of 77 /77
Product overview

SIM Overview

Embed Size (px)



Text of SIM Overview

  • Product overview

  • ii Product overview

  • ContentsProduct overview. . . . . . . . . . . 1Initial login and password information . . . . . 1Access management with IBM Tivoli IdentityManager and other products . . . . . . . . . 2Support for corporate regulatory compliance . . . 3Identity governance . . . . . . . . . . . . 8Release information . . . . . . . . . . . . 8

    Whats new in this release . . . . . . . . . 9Hardware and software requirements. . . . . 14Installation images and fix packs . . . . . . 21Known limitations, problems, and workarounds 22

    Technical overview . . . . . . . . . . . . 40Users, authorization, and resources . . . . . 40Main components . . . . . . . . . . . 42People overview. . . . . . . . . . . . 43Resources overview . . . . . . . . . . 45System security overview. . . . . . . . . 48Organization tree overview . . . . . . . . 53Policies overview . . . . . . . . . . . 54

    Workflow overview. . . . . . . . . . . 56Features overview . . . . . . . . . . . . 57

    Improved user interface . . . . . . . . . 57Recertification . . . . . . . . . . . . 58Reporting . . . . . . . . . . . . . . 59Static and dynamic roles . . . . . . . . . 59Self-access management . . . . . . . . . 59Provisioning features . . . . . . . . . . 60Resource provisioning . . . . . . . . . . 64

    About this information . . . . . . . . . . 65Intended audience . . . . . . . . . . . 65Publications . . . . . . . . . . . . . 65Tivoli technical training . . . . . . . . . 66Support information . . . . . . . . . . 66Conventions used in this information. . . . . 67Notices . . . . . . . . . . . . . . . 70

    Accessibility . . . . . . . . . . . . . . 72

    Index . . . . . . . . . . . . . . . 73


  • iv Product overview

  • Product overviewThese topics describe the product and its surrounding business and technologycontext.

    They include information about:

    v The particular product release, such as new or deprecated product features andfunctions

    v The open standards, technologies, and architecture on which the product isbased

    v The user model and roles underlying the product featuresv The graphical interfaces and tools provided to support various user rolesv The information center for viewing documentation

    Initial login and password informationTo get started after installing IBM Tivoli Identity Manager, you need to know thelogin URL and the initial user ID and password.

    Login URL

    The login URL enables you to access the IBM Tivoli Identity Manager webinterface.

    The login URL for the IBM Tivoli Identity Manager administrative console is:http://ip-address:port/itim/console/main/

    Where ip-address is the IP address or DNS address of the IBM Tivoli IdentityManager server, and port is the port number. The default port for new installationsof IBM Tivoli Identity Manager is 9080.

    The login URL for the IBM Tivoli Identity Manager self-service console is:http://ip-address:port/itim/self

    Where ip-address is the IP address or DNS address of the IBM Tivoli IdentityManager server, and port is the port number. The default port for new installationsof IBM Tivoli Identity Manager is 9080.

    Initial user ID and password

    The initial user ID and password to authenticate to IBM Tivoli Identity Manager is:

    Table 1. Initial user ID and password for IBM Tivoli Identity ManagerUser ID Password

    itim manager secret


  • Access management with IBM Tivoli Identity Manager and otherproducts

    In a security lifecycle, IBM Tivoli Identity Manager and several other productsprovide access management that enables you to determine who can enter yourprotected systems, what can they access, and how to ensure that users access onlywhat they need for their business tasks.

    Access management addresses three questions from the business point of view:v Who can come into my systems?v What can they do?v Can I easily prove what theyve done with that access?

    These products validate the authenticity of all users with access to resources, andensure that access controls are in place and consistently enforced:v IBM Tivoli Identity ManagerProvides a secure, automated and policy-based user management solution thathelps effectively manage user identities throughout their lifecycle across bothlegacy and e-business environments. IBM Tivoli Identity Manager providescentralized user access to disparate resources in an organization, using policiesand features that streamline operations associated with user-resource access. Asa result, your organization realizes numerous benefits, including: Web self-service and password reset and synchronization; users can

    self-administer their passwords using the rules of a password managementpolicy to control access to multiple applications. Password synchronizationenables a user to use one password for all accounts that IBM Tivoli IdentityManager manages.

    Quick response to audits and regulatory mandates Automation of business processes related to changes in user identities by

    providing life-cycle management Centralized control and local autonomy Enhanced integration with the use of extensive APIs Choices to manage target systems either with an agent or agentless approach Reduced help desk costs Increased access security through the reduction of orphaned accounts Reduced administrative costs through the provisioning of users using

    software automation Reduced costs and delays associated with approving resource access to new

    and changed usersv Tivoli Access ManagerEnables your organization to use centralized security policies for specified usergroups to manage access authorization throughout the network, including thevulnerable, internet-facing Web servers. Tivoli Access Manager can be tightlycoupled with IBM Tivoli Identity Manager to reconcile user groups and accountsmanaged by Tivoli Access Manager with the identities managed by IBM TivoliIdentity Manager to provide an integrated solution for resource access control.Tivoli Access Manager delivers: Unified authentication and authorization access to diverse Web-based

    applications within the entire enterprise

    2 Product overview

  • Flexible single sign-on to Web, Microsoft, telnet and mainframe applicationenvironments

    Rapid and scalable deployment of Web applications, with standards-basedsupport for Java 2 Enterprise Edition (J2EE) applications

    Design flexibility through a highly scalable proxy architecture andeasy-to-install Web server plug-ins, rule- and role-based access control,support for leading user registries and platforms, and advanced APIs forcustomized security

    v Tivoli Federated Identity ManagerHandles all the configuration information for a federation across organizationalboundaries, including the partner relationships, identity mapping, and identitytoken management.Tivoli Federated Identity Manager enables your organization to share serviceswith business partner organizations and obtain trusted information aboutthird-party identities such as customers, suppliers, and client employees. Youcan obtain user information without having to create, enroll, or manage identityaccounts with the organizations that provide access to services that are used byyour organization. Consequently, users are spared from having to register at apartner site, and from having to remember additional logins and passwords. Theresult is improved integration and communication between your organizationand your suppliers, business partners, and customers.

    For more information how access management products fit in larger solutions for asecurity lifecycle, refer to the Tivoli Security Management Web site:http://www.ibm.com/software/tivoli/solutions/security/

    IBM Redbooks and Redpapers also describe implementing IBM Tivoli IdentityManager within a portfolio of IBM security products.

    Support for corporate regulatory complianceIBM Tivoli Identity Manager provides support for corporate regulatory compliance.

    Compliance areas

    Tivoli Identity Manager addresses corporate regulatory compliance in the followingkey areas:v Provisioning and the approval workflow processv Audit trail trackingv Enhanced compliance statusv Password policy and password compliancev Account and access provisioning authorization and enforcementv Recertification policy and processv Reports

    Provisioning and the approval workflow process

    Tivoli Identity Manager provides support for provisioning, user accounts andaccess to various resources. When implemented as one of a suite of securityproducts, Tivoli Identity Manager plays a key role to ensure that resources areprovisioned only to authorized persons, safeguarding the accuracy andcompleteness of information processing methods and granting authorized usersaccess to information and associated assets. Tivoli Identity Manager provides an

    Product overview 3

  • integrated software solution for managing the provisioning of services,applications, and controls to employees, business partners, suppliers, and othersassociated with your organization across platforms, organizations, andgeographies. You can use its provisioning features to control the setup andmaintenance of user access to system and account creation on a managed resource.

    At its highest level, an identity management solution automates and centralizes theprocess of provisioning resources, such as operating systems and applications, topeople in, or affiliated with, an organization. Organizational structure can bealtered to accommodate the provisioning policies and procedures. However, theorganization tree used for provisioning resources does not necessarily reflect themanagerial structure of an organization. Administrators at all levels can usestandardized procedures for managing user credentials. Some levels ofadministration can be reduced or eliminated, depending on the breadth of theprovisioning management solution. Furthermore, you can securely distributeadministration capabilities, manually or automatically, among variousorganizations.

    The approval process can be associated with different types of provisioningrequests, including account and access provisioning requests. Life cycle operationscan also be customized to incorporate the approval process.

    Models for provisioning

    Depending on business needs, Tivoli Identity Manager provides alternatives toprovision resources to authorized users on request-based, role-based, or hybridmodels.

    Approval workflows

    Account and access request workflows are invoked during account and accessprovisioning. You typically use account and access request workflows to defineapproval workflows for account and access provisioning.

    Account request workflows provide a decision-based process to determine if theentitlement provided by a provisioning policy should be granted. The entitlementprovided by a provisioning policy specifies the account request workflow thatapplies to the set of users in the provisioning policy membership. If multipleprovisioning policies apply to the same user for the same service target, and thereare different account request workflows in each provisioning policy, the accountrequest workflow that is invoked for the user is determined based on the priorityof the provisioning policy. If a provisioning policy has no associated workflow andthe policy grants an account entitlement, the operations that are related to therequest run immediately. For example, an operation might add an account.

