Tivoli Access Manager for Enterprise Single Sign-On Training Handout: Installation

Introduction

This lab guide walks you through the setup of the TAM E-SSO Provisioning Adapter with IBM Tivoli Identity Manager Express 4.6 on a Windows 2003 Server system. Once you complete the steps outlined in this lab guide, you’ll have a fully functional environment which you can use to demonstrate the capabilities of TAM E-SSO and ITIMx.

The lab is presented in three sections. In Part 1, you will install and configure TAM E-SSO to use Microsoft ADAM as the repository for user credentials and configuration information.

Active Directory Application Mode (ADAM) is a part of Microsoft’s integrated directory services available with Windows Server 2003, and is built specifically to address directory-enabled application scenarios. ADAM runs as a non-operating-system service, and, as such, it does not require deployment on a domain controller.

In Part 2 of the lab, you will install the TAM E-SSO Provisioning Adapter (future addition).

Finally, in Part 3 and Part 4 of the lab you will configure the provisioning adapter to integrate with ITIM Express 4.6. Then you will work through a demo scenario that shows the integration of the two products and the value it provides to customers looking to deploy an Identity Management and Desktop Single Sign-On solution. (future addition)

PART ONE _______________________________________________________

Installing Microsoft Active Directory Application Mode Service

You are starting with a VMware image that is running Windows 2003 Server, FP 1. On this server, Identity Manager Express has already been installed. Details of this server are:

Hostname:            ITIMServer

Administrator Name:  Administrator

Password:            tivoli

Domain:              ondemandinc.com

ITIMx URL:           http://itimserver/itim/identity

Home Page:           http://itimserver:81/homepage.html (running IBM HTTP Server)

All installation files are located in the directory C:/Studentfiles/Install.

If it is not running, start the ITIMServer VMware image. Log into the server as Administrator.

Installing ADAM

Microsoft recommends that ADAM instances should not be installed on domain controllers. ITIMServer is a stand-alone Windows 2003 Server.

1.      Navigate to the C:/Studentfiles/Install/ADAM directory and launch the program ADAMSP1_x86_English.exe

Note:  ADAM is available as a free download from Microsoft’s download site. It is also part of Windows 2003 Server R2 and can be installed by accessing Windows Control Panel -> Add/Remove Programs.

2.      The installation program begins. Click Next> to continue.

3.      Accept the License Agreement. Click Next> to continue.

4.      The installation program progresses…

5.      Click Finish to complete the installation.

The ADAM program group has now been added to your system. You will now create an ADAM instance that will be used by TAMES.

6.      Click on Programs -> ADAM -> Create an ADAM instance.

7.      The setup wizard starts. Click Next > to continue.   

8.      Select the radio button for creating a unique instance.  Click Next > to continue.   

9.      Provide an instance name. Use TAMES as the instance name. Click Next > to continue.

10.  The first available ports are selected as the defaults. Port 50001 is selected as we have an instance of LDAP listening on port 389 already. The SSL port will not be used for this lab. Click Next > to continue.

11.   You will create an application directory partition for the SSO data. Name the partition OU=SSOPartition,DC=ondemandinc,DC=com. Click Next > to continue.

12.  Use the defaults for the location of the data files and the recovery files. Click Next > to continue.

13.  Accept the default for using the Network service account to perform ADAM operations. Click Next > to continue.

The following pop-up will appear.

14.  Click Yes to continue as we will not be using replication with other ADAM instances in this lab.

15.  Accept the default to use the currently logged on user for ADAM administration. Click Next > to continue.

16.  You do not need to import any LDIF information so click Next > to continue.

17.  Click Next > to complete the instance installation.

18.  Click Finish to complete the installation.

Configuring the ADAM Instance

First we will create two Windows groups that will be used in this lab for the SSO configuration.

1.      Click on the shortcut on your desktop to launch the Users and Groups MMC plugin.

2.      Right click on the Groups container and select New Group…

3.      Create two new groups, SSO Admins and SSO Users. Any user that is going to use TAM E-SSO will need to be a member of this Windows group.

4.      At this time, also add the Administrator account to the SSO Users group, so you will be able to use this account as an end-user account to test with. Right click on the Administrator user account to display the properties for the user. Then add SSO Users on the Member Of tab.

5.      You are ready to move on to the next task, customizing ADAM. Close the User and Group management window.

ADAM can be managed using the ADAM ADSI Editor.  Next you will create a connection to your ADAM instance.

6.      Start the ADAM ADSI editor by selecting Programs -> ADAM -> ADAM ADSI Edit.

7.      Right click on the ADAM ADSI Edit container and select Connect to…

8.      Complete the Connection Settings window as follows:

Connection Name:    TAMES ADAM

Server Name:        itimserver

Port:               50001

Naming context:     Configuration

Credentials:        the account of the currently logged on user

Then, click OK to continue.

9.      Expand the containers so your window looks like the above. Click on the CN=Partitions container. Notice the container we specified when we created the ADAM instance; it is the first entry in the list. Right click on the OU=SSOPartition entry.

10.  Select New Connection to Naming Context.

11.  Expand the new container entry created. Your window should now look like this.

Next you will specify rights available to new Windows groups you just created within the ADAM instance.  You will use the two Windows groups you created, SSO Admins and SSO Users.

12.  Click on CN=Roles in the upper part of the tree.

13.  Right click on the CN=Administrators group and bring up the Properties window.

14.  Select the member attribute then click the Edit button.

15.  Next click the Add Windows Account button and add the SSO Admins group.

16.   Click the OK button. Your results should look like this.

17.  Click OK on this window and on the next window to return to the ADSI Edit window.

Still in the top part of the ADAM ADSI Edit tree, you will add the SSO Users group to both the CN=Readers and CN=Users groups. Follow the steps you just did for the SSO Admins group.

18.   Click on CN=Readers in the CN=Roles container in the top part of the tree. Double-click to bring up the properties page. Select the member attribute, then click the Edit button.

19.  Click on the Add Windows account button. Add the SSO Users group to this attribute.

20.  Your window should look like the above. Click OK to close the window. Click OK again to close the Properties window.

21.   Click on the role CN=Users. Add the group SSO Users to the member attribute as done in the previous step.

22.  Now click on the CN=Roles container in the bottom portion of the tree, and complete the following:

  1. Add SSO Admins group to CN=Administrators group membership.
  2. Add SSO Users group to CN=Readers group membership.
  3. Add SSO Users group to CN=Users group membership.

This completes the configuration of ADAM using the ADAM ADSI Editor. You can close the application.
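The role grants above are made by clicking through the ADSI Editor, which leaves nothing on disk to review afterwards. The following Python script is an added example (it is not part of the original handout, nor code from the TAM E-SSO or ADAM products): it reads an LDIF export of the two CN=Roles containers and reports any difference from the grants the lab intends, in both the configuration partition and the OU=SSOPartition partition. It assumes the export was produced with a tool such as ldifde, and the GROUP_DNS mapping of the two Windows groups to member DNs is an assumption to adapt to your own export; the instance GUID in CONFIG_BASE and the LDIF in SAMPLE_LDIF are constructed placeholders.

```python
"""Audit ADAM role membership from an LDIF export (added example, not from the
handout or the product). Assumes the CN=Roles containers were exported to LDIF,
e.g. with ldifde, and checks the grants made above: SSO Admins -> Administrators,
SSO Users -> Readers and Users, with no other members."""
import base64

EXPECTED_GRANTS = {                     # role CN -> Windows groups per the lab
    "Administrators": {"SSO Admins"},
    "Readers": {"SSO Users"},
    "Users": {"SSO Users"},
}
# Assumed member DNs; a real ADAM export names Windows principals by SID under
# CN=ForeignSecurityPrincipals, so adapt this mapping to your export.
GROUP_DNS = {
    "SSO Admins": "CN=SSO Admins,CN=Users,DC=ondemandinc,DC=com",
    "SSO Users": "CN=SSO Users,CN=Users,DC=ondemandinc,DC=com",
}
CONFIG_BASE = "CN=Configuration,CN={PLACEHOLDER-INSTANCE-GUID}"  # placeholder GUID
APP_BASE = "OU=SSOPartition,DC=ondemandinc,DC=com"


def parse_ldif(text):
    """Return {dn: {attribute: [values]}}; handles folded lines, comments,
    base64 values ('attr:: ...') and skips URL values ('attr:< ...')."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]       # join a folded line to its predecessor
        else:
            unfolded.append(raw)
    entries, current_dn, attrs = {}, None, {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current_dn is not None:
                entries[current_dn] = attrs
            current_dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):       # URL reference, not needed here
            continue
        else:
            value = value.strip()
        if name.lower() == "dn":
            current_dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def audit_roles(ldif_text, group_dns=GROUP_DNS, expected=EXPECTED_GRANTS):
    """List MISSING (required grant absent) and EXTRA (unintended member)
    findings for every exported role directly under a CN=Roles container."""
    dn_to_group = {dn.lower(): name for name, dn in group_dns.items()}
    findings = []
    for dn, attrs in parse_ldif(ldif_text).items():
        parts = dn.split(",")             # naive split; fine for unescaped DNs
        if len(parts) < 2 or parts[1].lower() != "cn=roles":
            continue
        role = parts[0][3:] if parts[0].lower().startswith("cn=") else None
        if role not in expected:
            continue
        actual = {dn_to_group.get(m.lower(), m) for m in attrs.get("member", [])}
        for group in sorted(expected[role] - actual):
            findings.append(f"MISSING: {group} is not a member of {dn}")
        for group in sorted(actual - expected[role]):
            findings.append(f"EXTRA: {group} is a member of {dn}")
    return findings


# Constructed sample export (not real data). The application partition has two
# deliberate mistakes: SSO Users was also added to Administrators, Users is empty.
SAMPLE_LDIF = f"""\
dn: CN=Administrators,CN=Roles,{CONFIG_BASE}
objectClass: group
member: {GROUP_DNS['SSO Admins']}

dn: CN=Administrators,CN=Roles,{APP_BASE}
objectClass: group
description:: {base64.b64encode(b'Admins of the SSO partition').decode()}
member: {GROUP_DNS['SSO Admins']}
member: {GROUP_DNS['SSO Users']}

dn: CN=Readers,CN=Roles,{APP_BASE}
objectClass: group
member: CN=SSO Users,CN=Users,
 DC=ondemandinc,DC=com

dn: CN=Users,CN=Roles,{APP_BASE}
objectClass: group
"""

if __name__ == "__main__":
    print("\n".join(audit_roles(SAMPLE_LDIF) or ["OK: role membership matches the lab"]))
```

Run against the constructed sample, the script reports the over-privileged SSO Users entry in the partition's CN=Administrators role and the empty CN=Users role; an empty result means the grants match the lab.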

The installation and configuration of ADAM is now complete. So far you have created an ADAM instance and container for TAM E-SSO to store information. All of the TAM E-SSO data will be stored inside the ADAM directory just created. You are now going to install the TAM E-SSO application.

_______________________________________________________

Installing and Configuring TAM E-SSO

Now that the repository is created that will store the TAM E-SSO data, the following tasks must be completed to build our demonstration environment:

-  Install the TAM E-SSO Console
-  Configure the TAM E-SSO Console to use the ADAM repository
-  Install the TAM E-SSO Client
-  Configure the ADAM Synchronizer
-  Run the First Time Setup for the Client
-  Verify the communications between the client and the repository.

This section provides you with step-by-step instructions to complete each of these tasks.

Installing the TAM E-SSO Administrative Console

1.      Navigate to the directory c:/Studentfiles/Install/TAMES.

2.      Launch the program IBM Tivoli Access Manager for Enterprise Single Sign-On Admin Console.exe

3.      Choose your language and click OK

4.      Click Next to continue…

5.      Accept the license agreement and click Next to continue…

6.      Select Complete and click Next to continue…

7.      Then click the Install button.

8.      Click Finish to complete the installation.

Configuring the TAM E-SSO Console to Use the ADAM Repository

This task will prepare the ADAM repository to properly store the TAM E-SSO data. The steps in this section will add the attributes and object classes needed for TAM E-SSO.

1.      Start the TAM E-SSO Console.

Start → Programs → IBM TAM E-SSO → TAM E-SSO Console

2.      Click on Repository  → Extend Schema

3.      Complete the connection details as follows:

Server Name:        itimserver

Repository Type:    Microsoft ADAM

Port:               50001

SSL:                de-select the checkbox – we will NOT use SSL for our demo

Username:           Administrator

Password:           tivoli

Then click OK to continue…

The task should complete successfully.

4.      Click Close to continue…

5.      Click on Repository at the bottom of the left pane and then the Click here to connect link.

6.      Complete the connection details, then click OK.

7.      In the right pane on the screen, navigate to the OU=SSOPartition,DC=ondemandinc,DC=com object. Right click on the object and select Configure E-SSO Support.

8.      Choose the Administrative Console button, then choose Standard mode. Click Next to continue…

9.      Take the default, Do Not send apps, and click Next to continue. Then click Finish.

The result will be that the OU=People container will be created under the OU=SSOPartition,DC=ondemandinc,DC=com container. The OU=People container is where our users store their username/password credentials.

Note: to view the containers, make sure that both the Show User Credential Containers and the Show Users items are checked under the Repository menu as shown above.

10.  Click on the container OU=SSOPartition,DC=ondemandinc,DC=com to highlight it. Right click on the container and select New Container from the drop-down menu.

11.  Create a container named SSOConfig. This is where the TAM E-SSO application templates will be stored. Click OK to create the container.

You now have two containers created to store the TAM E-SSO data. Next you will install the TAM E-SSO Client and configure synchronization. You can minimize the TAM E-SSO console while you perform the steps in the next section.

Installing the TAM E-SSO Client

Next you will install the TAM E-SSO client which will communicate with the ADAM repository. You need to do a custom installation to make sure the ADAM synchronizer gets selected.

Navigate to the c:/Studentfiles/Install/TAMES directory.

1.      Launch the program IBM Tivoli Access Manager for Enterprise Single Sign-Onv5.0MLE.exe. Then select the language, click Next to continue, and accept the license.

2.      Select a Custom installation. This is required to select the correct synchronizer.

3.      Expand the Logon Methods folder. Make sure Windows Logon is selected.

4.      Next, expand the Extensions folder and then the Synchronization Manager folder. Select the ADAM Synchronizer menu and select This feature will be installed on the local hard drive from the list. This changes the feature’s icon and marks the ADAM synchronizer for installation.

Click Next to continue with the installation. Click the Install button to start the installation. Click Finish to complete the installation.

Configure the ADAM Synchronizer

In this section you will configure the Global Agent settings for the ADAM synchronizer with the connection parameters to our ADAM directory.

Return to the TAM E-SSO Administration Console. You will need to close and restart the console to pick up the new registry information.

1.      Click on the object Global Agent Settings.

2.      Right click and, from the menu, select Import → From Live HKLM. What you have just done is to load the local machine’s necessary registry settings into the SSO Admin console. The next step is to configure the Global Agent/Registry settings using the SSO Administrative Console.

3.      Expand the Global Agent Settings Live keys and expand Synchronization as shown above.

There are three (3) things that you need to have configured at a minimum to allow the agent to properly communicate with the ADAM instance: role/group security, the ADAMSyncExt extension, and the server list.

4.      Click on Synchronization to display the Synchronization properties. Enable role/group security (select the check box) and select Use role/group security from the list.

Next, select Required under the ADAMSyncExt object.

Next, you need to specify the server where the ADAM directory is running.

5.      Click on the check box for Servers and then click on the icon next to it to open the input popup window. In the window, type the server name and the port number that ADAM is listening on: enter itimserver:50001 in the input box and click OK to continue.

6.      Next, select Tools → Write Global Agent Settings to HKLM to save the configuration.

Next you will test that the synchronization is working and users are able to write their credentials to the ADAM repository.

You will now go through the first time SSO Adapter setup.

1.      Select Programs → IBM TAM E-SSO → TAM E-SSO. This will start the First Time User Setup Wizard. Click Next to continue, then click Next to continue again.

2.      Windows Logon is the default primary logon authentication method. Click Next to continue.

3.      Enter the Administrator’s password, which is tivoli.

4.      Click Finish to complete the client setup.

Now return to the TAM E-SSO Console. Let’s verify that the user’s credentials were written to the ADAM repository in the containers created earlier.

5.      Connect to the repository.

6.      Expand the OU=SSOConfig,DC=ondemandinc,DC=com container, then the OU=People container.

Note that the credentials have been stored for the user Administrator.

The next objective is to publish application templates and policies to the Repository. The steps in this section will allow you to centrally manage application templates, authentication policies, and TAM E-SSO settings.

The steps in this section are implemented whenever adding or changing application templates or policies in the user repository. The SSO Adapter will periodically pull this information from the repository in order to keep a local cache of the end user’s credentials and supported application templates on the user’s desktop.

Now let’s create an application template and verify the synchronizer is working.

 

7.      In the console, navigate to the Applications container.  Then click on the Add button to add a new application.

8.      Choose Adobe Acrobat Reader from the Application drop down list. At this point we are simply interested in testing that the synchronization works. As a rule of thumb, using a simple application that doesn’t require any authentication should suffice and Acrobat Reader is perfect for this purpose.

9.      After pressing the Finish button, you will now see an object called Adobe Acrobat Reader in the left-hand pane of the Console.

10.  Navigate to the Repository view, and in the right-hand pane, right-click the new container object OU=SSOConfig and select Configure E-SSO Support from the pop-up menu.

11.   Select the Administrative Console button, then Advanced mode, and click Next to continue.

12.   Click the Add All button in the Applications section. Adobe Reader appears in the list. Click Next to continue.

13.   Now click the Finish button to complete the operation. When the Wizard completes, the Administrative Console should display a new Adobe Acrobat Reader under the OU=SSOConfig container as shown below.

14.  At this point you should also save the settings back to the registry. Click on Tools → Write Global Agent Settings to HKLM to save the configuration.

15.  Return to the TAM E-SSO client and open the Logon Manager.

16.   Click the Refresh button first to synchronize with the repository, then click Add, then Add a log on.

17.   In the application list, you should see Adobe Acrobat Reader if the synchronizer is working. Cancel out of this window as this was only to test the client / server synchronization.

PART TWO _______________________________________________________

Installing the TAM E-SSO Provisioning Adapter

(To be completed when 6.0 is GA)

PART THREE _______________________________________________________

Integrating the TAM E-SSO Provisioning Adapter with ITIM Express 4.6

(To be completed when 6.0 is GA)

PART FOUR _______________________________________________________

Demonstrating the Provisioning Adapter with ITIM Express 4.6

(To be completed when 6.0 is GA)


Original link: http://blog.csdn.net/jaminwm/article/details/1327267
