Friday, January 26, 2007

TAI++ Solved my WPM SSO problem

There's a really good Developerworks document on setting up TAI++ for WAS. I used this to configure SSO between WPM and WebSEAL. In my prior posting {Link} I described the problem I was having with TAI where some users could login to WPM via WebSEAL, but other users (most importantly sec_master) could not login.

So we decided to try TAI++ instead. I used this doc from Developerworks {Link} and it solved the problem quite nicely. One thing that I was stuck on for quite a while, though, was the WAS Configuration section where they have you configure the TAM Java Runtime Environment. I originally skipped this section because it looked like it had to do with SSL, and I had no intention of doing SSL between WebSEAL and WPM. I'm only doing SSL on WebSEAL. When a web browser hits WebSEAL the HTTPS is terminated and it is HTTP from there, so naturally if this section had to do with SSL then I figured I did not need to do it. The problem was that when I started WAS the TAI++ would initialize and throw an error that it could not find a file. Well, this file only gets created if you run SSL Configuration. I guess it doesn't mean you have to do SSL; it's just that the file doesn't get created unless you go through this configuration. On my WPM server I ran the following commands to set this up. Note that the document doesn't really mention anything about setting up the classpath.

// Setup the WAS environment:
wpm:/opt/IBM/WebSphere/AppServer/bin # . ./

// Setup the classpath:
wpm:/opt/IBM/WebSphere/AppServer/bin # CLASSPATH=$WAS_HOME/java/jre/lib/ext/PD.jar:$WAS_CLASSPATH

// Configure the AMJrte (Access Manager Java runtime environment)
wpm:/opt/IBM/WebSphere/AppServer/bin # java -cp $CLASSPATH -Djava.ext.dirs -Dpd.home="/opt/IBM/WebSphere/AppServer/java/jre/PolicyDirector" com.tivoli.pd.jcfg.PDJrteCfg -action config -was -host "FQDN of my policy server"

// If the above command works you should see something like this:
HPDBF0021E This Java Runtime Environment (/opt/IBM/WebSphere/AppServer/java/bin/../jre) has already been configured.
Unconfigure first then retry the command.
Configuration of Access Manager Runtime for Java is in progress.
This might take several minutes.
Configuration of Access Manager Runtime for Java completed successfully.

// Run SSL Configuration
wpm:/opt/IBM/WebSphere/AppServer/bin # java -cp $CLASSPATH -Dpd.cfg.home=$WAS_HOME/java/jre -Xnoargsconversion com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sec_master -admin_pwd ******** -appsvr_id wpm -policysvr -port 7135 -authzsvr -mode remote -cfg_file $WAS_HOME/java/jre/ -key_file $WAS_HOME/java/jre/lib/security/PdPerm.ks -cfg_action replace

Note: Make sure that the file is named exactly as it is here if you are running Unix/Linux as I am. I mistakenly named it and still had problems until the file name had the proper case.

Next up Portal, Sametime and QuickPlace with TAM

So our Sandbox environment is ever expanding. Since we are running WebSphere Portal, Domino, Sametime, and QuickPlace in production we must start to test all of these in our sandbox so that we can verify that things will work behind WebSEAL. We know WAS works well with TAI++ so it should be a "no brainer" to get a Portal server in line as well.

Or so we thought. We are running Portal 5.1.03 on Linux for zSeries (currently SLES 8). For some reason this guy is giving us some real problems. Again, at the section where we need to do the AMJrte configuration there are a bunch of errors from GSKit and other errors related to a missing RPM, and some other dependency checks apparently failing. This is a bit different from my WPM server, which is running WAS 6 on SLES 9 x86. Well, maybe I'll let my colleague wrestle with this one. :-)

In the meantime I'm in the process of setting up a Sametime and QuickPlace server to accompany the Domino mail server in our sandbox. I need to test SSO between WebSEAL, Portal, and these Domino applications to make sure they will work the way we think they will. For the most part QuickPlace and Sametime will use LTPA just the way the Domino mail server I already set up does. But we need to see how well these will work when Portal is surfacing QP and ST content through portlets.

Sunday, January 21, 2007

You know what Tivoli needs? Tivolisphere!

For the past 7 years or so I've worked with Lotus Notes and Domino. There is such a passionate community of Notes/Domino supporters, users, bloggers, and innovators. Why not? It's collaboration, and what better suite of products is there to collaborate about than the best tools to do it with?

So every year like a cult following Lotusphere in Orlando re-energizes this community with great speakers, hands on labs, and forums to speak with the makers of some of the greatest software available. Having been to a handful of past Lotusphere conferences myself I can say from experience it's the best conference I've ever attended. I've made many contacts there, learned a lot and had a blast doing it.

There should be a Tivolisphere. Obviously the Tivoli product suite is a bit less visible than Notes and Domino, but the best thing about Lotusphere is the ability to network and meet people sharing the same experiences. Tivoli Identity Manager and Tivoli Access Manager are not the simplest of products to wrap your arms around. It would be so helpful if there was a place like Lotusphere where Tivoli professionals could experience the various ways the product is being used in the real world, and work with the developers to find solutions to problems. Maybe someday there will be third party ISVs developing solutions using Tivoli and then hopefully a new cult following will develop.

For now, I don't plan on giving up my interest in Notes and Domino. While my professional role has changed a bit in the last year, I still plan to keep my hands in the Lotus cookie jar from time to time. This year at Lotusphere 2007 I'm sorry to miss one of the biggest years in a long time. (I attended Lotusphere 2002 just months after 9/11 and it wasn't a great turnout and each year after it got better and better). Who could miss Bill Buchan's 40th birthday? Or the 13th annual Turtle Party (not really sure if it's 13, but I think Turtle's been there that many times)? Or Ed Brill's presentations? The showcase floor is sold out. That's never happened in any of the years I was there.

Well, maybe next year I'll be lucky enough to attend. This year I'll just be lurking all the blog sites, watching Lotusphere Live and just imagining what it's like to be there.

Another cool tool...

In the last few days IBM released another tool to help with ITIM deployments. The ITIM Adapter Development Tool purports to integrate TDI development and ITIM profiles. Sounds good. I'll have to give it a try. I still haven't gotten the GCE to work yet though.

Again as in my previous post you can get this new tool at the same site:

Just look in the new section (top right).

Saturday, January 20, 2007

Success with SSO between WebSEAL and Lotus Domino

IBM has a pretty good document on setting this up. You will need an IBM user ID to access this document, which you can find on the TAM support web site at Just search for "domino integration" to find it. There are two available. For some reason IBM refers to them as adapters, but this is misleading I think, because when they mention adapter I think of ITIM adapters. In this case these two items are just PDFs with instructions on how to put Domino behind WebSEAL doing SSO with LTPA. I'm not sure why they call them adapters. But hey, whatever. The documentation is pretty good. If you follow these instructions it will work.

There is one key item the document does not mention:

When you create the junction you need to use pdadmin, but you must be on the WebSEAL server to do this. Yes, you can run pdadmin from the Policy Server or even the authorization server, but if you need to create a junction using LTPA then you must be on the WebSEAL server for it to work. Otherwise, you'll just end up with an error ->

DPWWM1318E Cannot create junction
DPWWA1998W Unable to open the LTPA key file for reading

This stumped me for a handful of hours and even IBM Tech Support never mentioned this little tidbit. My friend Ram from the Tivoli Software group said he usually creates junctions from the WebSEAL server anyhow. I guess maybe I just need to pick the right habits to learn.

Friday, January 19, 2007

ITIM e-Mail with broken graphics

I've been having this problem ever since placing TIM behind WebSEAL. When changes occur to accounts of TIM users, they will receive emails informing them of the changes and such. The problem is that the graphics in the emails are broken because TIM is protected behind WebSEAL. I'm trying to figure out how to handle this and so far I have found nothing on the IBM web site to give me a clue for this specifically.

One option I guess is to change the email template so that these graphics are not part of the template. Maybe moving the graphics somewhere where anonymous users can access will help. Still some of these we may want to be functional like the Logon button for TIM. Maybe we will change the standard Tivoli banner to a company banner, etc.... So far I haven't spent much time researching this option, but I imagine there is a place where we can customize this email template.

Another option I did spend some time on was Dynamic URLs. Chapter 34 of the WebSEAL Admin Guide goes into detail about how to control access to dynamic content using the dynurl.conf file. Supposedly I should be able to add entries for the location of the ITIM graphics and then, after restarting WebSEAL, these .gif files should show up in the TAM Object Space. Then I can add ACLs to just the graphics allowing anonymous users to see them, which would theoretically allow them to be visible in the ITIM emails. The Dynamic URL chapter does not mention how to handle static files like these .gifs, especially when they are part of an application like TIM. In other words they are buried in a .ear file on the TIM server, so I'm not sure if this is even on the right track to fix this problem.

Stay tuned...

SSO between WPM and WebSEAL - Follow up from my previous posting...

I'm gathering that most people do not bother bringing Web Portal Manager behind WebSEAL very often. While it's doable the problem I ran into was the fact that sec_master is sort of a special user. It's not really a TAM user residing in the LDAP like all the rest of the TAM users so when you try to login to WPM as sec_master via WebSEAL you get a logon error from WebSEAL. Checking the WAS Log for details this is what I found:

[1/19/07 9:34:50:394 EST] 00000058 LdapRegistryI E SECJ0361E: Authentication failed for sec_master because user is not found in the registry.
[1/19/07 9:34:50:429 EST] 00000058 LdapRegistryI E SECJ0336E: Authentication failed for user sec_master because of the following exception {1}
[1/19/07 9:34:50:442 EST] 00000058 LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is No user sec_master found.
[1/19/07 9:34:50:475 EST] 00000058 JaasLoginHelp A SECJ0222E: An unexpected exception occurred when trying to create a LoginContext. The LoginModule alias is system.WEB_INBOUND and the exception is No user sec_master found.
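As an added example (mine, not from the post or from IBM), here is a small parser for SystemOut.log lines in the format quoted above that groups the SECJ messages of one failed login into a single attempt and lists the users WAS could not find in its registry, which is the symptom described for sec_master. The field layout assumed by LINE_RE and the extra sample lines are my constructions.

```python
"""Parse WebSphere SystemOut.log security (SECJ) entries and summarise failed logins.

Added example, not from the original post or from IBM. The field layout assumed
below is my reading of the lines quoted in the post:
  [M/D/YY H:MM:SS:mmm TZ] <thread id> <component> <level> <message id>: <text>
"""
import re
from collections import defaultdict

# Constructed sample log: the four lines quoted in the post, plus a second
# failed user and one unrelated (non-security) line.
SAMPLE_LOG = """\
[1/19/07 9:34:50:394 EST] 00000058 LdapRegistryI E SECJ0361E: Authentication failed for sec_master because user is not found in the registry.
[1/19/07 9:34:50:429 EST] 00000058 LdapRegistryI E SECJ0336E: Authentication failed for user sec_master because of the following exception {1}
[1/19/07 9:34:50:442 EST] 00000058 LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is No user sec_master found.
[1/19/07 9:34:50:475 EST] 00000058 JaasLoginHelp A SECJ0222E: An unexpected exception occurred when trying to create a LoginContext. The LoginModule alias is system.WEB_INBOUND and the exception is No user sec_master found.
[1/19/07 9:35:02:101 EST] 0000005a LdapRegistryI E SECJ0361E: Authentication failed for jdoe because user is not found in the registry.
[1/19/07 9:36:11:880 EST] 0000005b WebContainer  A SRVE0169I: Loading Web Module: wpm.
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+"          # timestamp with time zone
    r"(?P<thread>[0-9a-f]{8})\s+"      # hex thread id
    r"(?P<component>\S+)\s+"           # truncated class name
    r"(?P<level>[A-Z])\s+"             # E = error, A = audit, W = warning, ...
    r"(?P<msgid>[A-Z]{4}\d{4}[A-Z]):\s*"
    r"(?P<text>.*)$"
)

# The user name is worded differently in each SECJ message; try each pattern.
USER_RES = [
    re.compile(r"Authentication failed for user (\S+)"),
    re.compile(r"Authentication failed for (\S+) because"),
    re.compile(r"No user (\S+) found"),
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not a WAS entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = None
    for pattern in USER_RES:
        um = pattern.search(rec["text"])
        if um:
            rec["user"] = um.group(1)
            break
    return rec


def auth_failures(log_text):
    """Group the SECJ lines of one failed login (registry lookup, exception, LTPA,
    JAAS) into a single attempt. Heuristic: WAS writes them on the same thread
    within the same second, so key on (thread id, timestamp to the second).
    Returns {user: [[message ids of attempt 1], [message ids of attempt 2], ...]}."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["msgid"].startswith("SECJ") and rec["level"] in ("E", "A"):
            second = rec["ts"].rsplit(":", 1)[0]   # drop the milliseconds
            attempts[(rec["thread"], second)].append(rec)
    by_user = defaultdict(list)
    for recs in attempts.values():
        user = next((r["user"] for r in recs if r["user"]), "<unknown>")
        by_user[user].append([r["msgid"] for r in recs])
    return dict(by_user)


def not_in_registry(log_text):
    """Users WAS could not find in its configured user registry (SECJ0361E). In
    the TAM setup above this is the symptom for sec_master, which is not an LDAP
    user like the rest of the TAM users."""
    users = {rec["user"] for rec in map(parse_line, log_text.splitlines())
             if rec and rec["msgid"] == "SECJ0361E" and rec["user"]}
    return sorted(users)


if __name__ == "__main__":
    for user, tries in auth_failures(SAMPLE_LOG).items():
        print(f"{user}: {len(tries)} failed login(s) {tries}")
    print("not in registry:", not_in_registry(SAMPLE_LOG))
```

Point it at a real SystemOut.log by reading the file into `auth_failures`; a user that shows up only under `not_in_registry` is a registry mismatch rather than a bad password.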

For reference Technote #1153647 shows how to set this up at

In my previous posting, I mentioned that step 3 said to modify the authMethod in the pdwpm.conf file and that it simply wasn't there. I believe this is because the doc is referring to TAM 5.1 and since I'm running TAM 6.0 these properties are now located in I found this file buried here on my WPM server:


I also since made a few other changes to my SSO configuration and then everything started working correctly with WPM behind WebSEAL except of course the issue with not being able to login as sec_master.

Anyhow here are the other items I changed on my SSO config for WPM:

1.) added iv_creds to the /wpm junction
2.) on the WPM server for WAS Global Security, modified:
Global Security > LTPA > Trust Association > Interceptors > WebSealTAI > Custom Props > Ports:
Changed 443 to 443,80
Global Security > LDAP User Registry > Type:
Changed Tivoli Directory Server to Custom

Not sure which if any of these solved the problem, but I can now login to WPM via WebSEAL as any TAM user. Again sec_master is a problem, but that's because sec_master is not a normal TAM user so I'm not sure what I'll do about it. We really don't gain a whole lot by putting WPM behind WebSEAL anyhow. I just wanted to do it for the sake of learning.


Friday, January 12, 2007

SSO Between WPM and TAM using TAI

We thought since SSO between TIM and TAM was so easy then naturally Web Portal Manager (WPM) would be just as easy. No such luck. WPM is a bit more involved. First of all we have Web Portal Manager and WebSeal on two separate VMs. Our LDAP (TAM User Registry) is also a separate VM. I followed TechNote #1153647 from the IBM Support Web Site. This is regarding TAMeb 5.1 so it's a little dated, but IBM Tech Support says it should work for the newer environment as well, that being TAMeb 6.0, and my WPM server is using WAS 6.0 with refresh pack 2.

So, the instructions were pretty straightforward except for Step 3: modify the "authMethod" in the pdwpm.conf file to the value SSO. This file was supposed to be at /opt/PolicyDirector/etc on the WPM server, but it wasn't. The only file that was close was pdwpm.conf.template. So I assumed that they wanted me to copy this to pdwpm.conf and make the modification as noted in the step.

Another little difference is that when you web to the WAS server to get to the Admin console, prior to version 6 the default port was 9090. For WAS 6 it is 9060. The instructions here walk you through the Admin Console to set up LTPA and User Registry parameters. Essentially you will be pointing the WAS server to the LDAP so this Admin Console will also be secure when you are done. No longer will you be able to just type anything in the login prompt to get into the Admin console. You may have to create some LDAP users along the way for this to work. I created a WAS Admin ID and a WPM User ID for this whole process. One thing to note is that in Step 11 you will have to complete the User Registry Form and the Bind (DN) shown in the example uses cn=root. I tried a different user ID that has basically just read access to the LDAP and when I tried to apply the User Registry settings I had a credential failure. I had to use the cn=root as shown in the instructions. I'm guessing this is because my other user did not have enough access to something in the LDAP, the instructions do not really explain what exactly all these accounts need to do.

The only thing I did not do from these instructions is enable the Diagnostic Trace Service. (I may need to go back and do this)

The Problem:

When I try to access Web Portal Manager via WebSeal I get a login prompt:

a.) If I try to login as sec_master or other TAM users I get an error "Could not Sign User on"

b.) If I try to web directly to the WPM server I get basic authentication (not sure why that is), but I cannot login as sec_master at all. I keep getting prompted for login.

If I try to login as another TAM user I get a different error "Delegate credential was specified but its value is null"

At this point I can hit the Back button in the error message and WPM will present me with the logon form instead of basic. Then I can actually login as sec_master.

At this point I'm pretty sure there is something I've missed, or maybe the difference between TAM 5.1 and 6 or WAS 5 and 6 is causing this. I eventually found the file where I found the "authMethod" parameter that was supposed to be in pdwpm.conf. The thought was that maybe this is where we should be setting this parameter instead of the pdwpm.conf. You would not believe where the amconf.properties file is buried:


Well, I should hopefully have an answer from IBM Tech Support soon on this. If not, then maybe I won't worry about putting the WPM behind TAM at all.

SSO Between TIM and TAM

Well, this week we had some success. SSO now works well between TIM and TAM. This was relatively easy following the ITIM Information Center documentation. It really amounted to creating a TCP junction from WebSeal to TAM, creating an ACL, and tweaking a few properties files on the TIM server. Once we restarted WAS on the TIM server we were able to web to TIM via WebSeal, and if I logged into TAM I was already authenticated to TIM. Cool. At this stage of the game I am easily impressed. :-)

Cool Tools to help manage ITIM

One of our friends at IBM let us in on these two handy tools for ITIM Administrators. The Graphical Configuration Editor (GCE) is an Eclipse based tool that will connect to your ITIM Server and download all of the objects, workflow, policies, etc... into an ICE Project. In the GCE you can develop your ITIM environment and then import your changes back into ITIM. This seems like a really good tool to use when testing things out in Development, then moving to Test region, and then again to Production. This way you do not have to do everything by hand multiple times as you move from development to production. This tool installs on Unix or Windows environments and is generally used on your development workstation.

The other tool ITIM DocTool must be installed directly on the ITIM Server. It works for Unix or Windows environments and will read your entire ITIM Configuration into either an HTML or an XML file. This is pretty cool, because if you walk into an environment you are unfamiliar with you can just run this tool and review the associated documentation to get an understanding of the environment. It's also a useful tool in tech support scenarios where IBM Tech Support needs to understand how things are set up.

You can find these tools at . It happens to be currently in the new column over on the right hand side of the web page and can be downloaded from there. BTW, there is a really nice flash demo of the GCE. I attached it here in the downloads.

Now the only problem I had was with the GCE. I installed it fine and can run the tool. Note that you must be using an IBM JRE for it to work. I could create a new project and specify the ITIM Server properties so that the GCE can connect to ITIM. However, when I click File -> Import, then choose the project to import to and enter the user name and password for itim manager, the GCE connects to the ITIM Server then just stops. I cannot click Next as expected and there is a message in the dialog box that says "". See the screen below:

There is a log file available. If you Cancel the import dialog, then from the main GCE window click Help -> About GCE, then click Configuration Details there is a button for the error log:

So the error I'm getting is this:

!SESSION 2007-01-12 10:40:50.379 -----------------------------------------------
java.fullversion=J2RE 1.5.0 IBM J9 2.3 Windows XP x86-32 j9vmwi3223-20060222a (JIT enabled)
J9VM - 20060220_05389_lHdSMR
JIT - 20060220_2133_r8
GC - 20060214_AA
BootLoader constants: OS=win32, ARCH=x86, WS=win32, NL=en_US
Command-line arguments: -os win32 -ws win32 -arch x86

!ENTRY 1.2.2 4 0 2007-01-12 10:56:52.553
!MESSAGE Unexpected Exception

I started poking around the Server Configuration Properties and I noticed that there is a Server Type property. When you click that drop down there seems to be different types depending on which FixPack you are running on your ITIM.

I initially chose the item without a fixpack, even though I am running FixPack 28. FP28 isn't a choice in the Server Type property. I tried a few of the options and it did not make a difference. First of all I don't even know if this is my problem, but if it is then I guess I'll have to wait until IBM releases an update. It appears that you can't get support for either of these two tools because they are on an as-is basis.

Monday, January 8, 2007

ITIM Self Care Examples

ITIM 4.6 installs with a self care application that you have to do some work with to set it up. On Linux this should be in the /opt/IBM/itim/extensions/example/self_care directory. There is a readme.html file which is pretty good. I didn't have any problem at all getting this up and running following the instructions.

I will say though that when I self registered some users, I never received the emails that were supposed to be sent to each user. Not sure why. Also now that I enabled the challenge/response, every time I login to ITIM, I'm prompted to answer a challenge question. I'll have to play with this a bit yet.

I thought that this was going to be primarily a tool that existing users could use, but it also has self registration functionality already built in so a user can create a new identity. What would be cool is if TIM could automatically suspend or disable accounts that are not active after some specified amount of time or something. I can just see users creating tons of accounts over and over again as they can't remember what their user id was in the first place. Anyhow, it's worth taking a look.

TIM/TAM Helpful docs

A bit dated, but still very useful, this Identity and Access Management solutions document is a good read. Well it's not exactly the latest Dean Koontz novel, but as geek material goes it is pretty good. This will walk you through the entire process of design and implementation of a fairly simple ITIM and TAM solution.

Also, if you have any Portal developers on staff then you may want to pass along these docs for using the ITIM API to develop password management and self care in Portal:

Sunday, January 7, 2007

Planning your TIM/TAM Server Environment

If you're trying to deploy TIM and TAM, the one thing it seems you cannot get away from is lots of servers. If you're doing your project for thousands of users then plan on setting up 3 environments:

Sandbox (development)


Your Sandbox environment is where you will do your initial development and testing. This does not require a lot of physical servers, but will require VMs, so expect to make an investment in memory. The sandbox may contain a test version of many of your target resources, so it's not just TIM and TAM you have to consider. My sandbox is a Dell PowerEdge 2650. It's a dual Xeon machine with 12GB RAM and 250GB RAID 5. The host OS is Windows Server 2003 Enterprise Edition. VMWare GSX Server runs 12 VMs on this box. I figure on being able to run about 16 VMs max. Here's my list of sandbox servers:

TAM Policy Server (SLES 9, 1GB RAM, 10GB Virtual Disk)
TAM Authorization Server (SLES 9, 1GB RAM, 10GB Virtual Disk)
TAM WebSeal Server (SLES 9, 1GB RAM, 10GB Virtual Disk)
TAM WPM Server (SLES 9, 1GB RAM, 10GB Virtual Disk)
TDS Server 1 (SLES 9, 1GB RAM, 8GB Virtual Disk)
TDS Server 2 (SLES 9, 1GB RAM, 8GB Virtual Disk)
ITIM Server (SLES 9, 2GB RAM, 8GB Virtual Disk)
Active Directory Server 1 (Windows Server 2003 Std, 1GB RAM, 8GB Virtual Disk)
Active Directory Server 2 (Windows Server 2003 Std, 1GB RAM, 8GB Virtual Disk) *Also have Domino 6.5 installed for some testing
Novell eDirectory Server 1 (SLES 9, 1GB RAM, 8GB Virtual Disk)
Domino Server 1 (SLES 9, 1GB RAM, 8GB Virtual Disk)
TDI Server 1 (Windows 2000, 1GB RAM, 20GB Disk)


The test environment needs to more closely mirror your production environment. In this environment you should be testing the processes and code developed in your sandbox against target resources that closely emulate production target resources. You may have test portal servers in this environment as well. This environment may also be a part of other people's test environments. In my case the Portal Development Team will have to place their test Portal systems behind the TAM Test security environment. We will have to have the Test ITIM system provision users to the Test Portal and other Test resources that other departments use; this way the other teams affected by TIM and TAM can work closely with us for testing before things get moved to production. I have not set this environment up yet, but when I do it might look something like this:

TAM Policy Server (SLES 9, 1GB RAM, 20GB Virtual Disk)
TAM Authorization Server (SLES 9, 1GB RAM, 20GB Virtual Disk)
TAM WebSeal Server 1 (SLES 9, 1GB RAM, 20GB Virtual Disk)
TAM WebSeal Server 2 (SLES 9, 1GB RAM, 20GB Virtual Disk)
TAM WPM Server (SLES 9, 1GB RAM, 20GB Virtual Disk)
TDS Server 1 (SLES 9, 1GB RAM, 40GB Virtual Disk)
TDS Server 2 (SLES 9, 1GB RAM, 40GB Virtual Disk)
ITIM Server (SLES 9, 1GB RAM, 20GB Virtual Disk)
ITIM LDAP (SLES 9, 1GB RAM, 40GB Virtual Disk)
ITIM DB Server (SLES 9, 2GB RAM, 40GB Virtual Disk)
TDI Server (Windows 2003 Std, 2GB RAM, 40GB Virtual Disk)

Other Servers - Test servers acting as managed resources or feeds belonging to other support teams could include Domino, WebSphere, Novell, Active Directory, and several others. These servers should be managed by the various support teams that support these systems in production.


Since we are still doing the architecture project in our environment I'll post something about the production servers later. It will look a lot like the Test environment, however we will also be using load balancers for the items that are being clustered (TDS and WebSeal).

ITIM - Organization Design Tips #1 and #2

As I work with the pros trying to build our Identity and Access Management system one of my goals is to learn as much as possible along the way. The pros I'm referring to are top business partners like SCS and SPS or the guys/gals straight from the Tivoli Software group.

The first tips I've learned is regarding the ITIM Organization tree:

1.) It's all about admin - The tree needs to be designed based on who will be managing it. If you are delegating administration of the ITIM to departments, divisions, countries, cities or buildings then it makes sense to organize it in such a way that users are grouped into "administration containers".

2.) 1000 or less is best - ITIM will have performance and usability issues if you place more than 1000 or so users into a container. It's helpful to keep your containers under that number. So you may have to divide the users up. In my case we have thousands of users so we might be looking at 5 or 6 levels deep.
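As an added example (mine, not the post's and not ITIM code), here is a small planner that applies both tips at once: it splits a constructed population along administrative attributes (division, department and city are assumed names, ordered from broadest admin boundary to narrowest) only where a container would exceed the limit, then reports how deep the tree ends up and which containers still exceed the limit.

```python
"""Plan an ITIM organization tree along administrative boundaries (tip 1) while
keeping every container at or under a user limit (tip 2).

Added example, not from the original post and not ITIM code. The user records
and the attribute names (division, department, city) are constructed."""
import random
from collections import defaultdict


def build_tree(users, split_attrs, limit=1000):
    """Group users into containers. A container that would exceed `limit` is split
    by the next attribute in `split_attrs` (ordered from broadest admin boundary
    to narrowest). Returns a leaf (list of users) or {container name: subtree}."""
    if len(users) <= limit or not split_attrs:
        # Fits, or no attribute left to split on (an oversized leaf; see oversized()).
        return list(users)
    attr, rest = split_attrs[0], split_attrs[1:]
    groups = defaultdict(list)
    for user in users:
        groups[user.get(attr, "unassigned")].append(user)
    return {name: build_tree(members, rest, limit) for name, members in groups.items()}


def depth(node):
    """Levels from this container down to its deepest leaf (a leaf alone is 1)."""
    if isinstance(node, list):
        return 1
    return 1 + max(depth(child) for child in node.values())


def count(node):
    """Total users under this container."""
    if isinstance(node, list):
        return len(node)
    return sum(count(child) for child in node.values())


def oversized(node, limit=1000, path=()):
    """Yield (path, size) for each leaf still above the limit, i.e. where the
    chosen attributes were not enough to split the population finely."""
    if isinstance(node, list):
        if len(node) > limit:
            yield path, len(node)
        return
    for name, child in node.items():
        yield from oversized(child, limit, path + (name,))


def make_users(n, seed=7):
    """Constructed population, deliberately skewed so one division dominates."""
    rnd = random.Random(seed)
    divisions = ["sales"] * 6 + ["eng"] * 3 + ["hr"]
    return [{"uid": f"u{i:05d}",
             "division": rnd.choice(divisions),
             "department": f"dept{rnd.randrange(8)}",
             "city": rnd.choice(["Boston", "Denver", "Austin"])}
            for i in range(n)]


def plan(n_users, limit=1000):
    """Build the tree for a constructed population and report its depth, the
    user total, and any containers that still exceed the limit."""
    tree = build_tree(make_users(n_users), ["division", "department", "city"], limit)
    return {"depth": depth(tree), "users": count(tree),
            "oversized": list(oversized(tree, limit))}


if __name__ == "__main__":
    print(plan(5000))              # root -> division -> department leaves
    print(plan(5000, limit=100))   # city is not fine enough for the sales division
```

Lowering the limit forces more levels (division, then department, then city), and once the attributes run out the planner reports the containers that still break the ceiling rather than silently accepting them.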

A good brain melting

It's been a while since I've posted, but the best excuse I can come up with is that my brain has been melting as I try to absorb all the technical and nontechnical issues with implementing TIM and TAM.

The last several weeks I've spent most of my days and nights reading mountains of documentation, taking Tivoli Web Courses and building a sandbox for testing and development. I've come across several items that I thought would be good topics for the blog, but I failed to follow through which is something I plan to work on.

The nontechnical part of architecting a TIM and TAM implementation can be a bit tougher than the technical stuff. I've spent a good deal of time in the last few weeks talking to application owners and HR people, electronic forms people to try and figure out what roles are already defined, what roles still need defining, where are we getting feeds from, how clean is the data coming in from those feeds, etc.... This can be mind numbing. The best advice I can pass along which has been passed along to me is Simplify. Try to temper the expectations, take the complex and break it down into simpler parts. Keep in mind that the Identity and Access Management system is an evolving system.