    However, if a provisioning policy has an associated workflow, that workflow runsbefore the policy grants the entitlement. If the workflow returns a result ofApproved, the policy grants the entitlement. If the workflow has a result ofRejected, the entitlement is not granted. For example, a workflow might require amanagers approval. Until the approval is submitted and the workflow completes,the account is not provisioned. When you design a workflow, consider the intent ofthe provisioning policy and the purpose of the entitlement itself.

    4 Product overview

  • Tracking

    Tivoli Identity Manager provides audit trail information about how and why auser has access. On a request basis, Tivoli Identity Manager provides a process togrant, modify, and remove access to resources throughout a business, and toestablish an effective audit trail using automated reports.

    The steps involved in the process, including approval and provisioning ofaccounts, are logged in the request audit trail, and corresponding audit events aregenerated in the database for audit reports. User and Account lifecyclemanagement events, including account and access changes, recertification, andcompliance violation alerts, are also logged in the audit trail.

    Enhanced compliance status

    Tivoli Identity Manager provides enhanced compliance status on items such asdormant and orphan accounts, provisioning policy compliance status,recertification status, and a variety of reports.v Dormant accounts. You can view a list of dormant accounts using the Reportsfeature. Tivoli Identity Manager includes a dormant account attribute to servicetypes that you can use to find and manage unused accounts on services.

    v Orphan accounts. Accounts on the managed resource whose owner in the TivoliIdentity Manager Server cannot be determined are orphan accounts, which areidentified during reconciliation when the applicable adoption rule cannotsuccessfully determine the owner of an account.

    v Provisioning policy compliance status. The compliance status based on thespecification of provisioning policy is available for accounts and access. Anaccount could be either compliant, non-compliant with attribute value violations,or disallowed. An access is either compliant or disallowed.

    v Recertification status. The recertification status is available for user, account,and access target types, which indicates whether the target type is certified,rejected, or never certified. The timestamp of the recertification is also available.

    Password policy and password compliance

    Tivoli Identity Manager provides the ability to create and manage passwordpolicies. password policy defines the password strength rules that are used todetermine whether a new password is valid. A password strength rule is a rule towhich a password must conform. For example, password strength rules mightspecify that the minimum number of characters of a password must be five andthe maximum number of characters must be ten.

    The Tivoli Identity Manager administrator can also create new rules to be used inpassword policies.

    If password synchronization is enabled, the administrator must ensure thatpassword policies do not have any conflicting password strength rules. Whenpassword synchronization is enabled, Tivoli Identity Manager combines policies forall accounts that are owned by the user to determine the password to be used. Ifconflicts between password policies occur, the password might not be set.

    Provisioning policy and policy enforcement

    A provisioning policy grants access to many types of managed resources, such asTivoli Identity Manager server, Windows NT servers, Solaris servers, and so on.

    Product overview 5

  • Provisioning policy parameters help system administrators define the attributevalues that are required and the values that are allowed.

    Policy enforcement is the manner in which Tivoli Identity Manager allows ordisallows accounts that violate provisioning policies.

    You can specify one of the following policy enforcement actions to occur for anaccount that has a noncompliant attribute.

    Mark Sets a mark on an account that has a noncompliant attribute.

    SuspendSuspends an account that has a noncompliant attribute.

    CorrectReplaces a noncompliant attribute on an account with the correct attribute.

    Alert Issues an alert for an account that has a noncompliant attribute.

    Recertification policy and process

    A recertification policy includes activities to ensure that users provide confirmationthat they have a valid, ongoing need for the target type specified (user, account,and access). The policy defines how frequently users must validate an ongoingneed. Additionally, the policy defines the operation that occurs if the recipientdeclines or does not respond to the recertification request. Tivoli Identity Managersupports recertification policies that use a set of notifications to initiate theworkflow activities that are involved in the recertification process. Depending onthe user response, a recertification policy can mark a users roles, accounts, groups,or accesses as recertified, suspend or delete an account, or delete a role, group, oraccess.

    Audits that are specific to recertification are created for use by several reports thatare related to recertification:

    Accounts, access, or users pending recertificationProvides a list of recertifications that are not completed.

    Recertification historyProvides a historical list of recertifications for the target type specified.

    Recertification policiesProvides a list of all recertification policies.

    User recertification historyProvides history of user recertification.

    User recertification policyProvides a list of all user recertification policies.


    Security administrators, auditors, managers, and service owners in yourorganization can use one or more of the following reports to control and supportcorporate regulatory compliance:v Accesses Report, which lists all access definitions in the system.v Approvals and Rejections Report, which shows request activities that were eitherapproved or rejected.

    v Dormant Accounts Report, which lists the accounts that have not been usedrecently.

    6 Product overview

  • v Entitlements Granted to an Individual Report, which lists all users with theprovisioning policies for which they are entitled.

    v Noncompliant Accounts Report, which lists all noncompliant accounts.v Orphan Accounts Report, which lists all accounts not having an owner.v Pending Recertification Report, which highlights recertification events that canoccur if the recertification person does not take action on an account or access.This report supports data filtering by a specific service type or a specific serviceinstance.

    v Recertification Change History Report, which shows a history of accesses(including accounts) and when they were last recertified. This report serves asevidence of past recertifications.

    v Recertification Policies Report, which shows the current recertificationconfiguration for a given access or service.

    v Separation of Duty Policy Definition Report, which lists the separation of dutypolicy definitions.

    v Separation of Duty Policy Violation Report, which contains the person, policy,and rules violated, approval and justification (if any), and who requested theviolating change.

    v Services Report, which lists services currently defined in the system.v Summary of Accounts on a Service Report, which lists a summary of accountson a specified service defined in the system.

    v Suspended Accounts Report, which lists the suspended accounts.v User Recertification History Report, which lists the history of userrecertifications performed manually (by specific recertifiers), or automatically(due to time out action).

    v User Recertification Policy Definition Report, which lists the user recertificationpolicy definitions.

    All reports are available to all users when the appropriate access controls areconfigured. However, certain reports are designed specifically for certain types ofusers.

    Table 2. Summary of reportsDesigned for Available reports

    Security administrators v Dormant Accountsv Orphan Accountsv Pending Recertificationv Recertification Historyv Recertification Policiesv User Recertification Historyv User Recertification Policies

    Managers v Pending Recertificationv Recertification Historyv Recertification Policiesv User Recertification Historyv User Recertification Policies

    Product overview 7

  • Table 2. Summary of reports (continued)Designed for Available reports

    Service owners v Dormant Accountsv Orphan Accountsv Pending Recertificationv Recertification Historyv Recertification Policiesv User Recertification Historyv User Recertification Policies

    Auditors v Dormant Accountsv Orphan Accountsv Pending Recertificationv Recertification Historyv Recertification Policiesv User Recertification Historyv User Recertification Policies

    End users, help desk,and developers


    Identity governanceIBM Tivoli Identity Manager extends the identity management governancecapabilities with a focus on operational role management. Using roles simplifiesthe management of access to IT resources.

    Identity governance includes these Tivoli Identity Manager features:

    Role managementManages user access to resources, but unlike user provisioning, rolemanagement does not grant or remove user access. Instead, it sets up arole structure to do it more efficiently.

    Entitlement managementSimplifies access control by administering and enforcing fine-grainedauthorizations.

    Access certificationProvides ongoing review and validation of access to resources at role orentitlement level.

    Privileged user managementProvides enhanced user administration and monitoring of system oradministrator accounts that have elevated privileges.

    Separation of dutiesPrevents and detects business-specific conflicts at role or entitlement level.

    Release informationThis section describes new features and hardware and software requirements forIBM Tivoli Identity Manager.

    8 Product overview

  • Whats new in this releaseIBM Tivoli Identity Manager continues to deliver new identity managementcapabilities in line with common standards and best practices. This release extendsidentity management governance capabilities with a focus on compliance.

    Role management capabilitiesRoles manage user access to resources, but unlike user provisioning, rolemanagement does not grant or remove user access. Instead, it sets up a rolestructure to do it more efficiently. IBM Tivoli Identity Manager 5.1 extends identitymanagement governance capabilities with a focus on operational role management.

    Management of access to IT resources using roles is simplified and enhanced withthese role management capabilities:

    Role hierarchiesRole hierarchies allow security administrators to build and plan logical rolehierarchies and to build more meaningful role relationships.v Role relationships can be implemented.v Immediate parent-child role relationships can be tracked and navigated.v Separation of duty can be evaluated where role hierarchy is used.

    Role relationshipsRole relationships allow roles to be logically linked by allowing parent-childrole relationships in the hierarchy, in which child roles inherit theentitlements of their parent roles.v A parent role can have multiple child roles.v A child role can have multiple parent roles.v Role relationships can be evaluated to determine which entitlements areinherited and granted.

    v Provisioning behavior can be changed by role hierarchy assignment; forexample, by making a department role a child of an application role.

    Role classificationRole classification is the ability to classify a role for workflow and policycustomization purposes.v Default role types are business and application types.v Business roles encompass the kind of job that a person does.v Application roles encompass the kind of access that the person requires.v Role relationships and role classification can be used to define howdifferent role types relate.

    Role ownership and approvalsRole owners can be users or other roles.v Roles can have multiple owners.v Workflow participants and access control items (ACIs) are enhanced toanalyze and resolve role participants.

    Role administrationOrganizational roles are a method of providing users with entitlements tomanaged resources by determining which resources are provisioned for a useror set of users who share similar responsibilities. A role is a job function thatidentifies the tasks that a person can perform and the resources to which theperson has access.

    Product overview 9

  • Separation of duty capabilitiesSeparation of duty is a policy-driven feature to manage potential or existing roleconflicts. A separation of duty policy is a logical container of separation rules thatdefine mutually exclusive relationships among roles. Separation of duty policiesare defined by one or more business rules that exclude users from membership inmultiple roles that might present a business conflict.

    The purpose of the separation of duty policy is to group the rules for ease ofadministration. For example, you can assign a set of administrators to a policy,making the administrators responsible for tracking the violations of a set of rules.

    Separation of duty capabilities include:v Violation tracking through the administrative console, which provides identitygovernance and accountability

    v Violation and exemptions auditing through reports, which helps prevent orhighlight inappropriate use of privileges

    v Approval workflow for separation of duties, which helps achieve compliancegoals

    v New access control items (ACIs), which reflect new separation of duty policytargets

    v Evaluation of the separation of duty policy when workflow is used for identityfeeds

    v Prevention of invalid or inconsistent (with business policy) combinations ofroles, which prohibits parent-child relationships within a separation of dutypolicy

    v Workflow participant type (SoD Policy Owner)v Violations entity for workflow and notification customizationv Approval process, which allows for exemptions when a violation occurs; theexemptions can be revoked later

    Separation of duty policiesA separation of duty policy is a logical container of separation rules that definemutually exclusive relationships among roles. Separation of duty policies aredefined by one or more business rules that exclude users from membership inmultiple roles that might present a business conflict.

    Separation of duty policies reportsThis section describes various separation of duty policy reports.

    Separation of duty violation reportThis section describes the separation of duty violation report. This reportcontains the person, policy, and rules violated, approval and justification (ifany), and who requested the violating change.

    SeparationOfDutyRuleViolationObject that provides information about a specific separation of duty ruleviolation. Use this object to get specific information about a separation of dutypolicy violation. This object cannot be created for use by the user. The user canwork only with SeparationOfDutyRuleViolation objects that the system hasgenerated as part of the approveSoDViolation workflow.

    ParticipantTypeWorkflow Participant Type constants.

    10 Product overview

  • User recertificationIBM Tivoli Identity Manager provides the ability to certify and validate a usersaccess to IT resources on a regular interval. User recertification is a type ofcertification process that combines recertification of a users accounts, groupmemberships of accounts, and role memberships into a single activity.

    User recertification activities are completed by a specified participant, such as amanager or application owner. Each user recertification activity lists accounts,group memberships, and role memberships owned by a user. Groups that areenabled as access are displayed within the activity using the access informationrather than the group information. The participant can individually approve orreject whether the user still requires each account, group membership, and rolemembership. Several actions can be taken when a resource or membership isrejected, including suspension of the resource or removal of the membership.

    The user recertification policy provides options for configuring the scope of therecertification, workflow activities, notifications, and timeout and rejectionbehaviors.

    Recertification policiesRecertification simplifies and automates the process of periodically revalidatinga target type (account or access) or a membership (role or resource group). Therecertification process validates whether the target type or membership is stillrequired for a valid business purpose. The process sends recertificationnotification and approval events to the participants that you specify. Arecertification policy includes activities to ensure that users provide confirmationthat they have a valid, ongoing need for a specified resource or membership.

    Creating a user recertification policyAs an administrator, you can create a user recertification policy to recertify theaccounts, group membership of accounts, and memberships of users.

    User recertification history reportThis section describes the report that lists history of user recertificationsperformed manually (by specific recertifiers), or automatically (due to time outaction).

    User recertification policy definition reportThis section describes a report that lists information about the userrecertification policies defined in the system.

    Group management capabilitiesIBM Tivoli Identity Manager provides additional security administrationenhancements through new group management capabilities.

    Group management capabilities include:v Ability to create, change, delete groups on the target resource as long as theTivoli Identity Manager version 5.1 adapter is installed

    v Synchronous group provisioning to the target resource for creating, modifying,and deleting groups

    v Streamlined navigation in the administrative console for group managementv New version 5.1 adapters and profiles take advantage of group managementcapabilities

    Product overview 11

  • Group administrationIBM Tivoli Identity Manager provides predefined groups. You can also createand modify customized groups.

    Tivoli Common ReportingIBM Tivoli Identity Manager features new reporting capabilities for auditingpurposes and provides reports based on a common reporting component namedIBM Tivoli Common Reporting. This component is based on the Eclipse BusinessIntelligence Reporting Tool and provides custom report authoring, reportdistribution, report scheduling capabilities, and the ability to run and managereports from multiple IBM Tivoli products.

    Tivoli Common Reporting is a reporting feature that is available as an additionalbenefit to owners of Tivoli products. Tivoli Common Reporting offers Tivolicustomers a common approach to viewing and administering reports. Tivoliproducts provide report packages based on Tivoli Common Reporting, with reportsthat have a common look and feel across all Tivoli products.

    For more details about the Tivoli Common Reporting component, see thedocumentation on the Tivoli Common Reporting DVD. For more information aboutthe availability of Tivoli Identity Manager reports, see the Tivoli Identity ManagerSupport Site.

    Reports included with Tivoli Common Reportingv Accesses Reportv Approvals and Rejections Reportv Dormant Accounts Reportv Entitlements Granted to an Individual Reportv Noncompliant Accounts Reportv Orphan Accounts Reportv Separation of Duty Policy Definition Reportv Separation of Duty Policy Violation Reportv Services Reportv Summary of Accounts on a Service Reportv Suspended Accounts Reportv User Recertification History Reportv User Recertification Policy Definition Report

    Configuring and administering IBM Tivoli Common ReportingIBM Tivoli Common Reporting (also called the reports pack) focuses onaccount, service, and request information.

    New APIsThese new application programming interfaces (APIs) are available to support thenew features of IBM Tivoli Identity Manager 5.1.v Groupv GroupEntityv GroupFactoryv GroupManagerv GroupMOv GroupSearch

    12 Product overview

  • v GroupServicev New methods on the Role, RoleEntity, and RoleMO classesv SeparationOfDutyPolicyv SeparationOfDutyPolicyManagerv SeparationOfDutyPolicyMOv SeparationOfDutyRulev UserRecertificationCompletionImpactv UserRecertificationWorkflowAssignmentMO

    New workflow extensionsThese new workflow extensions are available to support the new features of IBMTivoli Identity Manager 5.1.v approveRolesByOwnerv approveRolesWithOperationv callApprovalOperationv addSeparationOfDutyPolicyv callSODApprovalOperationv constructApprovalDocumentv remediateAccountsAndGroupsv remediateRoleMembershipsv updateRecertificationStatusAllApprovedv updateRecertificationStatusEmptyDocument

    Sample workflow: sequential approval for user recertification usingpackaged approval nodeThis scenario shows an organization policy that requires user recertification tobe approved by two levels of approvers. The first approver submits decisionsthat are reviewed by the second approver. The second approver can change thedecisions made by the first approver and then submit the final decisions. Therequest in this scenario is for recertification approval of user resources(accounts, groups, or roles).

    Sample workflow: user recertification role membership approval by roleownerThis scenario shows an organization with a policy that requires that rolemembership recertifications are completed by individual role owners, while theusers accounts and groups are recertified by the manager. After all approvalshave been completed, the individual resource decisions are combined andremediated.

    New JavaScript functionsThese new JavaScript functions are available to support the new features of IBMTivoli Identity Manager 5.1.v PackagedApprovalDocumentv PackagedApprovalItemv RecertificationWorkflowv SeparationOfDutyRuleViolation

    PackagedApprovalDocumentA relevant data object used in multi-item approval, used exclusively in userrecertification workflows. This object is made up of multiple

    Product overview 13

  • PackagedApprovalItem objects from the user recertification approval and allowsfor searching and retrieving recertification items.

    PackagedApprovalItemA relevant data object used in IBM Tivoli Identity Manager multi-itemapproval, used exclusively in user recertification workflows. This objectrepresents the individual roles, accounts, and groups that are presented to theuser during the recertification process. Some items might contain a decisioncode indicating the choice of the approvers for that item. Each item alsocontains a list of children that is used to represent relationships betweenaccounts and groups.

    RecertificationWorkflowProvides extended capabilities to user recertification workflows, including auditsupport for the reporting and view requests functions.

    SeparationOfDutyRuleViolationObject that provides information about a specific separation of duty ruleviolation. Use this object to get specific information about a separation of dutypolicy violation. This object cannot be created for use by the user. The user canwork only with SeparationOfDutyRuleViolation objects that the system hasgenerated as part of the approveSoDViolation workflow.

    Hardware and software requirementsHardware and software requirements that are stated here for IBM Tivoli IdentityManager take precedence over any other mention in other IBM Tivoli IdentityManager publications.

    These requirements were current when this publication went to production. Forpossible updates to this information, contact your customer support representative.

    Operating system requirementsThe IBM Tivoli Identity Manager installation program checks to ensure thatspecific operating systems and levels are present before starting the installationprocess.

    Table 3 identifies the operating systems, patches, and minimum requirements forinstallation:

    Table 3. Operating system requirements for IBM Tivoli Identity ManagerOperating system Patch or maintenance level requirements

    AIX Version 5.3 None

    AIX Version 6.11 None

    Sun Server Solaris 10 (SPARC)2 None

    Windows Server 2003 StandardEdition and Enterprise Edition


    Windows Server 2008 StandardEdition and Enterprise Edition


    Red Hat Linux Enterprise 4.0for Intel, System p and Systemz


    Red Hat Linux Enterprise 5.0 forIntel, System p and System z


    14 Product overview

  • Table 3. Operating system requirements for IBM Tivoli Identity Manager (continued)Operating system Patch or maintenance level requirements

    SUSE Linux Enterprise Server9.0 for Intel, System p andSystem z


    SUSE Linux Enterprise Server10.0 for Intel, System p andSystem z


    SUSE Linux Enterprise Server11.0 for Intel, System p andSystem z



    1. Support is also available for AIX 6.1 WPAR.2. Support is also available for Sun Server Solaris 10 64-bit LDOM.

    Hardware requirementsIBM Tivoli Identity Manager has these hardware requirements:

    Table 4. Hardware requirements for IBM Tivoli Identity ManagerSystem components Minimum values* Recommended values**

    System memory (RAM) 2 gigabytes 4 gigabytes

    Processor speed Single 2.0 gigahertz Intel orpSeries processor

    Dual 3.2 gigahertz Intel orpSeries processors

    Disk space for product andprerequisite products

    20 gigabytes 25 gigabytes

    * Minimum values: These values enable a basic use of IBM Tivoli Identity Manager.

    ** Recommended values: You might need to use larger values that are appropriate for yourproduction environment.

    Software prerequisitesIBM Tivoli Identity Manager has these software prerequisites:

    Java Runtime Environment (JRE) requirements:

    IBM Tivoli Identity Manager requires JRE version 1.5 SR9, which is installed in theWAS_HOME/java directory when WebSphere Application Server Fix pack 23 isinstalled.

    Use of an independently installed development kit for Java, from IBM or othervendors, is not supported. The JRE requirements for using a browser to create aclient connection to the IBM Tivoli Identity Manager server are different than theJRE requirements for running the WebSphere Application Server.

    WebSphere Application Server requirements:

    The following table lists the required version of WebSphere Application Server andany applicable fix pack or APAR requirements.

    Product overview 15

  • Table 5. Requirements for using WebSphere Application Server with IBM Tivoli IdentityManagerApplicationserver
















    None None


    Fixpack 5

    None None

    Database server requirements:

    IBM Tivoli Identity Manager has these database server requirements:

    Table 6. Database server requirementsDatabaseserver














    Fix pack4


    Fix pack3B



    16 Product overview

  • Table 6. Database server requirements (continued)Databaseserver
















    1. IBM DB2 Enterprise 9.5 is not supported on Linux 32 bit operating systems oron any Linux operating systems on pSeries hardware. IBM DB2 9.5 WorkGroupEdition is bundled for Linux 32 bit operating systems.

    2. IBM Tivoli Identity Manager must be running on a supported Windowsoperating system if Microsoft SQL Server is used for the IBM Tivoli IdentityManager database.

    3. The Oracle database driver is required for both Oracle 10gR2 andOracle 11g databases.

    4. Oracle 11g version supports Windows Server 2008 32 and 64 bitoperating systems.

    Directory server requirements:

    IBM Tivoli Identity Manager has these directory server requirements:

    Table 7. Directory server requirementsDirectoryserver
















    Product overview 17

  • Table 7. Directory server requirements (continued)Directoryserver














    1. Supported with Tivoli Directory Server 6.1 Fix pack 1.2. Supported with Tivoli Directory Server 6.1 Fix pack 4.

    Directory Integrator requirements:

    Tivoli Identity Manager has these optional directory integrator requirements:

    You can optionally install IBM Tivoli Directory Integrator Version 6.1.1, Version6.1.2, or Version 7.0 for use with IBM Tivoli Identity Manager.

    IBM Tivoli Directory Integrator is used to enable communication between theinstalled agentless adapters and IBM Tivoli Identity Manager. For moreinformation on agentless adapters, refer to the IBM Tivoli Identity ManagerInstallation and Configuration Guide.

    Table 8. Directory integrator requirementsDirectoryintegrator














    18 Product overview

  • Table 8. Directory integrator requirements (continued)Directoryintegrator














    For the UNIX and Linux adapter IBM Tivoli Identity Manager requires:Version 6.1.1, Fix Pack FP0003 or higherVersion 6.1.2, Fix Pack FP0001 or higherVersion 7.0, Fix Pack FP0001 or higher

    Report server requirements:

    The following table lists the required version of Tivoli Common Reporting Serverand any applicable fix pack or APAR requirements.

    Table 9. Requirements for using Tivoli Reporting Server with IBM Tivoli Identity ManagerReport server Fix pack, patch, and maintenance level

    requirementsCumulative fix Additional APARs

    Tivoli Common ReportingServer, Version

    Interim fix 02 of fix pack 2 None None

    You can download the latest fixes for Tivoli Common Reporting Server from theFix Central Web site at http://www.ibm.com/support/fixcentral/

    Browser requirements for client connections:

    IBM Tivoli Identity Manager has browser requirements for client connections.

    The IBM Tivoli Identity Manager administrative user interface uses applets thatrequire a Java plug-in provided by Sun Microsystems JRE Version 1.5 or higher.When the browser requests a page that contains an applet, it attempts to load theapplet using the Java plug-in. If the required JRE is not present on the system, thebrowser prompts the user for the correct Java plug-in, or fails to complete thepresentation of the items in the window. The Tivoli Identity Manager user interfaceis displayed correctly for all pages that do not contain a Java applet, regardless ofJRE installation.

    Cookies must be enabled in the browser to establish a session with IBM TivoliIdentity Manager.

    Product overview 19

  • Note: Do not start two or more separate browser sessions from the same clientcomputer. The two sessions are regarded as one session ID, which will causeproblems with the data.

    The following table lists the browser and browser versions that are supported byIBM Tivoli Identity Manager. Supported browsers are not included with theproduct installation.

    Table 10. Browser requirementsBrowserFix























    1. Supported with Windows Server 2003 Service Pack 1 (SP1).

    Supported adapter levelsIBM Tivoli Identity Manager supports the use of agentless and agent-basedadapters.

    The IBM Tivoli Identity Manager installation program will always install thefollowing adapter profiles:v AIX profile (UNIX and Linux adapter)v Solaris profile (UNIX and Linux adapter)v HP-UX profile (UNIX and Linux adapter)v Linux profile (UNIX and Linux adapter)v LDAP profiles (LDAP adapter)

    20 Product overview

  • The IBM Tivoli Identity Manager installation program will optionally install theagentless adapter profiles for the IBM Tivoli Identity Manager LDAP adapter andIBM Tivoli Identity Manager UNIX and Linux adapter. It is recommended that youinstall the latest adapter profile before you start using the adapter.

    You must take additional steps to install adapters if you choose not to install themduring the IBM Tivoli Identity Manager installation or if the adapter is notinstalled as a service profile with IBM Tivoli Identity Manager.

    The LDAP adapter supports an LDAP directory that uses the RFC 2798 schema,which enables communication between the IBM Tivoli Identity Manager andsystems running IBM IBM Tivoli Directory Server or Sun ONE directory server.The IBM Tivoli Identity Manager LDAP Adapter Installation Guide describes how toconfigure the LDAP adapter. The following table lists the UNIX and Linux systemsand versions that are supported by the UNIX and Linux adapter.

