domain entry 249 Domino server domino.conf 315 uraf-registry stanza. notation xiv diskCachePath entry 233 dnforpd entry uraf-registry stanza. 51 security policy 43 default proxy ACL 53 default-policy-override-support entry 271 defining security policy 45 delegate administrator. authorization rules evaluator 128 dependencies server 169 Deployment Administrator 43 diagnostic events 197 directory names. activedir_ldap.conf 318 uraf-registry stanza.conf 279 uraf-registry stanza.conf 314 doAudit entry 234 document model for ADI 122 domain administrator (sec_master) 36 administrators 184 changing description 62 creating 61 deleting 64 enterprise 183 domain (continued) listing 63 logging in 61 modifying 62 multiple 184 subdomain. ldap. XML 125 320 398 Administration Guide . activedir. activedir.conf 312 encryption supported ciphers 2 enhanced-pwd-policy Tivoli Directory Server 263 enhanced-pwd-policy entry 262 enterprise domain 183 entitlement example. ldap.conf uraf-registry stanza. 156 dynamic groups Active Directory 158 enabling 158 LDAP registry 158 dynamic-adi-entitlement-services 136 dynamic-adi-entitlement-services configuration entry dynamic-adi-entitlement-services entry 221 dynamic-groups-enabled entry ldap stanza. illustrated 184 delegate role administration 185 delegated administration administration users and groups 43 group ACL permissions 192 group container objects 189 managing policy 193 object space management 186 user management 192 delegated management administration users and groups 187 group management 188 delegated-admin stanza authorize-group-list entry 247 description 247 delimiters.conf 208 domino. activedir_ldap. activedir.conf 319 uraf-registry stanza. conf 321 max-notifier-threads 258 max-search-size ldap stanza.conf 315 enable-last-login 265 enabled ldap stanza.conf uraf-registry stanza.conf 267 ldap stanza. ldap. ldap. ldap. activedir. pdmgrproxyd.conf 273 ldap stanza. ivacld.conf 315 uraf-registry stanza. activedir.conf 278 ldap stanza. ldap. ivacld. activedir.conf 279 uraf-registry stanza.entitlements retrieval entitlement services 121 user credential 120 entries AttributeName 327 policy-trigger 230 service-id aznapi-admin-services stanza 215 aznapi-cred-modification-services stanza 227 aznapi-entitlement-services stanza 229 aznapi-pac-services stanza 232 aclMembership 297 ad-gc-port 325 ad-gc-server 325 allowed-registry-substrings 248 audit-attribute 217 auditevent 244 auth-using-compare 265 authMethod 297 authn-timeout 266 authorize-group-list 247 auto-database-update-notify 255 azn-app-host 218 azn-server-name 218 bannerFile 298 bind-dn 266 bind-id 309 boot-start-ivacld 294 boot-start-ivmgrd 294 boot-start-pdproxyd 295 ca-cert-download-enabled 256 cache-database 290 cache-enabled ldap stanza. activedir_ldap.conf 312 enhanced-pwd-policy 262 errorFilePath 235 file 246 flushInterval 236 hiWater 237 host 280 hostname 316 ignore-suffix 280 infoBarGif 299 input-adi-xml-prolog 221 jrteHost 300 jrteProps 300 keyFilePath 236 ldap-client-timeout 321 ldap-server-config 272 LdapSSL 287 LdapSSLKeyFile 288 LdapSSLKeyFileDn 288 LdapSSLKeyFilePwd 289 listen-flags 222 log-file ivacld stanza 250 ivmgrd stanza 257 pdmgrproxyd stanza 291 logcfg aznapi-configuration stanza 222 ivacld stanza 251 ivmgrd stanza 257 pdaudit-filter stanza 289 login-failures-persistent 273 loginGif 300 lowWater 237 management-domain 285 master-host 286 master-port 286 max-connections-per-ad-domain uraf-registry stanza.conf uraf-registry stanza. activedir_ldap.conf 278 cred-attributes-entitlement-services 219 database-path domain=domain_name stanza 249 domains stanza 249 ivmgrd stanza 256 db-file 220 entries (continued) debug 299 default-policy-override-support 271 diskCachePath 233 dnforpd uraf-registry stanza. domino.conf 273 ldap stanza.conf 314 doAudit 234 domain domain=domain_name stanza 249 domains stanza 249 uraf-registry stanza.conf uraf-registry stanza.conf 318 changePassword 298 clientPassword 235 clientUserName 235 compress 233 configured 295 connection-inactivity ldap stanza.conf 273 318 319 320 320 Index 399 .conf 267 ldap stanza. ldap. activedir_ldap.conf uraf-registry