README for Self-Care

Overview
Building the Application
Installation on WebSphere
Changes if WebSphere Security is Enabled
Configure the Application
Configure the Tivoli Identity Manager
Restart the Application
Test the Application

Overview


If you are using Tivoli Identity Manager to manage user accounts and you would like your users to be able to manage their own user IDs and passwords, you could benefit from using the self-care application. By allowing users to perform these types of self-management tasks, the number of help desk calls to request these tasks could be reduced.

Building the Application


Use the build scripts in the examples directory to create itim_expi.war. The target to use is self_care. For example, on a Windows platform, issuing the command "build self_care" from a command line creates itim_expi.war. The administrator can take this WAR file and install it onto WebSphere 5 by following these instructions. If the administrator makes any changes to the source of the self-care application, the administrator must re-create itim_expi.war.

Installation on WebSphere


Before you install the sample, you should be familiar with the requirements for installing it and the methods you can choose for installation.

You must install the sample on a system that has WebSphere Application Server 5 already installed. In addition, you must have installed the WebSphere Application Server patches that are specified in the IBM Tivoli Identity Manager Version 4.6 Release Notes. Use the installation instructions in those Release Notes to install the patches.

You can use one of the following options for installing the self-care application. Choose the method that is appropriate for your environment.

Installation on a system where Tivoli Identity Manager is installed


Follow the steps below to install the self-care application on a WebSphere Application Server which has the Tivoli Identity Manager running:

Installation on a system where Tivoli Identity Manager is not installed


Follow the steps below to install the self-care application on a WebSphere Application Server which does not have the Tivoli Identity Manager running:


Note: Make sure you are able to connect to the system where Tivoli Identity Manager has been installed, from the system where the self-care application is being installed, using the hostname of the remote system (that hosts Tivoli Identity Manager). On a Windows machine you might have to edit the hosts file, located under the $WINDIR/system32/drivers/etc/ directory (where $WINDIR is the directory where Windows system files are stored, usually C:/WINNT) on the system where the self-care application is being installed, to add an entry for the remote system. Please contact the System Administrator for additional details.

Changes if WebSphere Security is Enabled


If Java 2 security has been enabled for the WebSphere Application Server where the self-care application has been deployed, then follow the procedure below:

Configure the Application


Edit the itim_expi.properties file and set the key elements as follows:

Tenant and Tenant DN setup:
tenantid=<your tenant ID>
tenantdn=<your tenant DN>


Default organization (root in Tivoli Identity Manager):
default.org=root organization in Tivoli Identity Manager
platform.url=iiop://host name of Tivoli Identity Manager server:port
(URL where Tivoli Identity Manager is installed)

platform.principal=EJB user name (default= "rasweb")
platform.credentials=EJB user credentials (default = <blank>)


You can determine the values for these elements by looking at the corresponding values in the enRole.properties file, which is located in the $ITIM_HOME/data/ directory (where $ITIM_HOME is the directory where Tivoli Identity Manager is installed). The elements and corresponding values are described in the following table.

Element in itim_expi.properties file | Corresponding value in the enRole.properties file
tenantid | Use the value for enrole.defaulttenant.id.
tenantdn | Use the value 'ou=tenantid' combined with the value of enrole.ldapserver.root. For example, "tenantdn=ou=myco,dc=com".
default.org | Use 'ou=tenantid'.
platform.url | Use the URL for the Tivoli Identity Manager server with the port used by the WebSphere Server for IIOP.
platform.principal | Use the name of the user who has been assigned the ITIM_CLIENT or ITIM_SYSTEM role. (Usually this value is the same as the enrole.appServer.ejbuser.principal.)
platform.credentials | Use the password of the platform.principal user. (Usually this value is the same as the enrole.appServer.ejbuser.credentials.) Note: If you have used the runConfig command in Tivoli Identity Manager to encrypt the password set in the enrole.appServer.ejbuser.credentials, you will need to manually add the unencrypted password as the value for the platform.credentials property.


Following are example values for these key elements in the itim_expi.properties file:
#------------------------------------------------------
# Organizational information
#------------------------------------------------------
tenantid=myco
tenantdn=ou=myco,dc=com
default.org=ou=myco

# Application Server
platform.url=iiop://itimserver.myco.com:2809
platform.principal=enroleUser
platform.credentials=enroleUserPassword
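
The mapping in the table above can be applied and checked mechanically. The following Python sketch is an added example, not part of the Tivoli Identity Manager samples: it derives the key elements from enRole.properties values, checks that they are consistent with each other, and tests whether the file holding the unencrypted platform.credentials is readable by other accounts. The function names and the sample input are constructed for illustration, the host and port are the ones from the example values above, and the permission check assumes POSIX mode bits.

```python
import os
import re
import stat

# Constructed sample of the relevant enRole.properties keys (not a real install).
SAMPLE_ENROLE = """\
enrole.defaulttenant.id=myco
enrole.ldapserver.root=dc=com
enrole.appServer.ejbuser.principal=enroleUser
enrole.appServer.ejbuser.credentials=enroleUserPassword
"""

def parse_properties(text):
    """Parse key=value lines; split on the first '=' only, because DNs contain '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def derive_expi(enrole, host, iiop_port):
    """Apply the table's mapping from enRole.properties to itim_expi.properties."""
    tenant = enrole["enrole.defaulttenant.id"]
    return {
        "tenantid": tenant,
        "tenantdn": "ou=%s,%s" % (tenant, enrole["enrole.ldapserver.root"]),
        "default.org": "ou=%s" % tenant,
        "platform.url": "iiop://%s:%d" % (host, iiop_port),
        "platform.principal": enrole["enrole.appServer.ejbuser.principal"],
        "platform.credentials": enrole["enrole.appServer.ejbuser.credentials"],
    }

def check_expi(expi):
    """Return a list of inconsistencies between the key elements."""
    ou = "ou=%s" % expi.get("tenantid", "")
    problems = []
    if not expi.get("tenantdn", "").startswith(ou + ","):
        problems.append("tenantdn does not start with " + ou)
    if expi.get("default.org") != ou:
        problems.append("default.org is not " + ou)
    if not re.fullmatch(r"iiop://[^\s:/]+:\d+", expi.get("platform.url", "")):
        problems.append("platform.url is not iiop://host:port")
    return problems

def readable_by_others(path):
    """True if group or other can read the file that holds the clear-text password."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))
```

If runConfig was used to encrypt enrole.appServer.ejbuser.credentials, the derived platform.credentials value is the encrypted string and still has to be replaced by hand with the unencrypted password, as the table notes.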

Configure the Tivoli Identity Manager


Follow the steps below to configure the Tivoli Identity Manager:

Restart the Application


Restart the self-care application running on the Application Server.

For WebSphere Application Server, in the WebSphere Administrative Console, under Applications -> Enterprise Applications, execute the following steps:

Test the Application


For WebSphere Application Server, enter the URL http://<hostname>:9080/itim_expi (or https://<hostname>:9443/itim_expi if WebSphere Application Server security has been enabled) in a web browser window. The Sign On page should appear. Try out the various operations randomly. If you encounter problems, make sure that ITIM is configured to allow the requested action (i.e. make sure the analogous operation is enabled using the standard ITIM user interface).