Monday, October 30, 2006

On Track - ITIM 4.6

My ITIM installation is going much better now that I've had a chance to start from scratch a few times. VMWare is so invaluable here. I've got a clean Linux server with all the ITIM software downloaded and extracted. I created separate directories for all the components so that everything we need is easy to find. I'm running SLES 9 with Service Pack 3 applied as recommended by at least some of the components.

The DB2 install went great the 3rd time I tried it. Looking back now I think one of my problems was caused by applying Fix Pack 1 for DB2 V8.2. The fix pack installed just fine, however I believe I forgot to update the instance I had created prior to installing the fix pack. The stupid thing is that the error message you get when you try to start db2 does not give you any clue that the fix pack had anything to do with it. You have to run db2iupdt on each instance after applying a fix pack. It sure would be nice if IBM would just make that automatic when applying the fix pack in the first place. Anyhow, there is probably good reason for the way it works.

Once I was past all the DB2 stuff, the next component to install was TDS 6.0. There are a few other gotchas with TDS, but for the most part if you follow the instructions carefully it will work pretty well. There are quite a few steps to do this right, and for TIM you have to configure the referential integrity plug-in towards the end. A few of these steps can really cause you problems if you don't plan ahead and document things properly. Before installing any software I had already created all the user accounts I needed for the DB2 Admin, the TIM user, TIM Instance owner, and the TDS Instance owner. I documented each beforehand so that during the install things would not get confused. So far so good. I'm at least part of the way through this. WAS is next and then TIM after that.

I'm documenting all the steps as I go and capturing screenshots as well. I'll call these my "newbie" ITIM instructions. Maybe they will benefit someone in the future. I'll post them as soon as I get through this and clean them up. So far the instructions are already 45 pages long, but there are quite a few screenshots.

Thursday, October 26, 2006

Don't sneeze.... Don't even blink....

Round two. Second verse, same as the first. I got nowhere with my TIM server since the TDS part of my installation just tanked. Not sure what the problem was, but since the TDS server would not start in anything but config-only mode and I could not add the suffix to the directory, I decided to attempt to remove the database and instance, then reconfigure. This just kept getting worse and worse. I tried using the idsxinst tool and it looks like somehow I may have removed the instance without the database. And once that was done, there was no way to get rid of the database from what I could tell. If I re-installed TDS and tried to create another instance and database with the same name, this failed. I decided it was time to start over.

Gotta love VMWare. Thankfully I simply reverted to my snapshot and I was back in business. Only I had to install Firefox and then the java plugin so that I could use the IBM download director to download all the Tivoli code again.

Once I got all the code again I took another snapshot so that will save me time if I end up back at the beginning again.

So this is attempt #2.

A.) All my user accounts are already created:

db2inst1 for the ITIM Instance
enrole for the ITIM user
db2admin for the db2 admin account
db2fenc1 for the db2 fenced account
idsldap for the TDS instance

B.) Installed db2 8.2

This went fine. I configured the db2inst1 instance and the install completed successfully.

C.) Next, I logged in as db2inst1 and ran the db2fs (First Start). Just for kicks, I ran the Control Center just to make sure things looked like they were installed right.

D.) Then I installed the db2 8.2 fixpack 1. This went well.

E.) Now is where the fun began. Time to create the TIM database. My db name will be itimdb.

So you log in as the instance owner (in my case db2inst1).
Then type db2 at the prompt. This will put you in the db2 Command Line Interface (CLI).

F.) Now I'm supposed to type:

db2 => create db itimdb using codeset UTF-8 territory US

What I actually typed was
db2 => create db intimdb using codeset UTF-8 territory US

And I saw this the moment I hit Enter, and just instinctively I hit Ctrl-C or something to that effect and exited the CLI.

People, this is not good as I found out about 15 minutes later.

I typed db2 again at the prompt so I was right back in the CLI.

This time I typed what I was supposed to type and it worked just fine:

db2 => create db itimdb using codeset UTF-8 territory US

Next, I had to type a few more commands to setup the database:
db2 => update db cfg for itimdb using applheapsz 2048
db2 => update db cfg for itimdb using app_ctl_heap_sz 1024

Again, both of those commands went successfully.

Now it was time to stop and start db2. NOT.

Stopping db2 was fine, but when I tried to start db2 here's what I got:

10/26/2006 21:10:26 0 0 SQL1042C An unexpected system error occurred.
SQL1032N No start database manager command was issued. SQLSTATE=57019

This was about the point I wanted to scream, which is why I say don't sneeze and don't blink when you are setting this stuff up. It seems that one wrong move and you just blew up your database. I've looked at the db2diag.log file for some help and it basically shows some severe entries on the intimdb. It seems that maybe my whole instance is hosed. I've tried a lot of things so far, but nothing I do seems to make a difference.

I may just be getting set to start all over again.

Maybe the 3rd time will be a charm?
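The database steps from this post, as an added example that is not from the original post: one checked shell script that types the database name once, verifies each command's return code, and stops at the first failure rather than interrupting a half-finished CLP session. It assumes it runs as the instance owner (db2inst1 in the post) with db2, db2stop and db2start on PATH; the 8-character name rule is DB2's, and the values are the post's own.

```shell
#!/bin/sh
# Added example (not the post's own code): create and configure the ITIM
# database as one checked script. Assumes the instance owner's db2profile
# is sourced so that db2, db2stop and db2start are on PATH.
set -u

DBNAME="${1:-itimdb}"   # the database name from the post, typed exactly once

# DB2 database names are at most 8 characters and must start with a letter.
valid_dbname() {
    case "$1" in
        [A-Za-z]*) [ "${#1}" -le 8 ] ;;
        *) return 1 ;;
    esac
}

# Succeeds if the database is already catalogued in this instance.
db_exists() {
    db2 list db directory 2>/dev/null |
        grep -i "^ *Database name *= *$1\$" >/dev/null
}

# Run one CLP command and report the exact command that failed.
step() {
    db2 "$@" || { echo "FAILED: db2 $*" >&2; return 1; }
}

# Create and configure the database, then recycle the instance so the new
# configuration takes effect. Returns 0 on success, 2 if the database already
# exists (so a re-run never creates a second one), 1 on any other failure.
create_itim_db() {
    name="$1"
    valid_dbname "$name" || { echo "invalid database name: $name" >&2; return 1; }
    if db_exists "$name"; then
        echo "database $name already exists; refusing to create it again" >&2
        return 2
    fi
    step create db "$name" using codeset UTF-8 territory US &&
        step update db cfg for "$name" using applheapsz 2048 &&
        step update db cfg for "$name" using app_ctl_heap_sz 1024 &&
        step terminate &&
        db2stop && db2start
}

# Only touch the instance when explicitly asked: ITIM_DB_SETUP=1 ./setup.sh itimdb
if [ "${ITIM_DB_SETUP:-0}" = 1 ]; then
    create_itim_db "$DBNAME"
fi
```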

Monday, October 23, 2006

Problem with TDS 6.0

OK, I know this whole install is not starting off well, but I'm sure it's just a couple of oversights on my part somehow. First of all I'm missing a bunch of files from the /opt/ibm/ldap/V6.0/sbin directory, one of them being idscfgdb. I've installed TDS successfully at least 4 or 5 times so this should not be a big deal. I think it's time to go back to the TDS install documentation and try that route unless I can figure out how to fix this. More tomorrow...

Tuesday, October 17, 2006

TIM Server

It's been a few days since I've posted, but with the weather-related issues going on around here there's not much to talk about besides the weather. The past few days I've continued to work on getting TIM installed on our test server. I'm just installing everything on one Linux server for now just to try and keep it simple. Yet, this so far has not been so simple. DB2 installed OK it appears, but then when I got to the steps to install TDS things started going south. I sent this to IBM Tech Support just to get another set of eyes on the problem.

I'm following the instructions for installing ITIM 4.6, more specifically the IBM Tivoli Identity Manager: Server Installation and Configuration Guide for WebSphere Environments. So far this experience has left little to be desired. Chapter 2: Installing and configuring a database was not too bad. We installed DB2 successfully although the step to run db2fs does not work. We just got an error. I forged ahead and successfully created a database for ITIM and db2 started up ok etc...

Next the instructions say to install TDS 6.0. This code came from the Passport site bundled with ITIM 4.6. It's included with one of the supplemental packages. When installing TDS it saw that DB2 was already installed. This process allowed me to create an instance (idsldap) and it automatically created a Linux user and group with the same name. Next, I applied FP 00003 which I downloaded from the support web site. At this point the instructions say to stop and start LDAP using ibmdirctrl -D admindn -w adminpw -h hostname -p port, etc.... This doesn't work. It just says something like "can't contact the ldap" or something like that. Also in the instructions it says to create the suffix using idscfgsuf. This doesn't work either. I can't even find any file on the Linux machine with this name at all. While the instructions don't say to do this, I opted to try creating the suffix using idsxcfg instead. This worked just fine as I've done it this way in the past. Finally, since starting the LDAP does not work using ibmdirctrl, I instead started up LDAP using idsslapd -I idsldap. This worked, but the LDAP would only start in configuration-only mode. Now I figured that maybe this is because the suffix name still has to be added to the directory. So next, according to the instructions, it says to make an ldif of my suffix and do an ldapadd. This too fails. Then I figured instead I'll try starting up the web administration tool and add it that way. Again a failure. The web server starts up, but when I try to web to the server on port 12100 I get a "page cannot be displayed".

My intention was to get an ITIM server up and running to learn it. We are starting the architecture phase of our project in the next 3 weeks, but in the meantime I wanted to learn. My plan for this test system was to install DB2, WAS, TDS, and ITIM all on the same box. Simple enough I figured. How wrong was I about that? I would hope that I don't have to hire an army of IBM professional services staff to install this test system.

Saturday, October 14, 2006

Buffalo gets pounded...

Wow, no one was ready for this one! Thursday evening we left work around 4:00pm. It was snowing, but not too bad. Traffic was slow though and we in my car pool were yelling at the slow pokes who forgot how to drive in the snow. Actually the roads seemed more like it was just raining because the snow wasn't really sticking to the roads yet. It was only 45 degrees or so anyhow. Well as we got into Amherst it just got worse and worse. We stopped at our car pool spot and I cleaned off my car. The snow was so heavy it was like 4 inches of slush with a few inches of powder on top. Instead of going to the gym like I normally would on a Thursday I figured going straight home would be smarter because traffic would just be getting worse the later it got. Good thing too because later that night people all over the Buffalo area started losing power. We were fine at our house so I really didn't think anything of it.

The next morning though it was like Armageddon outside. The snow was just pounding the area and the trees and bushes were being flattened by the heavy slush/snow combination. I got up at about 6:30am thinking that I would still be going to work, but soon figured out everything was shut down. By mid day we saw reports that over 300,000 people were without power. Now usually a power outage in our area might last just a few hours, but the snow was bringing down trees all over Buffalo and the surrounding suburbs and taking power lines with them. I'll have to post some pictures as soon as I find a cable to transfer them off my camera phone. In the meantime pictures can be found:

Thursday, October 12, 2006

How easy is it to change the authoritative sources for Identities?

We had an interesting meeting today regarding our planning of the ITIM architecture. Since we are a service provider the initial goals of our Identity Management project revolve around delivering services to our customers. So we want to provision our customers to the applications they have "signed up for". We call it participation. If a customer participates in a service they are entitled to access a given application. Depending on what type of user is sponsored by that customer, they may have access to do certain things while others have access to do other things. In most normal Identity Management implementations the HR system is authoritative for staff identities. In our case we are building our ITIM with the identities of our customers as well as our own so what is essentially becoming the authoritative source for identities is some system that is easily accessible like an LDAP (Novell, Active Directory, or even Domino) where the bulk of the customer identities exist. But, what if later on we want to change this?

Some parts of our conversation today were about trying to see into the future. Let's say that today we want to deliver our customers to applications. So to do that we connect up to the customers' directory and pull out the Identities and attributes we are interested in to feed the ITIM. Since connecting up to that customers' HR system could be a political issue, going after the identities in the customers' email system or file/print system is easier. Also, since many of these systems are LDAPs the connectors already exist in TDI to detect changes. So we can count on the customers to maintain their users as normal and as users get added or removed from their directories we will detect those changes and take action accordingly in the ITIM.

But, what if later on the customer asks us to provide a complete Identity Management solution for them using our existing ITIM? The relationship with our customers today makes this a likely scenario since we are their primary technology service provider already. Maybe we would rather handle each customer on an individual basis doing a separate identity management project for each with separate ITIMs. Or, maybe it would be better to just architect our ITIM so that if we do choose to provide Identity Management to the customer sites we can do it with one big ITIM. This was one of the more complicated discussion items we are pondering. I think some more answers will flush out in the discovery phases of our Identity and Access Management project, but I thought it would be a good discussion item for the blog.

More fun with DB2...

OK so it really helps to do things right the first time. I finally did in fact install DB2 successfully using the Setup Wizard. Had a little glitch since I never dropped the original instance, but once I realized that we were in business. Still, the db2fs still fails and I think maybe it's a path issue. I think now it's time to read some more documentation. I would have made much more progress than this; however, half of the day I was in meetings. More tomorrow on this.

Wednesday, October 11, 2006

Fun with DB2...

Today I spent most of my day accomplishing very little. Our test environment for Identity and Access Management largely consists of a pretty beefy Dell server with loads of memory. We're running VMWare GSX Server so all of our test servers are VMs. I figured building a Linux server and downloading all the necessary software should be a simple enough task and largely it was except for a few issues getting software.

I am always reminded why the world will be slow to adopt Linux on the desktop. After having the Linux server all set I needed to download all the Tivoli Identity Manager software from the IBM Passport site. It sure would be easier if IBM would make this stuff available via FTP. I generally build my Linux servers to boot to run level 3 since most of its real use does not require a GUI. But when you download all the components needed for ITIM it's about 2.7GB of software and at least 6 or 7 components so using the Download Director is preferred. Problem is that requires the Java plugin for the web browser which in my case is Firefox. Of course with Linux installing this plugin is completely manual. BTW, I'm using SLES 9. OK so finally got beyond that point and downloaded all the software to the server.

Next, try and figure out what software is what when the downloaded files have cryptic names like C485PLZ.tar.gz. The ITIM documentation requires that you install DB2 8, WAS, TDS, and the TIM components. DB2 and WAS need to go first since TIM will need to see that they exist. I'm planning to install everything on a single server for this first test to try and keep things as simple as possible although that's almost funny given this software. My first attempt at installing DB2 essentially failed due to the poor documentation. The DB2 accounts were created and I chose to use the db2 Install script instead of the wizard only because I didn't feel like running X Windows. I figure what the heck, the text mode installer should work fine. Problem is the ITIM documentation didn't specify how to do this so I referred to my handy IBM Press book Understanding DB2. Nice book, but the section on installing DB2 shows you how to install DB2 using the install script, but after you're done nothing works. It does not create an instance for you. When you try to run the db2fs to verify the installation I just got an error unable to find command: db2javit. WTF? Maybe I have to specify the PATH properly? Who knows. Moving forward I decided to see if I could create an instance. That worked, but DB2 would not start and still the db2fs did not work. The silly IBM Press book does not clearly show you how to do everything required to install and make db2 work without using the Install Wizard. So after burning several hours on this, I will resort to trying again tomorrow using the GUI.

BTW, I actually do have experience installing DB2, but by installing TDS and of course there was a wizard that sort of walked you through everything. Oh well maybe more success tomorrow.

Friday, October 6, 2006

Welcome to my blog

I have followed a number of blogs in the Lotus Notes world for some time and while my job over the past several years has primarily revolved around supporting collaboration systems with Lotus Notes and Domino, I have found myself dropped into the world of Identity Management as of late.

First, our organization started looking at building a better web presence and being able to deliver applications to staff and customers using WebSphere Portal. It was also a "no brainer" early on to integrate our Domino infrastructure into Portal since so many of our productivity applications were already in Domino. Another key to deploying WebSphere Portal was the fact that it needed an LDAP with our users' and customers' identities. It just so happened that our Domino infrastructure already consisted of a centrally located server with replicas of all our customers' Domino directories. Within a few days, I had a Domino LDAP up and running with 30,000 users that we could connect up to Portal for authentication. Way cool. The other benefit here was that our customers continue to maintain their Domino directories as they always have and as changes occur, our LDAP is updated automatically thanks to Domino replication. This would be a reasonable LDAP for the time being while we learn Portal and explore the possibilities for delivering our applications and services in new ways.

A year later we recognized what we had in the back of our minds early on. For one the Domino LDAP we had configured was limited to only our Domino customers unless we desired to manually add users and maintain them. Two, we expect to someday have maybe hundreds of thousands of entries in our LDAP and we were questioning the scalability of Domino for that purpose. Our IBM consultants recommended using Tivoli Directory Server and since it comes included with several of IBM's other software offerings it seemed logical.

Over the last year my colleague and I have spent a significant amount of time getting to know some of IBM's software for building an enterprise LDAP: Tivoli Directory Server and Tivoli Directory Integrator. This has been quite an experience. For those of you Domino experts out there, if you ever get the chance to work with TDS or TDI you will quickly be reminded how cool Domino is. Take replication for example. This is nothing for Domino. Creating a replica is one of the easiest operations. TDS on the other hand is far more complex and the documentation is severely lacking. I remember countless tech support calls before we were able to successfully get two TDS servers to replicate in a cluster. TDI is some seriously cool software. I'll have to post a separate entry about that, but as cool as it is we always ran into issues that made us wonder if this stuff was really ready for prime time. Either way our experience with TDI has been good and we have used it successfully to build prototypes for detecting changes in disparate systems and writing those changes to TDS.

After a year of this TDS LDAP, TDI and developing assembly lines to detect changes in directories and write them to an enterprise LDAP, we recognized that building the LDAP was certainly not enough. We always knew that access control and provisioning were going to be necessary, but in what order? Do you build the LDAP first? Provisioning system first? Access control? After countless hours reading, talking with consultants, and meeting internally trying to figure out our requirements, it was finally clear that Identity and Access Management was the next step to pulling all this together. We finally realized that our goal is to synchronize user accounts from many (as many as 100 or more) disparate systems to the Identity Management system and then provision those users to LDAP and any other managed resource including Portal and applications surfaced by Portal.

So here we are at the beginning of a very large Identity and Access Management project. As I mentioned at the beginning of this post I follow many very good blogs about Notes and Domino. After scouring the Internet for some good blogs about Tivoli security software, I have come up with really nothing even close to the blogging community for Domino. The only thing close is the Tivoli forums on IBM's web site. So, I figure maybe I'll blog about my experiences with Identity Management. With any luck I'll learn something along the way and possibly contribute in some small way.