Chapter 3. Installation 71
IBM Tivoli Directory Server 6.0 overview
Although Access Manager supports a number of different user registries, IBM
Tivoli Directory Server is supplied with Access Manager, and the Directory
Server LDAP client is used by the Access Manager aznAPI implementation to
provide LDAP client services. IBM Tivoli Directory Server 6.0 is supplied with
IBM Tivoli Access Manager 6.0 and it is envisaged that this will be the Directory
Server version used with any new deployments of Access Manager 6.0. As we
mentioned in 2.7.1, “Additional upgrade considerations” on page 65, it is possible
to use older versions of the Directory Server with Access Manager 6.0 (for
migration purposes) but the Directory Server 6.0 client must always be used
whenever an LDAP client is required.
The user registry contains user information, additional Access Manager
information, and mappings between Access Manager users and users in the
registry. Access Manager information is stored under the suffix
secAuthority=default, which needs to be manually created in LDAP before you
can begin to configure the Policy Server. The only exception is the automatic
installer for IBM Tivoli Directory Server v6.0 shipped with the Access Manager
install set. This installer automatically creates the secAuthority=default suffix.
The installer also creates a suffix for user data (users are stored under a
separate DIT from the Access Manager configuration).
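Because the secAuthority=default suffix must exist before the Policy Server can be configured, a pre-flight check against the Directory Server root DSE is worthwhile. The following is an added example, not code from the Redbook or from the Access Manager product: it parses the namingContexts values from a root DSE search (the IBM ldapsearch client's default attribute=value output or LDIF with -L, which we assume the operator has captured) and reports whether the Access Manager suffix and a chosen user suffix are present.

```python
"""Pre-flight suffix check before configuring the Access Manager Policy Server.

Assumption (not from the Redbook): the root DSE was fetched with something like
    ldapsearch -h <host> -p 636 -Z -s base -b "" namingContexts
and the captured output is passed to check_registry_suffixes().
"""
import base64
import re

AM_SUFFIX = "secAuthority=default"  # suffix Access Manager stores its data under


def normalize_dn(dn: str) -> str:
    # Attribute types in DNs are case-insensitive and the server may echo the
    # suffix as "secAuthority=Default"; drop spaces around separators too.
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip()).lower()


def naming_contexts(output: str) -> list[str]:
    """Return namingContexts values from root-DSE search output.

    Handles IBM ldapsearch's default "attr=value" lines, LDIF "attr: value",
    base64 LDIF "attr:: value", and LDIF continuation lines (leading space).
    """
    lines: list[str] = []
    for raw in output.splitlines():
        if raw.startswith(" ") and lines:  # LDIF folds long values this way
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    contexts = []
    for line in lines:
        m = re.match(r"(?i)^namingcontexts(::?|=)\s*(.*)$", line)
        if not m:
            continue
        value = m.group(2).strip()
        if m.group(1) == "::":
            value = base64.b64decode(value).decode("utf-8")
        contexts.append(value)
    return contexts


def check_registry_suffixes(output: str, user_suffix: str) -> dict:
    """Report whether the AM suffix and the user-data suffix are configured."""
    found = {normalize_dn(c) for c in naming_contexts(output)}
    return {
        "am_suffix_present": normalize_dn(AM_SUFFIX) in found,
        "user_suffix_present": normalize_dn(user_suffix) in found,
        "naming_contexts": sorted(found),
    }


# Constructed sample output (LDIF form); not captured from a real server.
SAMPLE_ROOT_DSE = """dn:
namingcontexts: CN=SCHEMA
namingcontexts: CN=LOCALHOST
namingcontexts: secAuthority=Default
namingcontexts: o=example,
 c=us
"""
```

If `am_suffix_present` is false, create the suffix (or rerun the Access Manager Directory Server installer) before starting Policy Server configuration.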
Also, when using this particular installer, the Directory Server instance created is
configured for SSL communication (using the LDAPS port 636 by default). In
order for this to happen, a private key and public certificate pair must be
available. In Tivoli Access Manager v5.1, the Access Manager Directory Server
installer supplied a static “test” certificate/key for the Directory Server to use SSL.
This was not useful for production because it was the same certificate for every
installation. In addition, the KDB file that contained this test certificate used a
fixed password (which was key4ssl). For Tivoli Access Manager v6.0, the Access
Manager Directory Server installer generates a new self-signed certificate/key
pair every time. It prompts the user to specify a password and this password is
used to secure a new certificate database (KDB) file.
Directory Server 6.0 includes an optional proxy component. This component is
not part of the freely available Directory Server 6.0 distribution and is not part of
the bundle that is shipped with Access Manager 6.0. In order to make use of this
feature it must be independently licensed. The Directory Server Proxy can be
used for two purposes:
- Provide a proxy component so that Directory Servers can be accessed from
the Internet but the Directory Servers (and their associated databases) are
not located in the DMZ.
- Provide an entry point to a distributed directory that allows very large
registries to be set up. All client requests are routed to load-balanced proxies