7/28/2019 Amweb39 Install http://slidepdf.com/reader/full/amweb39-install 1/70 IBM Tivoli Access Manager WebSEAL Installation Guide Version 3.9 GC32-0848-00

Amweb39 Install

Apr 03, 2018

IBM Tivoli Access Manager WebSEAL

Installation Guide

Version 3.9

GC32-0848-00

Note: Before using this information and the product it supports, read the information in Appendix B, “Notices” on page 51.

Fifth Edition: (April 2002)

This edition replaces GC32-0683-01

© Copyright International Business Machines Corporation 1999, 2002. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Preface
  Who should read this guide
  What this guide contains
  Publications
  IBM Tivoli Access Manager
  Related publications
  Accessing publications online
  Ordering publications
  Providing feedback about publications
  Accessibility
  Contacting customer support
  Conventions used in this book
  Typeface conventions

Chapter 1. Installation overview
  Supported platforms
  Disk and memory requirements
  Installation packages
  Software prerequisites
  WebSEAL server prerequisites
  WebSEAL ADK prerequisites
  Installation overview
  Installing a new WebSEAL server
  Upgrading a WebSEAL server
  Using the easy installation programs

Chapter 2. Installing WebSEAL
  Installing WebSEAL server on UNIX
  Installing WebSEAL server on Solaris
  Installing WebSEAL server on AIX
  Installing WebSEAL server on HP-UX
  Configuring WebSEAL server on UNIX
  Installing WebSEAL ADK on UNIX
  Installing WebSEAL ADK on Solaris
  Installing WebSEAL ADK on AIX
  Installing WebSEAL ADK on HP-UX
  Installing WebSEAL server and WebSEAL ADK on Windows

Chapter 3. Upgrading WebSEAL from version 3.8
  Preserving WebSEAL data on all platforms
  Upgrading WebSEAL on Solaris
  Upgrading WebSEAL on AIX
  Upgrading WebSEAL on HP-UX
  Upgrading WebSEAL on Windows

Chapter 4. Upgrading WebSEAL from version 3.7
  Preserving WebSEAL configuration data
  Upgrading WebSEAL on Solaris
  Upgrading WebSEAL on AIX
  Upgrading WebSEAL on HP-UX
  Upgrading WebSEAL on Windows

Chapter 5. Removing WebSEAL
  Removing WebSEAL on Solaris
  Removing WebSEAL on AIX
  Removing WebSEAL on HP-UX
  Removing WebSEAL on Windows
  Removing WebSEAL and WebSEAL ADK
  Removing WebSEAL ADK only

Appendix A. Easy installation guide
  WebSEAL easy installation programs
  Using the WebSEAL easy installation program
  Using the WebSEAL ADK easy installation program
  Configuring WebSEAL using the easy installation programs
  Obtaining configuration settings interactively
  Obtaining configuration settings from response files
  Easy installation limitations

Appendix B. Notices
  Trademarks


Preface

IBM® Tivoli® Access Manager WebSEAL is a security manager for Web-based resources. WebSEAL is a high performance, multi-threaded Web server that applies fine-grained security policy to the protected Web object space. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy.

Note: IBM Tivoli Access Manager is the new name of the previously released software entitled Tivoli SecureWay® Policy Director. Also, for users familiar with the Tivoli SecureWay Policy Director software and documentation, the term management server is now referred to as policy server.

The IBM Tivoli Access Manager WebSEAL Installation Guide explains how to install, configure, and upgrade Access Manager WebSEAL software.

Who should read this guide

The target audience for this installation guide includes:

• Security administrators
• Network system administrators
• IT architects
• Application developers

Readers should be familiar with:

• Internet protocols, including HTTP, TCP/IP, file transfer protocol (FTP), and telnet
• Deployment and management of Web servers
• Security management, including authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

What this guide contains

This document contains the following chapters:

• Chapter 1, “Installation overview”
  Lists the supported platforms and describes the software dependencies on the IBM Tivoli Access Manager Base.

• Chapter 2, “Installing WebSEAL”
  Describes how to install and configure WebSEAL and the WebSEAL software prerequisites on each of the supported operating system platforms.

• Chapter 3, “Upgrading WebSEAL from version 3.8”
  Describes how to upgrade a Version 3.8 WebSEAL server to Version 3.9.

• Chapter 4, “Upgrading WebSEAL from version 3.7”
  Describes how to upgrade a Version 3.7 WebSEAL server to Version 3.9.

• Chapter 5, “Removing WebSEAL”
  Describes how to unconfigure and remove WebSEAL from each of the supported operating system platforms.

• Appendix A, “Easy installation guide”
  Describes how to use the WebSEAL easy installation program to expedite installation and configuration of WebSEAL.

Publications

This section lists publications in the Access Manager library and any other related documents. It also describes how to access Tivoli publications online, how to order Tivoli publications, and how to make comments on Tivoli publications.

IBM Tivoli Access Manager

The Access Manager library is organized into the following categories:

• Release information
• Base information
• WebSEAL information
• Web security information
• Developer reference information
• Supplemental technical information

For additional sources of information about Access Manager and related topics, see the following Web sites:

http://www.ibm.com/redbooks
https://www.tivoli.com/secure/support/documents/fieldguides

Release information

• IBM Tivoli Access Manager for e-business Read Me First
  GI11-0918 (am39_readme.pdf)
  Provides information for installing and getting started using Access Manager.

• IBM Tivoli Access Manager for e-business Release Notes
  GI11-0919 (am39_relnotes.pdf)
  Provides late-breaking information, such as software limitations, workarounds, and documentation updates.

Base information

• IBM Tivoli Access Manager Base Installation Guide
  GC32-0844 (am39_install.pdf)
  Explains how to install, configure, and upgrade Access Manager software, including the Web portal manager interface.

• IBM Tivoli Access Manager Base Administrator’s Guide
  GC23-4684 (am39_admin.pdf)
  Describes the concepts and procedures for using Access Manager services. Provides instructions for performing tasks from the Web portal manager interface and by using the pdadmin command.

• IBM Tivoli Access Manager Base for Linux on zSeries™ Installation Guide
  GC23-4796 (am39_zinstall.pdf)
  Explains how to install and configure Access Manager Base for Linux on the zSeries platform.


WebSEAL information

• IBM Tivoli Access Manager WebSEAL Installation Guide
  GC32-0848 (amweb39_install.pdf)
  Provides installation, configuration, and removal instructions for the WebSEAL server and the WebSEAL application development kit.

• IBM Tivoli Access Manager WebSEAL Administrator’s Guide
  GC23-4682 (amweb39_admin.pdf)
  Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.

• IBM Tivoli Access Manager WebSEAL Developer’s Reference
  GC23-4683 (amweb39_devref.pdf)
  Provides administration and programming information for the Cross-domain Authentication Service (CDAS), the Cross-domain Mapping Framework (CDMF), and the Password Strength Module.

• IBM Tivoli Access Manager WebSEAL for Linux on zSeries Installation Guide
  GC23-4797 (amweb39_zinstall.pdf)
  Provides installation, configuration, and removal instructions for WebSEAL server and the WebSEAL application development kit for Linux on the zSeries platform.

Web security information

• IBM Tivoli Access Manager for WebSphere Application Server User’s Guide
  GC32-0850 (amwas39_user.pdf)
  Provides installation, removal, and administration instructions for Access Manager for IBM WebSphere® Application Server.

• IBM Tivoli Access Manager for WebLogic Server User’s Guide
  GC32-0851 (amwls39_user.pdf)
  Provides installation, removal, and administration instructions for Access Manager for BEA WebLogic Server.

• IBM Tivoli Access Manager Plug-in for Edge Server User’s Guide
  GC23-4685 (amedge39_user.pdf)
  Describes how to install, configure, and administer the plug-in for IBM WebSphere Edge Server.

• IBM Tivoli Access Manager Plug-in for Web Servers User’s Guide
  GC23-4686 (amws39_user.pdf)
  Provides installation instructions, administration procedures, and technical reference information for securing your Web domain using the plug-in for Web servers application.

Developer references

• IBM Tivoli Access Manager Authorization C API Developer’s Reference
  GC32-0849 (am39_authC_devref.pdf)
  Provides reference material that describes how to use the Access Manager authorization C API and the Access Manager service plug-in interface to add Access Manager security to applications.

• IBM Tivoli Access Manager Authorization Java Classes Developer’s Reference
  GC23-4688 (am39_authJ_devref.pdf)
  Provides reference information for using the Java™ language implementation of the authorization API to enable an application to use Access Manager security.

• IBM Tivoli Access Manager Administration C API Developer’s Reference
  GC32-0843 (am39_adminC_devref.pdf)
  Provides reference information about using the administration API to enable an application to perform Access Manager administration tasks. This document describes the C implementation of the administration API.

• IBM Tivoli Access Manager Administration Java Classes Developer’s Reference
  SC32-0842 (am39_adminJ_devref.pdf)
  Provides reference information for using the Java language implementation of the administration API to enable an application to perform Access Manager administration tasks.

• IBM Tivoli Access Manager WebSEAL Developer’s Reference
  GC23-4683 (amweb39_devref.pdf)
  Provides administration and programming information for the Cross-domain Authentication Service (CDAS), the Cross-domain Mapping Framework (CDMF), and the Password Strength Module.

Technical supplements

• IBM Tivoli Access Manager Performance Tuning Guide
  GC43-0846 (am39_perftune.pdf)
  Provides performance tuning information for an environment consisting of Access Manager with IBM SecureWay Directory defined as the user registry.

• IBM Tivoli Access Manager Capacity Planning Guide
  GC32-0847 (am39_capplan.pdf)
  Assists planners in determining the number of WebSEAL, LDAP, and backend Web servers needed to achieve a required workload.

• IBM Tivoli Access Manager Error Message Reference
  SC32-0845 (am39_error_ref.pdf)
  Provides explanations and recommended actions for the messages produced by Access Manager.

The Tivoli Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Glossary is available, in English only, at the following Web site:

http://www.tivoli.com/support/documents/glossary/termsm03.htm

Related publications

This section lists publications related to the Access Manager library.

IBM DB2® Universal Database™

IBM DB2 Universal Database is required when installing IBM SecureWay Directory, z/OS™, and OS/390® SecureWay LDAP servers. DB2 information is available at the following Web site:

http://www.ibm.com/software/data/db2/

IBM SecureWay Directory

IBM SecureWay Directory, Version 3.2.2, is shipped on the IBM Tivoli Access Manager Base CD for your particular platform. If you plan to install the IBM SecureWay Directory server as your user registry, the following documents are available in the /doc/Directory path on the IBM Tivoli Access Manager Base CD for your particular platform:

• IBM SecureWay Directory Installation and Configuration Guide
  SC32-0845 (aparent.pdf, lparent.pdf, sparent.pdf, wparent.pdf)
  Provides installation, configuration, and migration information for IBM SecureWay Directory components on AIX®, Linux, Solaris, and Microsoft® Windows® operating systems.

• IBM SecureWay Directory Release Notes
  (relnote.pdf)
  Supplements IBM SecureWay Directory, Version 3.2.2, product documentation and describes features and functions made available to you in this release.

• IBM SecureWay Directory Readme Addendum
  (addendum322.pdf)
  Provides information about changes and fixes that occurred after the IBM SecureWay Directory documentation had been translated. This file is in English only.

• IBM SecureWay Directory Server Readme
  (server.pdf)
  Provides a description of the IBM SecureWay Directory Server, Version 3.2.2.

• IBM SecureWay Directory Client Readme
  (client.pdf)
  Provides a description of the IBM SecureWay Directory Client SDK, Version 3.2.2. This software development kit (SDK) provides LDAP application development support.

• SSL Introduction and iKeyman User’s Guide
  (gskikm5c.pdf)
  Provides information for network or system security administrators who plan to enable SSL communication in their Access Manager secure domain.

• IBM SecureWay Directory Configuration Schema
  (scparent.pdf)
  Describes the directory information tree (DIT) and the attributes that are used to configure the slapd32.conf file. In IBM SecureWay Directory Version 3.2, the directory settings are stored using the LDAP Directory Interchange Format (LDIF) format in the slapd32.conf file.

• IBM SecureWay Directory Tuning Guide
  (tuning.pdf)
  Provides performance tuning information for IBM SecureWay Directory. Tuning considerations for directory sizes ranging from a few thousand entries to millions of entries are given where applicable.

For more information about IBM SecureWay Directory, see the following Web site:

http://www.software.ibm.com/network/directory/library/

IBM WebSphere Application Server

IBM WebSphere Application Server Standard Edition, Version 4.0.2, is installed with the Web portal manager interface. For information about IBM WebSphere Application Server, see the following Web site:

http://www.ibm.com/software/webservers/appserv/infocenter.html

Accessing publications online

Publications in the product libraries are included in Portable Document Format (PDF) on the product CD. To access these publications using a Web browser, open the infocenter.html file, which is located in the /doc directory on the product CD.

When IBM publishes an updated version of one or more online or hardcopy publications, they are posted to the Tivoli Information Center. The Tivoli Information Center contains the most recent version of the publications in the product library in PDF or HTML format, or both. Translated documents are also available for some products.

You can access the Tivoli Information Center and other sources of technical information from the following Web site:

http://www.tivoli.com/support/documents/

Information is organized by product, including release notes, installation guides, user’s guides, administrator’s guides, and developer’s references.

Note: If you print PDF documents on other than letter-sized paper, select the Fit to page check box in the Adobe Acrobat Print dialog (which is available when you click File → Print) to ensure that the full dimensions of a letter-sized page are printed on the paper that you are using.

Ordering publications

You can order many Tivoli publications online at the following Web site:

http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi

You can also order by telephone by calling one of these numbers:

• In the United States: 800-879-2755
• In Canada: 800-426-4968
• In other countries, for a list of telephone numbers, see the following Web site:
  http://www.tivoli.com/inside/store/lit_order.html

Providing feedback about publications

We are very interested in hearing about your experience with Tivoli products and documentation, and we welcome your suggestions for improvements. If you have comments or suggestions about our products and documentation, contact us in one of the following ways:

• Send an e-mail to [email protected].
• Complete our customer feedback survey at the following Web site:
  http://www.tivoli.com/support/survey/


Accessibility

Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Contacting customer support

If you have a problem with any Tivoli product, you can contact Tivoli Customer Support. See the Tivoli Customer Support Handbook at the following Web site:

http://www.tivoli.com/support/handbook/

The handbook provides information about how to contact Tivoli Customer Support, depending on the severity of your problem, and the following information:

• Registration and eligibility
• Telephone numbers and e-mail addresses, depending on the country in which you are located
• What information to gather before contacting support

Conventions used in this book

This guide uses several conventions for special terms and actions, operating system-dependent commands and paths, and margin graphics.

Typeface conventions

The following typeface conventions are used in this book:

Bold
    Command names and options, keywords, and other information that you must use literally appear in bold.

Italic
    Variables, command options, and values you must provide appear in italics. Titles of publications and special words or phrases that are emphasized also appear in italics.

Monospace
    Code examples, command lines, screen output, file and directory names, and system messages appear in monospace font.


Chapter 1. Installation overview

This chapter lists the WebSEAL installation packages and the WebSEAL software prerequisites. An installation overview section describes how to use the rest of this installation guide to either install a new WebSEAL server or upgrade an existing one.

Supported platforms

IBM Tivoli Access Manager WebSEAL and the IBM Tivoli Access Manager WebSEAL ADK are supported on the following platforms:

• Solaris 2.7 and Solaris 2.8
• AIX 4.3.3
  – The following patch is required on AIX 4.3.3:
    bos.rte.libpthreads 4.3.3.51 (or greater)
• AIX 5.1.0
• Windows NT 4.0 with Service Pack 6a
• Windows 2000 Advanced Server with Service Pack 2
• HP-UX 11.0

Disk and memory requirements

WebSEAL has the following hardware requirements:

• Disk space: 10 MB
  When combined with the prerequisite IBM Tivoli Access Manager runtime environment (65 MB), the minimum required disk space is 75 MB.
  It is recommended that you reserve an additional 100 MB of disk space for WebSEAL log files.

• Memory: 64 MB minimum. 256 MB recommended.
  Note that the 64 MB minimum is in addition to the 64 MB minimum needed by the prerequisite IBM Tivoli Access Manager runtime environment. Total memory of 256 MB or greater will produce optimum performance results.

Installation packages

The Web Security CD contains installation packages for the following WebSEAL software:

• IBM Tivoli Access Manager WebSEAL
  This package includes the WebSEAL server and configuration files.

• IBM Tivoli Access Manager WebSEAL application development kit (ADK)
  This package contains development APIs for the Access Manager Cross-domain Authentication Service (CDAS) and the Access Manager Password Strength Module.

The Web Security CD also contains the following software prerequisite packages:

• IBM Tivoli Access Manager runtime environment
• IBM SecureWay Directory Client
• IBM Global Security Toolkit
• IBM Tivoli Access Manager ADK

Software prerequisites

WebSEAL is an application that installs and runs in an Access Manager secure domain. You must establish an Access Manager secure domain before installing WebSEAL or WebSEAL ADK.

The Access Manager secure domain is established when you install the IBM Tivoli Access Manager policy server. This policy server is distributed on the IBM Tivoli Access Manager Base CD for your operating system.

The following sections discuss the software prerequisites for each of the WebSEAL packages:

• “WebSEAL server prerequisites”
• “WebSEAL ADK prerequisites” on page 3

WebSEAL server prerequisites

The following software must be installed and configured on each computer that hosts a WebSEAL server:

• IBM Tivoli Access Manager runtime environment
• IBM SecureWay Directory Client
• IBM Global Security Toolkit (GSKit)

To establish a secure domain, the following software must be installed and configured either on the same computer that hosts the WebSEAL server or on a remote computer:

• IBM Tivoli Access Manager policy server
  Note: The term policy server replaces the term management server, which was used in Version 3.8 and earlier.
• A supported LDAP server, such as IBM SecureWay Directory

Thus, there are two deployment scenarios for the WebSEAL server:

1. On the same computer as the IBM Tivoli Access Manager policy server
2. On a different computer from the IBM Tivoli Access Manager policy server

In the first scenario, all of the WebSEAL prerequisites are satisfied during the installation and configuration of the policy server. Installation of the policy server requires installation of the IBM Tivoli Access Manager runtime environment, the IBM SecureWay Directory Client, and the IBM Global Security Toolkit. When you deploy WebSEAL in this configuration, you can simply install WebSEAL without installing any further prerequisites.

In the second scenario, you must first configure the computer into an existing Access Manager secure domain, and then install the WebSEAL server. To configure the computer into the Access Manager secure domain, you must install and configure the following software:

• IBM Tivoli Access Manager runtime environment
• IBM SecureWay Directory Client
• IBM Global Security Toolkit (GSKit)


After you have configured the above prerequisites, you can install and configure WebSEAL.

The IBM Tivoli Access Manager Web Security CD contains the prerequisite software. This prerequisite software is identical (the exact same version number) to the software contained on the IBM Tivoli Access Manager Base CDs. The copies on the IBM Tivoli Access Manager Web Security CD are provided to enable you to complete the IBM Tivoli Access Manager WebSEAL installation without having to access the IBM Tivoli Access Manager Base CDs.

Note: The WebSEAL server has no dependencies on the IBM Tivoli Access Manager authorization server. This authorization server is distributed as part of the IBM Tivoli Access Manager Base for your operating system.

WebSEAL ADK prerequisites

The following software must be installed and configured on the same computer as the WebSEAL ADK:

• IBM Tivoli Access Manager WebSEAL server
• IBM Tivoli Access Manager application development kit (ADK)
• IBM Tivoli Access Manager runtime environment
• IBM SecureWay Directory Client
• IBM Global Security Toolkit

To install and use the WebSEAL ADK, you must first install and configure a WebSEAL server. This requires that you satisfy the prerequisites described directly above in “WebSEAL server prerequisites” on page 2.

In addition, you must install the IBM Tivoli Access Manager ADK. The ADK is included as a separate package on the IBM Tivoli Access Manager Base CD for your operating system. This ADK is also included on the Web Security CD.

Complete installation instructions for the ADK are included in the IBM Tivoli Access Manager Base Installation Guide. Summary installation instructions are also included in this WebSEAL installation guide.

Installation overview

This document provides three sets of installation instructions. You can complete a WebSEAL installation by following one of the sets of instructions, as appropriate for your deployment of WebSEAL. The following sections provide a quick summary of each instruction set:

• “Installing a new WebSEAL server”
• “Upgrading a WebSEAL server” on page 4
• “Using the easy installation programs” on page 4

Installing a new WebSEAL server

To install a new WebSEAL server, complete the instructions in Chapter 2, “Installing WebSEAL”.

This chapter describes how to install and configure the WebSEAL server and the WebSEAL application development kit (ADK). This chapter also includes instructions for installing the software prerequisites for WebSEAL and WebSEAL ADK.


The instructions in this chapter describe how to install using the operating system installation utilities, such as pkgadd, SMIT, swinstall, or InstallShield. The instructions for configuring WebSEAL describe how to use the IBM Tivoli Access Manager configuration utility.

As an alternative to this chapter, you may be able to use the WebSEAL easy installation guide. Easy installation is described in Appendix A, “Easy Installation Guide”.

Upgrading a WebSEAL server

The WebSEAL installation software supports an upgrade of WebSEAL from Version 3.7 or Version 3.8 to Version 3.9. To complete an upgrade of a WebSEAL server, follow the instructions in either Chapter 3, “Upgrading WebSEAL from version 3.8” or Chapter 4, “Upgrading WebSEAL from version 3.7”.

Note: When upgrading a WebSEAL server, you do not need to complete the instructions in Chapter 2, “Installing WebSEAL”. Also, you cannot use the instructions in Appendix A, “Easy Installation Guide”.

The WebSEAL upgrade process requires upgrading the following prerequisite software:

• IBM Tivoli Access Manager runtime environment
• IBM SecureWay Directory Client
• IBM Global Security Toolkit

The WebSEAL upgrade process is closely tied to the upgrade process for the IBM Tivoli Access Manager policy server. The instructions in Chapter 3, “Upgrading WebSEAL from version 3.8” and Chapter 4, “Upgrading WebSEAL from version 3.7” must be used in conjunction with the policy server upgrade instructions in the IBM Tivoli Access Manager Base Installation Guide.

Using the easy installation programs

WebSEAL provides easy installation programs that you can use to expedite the installation and configuration of the WebSEAL server and the WebSEAL ADK. These programs provide a simple user interface that serves as a wrapper to the operating system installation utilities. These programs are described in Appendix A, “Easy Installation Guide”.

The easy installation programs prompt the user for the necessary configuration information for WebSEAL, WebSEAL ADK, and the software prerequisites. The easy installation programs then automatically install and configure WebSEAL, WebSEAL ADK, and the software prerequisites.

For many deployments of WebSEAL, you can use the instructions in Appendix A, “Easy Installation Guide” instead of those in Chapter 2, “Installing WebSEAL”.

You cannot use the easy installation program to upgrade WebSEAL from Version 3.7 or Version 3.8 to Version 3.9.

Chapter 2. Installing WebSEAL

This chapter provides instructions for installing and configuring the IBM Tivoli Access Manager WebSEAL (WebSEAL) packages. This chapter also provides instructions for installing the software prerequisites for each WebSEAL package.

Note: If you are upgrading WebSEAL from a previous version of IBM Tivoli Access Manager, do not use this chapter. See either Chapter 3, “Upgrading WebSEAL from version 3.8” on page 17 or Chapter 4, “Upgrading WebSEAL from version 3.7” on page 27.

The WebSEAL product consists of two packages:

- WebSEAL server

- WebSEAL application development kit (ADK)

You can install the WebSEAL server without installing the WebSEAL ADK. If you want to install the WebSEAL ADK, you must install the WebSEAL server as a prerequisite.

Both the WebSEAL server and the WebSEAL ADK require that the IBM Tivoli Access Manager runtime environment is installed and configured. In addition, the WebSEAL ADK requires that the IBM Tivoli Access Manager ADK is installed.

The prerequisite packages for both the WebSEAL server and the WebSEAL ADK are included on the Web Security CD. The installation instructions in this chapter describe how to install each of the prerequisite packages.

Note: For complete installation instructions and configuration options for the IBM Tivoli Access Manager runtime environment and the IBM Tivoli Access Manager ADK, see the IBM Tivoli Access Manager Base Installation Guide.

This chapter contains separate sections for installing WebSEAL server and WebSEAL ADK on each supported UNIX system. You must complete the UNIX section for installing WebSEAL server before you use the UNIX section for installing WebSEAL ADK.

Instructions for installing WebSEAL server and WebSEAL ADK on Windows are included in one section.

Note: As an alternative to the instructions in this chapter, you may be able to use the WebSEAL easy installation program. For more information, see Appendix A, “Easy installation guide” on page 45.

To install WebSEAL, see the instructions in the appropriate section below:

- “Installing WebSEAL server on UNIX” on page 6

- “Installing WebSEAL ADK on UNIX” on page 11

- “Installing WebSEAL server and WebSEAL ADK on Windows” on page 13

Installing WebSEAL server on UNIX

This section contains separate instructions for installing WebSEAL server on each supported UNIX platform. This section also contains one section for configuring a WebSEAL server on UNIX. The section for configuring a WebSEAL server applies to all UNIX platforms.

To install a WebSEAL server on a UNIX system, complete the instructions in the appropriate section:

- “Installing WebSEAL server on Solaris”

- “Installing WebSEAL server on AIX” on page 7

- “Installing WebSEAL server on HP-UX” on page 8

After you complete the installation instructions in the sections above, configure the WebSEAL server by using the instructions in the following section:

- “Configuring WebSEAL server on UNIX” on page 9

Installing WebSEAL server on Solaris

The WebSEAL installation separates file extraction from package configuration. Use pkgadd to install software packages on Solaris. Then use the IBM Tivoli Access Manager configuration utility pdconfig to configure WebSEAL.

Note: If you have already installed and configured WebSEAL and need to reinstall it, you must first unconfigure and remove the WebSEAL package. See Chapter 5, “Removing WebSEAL” on page 39.

To install a WebSEAL server on Solaris, complete the following instructions:

1. Log in as user root.

2. Mount the IBM Tivoli Access Manager Web Security for Solaris CD on /cdrom/cdrom0.

3. Change directory to /cdrom/cdrom0/solaris.

4. Verify that this computer has the IBM Tivoli Access Manager runtime environment configured. The runtime environment will be configured if the IBM Tivoli Access Manager policy server is installed on this computer, or if the computer has previously been added to the Access Manager secure domain.

5. If this computer already has the runtime environment configured, skip this step. Go to the next step.

If this computer does not have the IBM Tivoli Access Manager runtime environment configured, install and configure the necessary software prerequisites by completing the following instructions:

a. Enter the following command to install the IBM Global Security Toolkit:

# pkgadd -d . gsk5bas

b. Enter the following command to install the IBM SecureWay Directory Client:

# pkgadd -d . IBMldapc

c. Enter the following command to install the IBM Tivoli Access Manager runtime environment:

# pkgadd -d . PDRTE

d. Enter the following command to configure the IBM Tivoli Access Manager runtime environment:

# pdconfig

For further installation and configuration instructions for each of the packages above, see the IBM Tivoli Access Manager Base Installation Guide.

6. Enter the following command to install the WebSEAL server package:

# pkgadd -d . PDWeb

When prompted to continue, type y and press Enter. Files are extracted from the CD and installed on the hard disk. A message appears indicating that installation of the WebSEAL package was successful. The pkgadd utility exits.

7. Next, configure the WebSEAL server. Go to the following section: “Configuring WebSEAL server on UNIX” on page 9.

Installing WebSEAL server on AIX

The WebSEAL installation separates file extraction from package configuration. Use SMIT to install software packages on AIX. Then use the IBM Tivoli Access Manager configuration utility pdconfig to configure WebSEAL.

Note: If you have already installed and configured WebSEAL and need to reinstall it, you must first unconfigure and remove the WebSEAL package. See Chapter 5, “Removing WebSEAL” on page 39.

To install a WebSEAL server on AIX, complete the following instructions:

1. Log in as root.

2. If installing on an AIX 4.3.3 system, verify that the following patch is installed:

- bos.rte.libpthreads 4.3.3.51 (or greater)

3. Mount the IBM Tivoli Access Manager Web Security for AIX CD.

4. Determine if this computer already has the IBM Tivoli Access Manager runtime environment configured. The runtime environment will already be configured if the IBM Tivoli Access Manager policy server is installed on this computer, or if the computer has previously been added to the Access Manager secure domain.

5. If this computer already has the runtime environment configured, skip this step. Go to the next step.

If this computer does not have the runtime environment configured, install and configure the software prerequisites for the WebSEAL server by completing the following instructions:

a. Use the SMIT utility to install the software prerequisites.

# smit

The SMIT utility starts.

b. List the packages available for installation, and select the following:

- IBM Global Security Toolkit

The install package is gskit. The menu description is AIX Certificate and SSL Base Runtime ACME Toolkit.

- IBM SecureWay Directory Client

The installation package is ldap.client.

- IBM Tivoli Access Manager runtime environment

The installation package is PD.RTE.

c. Follow the SMIT menus to install each of the selected packages.

d. Use the SMIT menus to configure the IBM Tivoli Access Manager runtime environment.

For further installation and configuration instructions for the software prerequisites, see the IBM Tivoli Access Manager Base Installation Guide.

6. Enter the following command at a shell prompt:

# smit

The SMIT utility starts.

7. Select Software Installation and Maintenance. Select Install and Update Software.

- On AIX 4.3 systems, select Install and Update Software from LATEST Available Software.

- On AIX 5.1 systems, select Install Software.

8. When prompted for input device:

- On AIX 4.3, enter the location where the CD is mounted.

- On AIX 5.1, enter the directory on the CD containing the installation packages. For example:

/<mount_point>/usr/sys/inst.images

Click OK.

9. Click the List button for SOFTWARE to install.

A Multi-select List window displays the list of IBM Tivoli Access Manager software packages.

10. Select the Access Manager WebSEAL package. Click OK.

The Install and Update Software from LATEST Available Software dialog box appears.

11. Verify that the default value of yes is present in the field labeled AUTOMATICALLY install requisite software.

12. Set other fields to values appropriate to your installation. In most cases, you can accept the default values. Click OK.

13. A message box appears asking if you are sure you want to install this package. Click OK.

The package files are installed. Several status messages are displayed. A final status message indicates success upon completion of file extraction.

14. Click Done. Click Cancel to exit SMIT.

15. Next, configure the WebSEAL server. Go to: “Configuring WebSEAL server on UNIX” on page 9.

Installing WebSEAL server on HP-UX

The WebSEAL installation separates file extraction from package configuration. Use swinstall to install software packages on HP-UX. Then use the IBM Tivoli Access Manager configuration utility pdconfig to configure WebSEAL.

Note: If you have already installed and configured WebSEAL and need to reinstall it, you must first unconfigure and remove the WebSEAL package. See Chapter 5, “Removing WebSEAL” on page 39.

To install a WebSEAL server on HP-UX, complete the following steps:

1. Log in as user root.

2. Insert the IBM Tivoli Access Manager Web Security for HP-UX CD in the drive. Use the following commands to mount the CD:

# nohup /usr/sbin/pfs_mountd &
# nohup /usr/sbin/pfsd &
# /usr/sbin/pfs_mount <mount-device> <mount-point>

For example:

# /usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cdrom

3. Change directory to hp.

4. Determine if this computer already has the IBM Tivoli Access Manager runtime environment configured. The runtime environment will already be configured if the IBM Tivoli Access Manager policy server is installed on this computer, or if the computer has previously been added to the Access Manager secure domain.

5. If this computer already has the runtime environment configured, skip this step. Go to the next step.

If this computer does not have the runtime environment configured, install and configure the software prerequisites for the WebSEAL server by completing the following instructions:

a. Enter the following command to install the IBM Global Security Toolkit:

# swinstall -s /cdrom/hp gsk5bas

b. Enter the following command to install the IBM SecureWay Directory Client:

# swinstall -s /cdrom/hp LDAP

c. Enter the following command to install the IBM Tivoli Access Manager runtime environment:

# swinstall -s /cdrom/hp PDRTE

d. Enter the following command to configure the IBM Tivoli Access Manager runtime environment:

# pdconfig

For further installation and configuration instructions for the WebSEAL server prerequisites, see the IBM Tivoli Access Manager Base Installation Guide.

6. Enter the following command to install the WebSEAL server package:

# swinstall -s /cdrom/hp PDWeb

A message appears indicating that the analysis phase has succeeded. Another message appears indicating that the execution phase is beginning. Files are extracted from the CD and installed on the hard disk. A message appears indicating that the execution phase has succeeded. The swinstall utility exits.

7. Next, configure the WebSEAL server. Go to: “Configuring WebSEAL server on UNIX” on page 9.

Configuring WebSEAL server on UNIX

Use the IBM Tivoli Access Manager configuration utility pdconfig to configure WebSEAL on a UNIX platform. The configuration steps for the WebSEAL server are identical on all UNIX platforms.

To configure a WebSEAL server on a UNIX system, complete the following instructions:

1. Enter the following command at a UNIX shell prompt:

# pdconfig

Note: On AIX, you can optionally use SMIT instead of pdconfig to configure WebSEAL. Within SMIT, select Communications Applications and Services, and then select Access Manager. You can then follow the rest of the instructions in this section.

The Access Manager Setup Menu appears.

2. Type the menu number for Configure Package.

The Access Manager Configuration Menu appears.

3. Type the menu number for Access Manager WebSEAL (PDWeb) Configuration. A prompt appears requesting you to enter the password of the Access Manager Administrator.

4. Enter the password for sec_master.

Troubleshooting Note: If you repeatedly enter an incorrect password, you may see the error message: Error: This account has been temporarily locked out due to too many failed login attempts. If this occurs, obtain the correct password, wait five minutes for the lock to clear, and then restart pdconfig.

You are prompted to enable SSL communication between the WebSEAL server and the LDAP server.

5. Choose one of the following actions:

- If you want to enable SSL communication, type y and press Enter.

- If you do not want to enable SSL communications, type n and press Enter.

6. If you disabled SSL communication, go to the next step. If you have enabled SSL communication, provide the following values when prompted:

- LDAP SSL Client Key Ring File Location

- SSL Client Certificate Label (optional)

The client certificate label is usually not required. This label is needed only when the LDAP server is configured to ask for client-side certificates. Typically, LDAP servers require only server-side certificates. If your LDAP server does not require client-side certificates, you can just press Enter at this prompt.

- SSL Client Key File Password

- LDAP Server SSL port number. The default port is 636.

The SSL configuration is now complete. The current Web server configuration values are displayed.

7. Check the Web server configuration values. Modify any that need to be changed. In most cases, you can accept the default values. The following screen dialog appears:

Please check Web Server configuration:
1. Enable TCP HTTP? Yes
2. HTTP Port 80
3. Enable HTTPS? Yes
4. HTTPS Port 443
5. Web document root directory /opt/pdweb/www/docs
a. Accept configuration and continue with installation
x. Exit installation
Select item to change:

Note: If you are running any other Web servers on this computer, verify that the TCP HTTP port for the other servers does not conflict with the WebSEAL TCP HTTP port.

8. When you are satisfied that the configuration is correct, type the letter a to accept the configuration and continue the installation. Press Enter.

Several status messages appear as the WebSEAL server is configured. When the configuration is complete, a status message indicates that the WebSEAL server is starting. When the WebSEAL server is running, a final message appears indicating that the configuration of the WebSEAL server package was successful.

9. Press Enter to continue.

The Access Manager Configuration Menu appears.

10. Press Enter to select the default choice of x to exit the utility.

Note: Access Manager WebSEAL supports multiple instances of WebSEAL servers on each host computer. See the IBM Tivoli Access Manager WebSEAL Administrator’s Guide for information on configuring multiple instances of WebSEAL servers.
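
The port-conflict note in step 7 can be checked before pdconfig is run. The following shell functions are an added example, not part of the IBM guide: they scan netstat -an output for existing listeners on the WebSEAL HTTP and HTTPS ports. The function names and the sample netstat text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the IBM guide): pre-flight check for the port
# conflict the guide warns about, run before accepting the pdconfig defaults.
# All function names here are hypothetical.

# listening_on <port>
# Reads `netstat -an` style text on stdin and exits 0 if some socket is in
# LISTEN state on <port>. The local address is matched in both "addr.port"
# notation (Solaris, AIX, HP-UX) and "addr:port" notation (Linux).
listening_on() {
    awk -v port="$1" '
        /LISTEN/ {
            for (i = 1; i <= NF; i++) {
                # The port is whatever follows the last "." or ":" in a field.
                n = split($i, part, "[.:]")
                if (n > 1 && part[n] == port) { found = 1 }
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# webseal_port_conflicts <http_port> <https_port>
# Reads netstat text on stdin, prints each WebSEAL port that already has a
# listener, and returns the number of conflicts (0 = defaults can be accepted).
webseal_port_conflicts() {
    snapshot=$(cat)
    conflicts=0
    for p in "$1" "$2"; do
        if printf '%s\n' "$snapshot" | listening_on "$p"; then
            echo "port $p already has a listener"
            conflicts=$((conflicts + 1))
        fi
    done
    return "$conflicts"
}

# Constructed sample in the Solaris `netstat -an` layout: another Web server
# holds port 80, sshd holds 22, an application holds 8080, and nothing
# listens on 443. The ESTABLISHED line must be ignored even though its
# remote port ends in 443.
sample_netstat() {
    cat <<'EOF'
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.80                 *.*                0      0 49152      0 LISTEN
192.0.2.10.22        192.0.2.77.51443     49640      0 49640      0 ESTABLISHED
      *.8080               *.*                0      0 49152      0 LISTEN
EOF
}

# Usage on the target host, with the defaults shown in the pdconfig dialog:
#   netstat -an | webseal_port_conflicts 80 443
```

A non-zero return means at least one of the two ports must be changed in the pdconfig dialog, or the other Web server moved, before the configuration is accepted.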

Installing WebSEAL ADK on UNIX

This section contains instructions for installing the WebSEAL ADK on each of the supported UNIX platforms.

Note: The WebSEAL ADK has a prerequisite on the WebSEAL server. If you have not yet installed a WebSEAL server on this computer, go to “Installing WebSEAL server on UNIX” on page 6.

To install the WebSEAL ADK, follow the instructions in the appropriate section:

- “Installing WebSEAL ADK on Solaris”

- “Installing WebSEAL ADK on AIX” on page 12

- “Installing WebSEAL ADK on HP-UX” on page 13

Installing WebSEAL ADK on Solaris

To install the WebSEAL ADK on Solaris, complete the following instructions:

1. Verify that the WebSEAL server package has been installed and configured.

If the WebSEAL server has not been installed, complete the instructions in “Installing WebSEAL server on Solaris” on page 6.

2. Verify the following information:

- You are logged in as root.

- The IBM Tivoli Access Manager Web Security for Solaris CD is mounted on /cdrom/cdrom0.

- The current directory is /cdrom/cdrom0/solaris.

3. Enter the following command to install the IBM Tivoli Access Manager ADK:

# pkgadd -d . PDAuthADK

When prompted to continue, type y and press Enter. Files are extracted from the CD and installed on the hard disk. A status message appears indicating that installation of the IBM Tivoli Access Manager ADK package was successful. The pkgadd utility exits.

4. Enter the following command to install the WebSEAL ADK:

# pkgadd -d . PDWebADK

When prompted to continue, type y and press Enter. Files are extracted from the CD and installed on the hard disk. A status message appears indicating that installation of the WebSEAL ADK package was successful. The pkgadd utility exits.

The WebSEAL ADK does not require any configuration. Installation of the WebSEAL ADK is now complete.

Installing WebSEAL ADK on AIX

To install the WebSEAL ADK on AIX, complete the following instructions:

1. Verify that the WebSEAL server package has been installed and configured.

If the WebSEAL server has not been installed, complete the instructions in “Installing WebSEAL server on AIX” on page 7.

2. Verify that you are logged in as root and that the IBM Tivoli Access Manager Web Security for AIX CD is in the CD drive.

3. Enter the following command at a shell prompt:

# smit

The SMIT utility starts.

4. Select Software Installation and Maintenance. Select Install and Update Software.

- On AIX 4.3 systems, select Install and Update Software from LATEST Available Software.

- On AIX 5.1 systems, select Install Software.

5. When prompted for input device:

- On AIX 4.3, enter the location where the CD is mounted.

- On AIX 5.1, enter the directory on the CD containing the installation packages. For example:

/<mount_point>/usr/sys/inst.images

Click OK.

6. Click the List button for SOFTWARE to install.

A Multi-select List window displays the list of IBM Tivoli Access Manager software packages.

7. Select the following packages:

- Access Manager WebSEAL ADK

- Access Manager ADK

Click OK. The Install and Update Software from LATEST Available Software dialog box appears.

8. Verify that the default value of yes is present in the field labeled AUTOMATICALLY install requisite software.

9. Set other fields to values appropriate to your installation. In most cases, you can accept the default values. Click OK.

10. A message box appears asking if you are sure you want to install these packages. Click OK.

The package files are installed. Several status messages are displayed. A final status message indicates success upon completion of file extraction.

11. Click Done. Click Cancel to exit SMIT.

The WebSEAL ADK does not require any configuration. Installation of the WebSEAL ADK is now complete.

Installing WebSEAL ADK on HP-UX

To install the WebSEAL ADK on HP-UX, complete the following instructions:

1. Verify that the WebSEAL server package has been installed and configured.

If a WebSEAL server has not been installed, complete the instructions in “Installing WebSEAL server on HP-UX” on page 8.

2. Verify the following information:

- You are logged in as root.

- The IBM Tivoli Access Manager Web Security for HP-UX CD is mounted. If the CD is not mounted, enter the following commands:

# nohup /usr/sbin/pfs_mountd &
# nohup /usr/sbin/pfsd &
# /usr/sbin/pfs_mount <mount-device> <mount-point>

For example:

# /usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cdrom

- The current working directory is /cdrom/hp.

3. Enter the following command to install the IBM Tivoli Access Manager ADK:

# swinstall -s /cdrom/hp PDAuthADK

When prompted to continue, type y and press Enter. Files are extracted from the CD and installed on the hard disk. A status message appears indicating that installation of the IBM Tivoli Access Manager ADK package was successful. The swinstall utility exits.

4. Enter the following command to install the WebSEAL ADK:

# swinstall -s /cdrom/hp PDWebADK

When prompted to continue, type y and press Enter. Files are extracted from the CD and installed on the hard disk. A status message appears indicating that installation of the IBM Tivoli Access Manager WebSEAL ADK package was successful. The swinstall utility exits.

The WebSEAL ADK does not require any configuration. Installation of the WebSEAL ADK is now complete.

Installing WebSEAL server and WebSEAL ADK on Windows

The WebSEAL installation separates file extraction from package configuration. Use an InstallShield program to install the WebSEAL files. Next, use the IBM Tivoli Access Manager configuration utility to configure the WebSEAL server.

Note: If you have already installed and configured WebSEAL and need to reinstall it, you must first unconfigure and remove the WebSEAL package. See Chapter 5, “Removing WebSEAL” on page 39.

To install and configure WebSEAL on Windows, complete the following instructions:

1. Log in to the Windows domain as a user with Windows administrator privileges.

2. Insert the IBM Tivoli Access Manager Web Security for Windows CD into the CD drive.

3. Verify that this computer has the IBM Tivoli Access Manager runtime environment configured. The runtime environment will be configured if the IBM Tivoli Access Manager policy server is installed on this computer, or if the computer has previously been added to the Access Manager secure domain.

4. If this computer has the runtime environment configured, skip this step. Go to the next step.

If this computer does not have the runtime environment configured, install and configure the software prerequisites for the WebSEAL server by completing the following instructions:

a. Run the IBM SecureWay Directory Client setup program:

E:\Windows\Directory\ldap32_us\setup.exe

b. Run the IBM Tivoli Access Manager runtime environment setup program:

E:\Windows\PolicyDirector\Disk Images\Disk1\Pdrte\Disk Images\Disk1\setup.exe

c. Use the IBM Tivoli Access Manager configuration utility to configure the runtime environment. Select Start > Programs > Policy Director > Configuration.

For complete instructions on how to configure the runtime environment, see the IBM Tivoli Access Manager Base Installation Guide.

d. If you want to install the WebSEAL ADK, you must install the prerequisite IBM Tivoli Access Manager ADK. Run the ADK setup program:

E:\Windows\PolicyDirector\Disk Images\Disk1\PDAuthADK\Disk Images\Disk1\setup.exe

The IBM Tivoli Access Manager ADK does not require any configuration.

5. Run the WebSEAL InstallShield setup program by double-clicking on the following file (where the letter E: in the following command represents the CD drive):

E:\Windows\PolicyDirector\Disk Images\Disk1\WebSEAL\Disk Images\Disk 1\setup.exe

The Choose Setup Language dialog box appears.

6. Select the appropriate language and click OK.

The InstallShield program starts and the Welcome dialog box appears.

7. Click Next.

The License Agreement dialog box appears.

8. Click Yes to accept the License Agreement.

The Choose Destination Location dialog box appears.

9. Accept the default or specify an alternative location. Click Next.

The Select Components dialog box appears.

10. Select the check box for each package that you want to install:

- PDWeb

This package contains the WebSEAL server and utilities.

- PDWebADKs

This package contains WebSEAL application development kits (ADKs). You must install PDWeb when you install PDWebADKs.

The files for the selected packages are extracted to the disk. A message appears indicating that the packages have been installed.

11. Click Finish to exit the setup program.

12. Select Start > Programs > Policy Director > Configuration.

The Access Manager Configuration dialog box appears.

Note: The WebSEAL ADK does not require any configuration.

13. Select Access Manager WebSEAL (PDWeb). Click Configure.

The HTTP properties dialog box appears.

14. Select or deselect the Allow unsecure TCP HTTP access check box. If you allowed unsecure TCP HTTP access, specify the port number. In most cases, you can accept the default port number of 80.

Note: If you are running any other Web servers on this computer, verify that the TCP HTTP port for the other servers does not conflict with the WebSEAL TCP HTTP port.

15. Select or deselect the Allow HTTPS access check box. If you allowed HTTPS access, specify the port number. In most cases, you can accept the default port number of 443. Click OK.

The Access Manager Administrator Password dialog box appears.

16. Enter the password for sec_master.

Troubleshooting Note: If you repeatedly enter an incorrect password, you may see the error message: Error: This account has been temporarily locked out due to too many failed login attempts. If this occurs, obtain the correct password, wait five minutes for the lock to clear, and then restart the configuration program.

The status message Configuring Access Manager WebSEAL appears. When configuration completes, a status message states that the configuration was successful. The Access Manager Configuration dialog box appears.

17. Click Close to exit the configuration utility.

Installation and configuration of WebSEAL on Windows is now complete.

Note: Access Manager WebSEAL supports multiple instances of WebSEAL servers on each host computer. See the IBM Tivoli Access Manager WebSEAL Administrator’s Guide for information on configuring multiple instances of WebSEAL servers.

Chapter 3. Upgrading WebSEAL from version 3.8

IBM Tivoli Access Manager (Access Manager) supports an upgrade of IBM Tivoli Access Manager WebSEAL (WebSEAL) from Version 3.7 or Version 3.8 to Version 3.9. This chapter describes how to upgrade a Version 3.8 WebSEAL server to Version 3.9.

Note: If you are installing a new WebSEAL server, do not use this chapter. See Chapter 2, “Installing WebSEAL” on page 5. If you are upgrading from Version 3.7 to Version 3.9, do not use this chapter. See Chapter 4, “Upgrading WebSEAL from version 3.7” on page 27.

The upgrade process consists of two pieces:

- Preserving WebSEAL information

- Upgrading WebSEAL files

Note: Please check the IBM Tivoli Access Manager for e-business Release Notes on the Tivoli support Web site for possible limitations to the Access Manager WebSEAL upgrade process.

To begin the upgrade process, go to “Preserving WebSEAL data on all platforms” on page 17.

Preserving WebSEAL data on all platforms

Before upgrading a WebSEAL server, preserve the WebSEAL certificate information. Complete the following steps:

1. Copy the WebSEAL certificate file to a temporary directory:

(UNIX) # cp /opt/pdweb/www/certs/pdsrv.kdb /<temporary_directory>
(Windows) MSDOS> copy "C:\Program Files\Tivoli\PDWeb\www\certs\pdsrv.kdb" \<temporary_directory>

2. Copy the WebSEAL certificate stash file to a temporary directory:

(UNIX) # cp /opt/pdweb/www/certs/pdsrv.sth /<temporary_directory>
(Windows) MSDOS> copy "C:\Program Files\Tivoli\PDWeb\www\certs\pdsrv.sth" \<temporary_directory>

Note: Remember the name of the temporary directory you chose. You will need to copy the files back into place at the end of the WebSEAL upgrade process.

3. You do not need to preserve any other WebSEAL information. WebSEAL configuration data, such as junction database information, is automatically preserved during the WebSEAL upgrade from Version 3.8 to Version 3.9.

However, please observe good system administration practices and perform complete backups of WebSEAL systems before installing and upgrading Version 3.9 software.

4. Complete the upgrade by following the instructions in the appropriate section:

- “Upgrading WebSEAL on Solaris” on page 18

- “Upgrading WebSEAL on AIX” on page 19

- “Upgrading WebSEAL on HP-UX” on page 21

- “Upgrading WebSEAL on Windows” on page 23
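
Steps 1 and 2 above leave the key database and its stash file in whatever temporary directory you pick. The following shell functions are an added example, not part of the IBM guide: they perform the same copy on UNIX into a directory readable only by its owner and confirm that both copies are byte-identical before the upgrade starts. The function names are hypothetical, and CERT_DIR assumes the default UNIX path shown in step 1.

```shell
#!/bin/sh
# Added example (not from the IBM guide): preserve the WebSEAL certificate
# files before an upgrade without exposing them to other local users.
# pdsrv.sth lets pdsrv.kdb be opened without typing its password, so the
# two files are kept private together.
# backup_webseal_certs and verify_webseal_backup are hypothetical names.

# Assumption: default UNIX certificate path from the guide; override by
# exporting CERT_DIR before sourcing this file.
CERT_DIR="${CERT_DIR:-/opt/pdweb/www/certs}"
CERT_FILES="pdsrv.kdb pdsrv.sth"

# verify_webseal_backup <backup_dir>
# Returns 0 only if both copies are byte-identical to the originals and the
# backup directory grants no access to group or other.
verify_webseal_backup() {
    dest="$1"
    for f in $CERT_FILES; do
        cmp -s "$CERT_DIR/$f" "$dest/$f" || { echo "mismatch: $f" >&2; return 1; }
    done
    perms=$(ls -ld "$dest" | cut -c1-10)
    case "$perms" in
        drwx------) return 0 ;;
        *) echo "backup directory too permissive: $perms" >&2; return 1 ;;
    esac
}

# backup_webseal_certs <backup_dir>
# Creates <backup_dir> with mode 700, copies both files with mode 600, then
# verifies the result. Nothing is created if either source file is missing.
backup_webseal_certs() {
    dest="$1"
    [ -n "$dest" ] || { echo "usage: backup_webseal_certs <backup_dir>" >&2; return 2; }

    for f in $CERT_FILES; do
        [ -f "$CERT_DIR/$f" ] || { echo "missing: $CERT_DIR/$f" >&2; return 1; }
    done

    (
        # The directory is locked down before any file lands in it, so the
        # copies are never visible to other users, even briefly.
        umask 077
        mkdir -p "$dest" && chmod 700 "$dest" || exit 1
        for f in $CERT_FILES; do
            cp -p "$CERT_DIR/$f" "$dest/$f" || exit 1
            chmod 600 "$dest/$f" || exit 1
        done
    ) || return 1

    verify_webseal_backup "$dest"
}

# Usage as root on the WebSEAL host, before stopping the server:
#   backup_webseal_certs /var/tmp/webseal38-certs
# Re-check the copies just before restoring them after the upgrade:
#   verify_webseal_backup /var/tmp/webseal38-certs
```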

Upgrading WebSEAL on Solaris

To upgrade a WebSEAL server on Solaris, complete the following instructions:

1. Verify that you have preserved the WebSEAL certificate files, as described in “Preserving WebSEAL data on all platforms” on page 17.

2. Log in as user root.

3. Verify that the Access Manager secure domain is able to upgrade WebSEAL:

a. Verify that the Access Manager policy server for the secure domain has already been upgraded to Version 3.9.

b. Verify that the Access Manager policy server is running, and that you can contact it. You can do this by executing a sample pdadmin command. For example:

# pdadmin
# login -a sec_master -p password
pdadmin> pdadmin acl list

If you cannot log in, do not proceed with the WebSEAL upgrade. Resolve the login problem before continuing.

4. Stop the WebSEAL server. Enter the following command:

# /usr/bin/pdweb stop

5. If WebSEAL runs on the same computer as the Access Manager policy server,skip this step. Go to the next step.

If WebSEAL runs on a different computer from Access Manager policy server,remove the Version 3.8 prerequisite software, as follows:

a. Remove IBM SecureWay Directory Client, Version 3.2.1:

# pkgrm IBMldapc

b. Remove IBM Global Security Toolkit:

# pkgrm gsk4bas

6. Mount the IBM Tivoli Access Manager Web Security for Solaris CD on /cdrom/cdrom0.

7. Change directory to /cdrom/cdrom0/solaris.

8. If you are upgrading WebSEAL on the same computer as the Access Manager policy server, skip this step. Go to the next step.

If you are upgrading WebSEAL on a different computer from the Access Manager policy server, you must upgrade the software prerequisites for WebSEAL. Complete the following instructions:

a. Enter the following command to install the IBM Global Security Toolkit:

# pkgadd -d . gsk5bas

b. Enter the following command to install the IBM SecureWay Directory Client:

# pkgadd -d . IBMldapc

c. Enter the following command to install the IBM Tivoli Access Manager runtime environment:

# pkgadd -d . -a <mount_point>/solaris/pddefault PDRTE

You do not need to run pdconfig to configure the runtime environment. For complete information on upgrading the IBM Tivoli Access Manager runtime environment, see the IBM Tivoli Access Manager Base Installation Guide.

9. Obtain the Access Manager migrate.conf file from the Web Security CD. This file is located on the CD in:


<mount_point>/solaris/migrate/migrate.conf

a. Copy migrate.conf to:

/tmp/migrate.conf

b. Edit migrate.conf and add the sec_master password for your secure domain.

pdadmin-login = sec_master

pdadmin-pwd = <sec_master_password>

Use the default values for the other entries in migrate.conf.

10. Enter the following command to install the WebSEAL server package:

# pkgadd -d . -a /<mount_point>/solaris/pddefault PDWeb

When prompted to continue, type y and press Enter. Files are extracted from the CD and installed on the hard disk. A message appears indicating that an upgrade is taking place. A message appears indicating that installation of the WebSEAL package was successful. The pkgadd utility exits.

11. If you want to upgrade the WebSEAL ADK on this computer, install it now. If you do not want to use it, skip this step and go to the next step.

a. The WebSEAL ADK has a dependency on the IBM Tivoli Access Manager application development kit (ADK). Both ADK packages are included on the Web Security CD. If you have not already installed the Version 3.9 Access Manager ADK, install it now. Use pkgadd to install each package:

# pkgadd -d . -a <mount_point>/solaris/pddefault PDAuthADK

# pkgadd -d . -a <mount_point>/solaris/pddefault PDWebADK

b. When prompted to continue, type y and press Enter.

Files are extracted from the CD and installed on the hard disk. A message appears indicating that installation of the WebSEAL ADK package was successful. The pkgadd utility exits.

Neither the Access Manager ADK package nor the WebSEAL ADK package requires any configuration steps.

12. Restore the WebSEAL certificate files that you preserved before starting the WebSEAL upgrade:

# cp /<temporary_directory>/pdsrv.kdb /opt/pdweb/www/certs/pdsrv.kdb
# cp /<temporary_directory>/pdsrv.sth /opt/pdweb/www/certs/pdsrv.sth

13. Restart the WebSEAL server.

Note: You do not need to run pdconfig to configure WebSEAL. WebSEAL automatically uses the Version 3.8 configuration information.

The upgrade of WebSEAL on Solaris from Version 3.8 to Version 3.9 is complete.
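Step 9 above places the sec_master password in /tmp/migrate.conf in clear text. The following added shell example (not part of the IBM guide) fills in the two entries while creating the file readable only by its owner, and removes the file once the upgrade is done. It assumes the file on the CD already contains pdadmin-login and pdadmin-pwd lines in key = value form; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the IBM guide: fill in migrate.conf without
# exposing the sec_master password to other local users.

# write_migrate_conf <file_from_cd> <output_path>
# Reads the password from standard input so it never appears in argv.
write_migrate_conf() {
    template=$1
    out=$2
    IFS= read -r pw || :
    [ -n "$pw" ] || { echo "no password on stdin" >&2; return 1; }
    # /tmp is world-writable: refuse to write through a file or link that
    # is already at the target path.
    if [ -e "$out" ] || [ -h "$out" ]; then
        echo "$out already exists" >&2
        unset pw
        return 2
    fi
    (
        umask 077   # the new file is created with mode 600
        set -C      # noclobber: creation fails if the path appears meanwhile
        # The password is passed through awk's environment, not its
        # arguments, and ENVIRON keeps backslashes in it literal.
        PDPWD=$pw awk '
            /^[ \t]*pdadmin-login[ \t]*=/ { print "pdadmin-login = sec_master"; l = 1; next }
            /^[ \t]*pdadmin-pwd[ \t]*=/   { print "pdadmin-pwd = " ENVIRON["PDPWD"]; p = 1; next }
            { print }
            END { if (!(l && p)) exit 3 }   # assumed entries were not found
        ' "$template" > "$out"
    ) && rc=0 || rc=$?
    unset pw
    # Exit status 3 means awk wrote an incomplete file: do not leave it behind.
    [ "$rc" -eq 3 ] && rm -f "$out"
    return "$rc"
}

# conf_mode <path>: permission string of the file, for example -rw-------
conf_mode() {
    ls -ld "$1" | cut -c1-10
}

# remove_migrate_conf <path>: delete the file after the upgrade. The guide
# does not say whether the installer removes it, so this example does.
remove_migrate_conf() {
    rm -f "$1" && [ ! -e "$1" ]
}

# Usage: script write <file_from_cd> /tmp/migrate.conf   (password on stdin)
#        script remove /tmp/migrate.conf
case "${1:-}" in
    write)  write_migrate_conf "$2" "$3" ;;
    remove) remove_migrate_conf "$2" ;;
esac
```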

Upgrading WebSEAL on AIX

To upgrade a WebSEAL server on AIX, complete the following instructions:

1. Verify that you have preserved the WebSEAL certificate files, as described in “Preserving WebSEAL data on all platforms” on page 17.

2. Log in as user root.

3. Verify that the Access Manager secure domain is able to upgrade WebSEAL:

a. Verify that the Access Manager policy server for the secure domain has already been upgraded to Version 3.9.


b. Verify that the Access Manager policy server is running, and that you can contact it. You can do this by executing a sample pdadmin command. For example:

# pdadmin
pdadmin> login -a sec_master -p password
pdadmin> acl list

If you cannot log in, do not proceed with the WebSEAL upgrade. Resolve the login problem before continuing.

4. Ensure that the WebSEAL server is not running:

# /usr/bin/pdweb stop

5. Use SMIT to remove the IBM SecureWay LDAP Client and IBM GSKit Toolkit components that were installed as prerequisites for the Version 3.8 Policy Director runtime environment.

6. Mount the IBM Tivoli Access Manager Web Security for AIX CD.

7. Enter the following command at a shell prompt:

# smit

The SMIT utility starts.

8. Select Software Installation and Maintenance. Select Install and Update Software. Select Install and Update Software from LATEST Available Software.

9. When prompted for input device, enter the location where the CD is mounted.

<mount_point>/usr/sys/inst.images

10. Click the List button for SOFTWARE to install.

A Multi-select List window displays the list of IBM Tivoli Access Manager software packages.

11. If installing on the same system as Access Manager policy server, skip this step. Go to the next step.

If installing on a different system from the Access Manager policy server, install the software prerequisites. Select the following packages:

• IBM Global Security Toolkit

The install package is gskit. The menu description is AIX Certificate and SSL Base Runtime ACME Toolkit.

• IBM SecureWay Directory Client

The installation package is ldap.client

• IBM Tivoli Access Manager runtime environment

The installation package is PD.RTE

12. Obtain the Access Manager migrate.conf file from the Web Security CD. This file is located on the CD in:

<mount_point>/usr/sys/inst.images/migrate/migrate.conf

a. Copy migrate.conf to:

/tmp/migrate.conf

b. Edit migrate.conf and add the sec_master password for your secure domain.

pdadmin-login = sec_master

pdadmin-pwd = <sec_master_password>

Use the default values for the other entries in migrate.conf.

13. Select the Access Manager WebSEAL package.


The installation package is PDWeb.Web.

Optionally, you can also select the Access Manager WebSEAL ADK package. If you select the Access Manager WebSEAL ADK, you must also select Access Manager ADK.

Note: The WebSEAL ADK requires the Access Manager ADK. The Access Manager ADK is included on the Web Security CD.

14. Click OK.

15. The Install and Update Software from LATEST Available Software dialog box appears.

16. Verify that the default value of yes is present in the field labeled AUTOMATICALLY install requisite software. Set other fields to values appropriate to your installation. In most cases, you can accept the default values. Click OK.

17. Click OK when asked to confirm the installation of this package.

SMIT displays several status messages. A status message indicates that an upgrade is taking place. When the upgrade completes, the WebSEAL server starts.

18. When file extraction completes, click Done. Click Cancel to exit SMIT.

19. Restore the WebSEAL certificate files that you preserved before starting the WebSEAL upgrade:

# cp /<temporary_directory>/pdsrv.kdb /opt/pdweb/www/certs/pdsrv.kdb
# cp /<temporary_directory>/pdsrv.sth /opt/pdweb/www/certs/pdsrv.sth

20. Restart the WebSEAL server.

Note: You do not need to configure WebSEAL. WebSEAL automatically uses the Version 3.8 configuration information.

The upgrade of WebSEAL on AIX is now complete.

Upgrading WebSEAL on HP-UX

To upgrade WebSEAL on HP-UX, complete the following instructions:

1. Verify that you have preserved the WebSEAL certificate files, as described in “Preserving WebSEAL data on all platforms” on page 17.

2. Log in as user root.

3. Verify that the Access Manager secure domain is able to upgrade WebSEAL:

a. Verify that the Access Manager policy server for the secure domain has already been upgraded to Version 3.9.

b. Verify that the Access Manager policy server is running, and that you can contact it. You can do this by executing a sample pdadmin command. For example:

# pdadmin
pdadmin> login -a sec_master -p password
pdadmin> acl list

If you cannot log in, do not proceed with the WebSEAL upgrade. Resolve the login problem before continuing.

4. Ensure that the WebSEAL server is not running:

# /sbin/pdweb stop

5. If WebSEAL runs on the same computer as the Access Manager policy server, skip this step. Go to the next step.


If WebSEAL runs on a different computer from Access Manager policy server, remove the Version 3.8 prerequisite software, as follows:

a. Remove IBM SecureWay Directory Client, Version 3.2.1:

# swremove IBMldapc

b. Remove IBM Global Security Toolkit:

# swremove gsk4bas

6. Mount the IBM Tivoli Access Manager Web Security for HP-UX CD.

# nohup /usr/sbin/pfs_mountd &
# nohup /usr/sbin/pfsd &
# /usr/sbin/pfs_mount <mount_device> <mount_point>

For example:

# /usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cdrom

7. Obtain the Access Manager migrate.conf file from the Web Security CD. This file is located on the CD in:

/mount_point/hp/migrate/migrate.conf

a. Copy migrate.conf to:

/tmp/migrate.conf

b. Edit migrate.conf and add the sec_master password for your secure domain.

pdadmin-login = sec_master

pdadmin-pwd = sec_master_password

Use the default values for the other entries in migrate.conf.

8. If WebSEAL runs on the same computer as the Access Manager policy server, skip this step and go to the next step.

If WebSEAL runs on a different computer from the Access Manager policy server, upgrade the Version 3.9 WebSEAL software prerequisites:

a. IBM Global Security Toolkit

# swinstall -s /mount_point/hp gsk5bas

b. IBM SecureWay Directory Client

# swinstall -s /mount_point/hp LDAP

c. IBM Tivoli Access Manager runtime environment

# swinstall -s /mount_point/hp PDRTE

You do not need to run pdconfig to configure the runtime environment. For complete information on upgrading the IBM Tivoli Access Manager runtime environment, see the IBM Tivoli Access Manager Base Installation Guide.

9. Use swinstall to install the WebSEAL package.

# swinstall -s /mount_point/hp PDWeb

A message appears indicating that the analysis phase has succeeded. Files are extracted from the CD and installed on the hard disk. A message appears indicating that the execution phase has succeeded. The swinstall utility exits.

10. If you want to use the WebSEAL application development kit (ADK) on this computer, install it now. If you do not want to use it, skip this step and go to the next step.

The WebSEAL ADK has a dependency on the Access Manager ADK. Both ADK packages are included on the WebSEAL CD.

a. Use swinstall to install the Access Manager ADK:


# swinstall -s /mount_point/hp PDAuthADK

A status message appears when the analysis phase has succeeded. Files are extracted onto the hard disk. A status message appears when the execution phase has succeeded. The swinstall utility exits.

The Access Manager ADK package does not require any configuration.

b. Use swinstall to install the WebSEAL ADK:

# swinstall -s /mount_point/hp PDWebADK

A status message appears when the analysis phase has succeeded. Files are extracted onto the hard disk. A status message appears when the execution phase has succeeded. The swinstall utility exits.

The WebSEAL ADK package does not require any configuration.

11. Restore the Version 3.8 WebSEAL certificate files that you preserved before starting the WebSEAL upgrade:

# cp /<temporary_directory>/pdsrv.kdb /opt/pdweb/www/certs/pdsrv.kdb
# cp /<temporary_directory>/pdsrv.sth /opt/pdweb/www/certs/pdsrv.sth

12. Run the WebSEAL upgrade script:

# cd /opt/pdweb/sbin
# PDWeb_upgrade

Note: After upgrading, the swlist command may still display a listing for Policy Director WebSEAL 3.8.0. You can ignore this entry. The WebSEAL 3.8 binaries have been upgraded to Version 3.9.

The upgrade of WebSEAL on HP-UX is now complete.

Upgrading WebSEAL on Windows

To upgrade WebSEAL on Windows, complete the following instructions:

1. Verify that you have preserved the WebSEAL certificate files, as described in “Preserving WebSEAL data on all platforms” on page 17.

2. Log in to the Windows domain as a user with Windows administrator privileges.

3. Verify that the Access Manager secure domain is able to upgrade WebSEAL:

a. Verify that the Access Manager policy server for the secure domain has already been upgraded to Version 3.9.

b. Verify that the Access Manager policy server is running, and that you can contact it. You can do this by executing a sample pdadmin command. For example:

MSDOS> pdadmin
pdadmin> login -a sec_master -p password
pdadmin> acl list

If you cannot log in, do not proceed with the WebSEAL upgrade. Resolve the login problem before continuing.

4. Ensure that the WebSEAL server is not running. Use the Services icon from the Control Panel to stop the WebSEAL server.

5. Insert the IBM Tivoli Access Manager Web Security for Windows CD into the CD drive.


6. If WebSEAL runs on the same computer as the policy server, skip this step and go to the next step.

If WebSEAL runs on a different computer from the IBM Tivoli Access Manager policy server, complete the following instructions:

a. Remove the previous version of the IBM SecureWay Directory Client. Use the Add/Remove Programs icon.

Note: You do not need to remove the previous version of IBM Global Security Toolkit or IBM Tivoli Access Manager runtime environment, Version 3.8.

b. Install IBM Global Security Toolkit (GSKit) for use with Access Manager WebSEAL Version 3.9. Run the setup program:

MSDOS> E:\Windows\gskit\setup PolicyDirector c:\progra~1

In this example command, E: represents the CD drive.

Edit the system %PATH% variable to remove the entry for GSKit 4. The setup program inserts an entry for GSKit 5. Be sure to leave the GSKit 5 entry in the %PATH% variable.

c. Install IBM SecureWay Directory Client for use with Access Manager WebSEAL Version 3.9. Run the setup program:

MSDOS> E:\Windows\Directory\setup.exe

d. Install IBM Tivoli Access Manager runtime environment. Run the setup program:

MSDOS> "E:\Windows\PolicyDirector\Disk Images\Disk1\Pdrte\Disk Images\Disk1\setup.exe"

Note: Be sure to unselect the InstallShield check box for WebSEAL when installing the Access Manager runtime environment. The WebSEAL check box is selected by default. Do not install WebSEAL at this time.

e. If you want to install the WebSEAL ADK, you must install the prerequisite IBM Tivoli Access Manager ADK. Run the ADK setup program:

MSDOS> "E:\Windows\PolicyDirector\Disk Images\Disk1\PDAuthADK\Disk Images\Disk1\setup.exe"

The Access Manager ADK does not require any configuration.

7. Verify that the Access Manager policy server is running.

8. Obtain the Access Manager migrate.conf file from the Web Security CD. This file is located on the CD in:

E:\Windows\migrate\migrate.conf

a. Copy migrate.conf to:

%TEMP%\migrate.conf

If %TEMP% is not set, place migrate.conf in %TMP%.

b. Edit migrate.conf and add the sec_master password for your secure domain.

pdadmin-login = sec_master

pdadmin-pwd = sec_master_password

Use the default values for the other entries in migrate.conf.

9. Run the WebSEAL setup program (the letter E: in the following command represents the CD drive):

MSDOS> "E:\Windows\PolicyDirector\Disk Images\Disk1\WebSEAL\Disk Images\Disk1\setup.exe"


The Choose Setup Language dialog box appears.

10. Select the appropriate language and click OK.

The InstallShield program starts and the Welcome dialog box appears.

11. Click Next.

The License Agreement dialog box appears.

12. Click Yes to accept the License Agreement.

The Choose Destination Location dialog box appears.

13. Accept the default or specify an alternative location. Click Next.

The Select Components dialog box appears.

14. Select the check box for each package that you want to install:

• PDWeb

This package contains the WebSEAL server and utilities.

• PDWebADKs

This package contains WebSEAL application development kits (ADKs). You must install PDWeb when you install PDWebADKs.

The files for the selected packages are extracted to the disk. A message appears indicating that the packages have been installed.

15. Click Finish to exit the setup program.

WebSEAL is automatically configured using the Version 3.8 configuration information that was previously backed up.

16. Restore the WebSEAL certificate files that you preserved before starting the WebSEAL upgrade:

MSDOS> copy \<temporary_directory>\pdsrv.kdb "C:\Program Files\Tivoli\PDWeb\www\certs\pdsrv.kdb"
MSDOS> copy \<temporary_directory>\pdsrv.sth "C:\Program Files\Tivoli\PDWeb\www\certs\pdsrv.sth"

17. Restart the WebSEAL server.

Note: You do not need to configure WebSEAL. WebSEAL automatically uses the Version 3.8 configuration information.

The upgrade of WebSEAL on Windows is now complete.


Chapter 4. Upgrading WebSEAL from version 3.7

IBM Tivoli Access Manager (Access Manager) supports an upgrade of IBM Tivoli Access Manager WebSEAL (WebSEAL) from Version 3.7 or Version 3.8 to Version 3.9. This chapter describes how to preserve the Version 3.7 WebSEAL information and how to use that information to upgrade a WebSEAL server to Version 3.9.

Note: If you are installing a new WebSEAL server, do not use this chapter. See Chapter 2, “Installing WebSEAL” on page 5. If you are upgrading from Version 3.8 to Version 3.9, do not use this chapter. See Chapter 3, “Upgrading WebSEAL from version 3.8” on page 17.

Upgrade of WebSEAL is supported from Version 3.7 or Version 3.7.1 to Version 3.9. Upgrade of prior versions of WebSEAL to Version 3.9 is not supported.

The instructions in this chapter will refer to Version 3.7. These instructions apply to Version 3.7 and point releases such as Version 3.7.1.

The upgrade process consists of two pieces:

• Preserving WebSEAL information

• Upgrading WebSEAL files

Note: Please check the IBM Tivoli Access Manager for e-business Release Notes on the Tivoli support Web site for possible limitations to the Access Manager WebSEAL upgrade process.

To begin the upgrade process, go to “Preserving WebSEAL configuration data” on page 27.

Preserving WebSEAL configuration data

The upgrade of WebSEAL depends on the successful completion of the upgrade of the Access Manager policy server. During the upgrade of Access Manager policy server, you must preserve the WebSEAL junction database.

Note: The Access Manager policy server was called the Policy Director management server in version 3.7.

When you want to upgrade WebSEAL from Version 3.7 to Version 3.9, you must back up information for both IBM Tivoli Access Manager policy server and the WebSEAL server.

CAUTION: You must complete the backup and upgrade of the Access Manager policy server before you begin upgrading the files on the WebSEAL servers. You must preserve WebSEAL junction database information during the policy server upgrade.

If your deployment consists of only one Access Manager computer which hosts both the policy server and WebSEAL, you can perform all backup steps on one computer.


If your deployment consists of more than one computer, and a WebSEAL server is located on a different host than the policy server, you need to perform backup steps on both the policy server and on each WebSEAL server. You will perform backup steps on the policy server first, and then perform backup steps on each WebSEAL server.

To preserve WebSEAL information, complete the following steps:

1. During the Access Manager policy server upgrade from Version 3.7 to Version 3.9, you must preserve the WebSEAL junction database information.

The instructions for preserving the WebSEAL junction database are in Appendix A “Upgrading to IBM Tivoli Access Manager” in the IBM Tivoli Access Manager Base Installation Guide. These instructions describe how to use the migrate37 utility to back up a number of important Access Manager databases. Follow the documented migrate37 command that saves WebSEAL junction information to an XML file. The XML file is used later by WebSEAL during the WebSEAL upgrade.

2. After the Access Manager policy server upgrade has completed, you must add a group membership entry to LDAP.

Choose one of the two sets of instructions below, based on the size of your LDAP user registry. The instructions for modifying a small LDAP user registry are presented first. The instructions for modifying a large LDAP user registry are presented second. You need to complete only one of the sets of instructions.

• If you have a small user registry, complete the following instructions:

a. Open the IBM SecureWay Directory DMT utility. Log in to the LDAP server.

b. In the right-hand window pane, select the organization entry. For example:

o=tivoli,c=us

c. Select the following entry:

systemName=IBMGSO

d. Select the following entry:

cn=Access Groups

e. Select the following entry:

cn=Senior Administrators

f. Click the Edit icon.

g. Select the field labeled members (Group Members).

The Edit multi-valued attribute dialog box appears.

h. Add the following entry:

cn=SecurityMaster,secAuthority=Default

i. Click OK to close the Edit multi-valued attribute dialog box. Click OK to close the Edit dialog box. Close the DMT utility.

Step 2 is complete. Go to Step 3.

• If you have a large user registry, complete the following steps:

a. Enter the following command:

ldapadd -h <ldap_server> -D <ldap_admin> -w <ldap_admin_password>

The prompt returns and waits for input (no prompt text is displayed).

b. Enter the following line and press Enter:

dn: cn=Senior Administrators,cn=Access Groups,systemname=IBMGSO,<gso_suffix>


For this example, the gso_suffix is:

o=tivoli,c=us

The prompt returns and waits for input (no prompt text is displayed).

c. Enter the following line and press Enter:

changetype: modify

The prompt returns and waits for input (no prompt text is displayed).

d. Enter the following line and press Enter:

add: member

The prompt returns and waits for input (no prompt text is displayed).

e. Enter the following line and press Enter twice:

member: cn=SecurityMaster,secAuthority=Default

f. The following message (for this example) should appear:

modifying entry cn=Senior Administrators,cn=Access Groups,systemname=IBMGSO,o=tivoli,c=us

g. Press Ctrl-D to end the ldapadd session.

3. If you do not have WebSEAL installed on any additional systems (other than the policy server system) skip this step. Go to the next step.

a. If you have WebSEAL running on a different computer from the IBM Tivoli Access Manager policy server computer and WebSEAL is running on a UNIX platform, complete the rest of the instructions in this step.

For each and every WebSEAL server on a UNIX system that does not run the policy server, you need to run the pdupgrade utility to preserve local WebSEAL configuration information.

Note: You do not need to run this tool on Windows systems. This step is performed programmatically on Windows systems.

b. On the UNIX system, log in as user root.

c. Mount the IBM Tivoli Access Manager Web Security CD for your operating system.

d. Copy the contents of the /<operating_system_name>/migrate directory to the hard disk.

e. Verify that the directory /var/PolDir does not exist.

f. Enter the following command:

# /var/pdupgrade -export

The above command assumes that you previously copied pdupgrade to /var. The pdupgrade utility creates /var/PolDir and completes. When it finishes, it has preserved the Version 3.7 WebSEAL configuration.

4. Next, complete the rest of the upgrade steps by following the instructions in the section for your operating system:

• “Upgrading WebSEAL on Solaris” on page 30

• “Upgrading WebSEAL on AIX” on page 32

• “Upgrading WebSEAL on HP-UX” on page 33

• “Upgrading WebSEAL on Windows” on page 35


Upgrading WebSEAL on Solaris

To upgrade WebSEAL on Solaris, complete the following instructions:

1. Log in as user root.

2. Ensure that you have preserved all necessary Version 3.7 WebSEAL configuration data. Ensure also that you have restored the necessary Version 3.7 policy server information as part of upgrading the policy server. If you have not already done so, complete the instructions in “Preserving WebSEAL configuration data” on page 27.

3. Copy migrate.conf and jct_backup.xml from /var to the following locations:

/tmp/migrate.conf

/tmp/jct_backup.xml

Note: If WebSEAL runs on a different computer from the IBM Tivoli Access Manager policy server, you will need to copy the files from the policy server system to the WebSEAL system.

4. Verify that the Access Manager secure domain is able to upgrade WebSEAL:

a. Verify that the Access Manager policy server for the secure domain has already been upgraded to Version 3.9.

b. Verify that the Access Manager policy server is running, and that you can contact it. You can do this by executing a sample pdadmin command. For example:

# pdadmin
pdadmin> login -a sec_master -p password
pdadmin> acl list

If you cannot log in, do not proceed with the WebSEAL upgrade. Resolve the login problem before continuing.

5. Stop the WebSEAL server. Enter the following command:

# /usr/bin/pdweb stop

6. Remove the Version 3.7 WebSEAL server. Note that you do not need to unconfigure the software first. When pkgrm prompts you to remove without unconfiguring, answer yes.

# pkgrm PDWeb

7. If WebSEAL runs on the same computer as the Access Manager policy server, skip this step. Go to the next step.

If WebSEAL runs on a different computer from Access Manager policy server, remove the Version 3.7 prerequisite software, as follows:

a. Remove IBM Tivoli Access Manager runtime environment:

# pkgrm PDRTE

b. Remove IBM SecureWay Directory Client, Version 3.2.1:

# pkgrm IBMldapc

c. Remove IBM Global Security Toolkit:

# pkgrm gsk4bas

8. Mount the IBM Tivoli Access Manager Web Security for Solaris CD on /cdrom/cdrom0.

9. Change to /cdrom/cdrom0/solaris.

10. If WebSEAL runs on the same computer as the policy server, skip this step and go to the next step.

If WebSEAL runs on a different computer from the policy server, install the Version 3.9 WebSEAL software prerequisites:


a. IBM Global Security Toolkit

# pkgadd -d . gsk5bas

b. IBM SecureWay Directory Client, Version 3.2.2

# pkgadd -d . IBMldapc

c. IBM Tivoli Access Manager runtime environment

# pkgadd -d . PDRTE

You do not need to run pdconfig to configure the runtime environment. For complete information on upgrading the IBM Tivoli Access Manager runtime environment, see the IBM Tivoli Access Manager Base Installation Guide.

11. Use pkgadd to install the WebSEAL package:

# pkgadd -d . PDWeb

12. When prompted to continue, type y and press Enter.

Files are extracted from the CD and installed on the hard disk. A prompt appears indicating that an upgrade is taking place. A prompt appears indicating that installation of the WebSEAL package was successful. The pkgadd utility exits.

You do not need to run pdconfig to configure WebSEAL. WebSEAL automatically uses the Version 3.7 configuration information that was saved when you backed up the Version 3.7 data.

13. If you want to use the WebSEAL ADK on this computer, install it now. If you do not want to use it, skip this step.

The WebSEAL ADK has a dependency on the IBM Tivoli Access Manager application development kit (ADK). Both ADK packages are included on the Web Security CD. Use pkgadd to install each package:

# pkgadd -d . PDAuthADK

# pkgadd -d . PDWebADK

Note: This is a new installation of the WebSEAL ADK. There is no upgrade for the WebSEAL ADK. The WebSEAL ADK did not exist in Version 3.7.

When prompted to continue, type y and press Enter.

Files are extracted from the CD and installed on the hard disk. A message appears indicating that installation of the WebSEAL ADK package was successful. The pkgadd utility exits.

Neither the Access Manager ADK package nor the WebSEAL ADK package requires any configuration steps.

Note: The upgrade configuration sets the WebSEAL document root setting to the default path for Version 3.9: /opt/pdweb/www/docs. Your Version 3.7 docs information is still accessible at this location.

The upgrade of WebSEAL on Solaris is now complete.


Upgrading WebSEAL on AIX

To upgrade WebSEAL on AIX, complete the following instructions:

1. Log in as root.

If running on an AIX 4.3.3 system, verify that the following patch is installed:

• bos.rte.libpthreads 4.3.3.51 (or greater)

2. Ensure that you have preserved all necessary Version 3.7 WebSEAL configuration data. Ensure also that you have restored the necessary Version 3.7 policy server information as part of upgrading the policy server. If you have not already done so, complete the instructions in “Preserving WebSEAL configuration data” on page 27.

3. Copy migrate.conf and jct_backup.xml from /var to the following locations:

/tmp/migrate.conf

/tmp/jct_backup.xml

Note: If WebSEAL runs on a different computer from the IBM Tivoli Access Manager policy server, you will need to copy the files from the policy server system to the WebSEAL system.

4. Verify that the Access Manager secure domain is able to upgrade WebSEAL:

a. Verify that the Access Manager policy server for the secure domain has already been upgraded to Version 3.9.

b. Verify that the Access Manager policy server is running, and that you can contact it. You can do this by executing a sample pdadmin command. For example:

# pdadmin
pdadmin> login -a sec_master -p password
pdadmin> acl list

If you cannot log in, do not proceed with the WebSEAL upgrade. Resolve the login problem before continuing.

5. Ensure that the WebSEAL server is not running:

# /usr/bin/pdweb stop

6. Remove the Version 3.7 software prerequisites if necessary.

• If WebSEAL runs on the same computer as the policy (management) server, you do not have to remove any prerequisite software at this step. The Version 3.7 software prerequisites were removed when you upgraded the policy server.

• If WebSEAL runs on a different computer from the policy server, use SMIT to remove the Version 3.7 software prerequisites:

– IBM SecureWay Directory Client

– IBM Global Security Toolkit

7. Insert the IBM Tivoli Access Manager Web Security for AIX CD into the CD drive.

8. Enter the following command at a shell prompt:

# smit

The SMIT utility starts.

9. Select Software Installation and Maintenance. Select Install and Update Software. Select Install and Update Software from LATEST Available Software.

10. When prompted for input device, enter the location where the CD is mounted.

<mount_point>/usr/sys/inst.images

11. Click the List button for SOFTWARE to install.

A Multi-select List window displays the list of IBM Tivoli Access Manager software packages.

12. If installing on the same system as Access Manager policy server, skip this step. Go to the next step.

If installing on a different system from the Access Manager policy server, install the software prerequisites. Select the following packages:

• IBM Global Security Toolkit

The install package is gskit. The menu description is AIX Certificate and SSL Base Runtime ACME Toolkit.

• IBM SecureWay Directory Client

The installation package is ldap.client

• IBM Tivoli Access Manager runtime environment

The installation package is PD.RTE

13. Select the Access Manager WebSEAL package.

The installation package is PDWeb.Web

Optionally, you can also select the Access Manager WebSEAL ADK package. If you select this package, you must also select Access Manager ADK.

Note: The WebSEAL ADK requires the Access Manager ADK. The Access Manager ADK is included on the Web Security CD.

14. Click OK.

15. The Install and Update Software from LATEST Available Software dialog box appears.

16. Verify that the default value of yes is present in the field labeled AUTOMATICALLY install requisite software. Set other fields to values appropriate to your installation. In most cases, you can accept the default values. Click OK.

17. Click OK when asked to confirm the installation of this package.

SMIT displays several status messages. A status message indicates that an upgrade is taking place. When the upgrade completes, the WebSEAL server starts.

18. When file extraction completes, click Done. Click Cancel to exit SMIT.

Note: The upgrade configuration sets the WebSEAL document root setting to the default path for Version 3.9: /opt/pdweb/www/docs. Your Version 3.7 docs information is still accessible at this location.

The upgrade of WebSEAL on AIX is now complete.

Upgrading WebSEAL on HP-UX

To upgrade WebSEAL on HP-UX, complete the following instructions:

1. Log in as user root.

2. Ensure that you have preserved all necessary Version 3.7 WebSEAL configuration data. Ensure also that you have restored the necessary Version 3.7 policy server information as part of upgrading the policy server. If you have not already done so, complete the instructions in “Preserving WebSEAL configuration data” on page 27.

3. Copy migrate.conf and jct_backup.xml from /var to the following locations:

/tmp/migrate.conf

/tmp/jct_backup.xml

Note: If WebSEAL runs on a different computer from the IBM Tivoli Access Manager policy server, you will need to copy the files from the policy server system to the WebSEAL system.

4. Verify that the Access Manager secure domain is able to upgrade WebSEAL:

a. Verify that the Access Manager policy server for the secure domain has already been upgraded to Version 3.9.

b. Verify that the Access Manager policy server is running, and that you can contact it. You can do this by executing a sample pdadmin command. For example:

# pdadmin
pdadmin> login -a sec_master -p password
pdadmin> acl list

If you cannot log in, do not proceed with the WebSEAL upgrade. Resolve the login problem before continuing.

5. Ensure that the WebSEAL server is not running:

# /sbin/pdweb stop

6. Remove the Version 3.7 WebSEAL server. Note that you do not need to unconfigure the software first.

Before removing any packages, enter the following command:

# rm -f /opt/PolicyDirector/.configure/*

Next, remove the Version 3.7 WebSEAL package.

# swremove PDWeb

7. If WebSEAL runs on the same computer as the policy server, skip this step and go to the next step.

If WebSEAL runs on a different computer from the policy server, remove Version 3.7 WebSEAL and the Version 3.7 software prerequisites:

a. Remove IBM Tivoli Access Manager runtime environment:

# swremove PDRTE

b. Remove IBM SecureWay Directory Client:

# swremove LDAP

c. Remove IBM Global Security Toolkit:

# swremove gsk4bas

8. Mount the IBM Tivoli Access Manager Web Security for HP-UX CD.

# nohup /usr/sbin/pfs_mountd &
# nohup /usr/sbin/pfsd &
# /usr/sbin/pfs_mount <mount_device> <mount_point>

For example:

# /usr/sbin/pfs_mount /dev/dsk/c0t0d0 /cdrom

9. If WebSEAL runs on the same computer as the Access Manager policy server, skip this step and go to the next step.

If WebSEAL runs on a different computer from the Access Manager policy server, install the Version 3.9 WebSEAL software prerequisites:

a. IBM Global Security Toolkit

# swinstall -s /cdrom/hp gsk5bas

b. IBM SecureWay Directory Client

# swinstall -s /cdrom/hp LDAP

c. IBM Tivoli Access Manager runtime environment

# swinstall -s /cdrom/hp PDRTE

You do not need to run pdconfig to configure the runtime environment.

For complete information on upgrading the IBM Tivoli Access Manager runtime environment, see the IBM Tivoli Access Manager Base Installation Guide.

10. Use swinstall to install the WebSEAL package.

# swinstall -s /cdrom/hp PDWeb

A message appears indicating that the analysis phase has succeeded. Files are extracted from the CD and installed on the hard disk. A message appears indicating that the execution phase has succeeded. The swinstall utility exits.

11. Run the WebSEAL upgrade script:

# cd /opt/pdweb/sbin
# ./PDWeb_upgrade

12. If you want to use the WebSEAL application development kit (ADK) on this computer, install it now. If you do not want to use it, skip this step.

The WebSEAL ADK has a dependency on the Access Manager ADK. Both ADK packages are included on the WebSEAL CD. Use swinstall to install the Access Manager ADK:

# swinstall -s /cdrom/hp PDAuthADK

A status message appears when the analysis phase has succeeded. Files are extracted onto the hard disk. A status message appears when the execution phase has succeeded. The swinstall utility exits.

Use swinstall to install the WebSEAL ADK:

# swinstall -s /cdrom/hp PDWebADK

A status message appears when the analysis phase has succeeded. Files are extracted onto the hard disk. A status message appears when the execution phase has succeeded. The swinstall utility exits.

Note: This is a new installation of the WebSEAL ADK. There is no upgrade for the WebSEAL ADK. The WebSEAL ADK did not exist in Version 3.7.

Neither the Authorization ADK package nor the WebSEAL ADK package requires any configuration.

Note: The upgrade configuration sets the WebSEAL document root setting to the default path for Version 3.9: /opt/pdweb/www/docs. Your Version 3.7 docs information is still accessible at this location.

The upgrade of WebSEAL on HP-UX is now complete.
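Added example (not part of the IBM guide): a pre-flight check for step 3 of the AIX and HP-UX procedures. It confirms that the two staged files are present, non-empty, regular files owned by root and not writable by group or others, since /tmp is writable by every local user. The function names, the --check argument and the return codes are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight check for the files staged in step 3 (migrate.conf and
# jct_backup.xml). Added example; names and return codes are its own.

# check_staged_file FILE OWNER_UID
#   0 = acceptable
#   1 = missing or empty
#   2 = symbolic link or not a regular file
#   3 = not owned by OWNER_UID
#   4 = writable by group or others
check_staged_file() {
    csf_file=$1
    csf_owner=$2

    # Test for a symlink first: -f and -s follow links, and any local
    # user can create links in /tmp.
    if [ -L "$csf_file" ]; then return 2; fi
    if [ ! -e "$csf_file" ]; then return 1; fi
    if [ ! -f "$csf_file" ]; then return 2; fi
    if [ ! -s "$csf_file" ]; then return 1; fi

    # "ls -ldn" prints: mode links uid gid ...; keep fields 1 and 3.
    csf_info=$(ls -ldn "$csf_file" | awk '{ print $1 " " $3 }')
    csf_mode=${csf_info%% *}
    csf_uid=${csf_info##* }

    if [ "$csf_uid" != "$csf_owner" ]; then return 3; fi

    # Mode string layout is "t rwx rwx rwx": character 6 is group write,
    # character 9 is other write.
    case $csf_mode in
        ?????w*|????????w*) return 4 ;;
    esac
    return 0
}

# preflight [DIR] [OWNER_UID]
# Checks both staged files, prints one line per file and returns 0 only
# if every file is acceptable. Defaults follow the guide: /tmp, uid 0.
preflight() {
    pf_dir=${1:-/tmp}
    pf_owner=${2:-0}
    pf_bad=0
    for pf_name in migrate.conf jct_backup.xml; do
        pf_rc=0
        check_staged_file "$pf_dir/$pf_name" "$pf_owner" || pf_rc=$?
        case $pf_rc in
            0) echo "ok             $pf_dir/$pf_name" ;;
            1) echo "MISSING/EMPTY  $pf_dir/$pf_name"; pf_bad=1 ;;
            2) echo "NOT-REGULAR    $pf_dir/$pf_name"; pf_bad=1 ;;
            3) echo "WRONG-OWNER    $pf_dir/$pf_name"; pf_bad=1 ;;
            4) echo "GROUP/OTHER-W  $pf_dir/$pf_name"; pf_bad=1 ;;
        esac
    done
    return "$pf_bad"
}

# Run the check only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    preflight "${2:-/tmp}" "${3:-0}"
fi
```

Run it as root with --check after copying the files; a non-zero exit status means at least one staged file should be re-copied from the policy server backup before continuing.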

Upgrading WebSEAL on Windows

To upgrade WebSEAL on Windows, complete the following instructions:

1. Ensure that you have preserved all necessary Version 3.7 WebSEAL configuration data. Ensure also that you have restored the necessary Version 3.7 policy server information as part of upgrading the policy server. If you have not already done so, complete the instructions in “Preserving WebSEAL configuration data” on page 27.

2. Log in to the Windows domain as a user with Windows administrator privileges.

3. Ensure that the WebSEAL server is not running. Use the Services icon from the Control Panel to stop the WebSEAL server.

4. Insert the IBM Tivoli Access Manager Web Security for Windows CD into the CD drive.

5. Copy the jct_backup.xml file to a new location:

MSDOS> copy jct_backup.xml "C:\Program Files\Tivoli\PolicyDirector\save37"

The above example command assumes that Access Manager is installed on the C: drive. If WebSEAL runs on a different computer from the Access Manager policy server, you will need to copy the file from the policy server computer to the WebSEAL system.

6. If WebSEAL runs on the same computer as the policy server, skip this step and go to the next step.

If WebSEAL runs on a different computer from the IBM Tivoli Access Manager policy server, complete the following instructions:

a. Copy migrate.conf from the policy server system to the WebSEAL system. Place it in the following location:

%TMP%\migrate.conf

Note: The %TMP% variable is a Windows system variable. If %TMP% is not set, the upgrade program looks in %TEMP%.

b. Remove the previous version of the IBM SecureWay Directory Client. Use the Add/Remove Programs icon.

Note: You do not need to remove the previous version of IBM Global Security Toolkit or IBM Tivoli Access Manager runtime environment, Version 3.7.

c. Install IBM Global Security Toolkit for use with Access Manager WebSEAL Version 3.9. Run the setup program:

MSDOS> E:\Windows\gskit\setup PolicyDirector C:\progra~1

In this example command, E: represents the CD drive.

d. Install IBM SecureWay Directory Client for use with Access Manager WebSEAL Version 3.9. Run the setup program:

MSDOS> E:\Windows\Directory\setup.exe

e. Install IBM Tivoli Access Manager runtime environment Version 3.9. Run the setup program:

MSDOS> "E:\Windows\PolicyDirector\Disk Images\Disk1\Pdrte\Disk Images\Disk1\setup.exe"

Note: Be sure to unselect the InstallShield check box for WebSEAL when installing the Access Manager runtime environment. The WebSEAL check box is selected by default. Do not install WebSEAL at this time.

f. If you want to install the WebSEAL ADK, you must install the prerequisite IBM Tivoli Access Manager ADK. Run the ADK setup program:

MSDOS> "E:\Windows\PolicyDirector\Disk Images\Disk1\PDAuthADK\Disk Images\Disk1\setup.exe"

The Access Manager ADK does not require any configuration.

7. Verify that the Access Manager secure domain is able to upgrade WebSEAL:

a. Verify that the Access Manager policy server for the secure domain has already been upgraded to Version 3.9.

b. Verify that the Access Manager policy server is running, and that you can contact it. You can do this by executing a sample pdadmin command. For example:

MSDOS> pdadmin
pdadmin> login -a sec_master -p password
pdadmin> acl list

If you cannot log in, do not proceed with the WebSEAL upgrade. Resolve the login problem before continuing.

8. Run the WebSEAL setup program (the letter E: in the following command represents the CD drive):

MSDOS> "E:\Windows\PolicyDirector\Disk Images\Disk1\WebSEAL\Disk Images\Disk1\setup.exe"

The Choose Setup Language dialog box appears.

9. Select the appropriate language and click OK.

The InstallShield program starts and the Welcome dialog box appears.

10. Click Next.

The License Agreement dialog box appears.

11. Click Yes to accept the License Agreement.

The Choose Destination Location dialog box appears.

12. Accept the default or specify an alternative location. Click Next.

The Select Components dialog box appears.

13. Select the check box for each package that you want to install:

• PDWeb

This package contains the WebSEAL server and utilities.

• PDWebADKs

This package contains WebSEAL application development kits (ADKs). You must install PDWeb when you install PDWebADKs.

Note that this is a new install of WebSEAL ADK. There is no upgrade of the WebSEAL ADK because the WebSEAL ADK did not exist in Version 3.7.

The files for the selected packages are extracted to the disk. A message appears indicating that the packages have been installed.

14. Click Finish to exit the setup program.

You do not need to run the IBM Tivoli Access Manager configuration utility. WebSEAL is automatically configured using the Version 3.7 configuration information that was previously backed up.

The upgrade configuration sets the WebSEAL document root setting to the default path for Version 3.9:

C:\Program Files\Tivoli\PolicyDirector\PDWeb\www\docs

Your Version 3.7 docs information is still accessible at this location.

The upgrade of WebSEAL on Windows is now complete.

Chapter 5. Removing WebSEAL

This chapter describes how to unconfigure and remove WebSEAL and the WebSEAL ADK.

Note: Unconfiguring WebSEAL removes all information from the WebSEAL junctions database. Ensure that this information is no longer needed before removing it.

WebSEAL depends on the IBM Tivoli Access Manager runtime environment. This chapter does not describe how to remove the runtime environment. To remove the runtime environment, follow the instructions in the IBM Tivoli Access Manager Base Installation Guide.

To unconfigure and remove WebSEAL, complete the instructions in one of the following sections:

• “Removing WebSEAL on Solaris”

• “Removing WebSEAL on Windows” on page 42

• “Removing WebSEAL on AIX” on page 40

• “Removing WebSEAL on HP-UX” on page 41

Removing WebSEAL on Solaris

Removal of WebSEAL for Solaris is a two part process. Use the pdconfig tool to unconfigure the WebSEAL package. Then use pkgrm to remove the files for each package.

1. Log in as root.

2. Start the IBM Tivoli Access Manager configuration utility:

# pdconfig

The Access Manager Setup Menu appears.

3. Type the menu number for Access Manager Unconfiguration.

The Access Manager Unconfiguration Menu appears.

4. Type the menu number for Access Manager WebSEAL.

A prompt appears requesting the password for the IBM Tivoli Access Manager Administrator.

5. Enter the password for sec_master.

A series of status messages appears. These messages indicate that the server is being unconfigured, that log files are being cleaned up, and that outgoing endpoints are being reclaimed. The WebSEAL server is stopped, and a final status message indicates that the unconfiguration was successful.

The unconfiguration is complete.

6. Exit the pdconfig utility.

7. Choose one of the following commands:

• To remove the WebSEAL ADK, enter the following command:

# pkgrm PDWebADK

• To remove WebSEAL, enter the following command:

# pkgrm PDWeb

Note: You must remove PDWebADK before removing PDWeb.

• To remove both WebSEAL and the WebSEAL ADK, enter the following command:

# pkgrm PDWeb PDWebADK

A prompt appears asking you to confirm the removal of the selected package.

8. Enter the letter y.

A status message lists each file as it is removed. After the postremove script runs, a status message indicates that the removal of the software package was successful. The pkgrm utility exits.

Removal of the selected packages is complete.

If you want to remove the IBM Tivoli Access Manager runtime environment, follow the instructions in the IBM Tivoli Access Manager Base Installation Guide.

Removing WebSEAL on AIX

Removal of WebSEAL from AIX is a two part process. First, unconfigure WebSEAL. Next, remove the WebSEAL files.

Note: You do not have to unconfigure the WebSEAL ADK before removing its files.

To unconfigure and remove WebSEAL, complete the following steps:

1. Log in as root.

2. Start SMIT.

3. Select Communications Applications and Services.

The Communications Applications and Services menu appears.

4. Select Access Manager.

The Access Manager menu appears.

5. From the Access Manager menu, select Access Manager Unconfiguration.

The list of configured IBM Tivoli Access Manager packages appears.

6. Select the Access Manager WebSEAL Unconfiguration.

A prompt appears requesting the password of the Access Manager Administrator.

7. Enter the password for sec_master.

A message indicates that the WebSEAL server is being stopped and unconfigured. A status message then indicates that the WebSEAL server package has been successfully unconfigured.

8. Press Enter to continue.

The unconfiguration is complete.

9. Verify that you have unconfigured the WebSEAL for AIX package.

10. In the SMIT utility, return to Software Installation and Maintenance.

11. Select Software Maintenance and Utilities.

12. Select Remove Installed Software.

13. Click the List button next to SOFTWARE name.

The Multi-Select List appears. The following package names are displayed:

• PDWeb.Web

• PDWeb.ADK

This name is displayed only when it is installed.

If you have other IBM Tivoli Access Manager application packages installed, such as IBM Tivoli Access Manager runtime environment, the list also contains an entry for those packages.

14. To remove the WebSEAL ADK, select the Access Manager WebSEAL ADK for AIX package.

15. Select the Access Manager WebSEAL for AIX package. Click OK.

Note: The WebSEAL ADK has a dependency on WebSEAL. Remove PDWeb.ADK either before PDWeb.Web or at the same time.

The Remove Installed Software dialog box appears.

16. Change the value of the PREVIEW only field to no.

17. Accept the default value of no for all other fields. Click OK.

18. The Are You Sure message window appears. Click OK.

A status message appears indicating that the software is being deinstalled.

Another status message lists all packages that were removed.

19. Click Done.

The Remove Installed Software dialog box appears.

20. Click Cancel. Click Exit to exit SMIT.

Removal of WebSEAL is complete.

If you want to remove the IBM Tivoli Access Manager runtime environment, follow the instructions in the IBM Tivoli Access Manager Base Installation Guide.

Removing WebSEAL on HP-UX

Removal of WebSEAL is a two part process. Use the pdconfig utility to unconfigure the WebSEAL package. Then use swremove to remove the WebSEAL files.

Note: You do not have to unconfigure the WebSEAL ADK before removing its files.

To remove WebSEAL, complete the following instructions:

1. Log in as root.

2. Start the IBM Tivoli Access Manager configuration utility:

# pdconfig

The Access Manager Setup Menu appears.

3. Type the menu number for Access Manager Unconfiguration.

The Access Manager Unconfiguration Menu appears.

4. Type the menu number for Access Manager WebSEAL (PDWeb) Unconfiguration.

A prompt appears requesting the password for the Access Manager Administrator.

5. Enter the password for sec_master.

A message indicates that the WebSEAL server is stopped and unconfigured. A status message then indicates that the package has been successfully unconfigured.

The unconfiguration is complete. You can now remove the WebSEAL files.

6. Exit the pdconfig utility.

7. Choose one of the following commands:

• To remove the WebSEAL ADK, enter the following command:

# swremove PDWebADK

• To remove WebSEAL, enter the following command:

# swremove PDWeb

Note: WebSEAL ADK has a dependency on WebSEAL. Do not try to remove WebSEAL when WebSEAL ADK is still on the system. Remove WebSEAL ADK first.

A series of status messages appears for each removal selection. A status message appears indicating that the analysis phase has succeeded. The swremove utility removes the WebSEAL files from the hard disk.

When the removal is complete, the swremove utility exits.

Removal of WebSEAL on HP-UX is now complete.

If you want to remove the IBM Tivoli Access Manager runtime environment, follow the instructions in the IBM Tivoli Access Manager Base Installation Guide.

Removing WebSEAL on Windows

WebSEAL on the Windows platform consists of two components: WebSEAL and WebSEAL ADK. You can either remove both components, or choose to remove only the WebSEAL ADK component.

If you choose to remove the WebSEAL server, the WebSEAL ADK is automatically removed.

Follow the instructions in the appropriate section:

• “Removing WebSEAL and WebSEAL ADK”

• “Removing WebSEAL ADK only” on page 43

Removing WebSEAL and WebSEAL ADK

Removal of WebSEAL for Windows is a two step process. Use the IBM Tivoli Access Manager configuration utility to unconfigure WebSEAL. Then use the Windows Add/Remove Programs icon interface to remove the files for each package.

To unconfigure and remove WebSEAL and WebSEAL ADK on Windows, complete the following instructions:

1. Log in as a Windows user with administrator privilege.

2. Click Start > Programs > Access Manager > Configuration.

The Access Manager Configuration dialog box appears.

3. Click Access Manager WebSEAL (PDWeb). Click Unconfigure.

The Access Manager Administrator Password dialog box appears.

4. Enter the password for sec_master. Click OK.

A message appears indicating that WebSEAL is being unconfigured. The Access Manager Configuration dialog box appears.

5. Verify that you have unconfigured WebSEAL. Press Close to exit the IBM Tivoli Access Manager configuration utility and return to the Windows desktop.

6. Click the Add/Remove Programs icon.

7. Select Access Manager WebSEAL.

8. Click Change/Remove.

The Choose Setup Language dialog box appears.

9. Select a language and click OK.

10. Select the Remove radio button. Click Next.

The Confirm File Deletion dialog box appears.

11. Click OK.

The WebSEAL files are removed. The WebSEAL ADK files are also removed.

The Maintenance Complete dialog box appears.

12. Click Finish.

Removal of WebSEAL is complete.

If you want to remove the IBM Tivoli Access Manager runtime environment, follow the instructions in the IBM Tivoli Access Manager Base Installation Guide.

Removing WebSEAL ADK only

You can remove the WebSEAL ADK files without removing the WebSEAL server files.

Note: You do not have to unconfigure the WebSEAL ADK before removing its files.

To remove only the WebSEAL ADK on Windows, complete the following instructions:

1. Click the Add/Remove Programs icon.

2. Select Access Manager WebSEAL.

3. Click Change/Remove.

The Choose Setup Language dialog box appears.

4. Select a language and click OK.

5. Select the Modify radio button. Click Next.

The Select Components dialog box appears.

6. Unselect the check box for PDWebADKs.

Note: InstallShield designates this component for removal when you unselect the check box.

7. Click Next.

The WebSEAL ADK files are removed.

8. Click Finish to exit the program.

Removal of the WebSEAL ADK on Windows is now complete.

Appendix A. Easy installation guide

IBM Tivoli Access Manager WebSEAL provides easy installation programs that you can use to install and configure WebSEAL, the WebSEAL ADK, and the necessary prerequisite software. You can use the easy installation programs as an alternative to installing WebSEAL or WebSEAL ADK by using operating system utilities such as pkgadd, SMIT, swinstall or InstallShield.

The easy installation programs present a character-based front-end user interface to the operating system utilities and to the IBM Tivoli Access Manager configuration utility. The programs are shell scripts on UNIX platforms, and batch files on Windows.

The easy installation programs prompt the user to supply the information necessary for installation and configuration of WebSEAL, WebSEAL ADK, and the prerequisite software. The programs provide default values when appropriate.

When the user has supplied the necessary configuration parameters, the easy installation programs install and configure WebSEAL, WebSEAL ADK, and the software prerequisites without any further intervention.

The easy installation programs save the configuration information supplied by the user into a data file called a response file. The easy installation programs can read the configuration settings from this file during future installations instead of prompting the user to supply them. This feature enables the easy installation program to be run in a non-interactive or silent mode.

The WebSEAL easy installation programs are useful in a variety of deployment scenarios. You can combine them with the easy installation program for the policy server to quickly install and configure WebSEAL into a single system Access Manager secure domain. This can be useful for prototyping, application development, testing, or demonstration purposes. You can also use them when deploying multiple WebSEAL servers. In this case, you can use the response files to expedite the deployment. In addition, the WebSEAL ADK easy installation program is useful for quickly setting up a WebSEAL development environment.

Note: You cannot use the easy installation scripts to upgrade WebSEAL from Version 3.7 or Version 3.8 to Version 3.9.

WebSEAL easy installation programs

The following easy installation programs are included on the WebSEAL CD:

• ezinstall_pdweb

• ezinstall_pdwebadk

• ezinstall_pdrte

• ezinstall_authadk

The ezinstall_pdrte program installs the software prerequisites needed by WebSEAL and WebSEAL ADK. The ezinstall_authadk program installs prerequisites needed only by the WebSEAL ADK. The ezinstall_pdweb and ezinstall_pdwebadk scripts call ezinstall_pdrte when needed. Administrators do not need to run ezinstall_pdrte before running ezinstall_pdweb or ezinstall_pdwebadk.

For more information on the ezinstall_pdrte and ezinstall_authadk programs, see the IBM Tivoli Access Manager Base Installation Guide.

The WebSEAL easy installation scripts are described in the following sections:

• “Using the WebSEAL easy installation program”

• “Using the WebSEAL ADK easy installation program” on page 47

Using the WebSEAL easy installation program

The WebSEAL installation program ezinstall_pdweb installs the following software:

• IBM Tivoli Access Manager WebSEAL

• IBM Tivoli Access Manager runtime environment

• IBM SecureWay Directory Client

• IBM Global Security Toolkit

The ezinstall_pdweb program is typically used in one of the following scenarios:

• Creating a new Access Manager secure domain in order to use WebSEAL to protect Web-based resources.

In this case one computer will host both the IBM Tivoli Access Manager policy server and the WebSEAL server. The policy server has a corresponding easy installation program called ezinstall_pdmgr. You should first use ezinstall_pdmgr to install and configure the policy server, and then use ezinstall_pdweb to install and configure WebSEAL.

The ezinstall_pdmgr program is distributed on the IBM Tivoli Access Manager Base CD for your operating system. To use this program, see the instructions in the IBM Tivoli Access Manager Base Installation Guide.

• Adding a WebSEAL server onto a computer that already has the policy server installed and configured.

In this case, the Access Manager secure domain has already been established, and you are now extending the domain security to use WebSEAL to secure Web-based resources. You need only run ezinstall_pdweb. The easy installation program prompts the user for the WebSEAL installation and configuration information.

• Adding a WebSEAL server when adding a new computer into the Access Manager secure domain.

In this case, the WebSEAL server will run on a computer that does not host the policy server, but instead will communicate with a remote policy server over the network. Computers in this role require that the IBM Tivoli Access Manager runtime environment be installed and configured to establish communication with the remote policy server. This is a prerequisite to installing WebSEAL.

The WebSEAL easy installation script ezinstall_pdweb will detect whether or not the runtime environment has been installed and configured.

If the runtime environment is not configured, ezinstall_pdweb automatically calls ezinstall_pdrte to install and configure the following software:

– IBM Tivoli Access Manager runtime environment

– IBM SecureWay Directory Client

– IBM Global Security Toolkit

If the runtime environment is installed, ezinstall_pdweb skips this step and goes directly to the task of installing and configuring WebSEAL.

Using the WebSEAL ADK easy installation program

The WebSEAL installation program ezinstall_pdwebadk installs the following software:

• IBM Tivoli Access Manager WebSEAL ADK

• IBM Tivoli Access Manager WebSEAL

• IBM Tivoli Access Manager ADK

• IBM Tivoli Access Manager runtime environment

• IBM SecureWay Directory Client

• IBM Global Security Toolkit

The ezinstall_pdwebadk program is typically used in one of the following scenarios:

• Installing a WebSEAL development environment as part of creating a new Access Manager secure domain in order to use WebSEAL to protect Web-based resources.

In this case one computer will host the IBM Tivoli Access Manager policy server, the WebSEAL server, and the WebSEAL ADK. The policy server has a corresponding easy installation program called ezinstall_pdmgr. You should first use ezinstall_pdmgr to install and configure the policy server, and then use ezinstall_pdwebadk to install and configure WebSEAL and WebSEAL ADK.

Note: On Windows NT only, you must first run ezinstall_pdweb to install the WebSEAL server and then run ezinstall_pdwebadk to install the WebSEAL ADK. On Windows 2000 and on all UNIX platforms, you need only run ezinstall_pdwebadk to install both WebSEAL and WebSEAL ADK.

The WebSEAL ADK has a dependency on the IBM Tivoli Access Manager ADK package. This package is distributed on the IBM Tivoli Access Manager Web Security CD and has its own easy installation program, ezinstall_authadk. The ezinstall_pdwebadk program automatically calls ezinstall_authadk if the ADK has not already been installed.

The ezinstall_authadk program is distributed on the IBM Tivoli Access Manager Base CD for your operating system. To use this program, see the instructions in the IBM Tivoli Access Manager Base Installation Guide.

• Adding a WebSEAL server and development environment onto a computer that already has the policy server installed and configured.

In this case, the Access Manager secure domain has already been established, and you are adding WebSEAL to secure Web-based resources, and adding a WebSEAL development environment. You need only run ezinstall_pdwebadk. The easy installation program calls ezinstall_authadk if necessary to install the prerequisite ADK development environment, and then prompts the user for both the WebSEAL and WebSEAL ADK installation and configuration information.

Note: On Windows NT only, you must first run ezinstall_pdweb to install the WebSEAL server and then run ezinstall_pdwebadk to install the WebSEAL ADK. On Windows 2000 and on all UNIX platforms, you need only run ezinstall_pdwebadk to install both WebSEAL and WebSEAL ADK.


• Adding a WebSEAL server and WebSEAL development environment when adding a new computer into the Access Manager secure domain.

In this case, the WebSEAL server and WebSEAL ADK will run on a computer that does not host the policy server, but instead will communicate with a remote policy server over the network. Computers in this role require that the IBM Tivoli Access Manager runtime environment be installed and configured to establish communication with the remote policy server. This is a prerequisite to installing WebSEAL. These computers must also have the IBM Tivoli Access Manager ADK package installed as a prerequisite to using the WebSEAL ADK.

The ezinstall_pdwebadk program automatically checks for each software prerequisite. The easy installation program prompts the user for installation and configuration settings for each of the following packages, unless each is already configured:

– IBM Global Security Toolkit

– IBM SecureWay Directory Client

– IBM Tivoli Access Manager runtime environment

– IBM Tivoli Access Manager ADK

– IBM Tivoli Access Manager WebSEAL

The easy installation program then installs and configures the WebSEAL ADK.

Note: On Windows NT only, you must first run ezinstall_pdweb to install the WebSEAL server and then run ezinstall_pdwebadk to install the WebSEAL ADK. On Windows 2000 and on all UNIX platforms, you need only run ezinstall_pdwebadk to install both WebSEAL and WebSEAL ADK.

Configuring WebSEAL using the easy installation programs

The easy installation programs can obtain the necessary configuration settings in two different ways. The first time a program is run, it prompts the user to supply all necessary configuration settings. When the installation is complete, the easy installation programs save the settings in a data file called a response file. The next time, and all subsequent times that the easy installation program is called on the same computer, the program gives the user the option of using the saved data from the response file, instead of entering the configuration information at a command prompt.

These two methods of using the easy installation programs are described in the following sections:

• “Obtaining configuration settings interactively”

• “Obtaining configuration settings from response files”

Obtaining configuration settings interactively

The WebSEAL and WebSEAL ADK easy installation programs prompt for all necessary configuration information. When any software prerequisites have not been installed, the WebSEAL and WebSEAL ADK easy installation programs prompt for the necessary information.

The only exception is the prerequisite that WebSEAL has on the installation and configuration of an Access Manager policy server on one system in the secure domain. If you are creating a new secure domain, you must satisfy this dependence by running the policy server’s own easy installation program. This program is distributed on the IBM Tivoli Access Manager Base CDs.

The table below shows configuration information that you may need to provide when installing WebSEAL or WebSEAL ADK. Note that some of the information is needed to configure the prerequisite runtime environment.

When appropriate, the table below also shows the default values that the easy installation program provides. You can change each of the default values as necessary.

Note: The WebSEAL easy installation program uses default values for some of the WebSEAL configuration settings. You cannot change these settings. See “Easy installation limitations”.

| Configuration Parameter | Setting |
|---|---|
| IBM Global Security Toolkit | No configuration parameters are required. |
| IBM SecureWay Directory Client | No configuration parameters are required. Communication with the LDAP server is configured during the runtime environment configuration. |
| IBM Tivoli Access Manager runtime environment | |
| Registry Type | Default: Ldap |
| LDAP Server Hostname | No default. Use a fully qualified domain name. |
| LDAP Server Port | Default: 389 |
| Access Manager policy server Hostname | No default. Use a fully qualified domain name. |
| SSL Server Port | 7135 |
| Access Manager CA Certificate Filename | No default. |
| IBM Tivoli Access Manager ADK | No configuration parameters are required. |
| IBM Tivoli Access Manager WebSEAL | |
| Enable SSL communication | Default is No. |
| LDAP SSL Client Key File | No default. Example pathname: /var/ldap/keytabs/pd_ldapkey.kdb |
| SSL Client Key File Password | No default |
| SSL Client Certificate Label | No default |
| LDAP Server SSL port number | 636 |
| IBM Tivoli Access Manager WebSEAL ADK | No configuration settings are required. |
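The settings in the table can be checked before the installer is started. The following pre-flight check is an added example, not part of the IBM guide or the product; the dictionary key names and sample host names are hypothetical, and treating the key file and certificate label as required whenever SSL is enabled is an assumption based on their "No default" entries.

```python
import re

# Defaults as listed in the table above; the key names are hypothetical.
DEFAULTS = {"registry_type": "Ldap", "ldap_server_port": 389, "ssl_server_port": 7135,
            "enable_ssl": False, "ldap_ssl_port": 636}
# Settings the table lists with "No default".
REQUIRED = ("ldap_server_hostname", "policy_server_hostname", "ca_certificate_filename")
# Assumption: needed whenever SSL to the LDAP server is enabled.
REQUIRED_WITH_SSL = ("ldap_ssl_client_key_file", "ssl_client_certificate_label")
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_fqdn(name):
    """True for a dotted host name with at least two valid DNS labels."""
    labels = name.rstrip(".").split(".")
    return (len(labels) >= 2 and len(name) <= 253 and not labels[-1].isdigit()
            and all(_LABEL.match(label) for label in labels))


def check_settings(supplied):
    """Merge supplied values over the defaults; return (settings, problems)."""
    settings = {**DEFAULTS, **supplied}
    problems = []
    needed = REQUIRED + (REQUIRED_WITH_SSL if settings["enable_ssl"] else ())
    for key in needed:
        if not str(settings.get(key) or "").strip():
            problems.append(f"{key}: no default, a value must be supplied")
    for key in ("ldap_server_hostname", "policy_server_hostname"):
        value = settings.get(key)
        if value and not is_fqdn(str(value)):
            problems.append(f"{key}: {value!r} is not a fully qualified domain name")
    for key in ("ldap_server_port", "ssl_server_port", "ldap_ssl_port"):
        port = settings[key]
        if not (isinstance(port, int) and 1 <= port <= 65535):
            problems.append(f"{key}: {port!r} is not a valid TCP port")
    return settings, problems


if __name__ == "__main__":
    # Constructed sample: short LDAP host name, SSL enabled without a key file.
    sample = {"ldap_server_hostname": "ldap1",
              "policy_server_hostname": "pdmgr.example.com",
              "ca_certificate_filename": "/path/to/ca-certificate-file",
              "enable_ssl": True}
    for problem in check_settings(sample)[1]:
        print(problem)
```

Passwords are deliberately left out of the settings, matching the installer's own behaviour of prompting for them rather than storing them.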

Obtaining configuration settings from response files

When you run the easy installation programs in interactive mode, your responses to prompts are saved into a data file called a response file. For example, the response file for ezinstall_pdweb is ezinstall_pdweb.rsp.


You can use the saved response file as automated input when you run the easy installation program later. This feature enables a non-interactive or silent installation. This feature is useful when deploying a series of WebSEAL servers within one secure domain. You can edit the response file to set values specific to a particular server, and then execute the script to complete a non-interactive installation.

Each time an easy installation program runs, it checks to see if a response file already exists. If a response file is found, the easy installation program asks if you want to use it. If you choose to use the response file, the easy installation program prompts you for the necessary passwords, and then completes the installation by reading the configuration settings from the response file.

The easy installation program does not save passwords because of the security risk of storing a password in clear text. You can use a text editor to add the administrator passwords.

You will need to edit the following values:

• Administrator password

• SSL Keyfile Password (optional)

This password is used only when you choose to configure SSL communication between the WebSEAL server and the LDAP server.
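Once the passwords are added by hand, the response file holds clear-text credentials, so on UNIX platforms it should be accessible only to the installing user. The following check is an added example, not part of the IBM guide or the product; the path passed to it is wherever your response file was saved, which this guide does not state.

```python
import os
import stat


def audit_response_file(path):
    """Return a list of findings for a response file that may hold passwords."""
    info = os.lstat(path)  # lstat: do not follow a symlink planted at this path
    if stat.S_ISLNK(info.st_mode):
        return ["is a symbolic link; refusing to inspect the target"]
    if not stat.S_ISREG(info.st_mode):
        return ["is not a regular file"]
    findings = []
    if info.st_uid != os.geteuid():
        findings.append(f"owned by uid {info.st_uid}, not the installing user")
    mode = stat.S_IMODE(info.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} grants access to group or others")
    return findings


def restrict_response_file(path):
    """Tighten the file to owner read/write only; return the remaining findings."""
    # O_NOFOLLOW makes the open fail if the path is a symbolic link, and
    # fchmod acts on the opened file, so the path cannot be swapped in between.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        if stat.S_ISREG(os.fstat(fd).st_mode):
            os.fchmod(fd, 0o600)
    finally:
        os.close(fd)
    return audit_response_file(path)
```

Run the audit after editing the response file and before starting the non-interactive installation; an empty list means no finding.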

Easy installation limitations

When using the easy installation programs, be aware of the following limitations:

• You cannot use the easy installation programs when upgrading WebSEAL from Version 3.7 to Version 3.8.

• You cannot use the ezinstall_pdweb program when you want to configure WebSEAL to use non-default values for the following WebSEAL configuration settings:

| Parameter | Value |
|---|---|
| Enable TCP HTTP | Yes |
| TCP Port Number | 80 |
| Enable HTTPS | yes |
| HTTPS Port Number | 443 |
| Web document root hierarchy | UNIX: /opt/pdweb/www/docs |
| | Windows: C:\Program Files\Tivoli\PolicyDirector\PDWeb\www\docs |


Appendix B. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
500 Columbus Avenue
Thornwood, NY 10594
U.S.A

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
USA

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM’s application programming interfaces.


Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

AIX
DB2
IBM
IBM logo
SecureWay
Tivoli
Tivoli logo

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.


Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber.