Tivoli Access Manager for Enterprise Single Sign-On Training Handout: Installation


Introduction

 

This lab guide walks you through the setup of the TAM E-SSO Provisioning Adapter with IBM Tivoli Identity Manager Express 4.6 on a Windows 2003 Server system. Once you complete the steps outlined in this lab guide, you'll have a fully functional environment which you can use to demonstrate the capabilities of TAM E-SSO and ITIMx.

 

The lab is presented in three sections. In Part 1, you will install and configure TAM E-SSO to use Microsoft ADAM as the repository for user credentials and configuration information.

 

Active Directory Application Mode (ADAM) is a part of Microsoft’s integrated directory services available with Windows Server 2003, and is built specifically to address directory-enabled application scenarios. ADAM runs as a non-operating-system service, and, as such, it does not require deployment on a domain controller.

 

In Part 2 of the lab, you will install the TAM E-SSO Provisioning Adapter (future addition).

 

Finally, in Part 3 and Part 4 of the lab you will configure the provisioning adapter to integrate with ITIM Express 4.6. Then you will work through a demo scenario that shows the integration of the two products and the value it provides to customers looking to deploy an Identity Management and Desktop Single Sign-On solution. (future addition)

PART ONE _______________________________________________________

 

Installing Microsoft Active Directory Application Mode Service

 

You are starting with a VMware image that is running Windows 2003 Server, FP 1.  On this server, Identity Manager Express has already been installed. Details of this server are:

 

Hostname: ITIMServer

Administrator Name: Administrator

Password: tivoli

Domain: ondemandinc.com

ITIMx URL: http://itimserver/itim/identity

Home Page: http://itimserver:81/homepage.html (running IBM HTTP server)

 

All installation files are located in the directory C:\Studentfiles\Install.

 

If it is not running, start the ITIMServer VMware image. Log into the server as Administrator.

Installing ADAM

 

Microsoft recommends that ADAM instances should not be installed on domain controllers. ITIMServer is a stand-alone Windows 2003 Server.

 

1.      Navigate to the C:\Studentfiles\Install\ADAM directory and launch the program ADAMSP1_x86_English.exe

 

Note:  ADAM is available as a free download from Microsoft’s download site. It is also part of Windows 2003 Server R2 and can be installed by accessing Windows Control Panel -> Add/Remove Programs.

2.      The installation program begins. Click Next> to continue.

3.      Accept the License Agreement. Click Next> to continue.

4.      The installation program progresses…

5.      Click Finish to complete the installation.

The ADAM program group has now been added to your system. You will now create an ADAM instance that will be used by TAMES.

6.      Click on Programs -> ADAM -> Create an ADAM instance.

7.      The setup wizard starts. Click Next > to continue.   

8.      Select the radio button for creating a unique instance.  Click Next > to continue.   

9.      Provide an instance name. Use TAMES as the instance name. Click Next > to continue.

10.  The first available ports are selected as the defaults. Port 50001 is selected as we have an instance of LDAP listening on port 389 already. The SSL port will not be used for this lab. Click Next > to continue.

11.  You will create an application directory partition for the SSO data. Name the partition OU=SSOPartition,dc=ondemandinc,dc=com. Click Next > to continue.

12.  Use the defaults for the location of the data files and the recovery files. Click Next > to continue.

13.  Accept the default for using the Network service account to perform ADAM operations. Click Next > to continue.

 

The following pop-up will appear.

14.  Click Yes to continue as we will not be using replication with other ADAM instances in this lab.

15.  Accept the default to use the currently logged on user for ADAM administration. Click Next > to continue.

16.  You do not need to import any LDIF information so click Next > to continue.

17.  Click Next > to complete the instance installation.

18.  Click Finish to complete the installation.

 

Configuring the ADAM Instance

 

First we will create two Windows groups that will be used in this lab for the SSO configuration. 

 

 

1.      Click on the shortcut on your desktop to launch the Users and Groups MMC plugin.

2.      Right click on Groups container and select New Group…

3.      Create two new groups, SSO Admins and SSO Users. Any user that is going to use TAM E-SSO will need to be a member of the SSO Users Windows group.

4.      At this time, also add the Administrator account to the SSO Users group, so you will be able to use this account as an end-user account to test with. Right click on the Administrator user account to display the properties for the user. Then add SSO Users on the Member Of tab.

5.      You are ready to move on to the next task, customizing ADAM. Close the User and Group management window.

ADAM can be managed using the ADAM ADSI Editor.  Next you will create a connection to your ADAM instance.

6.      Start the ADAM ADSI editor by selecting Programs => ADAM => ADAM ADSI Edit

7.      Right click on the ADAM ADSI Edit container and select Connect to…

8.      Complete the Connection Settings window as follows:

Connection Name: TAMES ADAM

Server Name: itimserver

Port: 50001

Naming context: Configuration

Credentials: the account of the currently logged on user

Then, click OK to continue.

9.      Expand the containers so your window looks like the above. Click on the CN=Partitions container. Notice the container we specified when we created the ADAM instance; it is the first entry in the list. Right click on the OU=SSOPartition entry.

 

 

10.  Select New Connection to Naming Context.

11.  Expand the new container entry created. Your window should now look like this.

Next you will specify the rights available within the ADAM instance to the Windows groups you just created, SSO Admins and SSO Users.

12.  Click on CN=Roles in the upper part of the tree.

13.  Right click on the CN=Administrators group and bring up the Properties window.

14.  Select the member attribute then click the Edit button.

15.  Next click the Add Windows Account button.

16.  Click the OK button.

Your results should look like this.

17.  Click OK on this window and on the next window to return to the ADSI Edit window.

Still in the top part of the ADAM ADSI Edit tree, you will add the SSO Users group to both the CN=Readers and CN=Users groups. Follow the steps you just did for the SSO Admins group.

18.   Click on CN=Readers in the CN=Roles container in the top part of the tree. Double-click to bring up the properties page. Select the member attribute, then click the Edit button.

19.  Click on the Add Windows account button. Add the SSO Users group to this attribute.

20.  Your window should look like the above. Click OK to close the window. Click OK again to close the Properties window.

21.  Click on the role CN=Users. Add the group SSO Users to the member attribute as done in the previous step.

22.  Now click on the CN=Roles container in the bottom portion of the tree.

 

Complete the following:

 

  1. Add SSO Admins group to CN=Administrators group membership.
  2. Add SSO Users group to CN=Readers group membership.
  3. Add SSO Users group to CN=Users group membership.

 

This completes the configuration of ADAM using the ADAM ADSI Editor. You can close the application.
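As a check on the role memberships configured in the steps above (this is an added example, not part of the original lab guide), the following Python script parses a constructed, simplified LDIF dump of a CN=Roles container and reports where the mapping of the SSO Admins and SSO Users groups to the ADAM roles deviates from what the lab expects. It assumes members are listed by display name; a real ldifde export would contain foreign-security-principal DNs instead.

```python
from collections import defaultdict

# Windows group -> ADAM roles it must hold, per the lab's ADSI Edit steps.
EXPECTED = {"SSO Admins": {"Administrators"}, "SSO Users": {"Readers", "Users"}}
# Only the SSO Admins group and the account chosen for ADAM administration
# when the instance was created (Administrator) may hold the Administrators role.
ALLOWED_ADMINS = {"SSO Admins", "Administrator"}

def parse_roles(ldif_text):
    """Return {role CN: set of member names} from an LDIF dump of CN=Roles.
    Assumption: members appear as 'MACHINE\\Name' display names, as ADSI Edit
    shows them; a real ldifde export lists foreign-security-principal DNs."""
    roles, current = defaultdict(set), None
    for line in ldif_text.splitlines():
        if line.startswith("dn: CN="):
            current = line[len("dn: CN="):].split(",", 1)[0]
            roles[current]  # register the role even if it has no members
        elif line.startswith("member: ") and current:
            roles[current].add(line[len("member: "):].split("\\")[-1])
    return dict(roles)

def audit(roles, context):
    """List deviations from the lab's mapping; an empty list means it matches."""
    findings = []
    for group, wanted in EXPECTED.items():
        for role in sorted(wanted):
            if group not in roles.get(role, set()):
                findings.append(f"{context}: {group} is not in CN={role}")
    for extra in sorted(roles.get("Administrators", set()) - ALLOWED_ADMINS):
        findings.append(f"{context}: unexpected Administrators member {extra}")
    return findings

# Constructed dump (not a real export) of the application partition's roles:
# a stray Guest account in Administrators and SSO Users missing from Users.
PARTITION_ROLES = """\
dn: CN=Administrators,CN=Roles,OU=SSOPartition,DC=ondemandinc,DC=com
member: ITIMSERVER\\Administrator
member: ITIMSERVER\\SSO Admins
member: ITIMSERVER\\Guest

dn: CN=Readers,CN=Roles,OU=SSOPartition,DC=ondemandinc,DC=com
member: ITIMSERVER\\SSO Users

dn: CN=Users,CN=Roles,OU=SSOPartition,DC=ondemandinc,DC=com
"""

if __name__ == "__main__":
    # Run the same audit over a dump of the Configuration naming context too.
    print("\n".join(audit(parse_roles(PARTITION_ROLES), "SSOPartition")))
```

The same audit applies to the CN=Roles container of the Configuration naming context, which the lab configures first.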

 

The installation and configuration of ADAM is now complete. So far you have created an ADAM instance and container for TAM-ESSO to store information. All of the TAM-ESSO data will be stored inside the ADAM directory just created. You are now going to install the TAM-ESSO application.

_______________________________________________________

 

Installing and Configuring TAM E-SSO

Now that the repository is created that will store the TAM E-SSO data, the following tasks must be completed to build our demonstration environment:

 

•      Install the TAM ESSO Console

•      Configure the TAM ESSO Console to use the ADAM repository

•      Install the TAM ESSO Client

•      Configure the ADAM Synchronizer

•      Run the First Time Setup for the Client

•      Verify the communications between the client and the repository.

 

This section provides you with step by step instructions to complete each of these tasks.

Installing the TAM E-SSO Administrative Console

1.      Navigate to the directory c:\Studentfiles\Install\TAMES.

2.      Launch the program IBM Tivoli Access Manager for Enterprise Single Sign-On Admin Console.exe

3.      Choose your language and click OK

4.      Click Next to continue…

5.      Accept the license agreement and click Next to continue…

6.      Select Complete and click Next to continue…

7.      Then click the Install button.

8.      Click Finish to complete the installation.

Configuring the TAM E-SSO Console to Use the ADAM Repository

This task will prepare the ADAM repository to properly store the TAM E-SSO data. The steps in this section will add the attributes and object classes needed for TAM E-SSO.

 

1.      Start the TAM E-SSO Console.

Start → Programs → IBM TAM E-SSO → TAM E-SSO Console

2.      Click on Repository  → Extend Schema

3.      Complete the connection details as follows:

 

Server Name: itimserver

Repository Type: Microsoft ADAM

Port: 50001

De-select the checkbox for SSL; we will NOT use SSL for our demo.

Username: Administrator

Password: tivoli

Then click OK to continue…

 

The task should complete with the status SUCCESSFUL.

 

4.      Click Close to continue …

5.      Click on Repository at the bottom of the left pane and then the Click here to connect link.

6.      Complete the connection details, then click OK.

7.      In the right pane on the screen, navigate to the OU=SSOPartition,DC=ondemandinc,DC=com object. Right click on the object and select Configure E-SSO Support.

8.      Choose Administrative Console button, then choose Standard mode. Click Next to continue…

9.      Take the default, Do Not send apps, and click Next to continue. Then click Finish.

 

 

The result will be that the OU=People container will be created under the OU=SSOPartition,DC=ondemandinc,DC=com container. The OU=People container will be where our users store their username/password credentials.

 

Note: to view the containers, make sure that both the Show User Credential Containers and the Show Users items are checked under the Repository menu as shown above.

10.  Click on the container OU=SSOPartition,DC=ondemandinc,DC=com to highlight it. Right click on the container and select New Container from the drop down menu.

11.  Create a container named SSOConfig. This is where the TAM ESSO application templates will be stored.  Click OK to create the container.

You now have two containers created to store the TAM ESSO data. Next you will install the TAM ESSO Client and configure synchronization. You can minimize the TAM ESSO console while you perform the steps in the next section.

Installing the TAMESSO Client

Next you will install the TAM ESSO client which will communicate with the ADAM repository. You need to do a custom installation to make sure the ADAM synchronizer gets selected.

 

Navigate to the c:\Studentfiles\Install\TAMES directory.

1.      Launch the program IBM Tivoli Access Manager for Enterprise Single Sign-Onv5.0MLE.exe and complete the following installation steps: select the language, click Next to continue, then accept the license.

2.      Select a Custom installation. This is required to select the correct synchronizer.

3.      Expand the Logon Methods folder. Make sure Windows Logon is selected.

4.      Next, expand the Extensions folder and then the Synchronization Manager folder. Select the ADAM Synchronizer menu and select This feature will be installed on the local hard drive from the list. This changes the feature's icon and installs the ADAM synchronizer.

 

Click Next to continue with the installation.

Click the Install button to start the installation.

Click Finish to complete the installation.

Configure the ADAM Synchronizer

 

In this section you will configure the Global Agent settings for the ADAM synchronizer with the connection parameters to our ADAM directory.

 

Return to the TAM ESSO Administration Console. You will need to close and restart the console to pick up the new registry information.

 

 

1.      Click on the object Global Agent Settings.

2.      Right click and, from the menu, select Import → From Live HKLM. This loads the local machine's relevant registry settings into the SSO Admin console. The next step is to configure the Global Agent/Registry settings using the SSO Administrative Console.

3.      Expand the Global Agent Settings Live keys and expand Synchronization as shown above.

 

There are three (3) things that you need to have configured at a minimum to allow the agent to properly communicate with the ADAM instance:

 

4.      Click on Synchronization to display the Synchronization properties. Enable role/group security (select the check box) and select Use role/group security from the list.

 

Next, select Required under the ADAMSyncExt object.

 

Next, you need to specify the server where the ADAM directory is running.

5.      Click on the check box for Servers and then click on the icon beside it to get the input popup window. In the window, type the server name and the port number that ADAM is listening on. Enter itimserver:50001 in the input box and click OK to continue.

6.      Next, select Tools → Write Global Agent Settings to HKLM to save the configuration.

 

Next you will test that the synchronization is working and users are able to write their credentials to the ADAM repository.

 

You will now go through the first time SSO Adapter setup.

1.      Select Programs → IBM TAM E-SSO → TAM E-SSO. This will start the First Time User Setup Wizard.

Click Next to continue...

Click Next to continue again...

 

2.      Windows Logon is the default primary logon authentication method. Click Next to continue.

3.      Enter the Administrator's password, which is tivoli.

4.      Click Finish to complete the client setup.

Now return to the TAM ESSO Console. Let's verify that the user's credentials were written to the ADAM repository in the containers created earlier.

5.      Connect to the repository.

6.      Expand the ou=SSOConfig,DC=ondemandinc,DC=com container, then the OU=People container