• Failed : Your operating system failed the prerequisites check.
  A supported operating system was not detected. Support for your operating system might have been added after the release of the product. You can continue with the installation, but the installation might not succeed.
• Install, com.ibm.ws.install.ni.ismp.actions.PopulateMultipleMaintenanceSelectionPanelAction, msg1, 6.1.0-WS-WAS-LinuxX64-FP0000023.pak. A supported platform, operating system, related operating system architecture, and bit architecture were not detected. For example, a 32-bit product for a specific operating system and operating system architecture must be installed onto a 32-bit installation with the same operating system and operating system architecture. Similarly, a 64-bit product for a specific operating system and operating system architecture must be installed onto a 64-bit installation with the same operating system and operating system architecture. Install a product that has the platform, operating system, related operating system architecture, and bit architecture which is supported by the existing installation

To resolve this issue, it is required that the target WAS instance is uninstalled completely, and then reinstalled with an updated/fixed 'maintenance.xml' file. The file must be placed into the directory 'WAS/was.primary.pak' within the WAS installation image directory.

The file can be downloaded from this IBM page: http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21268993. Detailed instructions can also be found on this page.

The recycle bin is disabled by default in ITIM 5, because it can reduce ITIM performance.

You can disable the ITIM recycle bin manually. To disable the recycle bin, edit the enrole.properties file and update enrole.recyclebin.enable to false.

ITIM allows a user to set how long an object should be in the recycle bin before it can be deleted using clean up scripts. enrole.ldapserver.agelimit can be set to n number of days, in the enrole.properties file.

You can manually run the script below, when necessary, to delete the aged objects in the recycle bin. It may be better to insert it in the cron table.

Windows: <ITIM_HOME>\bin\win\ldapClean.cmd
UNIX: <ITIM_HOME>/bin/Unix/ldapClean.sh

JavaScript "if expressions" can be used to determine which service is in process and then call the associated function for the service. The code should be something similar to this:

var serviceName= service.getProperty("erservicename")[0];
if(serviceName == <service1>){
...//function call

}

else if(serviceName == <service2>) {
...//function call
}

This creates a problem, as now there is no way to unconfigure WebSEAL once the Policy Server has been unconfigured.

The way to solve this is to just delete the flags that TAM uses to tell if a component has been configured.

For UNIX:

The flags are in the directory “/opt/PolicyDirector/.configure”, as shown below

# ls -la /opt/PolicyDirector/.configure

drwxrwxr-x  2 ivmgr ivmgr 4096 Jan  9 14:06 .

drwxrwxr-x 12 ivmgr ivmgr 4096 Feb 24 11:20 ..

-rw-r--r--  1 root  root     0 Jan  9 14:06 PDAcld-PD

-rw-r--r--  1 ivmgr ivmgr   47 Feb 18  2008 PDlic.txt

-rw-r--r--  1 root  root     0 Jan  9 13:51 PDMgr-PD

-rw-r--r--  1 root  root     0 Jan  9 13:50 PDRTE-PD

So this shows that the Authorisation server (PDAcld), the Policy Server (PDMgr) and the Runtime Environment (PDRTE) are configured. If we deleted, say, the PDAcld-PD file, then in pdconfig the Authorisation server will show as not being configured.  We can then configure the Authorisation server as normal.

For Windows:

The flags are in the registry “HKEY_LOCAL_MACHINE\SOFTWARE\Tivoli\<component>\<version>”

If you change the value of ‘Configured’ to ‘No’ - then this component will show up as not being configured. We can then configure it as normal.

Note:

As of TAMeb 6.1, WebSEAL uses the existence of the configuration file and the "status" key in the webseal-config stanza to determine which WebSEAL instances exist and their configuration state

When using regular expressions special characters must be escaped using a backslash (\), and the a wildcard is escaped using a dot. The table below details the special characters and how to escape them.

What is it?

This tool is simply a front end to the IBM WebSphere Adminisrative Scripting tool (wsadmin) which uses the Jython environment to access the following public APIs:

•  Container Management
•  Person Management
•  Policy Mnagement
•  Role Management
•  Request Management

Using it

The script you write is used as a file argument for the executable, apiscript.bat for Windows platforms and apiscript.ksh for UNIX).

apiscript.bat –f <scriptname>

Example

The following script will create a dynamic role in ITIM, where the rule for membership is all users that have the location attribute set in their profile as “London”, i.e. LDAP filter: l=London. Note the use if the arguments on the “request” line.

#SCRIPT FILE NAME test_dynorgrole.py

# import w/ rename for less typing

from apiscript.util import orgchart

from apiscript.util import orgrole

import apiscript.util

from com.ibm.itim.apps import Request

org_cont_mo = orgchart.get_default_org_mo()

print "found default org %s" % org_cont_mo.data.name

request = orgrole.submit_create_dyn_role_from_args(org_cont_mo, 'Example Dynamic Role', 'A simple description for an example dynamic role.', '(l=London)')

print "waiting on request %s" % request.ID

apiscript.util.wait_requests([request])

assert request.status == Request.SUCCEEDED

A properties file should be added to the /etc directory (a location within the directory structure created when the code is download and uncompressed/unzipped). The file should be named <hostname>.properties, where hostname is the actual hostname of the server the code resides on – in this example, the hostname was “itimserver”.

Alternatively, the file, default.properties file could be edited with the relevant WebSphere and ITIM admin login credentials.

#properties file: itimserver.properties

# default.properties: local configuration

enrole.appServer.ejbuser.principal=wasadmin

enrole.appServer.ejbuser.credentials=passw0rd

enrole.appServer.systemuser.principal=ITIM Manager

enrole.appServer.systemuser.credentials=passw0rd

The following is the command line to execute the script shown above:

apiscript.bat –f test_dynorgrole.py

Note: If the script file is not in the same directory as the executable, then the full pathname should be used to specify the location of the script file, as shown in the screenshot below. Also, if WebSphere and ITIM have not been installed in their default locations, the environment settings for these should be set. Editng and executing the env_hostname.bat file, included in the download can be used for this purpose.

Getting the code

The Scripting tool can be downloaded from the IBM OPAL (Open Process Automation Library) site:

http://www-01.ibm.com/software/brandcatalog/portal/opal/details?NavCode=1TW10IM14

The code can be uncompressed anywhere on the filesystem (where ITIM is installed). The code includes a helpful Readme file and some example scripts. There are some further scripts on the Tivoli ITIM WIKI

http://www.ibm.com/developerworks/wikis/display/tivoliim/Related+Resources

Below is a set of examples that show how to extract several key data items from a BIRT report design file. These examples would operate on a BIRT report design that contains content such as that which is shown below.

<oda-data-set extensionID="org.eclipse.birt.report.data.oda.jdbc.JdbcSelectDataSet" name="Data Set" id="1000">
....
   <property name="rowFetchLimit">0</property>
   <property name="dataSource">Reports Data Source</property>
   <list-property name="parameters">
     <structure>
       <property name="name">type</property>
       <property name="paramName">chosen_type</property>
       <property name="dataType">any</property>
       <property name="position">1</property>
       <property name="isInput">true</property>
       <property name="isOutput">false</property>
     </structure>
   </list-property>
   <list-property name="resultSet">
     <structure>
       <property name="position">1</property>
       <property name="name">ID</property>
       <property name="nativeName">ID</property>
       <property name="dataType">decimal</property>
       <property name="nativeDataType">-5</property>
     </structure>
     <structure>
       <property name="position">2</property>
       <property name="name">TYPE</property>
       <property name="nativeName">TYPE</property>
       <property name="dataType">string</property>
       <property name="nativeDataType">12</property>
     </structure>
   </list-property>
   <property name="queryText">select ID, TYPE from TYPES ts where TYPE = ?</property>
</oda-data-set>

Code example

# Retrieve the BIRT report design file and receive a report handle object

IReportRunnable design = this.engine.openReportDesign("c:\reports\report.rptdesign");
ReportDesignHandle reportHandle = (ReportDesignHandle) design.getDesignHandle();

# Retrieve a handle to a specific data set. A data set is a specific section of a BIRT report design that describes the schema of the data returned by query embedded in the report.

String mainDataSetName = "Data Set";
OdaDataSetHandle dataSetHandle = (OdaDataSetHandle) reportHandle.findDataSet(mainDataSetName);

# Retrieve the report query

String statementQuery;
if(dataSetHandle != null) {
     statementQuery = dataSetHandle.getQueryText();
}

# Read the schema for the resultset items. In this example there would be 2 result set items

Iterator resultSetIt = dataSetHandle.resultSetIterator();
while(resultSetIt.hasNext()) {
     String columnName = ((ResultSetColumnHandle)resultSetIt.next()).getColumnName();

     # columnName would be "ID" and "TYPE"
}

#Retrieve an iterator for the report parameters.

Iterator paramsIt = dataSetHandle.parametersIterator();

#Iterate through the report parameters. In this example there would be 1 parameter

while(paramsIt.hasNext()) {
DataSetParameterHandle param = (DataSetParameterHandle) paramsIt.next();

String parameterName = param.getName();       // "type"
Integer parameterPosition = param.getPosition();   // "1"
String parameterMappedName = param.getMember("paramName").getStringValue(); // "chosen_type"
}

# In the above code example, the position relates to which '?' placeholder this particular parameter should be inserted into within the query text. In this example there is only one placeholder, therefore the position would be "1" (and not "0").

Error Message
[25/02/09 09:10:07:001 GMT] 244d182e SystemErr R java.lang.UnsatisfiedLinkError: xaConnect
[25/02/09 09:10:07:001 GMT] 244d182e SystemErr R at COM.ibm.db2.jdbc.DB2XAConnection.(Unknown Source)
[25/02/09 09:10:07:002 GMT] 244d182e SystemErr R at COM.ibm.db2.jdbc.DB2XADataSource.getXAConnection(Unknown Source)
[25/02/09 09:10:07:002 GMT] 244d182e SystemErr R at com.ibm.ws.rsadapter.DSConfigurationHelper$1.run(DSConfigurationHelper.java:934)

Root Cause
DB2 profile wasnt sourced when starting websphere

Conclusion
The WebSphere user needs to run . .db2profile from the users home directory, before starting WebSphere

The SAP Netweaver Adapter for IBM Tivoli Identity Manager can experience performance issues when reconciling against a target SAP system. In recent lab testing a typical reconciliation for approximately 60,000 accounts was found to take over 24 hours to complete.

SOLUTION:

As part of the SAP deployment an xsl folder is supplied. Modify the file "sapnw_bapi_user_getdetail_precall.xsl" to include the following highlighted line.

<BAPI_USER_GET_DETAIL>

<USERNAME><xsl:value-of select="$sapUserName" /></USERNAME>

<CACHE_RESULTS> </CACHE_RESULTS>

</BAPI_USER_GET_DETAIL>

This file and the folder are to be deployed to ITDI 611 FP3.

Following update to this file the target SAP system is able to cache results of lookups - thereby decreasing processing time (in our test environment this setting reduced the reconciliation time for approximately 60,000 SAP accounts to around 3 hours 20 minutes). Note however that this setting will result in increased memory usage on the target SAP system.

As a general rule the principle of "least privilege" will always apply when UNIX permissions are evaluated. Consider the following examples:

Scenario 1:

• File /testfile has UNIX permissions rwxrwxrwx and ownership root:system

• A TAMOS ACL applied to the file object states that user root has full access but anyone other user will have no access.

• Result: root can update the file as expected, but anyone else will be denied by TAMOS even though UNIX permissions have the file world-writable.

 Scenario 2:

• File /testfile has UNIX permissions rwxr-xr-x and ownership root:system

• A TAMOS ACL applied to the file object states that all users have full access to the file.

• Result: Only root can write to the file. Everyone else will be denied by UNIX despite the fact that TAMOS grants them access. The "least privilege" rule applies.
  

How does this effect TAMOS Auditing?

The scenarios as described can stop audit events being generated for denied actions in certain circumstances. For example:

• A resource-level POP is attached to object /testfile to capture denied write access. The file has UNIX permissions rwxr-x--- and ownership root:system.

• User jbloggs attempts to update /testfile and is correctly denied write access but no TAMOS audit event is written.

However, making /testfile UNIX permissions rwxrwxrwx and then enforcing access via a TAMOS ACL so that user root has full access but anyone else has no access will generate a TAMOS audit event. Thereafter, when user jbloggs attempts to update /testfile he will be denied by TAMOS - and the denied audit event is generated.

General Rule: If UNIX makes the denial then TAMOS is unaware of this and will not audit the event.

Conclusion: When deploying TAMOS carefully evaluate the files you are wishing to protect and audit against. Consider the type of audit event (permit or deny) you wish to have before creating ACL's and POP's to attach to the object.

Note: It is not necessarily advisable to assign full UNIX access (777) permissions for files!