Starting Tivoli Access Manager for e-business & Tivoli Directory Server

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

I’d like to present the  recommended order for starting the Tivoli Access Manager for e-Business (TAMeb) processes, including IBM Tivoli Directory Server (ITDS).

The TAMeb and ITDS components are often distributed across multiple machines. When your deployment spans more than one machine, switch to the appropriate machine to complete the instructions for starting each component.

1. Start the registry server that was used to configure TAMeb.

* When using ITDS as the registry server, verify that db2 is running and then start the Directory Server process (ibmslapd).

2. Start the policy server. Ensure that the registry server is running and can be accessed before starting the policy server (pdmgrd).

3. Verify that pdadmin can be used for administration commands. After the policy server has started, you can use pdadmin or any other TAMeb administration application.

4. Start any blades servers (for example, WebSEAL) or any local mode authorization applications.

*Local mode authorization applications need to receive the latest policy database from the policy server, but otherwise do not depend on the policy server. Any local mode authorization application (for example, WebSEAL) can start and run without direct dependence on the policy server, as long as the application has a local copy of policy database, and as long as the registry server is running. Remember, however, that the application requires the policy server to be running in order to complete administrative tasks such as managing junctions.

* To start WebSEAL, you can use the command:

pdweb start InstanceName

* When your deployment includes junctioned backend Web servers ensure that those servers are running.

5. Start the authorization server. All remote mode authorization applications require that the authorization server (pdacld) is running. Most of the TAMeb Java Authorization applications are remote mode application.

6. The authorization server has a local copy of the policy database. The authorization server does not rely on the policy server, with the exception that when the authorization server starts it must be able to obtain any updates to the policy database.

* WebSEAL and the authorization server can be started in any order. They are not dependent on each other.

7. When your deployment includes any remote mode authorization applications, start them now.

8. When your deployment includes a policy proxy server (pdmgrproxyd), start it now.

9. When your deployment includes the WPM administration console, or any TAMeb Java Application that runs under WebSphere, ensure that the the applications are running by stopping and restarting WebSphere.

* You can use the command pd_start startto start the following TAMeb servers:

    • Policy server
    • Policy proxy server
    • Authorization server
    • WebSEAL servers


* When the policy server (pdmgrd) is configured on a machine, the command pd_start start always starts the policy server process first and then starts the other configured processes in order. To determine the order, use the command:

pd_start status

Stopping the TAMeb and ITDS processes

In most cases, you can stop the TAMeb and ITDS processes in the reverse order in which they were started. For example:

1. Stop any admininstration applications, such as pdadmin.

2. Stop any authorization applications.

3. Stop the TAMeb servers such as the policy server, authorization server, policy proxy server, and WebSEAL server. You can use the command:
pd_start stop

4. When appropriate, stop the registry server.

Questions? Feel free to reach out to us at IDMWorks.