Access Manager JRTE configuration for ITIM TAM Combo Adapter

Question & Answer

Question

Installation of the ITIM TAM Combo Adapter requires the installation of the TAM Java Run Time component (JRTE). The install manual does not provide tips or configuration info for the TAM JRTE installation.

Answer

The TAM Combo Adapter installation works best if IBM Tivoli Directory Integrator (ITDI) is installed before the TAM JRTE is installed. This way, the TAM JRTE can be installed directly into the Java runtime that ships with ITDI. When installing the TAM JRTE (via the "pdjrtecfg" configuration utility), specify $ITDI-HOME/jvm/jre as the Java component into which it will be installed. The PD.jar part of the TAM JRTE component must end up in the $ITDI-HOME/jvm/jre/lib/ext directory for the TAM Combo Adapter to work properly, because of the way ITDI handles Java classpaths.

Additionally, the TAM JRTE SvrSslCfg command must be executed on the machine where ITDI and the TAM Combo Adapter are being installed, in order to create the "TAM Config File" that is required in the "TAM Setup" section of the service defined in the ITIM UI for the TAM Combo Adapter. This "TAM Config File" defines secure communication between Tivoli Directory Integrator and the Tivoli Access Manager policy server and authorization server, and allows Tivoli Directory Integrator to become an authorized Tivoli Access Manager Java application.

An example of the SvrSslCfg command: from the $ITDI-HOME/jvm/jre/bin directory, enter the following command (as one line):
    <ITDI-HOME>/jvm/jre/bin/java com.tivoli.pd.jcfg.SvrSslCfg
      -action config
      -admin_id sec_master
      -admin_pwd SEC_MASTER_PASSWORD
      -appsvr_id itdi_tam
      -port 1234
      -mode remote
      -policysvr amserver.example.com:7135:1
      -authzsvr amserver.example.com:7136:1
      -cfg_file /opt/IBM/TDI/V6.1.1/timsol/tam.conf
      -key_file /opt/IBM/TDI/V6.1.1/timsol/tam.ks

To use the new Registry Direct API reconciliation method for Tivoli Access Manager 6.1.1 or later, use the following command instead (enter as one line):

    <ITDI-HOME>/jvm/jre/bin/java com.tivoli.pd.jcfg.SvrSslCfg
      -action config
      -admin_id sec_master
      -admin_pwd SEC_MASTER_PASSWORD
      -appsvr_id itdi_tam
      -port 1234
      -mode remote
      -policysvr amserver.example.com:7135:1
      -authzsvr amserver.example.com:7136:1
      -cfg_file /opt/IBM/TDI/V6.1.1/timsol/tam.conf
      -key_file /opt/IBM/TDI/V6.1.1/timsol/tam.ks
      -ldap_mgmt true
      -ldap_svrs ldapserver:389:readwrite:5
      -ldap_ssl_enable false
      -ldap.ssl-truststore <truststore>                 (only if -ldap_ssl_enable is set to true)
      -ldap.ssl-truststore-pwd <truststore password>    (only if -ldap_ssl_enable is set to true)
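
The following shell script is an added example, not part of this IBM document or the adapter's own tooling. It wraps the steps above: it checks that the TAM JRTE really landed in the ITDI JVM (PD.jar under jvm/jre/lib/ext, as required above), assembles the SvrSslCfg argument list in either of the two forms shown, and afterwards verifies that the key file SvrSslCfg produced is not group- or world-readable, since it holds the key material created for the application. The ITDI_HOME argument, the TAM_ADMIN_PWD environment variable, DRY_RUN and the function names are this example's own assumptions; the host names, IDs and paths are the placeholders used on this page. Reading the password from the environment keeps it out of shell history, but SvrSslCfg still receives it as a command-line argument, so it remains visible in the process list while the command runs.

```shell
#!/bin/sh
# Added example (not from the IBM document): pre-flight and post-configuration
# checks around "install the TAM JRTE into the ITDI JVM, then run SvrSslCfg".
# Hypothetical assumptions: ITDI_HOME is the ITDI install root; TAM_ADMIN_PWD
# carries the sec_master password; DRY_RUN=1 prints the command instead of
# running it. Host names, IDs and paths are the page's placeholders.

# The adapter only works if PD.jar sits on the ITDI JVM's extension path,
# so verify that layout before configuring anything. Returns 0 when it does.
check_jrte_layout() {
    itdi_home=$1
    if [ ! -x "$itdi_home/jvm/jre/bin/java" ]; then
        echo "no ITDI JVM found at $itdi_home/jvm/jre/bin/java" >&2
        return 1
    fi
    if [ ! -f "$itdi_home/jvm/jre/lib/ext/PD.jar" ]; then
        echo "PD.jar is not in $itdi_home/jvm/jre/lib/ext: pdjrtecfg was pointed at another JVM" >&2
        return 1
    fi
    return 0
}

# Build the SvrSslCfg argument list. The Registry Direct (LDAP) options are
# appended only when a server list is supplied, mirroring the two forms above.
svrsslcfg_args() {
    policysvr=$1 authzsvr=$2 cfg_file=$3 key_file=$4 ldap_svrs=$5
    args="-action config -admin_id sec_master -admin_pwd ${TAM_ADMIN_PWD:?set TAM_ADMIN_PWD first}"
    args="$args -appsvr_id itdi_tam -port 1234 -mode remote"
    args="$args -policysvr $policysvr -authzsvr $authzsvr -cfg_file $cfg_file -key_file $key_file"
    if [ -n "$ldap_svrs" ]; then
        args="$args -ldap_mgmt true -ldap_svrs $ldap_svrs -ldap_ssl_enable false"
    fi
    echo "$args"
}

# Run SvrSslCfg with the ITDI JVM (prints the full command when DRY_RUN=1).
run_svrsslcfg() {
    itdi_home=$1; shift
    check_jrte_layout "$itdi_home" || return 1
    args=$(svrsslcfg_args "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$itdi_home/jvm/jre/bin/java com.tivoli.pd.jcfg.SvrSslCfg $args"
        return 0
    fi
    # Word splitting of $args into separate arguments is intended here.
    "$itdi_home/jvm/jre/bin/java" com.tivoli.pd.jcfg.SvrSslCfg $args
}

# The key file created by SvrSslCfg must exist and must not be readable by
# group or others. Returns 0 when both conditions hold.
check_private_file() {
    f=$1
    [ -f "$f" ] || { echo "$f was not created" >&2; return 1; }
    if [ -n "$(find "$f" \( -perm -004 -o -perm -040 \) -print)" ]; then
        echo "$f is group/world readable; run: chmod 600 $f" >&2
        return 1
    fi
    return 0
}

# Usage (placeholder values from the page):
#   TAM_ADMIN_PWD=... DRY_RUN=1 run_svrsslcfg /opt/IBM/TDI/V6.1.1 \
#       amserver.example.com:7135:1 amserver.example.com:7136:1 \
#       /opt/IBM/TDI/V6.1.1/timsol/tam.conf /opt/IBM/TDI/V6.1.1/timsol/tam.ks \
#       ldapserver:389:readwrite:5
#   check_private_file /opt/IBM/TDI/V6.1.1/timsol/tam.ks
```

Omit the last argument to get the first (non-Registry Direct) form of the command; run the permission check against both tam.conf and tam.ks once SvrSslCfg has finished.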

For complete information on the SvrSslCfg utility, refer to the Tivoli Access Manager Authorization Java Classes Developer Reference (specifically Appendix A).

Note: When setting up LDAP SSL access and encountering issues, a couple of things can be done to help debug the problem:

1. Use idsldapsearch to test the LDAP SSL connection with the keystore that is being used:

    idsldapsearch -h <host> -p 636 -D cn=root -w <password> -b ou=<tenant>,<suffix> -s one -K <keystore> -P <keystore password> "(objectclass=*)"

2. Enable javax.net.debug=ssl debugging:
    • In <ITDI-HOME>/timsol/solution.properties, set "javax.net.debug=ssl" (the property should already be present; make sure it is uncommented)
    • Stop the Dispatcher
    • From the command prompt, cd to the <ITDI-HOME> directory
    • Issue the following command:
        ibmdisrv -c ITIM_RMI.xml -s "<ITDI-HOME>\timsol" -d > ssl.log
    • Test the TAM Combo connection
    • When it fails, press CTRL+C to kill the process
    • Review the ssl.log file
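
The debugging steps above end with reading ssl.log by hand. The shell helper below is an added example, not part of the IBM document, that does a first pass over that log: it maps the JSSE failure phrases most often behind an LDAP-over-SSL problem to the configuration item to check, and extracts which truststore the JVM actually loaded. The sample log is constructed to resemble javax.net.debug=ssl output; the match strings are the common Oracle/OpenJDK JSSE wordings, and the IBM JSSE2 provider in the ITDI JVM may phrase some messages differently, so treat "no known failure found" as "inspect manually", not as "no error". Function names and the sample truststore path are assumptions.

```shell
#!/bin/sh
# Added example (not from the IBM document): first-pass triage of the ssl.log
# captured with javax.net.debug=ssl during a failing TAM Combo connection test.
# Match strings are common JSSE exception texts; IBM JSSE2 wording may differ.

# Print "<class>: <what to check>" for each known failure found in the log.
# Returns 0 when at least one known failure matched, 1 otherwise.
triage_ssl_log() {
    log=$1
    hits=0
    hit() { echo "$1"; hits=$((hits + 1)); }

    grep -q -e 'unable to find valid certification path' -e 'PKIX path building failed' "$log" \
        && hit "untrusted-cert: the LDAP server certificate (or its issuing CA) is not in the truststore the JVM loaded"
    grep -q 'Keystore was tampered with, or password was incorrect' "$log" \
        && hit "keystore-password: the truststore password does not match the file"
    grep -q 'Received fatal alert: handshake_failure' "$log" \
        && hit "handshake: no protocol version or cipher suite in common with the LDAP server"
    grep -q 'Unrecognized SSL message, plaintext connection' "$log" \
        && hit "plaintext-port: the target port is not speaking SSL (check 636 versus 389 in -ldap_svrs)"
    grep -q 'No name matching' "$log" \
        && hit "hostname: the host name used for the LDAP server does not match the certificate subject/SAN"
    grep -q 'Connection refused' "$log" \
        && hit "connect: nothing is listening on that host/port"

    [ "$hits" -gt 0 ]
}

# JSSE debug output announces the truststore it initialised; print its path
# (empty if the log never got that far).
truststore_in_use() {
    sed -n 's/^trustStore is: //p' "$1" | head -n 1
}

# Constructed excerpt in the style of javax.net.debug=ssl output (not a real
# capture): the classic "server certificate not trusted" failure.
write_sample_log() {
    cat > "$1" <<'EOF'
trustStore is: /opt/IBM/TDI/V6.1.1/timsol/ldap.jks
trustStore type is : jks
init truststore
*** ClientHello, TLSv1
*** ServerHello, TLSv1
*** Certificate chain
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
main, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
EOF
}

# Usage against a real capture:  triage_ssl_log ssl.log; truststore_in_use ssl.log
```

A "certificate_unknown" alert sent by the client together with a PKIX path error means the LDAP server's certificate was received but rejected, so the fix is on the truststore side (the file named by truststore_in_use), not on the server's listener.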


Product Synonym

ITIM TIM ISIM SIM

Document Information

Modified date:
16 June 2018

UID

swg21299655