stanza. ivmgrd. activedir_ldap. activedir. activedir. ivmgrd.conf 267 cache-group-expire-time 267 cache-group-membership 268 cache-group-size 268 cache-lifetime 309 cache-mode 309 cache-policy-expire-time 269 cache-policy-size 269 cache-refresh-interval 219 cache-return-registry-id 270 cache-size 310 cache-use-user-cache 270 cache-user-expire-time 271 cache-user-size 271 cert-ldap 212 cert-uraf 213 change-pwd-using-ldap-api uraf-registry stanza. activedir_ldap.conf 279 uraf-registry stanza.conf 281 ldap stanza.conf 315 dynamic-adi-entitlement-services 221 dynamic-groups-enabled ldap stanza. pdmgrproxyd. conf 316 NAB 312 notifier-wait-time 259 novell-suffix-search-enabled ldap stanza. activedir_ldap.conf ssl-keyfile-dn 276 ssl-keyfile-label ssl stanza 304 uraf-registry stanza. pd.conf 306 ssl-maximum-worker-threads 306 ssl-port 284 ssl-pwd-life 307 ssl-v3-timeout 307 standby 260 stashFilePath 242 tcp-req-port ivacld stanza 253 ivmgrd stanza 261 pdmgrproxyd stanza 292 tivoli_common_dir 295 traceFilePath 242 traceLevel 242 transferSize 243 unix-group ivacld stanza 254 ivmgrd stanza 261 pdmgrproxyd stanza 293 unix-user ivacld stanza 253 ivmgrd stanza 261 pdmgrproxyd stanza 293 uraf-registry-config 311 uraf-return-registry-id 314 uraf-registry stanza.conf 306 ssl stanza. ldap.conf 274 ldap stanza. ivacld.conf 324 uraf-registry stanza. activedir. pdmgrproxyd. activedir_ldap.conf 274 ldap stanza. ivmgrd. ivacld.conf uraf-registry stanza.conf 282 numberCMThreads 239 numberEQThreads 240 numberRetries 240 passwd-ldap 213 passwd-uraf 214 pd-user-name 224 pd-user-pwd 224 PDM 313 permission-info-returned 224 permit-unauth-remote-caller 252 pid-file ivacld stanza 252 ivmgrd stanza 259 pdmgrproxyd stanza 292 policy-cache-size 225 port ldap stanza. activedir. activedir_ldap. ivmgrd.conf 308 ssl stanza. pdmgrproxyd.conf 283 ldap stanza. 324 useDiskCache 243 useEncryption 317 user-and-group-in-same-suffix 277 user-reg-host 296 user-reg-hostport 296 user-reg-server 296 user-reg-type 296 UseSSL 326 version 287 wasEmbedded 301 xsl-stylesheet-prolog 226 environment variables.conf 274 prefer-readwrite-server 274 primary-domain 322 provide-last-login 254 provide-last-pwd-change 255 queueSize 240 rebindInterval 241 replica 283 resource-manager-provided-adi 225 retryInterval 241 search-timeout 274 secauthority-suffix 284 server 313 serverURL 241 splashGif 300 ssl-authn-type 302 ssl-auto-refresh 302 ssl-cert-life 302 ssl-enable-fips 303 ssl-enabled 275 ssl-io-inactivity-timeout 303 ssl-keyfile ldap stanza 276 ssl stanza 304 uraf-registry stanza. activedir_ldap. ldap. notation xiv errorFilePath entry 235 evaluation process.conf ssl-keyfile-pwd 324 ldap stanza 277 321 322 323 entries (continued) ssl-keyfile-stash 305 ssl-listening-port 305 ssl-local-domain ssl stanza. activedir.conf 316 use-email-as-user-id uraf-registry stanza.conf 306 ssl stanza.entries (continued) max-server-connections ldap stanza. authorization rules 128 events auditing 197 diagnostic 197 messages 197 statistics 197 trace 197 examples custom permissions 81 external authorization service 18 explicit ACL 47 explicit policy 12 extended attributes ACL policies creating 92 deleting 94 400 Administration Guide .conf 281 maxCacheFiles 237 maxCacheFileSize 238 maxErrorFiles 238 maxErrorFileSize 238 maxTraceFiles 239 maxTraceFileSize 239 mode 223 multi-domain uraf-registry stanza. ldap.conf 317. authorization 18 evaluator.conf 306 ssl stanza. ldap. gif 28 I IBM Directory 345 Index 401 . 190 definition 145 delegating management 188 deleting 157 dynamic 36 enabling dynamic 158 iv-admin 36 iv-admin group 43 ivmgrd-servers 43 listing 155 management tasks 145 managing groups permissions 57 modifying permissions 91 removing ACL entries from ACL policies searching 155 type attribute 79 GSO managing GSO permissions 58 GSO ACL (default) 52 guidelines for secure object space 41 key file renewal 165 stash file renewal 165 91 H HACMP environment 177 guidelines for cluster 177 hacmp. authorization rules 129 FTP 164 207 Global Sign-On See GSO group dynamic 156 importing 156 group accounts 145 group commands create 155.conf 207 activedir. obtaining 373 flushInterval entry 236 format.jsp 29 regProp.conf 206 policy proxy server 206 policy server 206 resource managers 209 Web Portal Manager 208 key renewal guidelines 165 renewing 161 regAdmin. 190 delete 157 import 157 import command 156 list 156 group container objects creating 189 group create command 190 group list command 193 group list-dn command 193 group management 191 groups accounts 145 adding ACL entry to ACL policy 90 creating 155.conf 205 ivmgrd.properties 208 authorization server 205 aznAPI.log file 179 high availability log files 179 management 178 policy server setup 178 standby policy server 178 High Availability Cluster Multiprocessing See HACMP hiWater entry 237 host entry 280 hostname entry 316 G GIF files accessmanager.conf 207 amconf.conf 207 pdaudit.conf 209 common audit service 208 default location 204 Domino server 208 domino.gif 28 configuration 205 Active Directory server 207 activedir_ldap.extended attributes (continued) ACL policies (continued) deleting values 95 listing 93 modifying 93 viewing 94 Extensible Markup Language See XML Extensible Style Language See XSL external authorization service deploying 20 implementing 20 introduction 17 F failover configuration 345 Federal Information Processing Standards See FIPS file entry 246 files accessmanager.jsp 29 regControl.conf 206 LDAP client with Active Directory server LDAP server 207 ldap.conf 208 ivacld.conf 208 pdmgrproxyd.jsp 29 runtime 205 stash renewal guidelines 165 FIPS communication 2 fixes. kdb key file 161 ivmgrd.conf 278 default-policy-override-support entry 271 description ivacld.conf 267 ldap. searching 373 introduction 1 IP addresses adding network-based authorization for POPs 113 deleting network-based authorization for POPs 114 forbidding network-based authorization for POPs 113 specifying for POPs 113 iPlanet See Sun ONE iv-admin group 36.kdb key file 161 ivacld.IBM Directory Server user registry See LDAP server ID attribute 79 ignore-suffix entry 280 infoBarGif entry 299 information centers.jsp 29 regControl.conf 278 pdmgrproxyd.conf 207 LDAP servers failover 177 ldap stanza auth-using-compare entry 265 authn-timeout entry 266 bind-dn entry 266 cache-enabled entry ldap stanza.conf 262 ldap. 43 ivacld stanza description 250 log-file entry 250 logcfg entry 251 permit-unauth-remote-caller entry 252 pid-file entry 252 tcp-req-port entry 253 unix-group entry 254 unix-user entry 253 ivacld.conf 278 failover configuration 345 LDAP client activedir_ldap.kdb 161 pdmgrproxyd. ivmgrd.sth stash file 161 K key files definition 159 ivacld.conf 279 enable-last-login entry 265 enabled entry ldap.conf 267 ldap stanza. pdmgrproxyd. 50 inherited policy 12 initialization attributes 135 dynamic-adi-entitlement-services 136 input-adi-xml-prolog 136 resource-manager-provided-adi 136 xsl-stylesheet-prolog 136 input-adi-xml-prolog configuration entry 136 input-adi-xml-prolog entry 221 integrity of data 177 Internet.conf 207 LDAP failover preference values 348 LDAP registry enabling dynamic groups 158 LDAP server ldap.conf 279 enhanced-pwd-policy entry 262 host entry 280 ignore-suffix entry 280 J jrteHost entry 300 jrteProps entry 300 JSP files regAdmin.conf configuration file 205 ivacld.kdb 161 ivmgrd.conf 262 ivmgrd.conf 262 dynamic-groups-enabled entry ldap. definition 159 knowledge bases information centers 373 searching 373 the Internet 373 L LDAP configuration ldap.jsp 29 regProp.conf configuration file 206 ivmgrd.kdb 161 pd.conf 267 ldap stanza.kdb 161 renewal guidelines 165 renewing 161 keyFilePath entry 236 keystores. ivacld. searching 373 inherited ACL 47.sth stash file 161 ivmgrd stanza auto-database-update-notify entry 255 ca-cert-download-enabled entry 256 database-path 256 description 254 log-file entry 257 logcfg entry 257 max-notifier-threads entry 258 notifier-wait-time entry 259 pid-file entry 259 provide-last-login entry 254 provide-last-pwd-change entry 255 standby entry 260 tcp-req-port entry 261 unix-group entry 261 unix-user entry 261 ivmgrd-servers group 43 ivmgrd.conf 278 cache-group-expire-time entry 267 cache-group-membership entry 268 cache-group-size entry 268 cache-policy-expire-time entry 269 