    Table 11. Prerequisites to run the UNIX and Linux adapterOperating system Version

    AIX AIX 5.1, AIX 5.2, AIX 5.3

    HP-UX HP-UX 11i Trusted, HP-UX 11i Non-Trusted

    Red Hat Linux Red Hat Enterprise Linux Advanced Server 3.0

    Red Hat Enterprise Linux Advanced Server 4.0

    Red Hat Enterprise Linux Enterprise Server 3.0

    Red Hat Enterprise Linux Enterprise Server 4.0

    Solaris Solaris 9, Solaris 10

    SUSE Linux SLES 8, SLES 9

    Adapters are available at the following IBM Passport Advantage Web site:


    Installation and configuration guides for adapters can be found at the followingTivoli Identity Manager information center Web site:


    Installation images and fix packsIBM Tivoli Identity Manager installation files and fix packs can be obtained usingthe IBM Passport Advantage Web site, or by another means, such as a CD or DVDas provided by your IBM sales representative.

    The Passport Advantage Web site provides packages, referred to as eAssemblies,for various IBM products. The IBM Tivoli Identity Manager Installation andConfiguration Guide provides full instructions for installing and configuring IBMTivoli Identity Manager and the prerequisite middleware products.

    The procedure that is appropriate for your organization depends on the followingconditions:v Operating system used by IBM Tivoli Identity Manager

    Product overview 21

  • v Language requirements for using the productv Type of installation you need to perform:eAssembly for the product and all prerequisites

    The IBM Tivoli Identity Manager installation program enables you toinstall IBM Tivoli Identity Manager, prerequisite products, and requiredfix packs as described in the IBM Tivoli Identity Manager Installation andConfiguration Guide. This type of installation is recommended if yourorganization does not currently use one or more of the productsrequired by IBM Tivoli Identity Manager.

    eAssembly for a manual installationYou can install IBM Tivoli Identity Manager separately from theprerequisites, and you can install separately any of the prerequisiteproducts that are not installed. In addition, you must verify that eachprerequisite product is operating at the required fix or patch level.

    Known limitations, problems, and workaroundsIBM Tivoli Identity Manager has these known software limitations, problems, andworkarounds.

    As limitations and problems are discovered and resolved, the IBM SoftwareSupport team updates the online knowledge base. By searching the knowledgebase, you can find workarounds or solutions to problems that you experience. Thefollowing link launches a customized query of the live Support knowledge base foritems specific to version 5.0:

    Tivoli Identity Manager Version 5.0 tech notes

    To create your own query, go to the Advanced search page on the IBM SoftwareSupport Web site.

    Product installation, upgrade, and removal limitations, problemsand workaroundsYou might encounter these IBM Tivoli Identity Manager Server installation,upgrade, or product removal problems, and use these workarounds:v Problem: The dollar sign ($) has special meaning in the installer frameworksused by IBM Tivoli Identity Manager Server and non-Windows operatingplatforms. The installer framework or operating system might do variablesubstitution for the value. For example, on UNIX-like platforms, $$ will bereplaced with the process ID. For installers based on ISMP (InstallShieldMultiplatform), $$ are replaced with a single $.Workaround: Avoid using $ as a value in any field in a IBM Tivoli IdentityManager Server installation or configuration page.

    v Problem: If you uninstall and then quickly reinstall IBM Tivoli Identity ManagerServer, the performance of the graphical user interface degrades significantlyand might become unusable. The performance of the WebSphere ApplicationServer might also degrade. Although no messaging engine problem is the cause,the symptom is a message such as:CWSIT0019E: No suitable messaging engine is available on bus itim_bus

    Workaround: Remove the WebSphere Application Server transaction log files. Inthe WAS_PROFILE_HOME/tranlog/cell_name/node_name/server_name/transaction/tranlog/ directory, the files are named log1 and log2.Additionally, in the WAS_PROFILE_HOME/tranlog/cell_name/node_name/server_name/transaction/partnerlog/ directory, the files are named log1 and log2.

    22 Product overview

  • The cause of the problem is that after reinstallation, transaction recovery maynot be able to complete properly. The cause is a problem in the transaction log.The messaging engine detects this condition as identifiers in the transaction logthat remain from the previous IBM Tivoli Identity Manager Server installation,and that differ from the current database.

    v Problem: When user groups are migrated from Version 4.6 of IBM Tivoli IdentityManager Express, a help desk assistant at IBM Tivoli Identity Manager Version 5is able to change the role of a group member, but not the IBM Tivoli IdentityManager account.Workaround: At IBM Tivoli Identity Manager Express Version 4.6, groups androles were not separated. A help desk user could assign any user to any groupby changing the users personal profile, because groups and roles were treatedas the same. At Version 4.6, however, a help desk user could not update orrequest a IBM Tivoli Identity Manager account. To provide change permission,create a new access control item that targets IBM Tivoli Identity Manageraccounts and grants that permission.

    v Problem: After an upgrade from IBM Tivoli Identity Manager Express Version4.6 to IBM Tivoli Identity Manager Version 5, a manager who clicks Manageusers to manage a specific subordinate will observe these results: All the users in IBM Tivoli Identity Manager are displayed. The details of the subordinates were read only.Workaround: Immediately after upgrading from Version 4.6 to Version 5, assystem administrator, adjust the views and access control items for managers, toproduce the correct results:

    views IBM Tivoli Identity Manager Express Version 4.6 provided independentview settings for manager tasks. These independent tasks no longer existin IBM Tivoli Identity Manager Version 5. Instead, managers use thesame tasks as help desk assistants. In this scenario, the ChangeSubordinates Profile task no longer exists. After the upgrade, you mustenable Change User in the manager view. This also applies to the othermanager-specific tasks from IBM Tivoli Identity Manager ExpressVersion 4.6 such as requesting, changing, or deleting an account.

    access control itemsThe *default* access control items in IBM Tivoli Identity ManagerExpress Version 4.6 allowed managers to search for all users, but thelogic in the manager-specific tasks, such as Change Subordinates Profile,displayed only the managers subordinates. Since those special tasks nolonger exist in IBM Tivoli Identity Manager Version 5, you must adjustthe access control items so that managers can search only for theirsubordinates.

    v Problem: After an upgrade from IBM Tivoli Identity Manager Express Version4.6 to IBM Tivoli Identity Manager Version 5, for the users created previously onVersion 4.6, the Identity Manager login ID field is also displayed in a usersprofile in the Personal Information page at Version 5. However, for the defaultSystem Administrator which is a system generated person, the attribute IdentityManager login ID is not displayed. Creating a new person on the upgradedVersion 5 does not display the Identity Manager login ID.Workaround: Upgrade disables the default identity policy for ITIM Service,which is responsible for populating the erpersonuid (Identity Manager Login ID)attribute when a user is created. To hide the field for the users createdpreviously on Version 4.6, use the Form Designer to hide the TIM Account

    Product overview 23

  • userID in the Person form. To enable all previous and new end-users to see thefield, enable the IBM Tivoli Identity Manager Express Version 4.6 identity policythat copies the userID to that attribute.The Identity Manager login ID field was used in IBM Tivoli Identity ManagerExpress Version 4.6 because the IBM Tivoli Identity Manager Express accountwas hidden, and users needed a field that displayed their user ID. Afterupgrading to Version 5, the IBM Tivoli Identity Manager accounts are no longerhidden and there is no need for the field. Users can find their user ID bylooking at the IBM Tivoli Identity Manager accounts.The identity policy might not function if you migrate a deployment fromsingle-server deployment of IBM Tivoli Identity Manager Express Version 4.6 toa cluster environment at Version 5, because a cluster environment uses anin-memory cache to avoid ID collisions that would be unique to each clustermember.

    v Problem: Middleware configuration errors occur if you use InstallShieldMultiPlatform to install IBM Tivoli Identity Manager on RedHat EnterpriseLinux Version 5.0, which provides 64-bit JVM. For example, an error messagemight be:The installer is unable to run in graphical mode.Try running the installer with the -console or -silent flag.

    Additionally, some X display programs might not work.Workaround: During installation on RedHat Enterprise Linux Version 5.0, theInstallShield MultiPlatform middleware configuration tool requires 32-bit JVM,including the 32-bit version of libXmu.so.6, which must reside in the /usr/libdirectory. These 32-bit libraries are not installed by default. Before installing IBMTivoli Identity Manager, obtain the following files and write them to the/usr/lib directory: 64-bit zLinux systems

    libXmu-1.0.2-5.s390.rpm 64-bit X86 systems

    libXmu-1.0.2-5.i386.rpmv Problem: When you upgrade IBM Tivoli Identity Manager Version 5.0, youmight perform tasks similar to this scenario:1. Create a new organization and create users in the new organization.2. Create a hosted ITIM service and provide at least one of the newly created

    users with an account on the service. For example, the newly created usersaccount might have the user ID of helpdeskuser.

