70 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
3.1 Installation overview
The environment based on IBM Tivoli Access Manager is called a secure
domain,
and it consists of many components. These components have specific
software dependencies and require prerequisites with respect to hardware and
operating system platforms that are supported. For hardware requirements like
disk size, memory, and so on, refer to the IBM Tivoli Access Manager for
e-business Version 6.0 Release Notes, SC32-1702. Access Manager is
supported on the following operating systems:
򐂰 AIX 5.1
򐂰 SLES 8
򐂰 RHEL 3.0
򐂰 Solaris 8
򐂰 HP-UX 11i
򐂰 Windows 2003
For details about minimum operating system fix pack levels review the Release
Notes document.
Access Manager 6.0 also supports the IPv6 protocol on those operating
systems.
3.1.1 User registry
The first core component of the Access Manager system is the user registry. The
installation of a user registry is product specific. Access Manager supports all
major user registries:
򐂰 LDAP-based user registry
IBM Tivoli Directory Server version 5.1, 5.2, and 6.0
IBM z/OS LDAP Server 1.4, 1.5, and 1.6
Novell eDirectory 8.6.x and 8.7.x
Sun ONE™ Directory Server 5.1, 5.2, and 6.0
Sun Java System Directory Server 6.1
򐂰 Lotus Domino Enterprise Server 5.0.10, 6.0.2, and 6.5
With the following restriction: Tivoli Access Manager supports the use of IBM
Lotus Domino as a user registry only on the Windows platform.
򐂰 Microsoft Active Directory 2003
With the following restriction: Tivoli Access Manager Policy Server needs to
be deployed on the Windows platform.
Chapter 3. Installation 71
IBM Tivoli Directory Server 6.0 overview
Although Access Manager supports a number of different user registries, IBM
Tivoli Directory Server is supplied with Access Manager, and the Directory
Server LDAP client is used by the Access Manager aznAPI implementation to
provide LDAP client services. IBM Tivoli Directory Server 6.0 is supplied with
IBM Tivoli Access Manager 6.0 and it is envisaged that this will be the Directory
Server version used with any new deployments of Access Manager 6.0. As we
mentioned in 2.7.1, “Additional upgrade considerations” on page 65, it is possible
to use older versions of the Directory Server with Access Manager 6.0 (for
migration purposes) but the Directory Server 6.0 client must always be used
whenever an LDAP client is required.
The user registry contains user information, additional Access Manager
information, and mappings between Access Manager users and users in the
registry. Access Manager information is stored under the suffix
secAuthority=default, which needs to be manually created in LDAP before you
can begin to configure the Policy Server. The only exception is the automatic
installer for IBM Tivoli Directory Server v6.0 shipped with the Access Manager
install set. This installer automatically creates the secAuthority=default suffix.
The installer also creates a suffix for user data (users are stored under a
separate DIT from the Access Manager configuration).
Also, when using this particular installer, the Directory Server instance created is
configured for SSL communication (using the LDAPS port 636 by default). In
order for this to happen, a private key and public certificate pair must be
available. In Tivoli Access Manager v5.1, the Access Manager Directory Server
installer supplied a static “test” certificate/key for the Directory Server to use SSL.
This was not useful for production because it was the same certificate for every
installation. In addition, the KDB file that contained this test certificate used a
fixed password (which was
key4ssl). For Tivoli Access Manager v6.0, the Access
Manager Directory Server installer generates a new self-signed certificate/key
pair every time. It prompts the user to specify a password and this password is
used to secure a new certificate database (KDB) file.
Directory Server 6.0 includes an optional proxy component. This component is
not part of the freely available Directory Server 6.0 distribution and is not part of
the bundle that is shipped with Access Manager 6.0. In order to make use of this
feature it must be independently licensed. The Directory Server Proxy can be
used for two purposes:
򐂰 Provide a proxy component so that Directory Servers can be accessed from
the Internet but the Directory Servers (and their associated databases) are
not located in the DMZ.
򐂰 Provide an entry point to a distributed directory that allows very large
registries to be set up. All client requests are routed to load-balanced proxies

Get Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0 now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.