cache-policy-size entry 269 cache-return-registry-id entry 270 cache-use-user-cache entry 270 cache-user-expire-time entry 271 cache-user-size entry 271 connection-inactivity entry ldap.jsp 29 402 Administration Guide . ivacld.conf 283 ldap stanza. ldap.ldap stanza (continued) ldap-server-config entry 272 login-failures-persistent entry 273 max-search-size entry ivacld.conf 273 max-server-connections entry ldap stanza. xii mapping. ldap. 16 log files hacmp.conf 273 max-server-connections entry ldap stanza. pdmgrproxyd.log 179 high availability 179 log-file entry ivacld stanza 250 ivmgrd stanza 257 pdmgrproxyd stanza 291 logcfg entry aznapi-configuration stanza 222 ivacld stanza 251 ivmgrd stanza 257 pdaudit-filter stanza 289 login-failures-persistent entry 273 loginGif entry 300 look-through limit 330 Lotus Domino server See Domino server lowWater entry 237 M management ACL (default) 52 management delegation 186. ivmgrd.conf 273 ldap stanza.conf 273 ivmgrd.conf 281 novell-suffix-search-enabled entry ldap stanza. ldap. ivacld. ldap. 188 management domain 33 management interface 10 management region permissions 53 management tasks authorization rules 137 management-domain entry 285 Management/ACL permissions 53 management/Action permissions 54 Management/Config permissions 55 Management/Domain permissions 59 Management/Groups permissions 57 Management/GSO permissions 58 Management/Policy permissions 56 Management/POP permissions 55 Management/Proxy permissions 59 Management/Replica permissions 56 Management/Rule permissions 58 Management/Server permissions 55 Management/Users permissions 56 manager stanza description 285 management-domain entry 285 master-host entry 286 master-host port entry 286 managing ACL permissions 53 Action permissions 54 Config permissions 55 delegated administration policy 193 domain permissions 59 groups permissions 57 GSO permissions 58 object space 65 policy permissions 56 POP permissions 55 proxy permissions 59 replica permissions 56 rule permissions 58 server permissions 55 servers 167 users permissions 56 manuals see publications ix.conf 273 ldap stanza.conf 281 maxCacheFiles entry 237 maxCacheFileSize entry 238 maxErrorFiles entry 238 maxErrorFileSize entry 238 maxTraceFiles entry 239 maxTraceFileSize entry 239 Index 207 403 .conf 281 ldap stanza.conf 274 ldap stanza. ldap. ldap.conf 321 max-notifier-threads entry 175.conf 273 ldap stanza.conf 347 ldap.conf 274 ldap stanza.conf 282 port entry ldap stanza. network-based authorization 110 Linux servers See UNIX servers listen-flags entry 222 local cache mode 14. 258 max-search-size entry ldap stanza. ivmgrd.conf 274 prefer-readwrite-server entry 274 replica entry 283 search-timeout entry 274 secauthority-suffix entry 284 ssl-enabled entry 275 ssl-keyfile entry 276 ssl-keyfile-dn entry 276 ssl-keyfile-pwd entry 277 ssl-port entry 284 user-and-group-in-same-suffix entry 277 LDAP_ADMINLIMIT_EXCEEDED 330 ldap-client-timeout entry 321 ldap-generic-acls (internal use) 207 ldap-generic-general (internal use) 207 ldap-generic-pwd-change-error-map (internal use) ldap-server-config entry 272 ldap. container names 123 limitations.conf configuration file 207 LdapSSL entry 287 LdapSSLKeyFile entry 288 LdapSSLKeyFileDn entry 288 LdapSSLKeyFilePwd entry 289 legal notices 379 trademarks 380 levels for step-up authentication 115 limitations.conf 281 pdmgrproxyd. pdmgrproxyd. activedir. pdadmin CLI to WPM 337 master authorization policy database 9 master-host entry 286 master-port entry 286 max-connections-per-ad-domain entry uraf-registry stanza. conf uraf-registry stanza.conf 282 numberCMThreads entry 239 numberEQThreads entry 240 numberRetries entry 240 113 O object commands create 72.conf 316 multi-factor authentication 116 multiple domain 184 example 184 illustrated 184 multiple-tenancy policy server 181 321 objects (continued) exporting 74 importing 73 listing 73 management tasks 71 objectspace commands create 66 delete 69 list 67 objectspace create command objectspace delete 69 objectspace list 67 online publications accessing xii ordering publications xii overview 1 66 P passwd-ldap entry 213 passwd-uraf entry 214 password troubleshooting 185 Password policy LDAP 329 passwords automatic refresh 161 changing 148 management tasks 159 path names. notation xiv pd_start utility displaying server status 171 restarting servers 171 starting servers 170 stopping servers 171 pd-user-name entry 224 pd-user-pwd entry 224 pd. 259 novell-suffix-search-enabled entry ldap stanza. 