IBM Tivoli Identity Manager Setup How To
|IBM Security Identity Manager|
|ITIM How To's|
|General ITIM Topics|
|How To · Troubleshooting · Technical Notes|
|Security Access Manager · Security Directory Integrator · Tivoli Directory Server|
 How to configure ldapConfig and ldapUpgrade to work with SSL on Windows
Your enroleLDAPConnection.properties needs to have the following option set
Now you need to edit "f:\Program Files\IBM\itim\bin\ldapConfig.lax" and "f:\Program Files\IBM\itim\bin\ldapUpgrade.lax" and change the lax.nl.java.option.additional line to read
lax.nl.java.option.additional=-Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStore=F:\Progra~1\IBM\WebSphere\AppServer\java\jre\lib\security\cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djava.ext.dirs=F:\Progra~1\IBM\WebSphere\AppServer\java\jre\lib\ext;F:\Progra~1\IBM\WebSphere\AppServer\plugins;F:\Progra~1\IBM\WebSphere\AppServer\lib;F:\Progra~1\WebSphere\AppServer\lib\ext
The short DOS (8.3) file and folder names, as well as the semi-colons in the dir list are important. Make sure that the referenced cacerts file contains your signing CA (open with ikeyman and verify)
changeit is a default WAS password, as documented by IBM
 How to change the DB after ITIM has been configured
And change the parameters was console - resources->jdbc->Data sources > TIM Bus
DataSource -> change the host
Data sources > ITIM Data Source-> change the host
 How to configure ITIM to create SSL connections and accept certificates when actioning as an ssl client
Define javax trustStore custom properties on the JVM of the ITIM application server. Because the Tivoli Identity Manager Server runs as a Java application, and not as an embedded part of WebSphere Application Server, it does not use the WebSphere SSL Configuration Repertoires settings listed under the WebSphere Administrative Console Security -> SSL tab. Instead, you configure SSL settings using the following menus to specify javax properties: In the admin console Servers -> Application Servers -> server1 -> Process Definition -> Additional Properties -> Java Virtual Machine -> Custom Properties -> New Define two new properties, javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword. The value of javax.net.ssl.trustStore is the path to the Java KeyStore file created in step1. The value of javax.net.ssl.trustStorePassword is the password for this Java KeyStore from step1. Note these same entries and Java KeyStore file can also be used for SSL setup between ITIM 4.6 and Adapters, and ITIM 4.6 and Tivoli Directory Integrator.
 How to configure TIM to talk secure LDAP
Update the ITIM enRoleLDAPConnections.properties file to use SSL. Edit the <itim home>\data\enRoleLDAPConnections.properties file, change the port number, ldap to ldaps, and uncomment and set the protocol to be ssl. Example original lines in file:
Example new lines in my file:
Define javax trustStore custom properties on the JVM of the ITIM application server. Because the Tivoli Identity Manager Server runs as a Java application, and not as an embedded part of WebSphere Application Server, it does not use the WebSphere SSL Configuration Repertoires settings listed under the WebSphere Administrative Console Security -> SSL tab. Instead, you configure SSL settings using the following menus to specify javax properties: Servers -> Application Servers -> server1 -> Process Definition -> Additional Properties -> Java Virtual Machine -> Custom Properties -> New Define two new properties, javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword. The value of javax.net.ssl.trustStore is the path to the Java KeyStore file created in step1. The value of javax.net.ssl.trustStorePassword is the password for this Java KeyStore from step1. Note these same entries and Java KeyStore file can also be used for SSL setup between ITIM 4.6 and Adapters, and ITIM 4.6 and Tivoli Directory Integrator. Save changes in Websphere Admin Console and restart WebSphere Application Server. 
 How to do an SSL lockdown for ITIM
Securing a ITIM-LDAP link On the LDAP server
- Create a self-signed certificate using the iKeyman utility that is included in the IBM Tivoli Directory Server, and then extract the certificate to make it available for secure communication.
- Start the iKeyman utility. F:\Program Files\IBM\GSK7\bin\gsk7ikm
if it complains about java_home , it needs to be set in your personal, or, preferably, server environment variable to F:\Program Files\IBM\LDAP\V6.0\_jvm\jre\
- On the IBM® Key Management page, click Key Database File > New.
- Select a default database type of CMS.
