Install & Configure Tivoli Authorization Server on Red Hat Enterprise Linux (RHEL)

As part of daily duties I document a lot of information and instructions for various IDMWorks customers. The following contains the instructions for installing and configuring a Tivoli Authorization Server on Red Hat Enterprise Linux (RHEL) v5 as part of an IBM Tivoli Access Manager for e-business (TAM) deployment in the environment.

The following includes instructions for installing the Authorization server in a new environment, and for migrating the Authorization server of an existing environment to a new PD RHEL.

The installation guidance below gives directions for installing and configuring the Authorization Server on RHEL as part of a TAM deployment in <Customer A>.  The Authorization Server mirrors the Policy Director’s ACL database for a TAM deployment.

Architecture

Tivoli Access Manager provides authentication and authorization services, allowing secure access to enclave resources.  When a user attempts to access a protected resource, they must authenticate to the TAM environment.  Resource access passes through WebSEAL server junctions, which contact the TAM policy director for access control decisions.

User identity information and role assignments are stored in Tivoli Directory Server.  Tivoli Web Portal Manager and the Directory Server Web Administration Tool provide web-based graphical administration tools for the TAM system.

First Up: Prerequisites

Installation Environment

The optimal system specifications for a Policy Director server in your environment will depend on the number of users and the anticipated load in that environment. The table below lays out recommended minimum system specifications for several different servers & environments.

Recommended Minimum System Specifications

| Environment | Server Type | OS | CPUs | RAM | Disk Space | Can use VMs? |
|---|---|---|---|---|---|---|
| Development / Testing with 50,000+ users and/or heavy load on the systems | PD | RHEL v5 32-bit | 2 | 2 GB | Min 2 GB free | Yes |
| Development / Testing with fewer than 50,000 users, light load on the systems | PD | RHEL v5 32-bit | 1 | 1 GB | Min 2 GB free | Yes |
| Production | PD | RHEL v5 32-bit | 2 | 2 GB | Min 2 GB free | Yes |

Pre-Install Task – Time Synchronization!!!

It is imperative that all the servers be time synchronized.  On VMware, the time synchronization will be handled by the VMware software.  On physical machines, NTP or a similar product should be used for time synchronization.  If NTP is used for time synchronization in your environment, the status of NTP on RHEL can be checked with the following command:

# service ntpd status

Next Up: Install Authorization Server (ACLD)

Authorization Server Installation

The following represents the steps and my successive documentation of those steps used in installing the Authorization Server.

The Authorization server (ACLD) should be installed on the Policy Director, and one or more LDAP Replica servers, as these servers experience the least load in a TAM environment.

1.    Log onto the TAM 6.0 Authorization Server and switch to the root user.

$ su - root

<Enter the password>

2.    Set the umask.

# umask 022

3.    If installing on a machine that has NOT already been configured as either a Policy Director OR an ITDS server, create a temporary directory with the following command.

# mkdir /opt/tmp

4.    If installing on a machine which has already been configured as a Policy Director, skip to step 12.

5.    Either insert the CD with the ‘TAM Base on Linux C87B6ML.zip’ file on it into the CDROM drive, or copy the file onto the new Policy Director server.

6.    Create the /opt/tmp/base and /opt/tmp/base/FP09 directories.

# mkdir /opt/tmp/base

# mkdir /opt/tmp/base/FP09

7.    Unzip the file into the /opt/tmp/base directory.

# cd /opt/tmp/base

# unzip '/<mount point>/TAM Base on Linux C87B6ML.zip'

8.    Either insert the disc with the ‘6.0.0-TIV-TAM-FP0009-LIN.tar’ file on it into the CDROM drive, or copy the file onto the new WebSEAL server.

9.    Unzip the file into the /opt/tmp/base/FP09 directory.

# cd /opt/tmp/base/FP09

# tar -xzvf /<mount point>/6.0.0-TIV-TAM-FP0009-LIN.tar.z

10.  Either insert the disc with the ‘gsk7bas-7.0-3.31.i386.rpm’ file on it into the CDROM drive, or copy the file onto the new WebSEAL server.

11.  Copy the file into the /opt/tmp/base/FP09 directory.

# cd /opt/tmp/base/FP09

# cp /<mount point>/gsk7bas-7.0-3.31.i386.rpm ./

12.  If installing on a machine which has already been configured as an ITDS server, skip to step 16.

13.  Either insert the CD with the ‘TAM 6 IDS on Linux C87B9ML.zip’ file on it into the CDROM drive, or copy the file onto the new ITDS server.

14.  Create the /opt/tmp/ITDS directory.

# mkdir -p /opt/tmp/ITDS

15.  Unzip ‘TAM 6 IDS on Linux C87B9ML.zip’ into the /opt/tmp/ITDS directory.

# cd /opt/tmp/ITDS

# unzip '/<mount point>/TAM 6 IDS on Linux C87B9ML.zip'

16.  Navigate to the /opt/tmp directory.

# cd /opt/tmp

17.  If installing on a machine that has already been configured as either a Policy Director OR an ITDS server, skip to step 27.

18.  Either insert the CD with the TAM-rpms.tar file on it into the CDROM drive, or copy the TAM-rpms.tar file included in this release onto the new Authorization server.

19.  Copy the TAM-rpms.tar file into the /opt/tmp directory.

# cp <file location>/TAM-rpms.tar ./TAM-rpms.tar

20.  Extract the rpm files with the following command.

# tar -xvf TAM-rpms.tar

21.  Install the rpm files with the following commands.

# rpm -ivh glib-1.2.10-20.el5.i386.rpm

# rpm -ivh libXp-1.0.0-8.1.el5.i386.rpm

# rpm -e ksh-20060214-1.4.i386

# rpm -ivh pdksh-5.2.14-30.6.i386.rpm

# rpm -ivh gdk-pixbuf-0.22.0-25.el5.i386.rpm gtk+-1.2.10-56.el5.i386.rpm

22.  If installing on a machine that has already been configured as an ITDS server, skip to step 27.

23.  Install the IBM Directory Server Client with the following commands.

# cd /opt/tmp/ITDS/linux_i386/

# rpm -ivh idsldap-clt*.rpm

24.  Either insert the disc containing the file 6.0.0-TIV-ITDS-Linux32-FP0005.tar into the CD-ROM drive, or copy the file onto the new ITDS server.

25.  Untar 6.0.0-TIV-ITDS-Linux32-FP0005.tar into the /opt/tmp/FP05 directory.

# mkdir /opt/tmp/FP05

# cd /opt/tmp/FP05

# tar -xvf /<mount point>/6.0.0-TIV-ITDS-Linux32-FP0005.tar

26.  Install the ITDS LDAP FixPack05 from the location you downloaded it to.

# cd /opt/tmp/FP05/6.0.0-TIV-ITDS-Linux32-FP0005

# ./idsinstall -u

The output will be similar to the following:

Installing the following update packages:

./images/idsldap-clt32bit60-6.0.0-41.i386.rpm

./images/idsldap-cltbase60-6.0.0-41.i386.rpm

./images/idsldap-cltjava60-6.0.0-41.i386.rpm

All packages were installed successfully!

See the log file: /tmp/idsinstall_mm-dd-yy_hh-mm-ss.log for more details

27.  If installing on a server that has already been configured as a policy director, skip to step 30.

28.  Install the IBM Global Security Kit (GSK) with the following commands.

# cd /opt/tmp/base/FP09

# rpm -Uvh gsk7bas-7.0-3.31.i386.rpm

29.  Install the TAM 6.0 base software.  Insert the disc or navigate to the directory where you unzipped the Tivoli Base package, and execute the following commands:

# cd /opt/tmp/base/linux_i386/

# rpm -ivh PDlic-PD-6.0.0-0.i386.rpm

# cd /opt/tmp/base/FP09

# rpm -ivh TivSecUtl-TivSec-6.0.0-4.i386.rpm

# rpm -ivh PDRTE-PD-6.0.0-9.i386.rpm

30.  Install the TAM 6.0 authorization server.  Execute the following commands:

# cd /opt/tmp/base/FP09

# rpm -ivh ./PDAcld-PD-6.0.0-9.i386.rpm

31.  Each server, not including WebSEAL machines, has a unique PKI cert.  A cert request needs to be created to get the CA certs from a common CA.  Go to Appendix A and follow the procedures to create the cert and import the DoD certificates.

32.  Wait until the CA cert is returned, follow the rest of the steps in Appendix A to install the cert on this server.  Once the cert is installed, proceed to the next step.

Authorization Server Configuration

33.  Verify that the Authorization Server can connect to the ITDS Peer Master it will be configured to access with the following command:

/opt/ibm/ldap/V6.0/bin/ldapsearch -h <ITDS Peer Master Hostname> -p 389 -D cn=root -w <password> -s one -b c=US objectclass=*

The output should look similar to the following:

[root@<Server Name> linux_i386]# /opt/ibm/ldap/V6.0/bin/ldapsearch -h <Server name>.aaaaa.bb.cc.dddd.com -p 389 -D cn=root -w <password> -s one -b c=US objectclass=*
o=U.S. Government,c=US
objectclass=organization
objectclass=top
o=U.S. Government
[root@ linux_i386]#

34.  If you are installing on a server that already has the Policy Director configured, skip to step 50.

35.  Configure the Access Manager runtime.

# pdconfig

The output should look similar to the following:

Tivoli Access Manager Setup Menu

1. Configure Package

2. Unconfigure Package

3. Display Configuration Status

x. Exit

Select the menu item [x]:

36.   Enter “1” and press enter.

The output should look similar to the following:

Tivoli Access Manager Configuration Menu

1. Access Manager Runtime Configuration

2. Access Manager Authorization Server Configuration

x. Return to the Tivoli Access Manager Setup Menu

Select the menu item [x]:

37.  Enter “1” and press enter.

The output should look similar to the following:

Will the policy server be installed on this machine (y/n) [No]:

38.  Press Enter to use the default value [No].

The output should look similar to the following:

Tivoli Common Directory logging is not configured.

This scheme provides a common location for log files for Tivoli products instead of separate locations determined by each application.

Do you want to use Tivoli Common Directory logging (y/n) [No]?

39.  Press Enter to use the default value [No].

The output should look similar to the following:

log files for this application will be created in directory:

/var/PolicyDirector/log

1. LDAP

2. Active Directory

Registry [1]:

40.  Press Enter to use the default value [1].

The output should look similar to the following:

LDAP server host name:

41.  Enter the fully-qualified hostname of the ITDS 6.0 LDAP master, for example, new60ITDSserver_name.tivoli.com.

The output should look similar to the following:

LDAP server port [389]:

42.  Press Enter to use the default value [389].

The output should look similar to the following:

Policy server host name:

43.  Enter the fully-qualified hostname of policy server, for example, new60PDserver_name.tivoli.com.

The output should look similar to the following:

Policy server SSL port [7135]:

44.  Press Enter to use the default value [7135].

The output should look similar to the following:

Domain [Default]:

45.  Press Enter to use the default value [Default].

The output should look similar to the following:

Current status of Federal Information Processing Standards (FIPS) has been enabled on the policy server: no

Automatically download the pdcacert.b64 file from the policy server? (y/n) [Yes]:

46.  Press Enter to use the default value [Yes].

The output should look similar to the following:

The package has been configured successfully.

Press Enter to continue.

47.  Press Enter to continue.

The output should look similar to the following:

Tivoli Access Manager Configuration Menu

1. Access Manager Authorization Server Configuration

x. Return to the Tivoli Access Manager Setup Menu

Select the menu item [x]:

48.  Press enter to use the default value [x].

The output should look similar to the following:

Tivoli Access Manager Setup Menu

1. Configure Package

2. Unconfigure Package

3. Display Configuration Status

x. Exit

Select the menu item [x]:

49.  Press enter to use the default value [x] and return to the command prompt.

50.  Configure the Authorization Server runtime.

# pdconfig

The output should look similar to the following:

Tivoli Access Manager Setup Menu

1. Configure Package

2. Unconfigure Package

3. Display Configuration Status

x. Exit

Select the menu item [x]:

51.  Enter “1” and press Enter.

The output will be similar to the following:

Tivoli Access Manager Configuration Menu

1. Access Manager Authorization Server Configuration

x. Return to the Tivoli Access Manager Setup Menu

Select the menu item [x]:

52.  Enter “1” and press Enter.

The output will be similar to the following:

Do you want to enable SSL between the Tivoli Access Manager authorization server and the LDAP server (y/n) [Yes]?

53.  Type n and press Enter.  SSL has been deferred until after the migration.

The output should look similar to the following:

Domain [Default]:

54.  Press Enter to use the default value [Default].

The output should look similar to the following:

Policy server host name [endvl05019]:

55.  Enter the fully-qualified hostname of the TAM 6.0 Policy Server.

The output should look similar to the following:

Policy server SSL port [7135]:

56.  Press Enter to use the default value [7135].

The output should look similar to the following:

Administrator ID [sec_master]:

57.  Press Enter to use the default value [sec_master].

The output should look similar to the following:

Administrator password:

58.  Enter the sec_master password.  The system may take a minute or two to process this information, and then the output will appear.

The output should look similar to the following:

Local host name [<Server Name>]:

59.  Press Enter to use the default value if the hostname is correct.  Otherwise, enter the correct hostname for this system.

The output should look similar to the following:

Administration request port [7137]:

60.  Press Enter to use the default value [7137].

The output should look similar to the following:

Authorization request port [7136]:

61.  Press Enter to use the default value [7136].

The output should look similar to the following:

* Configuring the server.

Configuration of application “ivacld” for host <Hostname> is in progress.

This might take several minutes.

The specified action completed successfully.

* Starting the server.

Tivoli Access Manager authorization server v6.0.0.0 (Build 051029a) Copyright (C) IBM Corporation 1994-2003.  All Rights Reserved.

yyyy-mm-dd-hh:mm:ss.009+00:00I----- 0x14C521D3 pdacld NOTICE mis ivcore ivacld.cpp 441 0x0022a810

HPDMS0467I   Server startup

yyyy-mm-dd-hh:mm:ss.010+00:00I----- 0x14C526F2 pdacld NOTICE mis ivmgrd ivacld.cpp 446 0x0022a810

HPDMS1778I   Loading configuration

The package has been configured successfully.

Press Enter to continue.

62.  Press Enter to continue.

The output should look similar to the following:

Tivoli Access Manager Configuration Menu

x. Return to the Tivoli Access Manager Setup Menu

Select the menu item [x]:

63.  Press Enter to use the default value [x].

The output should look similar to the following:

Tivoli Access Manager Setup Menu

1. Configure Package

2. Unconfigure Package

3. Display Configuration Status

x. Exit

Select the menu item [x]:

64.  Press Enter to use the default value [x] and return to the command prompt.

65.  Verify that the new Authorization Server is running.  The pdacld process should be Enabled and Running.

# pd_start status

The output should look similar to the following:

Tivoli Access Manager servers

Server Enabled Running

-------------------------------------------

pdmgrd                    no        no

pdacld                    yes       yes

pdmgrproxyd               no        no

[root@ linux_i386]#

66.  Modify the firewall settings to allow Authorization server traffic.

# iptables -I RH-Firewall-1-INPUT 1 -m state --state NEW -m tcp -p tcp --dport 7136 -j ACCEPT

# /sbin/service iptables save
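Steps 65 and 66 are easy to eyeball once, but during a migration you want them re-checked mechanically on every Authorization server. The following is an added example, not code from the original post or from IBM: it parses the pdacld row out of pd_start status output and checks an iptables-save dump for the 7136 ACCEPT rule. The checkers read captured command output from stdin, so they are exercised here against constructed sample text modelled on the listings above; verify_live, the sample strings and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): post-install checks for
# steps 65 and 66. Each checker reads captured command output from stdin,
# so it can be exercised against the constructed samples below; on a live
# server pipe "pd_start status" and "iptables-save" into them.
set -u

# pdacld_ok < "pd_start status" output
# Succeeds only if the pdacld row shows Enabled=yes and Running=yes.
pdacld_ok() {
    awk '$1 == "pdacld" { seen = 1; if ($2 == "yes" && $3 == "yes") ok = 1 }
         END { if (seen && ok) exit 0; exit 1 }'
}

# acld_rule_present CHAIN PORT < "iptables-save" output
# Succeeds if CHAIN holds an ACCEPT rule for new TCP connections to PORT,
# i.e. the rule step 66 inserts for the authorization request port.
acld_rule_present() {
    grep -Eq -- "^-A $1 .*-p tcp .*--dport $2 .*-j ACCEPT"
}

# verify_live: run both checks against the real commands on a server.
verify_live() {
    pd_start status | pdacld_ok ||
        { echo "pdacld is not enabled and running" >&2; return 1; }
    iptables-save | acld_rule_present RH-Firewall-1-INPUT 7136 ||
        { echo "no ACCEPT rule for TCP 7136 in RH-Firewall-1-INPUT" >&2; return 1; }
    echo "authorization server verified"
}

# Constructed sample output modelled on the listings above (not captured
# from a real server).
SAMPLE_STATUS_UP='Tivoli Access Manager servers
Server Enabled Running
-------------------------------------------
pdmgrd                    no        no
pdacld                    yes       yes
pdmgrproxyd               no        no'

# Same listing with pdacld enabled but not running (the failure to catch).
SAMPLE_STATUS_DOWN=$(printf '%s\n' "$SAMPLE_STATUS_UP" |
    sed 's/^pdacld .*/pdacld                    yes       no/')

SAMPLE_RULES='*filter
:RH-Firewall-1-INPUT - [0:0]
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7136 -j ACCEPT
COMMIT'

# check_samples: returns 0 when the checkers classify every sample correctly.
check_samples() {
    printf '%s\n' "$SAMPLE_STATUS_UP" | pdacld_ok || return 1
    if printf '%s\n' "$SAMPLE_STATUS_DOWN" | pdacld_ok; then return 1; fi
    printf '%s\n' "$SAMPLE_RULES" | acld_rule_present RH-Firewall-1-INPUT 7136 || return 1
    if printf '%s\n' "$SAMPLE_RULES" | acld_rule_present RH-Firewall-1-INPUT 7137; then return 1; fi
    return 0
}

check_samples && echo "sample checks pass"
```

On a live server, source the file and call verify_live as root after step 66; a non-zero return with the message on stderr tells you which of the two post-install conditions is not met.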

And now…Re-Configure Existing Authorization Server for new ITDS Master

BTW…use the instructions in this section to reconfigure existing Authorization servers to point to a new ITDS Master.  These instructions should NOT be run as part of a normal installation, and should ONLY be run when called for during a migration.

67.  Log onto the TAM 6.0 Authorization Server and switch to the root user.

$ su - root

<Enter the password>

68.  Stop the Auth server with the following command:

# pd_start stop

69.  Back up the configuration files with the following commands:

# cp /opt/PolicyDirector/etc/ivacld.conf /opt/PolicyDirector/etc/ivacld.conf.pre_ldap_change

# cp /opt/PolicyDirector/etc/pd.conf /opt/PolicyDirector/etc/pd.conf.pre_ldap_change

# cp /opt/PolicyDirector/etc/ldap.conf /opt/PolicyDirector/etc/ldap.conf.pre_ldap_change

70.  Open the file /opt/PolicyDirector/etc/ivacld.conf in a text editor.

71.  Edit the line “host = <old ldap master>”, replacing the hostname of the old policy director with the hostname of the new policy director.

72.  Save and close the file.

73.  Open the file /opt/PolicyDirector/etc/pd.conf in a text editor.

74.  Edit the line “user-reg-server = <old ldap master>”, replacing the hostname of the old ldap master with the hostname of the new policy director.

75.  Edit the line “user-reg-host = <old ldap master>”, replacing the hostname of the old ldap master with the hostname of the new policy director.

76.  Save and close the file.

77.  Open the file /opt/PolicyDirector/etc/ldap.conf in a text editor.

78.  Edit the line “host = <old ldap master>”, replacing the hostname of the old policy director with the hostname of the new policy director.

79.  Start the Auth server with the following command:

# pd_start start

Re-Configure Existing Authorization Server for new Policy Director

Follow these instructions to modify an existing authorization server to point to a new Policy Director.  These instructions should NOT be run as part of a normal installation, and should ONLY be run when called for during a migration.

80.  Log onto the TAM 6.0 Authorization Server and switch to the root user.

$ su - root

<Enter the password>

81.  Stop the Auth server with the following command:

# pd_start stop

82.  Back up the configuration files with the following commands:

# cp -p /opt/PolicyDirector/etc/ivacld.conf /opt/PolicyDirector/etc/ivacld.conf.pre_pd_change

# cp -p /opt/PolicyDirector/etc/pd.conf /opt/PolicyDirector/etc/pd.conf.pre_pd_change

83.  Open the file /opt/PolicyDirector/etc/ivacld.conf in a text editor.

84.  Edit the line “master-host = <old policy director>”, replacing the hostname of the old policy director with the hostname of the new policy director.

85.  Save and close the file.

86.  Open the file /opt/PolicyDirector/etc/pd.conf in a text editor.

87.  Edit the line “master-host = <old policy director>”, replacing the hostname of the old policy director with the hostname of the new policy director.

88.  Save and close the file.

89.  Start the Auth server with the following command:

# pd_start start
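The two migration procedures above (steps 69 to 78 for a new ITDS master, steps 82 to 87 for a new Policy Director) are the same edit applied to different keys, and hand-editing three files on several servers is where hostnames get mistyped. The following is an added example, not code from the original post or from IBM, that scripts both: it backs up each file with the same .pre_ldap_change / .pre_pd_change suffixes the steps use, rewrites only the named "key = value" lines, and refuses to touch a file that lacks the key. It assumes the key names and file paths quoted in the steps; the PD_ETC override, the function names and the sample config contents are my own assumptions so the script can be exercised on constructed copies instead of /opt/PolicyDirector/etc.

```shell
#!/bin/sh
# Added example, not code from the original post or from IBM: scripted
# version of the migration edits in steps 69-78 and 82-87 above.
# Assumptions: the "key = value" layout and key names quoted in the steps;
# PD_ETC defaults to the real directory but may be overridden for testing.
set -u

PD_ETC="${PD_ETC:-/opt/PolicyDirector/etc}"

# set_conf_value FILE KEY NEWVALUE SUFFIX
# Back up FILE once (cp -p keeps mode and owner, as in step 82), then
# replace the value of every line matching "KEY = ...". Keys are anchored
# at line start, so "host" never touches "master-host" or "user-reg-host".
set_conf_value() {
    file=$1; key=$2; newval=$3; suffix=$4
    [ -f "$file" ] || { echo "set_conf_value: $file not found" >&2; return 1; }
    if ! grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        echo "set_conf_value: no '$key' key in $file, leaving it untouched" >&2
        return 1
    fi
    [ -f "$file.$suffix" ] || cp -p "$file" "$file.$suffix"
    tmp="$file.tmp.$$"
    sed "s|^\([[:space:]]*$key[[:space:]]*=\).*|\1 $newval|" "$file" > "$tmp" &&
        mv "$tmp" "$file"
}

# get_conf_value FILE KEY: print the first value found for KEY.
get_conf_value() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | head -n 1
}

# Steps 69-78: point the server at a new ITDS (LDAP) master.
retarget_ldap_master() {
    set_conf_value "$PD_ETC/ivacld.conf" host "$1" pre_ldap_change &&
    set_conf_value "$PD_ETC/pd.conf" user-reg-server "$1" pre_ldap_change &&
    set_conf_value "$PD_ETC/pd.conf" user-reg-host "$1" pre_ldap_change &&
    set_conf_value "$PD_ETC/ldap.conf" host "$1" pre_ldap_change
}

# Steps 82-87: point the server at a new Policy Director.
retarget_policy_server() {
    set_conf_value "$PD_ETC/ivacld.conf" master-host "$1" pre_pd_change &&
    set_conf_value "$PD_ETC/pd.conf" master-host "$1" pre_pd_change
}

# Constructed sample configs (not real TAM files) so the functions can be
# exercised without a live server; "pd_start stop/start" around the edit
# is left to the surrounding procedure.
make_sample_etc() {
    PD_ETC=$(mktemp -d)
    printf '[ldap]\nhost = oldldap.example.com\nport = 389\n[manager]\nmaster-host = oldpd.example.com\nmaster-port = 7135\n' > "$PD_ETC/ivacld.conf"
    printf '[manager]\nmaster-host = oldpd.example.com\n[pd]\nuser-reg-server = oldldap.example.com\nuser-reg-host = oldldap.example.com\n' > "$PD_ETC/pd.conf"
    printf '[ldap]\nhost = oldldap.example.com\nport = 389\n' > "$PD_ETC/ldap.conf"
}

make_sample_etc
retarget_ldap_master newldap.example.com
retarget_policy_server newpd.example.com
echo "ivacld.conf: host=$(get_conf_value "$PD_ETC/ivacld.conf" host) master-host=$(get_conf_value "$PD_ETC/ivacld.conf" master-host)"
```

To use it on a real server, run pd_start stop, source the file without the trailing demo lines, call retarget_ldap_master or retarget_policy_server with the new fully-qualified hostname, confirm the values with get_conf_value, and then pd_start start. Because set_conf_value fails on a missing key, a typo in the key name aborts the edit instead of silently leaving the old hostname in place.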