78 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
The minimal LDAP data format is valid only for IBM Tivoli Access Manager
version 6.0 or later. Use of this format reduces the size of your user registry
information by storing minimal user and group tracking information. However,
previous versions of Tivoli Access Manager and Tivoli Access Manager products
do not support this format and cannot access the user and group tracking
information. The standard LDAP data format, which is the same format used in previous
versions of Tivoli Access Manager, permits any version of Tivoli Access Manager
to use the user and group information in the LDAP registry.
If there is no previous user registry information, as is the case with a new
installation, and minimal format is selected, fewer LDAP objects are used to
maintain the user and group tracking information. However, previous versions of
Tivoli Access Manager do not support this format and cannot access the user
and group information.
If upgrading all Tivoli Access Manager products to version 6.0, the existing user
registry information can be converted to use the minimal format for user and
group tracking information, if desired. Use the Tivoli Access Manager amldif2V6
tool for this LDAP data conversion. You can find technical support for the
amldif2V6 tool at the IBM Tivoli Access Manager for e-business Web site.
After installation, you can use the pdconfig tool to configure the Access Manager
Runtime and Policy Server components. This tool prompts for answers to certain
questions and then configures the Access Manager components. The PDRTE
component is always configured before Policy Server (PDMGR), but not before
PDMGR is installed.
Initial configuration creates new key and stash files and generates a new CA
certificate for the Policy Server, called the PDCA certificate. This certificate is
stored in the ivmgr.kdb certificate database. It is also stored in the file
pdcacert.b64 on the Policy Server as a base-64 DER-encoded version of the
PDCA certificate. This file must be distributed to each machine in your secure
domain that utilizes SSL communication with the Tivoli Access Manager Policy
Server. If this certificate is for any reason compromised, it must be regenerated.
If this happens, each key file and each certificate in the domain needs to be
regenerated. Use mgrsslcfg to create or modify the SSL certificates of the Policy
Server. This tool is called in the background when you use the pdconfig tool.
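Because pdcacert.b64 is copied to every machine that talks SSL to the Policy Server, each copy should be checked against the original before it is trusted. The following is an added example, not code from the guide or from IBM: it decodes a base-64 DER file, checks that the DER structure is complete, and compares its SHA-256 fingerprint with a reference value obtained from the Policy Server out of band. The function names, the handling of optional PEM armor lines, and the sample bytes are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

def load_b64_der(text):
    """Decode a base-64 DER certificate file, skipping PEM armor lines if present."""
    lines = [ln.strip() for ln in text.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    der = base64.b64decode(body, validate=True)  # raises ValueError on bad base-64
    # A DER certificate is a single ASN.1 SEQUENCE (tag 0x30) whose encoded
    # length must account for every byte of the file.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long-form length: next n bytes
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length field")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("truncated file or trailing data")
    return der

def fingerprint(text):
    """SHA-256 over the decoded DER bytes, so line wrapping and armor do not matter."""
    return hashlib.sha256(load_b64_der(text)).hexdigest()

def matches_reference(text, reference_fp):
    """Compare against a fingerprint obtained from the Policy Server out of band."""
    wanted = reference_fp.replace(":", "").lower()
    return hmac.compare_digest(fingerprint(text), wanted)

# Constructed sample data: a well-formed DER SEQUENCE, not a real PDCA certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SERVER_COPY = ("-----BEGIN CERTIFICATE-----\n"
               + base64.encodebytes(SAMPLE_DER).decode()
               + "-----END CERTIFICATE-----\n")
CLIENT_COPY = base64.b64encode(SAMPLE_DER).decode()          # same bytes, no armor
TAMPERED_COPY = base64.b64encode(SAMPLE_DER[:-1] + b"\x00").decode()
REFERENCE_FP = fingerprint(SERVER_COPY)

if __name__ == "__main__":
    for name, copy in [("client", CLIENT_COPY), ("tampered", TAMPERED_COPY)]:
        print(name, "OK" if matches_reference(copy, REFERENCE_FP) else "MISMATCH")
```

After the PDCA certificate is regenerated, the reference fingerprint changes, so any machine still holding the old file fails this check.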
3.2.7 Access Manager Authorization Server (PDAcld)
Access Manager Authorization Server is an optional component in the Access
Manager secure domain. The Access Manager Authorization Server provides