    3. Add helpdeskuser to the Help Desk Assistant group.4. Log out and log in as helpdeskuser.5. Navigate to Manage users in the portfolio and search for users.

    Although users exist, the search by the Help Desk member displays no users.The default search page does not automatically search the logged in usersorganization.

    Workaround: Use the Advanced search feature to select to the new organizationand perform the search. The users are then found and listed.

    v Problem: After an upgrade from a previous version of Tivoli Identity Manager,errors can occur when you attempt to view requests made before the upgrade.Additionally, a similar error occurs in viewing requests if you create identicallynamed services and then delete them.

    24 Product overview

  • Workaround: Pending a fix, a method in the service search returns items fromthe recycle bin. To correct this, remove all service entries from the recycle bin.For example, to remove a service entry, complete these steps:1. Use the ldap browser to connect to the directory server.2. Expand the entries under ou=recycleBin, ou=itim, , where the

    value of is the actual DN.3. Delete the entry matching objectClass=erServiceItem attribute under

    ou=recycleBin, ou=itim, .v Problem: Problems might arise from an improper configuration of the JDBCdriver at upgrade time for IBM Tivoli Identity Manager. At upgrade time, theIBM Tivoli Identity Manager installation prompts for the location of the JDBCdriver for IBM Tivoli Identity Manager to use in connecting to the database. Ifthe administrator does not reference an Oracle 10.x JDBC driver (ojdbc14.jar),problems can occur when users attempt to reconcile services following an Oracleupgrade from Version 9.x to 10.x. The error produces a message similar to this:CTGIMU552E An error occurred while communicating with the server.

    Workaround: IBM Tivoli Identity Manager requires the JDBC driver to bematched with the database server level; therefore, the driver needs to beupdated with the Oracle 10.x driver. Replace the ojdbc14.jar file inITIM_HOME/lib with the JAR file provided by the Oracle Version 10.xinstallation, and then restart the WebSphere Application Server. The JDBC driverlevel used by the WebSphere Application Server is printed in the SystemOut.logat server startup.This is an example log record in SystemOut.log for the Oracle 9.x JDBC driver,which is the wrong driver:[12/6/07 10:32:02:369 EST] 00000156 DSConfigurati IDSRA8205I: JDBC driver name : Oracle JDBC driver[12/6/07 10:32:02:372 EST] 00000156 DSConfigurati IDSRA8206I: JDBC driver version :

    This is an example log record in SystemOut.log for the Oracle 10.x JDBC driver,which is the correct driver:[12/6/07 10:54:41:913 EST] 00000024 InternalOracl IDSRA8205I: JDBC driver name : Oracle JDBC driver[12/6/07 10:54:41:918 EST] 00000024 InternalOracl IDSRA8206I: JDBC driver version :

    v Problem: If there are two or more nodes that contain node.xml files on theWebSphere Application Server, errors can occur when the IBM Tivoli IdentityManager installation program checks in alphabetic order for the existence of theNODE_NAME directory as the node that the WebSphere Application Servershould use as the target server to deploy IBM Tivoli Identity Manager to.For example, you might see an error message similar to this one:Server name is not valid

    This is a critical failure. Although the installation process will continue, theinstallation will later fail.On the WebSphere Application Server, the node.xml file is in this directory:WAS_HOME/config/cells/CELL_NAME/nodes/NODE_NAME/servers/SERVER_NAME/


    WAS_HOMEThe installation directory, such as /opt/IBM/WebSphere/AppServer/profiles/AppSrv01.

    Product overview 25

  • CELL_NAMEThe cell name, such as tivmvs12Node01Cell.

    NODE_NAMEThe node name, such as tivmvs12Node01.

    SERVER_NAMEThe server name, such as server1.

    Workaround: To work around the error, complete these tasks:1. Back up in your sequence of completing the installation panels to the

    previous panel.2. Temporarily rename the node.xml files that exist in the wrong nodes, to

    allow the installation program to find the correct node.xml file.3. Continue forward in the installation panels, passing the Server Name is not

    valid error message to continue the installation.4. Rename the files back to their original names when installation is complete.

    To rename a node.xml file, for example, type: Windows systems:

    rename node.xml node.xml.original

    UNIX/Linux systems:mv node.xml node.xml.original

    v Problem: When running the manual uninstallation of IBM Tivoli IdentityManager Version 5.0 from the ITIM_HOME\itim\itimUninstallerData directory,the messages Preparing SILENT Mode Installation... and InstallationComplete appear. These messages are not indicative of the proper function of theuninstaller.Limitation: This is a known limitation of the InstallAnywhere platform that isused to customize the manual uninstallation of IBM Tivoli Identity Manager.

    v Problem: After upgrading from IBM Tivoli Identity Manager version 4.6 andviewing requests in the Identity Manager console, the following warning isissued in the trace log: Unable to parse erworkflow attribute value for viewrequests -- using default query.This message occurs because the formatting of the users view requestspreferences was changed between releases. This trace entry indicates that thepreferences cannot be parsed, and is replaced with the default query.Limitation: This is a onetime occurrence for each user as they use the viewrequests function after the upgrade. The message can safely be ignored. The userpreferences are updated, using the default query as a starting point.

    v Problem: Passwords might be displayed in the clear in the itim_install.stderrinstallation log file.Limitation: This is a onetime installation log file. After a successful installationthe log can be deleted.

    v Problem: The script files changeCipher andstartIncrementalSynchronizerCMD_WAS are not working correctly.Workaround: To use the scripts changeCipher.sh, changeCipher.bat,startIncrementalSynchronizerCMD_WAS.sh andstartIncrementalSynchronizerCMD_WAS.bat, you must first set the ITIM_HOMEand WAS_HOME variables in the scripts.

    26 Product overview

  • IBM Tivoli Identity Manager Server limitations, problems, andworkaroundsThese are IBM Tivoli Identity Manager Server problems, workarounds, andlimitations:v Problem: APARS that were fixed in IBM Tivoli Identity Manager Version 4.6 andin IBM Tivoli Identity Manager Express Version 4.6 are still pending resolutionfor IBM Tivoli Identity Manager Version 5.0.Limitation: APARS pending resolution at Version 5.0 include:IY86885, IY86991, IY88093, IY91022, IY91040, IY91106, IY91896, IY92097, IY92176,IY92227, IY92688, IY92841, IY92851, IY93514, IY94096, IY94415, IY94425, IY94471,IY94616, IY94708, IY94774, IY94978, IY94980, IY94986, IY95478, IY95684, IY95834,IY96118, IY96257, IY96616, IY96967, IY97292, IY97340, IY97662, IY97665, IY97769,IY98312, IY98464, IY98612, IY99084, IY99175, IY99208, IY99295, IY99300, IY99416,IY99624, IY99659, IY99660, IY99813, IY99826, IZ00148, IZ00153, IZ00195, IZ00197,IZ00311, IZ00318, IZ00812, IZ00815, IZ01021, IZ01059, IZ01074, IZ01107, IZ01112,IZ01125, IZ01187, IZ01588, IZ01602, IZ01654, IZ01763, IZ01768, IZ01799, IZ01890,IZ01953, IZ02057, IZ02355, IZ02621, IZ02744, IZ03822, IZ03983, IZ04263, IZ04631,IZ47646, IZ04801, IZ05063, IZ05103, IZ05313, IZ05732, IZ05951, IZ06712, IZ07364,IZ07571, IZ08011, IZ08157, IZ08190, IZ08287, IZ08459

    v Problem: When you apply the IBM Tivoli Identity Manager Server Fix Pack forLdapUpgrade, the Fix Pack application fails with error 80 if the TAM-ESSOTivoli Access Manager for Enterprise Single Sign-On Provisioning Adapter hasbeen integrated into IBM Tivoli Identity Manager Server. The process ofTAM-ESSO integration introduces new attributes into the IBM Tivoli IdentityManager Server system object classes erAccountItem and erServiceItem.LdapUpgrade will fail with the message Error in loading schema - LDAP:error code 80-Other. The NamingException should be logged inITIM_HOME/install_logs/ldapUpgrade.stdout file.Limitation: To resolve the error, complete these manual steps:1. Click OK when the Error in loading schema message occurs.2. After the Fix Pack application is done, update the ITIM_HOME/config/

    ldap/er-schema.dsml file by modifying IBM Tivoli Identity Manager Serverobject classes, erAccountItem and erServiceItem.a. After the object-identifier1. object-identifier of

    erAccountItem, add the entries below:

    b. After the object-identifier1. oferServiceItem, add the entries below:

    c. Run ITIM_HOME/bin/ldapUpgrade.v Problem: The forms designer provides the ability to edit the Person formtemplate. During an editing session, under the personal tab, you can replace the

    Product overview 27

  • initials text field with the password pop-up widget. The field will then containinitials of a person which are encrypted because of change in widget. However,a correct error message does not appear after you create the Person instance, andthen put incorrect initials in the text field.Limitation: To avoid issues with popup blocking software, the password pop-upwidget does not launch a new window.

    v Problem: During a change or modify operation, the password widget used incustom form pages can cause display of a blank password field, rather than asequence of asterisks (***).However, if the widget is part of the first tab in a notebook or first step in awizard, the field will be blank.Limitation: Use of a blank value prevents a user from discovering the value of apassword by viewing the page source file.

    v Problem: How to define default values for attributes not shown on an accountform using a form widget is not described.Workaround: To use a form widget to define an account default when theattribute is not on the form, complete the following steps:1. Select Configure System > Design Forms task to add the attribute to the

    account form.2. Select a widget for the attribute and save the form.3. Select Manage Services > Manage Default task to define the default value.

