
Integrating Tivoli Identity Manager

From the document Tivoli IBM Tivoli Service Request Manager (pages 67-73)

This section describes how to integrate IBM Tivoli Identity Manager with Service Catalog.

Prerequisite software

This section describes the prerequisite software required to integrate IBM Tivoli Identity Manager with Service Catalog.

Before you configure Tivoli Identity Manager to integrate with Service Catalog, the products listed in the following table must be installed and running. It is suggested that each product, or set of products, be installed on a separate computer, as indicated below.

Computer 1: Service Catalog component of IBM Tivoli Service Request Manager Version 7.1
  Operating system: Windows, Linux
  Reference: Follow the instructions in the Installing section of this information center to install the Service Catalog component of Tivoli Service Request Manager.

Computer 2: IBM Tivoli Identity Manager Version 4.6
  Operating system: AIX, Solaris, Windows, Linux
  Reference: Check the Tivoli Identity Manager Release Notes for a list of prerequisite software. Use the Tivoli Identity Manager installation media to install the product.

Computer 3: Lotus Notes® Client Release 7.0, IBM Tivoli Identity Manager Lotus Notes Adapter Version 4.6.1011, and a network file server
  Operating system: Windows
  Reference: Use the appropriate installation media to install the Lotus Notes Client and the Tivoli Identity Manager Lotus Notes Adapter. Refer to the Tivoli Identity Manager Lotus Notes Adapter Installation and Configuration Guide for adapter-related information.

Computer 4: Lotus Domino® Server Release 7.0
  Operating system: Windows, AIX
  Reference: Use the appropriate installation media to install Lotus Domino Server. Check the Lotus Domino Administrator Help for installation and configuration information.

The Tivoli Service Request Manager product must be supported by WebSphere Application Server and a database server. The supported database servers vary according to the operating system that WebSphere Application Server is installed on, as summarized in the following table:

Application server: IBM WebSphere Application Server, version 6.1.0.13
  Windows: IBM DB2, Oracle, Microsoft SQL Server
  Linux, UNIX: IBM DB2, Oracle

You can use the Tivoli Service Request Manager installation launchpad to install WebSphere Application Server, DB2, and the other additional middleware components on a Windows or Linux system. See the Installing section of this information center for details.

Integration road map

This section provides an overview of the tasks required to set up bidirectional communication between Service Catalog and the Tivoli Identity Manager Server.

Perform the tasks listed in the following table to set up IBM Tivoli Identity Manager integration with Service Catalog. Table 6 describes the role of each component in the installation.

Table 6. Integration steps

Step Task Description

Step 1 Install or upgrade to the required versions of IBM Tivoli Service Request Manager with the Service Catalog component, and Tivoli Identity Manager.

Refer to the Installing section of this information center for instructions on how to install Tivoli Service Request Manager.

You can use the Tivoli Service Request Manager installation launchpad to sequentially install the following:

v Both required and additional middleware

v Base services

v Service Catalog component of Tivoli Service Request Manager

When you install the Service Catalog component, an integration module is automatically installed and activated on Tivoli Service Request Manager. The integration module provides an interface between Tivoli Service Request Manager and Tivoli Identity Manager.

The installation process also deploys a new maximo.ear file on WebSphere Application Server to support the integration between Tivoli Identity Manager and Service Catalog.

Step 2 Configure a Tivoli Identity Manager shared library for Service Catalog.

If the WebSphere Application Server runtime environment does not recognize the Tivoli Identity Manager Java archive (JAR) files that are defined in the Tivoli Service Request Manager common library directory, a shared library must be configured.

Step 3 Create a Tivoli Identity Manager login proxy on the Tivoli Service Request Manager computer.

Use the WebSphere Application Server administrative console to create a Java Authentication and Authorization Service login module for Tivoli Identity Manager.

Step 4 Install and configure the mail server on the Tivoli Service Request Manager computer.

The mail server is used to send an e-mail message with the Lotus Notes ID file and new password to the user or the manager of the user.

You can use an existing mail server for Tivoli Service Request Manager. For example, if you configured a Simple Mail Transfer Protocol (SMTP) server to work with the IBM Tivoli Change and Configuration Management Database, that same SMTP server can be configured for use by Service Catalog.

Step 5 Perform additional configuration on the Tivoli Identity Manager Server.

If the Tivoli Identity Manager Server supports a WebSphere Application Server cluster, make sure the weight value for each cluster member is set properly. If there is only one cluster member, for example server1, make sure the weight value for this member is greater than zero. For example, set the weight value to 15.

Note: If the weight value is zero and there is only one cluster member, this member will not receive any workload.

Step 6 Configure Service Catalog for integration with Tivoli Identity Manager.

On the Tivoli Service Request Manager server, update the system hosts file with the information for the Tivoli Identity Manager Server. Also, verify that the Tivoli Identity Manager Server configuration parameters are defined.


Step 7 Configure authentication between Service Catalog and Tivoli Identity Manager.

Ensure the following conditions are met for WebSphere Application Server:

v The Lightweight Third Party Authentication (LTPA) authentication method for WebSphere Application Server Network Deployment (ND) is turned on, so that a valid user ID and password are prompted for when logging in.

v The federated repository is configured as the user registry.

v The owner of the WebSphere Application Server ND service has at least read access to the shared directory where the Lotus Notes ID files are stored.

The WebSphere Application Server ND service will access a shared directory containing the Notes ID files on an NFS server or on a Notes Adapter server, if the Notes Adapter server and NFS server are installed on the same computer.

Configuring a Tivoli Identity Manager shared library for Service Catalog

This section describes how to configure a Tivoli Identity Manager common library directory. Complete this task if the WebSphere Application Server runtime environment does not recognize the Tivoli Identity Manager Java archive (JAR) files that are defined in the Tivoli Service Request Manager common library directory.

To configure the shared library, complete the following steps:

1. Verify that the following files are in the SRM_HOME\applications\maximo\lib directory:

v api_ejb.jar

v itim_api.jar

v itim_server.jar

2. From the WebSphere Application Server administrative console, click Environment → Shared Libraries → New.

3. In the Configuration window, type ITIMLib in the Name field and then type the fully qualified path for each of the JAR files from Step 1 in the Classpath field.

For example, SRM_HOME\applications\maximo\lib\api_ejb.jar. Click Apply → Save after specifying the information for each JAR file.

4. In the Login Welcome window, click Applications → Enterprise Applications → MAXIMO → Shared library references → MAXIMO → References shared Libraries. Select ITIMLib from the Available column and move it to the Selected column. Click OK → OK → Save.

Creating a Tivoli Identity Manager login proxy

This section describes how to create a Tivoli Identity Manager login proxy on the IBM Tivoli Service Request Manager computer.

On the WebSphere Application Server administrative console, complete the following steps:

1. Click Security → Secure administration, applications, and infrastructure → Java Authentication and Authorization Service.

2. In the JAAS - Application logins window, click New.

3. In the Configuration window, type ITIM in the Alias field.

4. Click Apply, and then click Save.

5. In the Application logins window, click ITIM → Additional Properties → JAAS login modules → New.

6. In the New window, type com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy in the Module class name field.

7. In the Authentication strategy window, select REQUIRED, and then click Apply.

8. In the JAAS login modules window, click com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy → Custom Properties → New to select the module name you created.

9. In the New window, complete the following steps:

a. Type delegate in the Name field.

b. Type com.ibm.itim.apps.jaas.spi.PlatformLoginModule, the ITIM API Login module, in the Value field.

c. Click Apply, and then click Save.

Configuring Service Catalog for integration with Tivoli Identity Manager

This section describes how to configure Service Catalog to communicate with the IBM Tivoli Identity Manager Server.

Complete the following steps to configure the environment for integration:

1. On the IBM Tivoli Service Request Manager server, update the system hosts file with the IP address, alias, and host name of the server where Tivoli Identity Manager is installed. This will enable communication between Tivoli Service Request Manager and the Tivoli Identity Manager Server.

2. Ensure that the configuration parameters for your Tivoli Identity Manager Server are defined in an endpoint named ITIM ENDPOINT in Tivoli Service Request Manager. Table 7 lists the configuration parameters and their default values, which you should verify and update if necessary.

Table 7. Tivoli Identity Manager system properties to verify

USERID=<ITIM MANAGER>
  Default value: itim manager
  Location: Check the enRole.properties file and the LDAP structure on the Tivoli Identity Manager Server.

PASSWD=<ITIM MANAGER PSSWD>
  Default value: secret
  Location: Check the enRole.properties file and the LDAP structure on the Tivoli Identity Manager Server.

ENDPOINTURL=<IIOP ITIM URL>
  Default value: iiop://ip_address:port_number/cell/clusters/itim_cluster
  Location: Check the enRole.properties file.

TENANTDN=<ROOT DN>
  Default value: ou=acme fern,dc=itim
  Location: Check the enRole.properties file and the LDAP structure on the Tivoli Identity Manager Server.

EJBUSER=<EJB USER ID>
  Default value: wasadmin
  Location: Check the enRole.properties file on the Tivoli Identity Manager Server.

EJBPWD=<EJB USER PASSWD>
  Default value: wasadmin
  Location: Check the enRole.properties file on the Tivoli Identity Manager Server.

ITIMPROFILE=<ITIM PROFILE>
  Default value: ITIMProfileAccount
  Location: Go to the Tivoli Identity Manager console and click Configuration → Entities.

NOTESPROFILE=<NOTE PROFILE>
  Default value: NotesAccount
  Location: Go to the Tivoli Identity Manager console and click Configuration → Entities.

IDFILELOCATION=<NETWORK SHARED DIRECTORY CONTAINING NOTES ID FILE>
  Default value: \\\\ip_address\\shared_directory\\ (for Windows)
  Location: Ask the Tivoli Identity Manager Administrator.

3. To change any of the configured values, from the Maximo Console click Integration → End Points → ITIM ENDPOINT. Change any configured values on the End Point tab.

Configuring authentication between Service Catalog and Tivoli Identity Manager

This section describes the two supported scenarios for IBM WebSphere Application Server Network Deployment (ND) security.

Scenario 1

In the first scenario, the following conditions must exist:

v WebSphere Application Server ND security on the IBM Tivoli Service Request Manager server is not configured to use keys for encryption and decryption of data and WebSphere Application Server ND security is turned on.

v WebSphere Application Server ND security on the Tivoli Identity Manager Server is turned off.

v A Lightweight Directory Access Protocol (LDAP) repository must be added to your WebSphere Application Server configuration. The WebSphere Application Server ND uses Federated Repositories or the LDAP repository as a user registry.

v WebSphere Application Server ND on the Tivoli Service Request Manager server requires LTPA authentication to the Tivoli Identity Manager Server.

v The EJB user account must exist on both the Tivoli Service Request Manager server and the Tivoli Identity Manager Server.

To verify that the EJB user account exists on both computers:

– On the Tivoli Service Request Manager server, use the LDAP browser. If the EJB user ID does not exist, use the WebSphere Application Server ND console to create it, by clicking Users and Groups → Manage Users → Create.

– On the Tivoli Identity Manager Server, verify the following values exist in the enrole.properties file:

- enrole.appServer.ejbuser.principal=

- enrole.appServer.ejbuser.credentials=

Scenario 2

In the second scenario, the following conditions must exist:

v WebSphere Application Server Network Deployment (ND) security on both the Tivoli Service Request Manager server and the Tivoli Identity Manager Server is configured to use keys for encryption and decryption of data.

v WebSphere Application Server ND security on both the Tivoli Service Request Manager server and the Tivoli Identity Manager Server is turned on.

v WebSphere Application Server ND on both the Tivoli Service Request Manager server and the Tivoli Identity Manager Server use a single LDAP user registry repository, or each has its own LDAP user registry repository.

A single LDAP user registry repository is preferred because all user accounts and information for both servers are centralized. Export the keys from the Tivoli Identity Manager Server WebSphere Application Server ND and import them into Tivoli Service Request Manager server WebSphere Application Server ND, using the same password to import and export the keys.

If the Tivoli Identity Manager Server WebSphere Application Server ND and the Tivoli Service Request Manager WebSphere Application Server ND each use a separate LDAP user registry repository, make sure to configure the same EJB user ID with the same password. If the EJB user account does not exist on either system, use the WebSphere Application Server ND console to create it, by clicking Users and Groups → Manage Users → Create.
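The Table 7 property review and the Scenario 1 requirement that the same EJB user exist on both servers are easy to get wrong by hand, and two of the Table 7 defaults (PASSWD=secret, EJBPWD=wasadmin) are credentials that should never reach a deployed endpoint. The following Python script is an added example, not IBM's code and not part of this manual: it reads a constructed enRole.properties excerpt and a constructed ITIM ENDPOINT definition and reports leftover default passwords, a malformed or placeholder ENDPOINTURL, an EJB user or password that differs from the enrole.appServer.ejbuser.* values, and an IDFILELOCATION that is not a UNC share. The property names and defaults are the ones in Table 7 and Scenario 1; the 192.0.2.x addresses, the share name and the "hardened" values are constructed placeholders.

```python
"""Cross-check an ITIM ENDPOINT definition against enRole.properties.

Added example (not IBM code). Endpoint property names and documented
defaults come from Table 7; the enrole.appServer.ejbuser.* keys from the
Scenario 1 description. Every sample value is constructed; 192.0.2.x are
documentation addresses, not real hosts.
"""
import re

# Constructed: the ITIM ENDPOINT as read from the End Point tab, still
# carrying every Table 7 default value.
ENDPOINT_SAMPLE = {
    "USERID": "itim manager",
    "PASSWD": "secret",
    "ENDPOINTURL": "iiop://192.0.2.10:2809/cell/clusters/itim_cluster",
    "TENANTDN": "ou=acme fern,dc=itim",
    "EJBUSER": "wasadmin",
    "EJBPWD": "wasadmin",
    "ITIMPROFILE": "ITIMProfileAccount",
    "NOTESPROFILE": "NotesAccount",
    # Doubled backslashes, as in the documented Windows default value
    "IDFILELOCATION": r"\\\\192.0.2.20\\notes_ids\\",
}

# Constructed excerpt of enRole.properties from the Tivoli Identity Manager Server
ENROLE_SAMPLE = """\
# enRole.properties (constructed excerpt)
enrole.appServer.ejbuser.principal=wasadmin
enrole.appServer.ejbuser.credentials=wasadmin
"""

# Credential defaults from Table 7 that must not remain in a deployed endpoint
DOCUMENTED_DEFAULT_SECRETS = {"PASSWD": "secret", "EJBPWD": "wasadmin"}

# iiop://host:port/cell/clusters/cluster_name, the shape shown in Table 7
ENDPOINT_URL_RE = re.compile(r"^iiop://[^/:\s]+:\d+/cell/clusters/[^/\s]+$")


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_endpoint(endpoint, enrole):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # 1. Documented default passwords left in place
    for key, default in DOCUMENTED_DEFAULT_SECRETS.items():
        if endpoint.get(key) == default:
            findings.append(f"{key} still holds the documented default value")

    # 2. ENDPOINTURL shape, then leftover placeholders from the default
    url = endpoint.get("ENDPOINTURL", "")
    if not ENDPOINT_URL_RE.match(url):
        findings.append("ENDPOINTURL is not of the form iiop://host:port/cell/clusters/cluster")
    elif "ip_address" in url or "port_number" in url:
        findings.append("ENDPOINTURL still contains the ip_address/port_number placeholders")

    # 3. The EJB user must be the same principal on both servers (Scenario 1)
    if endpoint.get("EJBUSER") != enrole.get("enrole.appServer.ejbuser.principal"):
        findings.append("EJBUSER does not match enrole.appServer.ejbuser.principal")
    if endpoint.get("EJBPWD") != enrole.get("enrole.appServer.ejbuser.credentials"):
        findings.append("EJBPWD does not match enrole.appServer.ejbuser.credentials")

    # 4. IDFILELOCATION must be a UNC share (\\server\share\) once the doubled
    #    backslashes of the documented value are collapsed to single ones
    unc = endpoint.get("IDFILELOCATION", "").replace("\\\\", "\\")
    if not (unc.startswith("\\\\") and unc.endswith("\\")):
        findings.append("IDFILELOCATION is not a UNC share path ending in a backslash")

    return findings


if __name__ == "__main__":
    for finding in check_endpoint(ENDPOINT_SAMPLE, parse_properties(ENROLE_SAMPLE)):
        print("FINDING:", finding)
```

Run against the constructed sample, the script reports exactly the two default passwords; once PASSWD and EJBPWD are changed and the EJB credential in enRole.properties is changed to the same value, it reports nothing. The EJB user check is the one that matters most for Scenario 2 with separate LDAP registries, where the same EJB user ID and password must be configured on both sides.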
