
Tivoli Identity Manager

Version 5.1

Separate System Upgrade and Data Migration Guide

GC27-2412-01


Note: Before using this information and the product it supports, read the information in Appendix C, Notices, on page 43.

Edition notice

This edition applies to version 5.1 of Tivoli Identity Manager and to all subsequent releases and modifications until otherwise indicated in new editions. This edition replaces SC23-9756-00.

Copyright International Business Machines Corporation 2009. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface
  Who should read this book
  Publications and related information
  Tivoli Identity Manager library
  Prerequisite product publications
  Related publications
  Accessing publications online
  Ordering publications
  Tivoli technical training
  Accessibility
  Support information
  Conventions used in this book
  Typeface conventions
  Definitions for HOME and other directory variables
  Operating system differences

Chapter 1. Overview of the Data Migration to Tivoli Identity Manager Version 5.1
  Tivoli Identity Manager database server components
  Tivoli Identity Manager directory server components
  Overview of the data migration
  Planning activities for deployments at large sites

Chapter 2. Migrating DB2 Universal Database
  Before you begin
  Migrating DB2 Universal Database data
  Backing up DB2 Universal Database data
  Installing DB2 Universal Database and copying data to the target server environment
  Restoring DB2 Universal Database data
  Clearing the service integration bus

Chapter 3. Migrating Oracle Database
  Migrating Oracle data
  Exporting Oracle data from the server for Tivoli Identity Manager Version 4.6 or 5.0
  Installing Oracle database and importing data

Chapter 4. Migrating SQL Server
  Migrating SQL Server data
  Backing up SQL Server data
  Installing SQL server and importing data
  Clearing the service integration bus

Chapter 5. Migrating IBM Tivoli Directory Server
  Migrating IBM Tivoli Directory Server Version data
  Preparing IBM Tivoli Directory Server data on the server running IBM Tivoli Directory Server for Tivoli Identity Manager Version 4.6 or 5.0
  Configuring IBM Tivoli Directory Server on the target directory server
  Importing IBM Tivoli Directory Server data

Chapter 6. Migrating Sun directory server
  Migrating Sun directory server data
  Exporting Sun directory server data
  Importing data to Sun Enterprise Directory Server

Chapter 7. Performing the Upgrade to Tivoli Identity Manager Version 5.1
  Copying the existing Tivoli Identity Manager Version home directory to the target environment
  Running the Tivoli Identity Manager Version 5.1 installation program
  Post-installation tasks
  Restarting and re-indexing Sun Enterprise Directory Server Version 6.3
  Updating the WebSphere Application Server default listening port (cluster only)
  Preserving custom logos
  Verifying the installation
  Tuning performance

Chapter 8. Post-upgrade Production Cutover
  Overview of the production cutover process
  Shutting down WebSphere Application Server on the new production environment
  Preparing the new production environment database server and directory server for data import
  Capturing and importing the contents of the Tivoli Identity Manager Version 4.6 or 5.0 production server data
  Clearing the service integration bus
  Running the ldapUpgrade and DBUpgrade commands to migrate directory and database data
  Starting WebSphere Application Server
  New production environment post-cutover tasks

Appendix A. Post migration troubleshooting and known issues
  Known issues for migrating to Tivoli Identity Manager Version 5.1

Appendix B. Support information
  Using IBM Support Assistant
  Obtaining fixes
  Receiving weekly support updates
  Contacting IBM Software Support
  Determining the business impact
  Describing problems and gathering information
  Submitting problems

Appendix C. Notices
  Trademarks

Glossary

Copyright IBM Corp. 2009

IBM Tivoli Identity Manager: Separate System Upgrade and Data Migration Guide

Preface
This guide describes how to upgrade and migrate data from IBM Tivoli Identity Manager Version 4.6 or 5.0 to Version 5.1 on new hardware and middleware required by IBM Tivoli Identity Manager Version 5.1.

Who should read this book


This book is intended for system and security administrators who install, maintain, or administer software on their computer systems. Readers are expected to understand system and security administration concepts. Additionally, the reader must understand administration concepts for the following types of products:
- Database servers
- Directory servers
- Application servers

Publications and related information


Read the descriptions of the Tivoli Identity Manager library. To determine which additional publications you might find helpful, read the Prerequisite product publications on page vii and the Related publications on page viii. After you determine the publications you need, refer to the instructions in Accessing publications online on page viii.

Tivoli Identity Manager library


The publications in the Tivoli Identity Manager technical documentation library can be found at the following URL:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itim.doc/welcome.htm

The publications in the Tivoli Identity Manager technical documentation library are organized into the following categories:
- Release information
- Online user assistance
- Server installation and configuration
- Problem determination
- Technical supplements
- Adapter installation and configuration
- Performance and tuning
- Skills and training

Release Information:
- Tivoli Identity Manager Quick Start Guide
  Helps you install a base configuration of Tivoli Identity Manager.
- Tivoli Identity Manager Information Center
  Provides software and hardware requirements for Tivoli Identity Manager and additional fix, patch, and other support information. This publication also includes known limitations, problems, and workarounds.

Online user assistance:
Tivoli Identity Manager Information Center provides online help topics and an information center for all Tivoli Identity Manager administrative tasks.

Server installation and configuration:
Tivoli Identity Manager Server Installation and Configuration Guide provides installation and configuration information for Tivoli Identity Manager in larger enterprise environments.

Problem determination:
Tivoli Identity Manager Problem Determination Guide provides problem determination, and logging information for Tivoli Identity Manager.
Tivoli Identity Manager Messages Guide provides message information for Tivoli Identity Manager.

Database and schema information:
Tivoli Identity Manager Database and Schema Reference describes some of the data structures used by Tivoli Identity Manager.

Technical supplements:
The following technical supplements are provided by developers or by other groups who are interested in this product:
- IBM Redbooks and white papers are available on the Web at:
  http://www.redbooks.ibm.com/redbooks.nsf/tips/
- Technotes are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/
- Field guides are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
- For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web site:
  http://www.ibm.com/developerworks/

Adapter installation and configuration:
The Tivoli Identity Manager Server technical documentation library also includes an evolving set of platform-specific installation documents for the adapter components of an IBM Tivoli Identity Manager implementation.
Locate adapter documentation on the Web at:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itim.doc/welcome.htm

Performance and tuning:
IBM Tivoli Identity Manager Performance Tuning Guide provides information to help you optimize the use of resources for Tivoli Identity Manager.

Skills and training:
Additional skills and technical training information might be available at the following Web sites:
- IBM Professional Certification at:
  http://www.ibm.com/certify/
  Search on identity manager to locate available classes and certification offerings.
- Virtual Skills Center for Tivoli Software on the Web at:
  http://www.cgselearning.com/tivoliskills/
- Tivoli Education Software Training Roadmaps on the Web at:
  http://www.ibm.com/software/tivoli/education/eduroad_prod.html
- Tivoli Technical Exchange on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html

Prerequisite product publications


To use the information in this book effectively, you must have knowledge of the products that are prerequisites for Tivoli Identity Manager. Publications are available from the following locations:
- Operating systems
  - Red Hat Linux
    http://www.redhat.com/docs/
  - SUSE Linux
    http://www.novell.com/documentation/suse.html
  - Microsoft Windows Server 2003
    - Support
      http://www.microsoft.com/windowsserver2003/support/default.mspx
    - Documentation
      http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
- WebSphere Application Server
  - Hardware and software requirements
    http://www.ibm.com/software/webservers/appserv/was/
  - Support
    http://www.ibm.com/software/webservers/appserv/was/support/
  - Information center
    http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp
- IBM DB2 Universal Database
  - Support:
    http://www.ibm.com/software/data/db2/udb/support.html
  - Information center:
    http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
  - Documentation
    http://www-306.ibm.com/software/data/db2/support/db2_9/
    http://www.ibm.com/software/data/db2/udb/support/manualsv9.html
  - DB2 product family:
    http://www.ibm.com/software/data/db2/
  - Fix packs by version:
    http://www-1.ibm.com/support/docview.wss?rs=71&uid=swg21255572
  - System requirements:
    http://www.ibm.com/software/data/db2/udb/sysreqs.html
- IBM Tivoli Directory Server
  - Support
    http://www.ibm.com/software/sysmgmt/products/support/IBMDirectoryServer.html
  - Information center
    http://publib.boulder.ibm.com/tividd/td/IBMDirectoryServer6.0.html
- IBM Tivoli Directory Integrator
  - Support
    http://www.ibm.com/software/sysmgmt/products/support/IBMDirectoryIntegrator.html
  - Information center
    http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.IBMDI.doc_6.1.1/welcome.htm

Related publications
Information that is related to Tivoli Identity Manager Server is available in the following publications:
- The Tivoli Software Library provides a variety of Tivoli publications such as white papers, data sheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
  http://www.ibm.com/software/tivoli/literature/
- The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available from the Glossary link of the Tivoli Software Library Web page at:
  http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

Accessing publications online


IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli software information center Web site. Access the Tivoli software information center at the following Web address:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

Click the I character in the A-Z list, and then click the Tivoli Identity Manager link to access the product library.

Note: If you print PDF documents on other than letter-sized paper, set the option in the File Print window that allows Adobe Reader to print letter-sized pages on your local paper.


Ordering publications
You can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.

You can also order by telephone by calling one of these numbers:
- In the United States: 800-879-2755
- In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivoli publications. To locate the telephone number of your local representative, perform the following steps:
1. Go to http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that includes the telephone number of your local representative.

Tivoli technical training


For Tivoli technical training information, refer to the following IBM Tivoli Education Web site at http://www.ibm.com/software/tivoli/education.

Accessibility
Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

The product documentation includes the following features to aid accessibility:
- Documentation is available in convertible PDF format to give the maximum opportunity for users to apply screen-reader software.
- All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.

Support information
If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:
- IBM Support Assistant: You can search across a large collection of known problems and workarounds, Technotes, and other information at http://www.ibm.com/software/support/isa.
- Obtaining fixes: You can locate the latest fixes that are already available for your product.
- Contacting IBM Software Support: If you still cannot solve your problem, and you need to work with someone from IBM, you can use a variety of ways to contact IBM Software Support.

For more information about these ways to resolve problems, see Appendix B, Support information, on page 37.


Conventions used in this book


This book uses several conventions for highlighting terms and actions and for operating system-dependent commands and paths.

Typeface conventions
This book uses the following typeface conventions:

Bold
- Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
- Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), and labels (such as Tip:)
- Keywords and parameters in text

Italic
- Words defined in text
- Emphasis of words (words as words)
- New terms in text (except in a definition list)
- Variables and values that you must provide

Monospace
- Examples and code examples
- File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
- Message text and prompts addressed to the user
- Text that the user must type
- Values for arguments or command options

Definitions for HOME and other directory variables


The following table contains the default definitions that are used in this guide to represent the HOME directory level for various product installation paths. You can customize the installation directory and HOME directory for your specific implementation. If this is the case, you need to make the appropriate substitution for the definition of each variable represented in this table.

The value of path varies for these operating systems. For Windows operating systems, the default path is drive:\Program Files. For Linux and UNIX-based operating systems, the default path is /opt.

Path Variable: Description

NEW_ITDS_INSTANCE_HOME: The directory that contains the IBM Tivoli Directory Server instance used by Tivoli Identity Manager Version 5.1.

OLD_ITDS_HOME: The directory that contains the IBM Tivoli Directory Server code used by Tivoli Identity Manager Version 4.6 or 5.0.

OLD_ITIM_HOME: The base directory that contains the Tivoli Identity Manager Version 4.6 or 5.0 code, configuration, and documentation.

NEW_ITIM_HOME: The base directory that contains the Tivoli Identity Manager Version 5.1 code, configuration, and documentation.

Operating system differences


This guide uses the Windows convention for specifying environment variables and for directory notation. When using the Linux or UNIX command line, replace %variable% with $variable for environment variables, and replace each backslash (\) with a forward slash (/) in directory paths. The names of environment variables are not always the same in Windows, and Linux or UNIX-based operating systems. For example, %TEMP% in the Windows operating system is equivalent to /tmp in a Linux or UNIX-based operating system.

Note: If you are using the bash shell on a Windows system, you can use the Linux convention for specifying file path notation.


Chapter 1. Overview of the Data Migration to Tivoli Identity Manager Version 5.1
This book focuses on the tasks that you must complete in order to migrate database and directory data from an existing Tivoli Identity Manager to a separate environment running Tivoli Identity Manager Version 5.1. These tasks require the installation of middleware and the upgrade and installation of Tivoli Identity Manager Version 5.1. This book also includes best practices for performing the upgrade and migration from production environments. The supported upgrade paths are:
Table 1. Upgrade paths From Tivoli Identity Manager Version 4.6 To Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 6.1 Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 7.0 Tivoli Identity Manager Version 5.0 Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 6.1 Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 7.0 Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 6.1 Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 7.0

Tivoli Identity Manager Version 5.1 supports data migration among supported UNIX-based operating systems. Data residing in HP-UX environments can be migrated to any of the supported UNIX environments. Data can also be migrated between Windows operating systems. Data, however, cannot be migrated from UNIX environments to Windows environments or from Windows environments to UNIX environments.

In order to perform the data migration, previous versions of Tivoli Identity Manager must have the minimum fix packs and interim fixes installed. For Tivoli Identity Manager Version 4.6, you must have at minimum interim fix (IF) 47 installed. To determine the supported release levels and fix pack specifications for the supported UNIX, Linux and Windows operating systems, refer to the Tivoli Identity Manager Information Center, which takes precedence over this document.

For information about adapter migration, please refer to the adapter documentation located in the Tivoli Identity Manager Information Center.

For information about known issues in migrating data to Tivoli Identity Manager Version 5.1, refer to Appendix A, Post migration troubleshooting and known issues, on page 35.


Tivoli Identity Manager database server components


Tivoli Identity Manager stores transactional and historical data in a database server. For example, the Tivoli Identity Manager provisioning processes use a relational database to maintain their current state as well as their history. Tivoli Identity Manager Version 5.1 supports data migration from most databases supported on Tivoli Identity Manager Version 4.6 or 5.0. To determine the supported release levels and fix packs for database software that these versions use, refer to the hardware and software prerequisites for each version in the Tivoli Identity Manager Information Center.

Tivoli Identity Manager directory server components


Tivoli Identity Manager stores the current state of managed identities in an LDAP directory, including user account and organizational data. Tivoli Identity Manager Version 5.1 supports data migration from directory servers supported on Tivoli Identity Manager Version 4.6 or 5.0. To determine the supported release levels and fix packs for directory server software that these versions use, refer to the hardware and software prerequisites for each version in the Tivoli Identity Manager Information Center.

Overview of the data migration


The data migration can be performed either for a single-server Tivoli Identity Manager environment or a cluster Tivoli Identity Manager environment consisting of multiple computers. Note that middleware can be installed on one or more computers in either environment.

The data migration consists of a collection of activities. The major steps to migrate Tivoli Identity Manager and related prerequisite middleware servers are:

- On the Tivoli Identity Manager Version 4.6 or 5.0 server environment:
  1. Stop WebSphere Application Server and any connections to the Tivoli Identity Manager database if necessary.
  2. Back up and export the following data from middleware servers to a temporary file directory:
     - Database server components
     - Directory server components

  Note: Once the backup and export have been completed, you can bring the Tivoli Identity Manager Version 4.6 or 5.0 server environment back into production. You can load production data into the new Tivoli Identity Manager Version 5.1 system at a later date. This allows you to migrate data to a test environment before performing a production cutover to the new system. It is important to note that any changes you make to Tivoli Identity Manager data on the new system will be overwritten and lost once you re-import the Tivoli Identity Manager Version 4.6 or 5.0 production data during the final cutover.

- In the Tivoli Identity Manager Version 5.1 server environment:
  1. Install the required middleware (at the required release and fix pack level) and optionally run the middleware configuration utility for DB2 Universal Database and IBM Tivoli Directory Server. For information on installing and configuring middleware, see the Tivoli Identity Manager Server Installation and Configuration Guide.
  2. Import the database data to the updated database server.
  3. Import the directory data to the updated directory server and re-index the directory server if necessary.
  4. Copy the Tivoli Identity Manager Version 4.6 or 5.0 home directory to the server that will run Tivoli Identity Manager Version 5.1.
  5. Run the Tivoli Identity Manager Version 5.1 installation program.
  6. Manually migrate any custom Java classes that you might have. For example Free EcmaScript Interpreter (FESI) extensions, ibmscripts, or customized password rules.

Planning activities for deployments at large sites


In large organizations, there are additional tasks that require planning before you migrate data from previous versions of Tivoli Identity Manager. For more information, refer to the Planning section of the Tivoli Identity Manager Information Center.

To prevent initial deployment problems, consider providing a variation of the following planning activities that are appropriate for your site, in advance of installing Tivoli Identity Manager Version 5.1 and subsequent cumulative fixes:
- Establish a working practice that provides comprehensive and relevant Tivoli Identity Manager information to all of the specialists who install middleware. For example, have the team meet regularly to enumerate their problems and share their solutions.
- To ensure coordination, designate one person as a focal point for concerns that flow between your site and IBM customer support specialists.
- If possible, reduce the number of specialists who install and configure the applications. Encourage communication flow between specialists in the following ways.
  - Provide a comprehensive library or list of FTP and Web sites for prerequisite installation and configuration information.
  - Ensure that the specialists installing Tivoli Identity Manager have root or Administrator authority for the prerequisite middleware on the middleware servers.
  - Ensure that all elements of the system or solution have sufficient privileges to provide accounts.
  - Support a centralized problem and solution database that identifies troubleshooting actions and assigns action owners.
  - Maintain a common library of scripts that automate start up.
  - Create a change control database that coordinates all customization activities.
  - Determine a working practice in which specialists provide a record of critical values of configuration parameters similar to the ones that this publication provides. Ensure that all specialists have access to and use a common worksheet that centralizes the information.


Chapter 2. Migrating DB2 Universal Database


Before you begin
This chapter describes the process to migrate and restore DB2 Universal Database data to a system and version of DB2 Universal Database that Tivoli Identity Manager Version 5.1 supports.

Before you begin the migration process, complete these tasks:
1. Ensure that the free disk space and virtual memory requirements are met. Additionally, ensure that there is adequate free disk space in the system temp directory. The target system must meet the hardware and software requirements described in the Release Information section of the Tivoli Identity Manager Information Center.
2. Ensure that you have the needed administrative authority.
   - On Windows systems, the login user ID must be in the Administrators Group.
   - On Linux systems, the login user ID must be root.

Migrating DB2 Universal Database data


DB2 Universal Database provides backup and restore commands that are used for migrating data from the 4.6 or 5.0 system to the 5.1 system before the upgrade.

Backing up DB2 Universal Database data


On the server running DB2 Universal Database for Tivoli Identity Manager Version 4.6 or 5.0, complete these steps:
1. Log in as the instance owner, for example db2admin.
2. Close all connections to the Tivoli Identity Manager database (stop WebSphere and any other tools). If necessary, run this command to force all connections to close:

   db2 force application all

3. Back up the Tivoli Identity Manager database:

   db2 backup database ITIM_DB to OLD_DB2_BACKUP_DIR

   where ITIM_DB is the name of the Tivoli Identity Manager database (for example, itimdb) and OLD_DB2_BACKUP_DIR is a directory path to store the backup, such as /46data/db2 (Linux or UNIX systems) or C:\temp\46data\db2 (Windows systems).

   Note: The db2admin might not have access to other file system locations. You might have to use /home/db2admin as an example on an AIX system.

Installing DB2 Universal Database and copying data to the target server environment
On the target database server, complete these steps:
1. Install the new version of DB2 Universal Database. Since this is a migration, make sure you create the same 4.6 or 5.0 database system user, for example, enrole. The user should have the same rights and privileges it had on the old system.
2. Run the middleware configuration tool to create the DB2 instance. When you run the middleware configuration tool to configure DB2 Universal Database, the database user field is set to itimuser as a default value, and you should modify the database user field to the same database user that is used in your previous Tivoli Identity Manager database. You should use the same database user name and the password that is used in Tivoli Identity Manager Version 4.6 or Tivoli Identity Manager Version 5.0 since this name is the schema name and the password is already saved in properties files in the OLD_ITIM_HOME\data directory and these values cannot be changed during the upgrade.
3. Copy the contents of the Tivoli Identity Manager database backup directory to the target server, for example /46data/db2. Ensure that the database instance owner you create has permission to read the target directory and files within.

For information on installing and configuring the version of DB2 Universal Database supported by Tivoli Identity Manager Version 5.1, refer to the Tivoli Identity Manager Server Installation and Configuration Guide.

Restoring DB2 Universal Database data


To restore DB2 Universal Database data on the target database server, complete these steps:
1. Open a DB2 command window.
   - UNIX: Log on as the DB2 instance owner and enter db2 to open a DB2 command window.
   - Windows: Click Start > Run, and enter db2cmd. When the DB2 command window opens, enter db2.
2. In the DB2 command window, enter these commands to restore the database using the migrated DB2 data:

   restore db itimdb from OLD_DB2_TEMP_DATA

   where itimdb is the Tivoli Identity Manager database name and OLD_DB2_TEMP_DATA is the location of the migrated DB2 data you have copied over from the previous version, such as C:\temp\46data\db2
3. Stop and start the DB2 server to reset the configuration. After you have created the Tivoli Identity Manager database, stop and start the DB2 server to allow the changes to take effect. Enter the following commands:

   db2stop
   db2start

   If entering db2stop fails and the database remains active, enter db2 force application all to inactivate the database. Then enter db2stop again.

Once you have completed the upgrade and installation, you need to tune the database for optimal performance by applying the latest tunings in the IBM Tivoli Identity Manager Performance Tuning Guide, available at the following Web site:
http://www-1.ibm.com/support/docview.wss?uid=swg27011444

For more information on backup and restore for DB2 Universal Database, refer to the following Web sites:
- DB2 Universal Database backup and restore commands and migration documentation:
  http://publib.boulder.ibm.com/infocenter/db2luw/v8/topic/com.ibm.db2.udb.doc/core/r0001933.htm
- DB2 Universal Database backup and restore operating system compatibilities:
  http://publib.boulder.ibm.com/infocenter/db2luw/v9/topic/com.ibm.db2.udb.admin.doc/doc/c0005960.htm

Clearing the service integration bus


For Separate Systems Upgrades from Tivoli Identity Manager 5.0 to Tivoli Identity Manager 5.1, it is necessary to clear out the Service Integration Bus (SIB) data from the restored database. On the target Tivoli Identity Manager Version 5.1 DB2 server:

1. Ensure that the Tivoli Identity Manager database (ITIMDB) is up and running.
2. Open a DB2 command window.
   - UNIX and Linux operating systems: Log on as the DB2 instance owner and enter db2 to open a DB2 command window.
   - Windows operating systems: Click Start > Run, and enter db2cmd. When the DB2 command window opens, enter db2.
3. In the DB2 command window, enter the DELETE SQL statements required to delete all data from the tables in the SIB schemas. Issue the following commands for each of the SIB schemas in your environment:

   delete from schema_name.SIB000
   delete from schema_name.SIB001
   delete from schema_name.SIB002
   delete from schema_name.SIBCLASSMAP
   delete from schema_name.SIBKEYS
   delete from schema_name.SIBLISTING
   delete from schema_name.SIBXACTS
   delete from schema_name.SIBOWNER
   delete from schema_name.SIBOWNERO

   where the SIB schema, schema_name, is:

   Table 2. Service integration bus schema names

   Tivoli Identity Manager environment   Schema name
   Single-server                         ITIML000
   Clustered                             ITIML000, ITIML001, ITIML002, ITIML003, and ITIMS000

Note: The SIBOWNERO table might not exist in all Tivoli Identity Manager environments. If it does not exist and the delete statement fails, you can ignore the failure.


Chapter 3. Migrating Oracle Database


This chapter describes steps to migrate and import Oracle data to a system and version of Oracle Database supported by Tivoli Identity Manager Version 5.1.

Before you begin the migration process, complete these tasks:

1. Ensure that the free disk space and virtual memory requirements are met. Additionally, ensure that there is adequate free disk space in the system temp directory. The target system must meet the hardware and software requirements described in the Release Information section of the Tivoli Identity Manager Information Center.
2. Ensure that you have the needed administrative authority. On Windows systems, the login user ID must be in the Administrators Group. On Linux systems, the login user ID must be root.

Migrating Oracle data


The Oracle Database export (EXP) and import (IMP) utilities are used to perform logical database backup and recovery. They are also used to migrate Oracle data from one server, database or schema to another.

Exporting Oracle data from the server for Tivoli Identity Manager Version 4.6 or 5.0
On the server running Oracle Database for Tivoli Identity Manager Version 4.6 or 5.0, complete these steps:

1. Log in as the Oracle database instance owner.
2. Ensure that the ORACLE_HOME (Oracle default installation directory) and ORACLE_SID (the Tivoli Identity Manager database instance) environment variables are properly set. Check your environment variables for the following entries (the following example is for a Windows home directory):

   ORACLE_HOME=c:\oracle\ora92
   ORACLE_SID=itim

3. Export the Oracle Database dump and log files with the following command:

   exp system/system_pwd file=path\itim46.dmp log=path\itim46exp.log owner=itim_username

   where system_pwd is the password for the system user, path is the path of the file, such as C:\46data\oracle or /opt/46data/oracle, and itim_username is the Tivoli Identity Manager Version 4.6 or 5.0 database user, such as enrole or itimuser.
4. Copy the contents of the directory you exported over to the target server, for example /46data/oracle. Ensure that the database instance owner enrole that you created above has permission to read the target directory and the files within it.

Installing Oracle database and importing data


On the target Tivoli Identity Manager Version 5.1 server, complete these steps:

1. Install the supported version of Oracle Database following the instructions from the Tivoli Identity Manager Server Installation and Configuration Guide.
2. Configure the Oracle database instance. The following enrole_admin.sql file helps to configure the new Oracle database instance for the migration. Edit the file, replacing itimuserTag with your Tivoli Identity Manager Version 4.6 or 5.0 database user, such as enrole, and replacing itimuserPwdtag with the Tivoli Identity Manager Version 4.6 or 5.0 database user password. The Tivoli Identity Manager upgrade will fail if the database user ID and password are not the same as the previous version.

   CREATE TABLESPACE enrole_data
   DATAFILE 'enrole1_data_001.dbf'
   SIZE 64M
   AUTOEXTEND ON
   NEXT 64M
   MAXSIZE unlimited
   DEFAULT STORAGE (INITIAL 10M NEXT 1M PCTINCREASE 10)
   PERMANENT
   ONLINE
   LOGGING;

   CREATE TABLESPACE enrole_indexes
   DATAFILE 'enrole1_idx_001.dbf'
   SIZE 32M
   AUTOEXTEND ON
   NEXT 32M
   MAXSIZE unlimited
   DEFAULT STORAGE (INITIAL 10M NEXT 1M PCTINCREASE 10)
   PERMANENT
   ONLINE
   LOGGING;

   CREATE USER itimuserTag IDENTIFIED BY itimuserPwdtag
   DEFAULT TABLESPACE enrole_data
   QUOTA UNLIMITED ON enrole_data
   QUOTA UNLIMITED ON enrole_indexes;

   GRANT CREATE SESSION TO itimuserTag;
   GRANT CREATE TABLE to itimuserTag;
   GRANT CREATE ANY PROCEDURE to itimuserTag;
   GRANT CREATE VIEW to itimuserTag;

3. On the target computer, ensure the ORACLE_HOME and ORACLE_SID environment variables are set properly.
4. Run the above enrole_admin.sql file using the sqlplus utility:

   sqlplus system/system_pwd @path\enrole_admin.sql

   where system_pwd is the password for the system user and path is the path of the file. Running this script file creates the required Tivoli Identity Manager table spaces and creates the database user (specified by itimuserTag) with the required permissions.
5. After creating the table spaces, enter the following command to import the Tivoli Identity Manager Version 4.6 or 5.0 exported data:

   imp system/system_pwd file=path\itim46.dmp log=path\itim46exp.log fromuser=itim_username

   where system_pwd is the password for the system user, path is the path of the file you copied over (such as C:\46data\oracle or /opt/46data/oracle) and itim_username is the name of the Tivoli Identity Manager Version 4.6 database user, such as enrole or itimuser.


After you have completed the upgrade and installation, you need to tune the database for optimal performance by applying the latest tunings in the IBM Tivoli Identity Manager Performance Tuning Guide, available at the following Web site: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itim.doc/welcome.htm


Chapter 4. Migrating SQL Server


This chapter provides information on migrating and importing Microsoft SQL Server data to a system and version of SQL Server supported by Tivoli Identity Manager Version 5.1.

Before you begin the migration process, complete these tasks:

1. Ensure that the free disk space and virtual memory requirements are met. Additionally, ensure that there is adequate free disk space in the system temp directory. The target system must meet the hardware and software requirements described in the Release Information section of the Tivoli Identity Manager Information Center.
2. Ensure that you have the needed administrative authority. On Windows systems, the login user ID must be in the Administrators Group. On Linux systems, the login user ID must be root.

Migrating SQL Server data


The Microsoft SQL Server backup and restore utilities are used to perform database backup and recovery. They can also be used to move SQL Server data from one server, database or schema to another.

Backing up SQL Server data


On the server running SQL Server for Tivoli Identity Manager Version 4.6 or 5.0, complete these steps:

1. Start SQL Server Enterprise Manager and navigate to the Tivoli Identity Manager database.
2. Right-click the Tivoli Identity Manager database (itimdb) and select All Tasks > Backup Database.
3. Click Add to provide a file name such as itimdb.bak.
4. Accept the defaults for the other options, and click OK.

Installing SQL server and importing data


On the target Tivoli Identity Manager Version 5.1 SQL server:

1. Install SQL Server 2005 following the instructions in the Tivoli Identity Manager Server Installation and Configuration Guide. Since this is a migration and upgrade, ensure that the same Tivoli Identity Manager Version 4.6 or 5.0 database system user is created and used.
2. After creating the Tivoli Identity Manager Version 5.1 database, right-click the database and select Tasks > Restore > Database.
3. In the Restore Database window under the General page, select the From device source for restore option, click the ellipsis (...) button and provide the Tivoli Identity Manager Version 4.6 or 5.0 database backup file name (itimdb.bak).
4. After adding the backup file to the list, select the check box to select the file and click the Options page in the left pane.
5. On the Options page, select the Overwrite the existing database option and click OK.
6. Configure SQL with the following user script:

   sp_addlogin itimuserTag, itimuserPwdTag;
   sp_adduser itimuserTag, itimuserTag, db_owner;
   use master;
   sp_grantdbaccess itimuserTag, itimuserTag;
   sp_addrolemember [SqlJDBCXAUser], itimuserTag;
   use itimdbTag;

   Replace itimuserTag with your Tivoli Identity Manager Version 4.6 or 5.0 database user, for example enrole; replace itimuserPwdTag with the Tivoli Identity Manager Version 4.6 or 5.0 database user password; and replace itimdbTag with the database instance name.
7. Next configure SQL with the following user script:

   sp_change_users_login 'Update_One', 'itimuserTag', 'itimuserTag'

   Replace itimuserTag with your Tivoli Identity Manager Version 4.6 database user, for example enrole.
8. Restart SQL Server 2005.

Clearing the service integration bus


For Separate Systems Upgrades from Tivoli Identity Manager 5.0 to Tivoli Identity Manager 5.1, it is necessary to clear out the Service Integration Bus (SIB) data from the restored database. On the target Tivoli Identity Manager Version 5.1 DB2 server:

1. Start the SQL Server Enterprise Manager and navigate to the database to be used for Tivoli Identity Manager 5.1.
2. Right-click the database and click New Query.
3. Enter the DELETE SQL statements required to delete all data from the tables in the SIB schemas. Issue the following commands for each of the SIB schemas in your environment:

   delete from schema_name.SIB000
   delete from schema_name.SIB001
   delete from schema_name.SIB002
   delete from schema_name.SIBCLASSMAP
   delete from schema_name.SIBKEYS
   delete from schema_name.SIBLISTING
   delete from schema_name.SIBXACTS
   delete from schema_name.SIBOWNER
   delete from schema_name.SIBOWNERO

   where the SIB schema, schema_name, is:

   Table 3. Service integration bus schema names

   Tivoli Identity Manager environment   Schema name
   Single-server                         ITIML000
   Clustered                             ITIML000, ITIML001, ITIML002, ITIML003, and ITIMS000

Note: The SIBOWNERO table might not exist in all Tivoli Identity Manager environments. If it does not exist and the delete statement fails, you can ignore the failure.
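The SIB clean-up described here and in the DB2 chapter can be scripted so that a failed DELETE is ignored only for SIBOWNERO and any other failure undoes the run. The following Python sketch is an added example, not part of the IBM guide or its tooling; sqlite3 with attached in-memory databases stands in for DB2 or SQL Server so it runs offline, and the function names, environment keys and stand-in rows are assumptions of this example.

```python
import sqlite3

# Table and schema names exactly as listed in the guide.
SIB_TABLES = ("SIB000", "SIB001", "SIB002", "SIBCLASSMAP", "SIBKEYS",
              "SIBLISTING", "SIBXACTS", "SIBOWNER", "SIBOWNERO")
OPTIONAL_TABLES = {"SIBOWNERO"}   # per the guide's note: may not exist everywhere
SIB_SCHEMAS = {                   # dictionary keys are this example's own labels
    "single-server": ("ITIML000",),
    "clustered": ("ITIML000", "ITIML001", "ITIML002", "ITIML003", "ITIMS000"),
}


def clear_sib(conn, environment, db_error):
    """Run the guide's DELETE statements for every SIB schema of `environment`.

    conn      -- a DB-API 2.0 connection to the restored database
    db_error  -- that driver's base exception class (sqlite3.Error here)
    A failed DELETE is ignored only for OPTIONAL_TABLES; any other failure
    rolls back everything done so far and is re-raised.
    Returns {"SCHEMA.TABLE": "cleared" or "skipped"}.
    """
    report = {}
    cur = conn.cursor()
    try:
        for schema in SIB_SCHEMAS[environment]:
            for table in SIB_TABLES:
                name = f"{schema}.{table}"
                try:
                    cur.execute(f"delete from {name}")
                    report[name] = "cleared"
                except db_error:
                    if table not in OPTIONAL_TABLES:
                        raise
                    report[name] = "skipped"
        conn.commit()
    except Exception:
        conn.rollback()
        raise
    return report


def build_stand_in(environment, missing=("SIBOWNERO",)):
    """Constructed stand-in database: one attached in-memory database per SIB
    schema, two rows per table, with the tables named in `missing` left out."""
    conn = sqlite3.connect(":memory:")
    for schema in SIB_SCHEMAS[environment]:
        conn.execute(f"ATTACH DATABASE ':memory:' AS {schema}")
        for table in SIB_TABLES:
            if table in missing:
                continue
            conn.execute(f"CREATE TABLE {schema}.{table} (id INTEGER)")
            conn.execute(f"INSERT INTO {schema}.{table} VALUES (1), (2)")
        conn.commit()   # ATTACH is not allowed inside an open transaction
    return conn


def row_count(conn, name):
    """Number of rows left in SCHEMA.TABLE."""
    return conn.execute(f"SELECT COUNT(*) FROM {name}").fetchone()[0]


if __name__ == "__main__":
    demo = build_stand_in("clustered")
    for name, state in clear_sib(demo, "clustered", sqlite3.Error).items():
        print(f"{name:22} {state}")
```

Against a real server, pass the connection and base exception class of the DB-API driver in use instead of the sqlite3 stand-in.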


Chapter 5. Migrating IBM Tivoli Directory Server


This chapter provides information on migrating and importing data to a system and version of IBM Tivoli Directory Server supported by Tivoli Identity Manager Version 5.1. Tivoli Identity Manager Version 4.6 supports IBM Tivoli Directory Server Version 5.2 and 6.1, while Tivoli Identity Manager Version 5.0 supports IBM Tivoli Directory Server Version 6.0 and 6.1. Note that the migration commands vary between directory server versions. You must be logged in as an administrator with root privileges to perform the migration.

Migrating IBM Tivoli Directory Server Version data

Preparing IBM Tivoli Directory Server data on the server running IBM Tivoli Directory Server for Tivoli Identity Manager Version 4.6 or 5.0
For a server running IBM Tivoli Directory Server Version 5.2, run the following command:
db2ldif -s ldap_suffix -o ldap_output_file

where ldap_suffix is the name of the suffix (such as dc=com) on which Tivoli Identity Manager is configured, and ldap_output_file is the name of the .ldif output file (such as old_ldif_data.ldif).

For a server running IBM Tivoli Directory Server Version 6.x, run the following command:
db2ldif -s ldap_suffix -o ldap_output_file -I ldap_instance_name

where ldap_suffix is the name of the suffix (such as dc=com) on which Tivoli Identity Manager is configured, ldap_output_file is the name of the .ldif output file (such as old_ldif_data.ldif), and ldap_instance_name is the name of the LDAP server instance, which can be obtained through the IBM Tivoli Directory Server Instance Administration Tool.

Note: The LDAP server does not need to be stopped for you to enter this command for either version of IBM Tivoli Directory Server.

Configuring IBM Tivoli Directory Server on the target directory server


On the target Tivoli Identity Manager Version 5.1 directory server, complete these steps:

1. Install the supported version of IBM Tivoli Directory Server following the instructions in the Tivoli Identity Manager Server Installation and Configuration Guide.
2. Run the middleware configuration tool to create and configure the IBM Tivoli Directory Server instance. Ensure that the same Tivoli Identity Manager Version 4.6 or 5.0 root suffix is created and used.

   Note: Use the same encryption seed value as the old Tivoli Directory Server instance. Otherwise the data from the old Tivoli Directory Server instance needs to be exported using the seed and salt keys from the new instance.
3. Copy over the schema file V3.modifiedschema from the OLD_ITDS_HOME\etc directory of the IBM Tivoli Directory Server home directory used by Tivoli Identity Manager Version 4.6 or 5.0 server to the NEW_ITDS_INSTANCE_HOME\etc directory of the IBM Tivoli Directory Server instance that the Tivoli Identity Manager Version 5.1 server uses.

   Notes:
   a. If you have made customizations or modifications to the schema files, verify which schema files you have modified. Manually merge the changes with the new schema files.
   b. When running the bulkload command, the following errors might occur:

      GLPCRY007E The directory key stash file is inconsistent with the associated encrypted data.
      GLPBLK071E Bulkload is unable to run because of an initialization error.

      To correct these errors you need to know the encryption seed and salt values of the target instance. (The target instance is the directory server instance where you are performing the bulkload operation.) To determine the salt value of the target instance, run this command:

      ldapsearch -D bind DN -w password -h hostname -s base -b cn=crypto,cn=localhost cn=* -p port

      Replace the values of ibm-slapdCryptoSync and ibm-slapdCryptoSalt in the ldap_output_file file (generated as output of the db2ldif command, for example old_ldif_data.ldif) with the values returned by the ldapsearch command. Run the bulkload command again.
4. Stop and start IBM Tivoli Directory Server for the changes to take effect.
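The substitution described in note b can be scripted rather than done by hand. This Python sketch is an added example, not IBM tooling: it reads ibm-slapdCryptoSync and ibm-slapdCryptoSalt from saved ldapsearch output and writes a patched copy of the db2ldif export, leaving the original file untouched. The function names, the sample values, and the assumption that both attributes appear as ordinary LDIF attribute lines in the export are assumptions of this example.

```python
import os
import re

ATTRS = ("ibm-slapdCryptoSync", "ibm-slapdCryptoSalt")
# Attribute name, then "=" (attr=value search output), ":" (LDIF) or "::" (LDIF base64).
ATTR_LINE = re.compile(r"^(ibm-slapdCrypto(?:Sync|Salt))\s*(::|:|=)\s*(.*)$", re.I)


def canonical(name):
    """Return the attribute name in the spelling used in ATTRS."""
    return next(a for a in ATTRS if a.lower() == name.lower())


def read_target_values(ldapsearch_output):
    """Extract both crypto values of the target instance from ldapsearch output.

    Accepts attr=value and LDIF (attr: value) output, including folded lines.
    Returns {attr: (separator, value)}; separator is ":" or "::" (base64).
    """
    unfolded = re.sub(r"\r?\n ", "", ldapsearch_output)  # join LDIF continuation lines
    values = {}
    for line in unfolded.splitlines():
        m = ATTR_LINE.match(line.strip())
        if m:
            sep = "::" if m.group(2) == "::" else ":"
            values[canonical(m.group(1))] = (sep, m.group(3).strip())
    missing = [a for a in ATTRS if not values.get(a, ("", ""))[1]]
    if missing:
        raise ValueError("ldapsearch output lacks: " + ", ".join(missing))
    return values


def patch_ldif(ldif_text, values):
    """Return the LDIF text with both crypto attributes set to the target values.

    All other lines are copied unchanged. Raises ValueError if either attribute
    is absent from the LDIF, so a half-patched file is never produced.
    """
    out, replaced, skipping = [], set(), False
    for line in ldif_text.splitlines(keepends=True):
        if skipping and line.startswith(" "):
            continue                      # folded remainder of the old value
        skipping = False
        body = line.rstrip("\r\n")
        m = ATTR_LINE.match(body)
        if m and m.group(2) != "=":
            attr = canonical(m.group(1))
            sep, value = values[attr]
            eol = line[len(body):] or "\n"
            out.append(f"{attr}{sep} {value}{eol}")
            replaced.add(attr)
            skipping = True
        else:
            out.append(line)
    missing = [a for a in ATTRS if a not in replaced]
    if missing:
        raise ValueError("LDIF has no line for: " + ", ".join(missing))
    return "".join(out)


def patch_file(ldif_path, ldapsearch_path, out_path):
    """Write a patched copy of ldif_path to out_path; refuses to overwrite."""
    opts = dict(encoding="utf-8", errors="surrogateescape", newline="")
    with open(ldapsearch_path, **opts) as f:
        values = read_target_values(f.read())
    with open(ldif_path, **opts) as f:
        patched = patch_ldif(f.read(), values)
    # The export holds directory data and key material: owner-only, never clobber.
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", **opts) as f:
        f.write(patched)
    return sorted(values)


# Constructed sample data (placeholder values, not real key material).
SAMPLE_SEARCH = """cn=crypto,cn=localhost
cn=crypto
ibm-slapdCryptoSalt=TARGETSALT01
ibm-slapdCryptoSync=TARGETSYNC000001
objectclass=top
"""
SAMPLE_LDIF = """version: 1

dn: cn=crypto,cn=localhost
objectclass: top
cn: crypto
ibm-slapdCryptoSync: OLDSYNC
 000000001
ibm-slapdCryptoSalt: OLDSALT00001

dn: dc=com
objectclass: domain
dc: com
"""

if __name__ == "__main__":
    print(patch_ldif(SAMPLE_LDIF, read_target_values(SAMPLE_SEARCH)))
```

Run bulkload against the patched copy, and remove both the copy and the saved ldapsearch output once the import has succeeded.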

Importing IBM Tivoli Directory Server data


To import IBM Tivoli Directory Server data, stop the LDAP server and run the following command from the directory server:
bulkload -i OLD_ITDS_TEMP_DATA\ldif_output_file -I ldap_instance_name

where OLD_ITDS_TEMP_DATA is the temporary directory location of the migrated IBM Tivoli Directory Server data you have copied over from the previous version, such as C:\temp\46data\ids\, ldif_output_file is the name of the .ldif file you exported from the previous step, such as old_ldif_data.ldif, and ldap_instance_name is the name of the LDAP server instance, such as itimldap, which can be obtained through the IBM Tivoli Directory Server Instance Administration Tool.

On Windows systems, you must run the bulkload utility command within the DB2 command line interpreter. You can access the command line interpreter by clicking Start > Run, typing db2cmd, and clicking OK.

Note: The bulkload will fail if any of the entries in the input LDIF file already exist in LDAP. This might occur if the suffix you have defined exists as an entry in the directory server. It may be necessary to delete the suffix entry from LDAP before running the command.

After you have completed the upgrade and installation of Tivoli Identity Manager, tune LDAP for optimal performance by applying the latest tuning settings in the IBM Tivoli Identity Manager Performance Tuning Guide, available at the following Web site: http://www-1.ibm.com/support/docview.wss?uid=swg27011444


Chapter 6. Migrating Sun directory server


This chapter provides information on migrating and importing data to a system and version of Sun directory server supported by Tivoli Identity Manager Version 5.1. You must be logged in as an administrator with root privileges to perform this migration.

Migrating Sun directory server data


For complete information about migrating Sun directory servers to Sun Directory Enterprise Server 6.3 go to the Sun Web site at http://docs.sun.com/app/docs/doc/820-2762/dsoutline?a=view.

Exporting Sun directory server data


To export from Sun ONE Directory Server Version 5.2 for Tivoli Identity Manager Version 4.6 or 5.0, run the following command (you do not need to stop LDAP):
db2ldif -n instance_name -a ldif_output_file -s "ldap_suffix"

where instance_name is the name of the database instance of the directory server, ldif_output_file is the name (such as 46_ldif_data.ldif) of the LDIF output file, and ldap_suffix is the root suffix (such as dc=com) on which Tivoli Identity Manager data is stored. Note that the LDAP suffix should be delimited by quotation marks.

To find the instance name, run the following command (on one line):
OLD_SUN_INSTALL_HOME/shared/bin/ldapsearch -h hostname -p port_number -D "cn=Directory Manager" -w password -b "cn=ldbm database,cn=plugins,cn=config" "(nsslapd-suffix=rootSuffix)" cn

The variables for this command are:

- OLD_SUN_INSTALL_HOME: The installation directory of Sun ONE Directory Server.
- hostname: The host name or IP address of the directory server.
- port_number: The port number of the directory server.
- cn=Directory Manager: The binding dn for the directory manager.
- password: The password for the cn=Directory Manager user.
- rootSuffix: The root suffix for Tivoli Identity Manager, for example dc=com.

For example, if the Sun ONE directory server for Tivoli Identity Manager is running at 10.10.10.10 on port 389, the dn for the directory manager is cn=Directory Manager, the password for the directory manager is pwd4sunone, and the root suffix for Tivoli Identity Manager is dc=com, then the command should be:

OLD_SUN_INSTALL_HOME/shared/bin/ldapsearch -h 10.10.10.10 -p 389 -D "cn=Directory Manager" -w pwd4sunone -b "cn=ldbm database,cn=plugins,cn=config" "(nsslapd-suffix=dc=com)" cn

The output of the command should appear in the following form:


version: 1
dn: cn=com, cn=ldbm database, cn=plugins, cn=config
cn: com

In this example, the database instance name is "com".

Importing data to Sun Enterprise Directory Server


To import to Sun Enterprise Directory Server for Tivoli Identity Manager Version 5.1, complete these steps on the directory server:

1. Install the supported version of Sun Enterprise Directory Server and create a brand new LDAP instance.
2. Create a root suffix that is the same as the root suffix of the previous version of Sun ONE Directory Server.
3. Copy the 99user.ldif schema file from the OLD_SUN_INSTALL_HOME/slapdserverID/config/schema directory to the Tivoli Identity Manager Version 5.1 directory server schema directory.
4. Stop the LDAP server.
5. Run the following command to import the data:
ldif2db -n instance_name -i ldif_output_file

where instance_name is the name of the old instance and ldif_output_file is the name of the file you exported from the previous version of Sun ONE Directory Server.


Chapter 7. Performing the Upgrade to Tivoli Identity Manager Version 5.1


This chapter provides information on how to upgrade to Tivoli Identity Manager Version 5.1, both for single-server and cluster environments. The supported upgrade paths are:
Table 4. Upgrade paths

From: Tivoli Identity Manager Version 4.6
To:   Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 6.1
      Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 7.0

From: Tivoli Identity Manager Version 5.0
To:   Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 6.1
      Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 7.0

From: Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 6.1
To:   Tivoli Identity Manager Version 5.1 deployed on WebSphere Application Server 7.0

Copying the existing Tivoli Identity Manager Version home directory to the target environment
In order to run the installation program to upgrade to Tivoli Identity Manager Version 5.1, copy the existing Tivoli Identity Manager home directory to the target environment. The OLD_ITIM_HOME location from the previous version of Tivoli Identity Manager should be preserved when you copy the home directory. For example, if the OLD_ITIM_HOME directory was C:\itim46 (Windows) or /opt/IBM/itim46 (UNIX/Linux), then you should copy the directory to the same path on the new server before you run the installation program.

To copy the existing Tivoli Identity Manager home directory, complete these steps for UNIX/Linux and Windows environments:

- UNIX/Linux
  1. Go to the UNIX or Linux root directory.
  2. Create a tar file by entering the full path of OLD_ITIM_HOME. For example,

     tar cvf itim.tar OLD_ITIM_HOME

     If you are running Tivoli Identity Manager in a cluster environment, create separate tar files for the deployment manager and cluster members.
  3. Copy the tar file itim.tar to the target server root directory. If you are running Tivoli Identity Manager in a cluster environment, copy the tar file from the old deployment manager to the new deployment manager and old cluster members to new cluster members.
  4. Extract the OLD_ITIM_HOME directory on one or more servers using the following command:

     tar xvf itim.tar

- Windows
  1. Create a .zip file of the OLD_ITIM_HOME directory. If you are running Tivoli Identity Manager in a cluster environment, create separate .zip files for the deployment manager and cluster members.
  2. Copy the .zip file to the target server. If you are running Tivoli Identity Manager in a cluster environment, copy the .zip file from the old deployment manager to the new deployment manager and old cluster members to new cluster members.
  3. Extract the OLD_ITIM_HOME directory on one or more servers to the same drive location where Tivoli Identity Manager was installed.

Running the Tivoli Identity Manager Version 5.1 installation program


Before you run the Tivoli Identity Manager Version 5.1 installation program, you should have imported or restored the directory and database data you copied onto the respective directory and database servers. Additionally, you should ensure that the following middleware is running at the supported release level and fix pack:

- WebSphere Application Server
- DB2 Universal Database or other supported middleware
- IBM Tivoli Directory Server or other supported middleware

Refer to the Tivoli Identity Manager Server Installation and Configuration Guide for explicit instructions on configuring this middleware for the installation.

If you are installing Tivoli Identity Manager in a cluster environment, you need to install Tivoli Identity Manager on the deployment manager to upgrade the database and directory server before installing Tivoli Identity Manager on cluster members.

To upgrade to Tivoli Identity Manager Version 5.1, complete these steps:

1. Log on to an account with system administration privileges on the computer where the Tivoli Identity Manager Server will be installed. On Windows systems, the login user ID must be in the Administrators Group. On Linux systems, the login user ID must be root.
2. Download the installation program, or insert the Tivoli Identity Manager product DVD into the DVD drive.
3. To run the installation program, complete these steps:
   - Windows:
     a. Click Start > Run.
     b. Enter the drive and path where the installation program is located and then enter the following command:

        instwin.exe

     The Welcome window opens.
   - UNIX or Linux:
     a. Open a command shell prompt window, and navigate to the directory where the installation program is located.
     b. Enter the following command for the Tivoli Identity Manager installation program:

        AIX:     instaix.bin
        Linux:   instlinux.bin
        pLinux:  instplinux.bin
        zLinux:  instzlinux.bin
        Solaris: instsol.bin

     The installation program starts and displays the Welcome window.

   If you are running the installation program on a UNIX/Linux system that does not have at least 150 MB of free space in the /tmp directory, you should set the IATEMPDIR environment variable to a directory on a disk partition with enough free disk space. To set the variable, enter one of the following commands at the command line prompt before running the installation program again:

   Bourne shell (sh), ksh, bash, and zsh:

      $ IATEMPDIR=temp_dir
      $ export IATEMPDIR

   C shell (csh) and tcsh:

      $ setenv IATEMPDIR temp_dir

   where temp_dir is the path to the directory, for example /your/free/directory, where free disk space is available.
4. Select the language and click OK.
5. If you agree with the terms, accept the license agreement and click Next.
6. In the Choose Install Directory window, you must select the existing Tivoli Identity Manager home directory that you want to upgrade. Accept the default directory, or click Choose and select the correct directory. Then, click Next.
7. In the Upgrade IBM Tivoli Identity Manager window, click Continue to Next to start the upgrade.
8. Read the caution windows to ensure that the prerequisite applications meet the requirements that Tivoli Identity Manager supports. Then, click Next.
9. In the Installation Directory of WebSphere Application Server window, confirm the WebSphere Application Server directory and click Next.
10. In the WebSphere Profile Selection window, select the WebSphere Application Server profile name, and click Next.
11. If you are running Tivoli Identity Manager in a cluster environment, enter the application and messaging cluster names, and click Next.

    Note: The cluster names you enter do not have to match the previous version of Tivoli Identity Manager, but they should already exist from the configuration of WebSphere Application Server. For more information on configuring WebSphere Application Server for Tivoli Identity Manager, refer to the Tivoli Identity Manager Server Installation and Configuration Guide.
12. In the WebSphere Application Server Data window, enter or accept the application server name and ensure that the correct host name for the new computer is shown, and click Next.


13. If you are running Tivoli Identity Manager in a cluster environment, verify the host name of the system on which WebSphere Application Server and Tivoli Identity Manager will install, and click Next.
14. If WebSphere administrative security and application security is turned on, in the WebSphere Application Server Administrator Credentials window, enter the WebSphere Application Server administrator user ID and password, and click Next.
15. If you are prompted for the Java Database Connectivity (JDBC) driver, enter the directory location for the JDBC driver and the driver name, and click Next.

    Note: If you are upgrading from Tivoli Identity Manager 5.1 to Tivoli Identity Manager 5.1 on WebSphere Application Server 7.0, the JDBC driver setup panel is not displayed. Additional manual steps are needed for the Oracle database.
    a. After deploying Tivoli Identity Manager 5.1 on WebSphere Application Server 7.0 Fix Pack 5, remove the ojdbc.jar file from ITIM_HOME/lib and replace it with ojdbc6.jar. Then, rename ojdbc6.jar to ojdbc.jar. This is necessary because WebSphere Application Server 7.0 uses JDK1.6.
16. In the Tivoli Common Directory window, select the location of the Tivoli Common Directory or another directory, and click Next. The directory you select is the central location for all serviceability-related files, such as logs and first-failure capture data.
17. In the Pre-Installation Summary window, verify the information is correct and click Install.
18. When the System Configuration tool window is shown on the screen, enter the correct values for Tivoli Identity Manager Version 5.1. Confirm or update the correct values for the following directory, database, and mail server fields on each tab, which must be changed from the old information used in the previous version of Tivoli Identity Manager. Click OK only after you have made all necessary changes and verified that the values on all tabs are correct:
    - Database
      JDBC URL: Enter the JDBC URL with the correct database host name, port number, and database name for Tivoli Identity Manager Version 5.1. For example, if you are using the DB2 database itimdb running at the host 10.1.1.1 on port 50000, then you enter:

         jdbc:db2://10.1.1.1:50000/itimdb

      Note: The host name can be a fully qualified domain name, IPv4 or [IPv6] address. The IPv6 address must be enclosed in square brackets.

      When you have entered the information, click Test to test the connection.

      Note: The Database User and User Password fields are disabled. When you create the database user for Tivoli Identity Manager Version 5.1, make sure that you use the same database user ID and the password that you used for the previous Tivoli Identity Manager server.
    - Directory
      Principal DN
      Password
      Host Name
      Port

      When you have entered the information, click Test to test the connection.
    - Mail
      Identity Manager Server Base URL

    Click OK when you have changed or verified all the fields on all the tabs.
19. The database upgrade program is invoked to upgrade the database schema and data. If you are upgrading from Tivoli Identity Manager Version 4.6 with WebSphere Application Server 5.1, you are prompted to provide the database administrative user ID and password to create the database schema for the messaging engine. The database upgrade can take some time to complete, and progress is not displayed. After it is complete, the LDAP upgrade program is invoked to upgrade the LDAP schema and data. This can also take some time. You can look at the log files in the ITIM_HOME\install_logs directory to see the upgrade progress, specifically the following log files:
    - itim_install_activity.log
    - dbUpgrade.stdout
    - ldapUpgrade.stdout
    - runConfigFirstTime.stdout
20. When the installation program has completed, click Done.
21. Confirm you can log on to the Tivoli Identity Manager Version 5.1 system. You should be able to log in with the itim manager user ID and the password that was used in the previous version of Tivoli Identity Manager.

Post-installation tasks

Restarting and re-indexing Sun Enterprise Directory Server Version 6.3
If you migrated data from Sun ONE Directory Server, after the Tivoli Identity Manager Version 5.1 installation is completed, you must stop Tivoli Identity Manager, restart your directory server and then re-index, otherwise Tivoli Identity Manager cannot connect to the directory server after restart. To re-index Sun Enterprise Directory Server, complete these steps:
1. From the Sun Enterprise Directory Server console, click the Configuration tab.
2. Select the directory server, open the Data tree, click on the exported root suffix and select Reindex.
3. Select Check All and click OK.

Updating the WebSphere Application Server default listening port (cluster only)
For cluster environments, after the installation has completed, check if the default host ports of each application cluster member are included in the host aliases of default_host. If not, you might need to update the WebSphere Application Server default listening port by manually entering a new host alias for the port. Complete these steps:
1. From the WebSphere administrative console, click Environment > Virtual Hosts > default_host > Host Aliases.
2. In Host Aliases, click New to create a new alias.
3. In the Host Name field, enter *, and in the Port field, enter the port number and click OK.
   Note: To find the default host port, click Servers > Applications Servers > serverName > ports. For WebSphere Application Server 7.0, click Servers > Server Types > Applications Servers > serverName > ports. Look for the values of WC_defaulthost and WC_defaulthost_secure. In these paths, serverName is the server name of the application cluster member where Tivoli Identity Manager is deployed.
4. Save the configuration changes.

Preserving custom logos


Custom logos used in the UI are not preserved after upgrade. This is a normal behavior of upgrade. The ui.properties file property named enrole.ui.customerLogo.image still points to the location specified in 4.6 or 5.0. However, this defaults to a path inside the enrole.ear or ITIM.ear directory. You need to copy the image file from the old location to the new location. A section for customizing logos and style sheets provides this information in the Tivoli Identity Manager Server Installation and Configuration Guide.

Verifying the installation


When you have completed the installation, confirm you can log on to the Tivoli Identity Manager Version 5.1 system. You should be able to log in with the Tivoli Identity Manager administrator user ID (for example, itim manager) and password that was used in the previous version of Tivoli Identity Manager. For more information on verifying the installation, see the Tivoli Identity Manager Server Installation and Configuration Guide. For additional assistance troubleshooting a post-migration system, see Appendix A, Post migration troubleshooting and known issues, on page 35.

Tuning performance
Once you have completed verifying the new system, you should apply performance tunings to confirm that the new system meets your performance requirements. For instance, on systems running DB2 Universal Database, you might benefit from enabling autoresize on your table spaces. This is the default with Tivoli Identity Manager Version 5.1. To check that you have autoresize enabled, use the following command:
db2 get snapshot for tablespaces on itimdb

and look for the "Auto-resize enabled" line in the output. For more information on performance tunings for Tivoli Identity Manager Version 5.1, refer to the IBM Tivoli Identity Manager Performance Tuning Guide.
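The check described above can be scripted so that every table space is listed with its setting instead of being read by eye. This is an added example, not part of the IBM guide; it assumes the snapshot prints a "Tablespace name = ..." line before each table space's attributes, and the sample output embedded in it is constructed.

```shell
#!/bin/sh
# Added example: summarise "Auto-resize enabled" per table space from the
# output of `db2 get snapshot for tablespaces on itimdb`, read on stdin.
# Assumption: each table space section starts with a "Tablespace name = X" line.

# autoresize_report: print "<tablespace><TAB><yes|no|not-reported>" per table space.
autoresize_report() {
    awk -F'=' '
        function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
        function emit()  { if (name != "") print name "\t" (state == "" ? "not-reported" : state) }
        /^[ \t]*Tablespace name[ \t]*=/     { emit(); name = trim($2); state = ""; next }
        /^[ \t]*Auto-resize enabled[ \t]*=/ { state = tolower(trim($2)); next }
        END { emit() }
    '
}

# autoresize_not_enabled: names of table spaces whose setting is anything but "yes",
# including sections where the line is missing altogether.
autoresize_not_enabled() {
    autoresize_report | awk -F'\t' '$2 != "yes" { print $1 }'
}

# Constructed sample in the assumed layout (not captured from a real system).
sample_snapshot() {
    cat <<'EOF'
            Tablespace Snapshot

Tablespace name                            = SYSCATSPACE
  Tablespace ID                            = 0
  Auto-resize enabled                      = Yes

Tablespace name                            = ENROLE_DATA
  Tablespace ID                            = 3
  Auto-resize enabled                      = No

Tablespace name                            = TEMPSPACE1
  Tablespace ID                            = 1
EOF
}

# Without a live DB2 instance, run against the sample. On a database server use:
#   db2 get snapshot for tablespaces on itimdb | autoresize_not_enabled
sample_snapshot | autoresize_report
```

A table space reported as not-reported had no "Auto-resize enabled" line in its section and needs a manual look.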


Chapter 8. Post-upgrade Production Cutover


This chapter provides information on how to perform a post-upgrade production cutover. While you are performing the upgrade process and testing the new production system, the old production system should continue to capture changes made in production. The Tivoli Identity Manager upgrade does not provide a mechanism to capture these changes made from the old production system and port them to the upgraded system running Tivoli Identity Manager Version 5.1. However, Tivoli Identity Manager does provide the capability to capture current data from the old production system and import it to the new production environment without the need to install an entirely new Tivoli Identity Manager Version 5.1 environment.

The following data and settings are preserved from the new production system:
- WebSphere Application Server configuration settings, including performance tuning
- Tivoli Identity Manager configuration settings stored in property files

The following data and settings are not preserved from the new production system:
- All database server data
- All directory server data
- Any middleware tunings (such as those for DB2 Universal Database and IBM Tivoli Directory Server)

Overview of the production cutover process


The cutover of the production environment consists of the following steps:
1. Shut down WebSphere Application Server on the new production environment.
2. Prepare the following new production servers for data import:
   - directory server
   - database server (preparing data is not necessary for DB2 Universal Database or SQL Server)
3. Shut down WebSphere Application Server on the old production environment.
4. Capture the data from the following old production servers:
   - directory server
   - database server
5. Import the Tivoli Identity Manager directory data from the old production environment to the new environment.
6. Import the Tivoli Identity Manager database data from the old production environment to the new environment.
7. Run the LDAP upgrade tool to migrate directory server data to Tivoli Identity Manager Version 5.1.
8. Run the database upgrade tool to migrate database server data to Tivoli Identity Manager Version 5.1.
9. Start WebSphere Application Server on the new production environment.
10. Apply performance tunings to directory and database servers.

Shutting down WebSphere Application Server on the new production environment


To shut down WebSphere Application Server on the new production environment, run the following commands to stop the server:
- Windows
"WAS_PROFILE_HOME\bin\stopServer.bat" servername

- UNIX/Linux
WAS_PROFILE_HOME/bin/stopServer.sh servername

Note: If WebSphere administrative security is enabled, append the following flag to the end of the previous command:
-user WAS_username -password WAS_user_password

where WAS_username is the WebSphere Application Server administrative user name and WAS_user_password is the password for the administrative user.

Preparing the new production environment database server and directory server for data import
Before preparing the new production environment for database and directory server data import, ensure that you have first stopped WebSphere Application Server on the new production environment. Note: You do not need to prepare or reconfigure data for DB2 or SQL Server, because the process of restoring the database will overwrite any configuration.

Reconfiguring the IBM Tivoli Directory Server instance


To reconfigure the IBM Tivoli Directory Server instance, complete these steps:
1. Stop IBM Tivoli Directory Server by running the following command:
ibmslapd -I ldap_instance_name -k

2. Start the IBM Tivoli Directory Server Instance Administration Tool by running this command, which is located in the ITDS_HOME\sbin directory:
idsxinst

3. Use the Instance Administration Tool (idsxinst) to delete the current Tivoli Identity Manager LDAP instance. Additionally, choose to delete the database.
4. Run the Tivoli Identity Manager middleware configuration utility to create a new Tivoli Identity Manager LDAP instance. The instance name and passwords should be the same as the previously created instance. For more information on creating the LDAP instance, refer to Configuring IBM Tivoli Directory Server on the target directory server on page 15.

Note: If you do not want to destroy the LDAP instance and run the middleware configuration utility again, you can reconfigure the database using the idsxcfg command or the idsucfgdb and idscfgdb commands. Once you have reconfigured the database, the tunings that were applied to the LDAP instance by the middleware configuration utility will not be saved. You need to update the database with the tunings which are recommended in the IBM Tivoli Identity Manager Performance Tuning Guide and also install and configure the referential integrity plug-in.


Reconfiguring the Sun Enterprise Directory Server instance


To reconfigure the Sun Enterprise Directory Server instance, complete these steps:
1. Load the Sun Enterprise Directory Server console and log in as an administrator.
2. Select the migrated LDAP server and click Open to open the management console for the server.
3. Click the Configuration tab and expand the Data subtree.
4. Find the suffix that houses the current Tivoli Identity Manager data, right click on the suffix, and select Delete.
5. After the suffix is deleted, right click on the Data subtree and click New Suffix. Then recreate the same suffix as before.
6. Stop the LDAP server.

Reconfiguring the Oracle Database instance


To update Oracle data on the new production server, complete these steps:
1. Use the dbca command or other tools to remove the Tivoli Identity Manager database and instance that was created for the test environment.
2. When the database has been removed, create a new database with the same name by using the migration commands previously provided. For more information, refer to Migrating Oracle data on page 9.
3. Configure the Oracle database instance. The following enrole_admin.sql file helps to configure the new Oracle 10g database instance for the migration. Edit the file, replacing itimuserTag with your Tivoli Identity Manager Version 4.6 or 5.0 database user, such as enrole and replacing itimuserPwdtag with the Tivoli Identity Manager Version 4.6 or 5.0 database user password. The Tivoli Identity Manager upgrade will fail if the database user ID and password are not the same as the previous version.
CREATE TABLESPACE enrole_data
DATAFILE 'enrole1_data_001.dbf'
SIZE 64M
AUTOEXTEND ON
NEXT 64M
MAXSIZE unlimited
DEFAULT STORAGE (INITIAL 10M NEXT 1M PCTINCREASE 10)
PERMANENT
ONLINE
LOGGING;

CREATE TABLESPACE enrole_indexes
DATAFILE 'enrole1_idx_001.dbf'
SIZE 32M
AUTOEXTEND ON
NEXT 32M
MAXSIZE unlimited
DEFAULT STORAGE (INITIAL 10M NEXT 1M PCTINCREASE 10)
PERMANENT
ONLINE
LOGGING;

CREATE USER itimuserTag IDENTIFIED BY itimuserPwdtag
DEFAULT TABLESPACE enrole_data
QUOTA UNLIMITED ON enrole_data
QUOTA UNLIMITED ON enrole_indexes;

GRANT CREATE SESSION TO itimuserTag;
GRANT CREATE TABLE to itimuserTag;
GRANT CREATE ANY PROCEDURE to itimuserTag;
GRANT CREATE VIEW to itimuserTag;

4. Run the enrole_admin.sql file that you edited in the previous step using the sqlplus utility:
sqlplus system/system_pwd @path\enrole_admin.sql

where system_pwd is the password for the system user and path is the path of the file. Running this script file creates the required Tivoli Identity Manager table spaces and creates the database user (enrole) with required permissions.

Capturing and importing the contents of the Tivoli Identity Manager Version 4.6 or 5.0 production server data
Once you have completed preparing the new production server to import data, you should perform data capture and import as provided in the following sections:

- Complete these steps for IBM Tivoli Directory Server:
1. On the old production server, export the directory server data. For more information, refer to Preparing IBM Tivoli Directory Server data on the server running IBM Tivoli Directory Server for Tivoli Identity Manager Version 4.6 or 5.0 on page 15.
2. Copy the schema file V3.modifiedschema from the OLD_ITDS_HOME\etc directory of the IBM Tivoli Directory Server used by Tivoli Identity Manager Version 4.6 or 5.0 server to the NEW_ITDS_INSTANCE_HOME\etc directory of the IBM Tivoli Directory Server used by Tivoli Identity Manager Version 5.1 server.
3. Import the directory server data. For more information, refer to Importing IBM Tivoli Directory Server data on page 16.

- Complete these steps for Sun ONE Directory Server:
1. On the old production server, export the directory server data. For more information, refer to Exporting Sun directory server data on page 19.
2. Copy the 99user.ldif schema file from the path/slapd-serverID/config/schema directory to the Tivoli Identity Manager Version 5.1 directory server schema directory.
3. Stop the LDAP server.
4. Run the following command to import the data:
ldif2db -n instance_name -i ldif_output_file

where instance_name is the name of the old instance and ldif_output_file is the name of the file you exported from the previous version of Sun iPlanet Directory Server.

- Complete these steps for DB2 Universal Database:
1. Back up the DB2 Universal Database data. For more information, refer to Backing up DB2 Universal Database data on page 5.
2. Copy the contents of the Tivoli Identity Manager database backup directory to the target server, for example /46data/db2. Ensure that the database instance owner enrole that you created above has permission to read the target directory and files within.
3. Restore the database data. For more information, refer to Restoring DB2 Universal Database data on page 6.

- Complete these steps for Oracle Database:
1. Export the Oracle Database data. For more information, refer to Exporting Oracle data from the server for Tivoli Identity Manager Version 4.6 or 5.0 on page 9.
2. Enter the following command to import the Tivoli Identity Manager Version 4.6 or 5.0 exported data:
imp system/system_pwd file=path\itim46.dmp log=path\itim46exp.log fromuser=itim_username

where system_pwd is the password for the system user, path is the path of the file you copied (such as C:\46data\oracle or /opt/46data/oracle) and itim_username is the name of the Tivoli Identity Manager Version 4.6 database user, such as enrole.

- Complete these steps for Microsoft SQL Server:
1. Export the SQL Server database. For more information, see Backing up SQL Server data on page 13.
2. On the new production server database, right click on the database and select Tasks > Restore > Database.
3. In the Restore Database window under the General page, select the From device source for restore option, click the ellipsis (...) button and provide the Tivoli Identity Manager Version 4.6 database backup file name (itimdb.bak).
4. After adding the backup file to the list, select the check box to select the file and click on the Options page in the left pane.
5. On the Options page, select Overwrite the existing database option and click OK.
6. Configure SQL with the following user script:
sp_addlogin itimuserTag, itimuserPwdTag;
sp_adduser itimuserTag, itimuserTag, db_owner;
use master;
sp_grantdbaccess itimuserTag, itimuserTag;
sp_addrolemember [SqlJDBCXAUser], itimuserTag;
use itimdbTag;

Replace itimuserTag with your Tivoli Identity Manager Version 4.6 database user, for example enrole; replace itimuserPwdTag with the Tivoli Identity Manager Version 4.6 database user password; and replace itimdbTag with the database instance name.
7. Next configure SQL with the following user script:
sp_change_users_login 'Update_One', 'itimuserTag', 'itimuserTag'

Replace itimuserTag with your Tivoli Identity Manager Version 4.6 database user, for example enrole.
8. Restart SQL Server 2005.

Clearing the service integration bus


This section applies only if you are using DB2 or Microsoft SQL databases. For Separate Systems Upgrades from Tivoli Identity Manager 5.0 to Tivoli Identity Manager 5.1, it is necessary to clear out the Service Integration Bus (SIB) data from the restored database.
- For DB2 servers, see Clearing the service integration bus on page 7.
- For Microsoft SQL servers, see Clearing the service integration bus on page 14.


Running the ldapUpgrade and DBUpgrade commands to migrate directory and database data
After importing the directory and database data on the new production environment, run the ldapUpgrade and DBUpgrade utilities to upgrade imported data to the Tivoli Identity Manager Version 5.1 level. Depending on the size of the data pool, this process can take some time. To confirm the upgrade has completed, you can check the DBUpgrade.stdout and ldapUpgrade.stdout log files located in the NEW_ITIM_HOME\install_logs directory.

To upgrade LDAP, run the following command:
- Windows: NEW_ITIM_HOME\bin\ldapUpgrade
- UNIX/Linux: NEW_ITIM_HOME/bin/ldapUpgrade

To upgrade the database, run the following command:
- Windows: NEW_ITIM_HOME\bin\DBUpgrade
- UNIX/Linux: NEW_ITIM_HOME/bin/DBUpgrade

If you are running Tivoli Identity Manager in a cluster environment, the ldapUpgrade and DBUpgrade commands should be run on the system where the network deployment manager resides.

If Sun ONE Directory Server is used, you need to re-index the directory server. For more information, see Restarting and re-indexing Sun Enterprise Directory Server Version 6.3 on page 25.

Starting WebSphere Application Server


When you have completed running ldapUpgrade and DBUpgrade with the imported data, start WebSphere Application Server to complete the production cutover. To start WebSphere Application Server on the new production environment, run the following commands:
- Windows
"WAS_PROFILE_HOME\bin\startServer.bat" servername

- UNIX/Linux
WAS_PROFILE_HOME/bin/startServer.sh servername

New production environment post-cutover tasks


Once you have completed the production cutover, you need to complete some post-cutover tasks.

Restarting and re-indexing Sun Enterprise Directory Server Version 6.3


If you migrated data from Sun ONE Directory Server, after the Tivoli Identity Manager Version 5.1 configuration is completed, you must stop Tivoli Identity Manager, restart your directory server and then re-index, otherwise Tivoli Identity Manager cannot connect to the directory server after restart. To re-index Sun Enterprise Directory Server, complete these steps:
1. From the Sun Enterprise Directory Server console, click the Configuration tab.
2. Select the directory server, open the Data tree, click on the exported root suffix and select Reindex.
3. Select Check All and click OK.

Cleaning up the LDAP recycle bin


If the enrole.recyclebin.enable property from enRole.properties is set to false, ensure the recycle bin is empty in LDAP. If this property is set to false and the recycle bin contains deleted entries after the upgrade, the entries that were deleted in the previous version of Tivoli Identity Manager appear in the Tivoli Identity Manager Version 5.1 user interface when searching for entries. If this problem exists, you need to delete all the entries from the recycle bin in the LDAP server or set this property to true. For more information about emptying the recycle bin, refer to the IBM Tivoli Identity Manager Performance Tuning Guide.
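The property reviews called for here and under Preserving custom logos can be run as one post-cutover check. The script below is an added example, not part of the IBM guide; the function names are hypothetical, the file paths are passed as arguments because the guide does not give them, and the sample files it falls back to are constructed.

```shell
#!/bin/sh
# Added example: report the two properties this guide asks you to review after
# the upgrade. Usage: sh review.sh /path/to/enRole.properties /path/to/ui.properties

# prop_get FILE KEY: print KEY's value from a Java-style .properties file.
# Handles "key=value", "key = value", "key: value", comment lines (# or !),
# CRLF line endings, and repeated keys (the last one wins).
# Not handled: backslash line continuations and whitespace-only separators.
prop_get() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        /^[ \t]*$/    { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /[ \t]*[=:][ \t]*/)) next
            k = substr(line, 1, RSTART - 1)
            v = substr(line, RSTART + RLENGTH)
            sub(/[ \t\r]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val; exit(found ? 0 : 1) }
    ' "$1"
}

# recyclebin_status FILE: classify enrole.recyclebin.enable.
# The value is compared case-insensitively (an assumption about the product).
recyclebin_status() {
    [ -r "$1" ] || { echo "unreadable"; return 0; }
    value=$(prop_get "$1" enrole.recyclebin.enable) || { echo "unset"; return 0; }
    case $(printf '%s' "$value" | tr '[:upper:]' '[:lower:]') in
        true)  echo "enabled" ;;
        false) echo "disabled" ;;
        *)     echo "invalid:$value" ;;
    esac
}

# post_upgrade_review ENROLE_PROPS UI_PROPS: print what needs operator action.
post_upgrade_review() {
    status=$(recyclebin_status "$1")
    case $status in
        disabled) echo "recyclebin: disabled -> confirm the LDAP recycle bin is empty, or set the property to true" ;;
        enabled)  echo "recyclebin: enabled" ;;
        *)        echo "recyclebin: $status -> review $1" ;;
    esac
    if logo=$(prop_get "$2" enrole.ui.customerLogo.image 2>/dev/null); then
        echo "logo: $logo -> copy this image from the old location to the new location"
    else
        echo "logo: enrole.ui.customerLogo.image not set in $2"
    fi
}

if [ $# -eq 2 ]; then
    post_upgrade_review "$1" "$2"
else
    # Constructed sample files so the script can be tried without a server.
    demo=$(mktemp -d)
    printf '# constructed sample\r\nenrole.recyclebin.enable = False\r\n' > "$demo/enRole.properties"
    printf 'enrole.ui.customerLogo.image=custom_logo.gif\n' > "$demo/ui.properties"
    post_upgrade_review "$demo/enRole.properties" "$demo/ui.properties"
    rm -rf "$demo"
fi
```

A result of unset or invalid means the file gives no usable answer, so the script leaves the decision to the operator rather than assuming a default.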

Verifying the data migration after configuration


When you have completed the configuration, you should verify the data migration. For more information, see Verifying the installation on page 26.

Tuning performance
Once you have completed verifying the new system, you should apply performance tunings to confirm that the new system meets your performance requirements. For more information, see Tuning performance on page 26.


Appendix A. Post migration troubleshooting and known issues


This appendix provides information on known issues once the migration has completed and provides tips for troubleshooting.

Known issues for migrating to Tivoli Identity Manager Version 5.1


The following issues are known to occur after performing an upgrade to Tivoli Identity Manager Version 5.1:
- The "homepage" attribute remains on the Tivoli Identity Manager account form after the upgrade. This attribute has no meaning in Tivoli Identity Manager Version 5.1 and its presence has no adverse impact on the functioning of Tivoli Identity Manager. If you want to remove this attribute from the user interface, you can remove the field using the form designer. This issue occurs for Tivoli Identity Manager Version 4.6 upgrades.
- In Tivoli Identity Manager versions 4.6 and earlier, the eralias attribute was the default basis for the global adoption policy. After version 5.0 the global adoption policy is based on the UID attribute. If you are upgrading to Tivoli Identity Manager version 5.1 from version 4.6 or earlier, you need to preserve the existing adoption policy.
- Some default data specific to Tivoli Identity Manager Version 5.1 are not loaded at upgrade time. For example, default access control items (ACIs) are not loaded. This is done to prevent interference with ACIs from previous versions. This issue occurs for both Tivoli Identity Manager Version 4.6 and Version 5.0 upgrades.
- If services point to a file on the file system, such as an identity feed, it is important to copy the given file to the new Tivoli Identity Manager Version 5.1 server and update the service to point to the new file location on the Tivoli Identity Manager Version 5.1 server. This book only instructs you to copy over the contents of the OLD_ITIM_HOME directory.
- Before upgrade, ensure no reports are using the GetDN function on any attributes other than the provisioning policy attributes erPolicyMembership or erPolicyTarget. This database function is only intended for those two attributes. In Tivoli Identity Manager Version 5.1, the GetDN function is no longer needed and will not work for other attributes, and the report will be invalid and will not parse successfully. This issue extends to custom reports.
- You might encounter the following error restoring the DB2 Universal Database in Windows:
SQL2519N The database was restored but the restored database was not migrated to the current release. Error "-1704" with tokens "3" is returned.

If this issue occurs, run the following commands to correct the issue:
update db cfg for itimdb using LOGFILSIZ 1000
update db cfg for itimdb using LOGPRIMARY 30
update db cfg for itimdb using LOGSECOND 20
migrate db itimdb

where itimdb is the database name for Tivoli Identity Manager. For more information on this error, refer to the DB2 information center.
http://publib.boulder.ibm.com/infocenter/db2luw/v9/index.jsp
- Because of differences between FESI and the IBM JavaScript Engine, some of the JavaScript that you used in the previous version of Tivoli Identity Manager does not return anything after the upgrade, because the IBM JavaScript Engine requires an explicit return statement. For more information, see the IBM Tivoli Identity Manager Information Center.
- Some example classes from the extensions directory do not compile upon completion of the upgrade, due to changes in the class and package names.
- When installing in a clustered environment, the installation process might return the following message in the ITIM_HOME\install_logs\runConfig.stdout file:
WASX7017E: Exception received while running file "C:\Program Files\IBM\itim\config\was\setEVCluster.jacl"; exception information: com.ibm.websphere.management.exception.ConfigServiceException java.lang.reflect.UndeclaredThrowableException: java.lang.reflect.UndeclaredThrowableException

If this happens, verify that the WebSphere Application Server environment variables are defined correctly for the cluster member.
1. Verify that the NodeAgent and Deployment Manager are running.
2. Verify that the WebSphere Application Server nodes are synchronized.
3. Run the ITIM_HOME\bin\runConfig -install program for the cluster member.


Appendix B. Support information


If you have a problem with your IBM software, you want to resolve it quickly. This section describes the following options for obtaining support for IBM software products:
- Using IBM Support Assistant
- Obtaining fixes on page 38
- Receiving weekly support updates on page 38
- Contacting IBM Software Support on page 39

Using IBM Support Assistant


The IBM Support Assistant is a free, standalone application that you can install on any workstation. You can then enhance the application by installing product-specific plug-in modules for the IBM products you use. The IBM Support Assistant saves you time searching product, support, and educational resources. The IBM Support Assistant helps you gather support information when you need to open a problem management record (PMR), which you can then use to track the problem.

The product-specific plug-in modules provide you with the following resources:
- Support links
- Education links
- Ability to submit problem management reports

For more information, see the IBM Support Assistant Web site at http://www.ibm.com/software/support/isa/

To go directly to the product-specific URL for your product, see

If your product does not use IBM Support Assistant, use the links to support topics in your information center. In the navigation frame, check the links for resources listed in the ibm.com and related resources section where you can search the following resources:
- Support and assistance (includes search capability of IBM technotes and IBM downloads for interim fixes and workarounds)
- Training and certification
- IBM developerWorks
- IBM Redbooks
- General product information

If you cannot find the solution to your problem in the information center, search the following Internet resources for the latest information that might help you resolve your problem:
- Forums and newsgroups
- Google.com


Obtaining fixes
A product fix might be available to resolve your problem. To determine what fixes are available for your IBM software product, follow these steps:
1. Go to the IBM Software Support Web site at http://www.ibm.com/software/support.
2. Under Find product support, click All IBM software (A-Z). This opens the software product list.
3. In the software product list, find Tivoli Identity Manager and click Support. This opens the Tivoli Identity Manager support site.
4. Under Solve a problem, click APARs to go to a list of fixes, fix packs, and other service updates for Tivoli Identity Manager.
5. Click the name of a fix to read the description and optionally download the fix. You can also search for a specific fix; for tips on refining your search, click Search tips.
6. In the Downloads & drivers search section, select one software category from the Category list.
7. Select one product from the Sub-category list.
8. Type more search terms in the Search within Download if you want to refine your search.
9. Click Search.
10. From the list of downloads returned by your search, click the name of a fix to read the description of the fix and to optionally download the fix.

For more information about the types of fixes that are available, see the IBM Software Support Handbook at http://techsupport.services.ibm.com/guides/handbook.html.

Receiving weekly support updates


To receive weekly e-mail notifications about fixes and other software support news, follow these steps:
1. Go to the IBM Software Support Web site at http://www.ibm.com/software/support.
2. Click My support in the far upper-right corner of the page under Personalized support.
3. If you have already registered for My support, sign in and skip to the next step. If you have not registered, click register now. Complete the registration form using your e-mail address as your IBM ID and click Submit.
4. Click Edit profile.
5. In the Products list, select Software. A second list is displayed.
6. In the second list, select a product segment, for example, Systems management. A third list is displayed.
7. In the third list, select a product sub-segment, for example, Application Performance & Availability. A list of applicable products is displayed.
8. Select the products for which you want to receive updates.
9. Click Add products.
10. After selecting all products that are of interest to you, click Subscribe to email on the Edit profile tab.
11. Select Please send these documents by weekly email.
12. Update your e-mail address as needed.
13. In the Documents list, select Software.
14. Select the types of documents that you want to receive information about.
15. Click Update.

If you experience problems with the My support feature, you can obtain help in one of the following ways:
Online
   Send an e-mail message to [email protected], describing your problem.
By phone
   Call 1-800-IBM-4YOU (1-800-426-4968).

Contacting IBM Software Support


IBM Software Support provides assistance with product defects. Before contacting IBM Software Support, your company must have an active IBM software maintenance contract, and you must be authorized to submit problems to IBM. The type of software maintenance contract that you need depends on the type of product you have:

- For IBM distributed software products (including, but not limited to, Tivoli, Lotus, and Rational products, as well as DB2 and WebSphere products that run on Windows, or UNIX operating systems), enroll in Passport Advantage in one of the following ways:

  Online
    Go to the Passport Advantage Web site at http://www-306.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm .

  By phone
    For the phone number to call in your country, go to the IBM Software Support Web site at http://techsupport.services.ibm.com/guides/contacts.html and click the name of your geographic region.

- For customers with Subscription and Support (S & S) contracts, go to the Software Service Request Web site at https://techsupport.services.ibm.com/ssr/login.

- For customers with IBMLink, CATIA, Linux, OS/390, iSeries, pSeries, zSeries, and other support agreements, go to the IBM Support Line Web site at http://www.ibm.com/services/us/index.wss/so/its/a1000030/dt006.

- For IBM eServer software products (including, but not limited to, DB2 and WebSphere products that run in zSeries, pSeries, and iSeries environments), you can purchase a software maintenance agreement by working directly with an IBM sales representative or an IBM Business Partner. For more information about support for eServer software products, go to the IBM Technical Support Advantage Web site at http://www.ibm.com/servers/eserver/techsupport.html.

If you are not sure what type of software maintenance contract you need, call 1-800-IBMSERV (1-800-426-7378) in the United States. From other countries, go to the contacts page of the IBM Software Support Handbook on the Web at http://techsupport.services.ibm.com/guides/contacts.html and click the name of your geographic region for phone numbers of people who provide support for your location.

To contact IBM Software support, follow these steps:

1. Determining the business impact
2. Describing problems and gathering information
3. Submitting problems

Determining the business impact


When you report a problem to IBM, you are asked to supply a severity level. Therefore, you need to understand and assess the business impact of the problem that you are reporting. Use the following criteria:

Severity 1
  The problem has a critical business impact. You are unable to use the program, resulting in a critical impact on operations. This condition requires an immediate solution.

Severity 2
  The problem has a significant business impact. The program is usable, but it is severely limited.

Severity 3
  The problem has some business impact. The program is usable, but less significant features (not critical to operations) are unavailable.

Severity 4
  The problem has minimal business impact. The problem causes little impact on operations, or a reasonable circumvention to the problem was implemented.

Describing problems and gathering information


When describing a problem to IBM, be as specific as possible. Include all relevant background information so that IBM Software Support specialists can help you solve the problem efficiently. To save time, know the answers to these questions:

- What software versions were you running when the problem occurred?
- Do you have logs, traces, and messages that are related to the problem symptoms? IBM Software Support is likely to ask for this information.
- Can you recreate the problem? If so, what steps were performed to recreate the problem?
- Did you make any changes to the system? For example, did you make changes to the hardware, operating system, networking software, and so on.
- Are you currently using a workaround for the problem? If so, be prepared to explain the workaround when you report the problem.

Submitting problems
You can submit your problem to IBM Software Support in one of two ways:

Online
  Click Submit and track problems on the IBM Software Support site at http://www.ibm.com/software/support/probsub.html. Type your information into the appropriate problem submission form.

By phone
  For the phone number to call in your country, go to the contacts page of the IBM Software Support Handbook at http://techsupport.services.ibm.com/guides/contacts.html and click the name of your geographic region.

If the problem you submit is for a software defect or for missing or inaccurate documentation, IBM Software Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Software Support provides a workaround that you can implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the Software Support Web site daily, so that other users who experience the same problem can benefit from the same resolution.


Appendix C. Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Copyright IBM Corp. 2009


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.


Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.


Glossary

A

access. (1) The ability to read, update, delete, or otherwise use a resource. Access to protected resources is usually controlled by system software. (2) The ability to use data that is stored and protected on a computer system.

access control. In computer security, the process of ensuring that users can access only those resources of a computer system for which they are authorized.

access control list. In computer security, a list that is associated with a resource that identifies all the principals that can access the resource and the permissions for those principals. See also permission and principal.

access control item (ACI). Data that (a) identifies the permissions of principals and (b) is assigned to a resource.

account. An entity that contains a set of parameters that define the application-specific attributes of a principal, which include the identity, user profile, and credentials.

ACI target. The resource for which you define the access control items. For example, an ACI target can be a service.

activity. In a workflow, the smallest unit of work. When a request requires approval, information, or additional actions, the workflow for that request generates the appropriate activities that are presented in the appropriate users' to-do lists. See also workflow.

adapter. (1) A set of software components that communicate with an integration broker and with applications or technologies in order to perform tasks, such as executing application logic or exchanging data. (2) A transparent, intermediary software component that allows different software components with different interfaces to work together.

administrative domain. A logical collection of resources that is used to separate responsibilities and manage permissions. See also permission.

adopt. To assign an orphan account to the appropriate owner. See also orphan account.

adoption rules. The set of rules that determine which orphan accounts belong to which owners. See also orphan account.

agent. A process that manages target resources on behalf of a system such that the system can respond to requests.

aggregate message. A collection of notification messages that are combined into a single e-mail, along with optional user defined text.

alias. In identity management, an identity for a user, which might match the user ID. The alias can be used during reconciliation to determine who owns the account. A person can have several aliases, for example, GSmith, GWSmith, and SmithG.

application server. A server program in a distributed network that provides the execution environment for an application program.

application user administrator. A type of person who uses Tivoli Identity Manager to set up and administer (a) the services that are managed by Tivoli Identity Manager or (b) the Tivoli Identity Manager users of those services.

approval. A type of workflow activity that allows someone to approve or reject a request. See also workflow.

audit trail. A chronological record of events or transactions. You can use audit trails for examining or reconstructing a sequence of events or transactions, managing security, and for recovering lost transactions.

authentication. The process of verifying that an entity is the entity that it claims to be, often by verifying a user ID and password combination. Authentication does not identify the permissions that a person has in the system. See also authorization.

authorization. The process of granting a user, system, or process either complete or restricted access to an object, resource, or function. See also authentication.

authorization owner. A user who can manage access control items (ACIs) for a resource.

C

certificate. In computer security, a digital document that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority and is digitally signed by that authority. See also certificate authority.

Certificate Authority (CA). An organization that issues certificates. The CA authenticates the certificate owner's identity and the services that the owner is authorized to use, issues new certificates, renews existing certificates, and revokes certificates that belong to users who are no longer authorized to use them.

challenge-response authentication. An authentication method that requires users to respond to a prompt by providing information to verify their identity when they log in to the system. For example, when users forget their password, they are prompted (challenged) with a question to which they must provide an answer (response) in order to either receive a new password or receive a hint for specifying the correct password.

comma separated values (CSV) file. See CSV file.

Common Criteria. A standardized method, which is used by international governments, the United States federal government, and other organizations, for expressing security requirements in order to assess the security and assurance of technology products.

connector. A plug-in that is used to access and update data sources. A connector accesses the data and separates out the details of data manipulations and relationships. See also adapter.

credentials. Authentication information that is associated with a principal. See also authentication and principal.

CSV file. A common type of file that contains data that is separated by commas.

D

DAML. See Directory Access Markup Language.

data model. A description of the organization of data in a manner that reflects the information structure of an enterprise.

data warehouse. (1) A subject-oriented collection of data that is used to support strategic decision making. (2) A central repository for all or significant parts of the data that an organization's business systems collect.

delegate (noun). The user who is designated to approve requests or provide information for requests for another user.

delegate (verb). (1) To assign all or a subset of administrator privileges to a user, such that the user can perform all or a subset of administrator activities for a specific set of users. (2) To designate a user to approve requests or provide information for requests for another user.

delegate administrator. The user who has all or a subset of administrator privileges over a specific set of users.

delegate administration. The ability to apply all or a subset of administrator privileges to another user (the delegate administrator), such that the user can perform all or a subset of administrator activities for a specific set of the users.

deprovision. To remove a service or component. For example, to deprovision an account means to delete an account from a resource. See also provision.

digital certificate. An electronic document that is used to identify an individual, server, company, or some other entity, and to associate a public key with the entity. A digital certificate is issued by a certification authority and is digitally signed by that authority. See also Certificate Authority.

Directory Access Markup Language (DAML). An XML specification that extends the functions of Directory Services Markup Language (DSML) 1.0 in order to represent directory operations. In Tivoli Identity Manager, DAML is mainly used for server to agent communications. See also Directory Services Markup Language v2.0.

directory server. A server that can add, delete, change, or search directory information on behalf of a client.

Directory Services Markup Language v1.0 (DSMLv1). An XML implementation that describes the structure of data in a directory and the state of the directory. DSML can be used to locate data into a directory. DSMLv1 is an open standard defined by OASIS. See also Directory Services Markup Language v2.0.

Directory Services Markup Language v2.0 (DSMLv2). An XML implementation that describes the operations that a directory can perform (such as how to create, modify, and delete data) as well as the results of those operations. Whereas DSMLv1 can be used to describe the structure of data in a directory, DSMLv2 can be used to communicate with other products about that data. DSMLv2 is an open standard defined by OASIS. See also Directory Services Markup Language v1.0.

distinguished name (DN and dn). The name that uniquely identifies an entry in a directory. A distinguished name is made up of name-component pairs. For example:
cn=John Doe,o=My Organization,c=US

domain administrator. The owner of an administrative domain. See also administrative domain.

dynamic content tags. A set of XML tags (based on the XML Text Template Language (XTTL) schema) that enables the administrator to provide customized information in a message, notification, or report. See also XML Text Template Language.

dynamic organizational role. An organizational role that is assigned to a person by using an LDAP filter. When a user is added to the system and the LDAP filter parameters are met, the user is automatically added to the dynamic organizational role. See also organizational role.

E

entitlement. In security management, a data structure, service, or list of attributes that contains externalized security policy information.

entitlement workflow. A workflow that defines the business logic that is used when provisioning a policy. For example, an entitlement workflow is used to define approvals for managing accounts. See also workflow.

entity. An object about which you want to store information or manage. For example, a person and an account are both entities.

entity type. Categories of managed objects. See also entity.

escalation. The process that defines what happens and who acts when an activity was not completed in the specified amount of time.

escalation limit. The amount of time, for example, hours or days, that a participant has to respond to a request, before an escalation occurs. See also escalation.

event. The encapsulated data that is sent as a result of an occurrence, or situation, in the system.

F

failover. An automatic operation that switches to a redundant or standby system in the event of a software, hardware, or network interruption.

FESI. See Free EcmaScript Interpreter.

FESI extension. A Java extension that can be used to enhance JavaScript code and then be embedded within a FESI script.

Free EcmaScript Interpreter (FESI). An implementation of the EcmaScript scripting language, which is an ISO standard scripting language that is similar to the JavaScript scripting language.

G

group. A collection of Tivoli Identity Manager users.

H

help desk assistant. A person who uses Tivoli Identity Manager to assist users and managers with managing their accounts and passwords.

I

identity. The subset of profile data that uniquely represents a person or entity and that is stored in one or more repositories.

identity feed. The automated process of creating one or more identities from one or more common sources of identity data.

identity policy. The policy that defines the user ID to be used when creating an account for a user.

IIOP (Internet Inter-ORB Protocol). A protocol used for communication between Common Object Request Broker Architecture (CORBA) object request brokers.

ITIM group. A list of Tivoli Identity Manager accounts. Membership within an ITIM group determines the access to data within Tivoli Identity Manager.

ITIM user. A user who has a Tivoli Identity Manager account.

J

Java Database Connectivity. See JDBC.

JDBC (Java Database Connectivity). An industry standard for database-independent connectivity between the Java platform and a wide range of databases. The JDBC interface provides a call-level API for SQL-based and XQuery-based database access.

join directive. The set of rules that define how to handle attributes when two or more provisioning policies are applied. Two or more policies might have overlapping scope, so the join directive specifies what actions to take when this overlap occurs.

L

LDAP (Lightweight Directory Access Protocol). An open protocol that uses TCP/IP to provide access to directories that support an X.500 model and that does not incur the resource requirements of the more complex X.500 Directory Access Protocol (DAP). For example, LDAP can be used to locate people, organizations, and other resources in an Internet or intranet directory.

LDAP Data Interchange Format. See LDIF.

LDAP directory. A type of repository that stores information on people, organizations, and other resources and that is accessed using the LDAP protocol. The entries in the repository are organized into a hierarchical structure, and in some cases the hierarchical structure reflects the structure or geography of an organization.

LDAP filter. A search filter that narrows the results from an LDAP search.

LDIF (LDAP Data Interchange Format). A file format that is used to describe directory information as well as changes that need to be applied to a directory, such that directory information can be exchanged between directory servers that are using LDAP.

life cycle. Passage or transformation through different stages over time. For example markets, brands and offerings have life cycles.

life cycle rules. A set of rules in a policy that determine which operations to use when automatically handling commonly occurring events, such as suspending an account that has been inactive for a period of time.

Lightweight Directory Access Protocol. See LDAP.

location. An entity that is a subdivision of an organization, usually based on geographical area.

M

mail. A type of workflow activity that sends a notification to one or more users about a request.

managed resource. An entity that exists in the runtime environment of an IT system and that can be managed.

manager. A type of person who uses Tivoli Identity Manager to manage their own accounts and passwords or the accounts and passwords of those people that they supervise.

manual service. A type of service that requires manual intervention by the service owner to complete the provisioning request.

N

namespace. (1) The set of unique names that a service recognizes. (2) Space reserved by a file system to contain the names of its objects.

nested group. A group that is contained within another group. See also group.

notification. A message that is sent to users or systems that indicates that a change was made that might be of interest to the receiver.

O

object class. (1) The specific type of object, or subcategory of classes, that an access control item can protect. For example, if the protection category is account, then the object class can be the type of account, such as an LDAP user account. See also protection category. (2) An entity that defines the schema for a service or an account.

operation. A specific action (such as add, multiply, or shift) that the computer performs when requested.

operational workflow. A workflow that defines the lifecycle process for accounts, persons, and other entities. See also workflow.

organization. A hierarchical arrangement of organizational units, such that each user is included once and only once. See also organizational unit.

organization tree. A hierarchical structure of an organization that provides a logical place to create, access, and store organizational information.

organizational container. An organization, organizational unit, location, business partner unit, or administration domain.

organizational role. In identity management, a list of account owners that is used to determine which entitlements are provisioned to them. See also dynamic organizational role and static organizational role.

organizational unit. A type of organizational container that represents a department or similar grouping of people.

orphan account. On a managed resource, an account whose owner cannot be automatically determined by the provisioning system.

P

participant. In identity management, an individual, a role, a group, or a JavaScript script that has the authority to respond to a request that is part of a workflow. See also workflow.

password. In computer and network security, a specific string of characters that is used by a program, computer operator, or user to access the system and the information stored within it.

password retrieval. In identity management, the method of retrieving a new or changed password by accessing a designated Web site and specifying a shared secret. See also shared secret.

password strength rules. The set of rules that a password must conform to, such as the length of the password and the type of characters that are allowed (or not allowed) in the password.

password policy. A policy that defines the password strength rules. A password strength policy is applied whenever a password is set or modified. See also password strength rules.

password synchronization. The process of coordinating passwords across services and systems such that only a single password is needed to access those multiple services and systems.

permission. Authorization to perform activities, such as reading and writing local files, creating network connections, and loading native code.

person. An individual in the system that has a person record in one or more corporate directories.

personal profile. The data that describes a user within the system, such as the user name, password, contact information, and so on.

plug-in. A software module that adds function to an existing program or application.

policy. A set of considerations that influence the behavior of a managed resource or a user.

post office. A component that collects notifications from the appropriate workflow activities and distributes those notifications to the appropriate workflow participants.

principal. (1) A person or group that has been granted permissions. (2) An entity that can communicate securely with another entity.

privilege. See permission.

profile. Data that describes the characteristics of a user, group, resource, program, device, or remote location.

protection category. The category of classes that an access control item can protect. For example, accounts or persons. See also object class.

provision. (1) In identity management, to set up and maintain the access of a user to a system. (2) In identity management, to create an account on a managed resource.

provisioning. In identity management, the process of providing, deploying, and tracking a service or component.

provisioning policy. A policy that defines the access to various managed resources, such as applications or operating systems. Access is granted to all users, users with a specific role, or users who are not members of a specific role.

R

recertification. The process of validating and possibly updating your credentials with a system, usually after a specified time interval.

recertification policy. A policy that defines the life cycle rule for automatically validating accounts and users in the provisioning system after a certain period of time. See also life cycle rules.

reconciliation. The process of synchronizing data in a central data repository with data on a managed resource.

registration. The process of accessing a system and requesting an account on that system.

registry. A repository that contains access and configuration information for users, systems, and software.

relationship. A defined association between two or more data entities, which is used when defining a Free EcmaScript Interpreter (FESI) extension or when customizing the graphical user interface.

relevant data. The data that is used to complete a workflow activity in a workflow operation at runtime. See also workflow.

repository. A persistent storage area for data and other application resources. Common types of repositories are databases, directories, and file systems.

request. The item that initiates a workflow and instigates the various activities of a workflow. See also workflow.

request for information (RFI). A workflow activity that requests additional information from the specified participant. See also workflow.

resource. A hardware, software, or data entity. See also managed resource.

restore. To activate an account that was suspended.

rights. See permission.

rule. A set of conditional statements that enable computer systems to identify relationships and issue automated responses accordingly.

S

schema. The fields and rules in a repository that comprise a profile. See also profile.

scope. In identity management, the set of entities that a policy or an access control item (ACI) can affect.

Secure Sockets Layer (SSL). A security protocol that provides communication privacy. With SSL, client/server applications can communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery.

security. The protection of data, system operations, and devices from accidental or intentional ruin, damage, or exposure.

security administrator. A type of person who sets up and administers Tivoli Identity Manager for users, managers, help desk assistants, and application user administrators.

self-registration. See registration.

service. A representation of a managed resource, application, database, or system.

service owner. An individual who uses Tivoli Identity Manager to set up and administer the accounts on the services that are managed by Tivoli Identity Manager. See also service.

service selection policy. A policy that determines which service to use in a provisioning policy. See also provisioning policy.

service type. A category of related services that share the same schemas. See also service.

shared secret. An encrypted value that is used to retrieve the initial password of a user. This value is defined when the personal information for the user is initially loaded into the system.

single sign-on (SSO). The ability of a user to log on once and access multiple applications without having to log on to each application separately.

static organizational role. An organizational role that is manually assigned to a person. See also organizational role.

supervisor. A role that identifies the person who supervises another set of users and who is often responsible for approving or rejecting requests that are made by those users.

suspend. To deactivate an account so that the account owner cannot access the service.

system administrator. An individual who is responsible for the configuration, administration, and maintenance of Tivoli Identity Manager.

T

tenant. In a hosted service environment, a virtual enterprise instance of an application. Each tenant can share directory servers or relational databases while remaining completely separate service instances.

to-do list. A collection of outstanding activities. See also activity.

topic. The subject of a notification message, which allows messages to be grouped together based on the same task.

transition. A connection between two workflow elements. See also workflow.

U

universally unique identifier (UUID). The 128-bit numerical identifier that is used to ensure that two entities do not have the same identifier. The identifier is unique for all space and time.

user. (1) Any individual, organization, process, device, program, protocol, or system that uses the services of a computing system. (2) The individual who uses Tivoli Identity Manager to manage their accounts and passwords.

V

view. A collection of various graphical user interfaces for a product that represent the set of tasks that a particular type of user is allowed to perform. Administrators can customize views to contain different collections of graphical user interfaces.

W

workflow. The sequence of activities performed in accordance with the business processes of an enterprise. See also activity.

work order. A workflow activity that requires a participant to perform an activity outside of the scope of the system. See also workflow.

X

XML Text Template Language (XTTL). An XML schema that provides a means for representing dynamic content within a message, notification, or report. The XML tags are also called dynamic content tags. See also dynamic content tags.


Program Number: 5724C34

Printed in USA

GC27-2412-01