    You can use the widget configured for the attribute on the form to define thedefault value.

    4. Remove the attribute from the account form, using the Configure System >Design Forms task and save the form.

    v Problem: Errors occur if a semicolon is used within a password on the Windowsoperating system.Workaround: When you define a password, do not use a semicolon.

    v Problem: If you start an activity as a user, and while the activity is pending,delete the service to which the activity applies, the activity remains in theactivity list for the user, and an error message occurs if you attempt to view thetarget activity.Limitation: Cleanup of pending activities does not immediately occur forrunning workflows that reference a service, when the service is deleted. Theinformation is not easily available (if at all) to the running workflows. Theworkflow runs to completion, or until an error occurs.For example, if a workflow is assigned to account creation for a given serviceand an account on that service is requested, the workflow starts. If the service isdeleted during the run, the account request workflow continues to run,including any required approvals, and other operations. When the workflowattempts to create the account on the deleted service, the workflow fails becausethe service no longer exists.

    v Problem: In a key=value pair in a property file such as CustomLabels.propertiesfile, you must specify a key name that is entirely lowercase. Otherwise, an erroroccurs.Limitation: Because the method that fetches the schema class for an attributewill return only lowercase characters, you must specify in any properties file, akey name that is entirely lowercase.

    v Problem: If you suspend and then restore an account, the e-mail notification ofaccount restoration does not contain the account password. This occurs if the

    28 Product overview

  • person initiating the restore is the owner of the account, or if the password wasnot changed as part of the restore operation (the account is restored with thesame password as before).Limitation: This notification behavior is working as designed. The person whoowns the restored account, and did not change the password, still knows theexisting password.

    v Problem: Using LDAP Data Interchange Format (LDIF) files to importbacked-up directory information can cause problems if the system is notstopped, or workflows are incomplete.Workaround: When you use LDIF files to import backed-up directoryinformation, ensure that the application servers have been stopped. If the LDIFimport modifies workflows or operations, ensure that all workflows arecomplete before you perform the import operation. For more information aboutimporting LDIF files, refer to your directory server documentation.

    v Problem: When you create a service and add an attribute, there might beattribute with the same name that already exists, but does not yet have any userdata stored. If you add a duplicate attribute with same name in other servicetype, the change to attribute with the duplicate name will affect data in otherservice profiles.For example, adding a single-valued attribute in the case where a previouslyexisting attribute is multi-valued, will change the attribute type to single-valuedin all service profiles in which this attribute exists. If no data exists, there is nowarning message.Workaround: Before you create an attribute for a service, ensure that the newattribute does not already exist in other service profiles.

    v Problem: When configuring an entitlement parameter for a provisioning policy,if the attribute value is defined to be of type JavaScript, but only a single stringis entered, such as my password, the string is automatically converted to typeConstant.Limitation: A single string of type JavaScript is automatically converted to typeConstant, for an attribute of an entitlement parameter of a provisioning policy.

    v Problem: When selecting objects for a partial export, other objects that theselected objects depend on are automatically added to the export list by thesystem. If you then remove a selected object, the objects that the selected objectdepends on are not also automatically removed from the export list, nor canthey be removed manually.Workaround: Either continue to export the list and ignore the extraneous objects,or save the list, and then delete it and make a new partial export list without theobject that you wanted to remove. Then, perform the export.

    v Problem: If a user has a IBM Tivoli Identity Manager account in multiple IBMTivoli Identity Manager groups, an e-mail notification that the user receivesmight contain links to both the administrator and self-care user interfaces.Workaround: Use either link. This is working as designed. Two links aregenerated because of users membership in two different types of IBM TivoliIdentity Manager groups (end user and non-end user) through the users IBMTivoli Identity Manager accounts.

    v Problem: In some circumstances, when you click Test Connection for an ADOrganizationalPerson identity feed service, and you have provided incorrectinformation, an error message is displayed without the remaining content of thepage.Workaround: Refresh your browser page, or exit the task and perform it againusing correct information.

    Product overview 29

  • v Problem: To configure SSL connections between the IBM Tivoli Identity ManagerServer and adapters, the following two parameters are required to be defined inthe WebSphere Application Server as parameters to JVM. javax.net.ssl.trustStore javax.net.ssl.trustStorePasswordWhen you inquire for a process list by typing the ps -ef command, the passwordof the Java Key Store is listed in the result output.Workaround: Describe these parameters in a file, then specify the file with the-Xoptionsfile option. Complete these tasks:1. Create a file, then describe these parameters on the same line as follows:


    2. Specify the file name with the -Xoptionsfile option as a parameter to JVM.a. Open the WebSphere Application Server Administrative Console.b. Select Server Application Server servername Process Definition

    Java Virtual Machine.c. Add the-Xoptionsfile option as follows:


    d. Restart the WebSphere Application Server.v Problem: A filter change to a lifecycle rule does not take effect immediatelywhen running it manually. Lifecycle rule operations can take an extended periodof time to finish for the entire result set returned from the evaluation of thelifecycle rule filter, primarily due to the manual workflow activities associatedwith the operation.Additional information: For lifecycle rules that are associated with profiles orcategories, execution is dependent on the enrole.profile.timeout property, definedin minutes, in the enRole.properties file. Even if the filter that is present in thelifecycle rule is modified and run manually, it takes the previous filter themaximum time of the refresh interval to elapse, specified in minutes for theenrole.profile.timeout property. Once this period is over, the modified value forthe filter is then used during lifecycle execution.

    v Problem: Owners of disabled IBM Tivoli Identity Manager accounts still receivenotification e-mails targeted to them as the participant of a request forinformation or approval request.Limitation: This is a current limitation.

    v Problem: When you have access control items for default Person and customPerson (derived from inetOrgPerson) entities in IBM Tivoli Identity Manager, theaccess control item for the default Person entity also affects the custom Personentity. For example, a custom Person entity that is defined as customPersoninherits from inetOrgPerson. Any access control item that applies to theinetOrgPerson entity also applies to the customPerson entity, in addition toaccess control items defined for the customPerson entity.

    Note: The behavior of the access control items was changed in IBM TivoliIdentity Manager at Version 4.6 to enforce the inheritance. An access control itemdefined for an objectclass not only applies to entities of the objectclass, but alsoto entities belonging to objectclasses that inherit this objectclass directly orindirectly.Workaround: Define an access control item exclusively for inetOrgPerson toallow for the access control item to apply only to the default person entity. Setthe following access control item target filter:(!(objectclass=customPerson))

    30 Product overview

  • v Problem: To allow some users to change a users role, you might configureaccess control items for both Person and custom Person objects with Read andWrite access on erRoles (as well as Search/Modify operations). An additionalaccess control item would allow users to search for organizational roles.However, when a user then attempts to modify the erRole attribute, you mightfind that IBM Tivoli Identity Manager does not allow the modification.Workaround: For an organizational role, create an additional access control itemthat grants Modify rights to users.To assign an organizational role to a person or remove the person from anorganizational role, define appropriate access control items that give a user all ofthe following permissions and operations: Write attribute permission for the erRoles attribute of the Person to be

    modified. Modify operation on the Person to be modified. Modify operation for the organizational role that is to be removed from or

    added to the Person.v Problem: To provide a role for a service owner, you must change the Categoryowner field on the service form to Static Organizational Role. However, it is notrecommended to change the owner type (from Person to Static OrganizationalRole and vice versa) for a service profile when one or more service instanceshave been defined for that profile.Workaround: If you want to specify Static Organizational Role on the serviceform for a profile that already has existing services, remove the service owner ofall services of the profile. For example, if you want to specify StaticOrganizational Role for a WinLocal service, you must remove all service ownersof all Winlocal services.

    v Problem: If you use the Form Designer to configure a date on a form, you canconfigure the attribute and see the value correctly displayed, as long as it is notset to null in LDAP.Workaround: The DateInput Type allows users to select a default or analternative date. The Default date input type allows the user to specify that theattribute value never expires, by selecting Never in the administrative console,or No date selected in the self-service console. The Alternative Date date inputtype does not allow the user to specify that the attribute value never expires,and should be used if the attribute value must expire at some point in time.For a default date, a null or empty value for the attribute is interpreted as theattribute never expires, and is displayed on the administrative console withNever selected, and on the self-service console with No date selectedselected.

    v Problem: When you preview a change to a provisioning policy, the list size ofthe display of the affected accounts is limited by the combination of twoproperties in ui.properties file: enrole.ui.pageSize and enrole.ui.pageLinkMax.The account list size limit is determined by the value of enrole.ui.pageSizeproperty multiplied by the value of enrole.ui.pageLinkMax property plus 1(one).For example, by default, if enrole.ui.pageSize=50 and enrole.ui.pageLinkMax=10,the maximum affected account list size would be calculated as:50 x 10 + 1 = 501

    Workaround: If you have a large number of affected accounts to preview for achange in a provisioning policy, increase these two properties appropriately.

