Tivoli Federated Identity Manager, Version 6.2    

Planning the configuration of domains and runtime nodes

A Tivoli® Federated Identity Manager domain is a deployment of the Tivoli Federated Identity Manager runtime component to either a WebSphere® single server or a WebSphere cluster.

There is one domain per WebSphere cluster. In a single server environment, there can be only one domain.

Each domain is managed independently. You can use one installation of the Tivoli Federated Identity Manager management console to manage multiple domains, but you can manage only one domain at a time. The domain that is being managed is known as the active domain.

When Tivoli Federated Identity Manager is installed, no domains exist. You will use the management console to create a domain. When you installed Tivoli Federated Identity Manager, the management service was deployed to a WebSphere server (single server mode) or to the WebSphere Deployment Manager (WebSphere cluster mode). You will connect to this management service and choose the WebSphere server or cluster to which you will deploy the Tivoli Federated Identity Manager runtime component. When the runtime is deployed and configured, you are ready to configure the trust chain modules that are needed to support Kerberos constrained delegation.

In a WebSphere Network Deployment environment, the deployment and configuration of the Tivoli Federated Identity Manager runtime to cluster members is an automated process. It is not necessary to perform additional installation of Tivoli Federated Identity Manager or Tivoli Access Manager software onto the WebSphere cluster computers. Deployment and configuration of the runtime application to distributed cluster members is performed by the Tivoli Federated Identity Manager management service utilizing the application deployment services of the WebSphere Deployment Manager.

The management console provides a wizard to guide you through the creation of the domain. The following sections list the properties that the wizard prompts you to supply.

Domain management service endpoints properties

Host
The fully qualified domain name for the Host where the WebSphere Application Server is running. For example:
idp.example.com
SOAP Connector Port
The default WebSphere Application Server (standalone) SOAP port is 8880. When you are creating a domain for use with a WebSphere Application Server that is a member of a WebSphere cluster, the SOAP port number might differ. For example, 8879. If you are unsure of the correct SOAP port number, use the WebSphere Application Server administrative console to determine the port.

WebSphere global security properties

WebSphere Application Server can optionally have global security enabled. When global security is enabled, the security properties must be configured for the Tivoli Federated Identity Manager management service. Global security is enabled in most deployments.

Administrative user name
The WebSphere Application Server administrator name. For example, wsadmin.
Administrative user password
Password for the WebSphere Application Server administrator, as specified during the WebSphere installation.
SSL Trusted Keystore file
Keystore file used by WebSphere Application Server.

When you have installed Tivoli Federated Identity Manager on a computer that uses an existing WebSphere installation, the default path is:

/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/etc/trust.p12

When you have installed embedded WebSphere as part of the TFIM installation, the default path is:

/opt/IBM/FIM/ewas/profiles/itfimProfile/etc/trust.p12
SSL Trusted Keystore password
The password needed to access the SSL trusted keystore file.

The default password for the WebSphere trusted keystore is:

WebAS
SSL Client Keystore file
Keystore file used by WebSphere Application Server.

This keystore file is an optional configuration item. Some WebSphere deployments do not use an SSL Client Keystore file.

SSL Client Keystore password
The password needed to access the SSL client keystore file. This field is needed when you have entered an SSL client keystore file.

WebSphere server or cluster name

The domain wizard prompts for the WebSphere server or cluster name when creating a domain.

Server name
The name of the WebSphere Application Server into which the Tivoli Federated Identity Manager management service will be configured.

The server is a single server, not part of a cluster.

The default name is automatically built by the wizard. For example, on a host named host1:

WebSphere:cell=host1Node01Cell,node=host1Node01,server=server1
Cluster name
The name of the WebSphere Application Server cluster into which the Tivoli Federated Identity Manager management service will be configured.
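The following pre-flight check is an added example, not IBM's code or part of the product: it takes the wizard inputs listed above and flags the conditions the text calls out (a missing trusted keystore, a client keystore entered without its password, a non-default SOAP port on a stand-alone server, an unrecognised server name, and a trusted keystore still protected by the WebSphere default password). The property names, the `clustered` flag and the warning strings are my own; the default port, paths and password are the ones stated on this page.

```python
# Added example (not IBM's code): sanity-check the properties the TFIM domain
# wizard prompts for before you run it. Property keys below are assumptions;
# the defaults (port 8880, trust.p12, password "WebAS") come from the page.
import os

DEFAULT_TRUST_PASSWORD = "WebAS"   # WebSphere default trusted keystore password
DEFAULT_SOAP_PORT = 8880           # stand-alone WebSphere SOAP connector port


def build_default_server_name(host: str) -> str:
    """Reproduce the wizard's default stand-alone server name for a host."""
    short = host.split(".")[0]
    return f"WebSphere:cell={short}Node01Cell,node={short}Node01,server=server1"


def parse_server_name(name: str) -> dict:
    """Split 'WebSphere:cell=...,node=...,server=...' (or cluster=) into parts."""
    scheme, _, body = name.partition(":")
    if scheme != "WebSphere" or not body:
        raise ValueError(f"not a WebSphere object name: {name!r}")
    parts = dict(kv.split("=", 1) for kv in body.split(","))  # ValueError if no '='
    if {"cell", "node"} - set(parts) or not ({"server", "cluster"} & set(parts)):
        raise ValueError(f"incomplete object name: {name!r}")
    return parts


def check_domain_inputs(props: dict) -> list:
    """Return human-readable warnings for the supplied wizard properties."""
    warnings = []
    if props.get("trust_keystore_password") == DEFAULT_TRUST_PASSWORD:
        warnings.append("SSL trusted keystore still uses the WebSphere default password")
    keystore = props.get("trust_keystore_file", "")
    if not os.path.isfile(keystore):
        warnings.append(f"SSL trusted keystore not found: {keystore}")
    if props.get("client_keystore_file") and not props.get("client_keystore_password"):
        warnings.append("SSL client keystore given without its password")
    if props.get("soap_port") != DEFAULT_SOAP_PORT and not props.get("clustered"):
        warnings.append("non-default SOAP port on a stand-alone server; confirm it in the admin console")
    try:
        parse_server_name(props.get("target", ""))
    except ValueError as err:
        warnings.append(str(err))
    return warnings


if __name__ == "__main__":
    # Constructed sample input for a stand-alone host idp.example.com.
    sample = {"soap_port": 8880, "trust_keystore_password": "WebAS",
              "trust_keystore_file": "/opt/IBM/FIM/ewas/profiles/itfimProfile/etc/trust.p12",
              "target": build_default_server_name("idp.example.com")}
    for line in check_domain_inputs(sample):
        print("WARNING:", line)
```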

Tivoli Access Manager environment properties

The wizard prompts whether you want to configure into a Tivoli Access Manager environment. You do not need to configure into a Tivoli Access Manager environment in order to deploy Tivoli Federated Identity Manager as a token exchange service in a Kerberos constrained delegation environment. In this deployment scenario, Tivoli Federated Identity Manager does not use Tivoli Access Manager authentication services to authenticate a user. The authentication is done by Tivoli Access Manager prior to the use of Tivoli Federated Identity Manager. The role of Tivoli Federated Identity Manager is limited to exchanging the authentication information obtained from a Kerberos token into a token type that can be processed by Tivoli Access Manager.

The wizard presents the following prompt:

This environment uses Tivoli Access Manager
You will deselect this check box.
