ITIM - Imx - Scenarios
As a prerequisite, install the Tivoli Identity Manager Express Server and verify that
its components are running. Additionally, obtain a system administrator user ID
(itim manager) and password (which is initially secret).
To verify that the test user can log on, complete these steps:
1. In the navigation tree, click Log Out as administrator.
2. From the Login window, in the User ID field, type mytestuserID and in the
Password field, type secret. Click Log In.
This is the user ID that is provided in the Identity Manager login ID field in
the new user’s Personal Information page.
Scenarios 3
7. On the Select a User Attribute window, select the Full Name attribute, and
then click OK.
The benefit of providing this account default is that the value of the user’s
name appears on account information.
8. On the Manage Account Defaults window, click OK.
9. On the Select an Account Attribute window, click OK.
10. On the Success window, click Close.
In an earlier step in this scenario, you determined that your account request
was successful. To verify that the account actually exists on the managed
resource, log on to the managed resource as the new user.
After taking steps to correct the problem, repeat the process to request an account.
For example, restart the managed resource and repeat your request for a test
account.
v If you did not accept the default, which is blank, for the Tivoli Directory
Integrator Server location, ensure that you entered the correct address of the
Tivoli Directory Integrator Server and also for the managed resource. Test the
connection. Correct the values in the address fields if you receive an error
such as this message:
The following error occurred. Error: CTGRI0001E
The application could not establish a connection to
mybox.mylablab.city.company.com.
To locate this field, complete these steps:
a. In the navigation tree, click Manage Services.
b. In the Select a Service window, in the Services table, select the service.
c. On the Service Information page, in the Tivoli Directory Integrator
location field, specify the correct address.
v Ensure that the necessary servers are running:
– Tivoli Directory Server
On Windows systems, click Start > Programs > Control Panel >
Administrative Tools > Services. In the list of services, determine if the
Tivoli Directory Server entry has a status of started. If not, start the
service.
– WebSphere Application Server
Start the WebSphere Application Server administrative console. On a
browser, enter this Web address:
http://hostname:9060/admin
The value of hostname is the fully qualified host name or the IP address of
the computer on which the WebSphere Application Server is running. The
value 9060 is the default port number for the WebSphere administrative
HTTP transport. If the console login page appears, the server is running.
Because the HTTP transport sends the console logon in clear text, use the
administrative HTTPS transport (default port 9043) rather than port 9060 on
any network that is not an isolated lab.
For more information on steps to verify that these servers are running, refer
to the IBM Tivoli Identity Manager Express Installation and Configuration Guide.
Groups
Accept the default, which is blank.
d. In the Business Information window, in the Manager field, click Search.
e. In the Select Users window, in the User Attribute field, type chuck. In the
Search by window, select Full Name, and click Search.
f. In the Select Users window, in the Users table, select Chuck Manager, and
click OK.
Selecting Chuck Manager as the manager causes Chuck Manager to obtain
membership in the Manager group.
g. Skip entering information in the Contact Information window for this test
user and click Continue.
h. On the Password window, select Allow me to type a password. Then, type
and confirm secret as the password, and then click Submit.
i. On the Success window, click Close.
Click Close again if you need to close any remaining windows for this task.
In the previous scenario, you created the service named Linux myhost. In this
scenario, you will create an account request workflow for that service.
1) In the Grouped Approval window, select the check box for one or
more activities that you want to approve. In the Comments field, add
any comments that are necessary, and then click Approve.
2) After a confirmation approval message appears, click Close.
v If there is only one request in your queue, an Approval Details window
appears:
1) In the Approval Details window, in the Requested for and the
Requested by fields, click the user name to ensure that this is a
request that you want to approve. Review the information, and then
click Close.
2) In the Approval Details window, click Approve.
3) On the Success window, click Close.
c. Log out as cmanager.
3. Check the status of an account request as the requestor by logging on as juser,
and completing these steps:
a. In the navigation tree, click View Requests > View All My Requests.
b. In the View All My Requests window, in the Requests table, click the
calendar icons next to the Start date and End date fields to set the starting
and ending times of the interval. Then, click Search.
c. Examine the Status field for the status of an Account add request that has a
timestamp and service instance that matches the account request.
The status column for the request indicates a value of Success, Pending, or
Failed. For example, you might find that the request has a status of
Pending.
d. To determine who must respond to a pending request, click the item in the
Request type field. For example, click Account add.
e. In the Activities window, click the item in the Activity field. For example,
click my_activity.
f. In the Approval Details window, read the field values for any additional
information such as the due date before the request is escalated to another
participant. Then, repeatedly click Close to exit the request status windows.
4. Verify that the Judith User has an account on the managed resource by
completing these steps:
a. In the navigation tree, click View Requests > View All My Requests.
b. In the View All My Requests window, in the Requests table, determine
that the request indicates success.
c. Log on as juser on the managed resource.
After taking steps to correct the problem, repeat the process to request an account.
For example, restart the managed resource, and repeat your request for a test
account.
To troubleshoot on the Tivoli Identity Manager Express Server, log on with your
administrator user ID, and complete these steps:
1. View your request by taking these steps:
a. In the navigation tree, click View Requests > View All My Requests.
b. In the View All My Requests window, in the Requests table, examine the
Status field for the status of an Account add request that has a timestamp
and service instance that matches your earlier request.
If the account request failed, complete these steps:
1) In the Requests table, click the request name in the Request type field.
2) In the General window, a Result details or a Reason for failure field
might contain a message such as CTGIMD810E The adapter returned an
error status for an add request.
3) Examine the Requested changes page for possible values that do not
match the intended approver type.
4) Locate additional information on why the adapter returned an error
message. For example, there might be information in the
TIVOLI_COMMON_DIRECTORY/trace.log file. There might also be
information in the msg.log file.
Additionally, you might examine the ITDI_HOME/solDir/ibmdi.log file.
You can also set the log4j.rootCategory property in the
ITDI_HOME/solDir/log4j.properties file to obtain additional
information.
5) Correct the error and submit the account request again.
c. If this is a UNIX-based adapter and you chose to use a shadow file when
you created the service, ensure that shadow password support is enabled on
the operating system. To determine whether the password hashes are stored
in the shadow file, type the following at an operating system prompt (root
access is required to read the file):
cat /etc/shadow
You should see hashed password entries in the file, and the password field of
each entry in /etc/passwd should contain x instead of a hash. Treat the output
as sensitive: do not paste it into a trace file or a support request.
2. Test server connectivity by taking these steps:
v If you did not accept the default, which is blank, for the Tivoli Directory
Integrator Server location, ensure that you entered the correct address of the
Tivoli Directory Integrator Server and also for the managed resource. Test the
connection. Correct the values in the address fields if you receive an error
such as this message:
The following error occurred. Error: CTGRI0001E
The application could not establish a connection to
mybox.mylablab.city.company.com.
To locate this field, complete these steps:
a. In the navigation tree, click Manage Services.
b. In the Select a Service window, in the Services table, select the service.
c. On the Service Information page, in the Tivoli Directory Integrator
location field, specify the correct address.
v Ensure that the necessary servers are running:
– Tivoli Directory Server
On Windows systems, click Start > Programs > Control Panel >
Administrative Tools > Services. In the list of services, determine if the
Tivoli Directory Server entry has a status of started. If not, start the
service.
– WebSphere Application Server
Start the WebSphere Application Server administrative console. On a
browser, enter this Web address:
http://hostname:9060/admin
The value of hostname is the fully qualified host name or the IP address of
the computer on which the WebSphere Application Server is running. The
value 9060 is the default port number for the WebSphere administrative
HTTP transport. If the console login page appears, the server is running.
Because the HTTP transport sends the console logon in clear text, use the
administrative HTTPS transport (default port 9043) rather than port 9060 on
any network that is not an isolated lab.
For more information on steps to verify that these servers are running, refer
to the IBM Tivoli Identity Manager Express Installation and Configuration Guide.
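The shadow-file check in step 1c above asks you to read /etc/shadow directly, which exposes every hash on the screen. The following example is added here for this page and is not part of the product or of the original document: it reads passwd- and shadow-format text and classifies each account (shadowed, locked, hash left in the world-readable passwd file, empty password, or missing) without printing any hash. The sample entries are constructed, and the hash-looking strings in them are not real hashes; on a managed host you would pass the contents of /etc/passwd and /etc/shadow, read as root.

```python
"""Check whether UNIX accounts keep their password hashes in the shadow file.

Reads passwd- and shadow-format text and classifies each account without
printing any hash. Pass the contents of /etc/passwd and /etc/shadow (read as
root) to check a managed host; the sample text below is constructed.
"""
from typing import Dict, List

# Constructed sample entries; the hash-looking strings are not real hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
juser:x:1001:1001:Judith User:/home/juser:/bin/bash
legacy:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:1002:1002::/home/legacy:/bin/sh
nopw::1003:1003::/home/nopw:/bin/sh
svc:x:1004:1004::/var/svc:/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$notarealhashnotarealhashnotarealhash:19000:0:99999:7:::
juser:$6$saltsalt$anothernotrealhashvalueanothernotreal:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
"""


def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """Map each account name to its remaining colon-separated fields."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, *rest = line.split(":")
            entries[name] = rest
    return entries


def shadow_status(user: str, passwd_text: str, shadow_text: str) -> str:
    """Classify one account:
    shadowed     passwd field is 'x' and the shadow file holds a hash
    locked       passwd field is 'x' but the shadow field starts with '!' or '*'
    no-shadow    passwd field is 'x' but the account has no shadow entry
    passwd-hash  the hash sits in the world-readable passwd file (not shadowed)
    empty        empty password field: logon without a password
    missing      no passwd entry for the user
    """
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    if user not in passwd:
        return "missing"
    pw_field = passwd[user][0]
    if pw_field == "":
        return "empty"
    if pw_field != "x":
        return "passwd-hash"
    if user not in shadow:
        return "no-shadow"
    hash_field = shadow[user][0]
    if hash_field == "":
        return "empty"
    if hash_field.startswith(("!", "*")):
        return "locked"
    return "shadowed"


def report(passwd_text: str, shadow_text: str) -> Dict[str, str]:
    """Status for every account in the passwd file; safe to log, contains no hashes."""
    return {u: shadow_status(u, passwd_text, shadow_text)
            for u in parse_colon_file(passwd_text)}


if __name__ == "__main__":
    # On a real host, as root:
    #   report(open("/etc/passwd").read(), open("/etc/shadow").read())
    for user, status in report(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{user:10} {status}")
```

The adapter's test user (juser in this scenario) should come back as "shadowed"; a "passwd-hash" or "empty" result means the host is not using the shadow file for that account, which is what the adapter setting assumed.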
You first create a Windows Server Active Directory service. Then you ensure that
the global identity policy specifies the attributes that are necessary to create a
Tivoli Identity Manager Express user ID. Subsequently, you reconcile existing
identity records from the Windows Server Active Directory server to create Tivoli
Identity Manager Express users.
For some identity data, the use of the erRoles attribute allows additional changes
to Tivoli Identity Manager Express records. However, because erRoles is not an
attribute of the Windows Server Active Directory organizational person, the
mapping logic in Tivoli Identity Manager Express policies is not applicable to
Windows Server Active Directory feeds.
Before you begin, obtain your site requirements for Tivoli Identity Manager
Express user IDs.
To specify the global identity policy that is appropriate for your site, complete
these steps:
1. From the navigation tree, select Manage Policies > Manage Identity Policies.
2. In the Work with Identity Policies window, in the Identity Policies table, click
Change global rule.
3. In the Manage Identity Policies window, examine the fields on the Rule page,
and change them as appropriate for your site requirements:
First attribute
Select an attribute, specify a character length, and specify which case to
use. For example, select Last name, specify a character limit such as a
20, and select Lower case.
Secondary attribute
Select an attribute, specify a character length, and specify which case to
use. For example, select Employee number, specify a limit such as 9,
and select Lower case.
4. Click OK to save the changes.
5. On the Success window, click Close.
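A global identity rule like the one above decides the user ID that every managed resource will see, so it has to be deterministic, unique, and restricted to characters those resources accept. The following example is added for this page and is not the product's own policy engine: it models a rule with a first and a secondary attribute, each with a character limit and a case, using the scenario's values (Last name, 20 characters, lower case; Employee number, 9 characters, lower case). This page does not state how the product joins the two attributes or resolves duplicates, so the example assumes the secondary value is appended to the first and a numeric suffix is added on collision; both assumptions are marked in the code. The person records are constructed.

```python
"""Generate user IDs from a first and a secondary attribute, as an identity policy would."""
import re
import unicodedata
from dataclasses import dataclass
from typing import Dict, Set


@dataclass(frozen=True)
class AttributeRule:
    attribute: str   # person attribute name, e.g. "sn" for Last name
    length: int      # character limit, e.g. 20
    case: str        # "lower" or "upper"


def normalize(value: str, rule: AttributeRule) -> str:
    """Fold accents to ASCII, drop anything outside [a-z0-9], truncate, apply case.

    Assumption: the site allows only letters and digits in user IDs, so the
    apostrophe in O'Brien and the hyphen in a double-barrelled name are dropped.
    """
    folded = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode()
    cleaned = re.sub(r"[^a-z0-9]", "", folded.lower())[: rule.length]
    return cleaned.upper() if rule.case == "upper" else cleaned


class IdentityPolicy:
    def __init__(self, first: AttributeRule, secondary: AttributeRule):
        self.first, self.secondary = first, secondary

    def base_id(self, person: Dict[str, str]) -> str:
        """Deterministic ID before uniqueness handling.

        Assumption (not stated on the page): the secondary attribute is
        appended to the first one.
        """
        first = normalize(person.get(self.first.attribute, ""), self.first)
        second = normalize(person.get(self.secondary.attribute, ""), self.secondary)
        if not first:
            raise ValueError(f"{self.first.attribute} is empty; cannot derive a user ID")
        return first + second

    def generate(self, person: Dict[str, str], existing: Set[str]) -> str:
        """Return a unique ID and record it in `existing`.

        Assumption: a collision (for example two people with the same last name
        and no employee number) is resolved by appending 2, 3, ... to the base.
        """
        base = self.base_id(person)
        candidate, n = base, 1
        while candidate in existing:
            n += 1
            candidate = f"{base}{n}"
        existing.add(candidate)
        return candidate


# The rule described in the scenario.
SCENARIO_POLICY = IdentityPolicy(
    first=AttributeRule("sn", 20, "lower"),               # Last name, 20 chars, lower case
    secondary=AttributeRule("employeeNumber", 9, "lower"),  # Employee number, 9 chars, lower case
)

if __name__ == "__main__":
    used: Set[str] = set()
    for person in ({"sn": "O'Brien-Smith", "employeeNumber": "000123456"},
                   {"sn": "Müller", "employeeNumber": ""},
                   {"sn": "Müller", "employeeNumber": ""}):
        print(SCENARIO_POLICY.generate(person, used))
```

Two points worth noticing when you run it: an Active Directory feed that does not populate the employee number falls back to last name alone, which is where collisions and the numeric suffix appear, and accented or punctuated names are folded before truncation so the same person always maps to the same ID.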
4. In the Service Information page, specify the appropriate values for the service
instance:
Service Name
Type a name for the service instance. For example, type AD Feed.
URL Type the address of the computer on which the identity records exist.
The syntax is:
ldap://address:portnumber
The value of address is either the IP address or the host name of the
Windows Server Active Directory server. The default value of
portnumber is 389. Your site might have a different port number or no
port number. Note that an ldap:// connection on port 389 sends the bind
password and the identity records in clear text unless the network path is
protected by other means, so keep the feed on a trusted network segment.
For example, type: ldap://ps2999
User ID
Identify the administrator who is authorized to access the Windows
Server Active Directory server, including the naming context of the
container that holds the identity records. The syntax is:
cn=administratorID,cn=users,domainname
The value of domainname is the distinguished name of the Windows
Server domain. Because the feed only reads identity records, a dedicated
account with read access to the container is sufficient; where your site
allows it, prefer such an account to a domain administrator account.
If the Windows® Server domain is dev.itim.ibm.com, the domainname
distinguished name will be dc=dev, dc=itim, dc=ibm, dc=com.
For example, type:
cn=administrator,cn=users,dc=dev,dc=itim,dc=ibm,dc=com
Password
Type the password for the administrator who is authorized to access
the Windows Server Active Directory server.
Naming Context
Type the distinguished name and the domain of the container that
holds the identity records. The identity feed uses this value to
communicate the information, using the Java™ Naming and Directory
Interface. For example, type:
cn=users,dc=dev,dc=itim,dc=ibm,dc=com
Name Attribute
Select cn from the drop-down list.
5. Click Test Connection to validate that the data in the fields is correct. Then,
click Next.
Testing the connection verifies the settings and server connectivity. If the
connection test fails, contact the administrator who is responsible for the
computer on which the managed resource runs. Then, examine the value of the
URL field to ensure that it contains the correct IP address or the host name of
the Windows Server Active Directory server.
6. In the Reconciliation page, select Perform a reconciliation now. Additionally,
select Daily as the interval at which subsequent reconciliations occur. In the At
this time field, accept the default daily time. Then, click Finish.
The initial reconciliation occurs immediately. The process uses identity data on
the Windows Server Active Directory computer to create Tivoli Identity
Manager Express users.
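A mistyped distinguished name or port in steps 4 and 5 surfaces only as a generic connection failure. The following example is added for this page and is not part of the product: it builds and checks the service values the way the page describes them. The domain name becomes a chain of dc= components, the User ID is assembled under cn=users with RFC 4514 escaping of any special characters in the administrator ID, and the ldap:// URL is parsed with 389 as the default port. The review() function and its warnings (clear-text ldap://, binding as a domain administrator) are this example's own policy; the page does not say which transports the feed supports.

```python
"""Build and check the LDAP connection values for an Active Directory identity feed."""
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Characters that must be escaped inside a DN attribute value (RFC 4514, 2.4).
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a distinguished name."""
    out: List[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def domain_dn(domain: str) -> str:
    """dev.itim.ibm.com -> dc=dev,dc=itim,dc=ibm,dc=com"""
    labels = [lbl for lbl in domain.strip().lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={escape_dn_value(lbl)}" for lbl in labels)


def bind_dn(admin_id: str, domain: str, container: str = "cn=users") -> str:
    """User ID field: cn=administratorID,cn=users,domainname"""
    return f"cn={escape_dn_value(admin_id)},{container},{domain_dn(domain)}"


def naming_context(domain: str, container: str = "cn=users") -> str:
    """Naming Context field: the container that holds the identity records."""
    return f"{container},{domain_dn(domain)}"


@dataclass(frozen=True)
class LdapUrl:
    host: str
    port: int
    encrypted: bool   # True only for ldaps://; plain ldap:// carries the bind password in clear


def parse_ldap_url(url: str) -> LdapUrl:
    """Accept ldap://host or ldap://host:port; 389 is the default port on this page."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("URL must contain only the host and an optional port")
    default = 636 if parts.scheme == "ldaps" else 389
    return LdapUrl(parts.hostname, parts.port or default, parts.scheme == "ldaps")


def review(url: str, admin_id: str) -> List[str]:
    """Practitioner warnings for the service values (this example's policy, not the product's)."""
    warnings: List[str] = []
    u = parse_ldap_url(url)
    if not u.encrypted:
        warnings.append(f"ldap://{u.host}:{u.port} sends the bind password in clear text")
    if admin_id.lower() in ("administrator", "admin"):
        warnings.append("feed binds as a domain administrator; a read-only account suffices for reconciliation")
    return warnings


if __name__ == "__main__":
    print("User ID:       ", bind_dn("administrator", "dev.itim.ibm.com"))
    print("Naming Context:", naming_context("dev.itim.ibm.com"))
    print("URL:           ", parse_ldap_url("ldap://ps2999"))
    for w in review("ldap://ps2999", "administrator"):
        print("warning:", w)
```

Run against the scenario's values it reproduces the DNs shown in step 4 and flags both the clear-text URL and the administrator bind; an ID such as "Smith, John" shows why the escaping matters, since an unescaped comma would be read as a new DN component.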
v The managed resource or the intermediate servers are not running at the time
that you request the reconciliation. In that case, the reconciliation might fail.
v The naming context that you specified in the service does not match the
Windows Server Active Directory schema. If the naming context does not exist,
an error message occurs. However, there are no errors if the context exists but
contains no identities. In this case, the identity feed indicates success, but no
Tivoli Identity Manager Express users are created or modified, so check the
reconciliation results and not only its status when you expect new users.
v You specify an incorrect value for the administrator user ID or password on the
Windows Server Active Directory computer.
For more information on steps to verify that these servers are running, refer to the
IBM Tivoli Identity Manager Express Release Notes.
Tasks in this scenario include creating a service type for the manual service and
customizing account and service forms. You then create the service and set its
default values. You create a workflow to specify participants who approve a
request, and you also create an access control item to provide read and write
permission for an attribute, which is a voice mail access number. After you assign
the service to a user who is the service owner, the service owner receives a request,
calls the telephone company to create the voice mail, and returns a result when the
action is successful. Finally, you test whether a user can determine that a request
succeeds in obtaining voice mail.
After a manual service participant completes a work order and any related
activities for a user, the service creates an account for the work order.
To create the service type by specifying a new LDAP schema class that has a
voiceMailAccessNumber attribute for the manual service, complete these steps:
1. In the navigation tree, click Configure System -> Manage Service Types.
2. On the Manage Service Types window, click Create.
3. Click the General tab, and then complete these fields:
Service Type Name
Enter VoiceMailAccount. Do not include spaces in the name. This
value becomes the service type name.
Description
This field is read-only. Leave it blank.
Service Provider
Select Manual.
4. Click the Service tab, and then complete these fields:
LDAP class
Enter VoiceMailService. Do not include spaces in the name. This is a
new LDAP class that you create during this scenario. Avoid using an
identical value in the LDAP class and the Service Type Name fields.
5. On the Account tab, complete this field:
LDAP class
Enter VoiceMailProfile. Do not include spaces in the name.
6. In the Attributes table, click Add.
7. In the Attribute name field, type each of these attributes, and then click OK
to add each attribute:
v voiceMailAccessNumber
Select Required and Directory String.
v telephoneNumber
Select Required and Directory String. This example uses a
telephoneNumber attribute that already exists. The operation to reference
the attribute with this service type succeeds, although you receive an error
such as this message when you create the service type:
CTGIMO111E Fail to add or update schema for attribute [telephoneNumber].
Reason: [LDAP: error code 20 - GLPSCH031E attribute type ’2.5.4.20’ already
exists, add operation failed. ].
You might receive a different error message about the telephoneNumber
attribute. Ignore the error message and continue.
Make no changes to other attributes that the account has, such as Password
and User ID.
The VoiceMailAccount service type initially has these attributes:
Table 1. Attributes in the example service type
Attribute               Required
telephoneNumber         Yes. Notice that this is a pre-existing attribute.
Password                Remove this attribute, which is not needed for a voice mail request.
User ID                 You cannot change this attribute. Accept the default.
voiceMailAccessNumber   Yes, as selected in step 7.
8. On the Attributes table, select the Password attribute and click Remove.
9. On the Manage Service Types window, click OK to create the service type.
10. On the Success window, click Close.
11. On the navigation tree, click Configure System -> Manage Service Types.
Validate that a VoiceMailAccount item exists in the Service Type column.
12. Click Close.
The default account form might contain additional fields that display information
that users do not need, such as service information. As part of customizing the
user interface for a manual service, you remove unnecessary fields.
the top of the list, position the $eruid attribute uppermost, followed by the
$telephonenumber and $voicemailaccessnumber attributes. Alternatively,
you can right-click an attribute and click Move Up Attribute in the menu.
c. On the Form Designer task bar, click Form -> Save Form Template.
d. Click OK on the success message window.
5. Double-click the Service folder to open the Service template on the
VoiceMailProfileAccountProfile window.
The Service form contains these attributes:
Table 3. Attributes in the example Service form
Attribute name in Service form   Attribute specified in service profile   Keep or delete?
$eruid                           User ID                                  Delete
$erprerequisite                                                           Delete
$erpassword                                                               Delete
$owner                                                                    Keep. The administrator needs to know who the service owner is.
$description                                                              Keep
$erservicename                                                            Keep
To create an access control item for the manual service, complete these steps:
1. In the navigation tree, click Set System Security > Create an Access Control
Item.
2. On the General tab, complete these fields, and then click Next:
Name Type MySiteVoiceMail_ACI.
Protection category
Select Account.
Object class
Select VoiceMailProfile.
3. On the Operations page, click Next to skip to the next tab.
4. On the Permissions page, grant Read and Write permission for the
telephonenumber and the voicemailaccessnumber attributes. Then, click Next.
5. On the Membership page, check the Account owner check box to specify that
the access control item applies to only those accounts that are owned by the
user. Do not select other check boxes.
6. Click Finish to save the access control item.
7. On the Success window, click Close.
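The access control item above is what lets a user fill in her own voice mail attributes without being able to touch anyone else's account. The following example is added for this page and is a simplified model written to illustrate that, not the product's authorization engine: an ACI carries the same parts as the form (protection category, object class, per-attribute Read and Write permissions, and an Account owner membership test), and the evaluation rule is this example's assumption that an operation is allowed only if some ACI whose membership test the principal satisfies grants it, with everything else denied. The account records and the LinuxAccount class name are constructed.

```python
"""Simplified model of an attribute-level ACI with 'Account owner' membership."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List


@dataclass
class Account:
    object_class: str                      # e.g. "VoiceMailProfile"
    owner: str                             # user ID of the person who owns the account
    attributes: Dict[str, str] = field(default_factory=dict)


# A membership test receives the acting principal and the account being accessed.
Membership = Callable[[str, Account], bool]


def account_owner(principal: str, account: Account) -> bool:
    """The 'Account owner' membership check box on the ACI form."""
    return principal == account.owner


@dataclass
class AccessControlItem:
    name: str
    protection_category: str                 # "Account" in the scenario
    object_class: str                        # "VoiceMailProfile"
    permissions: Dict[str, FrozenSet[str]]   # attribute (lower case) -> {"read", "write"}
    membership: Membership

    def grants(self, principal: str, account: Account, attribute: str, op: str) -> bool:
        """True only if this ACI applies to the account and explicitly grants op."""
        return (
            self.protection_category == "Account"
            and account.object_class == self.object_class
            and op in self.permissions.get(attribute.lower(), frozenset())
            and self.membership(principal, account)
        )


def is_allowed(acis: List[AccessControlItem], principal: str, account: Account,
               attribute: str, op: str) -> bool:
    """Default deny (assumption): allowed only if at least one ACI grants the operation."""
    return any(aci.grants(principal, account, attribute, op) for aci in acis)


def write_attribute(acis: List[AccessControlItem], principal: str, account: Account,
                    attribute: str, value: str) -> Account:
    """Apply a change only when authorized; raise PermissionError otherwise."""
    if not is_allowed(acis, principal, account, attribute, "write"):
        raise PermissionError(f"{principal} may not write {attribute} on {account.owner}'s account")
    new_attrs = dict(account.attributes)
    new_attrs[attribute.lower()] = value
    return Account(account.object_class, account.owner, new_attrs)


# The ACI created in the scenario: the owner may read and write the two voice mail attributes.
RW = frozenset({"read", "write"})
MYSITE_VOICEMAIL_ACI = AccessControlItem(
    name="MySiteVoiceMail_ACI",
    protection_category="Account",
    object_class="VoiceMailProfile",
    permissions={"telephonenumber": RW, "voicemailaccessnumber": RW},
    membership=account_owner,
)

if __name__ == "__main__":
    acis = [MYSITE_VOICEMAIL_ACI]
    juser_vm = Account("VoiceMailProfile", "juser", {"telephonenumber": "123-4567"})
    cmanager_vm = Account("VoiceMailProfile", "cmanager")
    print(write_attribute(acis, "juser", juser_vm, "voiceMailAccessNumber", "123456"))
    try:
        write_attribute(acis, "juser", cmanager_vm, "voiceMailAccessNumber", "999999")
    except PermissionError as exc:
        print("denied:", exc)
```

The three denials the test exercises are the ones the form's choices are there to produce: another user's account (membership fails), an attribute the ACI never mentions such as eruid (no grant), and an account of a different object class (the ACI does not apply).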
If Pat does not respond within the escalation interval, the administrator
receives the request in a to-do list. Alternatively, if you select a group, such
as Service Owner, an escalated request goes to all members of the Service
Owner group.
7. Skip the reconciliation window, and click Finish.
A reconciliation file for a manual service might serve the purpose of bulk
loading additional data that has a narrow scope, such as a set of matching user
IDs and pre-assigned access numbers for voice mail.
8. On the Success window, click Close.
Click Close again if you need to close any remaining windows for this task.
f. In the Account Information window, enter values in these required fields,
and leave the remaining fields blank:
Telephone number for voice mail
Type 123-4567.
Voice Mail Access Number
Type 123456.
g. Click Finish.
h. On the Success window, click Close.
i. Log out.
2. Next, approve an account request by completing these steps:
a. Log on using the cmanager user ID that you created in an earlier scenario.
As Judith’s manager, Chuck must approve the request.
b. If forgotten password questions are enabled, the Specify Forgotten Password
Information window prompts you for the forgotten password information.
Optionally, type the information, and then click OK. To skip the window,
click Cancel.
c. In the to-do list, click the activity named Manager approval for voice
mail.
v If the approval request is in a group, a Grouped Approval window
appears.
1) In the Grouped Approval window, select the check box for one or
more activities that you want to approve. Do not enter text in the
Comments field, and click Approve.
2) After a confirmation approval message appears, click Close.
v If there is only one request in your queue, an Approval Details window
appears:
1) In the Approval Details window, in the Requested for and the
Requested by fields, click the user name to ensure that this is a
request that you want to approve. Review the information, and then
click Close.
2) In the Approval Details window, click Approve. The request goes to
the service owner’s queue.
3) On the Success window, click Close.
d. Log out.
3. Complete the request and return a success indicator by completing these
service owner tasks:
a. Log on as the service owner, using the jphoneperson user ID.
b. If forgotten password questions are enabled, the Specify Forgotten Password
Information window prompts you for the forgotten password information.
Optionally, type the information, and then click OK. To skip the window,
click Cancel.
c. In the service owner’s to-do list, click the activity named Manual
Service Account Add.
d. In the Work Order Details window, in the Requested for and the Requested
by fields, click the user name to ensure that this is a work order that you
want to complete. Review the information, and then click Close.
e. Complete the required manual action, and then enter this comment in the
Comments field: Try your voice mail access now.
f. In the Work Order Details window, click Successful.
26 IBM Tivoli Identity Manager Express: Information Center - Scenario Topics
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user’s responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Trademarks
The following terms are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both:
AIX
DB2
IBM
IBM logo
SecureWay
Tivoli
Tivoli logo
Universal Database
WebSphere
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
Other company, product, and service names may be trademarks or service marks
of others.