Tivoli ® Identity Manager Separate System Upgrade and Data Migration Guide Version 5.1 GC27-2412-01

Tivoli® Identity Manager

Separate System Upgrade and Data Migration Guide

Version 5.1

GC27-2412-01

Note: Before using this information and the product it supports, read the information in Appendix C, “Notices,” on page 43.

Edition notice

This edition applies to version 5.1 of Tivoli Identity Manager and to all subsequent releases and modifications until otherwise indicated in new editions.

This edition replaces SC23-9756-00.

© Copyright International Business Machines Corporation 2009.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface
  Who should read this book
  Publications and related information
    Tivoli Identity Manager library
    Prerequisite product publications
    Related publications
    Accessing publications online
    Ordering publications
    Tivoli technical training
  Accessibility
  Support information
  Conventions used in this book
    Typeface conventions
    Definitions for HOME and other directory variables
    Operating system differences

Chapter 1. Overview of the Data Migration to Tivoli Identity Manager Version 5.1
  Tivoli Identity Manager database server components
  Tivoli Identity Manager directory server components
  Overview of the data migration
  Planning activities for deployments at large sites

Chapter 2. Migrating DB2 Universal Database
  Before you begin
  Migrating DB2 Universal Database data
    Backing up DB2 Universal Database data
    Installing DB2 Universal Database and copying data to the target server environment
  Restoring DB2 Universal Database data
  Clearing the service integration bus

Chapter 3. Migrating Oracle Database
  Migrating Oracle data
    Exporting Oracle data from the server for Tivoli Identity Manager Version 4.6 or 5.0
    Installing Oracle database and importing data

Chapter 4. Migrating SQL Server
  Migrating SQL Server data
    Backing up SQL Server data
    Installing SQL server and importing data
    Clearing the service integration bus

Chapter 5. Migrating IBM Tivoli Directory Server
  Migrating IBM Tivoli Directory Server Version data
    Preparing IBM Tivoli Directory Server data on the server running IBM Tivoli Directory Server for Tivoli Identity Manager Version 4.6 or 5.0
    Configuring IBM Tivoli Directory Server on the target directory server
  Importing IBM Tivoli Directory Server data

Chapter 6. Migrating Sun directory server
  Migrating Sun directory server data
    Exporting Sun directory server data
    Importing data to Sun Enterprise Directory Server

Chapter 7. Performing the Upgrade to Tivoli Identity Manager Version 5.1
  Copying the existing Tivoli Identity Manager Version home directory to the target environment
  Running the Tivoli Identity Manager Version 5.1 installation program
  Post-installation tasks
    Restarting and re-indexing Sun Enterprise Directory Server Version 6.3
    Updating the WebSphere Application Server default listening port (cluster only)
    Preserving custom logos
    Verifying the installation
    Tuning performance

Chapter 8. Post-upgrade Production Cutover
  Overview of the production cutover process
    Shutting down WebSphere Application Server on the new production environment
    Preparing the new production environment database server and directory server for data import
    Capturing and importing the contents of the Tivoli Identity Manager Version 4.6 or 5.0 production server data
    Clearing the service integration bus
    Running the ldapUpgrade and DBUpgrade commands to migrate directory and database data
    Starting WebSphere Application Server
    New production environment post-cutover tasks

Appendix A. Post migration troubleshooting and known issues
  Known issues for migrating to Tivoli Identity Manager Version 5.1

Appendix B. Support information
  Using IBM Support Assistant
  Obtaining fixes
  Receiving weekly support updates
  Contacting IBM Software Support
    Determining the business impact
    Describing problems and gathering information
    Submitting problems

Appendix C. Notices
  Trademarks

Glossary

Preface

This guide describes how to upgrade and migrate data from IBM Tivoli Identity Manager Version 4.6 or 5.0 to Version 5.1 on new hardware and middleware required by IBM Tivoli Identity Manager Version 5.1.

Who should read this book

This book is intended for system and security administrators who install, maintain, or administer software on their computer systems. Readers are expected to understand system and security administration concepts. Additionally, the reader must understand administration concepts for the following types of products:
• Database servers
• Directory servers
• Application servers

Publications and related information

Read the descriptions of the Tivoli Identity Manager library. To determine which additional publications you might find helpful, read the “Prerequisite product publications” on page vii and the “Related publications” on page viii. After you determine the publications you need, refer to the instructions in “Accessing publications online” on page viii.

Tivoli Identity Manager library

The publications in the Tivoli Identity Manager technical documentation library can be found at the following URL:

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itim.doc/welcome.htm

The publications in the Tivoli Identity Manager technical documentation library are organized into the following categories:
• Release information
• Online user assistance
• Server installation and configuration
• Problem determination
• Technical supplements
• Adapter installation and configuration
• Performance and tuning
• Skills and training

Release Information:

• Tivoli Identity Manager Quick Start Guide
  Helps you install a base configuration of Tivoli Identity Manager.
• Tivoli Identity Manager Information Center
  Provides software and hardware requirements for Tivoli Identity Manager and additional fix, patch, and other support information. This publication also includes known limitations, problems, and workarounds.

Online user assistance:

Tivoli Identity Manager Information Center provides online help topics and an information center for all Tivoli Identity Manager administrative tasks.

Server installation and configuration:

Tivoli Identity Manager Server Installation and Configuration Guide provides installation and configuration information for Tivoli Identity Manager in larger enterprise environments.

Problem determination:

Tivoli Identity Manager Problem Determination Guide provides problem determination and logging information for Tivoli Identity Manager.

Tivoli Identity Manager Messages Guide provides message information for Tivoli Identity Manager.

Database and schema information:

Tivoli Identity Manager Database and Schema Reference describes some of the data structures used by Tivoli Identity Manager.

Technical supplements:

The following technical supplements are provided by developers or by other groups who are interested in this product:
• IBM® Redbooks® and white papers are available on the Web at:
  http://www.redbooks.ibm.com/redbooks.nsf/tips/
• Technotes are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/
• Field guides are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
• For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks® Web site:
  http://www.ibm.com/developerworks/

Adapter installation and configuration:

The Tivoli Identity Manager Server technical documentation library also includes an evolving set of platform-specific installation documents for the adapter components of an IBM Tivoli Identity Manager implementation.

Locate adapter documentation on the Web at:

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itim.doc/welcome.htm

Performance and tuning:

IBM Tivoli Identity Manager Performance Tuning Guide provides information to help you optimize the use of resources for Tivoli Identity Manager.

Skills and training:

Additional skills and technical training information might be available at the following Web sites:
• IBM Professional Certification at:
  http://www.ibm.com/certify/
  Search on "identity manager" to locate available classes and certification offerings.
• Virtual Skills Center for Tivoli® Software on the Web at:
  http://www.cgselearning.com/tivoliskills/
• Tivoli Education Software Training Roadmaps on the Web at:
  http://www.ibm.com/software/tivoli/education/eduroad_prod.html
• Tivoli Technical Exchange on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html

Prerequisite product publications

To use the information in this book effectively, you must have knowledge of the products that are prerequisites for Tivoli Identity Manager. Publications are available from the following locations:
• Operating systems
  – Red Hat Linux®™
    http://www.redhat.com/docs/
  – SUSE Linux™
    http://www.novell.com/documentation/suse.html
  – Microsoft® Windows® Server™ 2003
    - Support
      http://www.microsoft.com/windowsserver2003/support/default.mspx
    - Documentation
      http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
• WebSphere Application Server
  – Hardware and software requirements
    http://www.ibm.com/software/webservers/appserv/was/
  – Support
    http://www.ibm.com/software/webservers/appserv/was/support/
  – Information center
    http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp
• IBM DB2 Universal Database™
  – Support:
    http://www.ibm.com/software/data/db2/udb/support.html
  – Information center:
    http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
  – Documentation
    http://www-306.ibm.com/software/data/db2/support/db2_9/
    http://www.ibm.com/software/data/db2/udb/support/manualsv9.html
  – DB2® product family:
    http://www.ibm.com/software/data/db2/
  – Fix packs by version:
    http://www-1.ibm.com/support/docview.wss?rs=71&uid=swg21255572
  – System requirements:
    http://www.ibm.com/software/data/db2/udb/sysreqs.html

IBM Tivoli Directory Server
• Support
  http://www.ibm.com/software/sysmgmt/products/support/IBMDirectoryServer.html
• Information center
  http://publib.boulder.ibm.com/tividd/td/IBMDirectoryServer6.0.html

IBM Tivoli Directory Integrator
• Support
  http://www.ibm.com/software/sysmgmt/products/support/IBMDirectoryIntegrator.html
• Information center
  http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.IBMDI.doc_6.1.1/welcome.htm

Related publications

Information that is related to Tivoli Identity Manager Server is available in the following publications:
• The Tivoli Software Library provides a variety of Tivoli publications such as white papers, data sheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
  http://www.ibm.com/software/tivoli/literature/
• The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available from the Glossary link of the Tivoli Software Library Web page at:
  http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

Accessing publications online

IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli software information center Web site. Access the Tivoli software information center at the following Web address:

http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

Click the I character in the A-Z list, and then click the Tivoli Identity Manager link to access the product library.

Note: If you print PDF documents on other than letter-sized paper, set the option in the File → Print window that allows Adobe® Reader to print letter-sized pages on your local paper.

Ordering publications

You can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.

You can also order by telephone by calling one of these numbers:
• In the United States: 800-879-2755
• In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivoli publications. To locate the telephone number of your local representative, perform the following steps:
1. Go to http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that includes the telephone number of your local representative.

Tivoli technical training

For Tivoli technical training information, refer to the following IBM Tivoli Education Web site at http://www.ibm.com/software/tivoli/education.

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

The product documentation includes the following features to aid accessibility:
• Documentation is available in convertible PDF format to give the maximum opportunity for users to apply screen-reader software.
• All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.

Support information

If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:
• IBM Support Assistant: You can search across a large collection of known problems and workarounds, Technotes, and other information at http://www.ibm.com/software/support/isa.
• Obtaining fixes: You can locate the latest fixes that are already available for your product.
• Contacting IBM Software Support: If you still cannot solve your problem, and you need to work with someone from IBM, you can use a variety of ways to contact IBM Software Support.

For more information about these ways to resolve problems, see Appendix B, “Support information,” on page 37.

Conventions used in this book

This book uses several conventions for highlighting terms and actions and for operating system-dependent commands and paths.

Typeface conventions

This book uses the following typeface conventions:

Bold
• Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
• Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), and labels (such as Tip:)
• Keywords and parameters in text

Italic
• Words defined in text
• Emphasis of words (words as words)
• New terms in text (except in a definition list)
• Variables and values that you must provide

Monospace
• Examples and code examples
• File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
• Message text and prompts addressed to the user
• Text that the user must type
• Values for arguments or command options

Definitions for HOME and other directory variables

The following table contains the default definitions that are used in this guide to represent the HOME directory level for various product installation paths. You can customize the installation directory and HOME directory for your specific implementation. If this is the case, you need to make the appropriate substitution for the definition of each variable represented in this table.

The value of path varies for these operating systems.

For Windows operating systems, the default path is drive:\Program Files.

For Linux and UNIX®-based operating systems, the default path is /opt

Path Variable             Description
NEW_ITDS_INSTANCE_HOME    The directory that contains the IBM Tivoli Directory Server instance used by Tivoli Identity Manager Version 5.1.
OLD_ITDS_HOME             The directory that contains the IBM Tivoli Directory Server code used by Tivoli Identity Manager Version 4.6 or 5.0.
OLD_ITIM_HOME             The base directory that contains the Tivoli Identity Manager Version 4.6 or 5.0 code, configuration, and documentation.
NEW_ITIM_HOME             The base directory that contains the Tivoli Identity Manager Version 5.1 code, configuration, and documentation.

Operating system differences

This guide uses the Windows convention for specifying environment variables and for directory notation.

When using the Linux or UNIX command line, replace %variable% with $variable for environment variables, and replace each backslash (\) with a forward slash (/) in directory paths. The names of environment variables are not always the same in Windows, and Linux or UNIX-based operating systems. For example, %TEMP% in the Windows operating system is equivalent to /tmp in a Linux or UNIX-based operating system.

Note: If you are using the bash shell on a Windows system, you can use the Linux convention for specifying file path notation.

Chapter 1. Overview of the Data Migration to Tivoli Identity Manager Version 5.1

This book focuses on the tasks that you must complete in order to migrate database and directory data from an existing Tivoli Identity Manager to a separate environment running Tivoli Identity Manager Version 5.1. These tasks require the installation of middleware and the upgrade and installation of Tivoli Identity Manager Version 5.1. This book also includes best practices for performing the upgrade and migration from production environments.

The supported upgrade paths are:

Table 1. Upgrade paths

From                                                                                To
Tivoli Identity Manager Version 4.6                                                 Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 6.1
                                                                                    Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 7.0
Tivoli Identity Manager Version 5.0                                                 Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 6.1
                                                                                    Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 7.0
Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 6.1    Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 7.0

Tivoli Identity Manager Version 5.1 supports data migration among supported UNIX-based operating systems. Data residing in HP_UX environments can be migrated to any of the supported UNIX environments. Data can also be migrated between Windows operating systems. Data, however, cannot be migrated from UNIX environments to Windows environments or from Windows environments to UNIX environments.

In order to perform the data migration, previous versions of Tivoli Identity Manager must have the minimum fix packs and interim fixes installed. For Tivoli Identity Manager Version 4.6, you must have at minimum interim fix (IF) 47 installed.

To determine the supported release levels and fix pack specifications for the supported UNIX, Linux and Windows operating systems, refer to the Tivoli Identity Manager Information Center, which takes precedence over this document.

For information about adapter migration, please refer to the adapter documentation located in the Tivoli Identity Manager Information Center.

For information about known issues in migrating data to Tivoli Identity Manager Version 5.1, refer to Appendix A, “Post migration troubleshooting and known issues,” on page 35.

Tivoli Identity Manager database server components

Tivoli Identity Manager stores transactional and historical data in a database server. For example, the Tivoli Identity Manager provisioning processes use a relational database to maintain their current state as well as their history.

Tivoli Identity Manager Version 5.1 supports data migration from most databases supported on Tivoli Identity Manager Version 4.6 or 5.0. To determine the supported release levels and fix packs for database software that these versions use, refer to the hardware and software prerequisites for each version in the Tivoli Identity Manager Information Center.

Tivoli Identity Manager directory server components

Tivoli Identity Manager stores the current state of managed identities in an LDAP directory, including user account and organizational data.

Tivoli Identity Manager Version 5.1 supports data migration from directory servers supported on Tivoli Identity Manager Version 4.6 or 5.0. To determine the supported release levels and fix packs for directory server software that these versions use, refer to the hardware and software prerequisites for each version in the Tivoli Identity Manager Information Center.

Overview of the data migration

The data migration can be performed either for a single-server Tivoli Identity Manager environment or a cluster Tivoli Identity Manager environment consisting of multiple computers. Note that middleware can be installed on one or more computers in either environment. The data migration consists of a collection of activities.

The major steps to migrate Tivoli Identity Manager and related prerequisite middleware servers are:
• On the Tivoli Identity Manager Version 4.6 or 5.0 server environment:
  1. Stop WebSphere Application Server and any connections to the Tivoli Identity Manager database if necessary.
  2. Back up and export the following data from middleware servers to a temporary file directory:
     – Database server components
     – Directory server components

  Note: Once the backup and export have been completed, you can bring the Tivoli Identity Manager Version 4.6 or 5.0 server environment back into production. You can load production data into the new Tivoli Identity Manager Version 5.1 system at a later date. This allows you to migrate data to a test environment before performing a production cutover to the new system. It is important to note that any changes you make to Tivoli Identity Manager data on the new system will be overwritten and lost once you re-import the Tivoli Identity Manager Version 4.6 or 5.0 production data during the final cutover.

• In the Tivoli Identity Manager Version 5.1 server environment:
  1. Install the required middleware (at the required release and fix pack level) and optionally run the middleware configuration utility for DB2 Universal Database and IBM Tivoli Directory Server.
     For information on installing and configuring middleware, see the Tivoli Identity Manager Server Installation and Configuration Guide.
  2. Import the database data to the updated database server.
  3. Import the directory data to the updated directory server and re-index the directory server if necessary.
  4. Copy the Tivoli Identity Manager Version 4.6 or 5.0 home directory to the server that will run Tivoli Identity Manager Version 5.1.
  5. Run the Tivoli Identity Manager Version 5.1 installation program.
  6. Manually migrate any custom Java™ classes that you might have. For example Free EcmaScript Interpreter (FESI) extensions, ibmscripts, or customized password rules.

Planning activities for deployments at large sites

In large organizations, there are additional tasks that require planning before you migrate data from previous versions of Tivoli Identity Manager. For more information, refer to the Planning section of the Tivoli Identity Manager Information Center.

To prevent initial deployment problems, consider providing a variation of the following planning activities that are appropriate for your site, in advance of installing Tivoli Identity Manager Version 5.1 and subsequent cumulative fixes:
• Establish a working practice that provides comprehensive and relevant Tivoli Identity Manager information to all of the specialists who install middleware. For example, have the team meet regularly to enumerate their problems and share their solutions.
• To ensure coordination, designate one person as a focal point for concerns that flow between your site and IBM customer support specialists.
• If possible, reduce the number of specialists who install and configure the applications. Encourage communication flow between specialists in the following ways.
  – Provide a comprehensive library or list of FTP and Web sites for prerequisite installation and configuration information.
  – Ensure that the specialists installing Tivoli Identity Manager have root or Administrator authority for the prerequisite middleware on the middleware servers.
  – Ensure that all elements of the system or solution have sufficient privileges to provide accounts.
  – Support a centralized problem and solution database that identifies troubleshooting actions and assigns action owners.
  – Maintain a common library of scripts that automate start up.
  – Create a change control database that coordinates all customization activities.
  – Determine a working practice in which specialists provide a record of critical values of configuration parameters similar to the ones that this publication provides. Ensure that all specialists have access to and use a common worksheet that centralizes the information.

Chapter 2. Migrating DB2 Universal Database

Before you begin

This chapter describes the process to migrate and restore DB2 Universal Database data to a system and version of DB2 Universal Database that Tivoli Identity Manager Version 5.1 supports.

Before you begin the migration process, complete these tasks:
1. Ensure that the free disk space and virtual memory requirements are met. Additionally, ensure that there is adequate free disk space in the system temp directory. The target system must meet the hardware and software requirements described in the Release Information section of the Tivoli Identity Manager Information Center.
2. Ensure that you have the needed administrative authority. On Windows systems, the login user ID must be in the Administrators Group. On Linux systems, the login user ID must be root.

Migrating DB2 Universal Database data

DB2 Universal Database provides backup and restore commands that are used for migrating data from the 4.6 or 5.0 system to the 5.1 system before the upgrade.

Backing up DB2 Universal Database data

On the server running DB2 Universal Database for Tivoli Identity Manager Version 4.6 or 5.0, complete these steps:
1. Log in as the instance owner, for example db2admin.
2. Close all connections to the Tivoli Identity Manager database (stop WebSphere® and any other tools). If necessary, run this command to force all connections to close:
   db2 force application all
3. Back up the Tivoli Identity Manager database:
   db2 backup database ITIM_DB to OLD_DB2_BACKUP_DIR
   where ITIM_DB is the name of the Tivoli Identity Manager database (for example, itimdb) and OLD_DB2_BACKUP_DIR is a directory path to store the backup, such as /46data/db2 (Linux or UNIX systems) or C:\temp\46data\db2 (Windows systems).

   Note: The db2admin might not have access to other file system locations. You might have to use /home/db2admin as an example on an AIX system.

Installing DB2 Universal Database and copying data to the target server environment

On the target database server, complete these steps:
1. Install the new version of DB2 Universal Database. Since this is a migration, make sure you create the same 4.6 or 5.0 database system user, for example, enrole. The user should have the same rights and privileges it had on the old system.
2. Run the middleware configuration tool to create the DB2 instance. When you run the middleware configuration tool to configure DB2 Universal Database, the database user field is set to itimuser as a default value, and you should modify the database user field to the same database user that is used in your previous Tivoli Identity Manager database. You should use the same database user name and the password that is used in Tivoli Identity Manager Version 4.6 or Tivoli Identity Manager Version 5.0 since this name is the schema name and the password is already saved in properties files in the OLD_ITIM_HOME\data directory and these values cannot be changed during the upgrade.
3. Copy the contents of the Tivoli Identity Manager database backup directory to the target server, for example /46data/db2. Ensure that the database instance owner you create has permission to read the target directory and files within.

For information on installing and configuring the version of DB2 Universal Database supported by Tivoli Identity Manager Version 5.1, refer to the Tivoli Identity Manager Server Installation and Configuration Guide.
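One way to confirm that the backup directory copied in step 3 arrived intact and is readable by the instance owner before any restore is attempted. This is an added example, not part of the IBM guide: it assumes GNU sha256sum on both servers, and the function names, the SHA256SUMS manifest name and the sample file name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the IBM guide). Assumes GNU coreutils sha256sum.
# MANIFEST and both function names are hypothetical.
MANIFEST="SHA256SUMS"

# OLD server, run after "db2 backup database ITIM_DB to DIR":
# record a SHA-256 digest for every backup image in DIR.
make_manifest() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    (
        cd "$dir" || exit 2
        umask 077   # the backup holds identity data; keep the manifest private too
        find . -type f ! -name "$MANIFEST*" -print | sort |
            while IFS= read -r f; do sha256sum "$f" || exit 1; done > "$MANIFEST.tmp" &&
            mv "$MANIFEST.tmp" "$MANIFEST"
    )
}

# TARGET server, run as the DB2 instance owner before the restore.
# Returns 0 only if the manifest exists, the directory holds exactly the
# listed files, each is readable by the current user, and every digest matches.
# Return codes: 2 bad directory, 3 no manifest, 4 file list differs,
#               5 unreadable file, 6 digest mismatch.
verify_backup_dir() {
    dir=$1
    [ -d "$dir" ] && [ -r "$dir" ] && [ -x "$dir" ] ||
        { echo "cannot read directory: $dir" >&2; return 2; }
    [ -r "$dir/$MANIFEST" ] || { echo "missing manifest in $dir" >&2; return 3; }
    (
        cd "$dir" || exit 2
        # File names recorded on the old server (strip "<digest>  " prefix).
        listed=$(sed 's/^[0-9a-f]\{64\}  //' "$MANIFEST" | sort)
        # File names actually present after the copy.
        present=$(find . -type f ! -name "$MANIFEST*" -print | sort)
        [ -n "$present" ] || { echo "no backup images found" >&2; exit 4; }
        [ "$listed" = "$present" ] ||
            { echo "file list differs from manifest" >&2; exit 4; }
        printf '%s\n' "$present" | while IFS= read -r f; do
            [ -r "$f" ] || { echo "not readable by $(id -un): $f" >&2; exit 5; }
        done || exit 5
        # Recompute digests; --quiet prints only the files that fail.
        sha256sum -c --quiet "$MANIFEST" >&2 || exit 6
    )
}

# Self-check on constructed data (no DB2 needed): a stand-in image in a temp dir.
demo_dir=$(mktemp -d)
printf 'constructed stand-in for a DB2 backup image\n' \
    > "$demo_dir/ITIMDB.0.db2admin.constructed.001"
make_manifest "$demo_dir" && verify_backup_dir "$demo_dir" &&
    echo "backup directory verified"
rm -rf "$demo_dir"
```

Run make_manifest on the old server against the backup directory, copy the directory including the manifest, then run verify_backup_dir on the target as the instance owner and proceed only on a zero return code.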

Restoring DB2 Universal Database data

To restore DB2 Universal Database data on the target database server, complete these steps:

1. Open a DB2 command window.
   - UNIX: Log on as the DB2 instance owner and enter db2 to open a DB2 command window.
   - Windows: Click Start > Run, and enter db2cmd. When the DB2 command window opens, enter db2.

2. In the DB2 command window, enter these commands to restore the database using the migrated DB2 data:

       restore db itimdb from OLD_DB2_TEMP_DATA

   where itimdb is the Tivoli Identity Manager database name and OLD_DB2_TEMP_DATA is the location of the migrated DB2 data you have copied over from the previous version, such as C:\temp\46data\db2

3. Stop and start the DB2 server to reset the configuration. After you have created the Tivoli Identity Manager database, stop and start the DB2 server to allow the changes to take effect. Enter the following commands:

       db2stop
       db2start

   If entering db2stop fails and the database remains active, enter db2 force application all to inactivate the database. Then enter db2stop again.

Once you have completed the upgrade and installation, you need to tune the database for optimal performance by applying the latest tunings in the IBM Tivoli Identity Manager Performance Tuning Guide, available at the following Web site:

http://www-1.ibm.com/support/docview.wss?uid=swg27011444

For more information on backup and restore for DB2 Universal Database, refer to the following Web sites:

- DB2 Universal Database backup and restore commands and migration documentation: http://publib.boulder.ibm.com/infocenter/db2luw/v8/topic/com.ibm.db2.udb.doc/core/r0001933.htm
- DB2 Universal Database backup and restore operating system compatibilities: http://publib.boulder.ibm.com/infocenter/db2luw/v9/topic/com.ibm.db2.udb.admin.doc/doc/c0005960.htm

Clearing the service integration bus

For Separate Systems Upgrades from Tivoli Identity Manager 5.0 to Tivoli Identity Manager 5.1, it is necessary to clear out the Service Integration Bus (SIB) data from the restored database.

On the target Tivoli Identity Manager Version 5.1 DB2 server:

1. Ensure that the Tivoli Identity Manager database is up and running (ITIMDB).

2. Open a DB2 command window.
   - UNIX and Linux operating systems: Log on as the DB2 instance owner and enter db2 to open a DB2 command window.
   - Windows operating systems: Click Start > Run, and enter db2cmd. When the DB2 command window opens, enter db2.

3. In the DB2 command window, enter the DELETE SQL statements required to delete all data from the tables in the SIB schemas. Issue the following commands for each of the SIB schemas in your environment:

       delete from schema_name.SIB000
       delete from schema_name.SIB001
       delete from schema_name.SIB002
       delete from schema_name.SIBCLASSMAP
       delete from schema_name.SIBKEYS
       delete from schema_name.SIBLISTING
       delete from schema_name.SIBXACTS
       delete from schema_name.SIBOWNER
       delete from schema_name.SIBOWNERO

   where the SIB schema, schema_name is:

   Table 2. Service integration bus schema names

   Tivoli Identity Manager environment    Schema name
   Single-server                          ITIML000
   Clustered                              ITIML000, ITIML001, ITIML002, ITIML003, and ITIMS000

   Note: The SIBOWNERO might not exist in all Tivoli Identity Manager environments. If it does not exist and the delete statement fails, you can ignore the failure.

Chapter 3. Migrating Oracle Database

This chapter describes steps to migrate and import Oracle data to a system and version of Oracle Database supported by Tivoli Identity Manager Version 5.1.

Before you begin the migration process, complete these tasks:

1. Ensure that the free disk space and virtual memory requirements are met. Additionally, ensure that there is adequate free disk space in the system temp directory. The target system must meet the hardware and software requirements described in the Release Information section of the Tivoli Identity Manager Information Center.

2. Ensure that you have the needed administrative authority. On Windows systems, the login user ID must be in the Administrators Group. On Linux systems, the login user ID must be root.

Migrating Oracle data

The Oracle Database export (EXP) and import (IMP) utilities are used to perform logical database backup and recovery. They are also used to migrate Oracle data from one server, database or schema to another.

Exporting Oracle data from the server for Tivoli Identity Manager Version 4.6 or 5.0

On the server running Oracle Database for Tivoli Identity Manager Version 4.6 or 5.0, complete these steps:

1. Log in as the Oracle database instance owner.

2. Ensure that the ORACLE_HOME (Oracle default installation directory) and ORACLE_SID (the Tivoli Identity Manager database instance) environment variables are properly set. Check your environmental variables for the following entries (the following example is for a Windows home directory):

       ORACLE_HOME=c:\oracle\ora92
       ORACLE_SID=itim

3. Export the Oracle Database dump and log files with the following command (on one line):

       exp system/system_pwd file=path\itim46.dmp log=path\itim46exp.log owner=itim_username

   where system_pwd is the password for the system user, path is the path of the file, such as C:\46data\oracle or /opt/46data/oracle, and itim_username is the Tivoli Identity Manager Version 4.6 or 5.0 database user, such as enrole or itimuser.

4. Copy the contents of the directory you exported over to the target server, for example /46data/oracle. Ensure that the database instance owner enrole that you created above has permission to read the target directory and files within.

Installing Oracle database and importing data

On the target Tivoli Identity Manager Version 5.1 server, complete these steps:

1. Install the supported version of Oracle Database following the instructions from the Tivoli Identity Manager Server Installation and Configuration Guide.

2. Configure the Oracle database instance. The following enrole_admin.sql file helps to configure the new Oracle database instance for the migration. Edit the file, replacing itimuserTag with your Tivoli Identity Manager Version 4.6 or 5.0 database user, such as enrole, and replacing itimuserPwdtag with the Tivoli Identity Manager Version 4.6 or 5.0 database user password. The Tivoli Identity Manager upgrade will fail if the database user ID and password are not the same as the previous version.

       -- Table space for Tivoli Identity Manager data
       CREATE TABLESPACE enrole_data
       DATAFILE 'enrole1_data_001.dbf'
       SIZE 64M
       AUTOEXTEND ON
       NEXT 64M
       MAXSIZE unlimited
       DEFAULT STORAGE (INITIAL 10M
                        NEXT 1M
                        PCTINCREASE 10)
       PERMANENT
       ONLINE
       LOGGING;

       -- Table space for Tivoli Identity Manager indexes
       CREATE TABLESPACE enrole_indexes
       DATAFILE 'enrole1_idx_001.dbf'
       SIZE 32M
       AUTOEXTEND ON
       NEXT 32M
       MAXSIZE unlimited
       DEFAULT STORAGE (INITIAL 10M
                        NEXT 1M
                        PCTINCREASE 10)
       PERMANENT
       ONLINE
       LOGGING;

       -- Database user: same user ID and password as the previous version
       CREATE USER itimuserTag IDENTIFIED BY itimuserPwdtag
       DEFAULT TABLESPACE enrole_data
       QUOTA UNLIMITED ON enrole_data
       QUOTA UNLIMITED ON enrole_indexes;

       GRANT CREATE SESSION TO itimuserTag;
       GRANT CREATE TABLE to itimuserTag;
       GRANT CREATE ANY PROCEDURE to itimuserTag;
       GRANT CREATE VIEW to itimuserTag;

3. On the target computer, ensure the ORACLE_HOME and ORACLE_SID environmental variables are set properly.

4. Run the above enrole_admin.sql file using the sqlplus utility:

       sqlplus system/system_pwd @path\enrole_admin.sql

   where system_pwd is the password for the system user and path is the path of the file. Running this script file creates the required Tivoli Identity Manager table spaces and creates the database user (specified by itimuserTag) with required permissions.

5. After creating the table spaces, enter the following command (on one line) to import the Tivoli Identity Manager Version 4.6 or 5.0 exported data:

       imp system/system_pwd file=path\itim46.dmp log=path\itim46exp.log fromuser=itim_username

   where system_pwd is the password for the system user, path is the path of the file you copied over (such as C:\46data\oracle or /opt/46data/oracle) and itim_username is the name of the Tivoli Identity Manager Version 4.6 database user, such as enrole or itimuser.

After you have completed the upgrade and installation, you need to tune the database for optimal performance by applying the latest tunings in the IBM Tivoli Identity Manager Performance Tuning Guide, available at the following Web site:

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itim.doc/welcome.htm


Chapter 4. Migrating SQL Server

This chapter provides information on migrating and importing Microsoft SQL Server data to a system and version of SQL Server supported by Tivoli Identity Manager Version 5.1.

Before you begin the migration process, complete these tasks:

1. Ensure that the free disk space and virtual memory requirements are met. Additionally, ensure that there is adequate free disk space in the system temp directory. The target system must meet the hardware and software requirements described in the Release Information section of the Tivoli Identity Manager Information Center.

2. Ensure that you have the needed administrative authority. On Windows systems, the login user ID must be in the Administrators Group. On Linux systems, the login user ID must be root.

Migrating SQL Server data

The Microsoft SQL Server backup and restore utilities are used to perform database backup and recovery. They can also be used to move SQL Server data from one server, database or schema to another.

Backing up SQL Server data

On the server running SQL Server for Tivoli Identity Manager Version 4.6 or 5.0, complete these steps:

1. Start SQL Server Enterprise Manager and navigate to the Tivoli Identity Manager database.

2. Right click on the Tivoli Identity Manager database (itimdb) and select All Tasks > Backup Database.

3. Click Add to provide a file name such as itimdb.bak.

4. Accept the defaults for the other options, and click OK.

Installing SQL server and importing data

On the target Tivoli Identity Manager Version 5.1 SQL server:

1. Install SQL Server 2005 following the instructions in the Tivoli Identity Manager Server Installation and Configuration Guide. Since this is a migration and upgrade, ensure that the same Tivoli Identity Manager Version 4.6 or 5.0 database system user is created and used.

2. After creating the Tivoli Identity Manager Version 5.1 database, right click on the database and select Tasks > Restore > Database.

3. In the Restore Database window under the General page, select the From device source for restore option, click the ellipsis (...) button and provide the Tivoli Identity Manager Version 4.6 or 5.0 database backup file name (itimdb.bak).

4. After adding the backup file to the list, select the check box to select the file and click on the Options page in the left pane.

5. On the Options page, select Overwrite the existing database option and click OK.

6. Configure SQL with the following user script:

       sp_addlogin itimuserTag, itimuserPwdTag;
       sp_adduser itimuserTag, itimuserTag, db_owner;
       use master;
       sp_grantdbaccess itimuserTag, itimuserTag;
       sp_addrolemember [SqlJDBCXAUser], itimuserTag;
       use itimdbTag;

   Replace itimuserTag with your Tivoli Identity Manager Version 4.6 or 5.0 database user, for example enrole; replace itimuserPwdTag with the Tivoli Identity Manager Version 4.6 or 5.0 database user password; and replace itimdbTag with the database instance name.

7. Next configure SQL with the following user script:

       sp_change_users_login 'Update_One', 'itimuserTag', 'itimuserTag'

   Replace itimuserTag with your Tivoli Identity Manager Version 4.6 database user, for example enrole.

8. Restart SQL Server 2005.

Clearing the service integration bus

For Separate Systems Upgrades from Tivoli Identity Manager 5.0 to Tivoli Identity Manager 5.1, it is necessary to clear out the Service Integration Bus (SIB) data from the restored database.

On the target Tivoli Identity Manager Version 5.1 DB2 server:

1. Start the SQL Server Enterprise Manager and navigate to the database to be used for Tivoli Identity Manager 5.1.

2. Right click on the database and click New Query.

3. Enter the DELETE SQL statements required to delete all data from the tables in the SIB schemas. Issue the following commands for each of the SIB schemas in your environment:

       delete from schema_name.SIB000
       delete from schema_name.SIB001
       delete from schema_name.SIB002
       delete from schema_name.SIBCLASSMAP
       delete from schema_name.SIBKEYS
       delete from schema_name.SIBLISTING
       delete from schema_name.SIBXACTS
       delete from schema_name.SIBOWNER
       delete from schema_name.SIBOWNERO

   where the SIB schema, schema_name is:

   Table 3. Service integration bus schema names

   Tivoli Identity Manager environment    Schema name
   Single-server                          ITIML000
   Clustered                              ITIML000, ITIML001, ITIML002, ITIML003, and ITIMS000

   Note: The SIBOWNERO might not exist in all Tivoli Identity Manager environments. If it does not exist and the delete statement fails, you can ignore the failure.

Chapter 5. Migrating IBM Tivoli Directory Server

This chapter provides information on migrating and importing data to a system and version of IBM Tivoli Directory Server supported by Tivoli Identity Manager Version 5.1.

Tivoli Identity Manager Version 4.6 supports IBM Tivoli Directory Server Version 5.2 and 6.1, while Tivoli Identity Manager Version 5.0 supports IBM Tivoli Directory Server Version 6.0 and 6.1. Note that the migration commands vary between directory server versions.

You must be logged in as an administrator with root privileges to perform the migration.

Migrating IBM Tivoli Directory Server Version data

Preparing IBM Tivoli Directory Server data on the server running IBM Tivoli Directory Server for Tivoli Identity Manager Version 4.6 or 5.0

For a server running IBM Tivoli Directory Server Version 5.2, run the following command:

    db2ldif -s ldap_suffix -o ldap_output_file

where ldap_suffix is the name of the suffix (such as dc=com) on which Tivoli Identity Manager is configured, and ldap_output_file is the name of the .ldif output file (such as old_ldif_data.ldif).

For a server running IBM Tivoli Directory Server Version 6.x, run the following command:

    db2ldif -s ldap_suffix -o ldap_output_file -I ldap_instance_name

where ldap_suffix is the name of the suffix (such as dc=com) on which Tivoli Identity Manager is configured, ldap_output_file is the name of the .ldif output file (such as old_ldif_data.ldif), and ldap_instance_name is the name of the LDAP server instance, which can be obtained through the IBM Tivoli Directory Server Instance Administration Tool.

Note: The LDAP server does not need to be stopped for you to enter this command for either version of IBM Tivoli Directory Server.

Configuring IBM Tivoli Directory Server on the target directory server

On the target Tivoli Identity Manager Version 5.1 directory server, complete these steps:

1. Install the supported version of IBM Tivoli Directory Server following the instructions in the Tivoli Identity Manager Server Installation and Configuration Guide.

2. Run the middleware configuration tool to create and configure the IBM Tivoli Directory Server instance. Ensure that the same Tivoli Identity Manager Version 4.6 or 5.0 root suffix is created and used.

   Note: Use the same encryption seed value as the old Tivoli Directory Server instance. Otherwise the data from the old Tivoli Directory Server instance needs to be exported using the seed and salt keys from the new instance.

3. Copy over the schema file V3.modifiedschema from the OLD_ITDS_HOME\etc directory of the IBM Tivoli Directory Server home directory used by Tivoli Identity Manager Version 4.6 or 5.0 server to the NEW_ITDS_INSTANCE_HOME\etc directory of the IBM Tivoli Directory Server instance that the Tivoli Identity Manager Version 5.1 server uses.

   Notes:

   a. If you have made customizations or modifications to the schema files, verify which schema file you have modified. Manually merge the changes with the new schema files.

   b. When running the bulkload command, the following errors might occur:

          GLPCRY007E The directory key stash file is inconsistent with the associated encrypted data.
          GLPBLK071E Bulkload is unable to run because of an initialization error.

      To correct these errors you need to know the encryption seed and salt values of the target instance. (The target instance is the directory server instance where you are performing the bulkload operation.) To determine the salt value of the target instance, run this command (on one line):

          ldapsearch -D bind DN -w password -h hostname -p port -s base -b cn=crypto,cn=localhost cn=*

      Replace the value of ibm-slapdCryptoSync, ibm-slapdCryptoSalt in the ldap_output_file file (generated as output of the db2ldif command, for example old_ldif_data.ldif) with the values returned by the ldapsearch command. Run the bulkload command again.

4. Stop and start IBM Tivoli Directory Server for the changes to take effect.
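The substitution described in note b, as an added example that is not part of the IBM guide: the script copies a db2ldif export and replaces ibm-slapdCryptoSync and ibm-slapdCryptoSalt with the values saved from the target instance's ldapsearch output, failing rather than writing a partial file. The function names, the file name target_crypto.txt, all sample values, the ldapsearch output forms ("attr=value" or "attr: value") and the assumption that the export carries the two attributes in a cn=crypto,cn=localhost entry are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the IBM guide. Function names, file names and
# sample values are constructed for illustration.

# Print the value of attribute $2 from saved ldapsearch output $1.
# Accepts "attr=value" and LDIF "attr: value" lines (assumed output forms);
# base64 "attr:: value" lines are not handled and count as not found.
crypto_attr() {
    ATTR="$2" awk '
        BEGIN { want = tolower(ENVIRON["ATTR"]); n = length(want) }
        tolower(substr($0, 1, n)) == want {
            rest = substr($0, n + 1)
            if (substr(rest, 1, 1) == "=")  { print substr(rest, 2); found = 1; exit }
            if (substr(rest, 1, 2) == ": ") { print substr(rest, 3); found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Format one LDIF attribute line. A value that starts with a space, ":" or
# "<", or ends with a space, cannot be written as plain LDIF text, so it is
# base64-encoded ("attr:: ...").
ldif_line() {
    case "$2" in
        ' '*|:*|'<'*|*' ')
            printf '%s:: %s\n' "$1" "$(printf '%s' "$2" | base64 | tr -d '\n')" ;;
        *)
            printf '%s: %s\n' "$1" "$2" ;;
    esac
}

# Copy the db2ldif export $1 to $3, replacing ibm-slapdCryptoSync and
# ibm-slapdCryptoSalt inside the cn=crypto,cn=localhost entry with the values
# found in the target instance's ldapsearch output $2.
# Returns 2 if a value is missing from $2, 3 if the export lacks the pair.
sync_crypto() {
    sync=$(crypto_attr "$2" ibm-slapdCryptoSync) ||
        { echo "ibm-slapdCryptoSync not found in $2" >&2; return 2; }
    salt=$(crypto_attr "$2" ibm-slapdCryptoSalt) ||
        { echo "ibm-slapdCryptoSalt not found in $2" >&2; return 2; }
    SYNC_LINE=$(ldif_line ibm-slapdCryptoSync "$sync") \
    SALT_LINE=$(ldif_line ibm-slapdCryptoSalt "$salt") \
    awk '
        /^$/ { in_crypto = 0; skip = 0; print; next }   # blank line ends an entry
        tolower($0) ~ /^dn: *cn=crypto, *cn=localhost *$/ { in_crypto = 1 }
        skip && /^ / { next }      # folded continuation of a replaced value
        { skip = 0 }
        in_crypto && tolower($0) ~ /^ibm-slapdcryptosync:/ {
            print ENVIRON["SYNC_LINE"]; skip = 1; n++; next }
        in_crypto && tolower($0) ~ /^ibm-slapdcryptosalt:/ {
            print ENVIRON["SALT_LINE"]; skip = 1; n++; next }
        { print }
        END { exit (n == 2 ? 0 : 1) }
    ' "$1" > "$3" ||
        { echo "crypto attributes not found in $1" >&2; rm -f "$3"; return 3; }
}

# Write constructed sample files into directory $1: an export whose old sync
# value is folded over two lines, and saved ldapsearch output from the target.
make_sample() {
    cat > "$1/old_ldif_data.ldif" <<'EOF'
version: 1

dn: cn=crypto,cn=localhost
cn: crypto
ibm-slapdCryptoSync: OLDSYNC
 VALUE0001
ibm-slapdCryptoSalt: oldsalt-0001

dn: dc=com
objectclass: domain
dc: com
EOF
    cat > "$1/target_crypto.txt" <<'EOF'
cn=crypto,cn=localhost
cn=crypto
ibm-slapdCryptoSalt=:new=salt&01
ibm-slapdCryptoSync=NEWSYNCVALUE0002
EOF
}

# Demo on the constructed sample: prints the rewritten export.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
sync_crypto "$demo_dir/old_ldif_data.ldif" "$demo_dir/target_crypto.txt" \
            "$demo_dir/new_ldif_data.ldif" && cat "$demo_dir/new_ldif_data.ldif"
rm -rf "$demo_dir"
```

The rewritten file, not the original export, is the one to pass to bulkload; both files contain the instance's seed-derived values and should be readable only by the directory server instance owner.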

Importing IBM Tivoli Directory Server data

To import IBM Tivoli Directory Server data, stop the LDAP server and run the following command from the directory server:

    bulkload -i OLD_ITDS_TEMP_DATA\ldif_output_file -I ldap_instance_name

where OLD_ITDS_TEMP_DATA is the temporary directory location of the migrated IBM Tivoli Directory Server data you have copied over from the previous version, such as C:\temp\46data\ids\, ldif_output_file is the name of the .ldif file you exported from the previous step, such as old_ldif_data.ldif, and ldap_instance_name is the name of the LDAP server instance, such as itimldap, which can be obtained through the IBM Tivoli Directory Server Instance Administration Tool. On Windows systems, you must run the bulkload utility command within the DB2 command line interpreter. You can access the command line interpreter by clicking Start > Run, typing db2cmd, and clicking OK.

Note: The bulkload will fail if any of the entries in the input LDIF file already exist in LDAP. This might occur if the suffix you have defined exists as an entry in the directory server. It may be necessary to delete the suffix entry from LDAP before running the command.

After you have completed the upgrade and installation of Tivoli Identity Manager, tune LDAP for optimal performance by applying the latest tuning settings in the IBM Tivoli Identity Manager Performance Tuning Guide, available at the following Web site:

http://www-1.ibm.com/support/docview.wss?uid=swg27011444


Chapter 6. Migrating Sun directory server

This chapter provides information on migrating and importing data to a system and version of Sun directory server supported by Tivoli Identity Manager Version 5.1. You must be logged in as an administrator with root privileges to perform this migration.

Migrating Sun directory server data

For complete information about migrating Sun directory servers to Sun Directory Enterprise Server 6.3 go to the Sun Web site at http://docs.sun.com/app/docs/doc/820-2762/dsoutline?a=view.

Exporting Sun directory server data

To export from Sun ONE Directory Server Version 5.2 for Tivoli Identity Manager Version 4.6 or 5.0, run the following command (you do not need to stop LDAP):

    db2ldif -n instance_name -a ldif_output_file -s "ldap_suffix"

where instance_name is the name of the database instance of the directory server, ldif_output_file is the name (such as 46_ldif_data.ldif) of the LDIF output file, and ldap_suffix is the root suffix (such as dc=com) on which Tivoli Identity Manager data is stored. Note that the LDAP suffix should be delimited by quotation marks.

To find the instance name, run the following command (on one line):

    OLD_SUN_INSTALL_HOME/shared/bin/ldapsearch -h hostname -p port_number -D "cn=Directory Manager" -w password -b "cn=ldbm database,cn=plugins,cn=config" "(nsslapd-suffix=rootSuffix)" cn

The variables for this command are:

- OLD_SUN_INSTALL_HOME: The installation directory of Sun ONE Directory Server.
- hostname: The host name or IP address of the directory server.
- port_number: The port number of the directory server.
- cn=Directory Manager: The binding dn for the directory manager.
- password: The password for the cn=Directory Manager user.
- rootSuffix: The root suffix for Tivoli Identity Manager, for example "dc=com".

For example, if the Sun ONE directory server for Tivoli Identity Manager is running at 10.10.10.10 on port 389, the dn for the directory manager is "cn=Directory Manager", the password for the directory manager is "pwd4sunone", and the root suffix for Tivoli Identity Manager is "dc=com", then the command should be:

    OLD_SUN_INSTALL_HOME/shared/bin/ldapsearch -h 10.10.10.10 -p 389 -D "cn=Directory Manager" -w pwd4sunone -b "cn=ldbm database,cn=plugins,cn=config" "(nsslapd-suffix=dc=com)" cn

The output of the command should appear in the following form:

    version: 1
    dn: cn=com, cn=ldbm database, cn=plugins, cn=config
    cn: com

In this example, the database instance name is "com".

Importing data to Sun Enterprise Directory Server

To import to Sun Enterprise Directory Server for Tivoli Identity Manager Version 5.1, complete these steps on the directory server:

1. Install the supported version of Sun Enterprise Directory Server and create a brand new LDAP instance.

2. Create a root suffix that is the same as root suffix of the previous version of Sun ONE Directory Server.

3. Copy the 99user.ldif schema file from the OLD_SUN_INSTALL_HOME/slapd-serverID/config/schema directory to the Tivoli Identity Manager Version 5.1 directory server schema directory.

4. Stop the LDAP server.

5. Run the following command to import the data:

       ldif2db -n instance_name -i ldif_output_file

   where instance_name is the name of the old instance and ldif_output_file is the name of the file you exported from the previous version of Sun ONE Directory Server.

Chapter 7. Performing the Upgrade to Tivoli Identity Manager Version 5.1

This chapter provides information on how to upgrade to Tivoli Identity Manager Version 5.1, both for single-server and cluster environments.

The supported upgrade paths are:

Table 4. Upgrade paths

From: Tivoli Identity Manager Version 4.6
To:   Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 6.1
      Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 7.0

From: Tivoli Identity Manager Version 5.0
To:   Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 6.1
      Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 7.0

From: Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 6.1
To:   Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 7.0

Copying the existing Tivoli Identity Manager Version home directory to the target environment

In order to run the installation program to upgrade to Tivoli Identity Manager Version 5.1, copy the existing Tivoli Identity Manager home directory to the target environment.

The OLD_ITIM_HOME location from the previous version of Tivoli Identity Manager should be preserved when you copy the home directory. For example, if the OLD_ITIM_HOME directory was C:\itim46 (Windows) or /opt/IBM/itim46 (UNIX/Linux), then you should copy the directory to the same path on the new server before you run the installation program.

To copy the existing Tivoli Identity Manager home directory, complete these steps for UNIX/Linux and Windows environments:

- UNIX/Linux

  1. Go to the UNIX or Linux root directory.

  2. Create a tar file by entering the full path of OLD_ITIM_HOME. For example,

         tar -cvf itim.tar OLD_ITIM_HOME

     If you are running Tivoli Identity Manager in a cluster environment, create separate tar files for the deployment manager and cluster members.

  3. Copy the tar file itim.tar to the target server root directory. If you are running Tivoli Identity Manager in a cluster environment, copy the tar file from the old deployment manager to the new deployment manager and old cluster members to new cluster members.

  4. Extract the OLD_ITIM_HOME directory on one or more servers using the following command:

         tar -xvf itim.tar

- Windows

  1. Create a .zip file of the OLD_ITIM_HOME directory. If you are running Tivoli Identity Manager in a cluster environment, create separate .zip files for the deployment manager and cluster members.

  2. Copy the .zip file to the target server. If you are running Tivoli Identity Manager in a cluster environment, copy the .zip file from the old deployment manager to the new deployment manager and old cluster members to new cluster members.

  3. Extract the OLD_ITIM_HOME directory on one or more servers to the same drive location where Tivoli Identity Manager was installed.

Running the Tivoli Identity Manager Version 5.1 installation program

Before you run the Tivoli Identity Manager Version 5.1 installation program, you should have imported or restored the directory and database data you copied onto the respective directory and database servers. Additionally, you should ensure that the following middleware is running at the supported release level and fix pack:

- WebSphere Application Server
- DB2 Universal Database or other supported middleware
- IBM Tivoli Directory Server or other supported middleware

Refer to the Tivoli Identity Manager Server Installation and Configuration Guide for explicit instructions on configuring these middleware for the installation.

If you are installing Tivoli Identity Manager in a cluster environment, you need to install Tivoli Identity Manager on the deployment manager to upgrade the database and directory server before installing Tivoli Identity Manager on cluster members.

To upgrade to Tivoli Identity Manager Version 5.1, complete these steps:

1. Log on to an account with system administration privileges on the computer where the Tivoli Identity Manager Server will be installed. On Windows systems, the login user ID must be in the Administrators Group. On Linux systems, the login user ID must be root.

2. Download the installation program, or insert the Tivoli Identity Manager product DVD into the DVD drive.

3. To run the installation program, complete these steps:

   - Windows:

     a. Click Start > Run.

     b. Enter the drive and path where the installation program is located and then enter the following command:

            instwin.exe

        The Welcome window opens.

   - UNIX or Linux:

     a. Open a command shell prompt window, and navigate to the directory where the installation program is located.

     b. Enter the following command for the Tivoli Identity Manager installation program:

        - AIX®: instaix.bin
        - Linux: instlinux.bin
        - pLinux: instplinux.bin
        - zLinux: instzlinux.bin
        - Solaris: instsol.bin

        The installation program starts and displays the Welcome window.

     If you are running the installation program on a UNIX/Linux system that does not have at least 150 MB of free space in the /tmp directory, you should set the IATEMPDIR environment variable to a directory on a disk partition with enough free disk space. To set the variable, enter one of the following commands at the command line prompt before running the installation program again:

     - Bourne shell (sh), ksh, bash, and zsh:

           $ IATEMPDIR=temp_dir
           $ export IATEMPDIR

     - C shell (csh) and tcsh:

           $ setenv IATEMPDIR temp_dir

     where temp_dir is the path to the directory, for example /your/free/directory, where free disk space is available.

4. Select the language and click OK.5. If you agree with the terms, accept the license agreement and click Next.6. In the Choose Install Directory window, you must select the existing Tivoli

Identity Manager home directory that you want to upgrade. Accept thedefault directory, or click Choose and select the correct directory. Then, clickNext.

7. In the Upgrade IBM Tivoli Identity Manager window, click Continue to Nextto start the upgrade.

8. Read the caution windows to ensure that the prerequisite applications meetthe requirements that Tivoli Identity Manager supports. Then, click Next.

9. In the Installation Directory of WebSphere Application Server window,confirm the WebSphere Application Server directory and click Next.

10. In the WebSphere Profile Selection window, select the WebSphere ApplicationServer profile name, and click Next.

11. If you are running Tivoli Identity Manager in a cluster environment, enter theapplication and messaging cluster names, and click Next.

Note: The cluster names you enter do not have to match the previous versionof Tivoli Identity Manager, but they should already exist from theconfiguration of WebSphere Application Server. For more informationon configuring WebSphere Application Server for Tivoli IdentityManager, refer to the Tivoli Identity Manager Server Installation andConfiguration Guide.

12. In the WebSphere Application Server Data window, enter or accept theapplication server name and ensure that the correct host name for the newcomputer is shown, and click Next.

Chapter 7. Performing the Upgrade to Tivoli Identity Manager Version 5.1 23

Page 38: Separate System Upgrade and Data Migration Guide

13. If you are running Tivoli Identity Manager in a cluster environment, verify thehost name of the system on which WebSphere Application Server and TivoliIdentity Manager will install, and click Next.

14. If WebSphere administrative security and application security is turned on, inthe WebSphere Application Server Administrator Credentials window, enterthe WebSphere Application Server administrator user ID and password, andclick Next.

15. If you are prompted for the Java Database Connectivity (JDBC) driver, enterthe directory location for the JDBC driver and the driver name, and clickNext.

Note: If you are upgrading from Tivoli Identity Manager 5.1 to Tivoli IdentityManager 5.1 on WebSphere Application Server 7.0, the JDBC driversetup panel is not displayed. Additional manual steps are needed forthe Oracle database.a. After deploying Tivoli Identity Manager 5.1 on WebSphere

Application Server 7.0 Fix Pack 5, remove the ojdbc.jar file fromITIM_HOME/lib and replace it with ojdbc6.jar. Then, renameojdbc6.jar to ojdbc.jar. This is necessary because WebSphereApplication Server 7.0 uses JDK1.6.

16. In the Tivoli Common Directory window, select the location of the TivoliCommon Directory or another directory, and click Next. The directory youselect is the central location for all serviceability-related files, such as logs andfirst-failure capture data.

17. In the Pre-Installation Summary window, verify the information is correct andclick Install.

18. When the System Configuration tool window is shown on the screen, enter the correct values for Tivoli Identity Manager Version 5.1. Confirm or update the correct values for the following directory, database, and mail server fields on each tab, which must be changed from the old information used in the previous version of Tivoli Identity Manager. Click OK only after you have made all necessary changes and verified that the values on all tabs are correct:

    • Database

      – JDBC URL
        Enter the JDBC URL with the correct database host name, port number, and database name for Tivoli Identity Manager Version 5.1. For example, if you are using the DB2 database “itimdb” running at the host 10.1.1.1 on port 50000, then you enter:

            jdbc:db2://10.1.1.1:50000/itimdb

        Note: The host name can be a fully qualified domain name, IPv4 or [IPv6] address. The IPv6 address must be enclosed in square brackets.

      When you have entered the information, click Test to test the connection.

      Note: The Database User and User Password fields are disabled. When you create the database user for Tivoli Identity Manager Version 5.1, make sure that you use the same database user ID and the password that you used for the previous Tivoli Identity Manager server.

    • Directory
      – Principal DN
      – Password


      – Host Name
      – Port

      When you have entered the information, click Test to test the connection.

    • Mail

      – Identity Manager Server Base URL

    Click OK when you have changed or verified all the fields on all the tabs.

19. The database upgrade program is invoked to upgrade the database schema and data. If you are upgrading from Tivoli Identity Manager Version 4.6 with WebSphere Application Server 5.1, you are prompted to provide the database administrative user ID and password to create the database schema for the messaging engine. The database upgrade can take some time to complete, and progress is not displayed. After it is complete, the LDAP upgrade program is invoked to upgrade the LDAP schema and data. This can also take some time. You can look at the log files in the ITIM_HOME\install_logs directory to see the upgrade progress, specifically the following log files:

    • itim_install_activity.log
    • dbUpgrade.stdout
    • ldapUpgrade.stdout
    • runConfigFirstTime.stdout

20. When the installation program has completed, click Done.

21. Confirm you can log on to the Tivoli Identity Manager Version 5.1 system. You should be able to log in with the itim manager user ID and the password that was used in the previous version of Tivoli Identity Manager.
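The JDBC URL rules from step 18 (host as domain name, IPv4, or bracketed IPv6, followed by port and database name) can be checked before the value is typed into the System Configuration tool. The following is an added example, not part of the IBM guide; the function name is hypothetical and only the simple jdbc:db2://host:port/database form shown in step 18 is handled.

```python
import ipaddress
import re

# Only the form shown in step 18 is handled: jdbc:db2://<host>:<port>/<database>
PREFIX = "jdbc:db2://"
_URL = re.compile(
    r"jdbc:db2://(?P<host>\[[^\]/]*\]|[^/:\[\]]+):(?P<port>\d{1,5})/(?P<db>\w+)"
)
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def parse_db2_jdbc_url(url):
    """Return (kind, host, port, database); raise ValueError naming the problem."""
    match = _URL.fullmatch(url)
    if match is None:
        # An unbracketed IPv6 address is ambiguous with the ":port" separator,
        # so it can never match the pattern; report that case explicitly.
        authority = url[len(PREFIX):].split("/", 1)[0] if url.startswith(PREFIX) else ""
        if authority.count(":") > 1 and "[" not in authority:
            raise ValueError("IPv6 host must be enclosed in square brackets")
        raise ValueError("expected jdbc:db2://host:port/database")

    host, port, database = match["host"], int(match["port"]), match["db"]
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)

    if host.startswith("["):
        host = host[1:-1]
        try:
            ipaddress.IPv6Address(host)
        except ValueError:
            raise ValueError("bracketed host is not an IPv6 address: " + host)
        return "ipv6", host, port, database

    if re.fullmatch(r"[0-9.]+", host):
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            raise ValueError("host is not a valid IPv4 address: " + host)
        return "ipv4", host, port, database

    labels = host.rstrip(".").split(".")
    if len(host) > 253 or not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError("host is not a valid DNS name: " + host)
    return "hostname", host, port, database


if __name__ == "__main__":
    # Constructed sample values; the first is the example from step 18.
    for candidate in (
        "jdbc:db2://10.1.1.1:50000/itimdb",
        "jdbc:db2://[2001:db8::1]:50000/itimdb",
        "jdbc:db2://2001:db8::1:50000/itimdb",
    ):
        try:
            print(candidate, "->", parse_db2_jdbc_url(candidate))
        except ValueError as error:
            print(candidate, "-> rejected:", error)
```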

Post-installation tasks

Restarting and re-indexing Sun Enterprise Directory Server Version 6.3

If you migrated data from Sun ONE Directory Server, after the Tivoli Identity Manager Version 5.1 installation is completed, you must stop Tivoli Identity Manager, restart your directory server and then re-index, otherwise Tivoli Identity Manager cannot connect to the directory server after restart.

To re-index Sun Enterprise Directory Server, complete these steps:

1. From the Sun Enterprise Directory Server console, click the Configuration tab.
2. Select the directory server, open the Data tree, click on the exported root suffix and select Reindex.
3. Select Check All and click OK.

Updating the WebSphere Application Server default listening port (cluster only)

For cluster environments, after the installation has completed, check if the default host ports of each application cluster member are included in the host aliases of default_host. If not, you might need to update the WebSphere Application Server default listening port by manually entering a new host alias for the port. Complete these steps:

1. From the WebSphere administrative console, click Environment > Virtual Hosts > default_host > Host Aliases.
2. In Host Aliases, click New to create a new alias.


3. In the Host Name field, enter *, and in the Port field, enter the port number and click OK.

    Note: To find the default host port, click Servers > Application Servers > serverName > ports.

    For WebSphere Application Server 7.0, click Servers > Server Types > Application Servers > serverName > ports.

    Look for the values of WC_defaulthost and WC_defaulthost_secure. Here, serverName is the server name of the application cluster member where Tivoli Identity Manager is deployed.

4. Save the configuration changes.

Preserving custom logos

Custom logos used in the UI are not preserved after upgrade. This is normal upgrade behavior. The ui.properties file property named enrole.ui.customerLogo.image still points to the location specified in 4.6 or 5.0. However, this defaults to a path inside the enrole.ear or ITIM.ear directory. You need to copy the image file from the old location to the new location. A section for customizing logos and style sheets provides this information in the Tivoli Identity Manager Server Installation and Configuration Guide.

Verifying the installation

When you have completed the installation, confirm you can log on to the Tivoli Identity Manager Version 5.1 system. You should be able to log in with the Tivoli Identity Manager administrator user ID (for example, itim manager) and password that was used in the previous version of Tivoli Identity Manager.

For more information on verifying the installation, see the Tivoli Identity Manager Server Installation and Configuration Guide.

For additional assistance troubleshooting a post-migration system, see Appendix A, “Post migration troubleshooting and known issues,” on page 35.

Tuning performance

Once you have completed verifying the new system, you should apply performance tunings to confirm that the new system meets your performance requirements.

For instance, on systems running DB2 Universal Database, you might benefit from enabling autoresize on your table spaces. This is the default with Tivoli Identity Manager Version 5.1. To check that you have autoresize enabled, use the following command:

    db2 get snapshot for tablespaces on itimdb

and look for the "Auto-resize enabled" line in the output.
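Reading the snapshot by eye is error-prone when the database has many table spaces, so the check above can be scripted. This is an added example, not part of the IBM guide: the function names are hypothetical, the sample snapshot is constructed, and the "Tablespace name" line used to group the output is an assumption about the snapshot layout (only the "Auto-resize enabled" line is named by the guide).

```python
import sys

# Constructed sample, trimmed to the lines the check reads.
SAMPLE_SNAPSHOT = """\
Tablespace name                            = ENROLE_DATA
  Tablespace ID                            = 3
  Auto-resize enabled                      = Yes
Tablespace name                            = ENROLE_INDEXES
  Tablespace ID                            = 4
  Auto-resize enabled                      = No
Tablespace name                            = TEMPSPACE1
  Tablespace ID                            = 1
"""


def autoresize_by_tablespace(snapshot_text):
    """Map each table space name to True, False, or None (line not present)."""
    state = {}
    current = None
    for line in snapshot_text.splitlines():
        key, separator, value = line.partition("=")
        if not separator:
            continue
        key = key.strip().lower()
        value = value.strip()
        if key == "tablespace name":
            # Assumption: every table space section starts with this line.
            current = value
            state[current] = None
        elif key == "auto-resize enabled" and current is not None:
            state[current] = value.lower() == "yes"
    return state


def needs_attention(snapshot_text):
    """Names of table spaces where autoresize is off or was not reported."""
    state = autoresize_by_tablespace(snapshot_text)
    return sorted(name for name, enabled in state.items() if enabled is not True)


if __name__ == "__main__":
    # Usage: db2 get snapshot for tablespaces on itimdb | python check_autoresize.py
    text = SAMPLE_SNAPSHOT if sys.stdin.isatty() else sys.stdin.read()
    flagged = needs_attention(text)
    for name in flagged:
        print("autoresize not confirmed for table space:", name)
    sys.exit(1 if flagged else 0)
```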

For more information on performance tunings for Tivoli Identity Manager Version 5.1, refer to the IBM Tivoli Identity Manager Performance Tuning Guide.


Chapter 8. Post-upgrade Production Cutover

This chapter provides information on how to perform a post-upgrade production cutover.

While you are performing the upgrade process and testing the new production system, the old production system should continue to capture changes made in production. The Tivoli Identity Manager upgrade does not provide a mechanism to capture these changes made from the old production system and port them to the upgraded system running Tivoli Identity Manager Version 5.1. However, Tivoli Identity Manager does provide the capability to capture current data from the old production system and import it to the new production environment without the need to install an entirely new Tivoli Identity Manager Version 5.1 environment.

The following data and settings are preserved from the new production system:

• WebSphere Application Server configuration settings, including performance tuning
• Tivoli Identity Manager configuration settings stored in property files

The following data and settings are not preserved from the new production system:

• All database server data
• All directory server data
• Any middleware tunings (such as those for DB2 Universal Database and IBM Tivoli Directory Server)

Overview of the production cutover process

The cutover of the production environment consists of the following steps:

1. Shut down WebSphere Application Server on the new production environment.
2. Prepare the following new production servers for data import:
    • directory server
    • database server (preparing data is not necessary for DB2 Universal Database or SQL Server)
3. Shut down WebSphere Application Server on the old production environment.
4. Capture the data from the following old production servers:
    • directory server
    • database server
5. Import the Tivoli Identity Manager directory data from the old production environment to the new environment.
6. Import the Tivoli Identity Manager database data from the old production environment to the new environment.
7. Run the LDAP upgrade tool to migrate directory server data to Tivoli Identity Manager Version 5.1.
8. Run the database upgrade tool to migrate database server data to Tivoli Identity Manager Version 5.1.
9. Start WebSphere Application Server on the new production environment.
10. Apply performance tunings to directory and database servers.


Shutting down WebSphere Application Server on the new production environment

To shut down WebSphere Application Server on the new production environment, run the following commands to stop the server:

• Windows

    "WAS_PROFILE_HOME\bin\stopServer.bat" servername

• UNIX/Linux

    WAS_PROFILE_HOME/bin/stopServer.sh servername

Note: If WebSphere administrative security is enabled, append the following flags to the end of the previous command:

    -user WAS_username -password WAS_user_password

where WAS_username is the WebSphere Application Server administrative user name and WAS_user_password is the password for the administrative user.

Preparing the new production environment database server and directory server for data import

Before preparing the new production environment for database and directory server data import, ensure that you have first stopped WebSphere Application Server on the new production environment.

Note: You do not need to prepare or reconfigure data for DB2 or SQL Server, because the process of restoring the database will overwrite any configuration.

Reconfiguring the IBM Tivoli Directory Server instance

To reconfigure the IBM Tivoli Directory Server instance, complete these steps:

1. Stop IBM Tivoli Directory Server by running the following command:

    ibmslapd -I ldap_instance_name -k

2. Start the IBM Tivoli Directory Server Instance Administration Tool by running this command, which is located in the ITDS_HOME\sbin directory:

    idsxinst

3. Use the Instance Administration Tool (idsxinst) to delete the current Tivoli Identity Manager LDAP instance. Additionally, choose to delete the database.

4. Run the Tivoli Identity Manager middleware configuration utility to create a new Tivoli Identity Manager LDAP instance. The instance name and passwords should be the same as the previously created instance. For more information on creating the LDAP instance, refer to “Configuring IBM Tivoli Directory Server on the target directory server” on page 15.

Note: If you do not want to destroy the LDAP instance and run the middleware configuration utility again, you can reconfigure the database using the idsxcfg command or the idsucfgdb and idscfgdb commands. Once you have reconfigured the database, the tunings that were applied to the LDAP instance by the middleware configuration utility will not be saved. You need to update the database with the tunings which are recommended in the IBM Tivoli Identity Manager Performance Tuning Guide and also install and configure the referential integrity plug-in.


Reconfiguring the Sun Enterprise Directory Server instance

To reconfigure the Sun Enterprise Directory Server instance, complete these steps:

1. Load the Sun Enterprise Directory Server console and log in as an administrator.
2. Select the migrated LDAP server and click Open to open the management console for the server.
3. Click the Configuration tab and expand the Data subtree.
4. Find the suffix that houses the current Tivoli Identity Manager data, right click on the suffix, and select Delete.
5. After the suffix is deleted, right click on the Data subtree and click New Suffix. Then recreate the same suffix as before.
6. Stop the LDAP server.

Reconfiguring the Oracle Database instance

To update Oracle data on the new production server, complete these steps:

1. Use the dbca command or other tools to remove the Tivoli Identity Manager database and instance that was created for the test environment.

2. When the database has been removed, create a new database with the same name by using the migration commands previously provided. For more information, refer to “Migrating Oracle data” on page 9.

3. Configure the Oracle database instance. The following enrole_admin.sql file helps to configure the new Oracle 10g database instance for the migration. Edit the file, replacing itimuserTag with your Tivoli Identity Manager Version 4.6 or 5.0 database user, such as enrole and replacing itimuserPwdtag with the Tivoli Identity Manager Version 4.6 or 5.0 database user password. The Tivoli Identity Manager upgrade will fail if the database user ID and password are not the same as the previous version.

    CREATE TABLESPACE enrole_data
    DATAFILE 'enrole1_data_001.dbf'
    SIZE 64M
    AUTOEXTEND ON
    NEXT 64M
    MAXSIZE unlimited
    DEFAULT STORAGE (INITIAL 10M
                     NEXT 1M
                     PCTINCREASE 10)
    PERMANENT
    ONLINE
    LOGGING;

    CREATE TABLESPACE enrole_indexes
    DATAFILE 'enrole1_idx_001.dbf'
    SIZE 32M
    AUTOEXTEND ON
    NEXT 32M
    MAXSIZE unlimited
    DEFAULT STORAGE (INITIAL 10M
                     NEXT 1M
                     PCTINCREASE 10)
    PERMANENT
    ONLINE
    LOGGING;

    CREATE USER itimuserTag IDENTIFIED BY itimuserPwdtag
    DEFAULT TABLESPACE enrole_data
    QUOTA UNLIMITED ON enrole_data
    QUOTA UNLIMITED ON enrole_indexes;


    GRANT CREATE SESSION TO itimuserTag;
    GRANT CREATE TABLE to itimuserTag;
    GRANT CREATE ANY PROCEDURE to itimuserTag;
    GRANT CREATE VIEW to itimuserTag;

4. Run the enrole_admin.sql file that you edited in the previous step using the sqlplus utility:

    sqlplus system/system_pwd @path\enrole_admin.sql

   where system_pwd is the password for the system user, path is the path of the file. Running this script file creates the required Tivoli Identity Manager table spaces and creates the database user (enrole) with required permissions.

Capturing and importing the contents of the Tivoli Identity Manager Version 4.6 or 5.0 production server data

Once you have completed preparing the new production server to import data, you should perform data capture and import as provided in the following sections:

• Complete these steps for IBM Tivoli Directory Server:

    1. On the old production server, export the directory server data. For more information, refer to “Preparing IBM Tivoli Directory Server data on the server running IBM Tivoli Directory Server for Tivoli Identity Manager Version 4.6 or 5.0” on page 15.

    2. Copy the schema file V3.modifiedschema from the OLD_ITDS_HOME\etc directory of the IBM Tivoli Directory Server used by Tivoli Identity Manager Version 4.6 or 5.0 server to the NEW_ITDS_INSTANCE_HOME\etc directory of the IBM Tivoli Directory Server used by Tivoli Identity Manager Version 5.1 server.

    3. Import the directory server data. For more information, refer to “Importing IBM Tivoli Directory Server data” on page 16.

• Complete these steps for Sun ONE Directory Server:

    1. On the old production server, export the directory server data. For more information, refer to “Exporting Sun directory server data” on page 19.

    2. Copy the 99user.ldif schema file from the path/slapd-serverID/config/schema directory to the Tivoli Identity Manager Version 5.1 directory server schema directory.

    3. Stop the LDAP server.

    4. Run the following command to import the data:

        ldif2db -n instance_name -i ldif_output_file

       where instance_name is the name of the old instance and ldif_output_file is the name of the file you exported from the previous version of Sun iPlanet Directory Server.

• Complete these steps for DB2 Universal Database:

    1. Back up the DB2 Universal Database data. For more information, refer to “Backing up DB2 Universal Database data” on page 5.

    2. Copy the contents of the Tivoli Identity Manager database backup directory to the target server, for example /46data/db2. Ensure that the database instance owner enrole that you created above has permission to read the target directory and files within.

    3. Restore the database data. For more information, refer to “Restoring DB2 Universal Database data” on page 6.

• Complete these steps for Oracle Database:


    1. Export the Oracle Database data. For more information, refer to “Exporting Oracle data from the server for Tivoli Identity Manager Version 4.6 or 5.0” on page 9.

    2. Enter the following command to import the Tivoli Identity Manager Version 4.6 or 5.0 exported data:

        imp system/system_pwd file=path\itim46.dmp log=path\itim46exp.log fromuser=itim_username

       where system_pwd is the password for the system user, path is the path of the file you copied (such as C:\46data\oracle or /opt/46data/oracle) and itim_username is the name of the Tivoli Identity Manager Version 4.6 database user, such as enrole.

• Complete these steps for Microsoft SQL Server:

    1. Export the SQL Server database. For more information, see “Backing up SQL Server data” on page 13.

    2. On the new production server database, right click on the database and select Tasks > Restore > Database.

    3. In the Restore Database window under the General page, select the From device source for restore option, click the ellipsis (...) button and provide the Tivoli Identity Manager Version 4.6 database backup file name (itimdb.bak).

    4. After adding the backup file to the list, select the check box to select the file and click on the Options page in the left pane.

    5. On the Options page, select Overwrite the existing database option and click OK.

    6. Configure SQL with the following user script:

        sp_addlogin itimuserTag, itimuserPwdTag;
        sp_adduser itimuserTag, itimuserTag, db_owner;
        use master;
        sp_grantdbaccess itimuserTag, itimuserTag;
        sp_addrolemember [SqlJDBCXAUser], itimuserTag;
        use itimdbTag;

       Replace itimuserTag with your Tivoli Identity Manager Version 4.6 database user, for example enrole; replace itimuserPwdTag with the Tivoli Identity Manager Version 4.6 database user password; and replace itimdbTag with the database instance name.

    7. Next configure SQL with the following user script:

        sp_change_users_login 'Update_One', 'itimuserTag', 'itimuserTag'

       Replace itimuserTag with your Tivoli Identity Manager Version 4.6 database user, for example enrole.

    8. Restart SQL Server 2005.
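Both the Oracle enrole_admin.sql file and the SQL Server user script above are edited by hand to replace tags with a database user name and password, which invites leftover tags, malformed identifiers, and a password file readable by other accounts. The following added example (not part of the IBM guide) fills the tags in one pass and writes the result with owner-only permissions. The function names are hypothetical, and two choices are assumptions that differ from the guide's bare tags: the password is emitted as a quoted literal, and user and database names are restricted to plain identifiers.

```python
import os
import re

# Excerpts of the two scripts printed in the guide, tags left in place.
ORACLE_USER_SQL = """\
CREATE USER itimuserTag IDENTIFIED BY itimuserPwdtag
DEFAULT TABLESPACE enrole_data
QUOTA UNLIMITED ON enrole_data
QUOTA UNLIMITED ON enrole_indexes;
GRANT CREATE SESSION TO itimuserTag;
"""
MSSQL_USER_SQL = """\
sp_addlogin itimuserTag, itimuserPwdTag;
sp_adduser itimuserTag, itimuserTag, db_owner;
use master;
sp_grantdbaccess itimuserTag, itimuserTag;
sp_addrolemember [SqlJDBCXAUser], itimuserTag;
use itimdbTag;
"""

# The guide spells the password tag "itimuserPwdtag" in the Oracle script
# and "itimuserPwdTag" in the SQL Server script; both are accepted.
_TAG = re.compile(r"itimuserPwd[Tt]ag|itimuserTag|itimdbTag")
# Assumption: user and database names are plain, unquoted identifiers.
_IDENT = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,29}")


def quote_password(password, dialect):
    """Return the password as a quoted literal for the given dialect."""
    if not password or any(ord(ch) < 32 for ch in password):
        raise ValueError("password is empty or contains control characters")
    if dialect == "oracle":
        # IDENTIFIED BY "..." cannot contain a double quote.
        if '"' in password:
            raise ValueError('Oracle password cannot contain a double quote')
        return '"' + password + '"'
    if dialect == "mssql":
        # T-SQL string literal: embedded single quotes are doubled.
        return "'" + password.replace("'", "''") + "'"
    raise ValueError("unknown dialect: " + dialect)


def render_sql(template, dialect, user, password, database=None):
    """Replace the guide's tags in template and return the finished script."""
    for label, value in (("user", user), ("database", database)):
        if value is not None and not _IDENT.fullmatch(value):
            raise ValueError("%s name is not a plain identifier: %r" % (label, value))
    values = {
        "itimusertag": user,
        "itimuserpwdtag": quote_password(password, dialect),
        "itimdbtag": database,
    }

    def substitute(match):
        value = values[match.group(0).lower()]
        if value is None:
            raise ValueError("template uses %s but no value was given" % match.group(0))
        return value

    # Single pass with a function: a password that happens to contain a tag
    # name or a backslash is inserted literally and never expanded again.
    return _TAG.sub(substitute, template)


def write_private(path, text):
    """Create path readable by its owner only; refuse to overwrite a file."""
    descriptor = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(descriptor, "w") as handle:
        handle.write(text)
```

Delete the rendered file once sqlplus or the SQL Server query tool has run it, because it contains the database password in clear text.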

Clearing the service integration bus

This section applies only if you are using DB2 or Microsoft SQL databases. For Separate Systems Upgrades from Tivoli Identity Manager 5.0 to Tivoli Identity Manager 5.1, it is necessary to clear out the Service Integration Bus (SIB) data from the restored database.

• For DB2 servers, see “Clearing the service integration bus” on page 7.
• For Microsoft SQL servers, see “Clearing the service integration bus” on page 14.


Running the ldapUpgrade and DBUpgrade commands to migrate directory and database data

After importing the directory and database data on the new production environment, run the ldapUpgrade and DBUpgrade utilities to upgrade imported data to the Tivoli Identity Manager Version 5.1 level. Depending on the size of the data pool, this process can take some time. To confirm the upgrade has completed, you can check the DBUpgrade.stdout and ldapUpgrade.stdout log files located in the NEW_ITIM_HOME\install_logs directory.

To upgrade LDAP, run the following command:

• Windows: NEW_ITIM_HOME\bin\ldapUpgrade
• UNIX/Linux: NEW_ITIM_HOME/bin/ldapUpgrade

To upgrade the database, run the following command:

• Windows: NEW_ITIM_HOME\bin\DBUpgrade
• UNIX/Linux: NEW_ITIM_HOME/bin/DBUpgrade

If you are running Tivoli Identity Manager in a cluster environment, the ldapUpgrade and DBUpgrade commands should be run on the system where the network deployment manager resides.

If Sun ONE Directory Server is used, you need to re-index the directory server. For more information, see “Restarting and re-indexing Sun Enterprise Directory Server Version 6.3” on page 25.

Starting WebSphere Application Server

When you have completed running ldapUpgrade and DBUpgrade with the imported data, start WebSphere Application Server to complete the production cutover.

To start WebSphere Application Server on the new production environment, run the following commands:

• Windows

    "WAS_PROFILE_HOME\bin\startServer.bat" servername

• UNIX/Linux

    WAS_PROFILE_HOME/bin/startServer.sh servername

New production environment post-cutover tasks

Once you have completed the production cutover, you need to complete some post-cutover tasks.

Restarting and re-indexing Sun Enterprise Directory Server Version 6.3

If you migrated data from Sun ONE Directory Server, after the Tivoli Identity Manager Version 5.1 configuration is completed, you must stop Tivoli Identity Manager, restart your directory server and then re-index, otherwise Tivoli Identity Manager cannot connect to the directory server after restart.

To re-index Sun Enterprise Directory Server, complete these steps:

1. From the Sun Enterprise Directory Server console, click the Configuration tab.
2. Select the directory server, open the Data tree, click on the exported root suffix and select Reindex.


3. Select Check All and click OK.

Cleaning up the LDAP recycle bin

If the enrole.recyclebin.enable property from enRole.properties is set to false, ensure the recycle bin is empty in LDAP. If this property is set to false and the recycle bin contains deleted entries after the upgrade, the entries that have been deleted from previous version of Tivoli Identity Manager appear in the Tivoli Identity Manager Version 5.1 user interface when searching for entries. If this problem exists then you need to delete all the entries from the recycle bin in LDAP server or set this property to true.

For more information about emptying the recycling bin, refer to the IBM Tivoli Identity Manager Performance Tuning Guide.

Verifying the data migration after configuration

When you have completed the configuration, you should verify the data migration. For more information, see “Verifying the installation” on page 26.

Tuning performance

Once you have completed verifying the new system, you should apply performance tunings to confirm that the new system meets your performance requirements. For more information, see “Tuning performance” on page 26.


Appendix A. Post migration troubleshooting and known issues

This appendix provides information on known issues once the migration has completed and provides tips for troubleshooting.

Known issues for migrating to Tivoli Identity Manager Version 5.1

The following issues are known to occur after performing an upgrade to Tivoli Identity Manager Version 5.1:

• The "homepage" attribute remains on the Tivoli Identity Manager account form after the upgrade.
  This attribute has no meaning in Tivoli Identity Manager Version 5.1 and its presence has no adverse impact on the functioning of Tivoli Identity Manager. If you want to remove this attribute from the user interface, you can remove the field using the form designer. This issue occurs for Tivoli Identity Manager Version 4.6 upgrades.

• In Tivoli Identity Manager versions 4.6 and earlier, the eralias attribute was the default basis for the global adoption policy. After version 5.0 the global adoption policy is based on the UID attribute. If you are upgrading to Tivoli Identity Manager version 5.1 from version 4.6 or earlier, you need to preserve the existing adoption policy.

• Some default data specific to Tivoli Identity Manager Version 5.1 are not loaded at upgrade time.
  For example, default access control items (ACIs) are not loaded. This is done to prevent interference with ACIs from previous versions. This issue occurs for both Tivoli Identity Manager Version 4.6 and Version 5.0 upgrades.

• If services point to a file on the file system, for example an identity feed, it is important to copy that file to the new Tivoli Identity Manager Version 5.1 server and update the service to point to the new file location on the Tivoli Identity Manager Version 5.1 server. This book only instructs you to copy over the contents of the OLD_ITIM_HOME directory.

• Before upgrade, ensure no reports are using the GetDN function on any attributes other than the provisioning policy attributes erPolicyMembership or erPolicyTarget. This database function is only intended for those two attributes. In Tivoli Identity Manager Version 5.1, the GetDN function is no longer needed and will not work for other attributes, and the report will be invalid and will not parse successfully. This issue extends to custom reports.

• You might encounter the following error restoring the DB2 Universal Database in Windows:

    SQL2519N The database was restored but the restored database was not migrated to the current release. Error "-1704" with tokens "3" is returned.

  If this issue occurs, run the following commands to correct the issue:

    update db cfg for itimdb using LOGFILSIZ 1000
    update db cfg for itimdb using LOGPRIMARY 30
    update db cfg for itimdb using LOGSECOND 20
    migrate db itimdb

  where itimdb is the database name for Tivoli Identity Manager. For more information on this error, refer to the DB2 information center.


  http://publib.boulder.ibm.com/infocenter/db2luw/v9/index.jsp

• Because of differences between FESI and the IBM JavaScript Engine, some of the JavaScript that you used from the previous version of Tivoli Identity Manager might not return anything after the upgrade, because the IBM JavaScript Engine needs an explicit return statement. For more information, see the IBM Tivoli Identity Manager Information Center.

• Some example classes from the extensions directory do not compile upon completion of the upgrade, due to changes in the class and package names.

• When installing in a clustered environment, the installation process might return the following message in the ITIM_HOME\install_logs\runConfig.stdout directory:

    WASX7017E: Exception received while running file
    "C:\Program Files\IBM\itim\config\was\setEVCluster.jacl";
    exception information:
    com.ibm.websphere.management.exception.ConfigServiceException
    java.lang.reflect.UndeclaredThrowableException:
    java.lang.reflect.UndeclaredThrowableException

  If this happens, verify that the WebSphere Application Server environment variables are defined correctly for the cluster member.

    1. Verify that the NodeAgent and Deployment Manager are running.
    2. Verify that the WebSphere Application Server nodes are synchronized.
    3. Run the ITIM_HOME\bin\runConfig -install program for the cluster member.


Appendix B. Support information

If you have a problem with your IBM software, you want to resolve it quickly. This section describes the following options for obtaining support for IBM software products:

• “Using IBM Support Assistant”
• “Obtaining fixes” on page 38
• “Receiving weekly support updates” on page 38
• “Contacting IBM Software Support” on page 39

Using IBM Support Assistant

The IBM Support Assistant is a free, standalone application that you can install on any workstation. You can then enhance the application by installing product-specific plug-in modules for the IBM products you use.

The IBM Support Assistant saves you time searching product, support, and educational resources. The IBM Support Assistant helps you gather support information when you need to open a problem management record (PMR), which you can then use to track the problem.

The product-specific plug-in modules provide you with the following resources:

• Support links
• Education links
• Ability to submit problem management reports

For more information, see the IBM Support Assistant Web site at http://www.ibm.com/software/support/isa/

To go directly to the product-specific URL for your product, see

If your product does not use IBM Support Assistant, use the links to support topics in your information center. In the navigation frame, check the links for resources listed in the ibm.com® and related resources section where you can search the following resources:

• Support and assistance (includes search capability of IBM technotes and IBM downloads for interim fixes and workarounds)
• Training and certification
• IBM developerWorks
• IBM Redbooks
• General product information

If you cannot find the solution to your problem in the information center, search the following Internet resources for the latest information that might help you resolve your problem:

• Forums and newsgroups
• Google.com


Obtaining fixes

A product fix might be available to resolve your problem. To determine what fixes are available for your IBM software product, follow these steps:

1. Go to the IBM Software Support Web site at http://www.ibm.com/software/support.
2. Under Find product support, click All IBM software (A-Z). This opens the software product list.
3. In the software product list, find Tivoli Identity Manager and click Support. This opens the Tivoli Identity Manager support site.
4. Under Solve a problem, click APARs to go to a list of fixes, fix packs, and other service updates for Tivoli Identity Manager.
5. Click the name of a fix to read the description and optionally download the fix. You can also search for a specific fix; for tips on refining your search, click Search tips.
6. In the Downloads & drivers search section, select one software category from the Category list.
7. Select one product from the Sub-category list.
8. Type more search terms in the Search within Download if you want to refine your search.
9. Click Search.
10. From the list of downloads returned by your search, click the name of a fix to read the description of the fix and to optionally download the fix.

For more information about the types of fixes that are available, see the IBM Software Support Handbook at http://techsupport.services.ibm.com/guides/handbook.html.

Receiving weekly support updates

To receive weekly e-mail notifications about fixes and other software support news, follow these steps:

1. Go to the IBM Software Support Web site at http://www.ibm.com/software/support.
2. Click My support in the far upper-right corner of the page under Personalized support.
3. If you have already registered for My support, sign in and skip to the next step. If you have not registered, click register now. Complete the registration form using your e-mail address as your IBM ID and click Submit.
4. Click Edit profile.
5. In the Products list, select Software. A second list is displayed.
6. In the second list, select a product segment, for example, Systems management. A third list is displayed.
7. In the third list, select a product sub-segment, for example, Application Performance & Availability. A list of applicable products is displayed.
8. Select the products for which you want to receive updates.
9. Click Add products.
10. After selecting all products that are of interest to you, click Subscribe to email on the Edit profile tab.
11. Select Please send these documents by weekly email.


12. Update your e-mail address as needed.13. In the Documents list, select Software.14. Select the types of documents that you want to receive information about.15. Click Update.

If you experience problems with the My support feature, you can obtain help in one of the following ways:

Online
Send an e-mail message to [email protected], describing your problem.

By phone
Call 1-800-IBM-4YOU (1-800-426-4968).

Contacting IBM Software Support

IBM Software Support provides assistance with product defects.

Before contacting IBM Software Support, your company must have an active IBM software maintenance contract, and you must be authorized to submit problems to IBM. The type of software maintenance contract that you need depends on the type of product you have:

- For IBM distributed software products (including, but not limited to, Tivoli, Lotus®, and Rational® products, as well as DB2 and WebSphere products that run on Windows, or UNIX operating systems), enroll in Passport Advantage® in one of the following ways:

  Online
  Go to the Passport Advantage Web site at http://www-306.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm.

  By phone
  For the phone number to call in your country, go to the IBM Software Support Web site at http://techsupport.services.ibm.com/guides/contacts.html and click the name of your geographic region.

- For customers with Subscription and Support (S & S) contracts, go to the Software Service Request Web site at https://techsupport.services.ibm.com/ssr/login.

- For customers with IBMLink, CATIA, Linux, OS/390®, iSeries®, pSeries®, zSeries®, and other support agreements, go to the IBM Support Line Web site at http://www.ibm.com/services/us/index.wss/so/its/a1000030/dt006.

- For IBM eServer™ software products (including, but not limited to, DB2 and WebSphere products that run in zSeries, pSeries, and iSeries environments), you can purchase a software maintenance agreement by working directly with an IBM sales representative or an IBM Business Partner. For more information about support for eServer software products, go to the IBM Technical Support Advantage Web site at http://www.ibm.com/servers/eserver/techsupport.html.

If you are not sure what type of software maintenance contract you need, call 1-800-IBMSERV (1-800-426-7378) in the United States. From other countries, go to the contacts page of the IBM Software Support Handbook on the Web at http://techsupport.services.ibm.com/guides/contacts.html and click the name of your geographic region for phone numbers of people who provide support for your location.

To contact IBM Software support, follow these steps:


1. “Determining the business impact”
2. “Describing problems and gathering information”
3. “Submitting problems”

Determining the business impact

When you report a problem to IBM, you are asked to supply a severity level. Therefore, you need to understand and assess the business impact of the problem that you are reporting. Use the following criteria:

Severity 1
The problem has a critical business impact. You are unable to use the program, resulting in a critical impact on operations. This condition requires an immediate solution.

Severity 2
The problem has a significant business impact. The program is usable, but it is severely limited.

Severity 3
The problem has some business impact. The program is usable, but less significant features (not critical to operations) are unavailable.

Severity 4
The problem has minimal business impact. The problem causes little impact on operations, or a reasonable circumvention to the problem was implemented.

Describing problems and gathering information

When describing a problem to IBM, be as specific as possible. Include all relevant background information so that IBM Software Support specialists can help you solve the problem efficiently. To save time, know the answers to these questions:

- What software versions were you running when the problem occurred?
- Do you have logs, traces, and messages that are related to the problem symptoms? IBM Software Support is likely to ask for this information.
- Can you recreate the problem? If so, what steps were performed to recreate the problem?
- Did you make any changes to the system? For example, did you make changes to the hardware, operating system, networking software, and so on.
- Are you currently using a workaround for the problem? If so, be prepared to explain the workaround when you report the problem.

Submitting problems

You can submit your problem to IBM Software Support in one of two ways:

Online
Click Submit and track problems on the IBM Software Support site at http://www.ibm.com/software/support/probsub.html. Type your information into the appropriate problem submission form.

By phone
For the phone number to call in your country, go to the contacts page of the IBM Software Support Handbook at http://techsupport.services.ibm.com/guides/contacts.html and click the name of your geographic region.

If the problem you submit is for a software defect or for missing or inaccurate documentation, IBM Software Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Software Support provides a workaround that you can implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the Software Support Web site daily, so that other users who experience the same problem can benefit from the same resolution.


Appendix C. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.


Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.


Glossary

A

access. (1) The ability to read, update, delete, or otherwise use a resource. Access to protected resources is usually controlled by system software. (2) The ability to use data that is stored and protected on a computer system.

access control. In computer security, the process of ensuring that users can access only those resources of a computer system for which they are authorized.

access control list. In computer security, a list that is associated with a resource that identifies all the principals that can access the resource and the permissions for those principals. See also permission and principal.

access control item (ACI). Data that (a) identifies the permissions of principals and (b) is assigned to a resource.

account. An entity that contains a set of parameters that define the application-specific attributes of a principal, which include the identity, user profile, and credentials.

ACI target. The resource for which you define the access control items. For example, an ACI target can be a service.

activity. In a workflow, the smallest unit of work. When a request requires approval, information, or additional actions, the workflow for that request generates the appropriate activities that are presented in the appropriate users’ to-do lists. See also workflow.

adapter. (1) A set of software components that communicate with an integration broker and with applications or technologies in order to perform tasks, such as executing application logic or exchanging data. (2) A transparent, intermediary software component that allows different software components with different interfaces to work together.

administrative domain. A logical collection of resources that is used to separate responsibilities and manage permissions. See also permission.

adopt. To assign an orphan account to the appropriate owner. See also orphan account.

adoption rules. The set of rules that determine which orphan accounts belong to which owners. See also orphan account.

agent. A process that manages target resources on behalf of a system such that the system can respond to requests.

aggregate message. A collection of notification messages that are combined into a single e-mail, along with optional user defined text.

alias. In identity management, an identity for a user, which might match the user ID. The alias can be used during reconciliation to determine who owns the account. A person can have several aliases, for example, GSmith, GWSmith, and SmithG.

application server. A server program in a distributed network that provides the execution environment for an application program.

application user administrator. A type of person who uses Tivoli Identity Manager to set up and administer (a) the services that are managed by Tivoli Identity Manager or (b) the Tivoli Identity Manager users of those services.

approval. A type of workflow activity that allows someone to approve or reject a request. See also workflow.

audit trail. A chronological record of events or transactions. You can use audit trails for examining or reconstructing a sequence of events or transactions, managing security, and for recovering lost transactions.

authentication. The process of verifying that an entity is the entity that it claims to be, often by verifying a user ID and password combination. Authentication does not identify the permissions that a person has in the system. See also authorization.

authorization. The process of granting a user, system, or process either complete or restricted access to an object, resource, or function. See also authentication.

authorization owner. A user who can manage access control items (ACIs) for a resource.

C

certificate. In computer security, a digital document that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority and is digitally signed by that authority. See also certificate authority.

Certificate Authority (CA). An organization that issues certificates. The CA authenticates the certificate owner’s identity and the services that the owner is authorized to use, issues new certificates, renews existing certificates, and revokes certificates that belong to users who are no longer authorized to use them.

challenge-response authentication. An authentication method that requires users to respond to a prompt by providing information to verify their identity when they log in to the system. For example, when users forget their password, they are prompted (challenged) with a question to which they must provide an answer (response) in order to either receive a new password or receive a hint for specifying the correct password.

comma separated values (CSV) file. See CSV file.

Common Criteria. A standardized method, which is used by international governments, the United States federal government, and other organizations, for expressing security requirements in order to assess the security and assurance of technology products.

connector. A plug-in that is used to access and update data sources. A connector accesses the data and separates out the details of data manipulations and relationships. See also adapter.

credentials. Authentication information that is associated with a principal. See also authentication and principal.

CSV file. A common type of file that contains data that is separated by commas.

D

DAML. See Directory Access Markup Language.

data model. A description of the organization of data in a manner that reflects the information structure of an enterprise.

data warehouse. (1) A subject-oriented collection of data that is used to support strategic decision making. (2) A central repository for all or significant parts of the data that an organization’s business systems collect.

delegate (noun). The user who is designated to approve requests or provide information for requests for another user.

delegate (verb). (1) To assign all or a subset of administrator privileges to a user, such that the user can perform all or a subset of administrator activities for a specific set of users. (2) To designate a user to approve requests or provide information for requests for another user.

delegate administrator. The user who has all or a subset of administrator privileges over a specific set of users.

delegate administration. The ability to apply all or a subset of administrator privileges to another user (the delegate administrator), such that the user can perform all or a subset of administrator activities for a specific set of the users.

deprovision. To remove a service or component. For example, to deprovision an account means to delete an account from a resource. See also provision.

digital certificate. An electronic document that is used to identify an individual, server, company, or some other entity, and to associate a public key with the entity. A digital certificate is issued by a certification authority and is digitally signed by that authority. See also Certificate Authority.

Directory Access Markup Language (DAML). An XML specification that extends the functions of Directory Services Markup Language (DSML) 1.0 in order to represent directory operations. In Tivoli Identity Manager, DAML is mainly used for server to agent communications. See also Directory Services Markup Language v2.0.

directory server. A server that can add, delete, change, or search directory information on behalf of a client.

Directory Services Markup Language v1.0 (DSMLv1). An XML implementation that describes the structure of data in a directory and the state of the directory. DSML can be used to locate data into a directory. DSMLv1 is an open standard defined by OASIS. See also Directory Services Markup Language v2.0.

Directory Services Markup Language v2.0 (DSMLv2). An XML implementation that describes the operations that a directory can perform (such as how to create, modify, and delete data) as well as the results of those operations. Whereas DSMLv1 can be used to describe the structure of data in a directory, DSMLv2 can be used to communicate with other products about that data. DSMLv2 is an open standard defined by OASIS. See also Directory Services Markup Language v1.0.

distinguished name (DN and dn). The name that uniquely identifies an entry in a directory. A distinguished name is made up of name-component pairs. For example:

cn=John Doe,o=My Organization,c=US

domain administrator. The owner of an administrative domain. See also administrative domain.

dynamic content tags. A set of XML tags (based on the XML Text Template Language (XTTL) schema) that enables the administrator to provide customized information in a message, notification, or report. See also XML Text Template Language.

dynamic organizational role. An organizational role that is assigned to a person by using an LDAP filter. When a user is added to the system and the LDAP filter parameters are met, the user is automatically added to the dynamic organizational role. See also organizational role.

E

entitlement. In security management, a data structure, service, or list of attributes that contains externalized security policy information.

entitlement workflow. A workflow that defines the business logic that is used when provisioning a policy. For example, an entitlement workflow is used to define approvals for managing accounts. See also workflow.

entity. An object about which you want to store information or manage. For example, a person and an account are both entities.

entity type. Categories of managed objects. See also entity.

escalation. The process that defines what happens and who acts when an activity was not completed in the specified amount of time.

escalation limit. The amount of time, for example, hours or days, that a participant has to respond to a request, before an escalation occurs. See also escalation.

event. The encapsulated data that is sent as a result of an occurrence, or situation, in the system.

F

failover. An automatic operation that switches to a redundant or standby system in the event of a software, hardware, or network interruption.

FESI. See Free EcmaScript Interpreter.

FESI extension. A Java extension that can be used to enhance JavaScript™ code and then be embedded within a FESI script.

Free EcmaScript Interpreter (FESI). An implementation of the EcmaScript scripting language, which is an ISO standard scripting language that is similar to the JavaScript scripting language.

G

group. A collection of Tivoli Identity Manager users.

H

help desk assistant. A person who uses Tivoli Identity Manager to assist users and managers with managing their accounts and passwords.

I

identity. The subset of profile data that uniquely represents a person or entity and that is stored in one or more repositories.

identity feed. The automated process of creating one or more identities from one or more common sources of identity data.

identity policy. The policy that defines the user ID to be used when creating an account for a user.

IIOP (Internet Inter-ORB Protocol). A protocol used for communication between Common Object Request Broker Architecture (CORBA) object request brokers.

ITIM group. A list of Tivoli Identity Manager accounts. Membership within an ITIM group determines the access to data within Tivoli Identity Manager.

ITIM user. A user who has a Tivoli Identity Manager account.

J

Java Database Connectivity. See JDBC.

JDBC (Java Database Connectivity). An industry standard for database-independent connectivity between the Java platform and a wide range of databases. The JDBC interface provides a call-level API for SQL-based and XQuery-based database access.

join directive. The set of rules that define how to handle attributes when two or more provisioning policies are applied. Two or more policies might have overlapping scope, so the join directive specifies what actions to take when this overlap occurs.

L

LDAP (Lightweight Directory Access Protocol). An open protocol that uses TCP/IP to provide access to directories that support an X.500 model and that does not incur the resource requirements of the more complex X.500 Directory Access Protocol (DAP). For example, LDAP can be used to locate people, organizations, and other resources in an Internet or intranet directory.

LDAP Data Interchange Format. See LDIF.

LDAP directory. A type of repository that stores information on people, organizations, and other resources and that is accessed using the LDAP protocol. The entries in the repository are organized into a hierarchical structure, and in some cases the hierarchical structure reflects the structure or geography of an organization.


LDAP filter. A search filter that narrows the results from an LDAP search.

LDIF (LDAP Data Interchange Format). A file format that is used to describe directory information as well as changes that need to be applied to a directory, such that directory information can be exchanged between directory servers that are using LDAP.

life cycle. Passage or transformation through different stages over time. For example markets, brands and offerings have life cycles.

life cycle rules. A set of rules in a policy that determine which operations to use when automatically handling commonly occurring events, such as suspending an account that has been inactive for a period of time.

Lightweight Directory Access Protocol. See LDAP.

location. An entity that is a subdivision of an organization, usually based on geographical area.

M

mail. A type of workflow activity that sends a notification to one or more users about a request.

managed resource. An entity that exists in the runtime environment of an IT system and that can be managed.

manager. A type of person who uses Tivoli Identity Manager to manage their own accounts and passwords or the accounts and passwords of those people that they supervise.

manual service. A type of service that requires manual intervention by the service owner to complete the provisioning request.

N

namespace. (1) The set of unique names that a service recognizes. (2) Space reserved by a file system to contain the names of its objects.

nested group. A group that is contained within another group. See also group.

notification. A message that is sent to users or systems that indicates that a change was made that might be of interest to the receiver.

O

object class. (1) The specific type of object, or subcategory of classes, that an access control item can protect. For example, if the protection category is account, then the object class can be the type of account, such as an LDAP user account. See also protection category. (2) An entity that defines the schema for a service or an account.

operation. A specific action (such as add, multiply, or shift) that the computer performs when requested.

operational workflow. A workflow that defines the lifecycle process for accounts, persons, and other entities. See also workflow.

organization. A hierarchical arrangement of organizational units, such that each user is included once and only once. See also organizational unit.

organization tree. A hierarchical structure of an organization that provides a logical place to create, access, and store organizational information.

organizational container. An organization, organizational unit, location, business partner unit, or administration domain.

organizational role. In identity management, a list of account owners that is used to determine which entitlements are provisioned to them. See also dynamic organizational role and static organizational role.

organizational unit. A type of organizational container that represents a department or similar grouping of people.

orphan account. On a managed resource, an account whose owner cannot be automatically determined by the provisioning system.

P

participant. In identity management, an individual, a role, a group, or a JavaScript script that has the authority to respond to a request that is part of a workflow. See also workflow.

password. In computer and network security, a specific string of characters that is used by a program, computer operator, or user to access the system and the information stored within it.

password retrieval. In identity management, the method of retrieving a new or changed password by accessing a designated Web site and specifying a shared secret. See also shared secret.

password strength rules. The set of rules that a password must conform to, such as the length of the password and the type of characters that are allowed (or not allowed) in the password.

password policy. A policy that defines the password strength rules. A password strength policy is applied whenever a password is set or modified. See also password strength rules.


password synchronization. The process ofcoordinating passwords across services and systemssuch that only a single password is needed to accessthose multiple services and systems.

permission. Authorization to perform activities, suchas reading and writing local files, creating networkconnections, and loading native code.

person. An individual in the system that has a personrecord in one or more corporate directories.

personal profile. The data that describes a user withinthe system, such as the user name, password, contactinformation, and so on.

plug-in. A software module that adds function to anexisting program or application.

policy. A set of considerations that influence thebehavior of a managed resource or a user.

post office. A component that collects notificationsfrom the appropriate workflow activities anddistributes those notifications to the appropriateworkflow participants.

principal. (1) A person or group that has been grantedpermissions. (2) An entity that can communicatesecurely with another entity.

privilege. See permission.

profile. Data that describes the characteristics of auser, group, resource, program, device, or remotelocation.

protection category. The category of classes that anaccess control item can protect. For example, accountsor persons. See also object class.

provision. (1) In identity management, to set up andmaintain the access of a user to a system. (2) In identitymanagement, to create an account on a managedresource.

provisioning. In identity management, the process ofproviding, deploying, and tracking a service orcomponent.

provisioning policy. A policy that defines the accessto various managed resources, such as applications oroperating systems. Access is granted to all users, userswith a specific role, or users who are not members of aspecific role.

Rrecertification. The process of validating and possiblyupdating your credentials with a system, usually after aspecified time interval.

recertification policy. A policy that defines the lifecycle rule for automatically validating accounts andusers in the provisioning system after a certain periodof time. See also life cycle rules.

reconciliation. The process of synchronizing data in acentral data repository with data on a managedresource.

registration. The process of accessing a system andrequesting an account on that system.

registry. A repository that contains access andconfiguration information for users, systems, andsoftware.

relationship. A defined association between two ormore data entities, which is used when defining a FreeEcmaScript Interpreter (FESI) extension or whencustomizing the graphical user interface.

relevant data. The data that is used to complete a workflow activity in a workflow operation at runtime. See also workflow.

repository. A persistent storage area for data and other application resources. Common types of repositories are databases, directories, and file systems.

request. The item that initiates a workflow and instigates the various activities of a workflow. See also workflow.

request for information (RFI). A workflow activity that requests additional information from the specified participant. See also workflow.

resource. A hardware, software, or data entity. See also managed resource.

restore. To activate an account that was suspended.

rights. See permission.

rule. A set of conditional statements that enable computer systems to identify relationships and issue automated responses accordingly.

S

schema. The fields and rules in a repository that comprise a profile. See also profile.

scope. In identity management, the set of entities that a policy or an access control item (ACI) can affect.

Secure Sockets Layer (SSL). A security protocol that provides communication privacy. With SSL, client/server applications can communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery.


security. The protection of data, system operations, and devices from accidental or intentional ruin, damage, or exposure.

security administrator. A type of person who sets up and administers Tivoli Identity Manager for users, managers, help desk assistants, and application user administrators.

self-registration. See registration.

service. A representation of a managed resource, application, database, or system.

service owner. An individual who uses Tivoli Identity Manager to set up and administer the accounts on the services that are managed by Tivoli Identity Manager. See also service.

service selection policy. A policy that determines which service to use in a provisioning policy. See also provisioning policy.

service type. A category of related services that share the same schemas. See also service.

shared secret. An encrypted value that is used to retrieve the initial password of a user. This value is defined when the personal information for the user is initially loaded into the system.

single sign-on (SSO). The ability of a user to log on once and access multiple applications without having to log on to each application separately.

static organizational role. An organizational role that is manually assigned to a person. See also organizational role.

supervisor. A role that identifies the person who supervises another set of users and who is often responsible for approving or rejecting requests that are made by those users.

suspend. To deactivate an account so that the account owner cannot access the service.

system administrator. An individual who is responsible for the configuration, administration, and maintenance of Tivoli Identity Manager.

T

tenant. In a hosted service environment, a virtual enterprise instance of an application. Each tenant can share directory servers or relational databases while remaining completely separate service instances.

to-do list. A collection of outstanding activities. See also activity.

topic. The subject of a notification message, which allows messages to be grouped together based on the same task.

transition. A connection between two workflow elements. See also workflow.

U

universally unique identifier (UUID). The 128-bit numerical identifier that is used to ensure that two entities do not have the same identifier. The identifier is unique for all space and time.

user. (1) Any individual, organization, process, device, program, protocol, or system that uses the services of a computing system. (2) The individual who uses Tivoli Identity Manager to manage their accounts and passwords.

V

view. A collection of various graphical user interfaces for a product that represent the set of tasks that a particular type of user is allowed to perform. Administrators can customize views to contain different collections of graphical user interfaces.

W

workflow. The sequence of activities performed in accordance with the business processes of an enterprise. See also activity.

work order. A workflow activity that requires a participant to perform an activity outside of the scope of the system. See also workflow.

X

XML Text Template Language (XTTL). An XML schema that provides a means for representing dynamic content within a message, notification, or report. The XML tags are also called dynamic content tags. See also dynamic content tags.


Program Number: 5724–C34

Printed in USA

GC27-2412-01