PDMgr_config

Configures the Security Access Manager policy server for AIX®, Linux, and Solaris platforms.

Syntax

PDMgr_config [-C compliance] [-d dn_ldap-admin] [-D ldap_dn] [-f response_file] [-F use_fips {yes|no}] [-j standby_server {yes|no}] [-J standby_server_conf_file] [-k key_file] [-K key_file_password] [-l certificate_life] [-L port] -m password [-N key_file_label] [-r port] [-s silent {yes|no}] [-S ldap_suffix] [-v use_minimal_data_format {yes|no}] -w password [-Z use_ssl {yes|no}]

Description

The PDMgr_config utility configures the Security Access Manager policy server on AIX, Linux, and Solaris platforms. You can run this utility directly from the command line.

Parameters

-C compliance
Specifies the compliance value for the [ssl] ssl-compliance configuration file setting. If not specified, this value defaults to the [ssl] ssl-compliance value that is currently set in the pd.conf file. The compliance value must be one of the following settings: (Optional)
fips
Enforces FIPS 140-2 protocols and algorithms.

Security Access Manager servers and applications generate and use SHA1 with 2048-bit RSA certificates. Only TLS versions 1.0, 1.1, and 1.2 are available. SSL versions 2 and 3 are disabled and unavailable. This setting option is equivalent to the previous release setting [ssl] ssl-enable-fips = yes. This value is compatible with previous Tivoli Access Manager releases.

none
Specifies that no special compliance criteria are applied to TLS communication. Security Access Manager servers and applications generate and use SHA1 with 2048-bit RSA certificates. This setting option is equivalent to the previous release setting [ssl] ssl-enable-fips = no. This value is compatible with previous Tivoli Access Manager releases.
sp800-131-strict
Enables strict NIST SP800-131a support. This conformance enforcement is required by some agencies and businesses starting in the year 2014.

Security Access Manager servers and applications generate and use SHA256 with 2048-bit RSA certificates. This value is not compatible with prior releases of Tivoli Access Manager. Older Tivoli Access Manager clients cannot interact with Security Access Manager 7.0 running with this compliance setting. Only TLS version 1.2 is available; all others are disabled.

sp800-131-transition
Enables NIST SP800-131a support at the transition level. This value is valid until the end of the year 2013. This value has fewer restrictions than the strict enforcement. Only TLS versions 1.0, 1.1, and 1.2 are available. SSL versions 2 and 3 are disabled and unavailable.

Security Access Manager servers and applications generate and use SHA256 with 2048-bit RSA certificates. This value is at a higher level than is required by the standard and was chosen as it is a level permitted by the strict enforcement that allows easy migration from transition to strict. This value is not compatible with previous Tivoli Access Manager releases. Older Tivoli Access Manager clients cannot interact with Security Access Manager 7.0 running with this compliance setting.

suite-b-128
Enables NSA Suite B at 128-bit support. Security Access Manager servers and applications generate and use SHA256 with 256-bit ECDSA certificates. This value is not compatible with previous Tivoli Access Manager releases. Older Tivoli Access Manager clients cannot interact with Tivoli Access Manager 7.0 running with this compliance setting. Only TLS version 1.2 is available; all others are disabled.
suite-b-192
Enables NSA Suite B at 192-bit support. Security Access Manager servers and applications generate and use SHA384 with 384-bit ECDSA certificates. This value is not compatible with previous Tivoli Access Manager releases. Older Tivoli Access Manager clients cannot interact with Security Access Manager 7.0 running with this compliance setting. Only TLS version 1.2 is available; all others are disabled.
-d dn_ldap-admin
Specifies the distinguished name of the LDAP administrator. The default value is cn=root. (Optional)
-D ldap_dn
The name of the management domain. Configuring the policy server in the management domain creates the initial administrative domain. The management domain name must be unique within the LDAP server. The name must be an alphanumeric string up to 64 characters long and not case-sensitive. The default value is Default. (Optional)
-f response_file
Specifies the fully qualified path and file name of the response file to use during silent configuration. A response file can be used for configuration. There is no default response file name. The response file contains stanzas and key=value pairs. For information about using response files, see the "Using response files" appendix in the IBM Security Access Manager for Web Command Reference. (Optional)
-F use_fips {yes|no}
Specifies whether to enable Federal Information Processing Standards (FIPS). If FIPS is enabled, the IBM Tivoli Directory Server is configured to use the appropriate FIPS secure communications protocol. The valid responses are yes or no. The default value is no. (Optional)
-j standby_server {yes|no}
If a policy server is already configured to the LDAP server, a second policy server might be configured for standby purposes only. Valid values are yes or no. The default value is no. This parameter applies only to the AIX platform. (Optional)
-J standby_server_conf_file
The fully qualified location of the ivmgrd.conf file, which is the existing primary policy server configuration file. For example, if the shared directory is /share, enter /share/PolicyDirector/ivmgrd.conf. This parameter applies only to the AIX platform. (Optional)
-k key_file
Specifies the fully qualified file name of the client-side key file. This key file holds the server-side certificates that are used in secure communication. This parameter is required when use_ssl is set to yes, which enables SSL communication. (Optional)
-K key_file_password
Specifies the password that is associated with the specified key_file. This password was set when the key file was created. This parameter is required if use_ssl is yes. (Optional)
-l certificate_life
Specifies the number of days that the SSL certificate file is valid. The default number of days is 1460. (Optional)
-L port
Specifies the Secure Sockets Layer (SSL) port number of the LDAP server. Use the LDAP server-configured port number. The default port number is 636. (Optional)
-m password
Specifies the password for the Security Access Manager administrator ID. The default administrator ID is sec_master.
-N key_file_label
Specifies the server certificate label name that is in the key_file. This label was set when the server certificate was imported in the client-side key file. This parameter is required when use_ssl is set to yes, which enables SSL communication. (Optional)
-r port
Specifies the port number for the Security Access Manager policy server. The default value is 7135. (Optional)
-s silent {yes|no}
Specifies silent configuration. The valid responses are yes or no. If set to yes, the utility runs in silent mode. If set to no, the utility runs in interactive mode. (Optional)
-S ldap_suffix
The software creates the secAuthorityInfo object entry on the LDAP server when you create:
  • A Security Access Manager domain.
  • The initial management domain.
This object represents the Security Access Manager domain and is named by using the secAuthority attribute with the name of the domain as its value. For example: secAuthority=<domain_name>.
If you do not provide a different name, the default name of the management domain is Default, making the secAuthorityInfo object name secAuthority=Default. (Optional)
-v use_minimal_data_format {yes|no}
When you configure the policy server, you can select the LDAP data format for user and group tracking information. The two LDAP data formats are minimal and standard. The valid responses are yes or no. The default value is yes. (Optional)
-w password
Specifies the password for the LDAP administrator that is identified by dn_ldap-admin.
-Z use_ssl {yes|no}
Specifies whether to enable SSL communication between the Security Access Manager policy server and the registry server. The valid responses are yes or no. The default value is no. (Optional)

Availability

This utility is in /opt/PolicyDirector/sbin, the default installation directory on AIX, Linux, and Solaris operating systems.

When an installation directory other than the default is selected, this utility is in the /sbin directory under the installation directory (for example, installation_directory/sbin).

Return codes

0
The utility ran successfully.
1
The utility failed. When a utility fails, the software displays a description of the error. See the IBM Security Access Manager for Web Error Message Reference. This reference provides a list of the Security Access Manager error messages by decimal or hexadecimal codes.

Examples

The following example configures the Security Access Manager policy server by using LDAP as the user registry and the default management domain. SSL communication with the LDAP server is not enabled.
./PDMgr_config -Z no -F no -d "cn=root" -w password -v yes -m password \
-r 7135 -l 1460 -D Default -s yes
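The following wrapper is an added example, not code from the IBM reference: a POSIX sh script that checks an invocation against the constraints stated in the parameter list (the -C value must be one of the six documented settings; -Z yes requires -k, -K and -N) before it runs the utility in silent mode. The PDMGR_CONFIG variable and the PD_SEC_MASTER_PW, PD_LDAP_ADMIN_PW and PD_KEY_FILE_PW environment variables are conventions of this example only, chosen so that the passwords are not typed into the script itself.

```shell
#!/bin/sh
# Added example (not IBM's code): validate a PDMgr_config invocation against the
# constraints in the parameter list before running the utility.
# Assumptions: PDMGR_CONFIG holds the utility path (default from "Availability");
# the passwords for -m, -w and -K come from the environment variables
# PD_SEC_MASTER_PW, PD_LDAP_ADMIN_PW and PD_KEY_FILE_PW (names chosen here).
PDMGR_CONFIG="${PDMGR_CONFIG:-/opt/PolicyDirector/sbin/PDMgr_config}"

# is_valid_compliance VALUE: succeeds only for the six documented -C settings.
is_valid_compliance() {
    case "$1" in
        fips|none|sp800-131-strict|sp800-131-transition|suite-b-128|suite-b-192) return 0 ;;
        *) return 1 ;;
    esac
}

# build_args COMPLIANCE USE_SSL [KEY_FILE KEY_LABEL]
# Prints the non-secret argument list (key file paths must not contain spaces).
# Fails when COMPLIANCE is undocumented, USE_SSL is not yes/no, or -Z yes is
# requested without the key file (-k) and certificate label (-N) it requires.
build_args() {
    compliance=$1; use_ssl=$2; key_file=$3; key_label=$4
    is_valid_compliance "$compliance" || { echo "unknown -C value: $compliance" >&2; return 1; }
    case "$use_ssl" in yes|no) ;; *) echo "-Z must be yes or no" >&2; return 1 ;; esac
    args="-C $compliance -Z $use_ssl -d cn=root -D Default -r 7135 -l 1460 -v yes -s yes"
    if [ "$use_ssl" = yes ]; then
        [ -n "$key_file" ] && [ -n "$key_label" ] || { echo "-Z yes requires -k and -N" >&2; return 1; }
        [ -f "$key_file" ] || { echo "key file not found: $key_file" >&2; return 1; }
        args="$args -L 636 -k $key_file -N $key_label"
    fi
    printf '%s\n' "$args"
}

# run_config COMPLIANCE USE_SSL [KEY_FILE KEY_LABEL]
# Runs the utility in silent mode; the secrets are read from the environment and
# appended only after the non-secret options have passed validation.
run_config() {
    args=$(build_args "$@") || return 1
    [ -n "$PD_SEC_MASTER_PW" ] && [ -n "$PD_LDAP_ADMIN_PW" ] ||
        { echo "set PD_SEC_MASTER_PW and PD_LDAP_ADMIN_PW" >&2; return 1; }
    if [ "$2" = yes ]; then
        [ -n "$PD_KEY_FILE_PW" ] || { echo "-Z yes requires PD_KEY_FILE_PW (-K)" >&2; return 1; }
        set -- $args -K "$PD_KEY_FILE_PW"
    else
        set -- $args
    fi
    "$PDMGR_CONFIG" "$@" -m "$PD_SEC_MASTER_PW" -w "$PD_LDAP_ADMIN_PW"
}
```

Call it as `run_config sp800-131-strict yes /path/to/server.kdb server-label` with the three PD_*_PW variables exported; the utility's own return code (0 or 1, as listed above) is passed through.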