- In the File Name field, type a name for the CMS key database file.
timserverd-ldap.kdb, located in f:\
- On the Password menu that appears, type and then confirm a password. Then, specify Stash the password to a file. No password expiration Click OK.
- Click Create > New Self Signed Certificate and specify a label that matches the CMS key database file name, such as timserverD-LDAP.
- Type PGE in the Organization field, change expiration to 3650 days (approx 10yrs), accept the remaining field default values, and then click OK.
- A self-signed certificate now exists, including public and private keys.
- For subsequent use with clients, extract the contents of the certificate into an ASCII Base-64 Encoded file. Complete these steps:
- In iKeyman, Select Extract Certificate (bottom right corner)
- Specify a data type of Binary DER Data.
- Specify the name of the certificate file name you created, such as timserverd-ldap.der. Specify a location such as F:\, in which you previously stored the key database file. Click OK.
- Verify that the F:\ directory contains the following files:
timserverd-ldap.crl Certificate revocation list. Not used. timserverd-ldap.der The certificate. timserverd-ldap.kbd Key database file that has the certificate. timserverd-ldap.rdb Not used in this example. timserverd-ldap.sth Stash file that has the password.
- Next, set up the WebSphere Application Server to enable SSL communication between Tivoli Identity Manager and the directory server.Complete these steps:
- On TIM server
- Manually copy all aforementioned files from the F:\ directory on the directory server to the F:\ directory on the WebSphere Application Server.
- Start the iKeyman utility. F:\Program Files\IBM\GSK7\bin\gsk7ikm. If it complains about java_home, it needs to be set in your personal, or, preferably, server environment to F:\Program Files\ibm\WebSphere\AppServer\java\jre
- Click New Key Database File. In the New page, complete these steps:
- In the Key database type field, select JKS. In the File Name field, browse for a file name such as timserver-was.jks. In the Location field, type f:\. Then, click OK. Type and confirm the password and then click OK.
- Click Add to add a certificate from a file. On the Add CA's Certificate from a File menu, complete these steps, and then click OK:
- Specify a data type of Binary DER Data.
- Browse for the certificate name, such as timserverd-ldap.der. Type a value for the location, such as f:\.
- Type a label for the certificate, such as ITIM2LDAP, which is a convenience in remembering the purpose of the certificate on the WebSphere Application Server. Then, click OK.
- Examine the list of signer certificates to ensure that it contains the ITIM2LDAP certificate.
- Exit the iKeyman utility.
- Next, start the WebSphere Application Server Administrative Console to enable SSL communication between Tivoli Identity Manager and the directory server.
- Open the WebSphere Application Server Administrative Console. https://timserver:9043/ibm/console/logon.jsp. Log on as the WebSphere Application Server administrator.
- Click Servers > Application servers > Server1 > Java and Process Management > Process Definition > Java Virtual Machine > Custom Properties. In the Applications Servers page, select New to specify these custom properties:
javax.net.ssl.trustStore f:\timserver-was.jks javax.net.ssl.trustStorePassword password that you initially specified for the self-signed certificate. javax.net.ssl.trustStoreType jks
- Click Save.
- Next, configure the Tivoli Identity Manager Server to communicate with the computer and port on which the directory server listens for secure communication. Complete these steps:
- On the computer that has the Tivoli Identity Manager Server, edit the property that specifies the LDAP connection. Complete these steps:
- In the f:\program files\IBM\itim\data directory, edit the enRoleLDAPConnection.properties file.
- In the properties file, change the java.naming.provider.url property to specify the computer and port on which the directory server is listening.
- Save and close the enRoleLDAPConnection.properties file.
- Restart the WebSphere Application Server.
- Finally, test the SSL communication between the Tivoli Identity Manager Server and the directory server.Complete these steps:
- Test that the directory server is listening. on AxTIMD run
ldapsearch –p 636 –K f:\timserverd-ldap.kdb -s base objectclass=* -b dc=com
- The result has entries for the top level schema similar to these:
dc=com objectclass=top objectclass=domain dc=com
- Try to login to ITIM
Securing Browser-ITIM link:
- Request a web server certificate from PGE's certificate singing authority
- Generate a certificate request
- On TIM, start iKeyman following the procedure mentioned in the ITIM-LDAP section. Create timserver-ihs.kdb store
- Select "personal certificate requests" in the drop down box and click New.
