IBM Tivoli Federated Identity Manager, Version 6.2.1

Domain configuration

A Tivoli® Federated Identity Manager domain is a deployment of the Tivoli Federated Identity Manager runtime component to either a WebSphere® single server or a WebSphere cluster.

There is one domain per WebSphere cluster. In a single server environment, there can be only one domain.

Each domain is managed independently. A single installation of the Tivoli Federated Identity Manager management console can manage multiple domains, but only one domain at a time. The domain that is currently being managed is known as the active domain.

When Tivoli Federated Identity Manager is installed, no domains exist; you use the management console to create one. During installation, the management service was deployed to a WebSphere server (single server mode) or to the WebSphere Deployment Manager (WebSphere cluster mode). The domain wizard connects to this management service and lets you choose the WebSphere server or cluster to which the Tivoli Federated Identity Manager runtime component will be deployed. When the runtime is deployed and configured, you are ready to configure additional features such as federated single sign-on or Web services security management.

In a WebSphere Network Deployment environment, the deployment and configuration of the Tivoli Federated Identity Manager runtime to cluster members is an automated process. It is not necessary to perform additional installation of Tivoli Federated Identity Manager or Tivoli Access Manager software on the WebSphere cluster computers. The Tivoli Federated Identity Manager management service deploys and configures the runtime application on the distributed cluster members by using the application deployment services of the WebSphere Deployment Manager.

The management console provides a wizard to guide you through the creation of the domain. The following sections list the properties that the wizard prompts you to supply.

Domain management service endpoints properties

Host
The fully qualified domain name for the Host where the WebSphere Application Server is running. For example:
idp.example.com
SOAP Connector Port
The default WebSphere Application Server (standalone) SOAP port is 8880. When you are creating a domain for use with a WebSphere Application Server that is a member of a WebSphere cluster, the SOAP port number might differ. For example, 8879. If you are unsure of the correct SOAP port number, use the WebSphere Application Server administrative console to determine the port.

WebSphere global security properties

WebSphere Application Server can optionally have global security enabled. When global security is enabled, the security properties must be configured for the Tivoli Federated Identity Manager management service. Global security is enabled in most deployments.

Note for z/OS®: When deploying on z/OS, WebSphere is typically configured to use a RACF® (or other security product) keyring for certificates. For instructions on setting up certificates for use with Tivoli Federated Identity Manager on z/OS, see the README document on the z/OS distribution media. The instructions describe how to take a certificate from a RACF Keyring, and add it to a Java™ Key Store file for use by Tivoli Federated Identity Manager. The trusted keystore and the optional client keystore files and passwords created by using those instructions should be used instead of the default values (for example, the trust.p12 file) shown below.

Administrative user name
The WebSphere Application Server administrator name. For example, wsadmin
Administrative user password
Password for the WebSphere Application Server administrator, as specified during the WebSphere installation.
SSL Trusted Keystore file
The trusted keystore (truststore) file used by WebSphere Application Server. It holds the signer certificates that the management console uses to verify the SSL connection to the management service.

When you have installed Tivoli Federated Identity Manager on a computer that uses an existing WebSphere installation, the default path on Linux® or UNIX® is:

/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/etc/trust.p12

On Windows®:

C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\etc\trust.p12

When you have installed embedded WebSphere as part of the Tivoli Federated Identity Manager installation, the default path on Linux or UNIX is:

/opt/IBM/FIM/ewas/profiles/itfimProfile/etc/trust.p12

On Windows:

C:\Program Files\IBM\FIM\ewas\profiles\AppSrv01\etc\trust.p12
SSL Trusted Keystore password
The password needed to access the SSL trusted keystore file.

The default password for the WebSphere trusted keystore is:

WebAS

This is a well-known default. If the WebSphere administrator has changed the truststore password, which is recommended for production deployments, enter the changed value instead.
SSL Client Keystore file
The client keystore file used by WebSphere Application Server. It holds the certificate and private key that the management console presents when WebSphere requires SSL client certificate authentication.

This keystore file is an optional configuration item. Some WebSphere deployments do not use an SSL Client Keystore file.

SSL Client Keystore password
The password needed to access the SSL client keystore file. This field is needed when you have entered an SSL client keystore file.

WebSphere server or cluster name

The domain wizard prompts for the WebSphere server or cluster name when creating a domain.

Server name
The name of the WebSphere Application Server to which the Tivoli Federated Identity Manager runtime component will be deployed.

The server is a single server, not part of a cluster.

The default name is automatically built by the wizard. For example, on host named host1:

WebSphere:cell=host1Node01Cell,node=host1Node01,server=server1
Cluster name
The name of the WebSphere Application Server cluster to which the Tivoli Federated Identity Manager runtime component will be deployed.
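The following Python script is an added example; it is not part of the Tivoli Federated Identity Manager product or this documentation. It covers two of the wizard inputs described above: it reads the SOAP connector port from WebSphere's serverindex.xml (the per-node file, located under profile/config/cells/cell/nodes/node/, in which WebSphere records the port bound to SOAP_CONNECTOR_ADDRESS) and assembles the WebSphere:cell=...,node=...,server=... server name for a standalone server. The host names, paths and the two XML documents are constructed for illustration; their layout follows WebSphere's serverindex.xml, abridged.

```python
"""Added example (not IBM code): derive the Host, SOAP Connector Port and
Server name that the Tivoli Federated Identity Manager domain wizard asks for
from a WebSphere serverindex.xml file."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: serverindex.xml of a standalone node (abridged).
STANDALONE_SERVERINDEX = """<?xml version="1.0" encoding="UTF-8"?>
<serverindex:ServerIndex xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:serverindex="http://www.ibm.com/websphere/appserver/schemas/5.0/serverindex.xmi"
    hostName="idp.example.com">
  <serverEntries xmi:id="ServerEntry_1" serverName="server1" serverType="APPLICATION_SERVER">
    <specialEndpoints xmi:id="NamedEndPoint_1" endPointName="BOOTSTRAP_ADDRESS">
      <endPoint xmi:id="EndPoint_1" host="idp.example.com" port="2809"/>
    </specialEndpoints>
    <specialEndpoints xmi:id="NamedEndPoint_2" endPointName="SOAP_CONNECTOR_ADDRESS">
      <endPoint xmi:id="EndPoint_2" host="idp.example.com" port="8880"/>
    </specialEndpoints>
  </serverEntries>
</serverindex:ServerIndex>
"""

# Constructed sample: serverindex.xml of a deployment manager node (abridged).
# In a cluster the wizard connects to the deployment manager, whose SOAP port
# is usually not 8880.
DMGR_SERVERINDEX = """<?xml version="1.0" encoding="UTF-8"?>
<serverindex:ServerIndex xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:serverindex="http://www.ibm.com/websphere/appserver/schemas/5.0/serverindex.xmi"
    hostName="dmgr.example.com">
  <serverEntries xmi:id="ServerEntry_1" serverName="dmgr" serverType="DEPLOYMENT_MANAGER">
    <specialEndpoints xmi:id="NamedEndPoint_1" endPointName="SOAP_CONNECTOR_ADDRESS">
      <endPoint xmi:id="EndPoint_1" host="dmgr.example.com" port="8879"/>
    </specialEndpoints>
  </serverEntries>
</serverindex:ServerIndex>
"""


def soap_ports(serverindex_xml):
    """Map each server in the file to the port bound to SOAP_CONNECTOR_ADDRESS."""
    root = ET.fromstring(serverindex_xml)
    ports = {}
    for entry in root.iter("serverEntries"):
        for ep in entry.iter("specialEndpoints"):
            if ep.get("endPointName") == "SOAP_CONNECTOR_ADDRESS":
                ports[entry.get("serverName")] = int(ep.find("endPoint").get("port"))
    return ports


def cell_and_node(serverindex_path):
    """Recover the cell and node names from where serverindex.xml lives."""
    m = re.search(r"/cells/([^/]+)/nodes/([^/]+)/serverindex\.xml$",
                  serverindex_path.replace("\\", "/"))
    if m is None:
        raise ValueError("expected .../config/cells/<cell>/nodes/<node>/serverindex.xml")
    return m.group(1), m.group(2)


def server_object_name(cell, node, server):
    """The server name the wizard builds for a standalone (non-clustered) server."""
    return "WebSphere:cell=%s,node=%s,server=%s" % (cell, node, server)


def wizard_inputs(serverindex_path, serverindex_xml, server):
    """Collect Host, SOAP Connector Port and Server name for the domain wizard."""
    ports = soap_ports(serverindex_xml)
    if server not in ports:
        raise KeyError("no SOAP_CONNECTOR_ADDRESS for server %r" % server)
    cell, node = cell_and_node(serverindex_path)
    host = ET.fromstring(serverindex_xml).get("hostName")
    return {
        "host": host,
        "soap_port": ports[server],
        "server_name": server_object_name(cell, node, server),
    }


if __name__ == "__main__":
    path = ("/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/"
            "host1Node01Cell/nodes/host1Node01/serverindex.xml")
    print(wizard_inputs(path, STANDALONE_SERVERINDEX, "server1"))
    print(soap_ports(DMGR_SERVERINDEX))
```

To use it against a real installation, read the serverindex.xml of the profile that hosts the target server (or, for a cluster, of the deployment manager profile) and pass its path and contents to wizard_inputs. The port it reports is the same value the WebSphere administrative console shows for SOAP_CONNECTOR_ADDRESS.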

Tivoli Access Manager environment properties

The wizard prompts whether you want to configure into a Tivoli Access Manager environment. Do not configure into a Tivoli Access Manager environment if you are using a point of contact server other than WebSEAL. For example, do not configure into a Tivoli Access Manager environment if you are using WebSphere as a point of contact server.

The wizard presents the following prompt:

This environment uses Tivoli Access Manager
If you deselect this check box, you do not have to set any properties for Tivoli Access Manager.

If you select this check box, you must specify the properties listed below.

Administrator Username
The Tivoli Access Manager administrator. The default ID is sec_master. If you chose an alternate administrator ID when you installed Tivoli Access Manager, enter it here.
Administrator Password
The password for the Tivoli Access Manager administrator.
Policy Server Hostname
The fully qualified host name of the computer running the Tivoli Access Manager policy server. For example:
idp.example.com
Port
The port number used to communicate with the policy server. This number matches the port number that you specified when you configured Tivoli Access Manager. The Tivoli Access Manager default value is 7135.
Authorization Server Hostname
The fully qualified host name of the computer running the Tivoli Access Manager authorization server. For example:
idp.example.com
Port
The port number used to communicate with the authorization server. This number matches the port number that you specified when you configured Tivoli Access Manager. The Tivoli Access Manager default value is 7136.
Tivoli Access Manager Domain
The name of the administrative Tivoli Access Manager domain that you specified when you configured Tivoli Access Manager. The default value is Default.