    Product overview 31

  • Start by increasing only the enrole.ui.pageLinkMax value, because increasing thevalue of enrole.ui.pageSize will affect other parts of the IBM Tivoli IdentityManager user interface.

    v Problem: A provisioning policy preview will time out if the preview summarypage is idled for more than 10 minutes after evaluation completion, or if younavigate away from the preview summary page for more than 10 minutes.When the preview times out, navigating to obtain detail from the summary pageis not possible. If timeout occurs, you can only click Close on the summarypage.Workaround: To prevent timeout, avoid idling or navigating away from thepreview summary page for more than 10 minutes. To correct the problem after itoccurs, resubmit the preview request.

    v Problem: If an access definition for a group on a service is referenced by arecertification policy and the access definition is undefined for the group, therecertification policy is not fully updated with the removal of the accessdefinition. The target of the recertification policy will be listed in the userinterface as null or None, due to an improper update of the recertification policyfor the access removal. Although the recertification policy user interface willshow the target as None, running the recertification policy will continue torecertify accounts which make use of the group for which the access wasdefined.Workaround: Edit the recertification policy by using the user interface for thepolicy which referenced the access definition to be deleted:1. First, remove the access to be deleted from the recertification policy with

    which it is associated. If the access definition is removed before removing thetarget from the recertification policy, the recertification policy pages can beused to work around the issue.

    2. Once the recertification policy is opened in edit mode, navigate to the AccessTarget tab and remove the target listed as None.

    3. Save the recertification policy to properly update the policy.If None is the only target for the recertification policy, you might want to deletethe recertification policy entirely, because it is not used for other accessdefinitions.A similar issue can occur when you modify an access definition to deselectDisplay in an Access list. If this option is not selected in the access definition,the recertification policy that references that access definition will not besearchable by access name.

    v Problem: When you manage identities, no default operations appear for aPerson object at the Entity Level. Operations do appear at the Entity Type level.However, when they are changed, the operations still indicate they aresystem-defined operations.Limitation: This is an existing limitation. By design, operations that are definedat the Entity Type Level are not shown, when the Entity Level is selected. Asystem-defined entity operation indicates it is system-defined, even after a userhas modified the operation.

    v Problem: When you configure IBM Tivoli Identity Manager Integration forMaximo Service Request Manager Version 7.1, the Maximo Web service issuescall failures when IBM Tivoli Identity Manager attempts to provision more than10,000 users. One to two dozen Maximo users do not get created due to the callfailures. However, the users are created when the requests for them areresubmitted.Limitation: This is an existing limitation. For more information, refer to APARIZ23893.

    32 Product overview

  • v Problem: If you remove a cluster node from a cluster and then add the clusternode back to the cluster, the Tivoli Identity Manager administrative console doesnot start.Workaround: Add the ITIM_Home/data directory again to the classpath on theserver associated with the node.

    v Problem: When using the GUI to submit an attribute with leading or trailingspaces, the IBM Tivoli Identity Manager server deletes the leading or trailingspaces for that attribute value. This occurs for all attributes except for thepassword attribute.Limitation: This is an existing limitation.

    WebSphere Application Server limitations, problems, andworkaroundsYou might encounter these WebSphere Application Server problems, and use theseworkarounds:v Problem: The WebSphere Application Server and the DB2 Universal Databaseare installed on the same Windows machine. The WebSphere Application Serverand the DB2 Universal Database services are set up to start automatically. Afterrebooting the machine, the WebSphere Application Server and DB2 UniversalDatabase are successfully started, but a user or account cannot be created ormodified.Workaround: The messaging engine did not start because the WebSphereApplication Server started before the DB2 Universal Database started. When theWebSphere Application Server starts, the messaging engine for IBM TivoliIdentity Manager is started, if the DB2 Universal Database is available at thattime.After rebooting the machine, manually ensure that the messaging engine forIBM Tivoli Identity Manager started successfully. On the WebSphere ApplicationServer Administrative Console, select Service Integration > Buses > itim_bus >Messaging engines from the Topology section. If the messaging engine is notstarted, start it from this page.

    v Problem: On the Sun Solaris 10 operating system, the WebSphere ApplicationServer JVM produces a core error while attempting to resize the JVM heapduring a garbage collection.Workaround: Set both the minimum and maximum JVM heap sizes (Xms andXmx) to the same value.

    Database server limitations, problems, and workaroundsYou might encounter these IBM Tivoli Identity Manager database server problems,and use these workarounds:v Problem: IBM Tivoli Identity Manager does not install on a Windows systemconfigured in the Russian language. Specifically, DB2 Universal Database cannotdetermine the Windows Administrator user if the user ID is spelled in Russian.Workaround: Before you attempt to start the IBM Tivoli Identity Managerinstallation program or the middleware configuration utility, open the operatingsystem user management utility and change the Russian spelling of the userAdministrator and the group Administrators to the English spelling. Try theinstallation again.

    v Problem: IBM Tivoli Identity Manager does not work with SQL Server JDBCDriver 1.2 when FIPS is enabled.Workaround: disable FIPS. IBM Tivoli Identity Manager works with SQL ServerJDBC Driver 1.2 when FIPS is disabled. Microsoft has accepted this problem as adefect in the SQL Server 2005 JDBC driver 1.2.

    Product overview 33

  • v Problem: IBM Tivoli Identity Manager does not work with SQL Server if thedatabase is case sensitive (CS).Workaround: Ensure that Microsoft SQL Server 2005 or at least the database isinstalled with the codepage set to case insensitive (CI).

    Directory server limitations, problems, and workaroundsYou might encounter these IBM Tivoli Identity Manager directory server problems,and use these workarounds:v Problem: In some Linux environments, a potentially ignorable error messagemight occur during a service profile import operation. You might observe thefollowing socket failure error message in the ibmslapd.log file on the IBM TivoliDirectory Server:07/22/07 16:06:11 GLPCOM001E Creation of socket failed; errno 4 (Interrupted system call).07/22/07 16:06:11 GLPCOM001E Creation of socket failed; errno 4 (Interrupted system call).07/22/07 16:06:11 GLPCOM001E Creation of socket failed; errno 4 (Interrupted system call).

    Workaround: If either the Tivoli Identity Manager or the LDAP operationsucceeded, ignore these messages, which are written to the ibmslapd.log file, butdo not affect the requested operation. If the operation failed, contact TivoliIdentity Manager level 2 support for assistance.

    v Problem: The LDAP server can hang after several days of continuous activity, orduring intervals with large numbers of concurrent users.Workaround: On the directory server, set the environment variableLDAP_WAITQ=NO before you start the LDAP server. Setting the value of LDAP_WAITQto NO changes the behavior of the LDAP server to use the version 6.0 method ofhandling requests. For more information, refer to APAR IO07991.

    Directory Integrator limitations, problems, and workaroundsYou might encounter these IBM Tivoli Directory Integrator problems, and use theseworkarounds:v Problem: IBM Tivoli Directory Integrator Version 6.1 is known to stop underheavy load from a high number of user deletion requests. For example,attempting to delete 1,000 or more users at a time can cause IBM TivoliDirectory Integrator to stop.Workaround: Try deleting fewer users at a time to avoid the problem. For moreinformation, refer to APAR IO09039.

    Browser limitations, problems, and workaroundsYou might encounter these browser limitation, or browser problems, and use theseworkarounds:v Problem: When you click Manage Services > Select a Service, and then searchfor a service, the Services table returns a list of services. If the hyperlinked nameof a service in the table is very long, the rightmost characters in the name mightoverrun the right column boundary in the table.Limitation: This is a browser limitation, in which a long service name will fail towrap within the column boundary.

    v Problem: If you are using the Mozilla Version 1.7 browser, you can create asubordinate node, such as a Location, from the menu on the main Organizationnode. The new node appears under the main Organizat