189 object delete command 75 object list command 73 object space definition of 34 delegating management 186 management tasks 65 object spaces browsing 67 copying 67 creating 65 deleting 69 exporting 68 importing 68 listing 67 objects creating 71 deleting 74 404 Administration Guide .conf 287 LdapSSL entry 287 LdapSSLKeyFile entry 288 LdapSSLKeyFileDn entry 288 LdapSSLKeyFilePwd entry 289 PDM entry 313 pdmgr See policy server pdmgrd server process policy server 167 starting 170 pdmgrproxyd server process policy proxy server 167 N NAB entry 312 network-based authorization adding for POPs 113 algorithm 110 deleting for POPs 114 forbidding or POPs 113 limitations 110 specifying IP addresses and ranges notation environment variables xiv path names xiv typeface xiv notices 379 notification delay time 176 notifier-wait-time entry 176.conf configuration file 205 pd. activedir_ldap. 189 delete 75 list 73 object create command 72.kdb key file 161 pd.conf configuration file 208 PDCA reconfiguring policy server 163 PDCA certificate See certificates pdconfig stanza description ldap. activedir. document 122 modes authorization API local cache 16 authorization API remote cache 15 multi-domain entry uraf-registry stanza.messages 197 meta-info stanza description 287 version entry 287 mode entry 223 model of authorization 6 model. ldap.sth stash file 161 pdacld server process authorization server 167 starting 170 pdadmin command interface 4 pdaudit-filter stanza description 289 logcfg entry 289 pdaudit. 105 Index 405 . 101 audit level 111 configuring 111 management tasks 102 setting 111 time of day 112 warning mode 111 pop commands attach 108 create 104 delete 109 detach 109 find 109 list 105 show 104. example 81 defaults 80 deleting from action group 98 iv-admin group 43 listing for action group 98 roles 185 sec_master 43 permissions (continued) traverse (T) 48 permissions attribute 79 permissions attrribute represented in ACL entries 82 permit-unauth-remote-caller entry 252 pid-file entry ivacld stanza 252 ivmgrd stanza 259 pdmgrproxyd stanza 292 policies authorization rules 40.kdb key file 161 pdmgrproxyd. defining 11 pop show command 104.conf configuration file 206 pdmgrproxyd.conf 206 key and stash files 161 overview 9 pdmgrd server process 167 preventing automating startup 173 reconfiguring PDCA 163 standby server 178 starting 170 policy-cache-size entry 225 pop attach command 108 POP attributes 45. 46 managing policy permissions 56 POPs 40 policy ACL (default) 52 policy commands set all users 153 single user 151 policy database 9 policy enforcer 6 policy proxy server configuration file 206 introducing 168 key and stash files 161 pdmgrproxyd server process 167 pdmgrproxyd. 105 pop create command 104 pop delete command 109 pop detach command 109 pop find command 109 pop list command 105 pop modify set ipauth add command 113 pop modify set ipauth command 113 pop modify set ipauth remove command 114 POP policies.sth stash file 161 pdrte stanza boot-start-ivacld entry 294 boot-start-ivmgrd entry 294 boot-start-pdproxyd entry 295 configured entry 295 description 294 tivoli_common_dir entry 295 user-reg-host entry 296 user-reg-hostport entry 296 user-reg-server entry 296 user-reg-type entry 296 pdwpm stanza aclMembership entry 297 authMethod entry 297 bannerFile entry 298 changePassword entry 298 debug entry 299 description 296 infoBarGif entry 299 jrteHost entry 300 jrteProps entry 300 loginGif entry 300 splashGif entry 300 wasEmbedded entry 301 permission_info attribute list 135 permission-info-returned entry 224 permissions /Management/ACL permissions 53 /management/Action permissions 54 /Management/Config permissions 55 /Management/Domain permissions 59 /Management/Groups permissions 57 /Management/GSO permissions 58 /Management/Policy