You must create a domain and deploy a runtime application for each instance of the Tivoli® Federated Identity Manager.
Before you begin
Note: IBM® deprecated the Tivoli Federated Identity Manager Security Token Service (STS) Client in this release. If you use WebSphere® 6.X, you can still use the Tivoli Federated Identity Manager STS client while Tivoli Federated Identity Manager supports WebSphere 6.X. When Tivoli Federated Identity Manager discontinues its support for WebSphere 6.X, use WebSphere Application Server version 7 Update 11 and later. See WS-Trust client API and WS-Trust Clients for details.
A wizard prompts you to supply the necessary configuration properties. You can use the properties on the worksheet that you prepared. For more information about the worksheet, see Domain configuration.
About this task
This task is a prerequisite to configure additional Tivoli Federated Identity Manager features such as federated single sign-on or Web Services Security Management. It is also a prerequisite for deployments that use the Tivoli Federated Identity Manager security token service for token exchange. An example of a token exchange scenario is deployment of Tivoli Federated Identity Manager Kerberos constrained delegation with WebSEAL junctions.
Procedure
- Verify that the WebSphere Application Server application is running.
- Copy all the WebSphere key files from the Deployment Manager to all the nodes in the cluster under the following circumstances:
  - When you deploy a domain into a WebSphere Application Server cluster
  - When WebSphere global security is enabled
  Place the keys on each node in the same directory as on the Deployment Manager. WebSphere 6.1 does this automatically. However, when the administration console is remote from the DMgr (Management Service), ensure that the server certificate presented by the DMgr is trusted by the console. One way to do this verification is to copy the truststore from the DMgr to the console profile.
- Log on to the WebSphere console.
- Click Tivoli Federated Identity Manager → Getting Started. The Getting Started portlet opens.
- Click Manage Domains. The Domains portlet opens.
- Click Create. The Domain wizard opens the Welcome panel.
- Click Next. The Management Service Endpoint panel opens.
- Enter values for the specified properties.
- Click Next. The WebSphere Security panel opens.
- Specify whether WebSphere global security is enabled.
  - When global security is enabled, enter values for the specified properties and click Next.
  - When global security is not enabled, leave the remaining properties blank. Click Next.
- Click Test Connection. When successful, you can see an information message:
  FBTCON317I Tivoli Federated Identity Manager connected successfully.
- Click Next. The WebSphere Target Mapping panel opens.
- Select or enter the name of your server or cluster.
  - When the WebSphere environment consists of a single server, the panel shows a Server name menu with a default name.
  - When the WebSphere environment consists of a cluster, the panel shows the Cluster Name menu. This menu lists the names of clusters defined in the cell. Select the name of the cluster to use.
- When finished, click Next. The Select Domain panel opens. A default name is provided.
- Accept the default name or enter a name for the new domain. The Tivoli Access Manager Environment Settings panel opens.
- Select or clear This Environment Uses Tivoli Access Manager as appropriate. When you select this option, provide values for the rest of the properties.
- Click Next. The Summary panel opens.
- Verify that the domain information is correct.
- Click Finish. The domain is created and the domain wizard exits. The Create Domain Complete panel opens.
- Select both of the check boxes on the Create Domain Complete panel.
- Click OK.
  You must complete both of the tasks as part of the initial creation and deployment of the Tivoli Federated Identity Manager management service and runtime:
  - Make this domain the active management domain
  - Open Runtime Node Management upon completion
- When you are deploying Tivoli Federated Identity Manager into a WebSphere cluster, ensure that the WebSphere Node Agent is running on all the nodes in the cluster. Use the WebSphere administrative console to verify the status of the node agents.
  The Current Domain portlet and the Runtime Node Management portlet open.
- In the Runtime Node Management portlet, click Deploy Runtime. A message shows:
  FBTCON355I - A request to deploy the Tivoli Federated Identity Manager Runtime is in progress.
  The following link shows:
  Click to refresh runtime deployment status and check for completion.
  The deployment operation might take several minutes. During this time, you can click the link to check for completion. When the deployment is complete, click the link to return to the message:
  FBTCON132I The Runtime was successfully deployed to the domain.
  The Runtime Node Management portlet is redrawn. An entry for the runtime is added to the Runtime Nodes table for each node in the domain. The Configure button is also activated.
- In the Runtime Node table, select the check box for your node.
- Click Configure. The runtime application is configured into the environment.
- In a WebSphere cluster environment, configure each node in the cluster by repeating the previous step.
- When all nodes are configured, click the Load configuration changes to the Tivoli Federated Identity Runtime button. The button is located in the Current Domain portlet.
- Continue with the instructions that apply to your deployment:
  - In a WebSphere cluster environment, continue with Mapping the runtime to a Web server.
  - In a WebSphere non-clustered (stand-alone server) environment, domain creation and deployment are now complete. Continue with the appropriate instructions for your scenario.
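The key-file step in this procedure requires that the WebSphere key files sit on every node in the same directory as on the Deployment Manager, and a stale or missing truststore on a node is a common reason the runtime cannot trust the DMgr under global security. The following script is an added example, not part of the IBM documentation, that compares a node's key directory against the DMgr's by SHA-256 digest; the directory paths and the .p12/.jks file name patterns are assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: verify that the WebSphere
# key files copied from the Deployment Manager (DMgr) to a cluster node are
# byte-identical to the DMgr originals before you deploy the domain with
# global security enabled. Assumptions: both directories are readable from
# where the script runs (for example the node directory over NFS or a copy
# fetched with scp), and key files use the .p12 or .jks extension.

# digest FILE: print the SHA-256 hex digest of FILE.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# compare_keys DMGR_DIR NODE_DIR
# Prints one status line per key file found in DMGR_DIR. Returns 0 only when
# every file is present in NODE_DIR with the same digest; returns 1 when a
# file is missing or differs, or when DMGR_DIR contains no key files at all.
compare_keys() {
    dmgr_dir=$1
    node_dir=$2
    status=0
    checked=0
    for src in "$dmgr_dir"/*.p12 "$dmgr_dir"/*.jks; do
        [ -f "$src" ] || continue            # unmatched glob pattern
        checked=$((checked + 1))
        name=$(basename "$src")
        dst="$node_dir/$name"
        if [ ! -f "$dst" ]; then
            echo "MISSING  $name (not present on the node)"
            status=1
        elif [ "$(digest "$src")" = "$(digest "$dst")" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (node copy differs from DMgr copy)"
            status=1
        fi
    done
    if [ "$checked" -eq 0 ]; then
        echo "ERROR    no .p12 or .jks files found in $dmgr_dir"
        status=1
    fi
    return $status
}

# Usage (placeholder paths): compare_keys <dmgr-key-dir> <node-key-dir>
```

Run it once per node before clicking Deploy Runtime; any MISSING or MISMATCH line means that node's keys must be copied again from the DMgr.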
What to do next
Restart the WebSphere Application Server under the following circumstances:
- If you specified inaccurate information in the WebSphere Security panel in the Domain wizard
- While creating a Tivoli Federated Identity Manager domain, or a connection to a domain
If you attempted to correct the information and you still cannot connect to the Tivoli Federated Identity Manager console, restart the WebSphere Application Server. Use Test Connection in the panel to verify the connection between the Tivoli Federated Identity Manager console and the Management Service.