IBM Tivoli Identity Manager: Oracle Agent for Windows...

IBM Tivoli Identity Manager Oracle Agent for Windows Installation Guide Version 4.5.0 SC32-1155-03


Page 1: IBM Tivoli Identity Manager: Oracle Agent for Windows ...publib.boulder.ibm.com/tividd/td/ITIM/SC32-1155-03/en_US/PDF/ont45.pdf · The Tivoli Identity Manager Oracle Agent (Oracle

IBM Tivoli Identity Manager

Oracle Agent for Windows Installation Guide Version 4.5.0

SC32-1155-03

Note: Before using this information and the product it supports, read the information in Appendix C, “Notices”, on page 51.

First Edition (August 2003)

This edition applies to version 4.5.0 of this agent and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2003. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Preface
    Who should read this book
    Publications
        Tivoli Identity Manager Agent library
        Related publications
        Accessing publications online
    Accessibility
    Contacting software support
    Conventions used in this book

Chapter 1. Overview
    Basic Installation
    Chapter Descriptions

Chapter 2. Agent Installation
    Requirements
    Information Worksheet
        Step 1: Installing the Agent
        Step 2: Activating the Agent as a Service
        Step 3: Configuring the Agent
        Step 4: Installing the Agent’s Certificate
        Step 5: Installing the Agent’s Profile
        Step 6: Configuring the Agent for Event Notification
        Step 7: Configuring the Agent’s Forms
    Step 1: Installing the Agent
    Step 2: Activating the Agent as a Service
    Step 3: Configuring the Agent
        Configuring a Single Instance of the Agent
        Configuring Multiple Instances of the Agent
    Step 4: Installing the Agent’s Certificate
    Step 5: Installing the Agent’s Profile
    Step 6: Configuring the Agent for Event Notification
    Step 7: Configuring the Agent’s Forms

Chapter 3. Agent Profile Installation
    Requirements
    Installing the Agent Profile
    Verifying the Agent Profile is Installed

Chapter 4. Agent Parameters Modification
    Accessing the Agent Configuration Tool Main Menu
    Viewing Configuration Settings
    Changing Protocol Configuration Settings
        Adding a Protocol
        Removing a Protocol
        Configuring a Protocol
        Setting Event Notification
        Setting Attributes to be Reconciled
        Modifying an Event Notification Context
    Changing the Configuration Key
    Changing Activity Logging Settings
    Changing Registry Settings
        Modifying Non-encrypted Registry Settings
        Modifying Encrypted Registry Settings
        Multi-instance Settings
    Changing Advanced Settings
    Viewing Statistics
    Accessing Help and Additional Options

Chapter 5. Oracle Services Modifications
    Accessing the Service Configuration Tool Main Menu
    Viewing Current Oracle Services
    Adding a New Oracle Service
        Example of Adding an Oracle Service
    Modifying an Oracle Service
        Example of Modifying an Oracle Service
    Removing an Oracle Service
        Example of Removing an Oracle Service
    Testing an Oracle Connection
        Example of Testing an Oracle Connection

Chapter 6. Certificate Installation
    Overview of SSL and Digital Certificates
        Basic Configuration for Server-to-Agent SSL
        Clustered Tivoli Identity Manager Configuration
    Accessing the Certificate Configuration Tool Main Menu
    Generating a Private Key and Certificate Request
        Example of Certificate Request Script
        Example of request.pem File
    Installing the Certificate from a File
    Installing the Certificate and Key from a PKCS12 File
    Viewing Installed Certificates
    Viewing CA Certificates
    Installing a CA Certificate
    Deleting a CA Certificate
    Viewing Registered Certificates
    Registering a Certificate
    Unregistering a Certificate

Appendix A. Agent Variables
    Variable Descriptions
    Variables by Oracle Agent Actions
        Database Login Add
        Database Login Change
        Database Login Delete
        Database Login Suspend
        Database Login Restore
        Reconciliation

Appendix B. Additional Installation Options
    Installation Options
        Batch File Option
        Console Option
        Setup Arguments
    Agent Removal

Appendix C. Notices
    Trademarks

Index

Preface

The Tivoli Identity Manager Oracle Agent (Oracle Agent) enables connectivity between the IBM Tivoli Identity Manager Server and a network of systems running the Oracle database. After the agent is installed and prepared, Tivoli Identity Manager manages access to Oracle database resources with your site’s security system. This manual describes how to install and prepare the Oracle Agent.

Who should read this book

This manual is intended for security administrators responsible for installing software on their site’s computer systems. Readers are expected to understand Windows® and Oracle database concepts. Also, the person completing the Oracle Agent installation should be familiar with security administration concepts and with their site’s system standards.

Publications

Read the descriptions of the Tivoli Identity Manager library and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.

Tivoli Identity Manager Agent library

The publications in the Tivoli Identity Manager Agent library are:

- Online user assistance for Tivoli Identity Manager
  Provides integrated online help topics for all Tivoli Identity Manager administrative tasks.
- Tivoli Identity Manager Policy and Organization Administration Guide
  Provides topics for Tivoli Identity Manager administrative tasks.
- Tivoli Identity Manager Server Configuration Guide
  Provides configuration information for single-server and cluster Tivoli Identity Manager configurations.

Related publications

Information related to Tivoli Identity Manager is available in the following publications:

- The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
  http://www.ibm.com/software/tivoli/library/
- The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page:
  http://www.ibm.com/software/tivoli/library


Accessing publications online

The IBM publications for this product are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both, at the Tivoli Software Library:

http://www.ibm.com/software/tivoli/library

To locate product publications in the library, click the Product manuals link on the left side of the Library page. Then, locate and click the name of the product on the Tivoli Software Information Center page.

Product publications include release notes, installation guides, user’s guides, administrator’s guides, and developer’s references.

Note: To ensure proper printing of PDF publications, select the Fit to page check box in the Adobe Acrobat Print window (which is available when you click File → Print).

Accessibility

The product documentation includes the following features to aid accessibility:

- Documentation is available in both HTML and convertible PDF formats to give the maximum opportunity for users to apply screen-reader software.
- All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.

Contacting software support

Before contacting IBM Tivoli Software support with a problem, refer to the IBM Tivoli Software support Web site at:

http://www.ibm.com/software/sysmgmt/products/support/

If you need additional help, contact software support using the methods described in the IBM Software Support Guide at the following Web site:

http://techsupport.services.ibm.com/guides/handbook.html

This guide provides the following information:

- Registration and eligibility requirements for receiving support
- Telephone numbers and e-mail addresses, depending on the country in which you are located
- A list of information you should gather before contacting customer support

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

The following typeface conventions are used in this book:

Bold
    Bold text indicates selectable window buttons, field entries, and commands appearing in this manual except from within examples or the contents of files.

Monospace
    Text in monospace type indicates the contents of files or the output from commands.

italic
    Italic text indicates context-specific values such as:
    - path names
    - file names
    - user names
    - group names
    - system parameters
    - environment variables


Chapter 1. Overview

This installation guide provides all of the basic information necessary to install and configure the Oracle Agent components. This chapter provides a simple overview of the installation process and a brief overview of the information in each chapter.

Basic Installation

The following lists the basic procedures necessary to install, configure, and run the agent:

- Install the agent software.
- Activate the Oracle Agent as a service on the agent’s system.
- Configure the agent’s communication protocols to enable the Oracle Agent to communicate with the Tivoli Identity Manager Server.
- Install the agent’s profile on the Tivoli Identity Manager Server.
- Configure the Tivoli Identity Manager Server to recognize the agent as a service.

Chapter Descriptions

The Oracle Agent Installation Guide contains information pertinent to the proper installation and configuration of the Oracle Agent in the following chapters and appendices:

Chapter 1, “Overview”
    Provides an overview of this document and the basic procedures necessary to install and configure this agent.

Chapter 2, “Agent Installation”
    Contains detailed information about installing the agent. This chapter also contains additional steps required to configure the agent properly.

Chapter 3, “Agent Profile Installation”
    Contains detailed information about installing the agent’s profile on the Tivoli Identity Manager Server. Installing the agent’s profile on the Tivoli Identity Manager Server allows the Tivoli Identity Manager Server to recognize the agent. If the agent profile is not installed on the Tivoli Identity Manager Server, the Tivoli Identity Manager Server will not be able to manage access to the Oracle database.

Chapter 4, “Agent Parameters Modification”
    Contains information about using the agentCfg tool. The agentCfg tool provides an easy way to configure various properties specific to the agent, such as communication protocols, logging settings, and so on.

Chapter 5, “Oracle Services Modifications”
    Describes how to use the service configuration program to view or modify Oracle services.

Chapter 6, “Certificate Installation”
    Contains information about using the CertTool tool. The CertTool tool provides an easy way to request, install, and register certificates for use with the agent.

Appendix A, “Agent Variables”
    Contains information about the agent variables.

Appendix B, “Additional Installation Options”
    Contains additional installation options information and information about uninstalling the agent.

Appendix C, “Notices”
    Contains legal notices for this agent.


Chapter 2. Agent Installation

This chapter describes the procedure to install and configure the Oracle Agent software. Each step includes a short procedure that completes one aspect of the overall agent installation process. You must complete the steps in the order they are listed.

Requirements

The following table identifies hardware, software, and authorization requirements to install the Oracle Agent. Verify that all of the requirements have been met before installing the Oracle Agent.

Table 1. Requirements to install the agent

System
    The agent must be installed on a server with a 32-bit x86-based microprocessor, at least 128 MB of memory, and at least 100 MB of free disk space.

Operating System
    Windows NT 4.0 with Service Pack 6 or Windows 2000 Server with Service Pack 2 must be installed and operational on the system where the agent will be installed.

Oracle Client Software
    Oracle Client Software version 8i must be operational on the workstation where the agent is installed. The Oracle Client Software must also be able to communicate with the Oracle instance.
    Note: The agent supports Oracle Database versions 7.3.4, 8.0.x, and 8i for all platforms.

Network Connectivity
    The agent must be installed on a system that can communicate with the Tivoli Identity Manager Server through a TCP/IP network.

    For security purposes, IBM® recommends installing the agent on a Windows NT file system.

System Administrator Authority
    The person completing the Oracle Agent installation procedure must have system administrator authority to complete the steps in this chapter.

    The installer should also be able to create directories within the Oracle instance.

Server Communication
    Communication between the Tivoli Identity Manager Application Server and the Oracle database should be tested with a low-level communications ping before installing any IBM software. This makes troubleshooting easier if you encounter installation problems.

Oracle Service Account
    For every Oracle Instance that the agent will manage, you must provide an Oracle account and password. The Oracle account must have the following Oracle privileges and roles:
    - GRANT ANY PRIVILEGE
    - GRANT ANY ROLE
    - CREATE SESSION
    - CREATE USER
    - ALTER USER
    - ALTER SYSTEM
    - DROP USER
    - SELECT ANY TABLE
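
One way to provision the Oracle service account and then audit it against the privilege list above, as an added example that is not part of the IBM guide. The account name ITIM_AGENT and the SQL*Plus variable agent_pw are assumptions; the privilege names are the ones listed in Table 1.

```sql
-- Added example (not from the IBM guide). ITIM_AGENT is a hypothetical
-- account name; agent_pw is a SQL*Plus substitution variable.
-- Run in SQL*Plus as a DBA on each Oracle instance the agent will manage.

-- Prompt for the password so it is neither stored in the script nor echoed.
ACCEPT agent_pw CHAR PROMPT 'Password for ITIM_AGENT: ' HIDE

CREATE USER itim_agent IDENTIFIED BY "&agent_pw";

-- Grant exactly the system privileges listed in Table 1, directly to the user.
GRANT GRANT ANY PRIVILEGE, GRANT ANY ROLE, CREATE SESSION, CREATE USER,
      ALTER USER, ALTER SYSTEM, DROP USER, SELECT ANY TABLE
   TO itim_agent;

-- Audit: report every difference between the account's grants and Table 1.
--   MISSING          a required privilege that is not granted directly
--   EXTRA PRIVILEGE  a direct system privilege that Table 1 does not list
--   EXTRA ROLE       any role granted to the account
SELECT 'MISSING' AS status, req.privilege AS name
  FROM (SELECT 'GRANT ANY PRIVILEGE' AS privilege FROM dual UNION ALL
        SELECT 'GRANT ANY ROLE'      FROM dual UNION ALL
        SELECT 'CREATE SESSION'      FROM dual UNION ALL
        SELECT 'CREATE USER'         FROM dual UNION ALL
        SELECT 'ALTER USER'          FROM dual UNION ALL
        SELECT 'ALTER SYSTEM'        FROM dual UNION ALL
        SELECT 'DROP USER'           FROM dual UNION ALL
        SELECT 'SELECT ANY TABLE'    FROM dual) req
 WHERE NOT EXISTS (SELECT 1
                     FROM dba_sys_privs p
                    WHERE p.grantee   = 'ITIM_AGENT'
                      AND p.privilege = req.privilege)
UNION ALL
SELECT 'EXTRA PRIVILEGE', p.privilege
  FROM dba_sys_privs p
 WHERE p.grantee = 'ITIM_AGENT'
   AND p.privilege NOT IN ('GRANT ANY PRIVILEGE', 'GRANT ANY ROLE',
                           'CREATE SESSION', 'CREATE USER', 'ALTER USER',
                           'ALTER SYSTEM', 'DROP USER', 'SELECT ANY TABLE')
UNION ALL
SELECT 'EXTRA ROLE', r.granted_role
  FROM dba_role_privs r
 WHERE r.grantee = 'ITIM_AGENT';
```

An empty result means the account's direct grants match Table 1 exactly. DBA_SYS_PRIVS shows only direct grants, so privileges the account inherits through a role surface here as EXTRA ROLE rows rather than as individual privileges.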

Information Worksheet

Use the following worksheet to document information required to install and configure the Oracle Agent. Complete this worksheet before starting the installation procedure. The worksheet includes default values used by the agent and identifies the information you need to modify during installation.

Make a copy of the worksheet for each server where you are installing the Oracle Agent. For example, if you have five Windows Servers where you are installing the Oracle Agent, you need five copies of the worksheet.

Step 1: Installing the Agent

The Tivoli Identity Manager Oracle Agent installation files are available for download from IBM’s Web site. Contact your IBM account representative for the Web address and download instructions.

Install the Oracle Agent using the provided executable installation program. For more information, see “Step 1: Installing the Agent” on page 5.

- The Oracle Agent destination directory. The default is the C:\Tivoli\Agents\OracleAgent directory.
  ____________________________________________________________
- Oracle service name(s)
  ____________________________________________________________
- Oracle account name(s)
  ____________________________________________________________
- Oracle account password(s)
  ____________________________________________________________
- Oracle version for each Oracle service
  ____________________________________________________________

Step 2: Activating the Agent as a Service

Start the Oracle Agent as a service and configure it to start automatically. For more information, see “Step 2: Activating the Agent as a Service” on page 7.

Step 3: Configuring the Agent

Configure the agent’s communication protocol to use the DAML protocol to communicate with the Tivoli Identity Manager Server. For more information, see “Step 3: Configuring the Agent” on page 7.

Step 4: Installing the Agent’s Certificate

Install the agent’s certificate. This certificate is used by the DAML protocol during communication with the Tivoli Identity Manager Server. For more information, see “Step 4: Installing the Agent’s Certificate” on page 8.

Step 5: Installing the Agent’s Profile

Install the agent’s profile on the Tivoli Identity Manager Server. For more information, see “Step 5: Installing the Agent’s Profile” on page 8.

Step 6: Configuring the Agent for Event Notification

Configure the Oracle Agent for event notification. This step is optional. For more information, see “Step 6: Configuring the Agent for Event Notification” on page 8.

Step 7: Configuring the Agent’s Forms

Configure the agent’s forms on the Tivoli Identity Manager Server. For more information, see “Step 7: Configuring the Agent’s Forms” on page 9.

Step 1: Installing the Agent

An executable installation program is provided for the Oracle Agent. When you run the installation program, you can accept the default settings or select new values.

The Tivoli Identity Manager Oracle Agent installation files are available for download from IBM’s Web site. Contact your IBM account representative for the Web address and download instructions.

To install the agent, do the following:

1. Download the Oracle Agent installation zip file from IBM’s Web site.

2. Extract the contents of the Oracle Agent installation zip file into a temporary directory.

3. Select Run... from the Start menu and type the path to the temporary directory followed by Setup.exe. For example:

   C:\Temp\Setup.exe

   The Welcome dialog window appears.

4. Click Next.
   The License Agreement window opens.

5. Read the license agreement and decide whether to accept its terms. If you do, click Accept.

6. Click Next.
   The Select Destination Directory dialog window appears.

   [Figure 1. Select Destination Directory dialog window]

7. Accept the default or select an alternate destination path and click Next.
   The Install Summary dialog window appears.

8. Click Next.
   The Oracle Service Names dialog window appears.

   Note: Oracle Instances must define service names before the agent works properly. The service names are case sensitive.

9. Type the Oracle service name, Oracle account name, and Oracle account password in their respective fields and select the Oracle version you are using.

   Oracle Service Name
       The service name for the database instance the agent will manage.

   Oracle Account
       Name of the Oracle service account that the agent will use to manage the Oracle instance.

   Account Password
       The Oracle service account password.

   Oracle Version
       The version of Oracle that the agent will be managing instances for.

   Note: You may add additional service names for the agent to manage after the installation is completed. See Chapter 4, “Agent Parameters Modification”, on page 15 and Chapter 5, “Oracle Services Modifications” for more information about adding, modifying, and deleting managed instances.

10. Click Next.
    The Install Summary dialog window appears.

11. Click Next.
    The agent components are installed and the Installation Completed dialog window appears.

12. Click Finish.

Step 2: Activating the Agent as a Service

The Oracle Agent is installed for the Oracle database and automatically starts whenever the server is rebooted. However, the service is not active after installation. Select the Oracle Agent service to start the Oracle Agent software on the target platform.

Step 3: Configuring the Agent

The Oracle Agent uses the DAML protocol to ensure secure communication with the Tivoli Identity Manager Server. Default protocol values are provided. However, you must configure the DAML protocol for your site’s systems. See “Changing Protocol Configuration Settings” on page 16 for more information.

Note: A certificate must be installed for the DAML protocol. Refer to Chapter 6, “Certificate Installation”, on page 37 for more information about installing certificates.

Configuring a Single Instance of the Agent

If you are only installing one instance of the agent for use with one service on the Tivoli Identity Manager Server, the following properties must be configured:

- Event Notification Context
  The event notification context allows the Tivoli Identity Manager Server to recognize the Oracle Agent during an event notification. An Event Notification Context must be defined for this agent. See “Step 6: Configuring the Agent for Event Notification” on page 8 and “Modifying an Event Notification Context” on page 22 for more detailed information about adding a new context.

- DAML Protocol
  The Oracle Agent uses the DAML protocol to ensure secure communication with the Tivoli Identity Manager Server. Default protocol values are provided. However, you must configure the DAML protocol for your site’s systems. See “Changing Protocol Configuration Settings” on page 16 for more information.

  Note: A certificate must be installed for the DAML protocol. See Chapter 6, “Certificate Installation”, on page 37 for more information about installing certificates.

Configuring Multiple Instances of the Agent

If you are installing multiple instances of the Oracle Agent, then one or both of the following properties for each instance must be defined, depending on the multi-instance configuration of the agent.

- Event Notification Context
  The event notification context allows the Tivoli Identity Manager Server to identify each instance of the Oracle Agent service managed by the agent and process requests accordingly. When defining the context, a new attribute called resource_name must be added for each instance. Refer to “Step 6: Configuring the Agent for Event Notification” on page 8 and “Modifying an Event Notification Context” on page 22 for more detailed information about adding a new context.

- DAML Protocol
  Many instances of the Oracle Agent can be installed on the same system. Therefore, each instance of the Universal Provisioning Agent must have a different port number. Configure the DAML port number for each instance of the agent. See “Changing Protocol Configuration Settings” on page 16 for more information about modifying the DAML protocol settings.

Step 4: Installing the Agent’s Certificate

A certificate must also be installed for the DAML protocol. You must obtain a production certificate from a well-known Certificate Authority or create your own certificate using your own Certificate Authority. The Oracle Agent does not come prepackaged with a certificate. See Chapter 6, “Certificate Installation”, on page 37 for more information about installing certificates.

When you install the new certificate, you will also need to install the new Certificate Authority on the Tivoli Identity Manager Server. Refer to the Tivoli Identity Manager Server Configuration Guide for more information.

Note: You must configure the DAML protocol before installing your certificate. Stop and restart the agent after the certificate is installed.

Step 5: Installing the Agent’s Profile

Before an agent can be added as a service to the Tivoli Identity Manager Server, the server must have a service profile to recognize the agent as a service. See Chapter 3, “Agent Profile Installation”, on page 11 for more information on installing the agent’s profile on the Tivoli Identity Manager Server.

Note: If this is an upgrade of an existing agent, the new agent schema will not be reflected immediately. The Tivoli Identity Manager system stores the agent schema in memory. However, this cache is periodically refreshed and the new agent schema will be reflected after the cache is refreshed. Re-boot the Tivoli Identity Manager system to refresh the agent schema immediately.

Step 6: Configuring the Agent for Event Notification

You can choose to configure event notification for agents configured to use the DAML protocol. Complete this step only if you want to monitor agent attributes for changes that will trigger event notifications.

Note: This step is optional. The agent can accept requests from the Tivoli Identity Manager Server whether you configure event notification or not.

To do this, identify the Tivoli Identity Manager Server.

1. Select Configure Protocol from the Agent Protocol Configuration Menu.
   For more information, see “Changing Protocol Configuration Settings” on page 16.

2. Select DAML as the protocol to configure.

3. Select SRV_NODENAME.

4. Specify the IP address or fully-qualified hostname that identifies the Tivoli Identity Manager Server and press Enter.
   The Protocol Properties menu reappears and displays your new settings.

5. Select SRV_PORTNUMBER.

6. Specify the port number the Tivoli Identity Manager Server uses to connect to the agent and press Enter.
   The Protocol Properties menu reappears and displays your new settings.

7. Select SRV_USERNAME.

8. Specify the username the Tivoli Identity Manager Server uses to connect to the agent and press Enter.
   The Protocol Properties menu reappears and displays your new settings.

9. Select SRV_PASSWORD.

10. Specify the password for the username the Tivoli Identity Manager Server uses to connect to the agent and press Enter.
    The Protocol Properties menu reappears and displays your new settings.

Step 7: Configuring the Agent’s Forms

Configure the agent’s service maintenance and account maintenance forms on the Tivoli Identity Manager Server. Refer to the Tivoli Identity Manager Policy and Organization Administration Guide for more information.

If you are installing multiple instances of the Oracle Agent, the port number specified on the service form must match the desired instance of the agent.

If you are installing multiple services that will be managed by the Oracle Agent, the Managed Resource Name on the service form must match the Event Notification Context for the desired service.


Chapter 3. Agent Profile Installation

Before an agent can be added as a service to the Tivoli Identity Manager Server, the server must have a service profile to recognize the agent as a service. The Oracle Agent comes with a second installation script that installs the agent’s profile on the Tivoli Identity Manager Server as a service profile.

This chapter describes the procedure to install and configure the Oracle Agent profile on the Tivoli Identity Manager Server. Each step includes a short procedure that completes one aspect of the overall profile installation process. You must complete the steps in the order they are listed.

Notes:

1. If you intend to install multiple agent profiles on the Tivoli Identity Manager Server, it is important that you install them one at a time. You must wait for a single profile installation to complete before starting the next profile installation.

2. If you are upgrading the agent software, you must also upgrade the agent profile on the Tivoli Identity Manager Server.

3. In a WebLogic Application Server cluster, the agent profile must be installed on every managed server. If the agent profile is not installed on every member of the cluster, the managed server that did not have the agent profile installed will not recognize the agent as a service if the other managed servers become unavailable.

4. In a WebSphere Application Server cluster, you should install the agent profile on the computer on which Network Deployment Manager is installed, although the agent profile can be installed on any server in the cluster. The profile information is pushed into the directory and becomes available to all cluster members.

Requirements

The following table identifies hardware, software, and authorization requirements to install the Oracle Agent profile on the Tivoli Identity Manager Server. Verify that all the requirements have been met before installing the Oracle Agent profile.

Table 2. Requirements before installing an agent profile

Server
    The Tivoli Identity Manager Server must be installed and running before the agent’s profile can be installed.

System Administrator Authority
    The person completing the Oracle Agent profile installation must have root access to the Tivoli Identity Manager Server to complete the procedures in this chapter.

Installing the Agent Profile

1. Log in to the Tivoli Identity Manager Server as root.

2. Download the Oracle Agent installation zip file from IBM’s Web site and extract the contents of the zip file into a temporary directory.


   Note: Contact your IBM account representative for the Web address and download instructions for agent installation files.

3. Complete one of the following:
   • For a Tivoli Identity Manager Server installed on a UNIX® platform:
     – Change the working directory to the temporary directory where you extracted the agent installation files.
           # cd /tmp
       where tmp is the path of the directory containing the agent installation files.
     – Run the Oracle Agent profile installation script that is appropriate for your operating system.
           # ./oraprofile_<operating system>.bin
       where <operating system> is the name of your operating system, such as aix, solaris, or hpxxxx.
     A graphical user interface appears.
   • For Tivoli Identity Manager Servers installed on Windows:
     Select Run... from the Start menu, type the path to the temporary directory where you extracted the agent installation followed by oraprofile.exe. For example:
           C:\temp\oraprofile.exe
   The Welcome dialog window appears.

4. Click Next.
   The Select Tivoli Identity Manager Home Directory screen appears.

5. Type the Tivoli Identity Manager Server home directory in the text field and click Next. You can also select the directory by clicking Browse... and browsing to the correct directory.
   You must install the agent profile in the same home directory in which the Tivoli Identity Manager Server is installed.

   Note: If the installation program cannot determine whether the Tivoli Identity Manager Server home directory that you entered is correct, the ITIM Not Found dialog window is displayed.

   The Install Summary dialog window appears.

6. Click Next.
   The Installation Progress dialog window appears.
   Upon successful installation, the Applying Schema Updates window appears, and any schema updates will be applied.
   The Install Complete dialog window appears after installation is complete.

7. Click Finish to conclude the installation process.

Verifying the Agent Profile is Installed

To ensure that the agent profile installed correctly, navigate to the directory where agent profile files are installed. If the agent profile installation was successful, an agent profile directory will be created in the remote_resources folder. Examples are provided below:


For Windows:
    C:\itim\data\remote_resources\nt40profile\

For UNIX:
    /itim/data/remote_resources/nt40profile/


Chapter 4. Agent Parameters Modification

This chapter describes how to use agentCfg, the provided agent configuration program, to view or modify Oracle Agent parameters. All modifications made to settings with this tool take effect immediately.

Accessing the Agent Configuration Tool Main Menu

The following procedure describes how to access the main menu of the agentCfg tool for Oracle Agent parameters.

1. Select Programs from the Start menu, select Accessories, and then select Command Prompt.
   The DOS Command Prompt window appears.

2. Change to the agent’s bin directory.
   Type the following, if the Oracle Agent directory is in the default location:
       cd \Tivoli\Agents\OracleAgent\bin

3. Type agentCfg -agent OracleAgent at the prompt.
       Enter configuration key for Agent ’OracleAgent’:

   You can also use agentCfg to view or change configuration settings from a remote computer. See the table in “Accessing Help and Additional Options” on page 29 for procedures on using the -hostname argument.

4. Type the configuration key for the Oracle Agent.
   The default configuration key is agent. See “Changing Protocol Configuration Settings” on page 16 for procedures to change the configuration key.
   The Main Configuration menu appears.

    OracleAgent 4.5.0 Agent Main Configuration Menu
    -------------------------------------------
    A. Configuration Settings.
    B. Protocol Configuration.
    C. Event Notification
    D. Change Configuration Key.
    E. Activity Logging.
    F. Registry Settings.
    G. Advanced Settings.
    H. Statistics

    X. Done

    Select menu option:

This chapter includes a section for each of the following main functions:
• For option A, see “Viewing Configuration Settings” on page 16
• For option B, see “Changing Protocol Configuration Settings” on page 16
• For option C, see “Setting Event Notification” on page 19
• For option D, see “Changing the Configuration Key” on page 23
• For option E, see “Changing Activity Logging Settings” on page 23
• For option F, see “Changing Registry Settings” on page 25
• For option G, see “Changing Advanced Settings” on page 27
• For option H, see “Viewing Statistics” on page 28


Viewing Configuration Settings

The following procedure describes how to view the Oracle Agent configuration settings.

1. Type option A (Configuration Settings) at the main menu prompt.
   The configuration settings for the Oracle Agent appear. The following is a sample of the Oracle Agent configuration settings.

    Configuration Settings
    -------------------------------------------
    Name : OracleAgent
    Version : 4.5.0
    ADK Version : 4.27
    ERM Version : 4.27
    enRole Version : 4.0
    License : NONE
    Asynchronous ADD Requests : TRUE (Max.Threads:3)
    Asynchronous MOD Requests : TRUE (Max.Threads:3)
    Asynchronous DEL Requests : TRUE (Max.Threads:3)
    Asynchronous SEA Requests : TRUE (Max.Threads:3)
    Available Protocols : DAML, FTP
    Configured Protocols : DAML
    Logging Enabled : TRUE
    Logging Directory : C:\Tivoli\Agents\OracleAgent\Log
    Log File Name : OracleAgent.log
    Max. log files : 3
    Max.log file size (Mbytes) : 1
    Debug Logging Enabled : TRUE
    Detail Logging Enabled : FALSE

    Press any key to continue

2. Press any key to return to the main menu.

Changing Protocol Configuration Settings

The agent can communicate with the Tivoli Identity Manager Server using DAML or FTP. By default, agents are configured to use DAML as the communication protocol. Procedures provided in this section contain instructions for modifying DAML protocol configuration settings. Configuring the agent to use FTP requires additional configuration not provided in this section.

The following procedure describes how to change the Oracle Agent protocol configuration settings. This section also describes the purpose of the provided functions.

1. Type B (Protocol Configuration) at the main menu prompt.
   The Protocol Configuration menu appears. The configured and available protocols for your server display above the menu options. The DAML protocol is configured and available by default for the Oracle Agent.

    Agent Protocol Configuration Menu
    -----------------------------------
    Available Protocols: DAML, FTP
    Configured Protocols: DAML
    A. Add Protocol.
    B. Remove Protocol.
    C. Configure Protocol.

    X. Done

    Select menu option


2. See the following procedure that corresponds with the option that you want to select:
   • For option A, see “Adding a Protocol”
   • For option B, see “Removing a Protocol”
   • For option C, see “Configuring a Protocol”

   Type X to return to the main menu.

Adding a Protocol

1. Type A (Add Protocol) at the Protocol Configuration menu prompt.
   The Add New Protocol menu appears and displays protocols that are available on your server. If there are no protocols to add, the Protocol Configuration menu reappears.

2. Type the menu option letter of the protocol that you want to add.
   The Protocol Configuration menu reappears. The protocol that you added appears as a Configured Protocol. See the procedure for “Configuring a Protocol” to modify the default configuration settings for the protocol that you added.

Removing a Protocol

1. Type B (Remove Protocol) at the Protocol Configuration menu prompt.
   The Remove Protocol menu appears and displays all protocols that have been added. If there are no protocols to remove, the Protocol Configuration menu reappears.

2. Type the menu option letter of the protocol that you want to remove.
   The Protocol Configuration menu reappears and the protocol that you removed is no longer listed as a configured protocol. However, the protocol remains as an available protocol that can be added again.

Configuring a Protocol

1. Type C (Configure Protocol) at the Protocol Configuration menu prompt.
   The Configure Protocol menu appears.

2. Type the menu option letter of the protocol that you want to configure.
   The Protocol Properties menu for the configured protocol appears with protocol properties.

   Note: The properties on your menu may be different from the ones shown.

   The following is an example of the DAML protocol properties:

    DAML Protocol Properties
    --------------------------------------------------------------------
    A. PORTNUMBER 45580 ;Protocol Server port number.
    B. USERNAME ****** ;Authorized user name.
    C. PASSWORD ****** ;Authorized user password.
    D. SRV_NODENAME 192.168.6.40 ;Event Notif. Server name.
    E. SRV_PORTNUMBER 443 ;Event Notif. Server port number.
    F. SRV_USERNAME ****** ;Event Notif. user name.
    G. SRV_PASSWORD ****** ;Event Notif. Server password.
    H. VALIDATE_CLIENT_CE FALSE ;Require client certificate.

    X. Done

    Select menu option:


3. Type the menu option letter of the protocol property that you want to configure.
   See the table below for additional information about the menu options for the DAML protocol.

Table 3. Menu options for the DAML protocol

Type this Option / To Accomplish this

A (PORTNUMBER)
    The following prompt appears:
        Modify Property ’PORTNUMBER’:
    Type a different port number, for example, 7004
    This is the port number the Tivoli Identity Manager Server uses to connect to the agent.

B (USERNAME)
    The following prompt appears:
        Modify Property ’USERNAME’:
    Type a username, for example, admin
    This is the username the Tivoli Identity Manager Server uses to connect to the agent.

C (PASSWORD)
    The following prompt appears:
        Modify Property ’PASSWORD’:
    Type a password, for example, *******
    This is the password for the username the Tivoli Identity Manager Server uses to connect to the agent.

D (SRV_NODENAME)
    The following prompt appears:
        Modify Property ’SRV_NODENAME’:
    Type a server name, for example, 192.168.6.152
    This is the DNS name or IP address of the Tivoli Identity Manager Server.

E (SRV_PORTNUMBER)
    The following prompt appears:
        Modify Property ’SRV_PORTNUMBER’:
    Type a different port number to access the Tivoli Identity Manager Server, for example, 7004
    This is the port number the agent uses to connect to the Tivoli Identity Manager Server.

F (SRV_USERNAME)
    The following prompt appears:
        Modify Property ’SRV_USERNAME’:
    Type a different username, for example, admin
    This is the username the agent uses to connect to the Tivoli Identity Manager Server.

G (SRV_PASSWORD)
    The following prompt appears:
        Modify Property ’SRV_PASSWORD’:
    Type a different password, for example, *****
    This is the password for the username the agent uses to connect to the Tivoli Identity Manager Server.


H (VALIDATE_CLIENT_CE)
    The following prompt appears:
        Modify Property ’VALIDATE_CLIENT_CE’:
    Type TRUE to require the Tivoli Identity Manager Server to send a certificate when communicating with the agent.
    Type FALSE to allow the Tivoli Identity Manager Server to communicate with the agent without a certificate.
    Note: You must configure options D through H of the CertTool if you set this option to TRUE.

4. Change the value and press Enter.
   The Protocol Properties menu reappears and displays your new settings.

   Note: Press Enter to return to the Protocol Properties menu without modifying the selected value.
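The DAML Protocol Properties menu can be checked against an approved baseline after any change, so that a modified port, server address, or certificate setting is noticed. The Python below is an added example, not part of the IBM guide or the agent software; it assumes the menu text has been copied from an agentCfg session into a string, and the baseline values and function names are hypothetical.

```python
import re

# One property row of the menu, for example:
#   "A. PORTNUMBER 45580 ;Protocol Server port number."
ROW = re.compile(r"^\s*([A-Z])\.\s+([A-Z_]+)\s+(\S+)\s*;\s*(.*?)\s*$")
PORT = re.compile(r"[0-9]{1,5}")

# Constructed sample: the menu text as printed in this guide.
SAMPLE_MENU = """\
DAML Protocol Properties
--------------------------------------------------------------------
A. PORTNUMBER 45580 ;Protocol Server port number.
B. USERNAME ****** ;Authorized user name.
C. PASSWORD ****** ;Authorized user password.
D. SRV_NODENAME 192.168.6.40 ;Event Notif. Server name.
E. SRV_PORTNUMBER 443 ;Event Notif. Server port number.
F. SRV_USERNAME ****** ;Event Notif. user name.
G. SRV_PASSWORD ****** ;Event Notif. Server password.
H. VALIDATE_CLIENT_CE FALSE ;Require client certificate.

X. Done

Select menu option:
"""

# Hypothetical approved values for one agent (an assumption for this example,
# not an IBM recommendation).
BASELINE = {
    "PORTNUMBER": "45580",
    "SRV_NODENAME": "192.168.6.40",
    "SRV_PORTNUMBER": "443",
    "VALIDATE_CLIENT_CE": "TRUE",
}


def parse_daml_properties(menu_text):
    """Return {property name: {"option", "value", "masked", "description"}}."""
    props = {}
    for line in menu_text.splitlines():
        match = ROW.match(line)
        if not match:
            continue  # title, rule, "X. Done", prompt and blank lines
        option, name, value, description = match.groups()
        props[name] = {
            "option": option,
            "value": value,
            "masked": set(value) == {"*"},  # shown only as asterisks
            "description": description,
        }
    return props


def masked_properties(props):
    """Names of properties the tool masks; these need a manual review."""
    return sorted(name for name, prop in props.items() if prop["masked"])


def review(props, baseline):
    """Return (property, observed, expected) for every deviation found."""
    findings = []
    # Port properties must be usable TCP port numbers.
    for name in ("PORTNUMBER", "SRV_PORTNUMBER"):
        value = props.get(name, {}).get("value")
        valid = (
            value is not None
            and PORT.fullmatch(value) is not None
            and 1 <= int(value) <= 65535
        )
        if not valid:
            findings.append((name, value, "1-65535"))
    # Every baseline property must be present and equal (case-insensitive).
    for name, expected in baseline.items():
        prop = props.get(name)
        observed = prop["value"] if prop else None
        if observed is None or observed.upper() != expected.upper():
            findings.append((name, observed, expected))
    return findings


if __name__ == "__main__":
    parsed = parse_daml_properties(SAMPLE_MENU)
    print("Masked, review by hand:", ", ".join(masked_properties(parsed)))
    for name, observed, expected in review(parsed, BASELINE):
        print(f"{name}: observed {observed}, expected {expected}")
```

With the sample menu and this baseline, the only deviation reported is VALIDATE_CLIENT_CE, which the sample shows as FALSE.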

Setting Event Notification

The following procedure describes how to set Event Notification for the Tivoli Identity Manager Server. Event Notification updates the Tivoli Identity Manager Server with changes to the Tivoli Identity Manager Server at set intervals.

Note: The example menu shows all the options displayed when Event Notification is enabled. If Event Notification is disabled, not all of the options are displayed.

1. Type C (Event Notification) at the main menu prompt.
   The Event Notification Menu appears.

    Event Notification Menu
    --------------------------------------------------------------
    * Reconciliation interval : 1 day(s)
    * Next Reconciliation time : 23 hour(s) 56 min(s). 23 sec(s).
    * Configured Contexts : Jupiter, dd309
    A. Enabled
    B. Time interval between reconciliations.
    C. Set Processing cache size. (currently: 50 Mbytes)
    D. Start event notification now.
    E. Set attributes to be reconciled.
    F. Reconciliation process priority. (current: 1)
    G. Add Event Notification Context.
    H. Modify Event Notification Context.
    I. Remove Event Notification Context.
    J. List Event Notification Contexts.

    X. Done

    Select menu option:

2. Type the menu option letter of the Event Notification option that you want to change.

   Note: Option A must be enabled in order for the values of the other options to take effect.


Table 4. Event notification options

Type this Option / To Accomplish this

A
    If this option is enabled, the agent updates the Tivoli Identity Manager Server with changes to the agent at regular intervals.
    When the option is set to:
    • disabled, it automatically changes to enabled
    • enabled, it automatically changes to disabled

B (Time interval between reconciliations)
    The following prompt appears:
        Enter new interval([ww:dd:hh:mm:ss])[00:01:00:00:00]:
    Type a different reconciliation interval.
    Press Enter to return to the Agent Activity Logging menu without changing the value.

C (Set processing cache size)
    The following prompt appears:
        Enter new cache size[5]:
    Type a different value to change the processing cache size.
    Press Enter to return to the Agent Activity Logging menu without changing the value.

D (Start event notification now)
    If this option is selected, event notification is started.

E (Set attributes to be reconciled)
    The Event Notification Entry Types menu appears. See “Setting Attributes to be Reconciled” on page 21 for more information.

F (Reconciliation process priority)
    The following prompt appears:
        Enter new thread priority [1-10]:
    Type a different thread value to change reconciliation process priority.
    Press Enter to return to the Agent Activity Logging menu without changing the value.

G (Add Event Notification Context)
    The following prompt appears:
        Context name :
    Type the new context name and press Enter. The new context is added.

H (Modify Event Notification Context)
    A menu listing the available contexts appears. See “Modifying an Event Notification Context” on page 22 for more information.

I (Remove Event Notification Context)
    The Remove Context menu appears. Select the context to remove and the following prompt appears:
        Delete context context1? [no]:
    Press Enter to exit without deleting the context or type Yes and press Enter to delete the context.


J (List Event Notification Contexts)
    The Event Notification Contexts are displayed in the following format:
        Context Name : Context1
        Target DN :erservicename=context1,o=IBM,ou=IBM,dc=com
        --- Attributes for search request ---
        {search attributes listed}
        -----------------------------------------------

3. Press Enter if you changed the value for option B, C, E or F.
   The Event Notification menu reappears and displays your new settings.

   Note: The other options are changed automatically when you type the corresponding menu option letter.

Setting Attributes to be Reconciled

Setting attributes to be reconciled consists of selecting attributes that will trigger event notifications when their values change. Attributes that change frequently (password age or last successful logon, for example) can be omitted.

1. Type E (Set attributes to be reconciled) at the Event Notification Menu.
   The Event Notification Entry Types menu appears.

    Event Notification Entry Types
    -------------------------------------------
    A. USER
    B. GROUP
    X. Done
    Select menu option:

2. Type A for attributes returned during a user reconciliation or type B for attributes returned during a group reconciliation.
   The Event Notification Attribute Listing for the selected reconciliation type appears.

   Note: The default setting lists all attributes the agent supports.

    Event Notification Attribute Listing
    -------------------------------------
    (a) ** (b) ** (c) **
    (d) ** (e) ** (f) **
    (g) ** (h) ** (i) **
    (j) ** (k) ** (l) **
    (m) ** (o) ** (q) **
    (r) ** (s) ** (t) **

    (p)rev page 1 of 3 (n)ext
    -----------------------------

    X. Done
    Select menu option:

3. Type the letter option of the attribute to exclude from an event notification.
   Attributes that are marked with the asterisks are returned during the event notification. Attributes that are not marked with asterisks are not returned during the event notification.


Modifying an Event Notification Context

1. Type H (Modify Event Notification Context) at the Event Notification menu.
   The Modify Context Menu appears.

    Modify Context Menu
    ------------------------------
    A. Context1
    B. Context2
    C. Context3
    X. Done
    Select menu option:

2. Select the desired context.
   The Modify Context menu for the selected context appears.

    A. Set attributes for search
    B. Target DN:
    C. Delete Baseline Database
    X. Done
    Select menu option:

   See “Adding Search Attributes for Event Notification” for option A.

   See “Configuring the Target DN for Event Notification Contexts” for option B.

   See “Removing the Baseline Database for Event Notification Contexts” on page 23 for option C.

Adding Search Attributes for Event Notification

1. Type A (Set attributes for search) at the desired context’s Modify Context menu.
   The Reconciliation Attribute Passed to Agent menu appears.

    Reconciliation Attributes Passed to Agent for Context: Context1
    --------------------------------------------------------------------------------------------------------
    A. Add new attribute
    B. Modify attribute value
    C. Remove attribute
    X. Done
    Select menu option:

2. Select the desired option and complete the requested information at the prompts.
   The Reconciliation Attributes Passed to Agent menu reappears with the changes displayed.

Configuring the Target DN for Event Notification Contexts

1. Type B (Target DN) at the desired context’s Modify Context menu.
   The following prompt appears:
       Enter Target DN:

2. Type the target DN for the context and press Enter.
   The target DN for the event notification context must be in the following format:
       erservicename=nameofservice,o=organizationname,ou=tenantname,dc=com

   Each element of the DN is defined as follows:


   erservicename
       Name of the target service used by the product name.

   o
       Name of the organization in the product name.

   ou
       Name of the tenant in which the organization is located. If the product name is an enterprise installation, this is the name of the organization.

   dc=com
       Root of the directory tree.

   The selected context’s Modify Context menu reappears with the new target DN listed.
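A target DN can be checked against this format before it is typed at the Enter Target DN prompt. The Python below is an added example, not part of the IBM guide or the agent software; the function names are hypothetical, the sample contexts are constructed, and the root value "com" is taken from the format shown above and can be overridden.

```python
# Component order of an Event Notification target DN as given in this guide:
#   erservicename=nameofservice,o=organizationname,ou=tenantname,dc=com
EXPECTED_ORDER = ("erservicename", "o", "ou", "dc")

# Constructed sample contexts. The first DN is the one in the guide's listing;
# the other two contain deliberate mistakes.
CONTEXTS = {
    "Context1": "erservicename=context1,o=IBM,ou=IBM,dc=com",
    "Jupiter": "erservicename=Jupiter,ou=IBM,o=IBM,dc=com",  # o and ou swapped
    "dd309": "erservicename=dd309,o=IBM,ou=IBM",             # root missing
}


def split_rdns(dn):
    """Split a DN on commas that are not escaped with a backslash."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("target DN ends with a dangling backslash")
    parts.append("".join(buf))
    return parts


def parse_target_dn(dn, root="com"):
    """Validate a target DN and return its four components as a dict.

    root is the expected dc value ("com" in the guide's format).
    Raises ValueError with a short reason when the DN does not conform.
    """
    rdns = split_rdns(dn.strip())
    if len(rdns) != len(EXPECTED_ORDER):
        raise ValueError(
            f"expected {len(EXPECTED_ORDER)} components, got {len(rdns)}"
        )
    result = {}
    for expected, rdn in zip(EXPECTED_ORDER, rdns):
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip().lower(), value.strip()
        if not sep:
            raise ValueError(f"component '{rdn.strip()}' has no '='")
        if attr != expected:
            raise ValueError(f"expected '{expected}=' but found '{attr}='")
        if not value:
            raise ValueError(f"'{expected}' has an empty value")
        result[attr] = value
    if result["dc"].lower() != root.lower():
        raise ValueError(f"root is dc={result['dc']}, expected dc={root}")
    return result


def check_contexts(contexts, root="com"):
    """Map each context name to None (DN conforms) or to the error text."""
    report = {}
    for name, dn in contexts.items():
        try:
            parse_target_dn(dn, root)
            report[name] = None
        except ValueError as exc:
            report[name] = str(exc)
    return report


if __name__ == "__main__":
    for name, problem in check_contexts(CONTEXTS).items():
        print(f"{name}: {'ok' if problem is None else problem}")
```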

Removing the Baseline Database for Event Notification Contexts

This option is only available after a context is created and a reconciliation is run on the context to create a Baseline Database file.

Type C (Delete Baseline Database) at the desired context’s Modify Context menu.

The selected context’s Modify Context menu reappears with the Delete Baseline Database option removed.

Changing the Configuration Key

The following procedure describes how to change the Oracle Agent configuration key. You use this key as a password to access the configuration tool from the selected agent.

1. Type D (Change Configuration Key) at the main menu prompt.

2. Change the value and press Enter.

       Enter new configuration key for Agent ’OracleAgent 4.5.0’:

   Press Enter to return to the Main Configuration menu without changing the configuration key. The default configuration key is agent.

   Note: Enter a configuration key that you can easily remember.

   A message appears:
       Configuration key successfully changed.

   The configuration program exits and the main prompt reappears.

Changing Activity Logging Settings

The following procedure describes how to change the Oracle Agent activity logging settings. When you enable logging, Tivoli Identity Manager maintains a log file of all transactions in a dated archive log file, OracleAgent.log.

1. Type E (Activity Logging) at the main menu prompt.
   The Agent Activity Logging menu appears. The following sample shows the default activity logging settings.


    Agent Activity Logging Menu
    -------------------------------------
    A. Activity Logging (Enabled).
    B. Logging Directory (current: C:\Tivoli\Agents\OracleAgent\Log).
    C. Activity Log File Name (current: OracleAgent.log).
    D. Activity Logging Max. File Size ( 1 mbytes)
    E. Activity Logging Max. Files ( 3 )
    F. Debug Logging (Enabled).
    G. Detail Logging (Disabled).
    H. Base Logging (Disabled).
    X. Done
    Select menu option:

2. Type the menu option letter of the activity logging option that you want to change.

   Note: Option A (Activity Logging) must be enabled in order for the values of the other options to take effect.

Table 5. Event notification options

Type this Option / To Accomplish this

A (Activity Logging)
    Set this option to enabled and Tivoli Identity Manager maintains a log file of all transactions in a dated archive log file.
    When the option is set to:
    • disabled, it automatically changes to enabled
    • enabled, it automatically changes to disabled

B (Logging Directory)
    Type a different value for the logging directory, for example, C:\Log. When the logging option is enabled, details about each access request are stored in the logging file that is located in this directory.
    Press Enter to return to the Agent Activity Logging menu without changing the value.

C (Activity Log File Name)
    Type a different value for the log file name. When the logging option is enabled, details about each access request are stored in the logging file.
    Press Enter to return to the Agent Activity Logging menu without changing the value.

D (Activity Logging Max File Size)
    Type a new value, for example, 10. The oldest data is archived when the log file reaches the maximum file size. File size is measured in megabytes. Activity log file size can exceed disk capacity.
    Press Enter to return to the Agent Activity Logging menu without changing the value.

E (Activity Logging Max Files)
    Type a new value up to 100, for example, 5. The agent automatically deletes the oldest activity logs beyond the specified limit.
    Press Enter to return to the Agent Activity Logging menu without changing the value.


F (Debug Logging)
    If this option is set to enabled, the agent includes the debug statements in the log file of all transactions.
    When the option is set to:
    • disabled, it automatically changes to enabled
    • enabled, it automatically changes to disabled

G (Detail Logging)
    If this option is set to enabled, the agent maintains a detailed log file of all transactions.
    Note: The detail logging option should be used for diagnostic purposes only. When the detail logging option is on, the application’s performance can be adversely affected.
    When the option is set to:
    • disabled, it automatically changes to enabled
    • enabled, it automatically changes to disabled

H (Base Logging)
    If this option is set to enabled, the agent maintains a log file of all transactions in the ADK and library files.
    When the option is set to:
    • disabled, it automatically changes to enabled
    • enabled, it automatically changes to disabled

3. Press Enter if you changed the value for option B, C, D, or E.
   The Agent Activity Logging menu reappears and displays your new settings.

   Note: The other options are changed automatically when you type the corresponding menu option letter.

Changing Registry Settings

The following procedure describes how to change the Oracle Agent registry settings.

1. Type F (Registry Settings) at the main menu prompt.
   The Registry menu appears.

    OracleAgent 4.5.0 Agent Registry Menu
    -------------------------------------------
    A. Modify Non-encrypted registry settings.
    B. Modify encrypted registry settings.
    C. Multi-instance settings.
    X. Done
    Select menu option:

2. See the following procedures on modifying registry settings.

Modifying Non-encrypted Registry Settings

1. Type A (Modifying Non-encrypted Registry Settings) at the Registry menu prompt.
   The Non-encrypted Registry settings menu appears.


    Agent Registry Items
    ---------------------------

    01. ENROLE_VERSON ’4.0’
    02. OraService1 ’marge:maggie:8’
    03. OraService2 ’homer:doh:8’
    04. OraService3 ’bart:lisa:8’
    05. SRCH_PRFILES ’YES’
    06. SRCH_ROLES ’YES’
    07. SRCH_TABLES ’YES’
    --------------------------------

    Page 1 of 1

    A. Add new attribute
    B. Modify attribute value
    C. Remove attribute
    X. Done
    Select menu option:

2. Type one of the following options:
   • A) Add new attribute
   • B) Modify attribute value
   • C) Remove attribute
   • X) Done

3. Type the registry item name, and press Enter.

4. Type the registry item value, if you selected option A or B, and press Enter.
   The non-encrypted registry settings menu reappears and displays your new setting(s).

Modifying Encrypted Registry Settings

To access registry settings, do the following:

1. Type B (Modifying Encrypted Registry Settings) at the Registry menu prompt.
   The Encrypted Registry settings menu appears.

    Encrypted Registry Items
    -------------------------------------------
    01. OraService1Password ’*****’
    02. OraService2Password ’*****’
    03. OraService3Password ’*****’

    Page 1 of 1

    A. Add new attribute
    B. Modify attribute value.
    C. Remove attribute.
    X. Done
    Select menu option:

2. Type one of the following options:
   A) Add new attribute
   B) Modify attribute value
   C) Remove attribute
   X) Done

3. Type the registry item name, and press Enter.

4. Type the registry item value, if you selected option A or B, and press Enter.
   The encrypted registry settings menu reappears and displays your new settings.


Multi-instance Settings

This option allows you to configure multi-instance settings.

Note: This option is only valid if the agent can support multi-instances.

1. Type C (Multi-instance Settings) at the Registry Menu prompt.
   The Oracle Agent Instance Class Menu appears.

      OracleAgent 4.5.0 Agent Instance Class Menu
      -------------------------------------------
      A. Select instance class.
      X. Done.

2. Type one of the available options.
3. Type the requested information and press Enter.
   The Oracle Agent Instance Class Menu reappears and displays your new settings.

Changing Advanced Settings

The following procedure describes how to change the Oracle Agent thread count settings for the following types of requests:
- System Login Add
- System Login Change
- System Login Delete
- Reconciliation

These settings determine the maximum number of requests that the Oracle Agent processes concurrently.

1. Type G (Advanced Settings) at the main menu prompt.
   The Advanced Settings menu appears. The following sample shows the default thread count settings.

      OracleAgent 4.5.0 Advanced Settings Menu
      -------------------------------------------
      A. Single Thread Agent (current:TRUE)
      B. ADD max. thread count. (current:3)
      C. MODIFY max. thread count. (current:3)
      D. DELETE max. thread count. (current:3)
      E. SEARCH max. thread count. (current:3)
      F. Allow User EXEC procedures (current:FALSE)
      G. Archive Request Packets (current:FALSE)
      H. UTF8 Conversion support (current:TRUE)
      I. Pass search filter to agent (current:FALSE)
      J. Thread Priority Level (1-10) (current:4)
      X. Done
      Select menu option:

2. Type the menu option letter of the advanced setting that you want to change.

   Note: The UTF8 Conversion support setting must be set to FALSE to support Western European character sets.

   Table 6. Menu options for the DAML protocol

   Type this Option
       To Accomplish this

   A (Single Thread Agent)
       Forces the agent to allow only one request at a time.

   B (ADD max. thread count)
       Controls how many simultaneous ADD requests can run at one time.

   C (MODIFY max. thread count)
       Controls how many simultaneous MODIFY requests can run at one time.

   D (DELETE max. thread count)
       Controls how many simultaneous DELETE requests can run at one time.

   E (SEARCH max. thread count)
       Controls how many simultaneous SEARCH requests can run at one time.

   F (Allow User EXEC procedures)
       Determines whether the agent allows pre- and post-exec functions. Enabling this option is a potential security risk. This option is disabled by default.

   G (Archive Request Packets)
       Instructs the agent to retain copies of the request packets in an archive. This option is specific to the FTP protocol and is used primarily for debugging purposes. By default, request packets are deleted once they have been read unless this option is enabled.

   H (UTF8 Conversion support)
       This option is no longer used.

   I (Pass search filter to agent)
       Provides filtering functionality for search requests by issuing a full search to the agent and then filtering the objects as they are pipelined back to the server.

       Currently, this agent does not support processing filters directly. This option should always be FALSE.

   J (Thread Priority Level (1-10))
       Sets the thread priority level for the agent.

3. Change the value and press Enter.
   The Advanced Settings menu reappears and displays your new settings.
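The following Python example is an addition to this guide, not IBM code. It checks a captured copy of the Advanced Settings menu against the values that Table 6 says to keep (options F, G and I) and reports any other difference from the sample menu's defaults. The function names, severity labels and the modified sample menu are assumptions made for illustration.

```python
import re

# Constructed sample: the Advanced Settings menu from the guide, with options
# F and G switched to TRUE so that the audit has something to report.
SAMPLE_MENU = """\
OracleAgent 4.5.0 Advanced Settings Menu
-------------------------------------------
A. Single Thread Agent (current:TRUE)
B. ADD max. thread count. (current:3)
C. MODIFY max. thread count. (current:3)
D. DELETE max. thread count. (current:3)
E. SEARCH max. thread count. (current:3)
F. Allow User EXEC procedures (current:TRUE)
G. Archive Request Packets (current:TRUE)
H. UTF8 Conversion support (current:TRUE)
I. Pass search filter to agent (current:FALSE)
J. Thread Priority Level (1-10) (current:4)
X. Done
Select menu option:
"""

# "<letter>. <label> (current:<value>)"; the label may itself contain
# parentheses, as in option J.
LINE_RE = re.compile(r"^\s*([A-Z])\.\s+(.*?)\s*\(current:\s*([^)]*?)\s*\)\s*$")

# Values in the guide's sample menu, which it presents as the defaults.
DOCUMENTED_DEFAULTS = {
    "A": "TRUE", "B": "3", "C": "3", "D": "3", "E": "3",
    "F": "FALSE", "G": "FALSE", "H": "TRUE", "I": "FALSE", "J": "4",
}

# Options for which the guide states the value to keep, and why.
# The severity labels are this example's own choice, not IBM's.
REQUIRED = {
    "F": ("FALSE", "HIGH", "pre- and post-exec functions are allowed, "
                           "which the guide calls a potential security risk"),
    "G": ("FALSE", "MEDIUM", "copies of request packets are retained, "
                             "which the guide describes as a debugging aid"),
    "I": ("FALSE", "MEDIUM", "the guide says this option should always be FALSE"),
}

# Numeric options and their allowed range (None means no upper bound is
# documented). The 1-10 range for J comes from the menu text itself.
NUMERIC_RANGE = {"B": (1, None), "C": (1, None), "D": (1, None),
                 "E": (1, None), "J": (1, 10)}


def parse_menu(text):
    """Return {letter: (label, value)} for every '(current:...)' menu line."""
    settings = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            letter, label, value = match.groups()
            settings[letter] = (label.rstrip("."), value.upper())
    return settings


def audit(settings):
    """Return a list of (letter, severity, message) findings."""
    findings = []
    for letter in sorted(DOCUMENTED_DEFAULTS):
        if letter not in settings:
            findings.append((letter, "ERROR", "option missing from captured menu"))
            continue
        label, value = settings[letter]
        if letter in REQUIRED:
            wanted, severity, reason = REQUIRED[letter]
            if value != wanted:
                findings.append((letter, severity, f"{label}={value}: {reason}"))
            continue
        if letter in NUMERIC_RANGE:
            low, high = NUMERIC_RANGE[letter]
            if not value.isdigit() or int(value) < low or (high and int(value) > high):
                findings.append((letter, "ERROR", f"{label}={value}: not a valid value"))
                continue
        if value != DOCUMENTED_DEFAULTS[letter]:
            findings.append((letter, "INFO", f"{label}={value}: differs from "
                             f"documented default {DOCUMENTED_DEFAULTS[letter]}"))
    return findings


if __name__ == "__main__":
    for letter, severity, message in audit(parse_menu(SAMPLE_MENU)):
        print(f"[{severity}] {letter}. {message}")
```

To audit a real agent, paste the menu text displayed by agentCfg into a file and pass its contents to parse_menu.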

Viewing Statistics

The following procedure describes how to view an event log for the Oracle Agent.

1. Type H (Statistics) at the main menu prompt.
   The activity history for the agent is displayed.

      OracleAgent 4.5.0 Agent Request Statistics
      --------------------------------------------------------------------
      Date     Add    Mod    Del    Ssp    Res    Rec
      -----------------------------------------------------------------
      11/15/02 000001 000000 000000 000000 000000 000001
      -----------------------------------------------------------------
      X. Done

2. Type X to return to the Main Configuration Menu.


Accessing Help and Additional Options

The following describes how to access the agentCfg help menu and use the help arguments.

1. Return to the Oracle Agent bin directory by completing one of the following:
   - Type X from the Main Configuration menu prompt.
   - Complete procedures 1 and 2 of “Accessing the Agent Configuration Tool Main Menu” on page 15.
2. Type agentCfg -help at the prompt to view the help menu.
   The following list of possible commands appears:

      -version            ; Show version
      -hostname <value>   ; Target nodename to connect to (Default:Local host IP address)
      -findall            ; Find all agents on target node
      -list               ; List available agents on target node
      -agent <value>      ; Name of agent
      -tail               ; Display agent's activity log
      -schema             ; Display agent's attribute schema
      -portnumber <value> ; Specified agent's TCP/IP port number
      -netsearch <value>  ; Lookup agents hosted on specified subnet
      -confidencetest     ; Confidence test
      -setup              ; Confidence test setup
      -help               ; Display this help screen

   The following table describes the purpose of the provided arguments.

   Table 7. Command argument purposes

   -version
       Use this argument to display the agentCfg version.

   -hostname <value>
       Use the -hostname argument with any of the following commands to specify a different host:
       - -findall
       - -list
       - -tail
       - -agent
       Enter a hostname or IP address as the value.

   -findall
       Use this argument to search and display all possible port addresses for all agents. Must be used with the -list argument. Add the -hostname argument to search a remote host.

   -list
       Use this argument to search and display agents found at default ports. By default, the argument searches the local host of the Oracle Agent. Use the -hostname argument to search a different host.

   -agent <value>
       Use this argument to specify the agent that you want to configure. Enter an agent name as the value. Use this argument with the -hostname argument to modify the configuration setting from a remote host. You can also use this argument with the -tail argument.

   -tail
       Use this argument with the -agent argument to display an agent’s activity log. Add the -hostname argument to display the log file for an agent on a different host.

   -schema
       Use this argument with the -agent argument to display an agent’s attribute schema.

   -portnumber <value>
       Use this argument with the -agent argument to specify an agent’s TCP/IP port number.

   -netsearch <value>
       Use this argument with the -agent argument to display all agents installed on the system.

   -confidencetest
       Use this argument to run a test to add, modify, search and delete a request to the agent. This allows you to verify the agent connection to the managed resource without the Tivoli Identity Manager Server.

   -setup
       Use this argument to configure the confidence test.

   -help
       Display the help menu for agentCfg.

3. Type agentCfg and one or more of the supported arguments at the prompt.
   You must type agentCfg before every argument to run the agent configuration tool.

   Table 8. Arguments

   Argument Syntax
       Argument Example

   -argument
       For example, type agentCfg -list

       This example lists all agents on the local host IP address. Note that the default node for the Tivoli Identity Manager Server is 44970.

          Agent(s) installed on node '127.0.0.1'
          -----------------------
          OracleAgent (44970)

   -argument <value>
       For example, type agentCfg -agent OracleAgent

       This example displays the main menu of the agentCfg tool which is used to view or modify the Oracle Agent parameters.

   -argument <value> -argument
   or
   -argument -argument <value>
       For example, type agentCfg -list -hostname 192.9.200.7

       This example lists agents on a host whose IP address is 192.9.200.7. Note that the default node for the Oracle Agent is 44970.

          Agent(s) installed on node '192.9.200.7'
          ------------------
          OracleAgent (44970)

   -argument <value> -argument <value>
       For example, type agentCfg -agent OracleAgent -hostname 192.9.200.7

       This example displays the main menu of the agentCfg tool for a host whose IP address is 192.9.200.7. Use the menu options to view or modify the Oracle Agent parameters.


Chapter 5. Oracle Services Modifications

This chapter describes how to use the provided service configuration program to view or modify Oracle Services. All modifications made to settings with this tool take effect immediately.

Accessing the Service Configuration Tool Main Menu

The following procedure describes how to access the main menu of the serviceCfg tool for Oracle Agent parameters:

1. Log in to the Oracle Agent account.
2. Change the directory to the Oracle Agent bin directory.

      # cd C:\Tivoli\Agents\OracleAgent\bin

3. Type serviceCfg and press Enter.

      # serviceCfg

   The Main menu appears.

      IBM Oracle Agent Services Utility.
      -------------------------------------------
      1) Display current Oracle Services.
      2) Add a new Oracle Service.
      3) Modify an Oracle Service.
      4) Remove an Oracle Service.
      5) Test Oracle Connection.
      0) Exit.

      Enter Option:

This chapter includes a section for each of the following main functions:
- For option 1, see “Viewing Current Oracle Services”
- For option 2, see “Adding a New Oracle Service” on page 32
- For option 3, see “Modifying an Oracle Service” on page 33
- For option 4, see “Removing an Oracle Service” on page 34
- For option 5, see “Testing an Oracle Connection” on page 34

Type 0 to return to the main menu.

Viewing Current Oracle Services

The following procedure describes how to view the current Oracle Services:

1. Type option 1 (Display current Oracle Services) at the main menu prompt.
   The current Oracle Services for the Oracle Agent appear. The following is a sample of the Oracle Service settings:


      IBM Oracle Agent Services Utility.
      -------------------------------------------
      Display Current Services.
      Available Oracle Services 1 through 10

      OraService1=sugar:plum:7
      OraService2=peach:blossom:8
      OraService3=apple:cider:8
      OraService4=orange:juice:7

      N)next; P)previous; X)exit; -->

2. Type N to see the next ten Oracle Services, type P to see the previous ten Oracle Services, or type X to return to the main menu.

Adding a New Oracle Service

The following procedure describes how to add a new Oracle Service:

1. Type 2 (Add a new Oracle Service) at the main menu prompt.
   The Add a new Oracle Service menu appears.
2. Type the new Oracle Service Name and press Enter.

      Oracle Service Name:

3. Type the Oracle version number and press Enter.

      Oracle Version (7/8) [8]:

4. Type the Oracle service account name and press Enter.

      .....Oracle Account:

   Note: This is the name of the Oracle Administration Account.
5. Type the Oracle service account password and press Enter.

      ...Account password:

   This is the password of the Oracle Administration Account.
6. Re-type the Oracle service account password and press Enter.

      ....Verify Password:

7. Press any key to continue.

      Hit any key to continue

   The main menu reappears.

Example of Adding an Oracle Service

The following is a sample of the script to add a new Oracle Service:

      IBM Oracle Agent Services Utility.
      ------------------------------------------------
      Adding 'OracService1'.
      Oracle Service Name: bart
      Oracle version (7/8) [8]:
      .....Oracle Account: maggie
      .....Account Password:
      .....Verify Password:
      Added Service 'bart' with Account 'maggie', Version '8'.
      Hit any key to continue


Modifying an Oracle Service

The following procedure describes how to modify an Oracle Service:

1. Type 3 (Modify an Oracle Service) at the main menu prompt and press Enter.
   The Modify an Oracle Service menu appears.

      IBM Oracle Agent Services Utility.
      ----------------------------------------
      Modify Service.
      Available Oracle Services 1 through 10
      OraService1=sugar:plum:7
      OraService2=peach:blossom:8
      OraService3=apple:cider:8
      OraService4=orange:juice:7
      N)next; P)previous; M)modify; X)exit; -->

2. Type N to see the next ten Oracle Services, type P to see the previous Oracle Services, or type M to select an Oracle Service to modify and press Enter.
3. Type the number of the Oracle Service you want to modify and press Enter.

      Enter the OraService number to modify :

4. Accept the default or type a new service name and press Enter.

      Oracle Service Name [sugar]:

5. Accept the default or type a new Oracle version number and press Enter.

      Oracle Version (7/8) [8]:

6. Accept the default or type a new Oracle service account name and press Enter.

      .....Oracle Account [fairy]:

7. Type the Oracle Service account password and press Enter.

      .....Account Password :

8. Re-type the Oracle administrator account password and press Enter.

      .....Verify Password :

9. Press any key.
   The Modify an Oracle Service menu reappears with the new values listed.

Example of Modifying an Oracle Service

The following is an example of the script to modify an Oracle Service:

      IBM Oracle Agent Services Utility.
      ----------------------------------------
      Modify Service.
      Available Oracle Services 1 through 10
      OraService1= plum:system:8
      OraService2= peach:oradba:8
      OraService3= palm:es300:8
      OraService4= basswood:oradba:8

      N)next; P)previous; M)modify; X)exit; --> M

      Enter the OraService number to modify : 1
      Oracle Service Name [plum]:
      Oracle Version (7/8) [8]:
      .....Oracle Account [system]: itim
      .....Account Password:
      .....Verify Password:
      Update Service 'plum' with Account 'itim', Version '8'.
      Hit any key to continue.


Removing an Oracle Service

The following procedure describes how to remove an Oracle Service:

1. Type option 4 (Remove an Oracle Service) at the main menu prompt.
   The Remove an Oracle Service menu appears.

      IBM Oracle Agent Services Utility
      ---------------------------------------------
      Available Oracle Services 1 through 10
      OraService1=sugar:plum:7
      OraService2=peach:blossom:8
      OraService3=apple:cider:8
      OraService4=orange:juice:7
      N)next; P)previous; R)remove; X)exit; -->

2. Type N to see the next ten Oracle Services, type P to see the previous ten Oracle Services, or type R to select an Oracle Service to remove.
3. Type the number of the Oracle Service you want to remove and press Enter.

      Enter the OraService number to delete :

4. Type Y and press Enter.

      Are you sure [Y/N]:

   The Oracle Service that you selected is deleted.

Example of Removing an Oracle Service

The following is an example of the script to remove an Oracle Service:

      IBM Oracle Agent Services Utility.
      -----------------------------------------------
      Remove Service.
      Available Oracle Services 1 through 10
      OraService1=sugar:plum:7
      OraService2=peach:blossom:8
      OraService3=apple:cider:8
      OraService4=orange:juice:7
      N)next; P)previous; R)remove; X)exit; --> r
      Enter the OraService number to delete : 1
      Removing 'OraService1'...

      service name : 'sugar'
      account : 'plum'
      version : '8'

      Are you sure [Y/N]: y

Testing an Oracle Connection

The following procedure describes how to test the connection to your Oracle database:

1. Type 5 (Test Oracle Service connection) at the main menu prompt.
   The Test Oracle Service connection menu appears.

      IBM Oracle Agent Services Utility.
      ---------------------------------------------
      Test Oracle connection.
      Available Oracle Services 1 through 10
      OraService1=sugar:plum:7
      OraService2=peach:blossom:8
      OraService3=apple:cider:8
      OraService4=orange:juice:7

      N)next; P)previous; T)test connection; X)exit; -->


2. Type N to see the next ten Oracle Services, type P to see the previous ten Oracle Services, or type T to select an Oracle Service connection to test.
3. Type the number of the Oracle Service that you want to test and press Enter.

      Enter the OraService number to test :

   If the test is successful, the following message appears:

      Connection SUCCESSFUL to 'OraService1 : sugar' .

4. Press any key.

      Hit any key to continue.

   The Test Oracle connection menu reappears.

Example of Testing an Oracle Connection

The following is an example of the script to test an Oracle connection:

      IBM Oracle Agent Services Utility.
      ----------------------------------------
      Test Oracle connection.
      Available Oracle Services 1 through 10
      OraService1=sugar:plum:7
      OraService2=peach:blossom:8
      OraService3=apple:cider:8
      OraService4=orange:juice:7
      N)next; P)previous; T)test connection; X)exit; --> t
      Enter the OraService number to test: 1
      Connection SUCCESSFUL to 'OraService1 : sugar' .
      Hit any key to continue.


Chapter 6. Certificate Installation

This chapter describes how to use the provided certificate management tool (CertTool) to install and configure digital certificates for a Tivoli Identity Manager Agent. The industry-standard Secure Sockets Layer (SSL) mechanism, which uses digital certificates for authentication, is used for secure communication between the Tivoli Identity Manager Server and an Agent.

For a production environment, you must obtain and use a signed production certificate from a well-known Certificate Authority, or from your own Certificate Authority, to ensure secure communications. The agent does not come prepackaged with a certificate.

This chapter provides information for managing digital certificates on the Tivoli Identity Manager Agent only. Please refer to the "Managing Digital Certificates" chapter in the IBM Tivoli Identity Manager System Configuration Guide for information about configuring the Tivoli Identity Manager Server for SSL.

Note: If you install, modify, or delete a certificate, you must stop and restart the agent before the changes will take effect.

Overview of SSL and Digital Certificates

A Tivoli Identity Manager deployment must consider the security of communication between all configured components. The industry-standard Secure Sockets Layer (SSL) mechanism, which uses digital certificates for authentication, is used for secure communication in a Tivoli Identity Manager deployment.

SSL provides secure connections by allowing two applications connecting over a network connection to authenticate each other’s identity. Additionally, SSL provides encryption of the data exchanged between the applications. Authentication allows a server (one-way) to verify the identity of the application on the other end of a network connection. Encryption makes data transmitted over the network intelligible only to the intended recipient.

Features of SSL include the following concepts:
- SSL provides a mechanism for one application to authenticate itself to another application.
- One-way SSL allows one application to be certain of the identity of the other application.
- The application that assumes the "server" role possesses and uses a server-side certificate to prove its identity to the client application.
- The application that is presented with a certificate must have in its possession the root certificate (or certificate chain) of the Certificate Authority (CA) that signed the certificate being presented. The root CA certificate, or chain, validates the certificate being presented.
- In client connections, the client browser alerts the user when presented with a certificate that is not issued by a recognized Certificate Authority.

Note: Although the agent supports two-way SSL, Tivoli Identity Manager no longer supports two-way authentication.


Basic Configuration for Server-to-Agent SSL

The following information pertains to a Tivoli Identity Manager deployment on either the WebSphere or the WebLogic application server. In this scenario, the Tivoli Identity Manager Server initiates communication with the agent (server-to-agent) to complete a transaction originating from the browser.

Deployment summary:
- The Tivoli Identity Manager Server and the agent use one-way authentication over SSL.
- RSA SSL-C or Open SSL is used.

The Tivoli Identity Manager Agent must have a valid signed certificate; the Tivoli Identity Manager Server must have the corresponding CA certificate.

Note: In the diagram below, "ITIM Server" refers to the IBM Tivoli Identity Manager Server.

[Figure 2. Configuration for Server-to-Agent SSL. Diagram labels: ITIM Server; WebSphere or WebLogic Application Server; CA Cert A; One-way SSL; Agent; Cert A; Resource.]

Clustered Tivoli Identity Manager Configuration

In a clustered configuration, the Tivoli Identity Manager System uses one Web Server to manage and load balance multiple Tivoli Identity Manager Servers. Each Tivoli Identity Manager Server must have a valid CA certificate. All agents must have associated CA and signed certificates.

Accessing the Certificate Configuration Tool Main Menu

The following procedure describes how to access the main menu of the CertTool utility for Oracle Agent certificate parameters.

1. Select Programs from the Start menu, select Accessories, and then select Command Prompt.
   The Microsoft Windows DOS Command Prompt window appears.
2. Change to the agent’s bin directory.
   If the Oracle Agent directory is in the default location, type cd \Tivoli\Agents\OracleAgent\bin.
3. Type CertTool -agent OracleAgent at the prompt.
   The Main Configuration menu appears:

      Main menu - Configuring agent: OracleAgent
      ------------------------------

      A. Generate private key and certificate request
      B. Install certificate from file
      C. Install certificate and key from PKCS12 file
      D. View current installed certificate

      E. List CA certificates
      F. Install a CA certificate
      G. Delete a CA certificate

      H. List registered certificates
      I. Register certificate
      J. Unregister a certificate

      X. Quit

      Choice:

   Obtaining and installing a signed certificate:

   The first set of options allows you to generate a Certificate Signing Request (CSR) and install the returned signed certificate for the agent itself. The options here are:

   A   Generate a Certificate Signing Request (CSR) that is sent to the Certificate Authority (CA), and the associated private key.

   B   Install a certificate from a file. This file must be the signed certificate returned by the CA in response to the CSR generated by option A.

   C   Install a certificate from a PKCS12 format file that includes both the public certificate and a private key. If options A and B are not used to obtain a certificate, the certificate used must be in PKCS12 format.

   D   View all certificates installed on the system.

   Additional configuration for two-way SSL:

   The remaining options only apply if client validation (two-way authentication) is required and enabled.

   Note: Although the agent supports two-way SSL, Tivoli Identity Manager no longer supports two-way authentication.

   The second set of options allows installing root CA certificates. The CA certificates are used by the Tivoli Identity Manager Agent to validate the associated certificates presented by the Tivoli Identity Manager Servers.

   E   Show the installed CA certificates. The agent only communicates with Tivoli Identity Manager Servers whose certificates are validated by one of the installed CA certificates.

   F   Install a new CA certificate so that certificates generated by this CA can be validated. The CA certificate file can be either in X.509, binary, or PEM encoded formats.


   G   Remove one of the installed CA certificates.

   Registering a signed certificate for two-way SSL:

   The remaining options only apply if client validation (two-way authentication) is required and enabled.

   Note: Although the agent supports two-way SSL, Tivoli Identity Manager no longer supports two-way authentication.

   The third set of options allows the agent to register the Tivoli Identity Manager Server signed certificate. The Tivoli Identity Manager Server’s signed certificate is then validated by the agent when two-way SSL communication is established. If the Tivoli Identity Manager Server’s signed certificate is validated by one of the Agent’s CA certificates but not registered with the Agent, the Agent will refuse to communicate with the Tivoli Identity Manager Server.

   H   List all registered certificates that will be accepted for communications.

   I   Register a new certificate. The certificate to be registered should be in Base 64 encoded X.509 format.

   J   Unregister (remove) a certificate from the registered list.

This chapter includes a section for each of the following main functions:
- For option A, see “Generating a Private Key and Certificate Request”.
- For option B, see “Installing the Certificate from a File” on page 42.
- For option C, see “Installing the Certificate and Key from a PKCS12 File” on page 42.
- For option D, see “Viewing Installed Certificates” on page 42.
- For option E, see “Viewing CA Certificates” on page 42.
- For option F, see “Installing a CA Certificate” on page 43.
- For option G, see “Deleting a CA Certificate” on page 43.
- For option H, see “Viewing Registered Certificates” on page 43.
- For option I, see “Registering a Certificate” on page 43.
- For option J, see “Unregistering a Certificate” on page 44.

Type X to return to the main menu.

Generating a Private Key and Certificate Request

The following procedure describes how to generate a private key and certificate request.

1. Type option A (Generate a private key and certificate request) at the main menu prompt.

      Enter values for certificate request (press enter to skip value)
      -------------------------------------------------------------------------

2. Type your organization name and press Enter.

      Organization:

3. Type the desired organizational unit and press Enter.

      Organizational Unit:

4. Type the name of the agent you are requesting a certificate for and press Enter.


      Agent Name:

5. Type the contact email address and press Enter.

      Email:

6. Type the country in which the agent resides and press Enter.

      Country:

7. Type the state in which the agent resides (if the agent is located in the United States) and press Enter.

      State:

   Note: Some certificate authorities do not accept two letter abbreviations for states.
8. Type the name of the city in which the agent resides and press Enter.

      Locality:

9. Type Y to accept the values displayed or type N to re-enter the values and press Enter.

      Accept these values (y/n)?

   The key pair and certificate request are generated once the values are accepted.
10. Type the name of the file to store the PEM certificate request and press Enter.

      Enter name of file to store PEM cert request (Enter to cancel):

11. Press Enter.
    The main menu reappears.

You must now request a certificate from a trusted certificate authority.

Example of Certificate Request Script

The following is an example of a certificate request:

      Enter values for certificate request (press enter to skip value)
      -----------------------------------------------------------------
      Organization: ibm
      Organizational Unit: engineering
      Agent Name: ntagent
      Email: [email protected]
      Country: US
      State: California
      Locality: Irvine
      Accept these values (y/n)? y
      Generating key pair and certificate request ...
      Enter name of file to store PEM cert request (Enter to cancel) : request.pem
      Certificate request written to request.pem. Press Enter to continue.

Example of request.pem File

      -----BEGIN CERTIFICATE REQUEST-----
      [Base64-encoded request data]
      -----END CERTIFICATE REQUEST-----


Installing the Certificate from a File

The following procedure describes how to install a certificate in the agent registry. This is the certificate you receive from your trusted certificate authority after submitting your certificate request.

Note: If you received the certificate as part of an e-mail message, copy the text of the certificate to a text file and copy the certificate file (the text file you just created) to the agent’s bin directory.

1. Type B (Install certificate from file) at the main menu prompt.
   A prompt appears:

      Enter name of certificate file:

2. Type the name of the certificate file and press Enter.
   The certificate is installed in the agent registry and the main menu reappears.

Installing the Certificate and Key from a PKCS12 File

The following procedure describes how to install the certificate and the private key in the agent registry from a PKCS12 (.pfx) file. This format includes both the certificate and private key in a password protected file.

Note: Be sure to copy the certificate file to the agent’s bin directory. For example, C:\Tivoli\Agents\<agentname>\bin

1. Type C (Install certificate and key from PKCS12 file) at the main menu prompt.
2. Type the name of the PKCS12 file that has the certificate and private key information and press Enter.

      Enter name of PKCS12 file:

   For example, DamlSrvr.pfx
3. Type the password to access the file and press Enter.

      Enter password:

   The certificate and private key are installed in the agent registry.

Viewing Installed Certificates

You can list all of the certificates installed on your system using option D (View currently installed certificates).

Type D (View currently installed certificates) at the main menu prompt.

The installed certificates are listed and the main menu reappears. The following is an example of an installed certificate:

      The following certificate is currently installed.
      Subject: c=US,st=California,l=Irvine,o=DAML,cn=DAML Server

Viewing CA Certificates

The following procedure describes how to list all CA certificates installed on the agent.

Type E (List CA certificates) at the main menu prompt.


The installed CA certificates are listed and the main menu reappears. The following is an example only.

Subject: o=IBM,ou=SampleCACert,cn=TestCA
Valid To: Wed Jul 26 23:59:59 2006

Installing a CA Certificate

The following procedure describes how to install a CA certificate.

1. Type F (Install a CA certificate) at the main menu prompt.
   A prompt appears:
   Enter name of certificate file:

2. Type the name of the certificate file and press Enter.
   The certificate file is opened and a prompt appears:
   [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
   Install the CA? (Y/N)

3. Type Y to install the certificate and press Enter.
   The CA certificate file is installed in the CACerts.pem file.

Deleting a CA Certificate

The following procedures describe how to delete a CA certificate from the agent directories.

1. Type G (Delete a CA certificate) at the main menu prompt.
   A list of all CA certificates installed on the agent is displayed.
   0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
   1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support
   Enter number of CA certificate to remove:

2. Type the number of the CA certificate you want to remove and press Enter.
   The CA certificate is deleted from the CACerts.pem file and the main menu reappears.

Viewing Registered Certificates

The following procedures describe how to view a list of all registered certificates available to the agent. Only requests that present a registered certificate will be accepted by the agent when client validation is enabled.

Type H (List registered certificates) at the main menu prompt.

The registered certificates are displayed and the main menu reappears. The following is an example only.

0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support

Registering a Certificate

The following procedures describe how to register a certificate for the agent.

1. Type I (Register certificate) at the main menu prompt.
   A prompt appears:
   Enter name of certificate file:

2. Type the name of the certificate file to be registered and press Enter.
   The subject of the certificate is displayed and a prompt appears.


   [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
   Register this CA? (Y/N)

3. Type Y to register the certificate and press Enter.
   The certificate is registered to the agent and the main menu reappears.

Unregistering a Certificate

The following procedures describe how to unregister a certificate for the agent.

1. Type J (Unregister a certificate) at the main menu prompt.
   The registered certificates are displayed. The following is an example only.
   0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
   1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support

2. Type the number of the certificate file to be unregistered and press Enter.
   The subject of the selected certificate is displayed.

3. Type Y to unregister the certificate and press Enter.
   The certificate is removed from the registered certificate list for the agent and the main menu reappears.


Appendix A. Agent Variables

The Oracle Agent consists of files and directories owned by the Tivoli Identity Manager account. The Tivoli Identity Manager-owned files establish communication with the Tivoli Identity Manager Server.

Variable Descriptions

The Tivoli Identity Manager Server communicates with the Oracle Agent using variables included in transmission packets sent over a network. The combination of variables, included in the packets, depends on the type of action the Tivoli Identity Manager Server requests from the Oracle Agent.

The following table is an alphabetical listing of the variables used by the Oracle Agent. The table gives a brief description and the data format associated with the variable.

Table 9. Variable descriptions

| Variable Name | Directory Server Attribute | Description | Data Format |
|---|---|---|---|
| AUTHENTICATION | erOracleAuthenticationType | Specifies how the user is authenticated by Oracle | LOCAL: user authentication is performed by the local Oracle databases; EXTERNAL: user authentication is performed by the Operating System; GLOBAL: user authentication is performed by the Network |
| | description | | |
| EXPIRE | erOracleExpirePwd | Forces password to expire, if true. The user must change the password at next log in. | True = 1; False = 0 |
| | erOracleGroupType | | |
| GLOBAL | erOracleGlobalName | Oracle requires an external name if authentication is GLOBAL | An external string that identifies the user. |
| PASSWORD | erPassword | User password | Must follow rules described in the Oracle SQL Reference |
| | erOraclePrflName | | |
| PROFILE | erOracleProfile | Name of the Oracle user profile | Any valid Profile defined in the Oracle database. |
| QUOTA | erOracleTableSpaceQuota | Oracle space quota allocated for the user in a tablespace. | xM on <tablespace name>; xK on <tablespace name>; x on <tablespace name>; UNLIMITED on <tablespace name>. Where x is a numeric value > 0, M is for megabyte, K is for kilobyte, and UNLIMITED is for no limit. Any valid tablespace name defined in the Oracle database. |
| ROLE | erOracleRole | Name of the Oracle role assigned to the user. | Any valid Role defined in the Oracle Database. The WITH ADMIN OPTION can be appended to any role. |
| | erOracleRolesName | | |
| ServiceName | erOracleServiceName | Defines the Oracle Net8 service name. The agent uses this value to connect to Oracle | Any valid Service Name defined by Oracle Client Network Configuration. |
| SYSPRIV | erOracleSysPriv | Grants or revokes a user the right to perform a particular database operation or class of database operations. | Any valid System Privilege defined in the Oracle database. |
| TABLESPACED | erOracleDefaultTableSpace | Name of the default Oracle table space allocated for the user. | Any valid tablespace name defined in the Oracle database. |
| | erOracleTblspacesName | | |
| TABLESPACET | erOracleTemporaryTableSpace | Name of the Oracle temporary table space allocated for the user. | Any valid tablespace name defined in the Oracle database. |
| UserName | eruid | User login ID | Must follow rules described in the Oracle SQL Reference. |

Variables by Oracle Agent Actions

The following lists are typical Oracle Agent actions by their functional transaction group. The lists include more information about required and optional variables sent to the Oracle Agent to complete that action.

Database Login Add

A Login Add is a request to create a new user account in the domain with the specified attributes.

Table 10. Add function attributes

| Required Variables | Optional Variables |
|---|---|
| UserName, ServiceName | AUTHENTICATION, EXPIRE, GLOBAL, PASSWORD, PROFILE, QUOTA, ROLE, SYSPRIV, TABLESPACED, TABLESPACET |
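The data formats in Table 9 and the required/optional split in Table 10 can be checked before a Login Add is submitted. The following is an added example, not code from IBM or from the agent: the dictionary representation of a request, the function names, the strict case and spacing, and the restriction of tablespace names to Oracle's unquoted identifier form are all assumptions of the example.

```python
import re

# Data formats from Table 9 of the guide.
AUTH_TYPES = {"LOCAL", "EXTERNAL", "GLOBAL"}
# Assumption of this example: tablespace names use Oracle's unquoted
# identifier form (letter first, then letters, digits, _ $ #, 30 chars max).
QUOTA_RE = re.compile(
    r"^(?:(?P<size>[0-9]+)(?P<unit>[MK]?)|(?P<unlimited>UNLIMITED))"
    r" on (?P<tablespace>[A-Za-z][A-Za-z0-9_$#]{0,29})$"
)

# Required and optional variables for a Login Add, from Table 10.
ADD_REQUIRED = ("UserName", "ServiceName")
ADD_OPTIONAL = ("AUTHENTICATION", "EXPIRE", "GLOBAL", "PASSWORD", "PROFILE",
                "QUOTA", "ROLE", "SYSPRIV", "TABLESPACED", "TABLESPACET")


def parse_quota(value):
    """Parse one QUOTA value into (size, unit, tablespace).

    size is None for UNLIMITED; unit is "M", "K" or "" (no suffix).
    Raises ValueError for anything outside the four documented forms.
    """
    match = QUOTA_RE.match(value)
    if match is None:
        raise ValueError("QUOTA is not in a documented form: %r" % (value,))
    if match.group("unlimited"):
        return None, "", match.group("tablespace")
    size = int(match.group("size"))
    if size <= 0:  # the guide requires x > 0
        raise ValueError("QUOTA size must be greater than 0: %r" % (value,))
    return size, match.group("unit"), match.group("tablespace")


def validate_add_request(variables):
    """Return the list of problems in a Login Add variable set (empty if none)."""
    problems = []
    for name in ADD_REQUIRED:
        if not variables.get(name):
            problems.append("missing required variable %s" % name)
    allowed = set(ADD_REQUIRED) | set(ADD_OPTIONAL)
    for name in sorted(set(variables) - allowed):
        problems.append("unexpected variable %s" % name)

    auth = variables.get("AUTHENTICATION")
    if auth is not None and auth not in AUTH_TYPES:
        problems.append("AUTHENTICATION must be LOCAL, EXTERNAL or GLOBAL")
    if auth == "GLOBAL" and not variables.get("GLOBAL"):
        problems.append("GLOBAL (external name) is required when "
                        "AUTHENTICATION is GLOBAL")

    expire = variables.get("EXPIRE")
    if expire is not None and str(expire) not in ("0", "1"):
        problems.append("EXPIRE must be 1 (true) or 0 (false)")

    quotas = variables.get("QUOTA", [])
    if isinstance(quotas, str):  # accept a single value or a list of values
        quotas = [quotas]
    for quota in quotas:
        try:
            parse_quota(quota)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


# Constructed sample requests (not taken from the guide).
GOOD_REQUEST = {
    "UserName": "jsmith", "ServiceName": "ORCL", "AUTHENTICATION": "LOCAL",
    "PASSWORD": "constructed-sample", "EXPIRE": "1",
    "QUOTA": ["10M on USERS", "UNLIMITED on TEMP"],
}
BAD_REQUEST = {
    "UserName": "jsmith", "AUTHENTICATION": "GLOBAL", "EXPIRE": "yes",
    "QUOTA": ["0K on USERS", "10G on USERS"], "HOMEDIR": "/tmp",
}

if __name__ == "__main__":
    print(validate_add_request(GOOD_REQUEST))
    for problem in validate_add_request(BAD_REQUEST):
        print(problem)
```

Rejecting values outside the documented forms keeps malformed quota, tablespace and authentication values from reaching the account-creation step on the database.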

Database Login Change

Use the Change function to change one or more attributes for the specified users.

Table 11. Change function attributes

| Required Variables | Optional Variables |
|---|---|
| UserName, ServiceName | AUTHENTICATION, EXPIRE, GLOBAL, PASSWORD, PROFILE, QUOTA, ROLE, SYSPRIV, TABLESPACED, TABLESPACET |

Database Login Delete

The Delete function removes the specified user from the active directory.

Table 12. Delete function

| Required Variables | Optional Variables |
|---|---|
| UserName, ServiceName | None |

Database Login Suspend

Use the Suspend function to disable a user account. The user is neither removed nor are their attributes modified.

Note: Oracle Agent does not support the suspend function when managing Oracle version 7.x.

Table 13. Suspend function

| Required Variables | Optional Variables |
|---|---|
| UserName, ServiceName | None |


Database Login Restore

Use the Restore function to re-activate a user account that was previously suspended. After Restoring, the user can access the system with the same attributes as those before the Suspend function is called.

Note: Oracle Agent does not support the restore function when managing Oracle version 7.x

Table 14. Restore function

| Required Variables | Optional Variables |
|---|---|
| UserName, ServiceName | Password |

Reconciliation

The Reconciliation function synchronizes user account information between Tivoli Identity Manager and the agent. The following is a full set of access attributes returned by reconciliation. An asterisk (*) denotes attributes that are for informational purposes only.

Table 15. Reconciliation function

| Required Variables | Optional Variables |
|---|---|
| UserName | None |


Appendix B. Additional Installation Options

This chapter describes installation options available when installing the agent.

In addition to installation information, instructions are provided to uninstall the agent. Each step includes a short procedure that completes one aspect of the overall agent uninstall process. You must complete the steps in the order they are listed.

Installation Options

Several agent installation options are provided to account for disparate environments and preferences.

Batch File Option

The setupconsole.exe file is provided to allow you to install the agent using a batch file. The setupconsole.exe file is different from setup.exe in that setupconsole.exe will wait for the java process to complete and return the exit code. This allows a batch file to branch based on the results of the setup.

Console Option

Use the following command to install the agent from a console or command line:

<agent or profile install>.exe -is:javaconsole -console

This performs a console-based installation that does not require a GUI. This is useful on machines that install through a telnet session.

Setup Arguments

This section details arguments that can be used with the agent and agent profile installation executables. All of the arguments described here can be used with the -is:javaconsole -console option to use a command line text interface instead of a GUI.

<agent or profile install>.exe -options-record <filename>
   This command records the options that were selected during the install into a file.

<agent or profile install>.exe -options-template <filename>
   This command creates a template file that has fields for all of the options that may be selected during installation. This file can then be edited to include the desired responses and played back with the option below.

<agent or profile install>.exe -options-silent <filename>
   This command plays back the previously recorded file during a silent installation where installation is performed with no user interaction.

Agent Removal

This section describes the Oracle Agent uninstall procedures. Give users advance warning that the resource will be unavailable prior to removing the agent. If the server is taken offline, Oracle Agent requests that are not completed may not be recoverable when the server is back online.


Complete the following procedure to remove the Oracle Agent and directories.

1. Stop the Oracle Agent service.

2. Open Windows Explorer and execute uninstaller.exe.
   The Welcome dialog window appears.

3. Click Next.
   The Oracle Agent uninstallation summary dialog window appears.

4. Click Next.
   The Oracle Agent components are deleted.

5. Click Finish.

Note: Inspect the directory tree for Oracle Agent directories, subdirectories, and files to verify that uninstall is complete. The Oracle Agent should no longer appear in the Services dialog window.


Appendix C. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

AIX
DB2
IBM
IBM logo
SecureWay
Tivoli
Tivoli logo
Universal Database
WebSphere

Lotus is a registered trademark of Lotus Development Corporation and/or IBM Corporation.

Domino is a trademark of International Business Machines Corporation and Lotus Development Corporation in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.


Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.