permissions 56 /Management/POP permissions 55 /Management/Proxy permissions 59 /Management/Replica permissions 56 /Management/Rule permissions 58 /Management/Server permissions 55 /Management/Users permissions 56 ACL entries modifying 91 adding ACL entry to ACL policy 90 administration users 43 control (c) 48 creating in action group 97 custom 81 custom.conf 206 preventing automating startup 174 starting 170 policy server configuration file 206 high availability setup 178 ivmgrd.pdmgrproxyd server process (continued) starting 170 pdmgrproxyd stanza cache-database entry 290 description 290 log-file entry 291 pid-file entry 292 tcp-req-port entry 292 unix-group entry 293 unix-user entry 293 pdmgrproxyd. ADI XML document model 123 retrieval entitlement services 136 retrieval entitlements service 120. certificates and passwords 161 regAdmin.conf 283 ldap stanza.conf 274 ldap stanza. 121 retryInterval entry 241 roles assigning role assignment 186 defined 185 delegate 185 permissions 185 role activation 186 role assignment 186 role creation 186 root ACL (default) 48. 15 renewals key files 161 stash files 161 replica 347 replica ACL (default) 52 replica entry 283 replicas managing replica permissions 56 replicate authorization database 174 replication 10 resolving ACL request 49 resource manager 6 requesting ADI 133 resource managers aznAPI.POPs adding network-based authorization 113 attaching to object 108 attributes of 45 cloning 106 configuring attributes 111 creating 102 definition of 13. ivacld.conf 274 prefer-readwrite-server entry 274 preference values (LDAP failover) 348 preventing automating startup authorization server 173 policy proxy server 174 policy server 173 primary group default permissions 80 primary-domain entry 322 prolog statements 136 protected object policies See POPs protected object policy See POPs protected object space 34 guidelines 41 protected objects management tasks 71 Protected Resource Administrator 43 provide-last-login entry 254 provide-last-pwd-change entry 255 proxies managing proxy permissions 59 proxy ACL (default) 53 publications ix accessing online xii ordering xii Quality of Protection introduction 2 setting 114 queueSize entry 240 R RAID See Redundant Array of Independent Disks reason codes rule failure 135 rebindInterval entry 241 redundancy of data 177 Redundant Array of Independent Disks 177 refresh. ldap. pdmgrproxyd.conf 274 ldap stanza.conf 209 configuration file 209 resource objects 34 resource requests 18 resource-manager-provided-adi configuration entry resource-manager-provided-adi entry 225 responsibilities Deployment Administrator 43 Protected Resource Administrator 43 Security Policy Administrator 43 restarting servers 171 restriction.jsp file 29 remote cache mode 14.jsp file 29 regControl. ivmgrd. 37 deleting 109 deleting network-based authorization 114 detaching from object 108 exporting all 107 multiple 107 one 107 finding where attached 109 forbidding network-based authorization 113 importing 106 introducing 101 listing 105 management tasks 102 managing POP permissions 55 modifying 104 network-based authorization 110 policies 40 Quality of Protection 114 showing 105 specifying IP addresses and ranges 113 versus authorization rules 40 port entry ldap stanza.jsp file 29 regProp. 51 rule failure reason code 135 runtime configuration file 205 pd.conf 205 reconfiguring secure communication 163 136 Q QoP See Quality of Protection 406 Administration Guide . conf 278 pdmgrproxyd.conf 306 ssl-maximum-worker-threads entry 306 ssl-pwd-life entry 307 ssl-v3-timeout entry 307 ssl-authn-type entry 302 ssl-auto-refresh entry 302 ssl-cert-life entry 302 ssl-enable-fips entry 303 ssl-enabled entry 275 ssl-io-inactivity-timeout entry 303 ssl-keyfile entry ldap stanza 276 ssl stanza 304 uraf-registry stanza.conf 323 ssl-keyfile-pwd entry 324 ldap stanza 277 ssl-keyfile-stash entry 305 ssl-listening-port entry 305 ssl-local-domain entry ssl stanza. pd. pd. ivmgrd. 