- Label it ITIM certificate, make sure the proper server name is in the CN field (timserver.corp.dom) - this should match the name what is referenced in the e-mails sent to people. Use of any other name (http://timserver) will result in a browser warning once SSL is enabled. Enter the file name F:\certreq.arm and click ok.
- Generate a certificate request
- Request the certificate
- Login to https://ipvcert/certsrv/
- Click on advanced certificate request< Font> >
Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. Open the F:\certreq.arm file in notepad, copy and paste the contents into the "Base-64-encoded certificate request" box in the browser Click Submit
- Call the person responsible for approving certificate requests to approve it (Megan?). Download newly issued certificate with chain using both available formats.
- In iKeyman, open timserver-ihs.kdb store and import the newly approved certificate. Approve all chained certificates.
- Exit iKeyman, the kdb is saved automatically.
- Enable SSL directives in the httpd.conf configuration file of the IBM HTTP Server.
- On AxTIM Edit "F:\Program Files\ibm\HTTPServer\conf\httpd.conf"
- Uncomment the LoadModule ibm_ssl_module modules/mod_ibm_ssl.dll configuration directive.
- Create an SSL virtual host stanza in the httpd.conf file using the following examples and directives.
<IfModule mod_ibm_ssl.c> Listen 0.0.0.0:443 <VirtualHost *:443> SSLEnable </VirtualHost> </IfModule> SSLDisable KeyFile "f:\timserver-ihs.kdb"
- Restart the IBM HTTP Server.
- Test the configuration by using a browser in an HTTPS session to the IBM HTTP Server (https://timserver).
- Test by going to ITIM over SSL (https://timserver/itim/console).
- Change "F:\Program Files\ibm\HTTPServer\conf\httpd.conf.down" similarly to display a downtime notice over SSL
- Once tests are successful first make sure that the e-mails are updated to include only the SSL enabled link, communicate the change to the users, give grace period for the old e-mails to be looked at, keeping both the SSL and the NON-SSL access open and then, eventually disable non-ssl access by editing httpd.conf file and removing SSLDisable and the port 80 bindings. Change "A:\Program Files\ibm\HTTPServer\conf\httpd.conf.down" accordingly.
Securing the ITIM-ITDI link
- On TDI server. Create a self-signed certificate.
- Start ITDI, click on Tools > Keymanager to start iKeyman
- Follow the steps outlined in the ITIM-LDAP section to create a self-signed certificate in a JKS store
- Export the certificate as DER file.
- Import the WAS certificate as the signer certificate.
- Change F:\ITDI_Config2\solution.properties (Adapters), I:\ITDI_Config2\Standalone\solution.properties (Standalones) and F:\ITDI_Config2\Feeds\solution.properties (Feeds) to all have the following lines
javax.net.ssl.trustStore=F:\timserverp-itdi.jks javax.net.ssl.trustStorePassword=password javax.net.ssl.trustStoreType=jks javax.net.ssl.keyStore=F:\timserverp-itdi.jks javax.net.ssl.keyStorePassword=secret javax.net.ssl.keyStoreType=jks
- Edit root_directory/jvm/lib/security/java.security for the security provider list.
security.provider.1=com.ibm.jsse.IBMJSSEProvider security.provider.2=com.ibm.crypto.provider.IBMJCE security.provider.3=com.ibm.security.jgss.IBMJGSSProvider security.provider.4=com.ibm.security.cert.IBMCertPath
- Restart all ITDI services
- In ITIM
- Reconfigure all ITDI services to use the HTTPS protocol.
For more details see 
One link that is still left unsecured is ITIM-SQL. This, however, requires that SSL is to be enabled on the MSSQL side first and needs to be worked out with the DB team. SSL is not required for WAS-IHS Plug-in link, if both components are on the same server.
 How to install a custom logo
The logo is copied to:
 How to recreate TIM schema after TIM has been installed
On IDS you might get by just copying the v3.modifiedschema file from the system that has TIM schema installed. Otherwise run the following on the TIM system (for DSML schema mods only)
e:\program files\ibm\itim\bin\win\loadDSLMSchema.cmd ..\..\config\ldap\er-schema.dsml ldap://server.com "cn=root" password