43 secauthority-suffix entry 284 secure communication reconfiguring runtime 163 Secure Socket Layer See SSL security policy 185 security considerations ACL policies 77 container objects 77 security policy 37 default 43 defining 45 implementing 11 overview 5 Security Policy Administrator 43 server replicating 175 server entry 313 server replicate command 175 servers automating startup 173 configuration files 172 dependencies for 169 displaying status 171 HACMP cluster 177 LDAP servers 177 management of 167 managing server permissions 55 primary and standby 177 restarting using the pd_start utility 171 starting and stopping for UNIX 170 starting and stopping for Windows 171 starting manually 170 starting using the pd_start utility 170 stopping using the pd_start utility 171 serverURL entry 241 shared disk arrays 177 software updates.conf 306 ssl stanza.conf 306 ssl stanza.conf 308 pd.conf 306 ssl stanza. ivacld. ldap.conf 306 ssl-maximum-worker-threads entry 306 ssl-port entry 284 ssl-pwd-life entry 307 ssl-v3-timeout entry 307 standby entry 260 stanza entries See entries stanzas authentication-mechanisms 211 aznapi-admin-services 215 aznapi-configuration 217 aznapi-cred-modification-services 227 aznapi-entitlement-services 228 aznapi-external-authzn-services 230 aznapi-pac-services 231 cars-client 233 cars-filter 244 configuration-database 246 delegated-admin 247 domain=domain_name 248 domains 248 general format 211 ivacld 250 ivmgrd 254 ldap ivacld.conf 306 ssl stanza. activedir_ldap.conf 306 ssl stanza. activedir_ldap.conf 262 ldap-generic-acls (internal use) 207 ldap-generic-general (internal use) 207 ldap-generic-pwd-change-error-map (internal use) manager 285 Index 207 407 . pdmgrproxyd.conf 308 ssl stanza.S scalability 3. receiving 374 sources for ADI 121 sparse ACL model 47 splashGif entry 300 SSL communication 2 reconfiguring runtime 163 ssl stanza description ivacld.conf 308 ssl stanza.conf 301 ssl-authn-type entry 302 ssl-auto-refresh entry 302 ssl-cert-life entry 302 ssl-enable-fips entry 303 ssl-io-inactivity-timeout entry 303 ssl-keyfile entry 304 ssl-keyfile-label entry 304 ssl-keyfile-stash entry 305 ssl-listening-port entry 305 ssl stanza (continued) ssl-local-domain entry ldap. ivmgrd.conf 322 ssl-keyfile-dn entry 276 ssl-keyfile-label entry ssl stanza 304 uraf-registry stanza.conf 301 ldap.conf 301 pdmgrproxyd. pdmgrproxyd. ivacld.conf 301 ivmgrd.conf 262 ivmgrd.conf 306 ssl stanza. 10 search-timeout entry 274 sec_master 183 sec_master domain administrator 36 sec_master user 36.conf 262 ldap. Tivoli technical xiii transferSize entry 243 Transport Layer Security See TLS traverse permission 48 trust determination.conf 301 uraf-registry activedir_ldap.conf 308 pd.conf 308 pdmgrproxyd.conf 308 ivmgrd.conf 312 91 172 T tasks role activation 186 role administration 186 role assignment 186 role creation 186 roles 185 types 186 408 Administration Guide .sth 161 pdmgrproxyd.conf 301 ivmgrd.conf 314 domino.sth 161 renewal guidelines 165 renewing 161 stashFilePath entry 242 statistics 197 status. server 171 step-up authentication applying 115 configuring 115 versus multi-factor authentication 116 stopping servers UNIX 170 using the pd_start utility 171 using the Windows Services Control Panel Windows 171 string identifiers 129 subdomain 183 sum() function 132 Sun Java System Directory Server LDAP_ADMINLIMIT_EXCEEDED 330 look-through limit 330 superdomain 183 support See customer support svrsslcfg -unconfig command 164 172 tcp-req-port entry ivacld stanza 253 ivmgrd stanza 261 pdmgrproxyd stanza 292 Tivoli Access Manager runtime package Tivoli Information Center xii Tivoli technical training xiii Tivoli user groups xiii tivoli_common_dir entry 295 TLS communication 2 reconfiguring runtime 163 trace data 197 traceFilePath entry 242 traceLevel entry 242 trademarks 380 training.sth 161 pd.sth 161 ivmgrd.conf 318 activedir.stanzas (continued) meta-info 287 pdaudit-filter 289 pdconfig ldap.conf 301 pdmgrproxyd.conf 287 pdmgrproxyd 290 pdrte 294 pdwpm 296 ssl ivacld.conf 318 activedir.conf 318 description activedir_ldap.conf 301 ldap.conf 308 xmladi-attribute-definition 326 starting servers UNIX 170 using the pd_start utility 170 using the Windows Services Control Panel Windows 171 stash files definition 160 ivacld.conf 314 domino. certificates 162 type attribute any-authenticated 79 any-other 79 categories 79 group 79 unauthenticated 79 user 79 typeface conventions xiv types of Tivoli Access Manager servers 167 Tivoli Access Manager utilities 170 161 U unauthenticated adding ACL entry to ACL policy 90 modifying permissions 91 removing ACL entries from ACL policies type attribute 79 unauthenticated requests 39 unauthenticated user 38 UNIX servers starting and stopping 170 unix-group entry ivacld stanza 254 ivmgrd stanza 261 pdmgrproxyd stanza 293 unix-user entry ivacld stanza 253 ivmgrd stanza 261 pdmgrproxyd stanza 293 update-notifier threads 175 uraf-registry stanza ad-gc-port entry 325 ad-gc-server entry 325 bind-id entry 309 cache-lifetime entry 309 cache-mode entry 309 cache-size entry 310 change-pwd-using-ldap-api entry activedir_ldap.conf 312 ivacld. conf 317. senior 184 administrator.conf 321 multi-domain entry activedir_ldap.conf 319 activedir.conf 322 ssl-keyfile-label entry activedir_ldap.conf 320 activedir.conf 308 pdmgrproxyd.conf 308 dnforpd entry activedir_ldap.conf 316 use-email-as-user-id entry uraf-registry stanza. Tivoli Access Manager 184 changing passwords 148 creating 146 definition 145 delegate 185 deleting 154 importing 153 management tasks 145 managing users permissions 56 modifying permissions 91 removing ACL entries from ACL policies 91 sec_master 36.conf 323 ssl-keyfile-pwd entry 324 uraf-registry-config entry 311 uraf-return-registry-id entry 314 activedir_ldap.conf 324 activedir.conf 315 enabled entry 312 activedir_ldap.conf 316 use-email-as-user-id entry activedir. 43 setting user policy modify user policy 149 type attribute 79 UseSSL entry 326 utilities 170 manual certificate updates 161 V variables. domain 184 administrator.conf 324 uraf-registry stanza. sec_master 183 administrator. administrator 184 administrator. activedir.conf 308 ivmgrd.uraf-registry stanza (continued) description (continued) ivacld. activedir. 324 useEncryption entry 317 UseSSL entry 326 uraf-registry-config entry 311 uraf-return-registry-id entry 314 uraf-registry stanza.conf 318 activedir. 324 useDiskCache entry 243 useEncryption entry 317 user credential entitlements 120 listing 147 searching 147 user accounts 145 user commands create 147 delete 154 import 154 list 148 modify password 149 user groups.conf 315 hostname entry 316 ldap-client-timeout entry 321 max-connections-per-ad-domain entry activedir.conf 321 activedir. support 185 administrator.conf 314 domain entry activedir_ldap.conf 316 NAB entry 312 PDM entry 313 primary-domain entry 322 server entry 313 ssl-keyfile entry activedir_ldap. Tivoli xiii user list command 193 user list-dn command 193 user management 192 user policies modifying for a user 149 setting for a user 149 user registries Active Directory server 207 Active Directory with LDAP client 207 Domino server 208 LDAP server 207 user registry differences 329 maximum values 334 user show groups command 193 user-and-group-in-same-suffix entry 277 user-reg-host entry 296 user-reg-hostport entry 296 user-reg-server entry 296 user-reg-type entry 296 users accounts 145 adding ACL entry to ACL policy 90 administrator 36 administrator.conf 317.conf 320 activedir. activedir_ldap.properties 208 common tasks 26 configuration file 208 customizing 28 customizing images 28 logging in 27 rebranding 28 signing off 27 starting for administration 26 Windows starting and stopping servers 171 Index 409 .conf 315 dynamic-groups-enabled entry activedir_ldap. notation for version entry 287 xiv W wasEmbedded entry 301 Web Portal Manager 4 accessing online help 27 amconf. X XML ADI containers and container names 123 ADI document model 122 ADI document model restriction 123 ADI name/value pair attributes 124 authorization rules 122 entitlement document example 125 prolog statements 136 xmladi-attribute-definition stanza AttributeName entry 327 definition 326 XSL authorization rules 122 prolog statements 136 xsl:template statement 129 xsl:when statement 131 xsl-stylesheet-prolog configuration entry 136 xsl-stylesheet-prolog entry 226 xsl:template statement 129 xsl:when statement 131 410 Administration Guide . . Printed in USA SC23-6504-01 .