Microsoft SQLServer is not supported for the Identity Service Center in IBM® Security Identity Manager Version 6.0.0.2
and later. You must migrate to DB2 before upgrading.
Before you begin
Do not use these instructions if you have already upgraded
to IBM Security Identity Manager Version
6.0.0.2 or later and are using Microsoft SQL Server. Contact IBM Support
for assistance.
DB2 must be installed before you migrate the
database. See the Knowledge Center for your version of DB2 on UNIX, Linux, or Windows.
At then
end of this process you are running IBM Security Identity Manager Version 6
with DB2 and WebSphere® Application Server Version
8.5. Those product versions are required to run Identity Service Center (ISC).
Note: The
product name changed from IBM Tivoli® Identity Manager to IBM Security Identity Manager starting
with Version 6 and Version 7 VA.
About this task
Microsoft SQL Server is currently not supported for use
with IBM Security Identity Manager Version
7 VA or with the Identity Service Center (ISC)
user interface in IBM Security Identity Manager Version
6.0.0.2 and later. The following overview lists the major steps for
migration and upgrade.
- Upgrade from IBM Security Identity Manager Version
5 to Identity Manager Version 6.0.0. Skip this step if you are already
running IBM Security Identity Manager Versions
6.0.0 or 6.0.0.1.
- Migrate the database from Microsoft SQL Server to IBM DB2. This
step contains several sub-steps.
- Upgrade WebSphere Application Server to
Version 8.5.
- Upgrade to IBM Security Identity Manager Version
6.0.0.4 (Version 6 fix pack 4) or later.
This document uses <isim-home>
to refer
to the installation directory where you installed IBM Security Identity Manager. Example
locations of <isim-home>
are as follows:
- Windows systems:
C:\IBM\isim
- UNIX and Linux systems:
/opt/IBM/isim
Procedure
- Upgrade from IBM Security Identity Manager Version 5
to IBM Security Identity Manager Version
6.0.0.
- Migrate the database from Microsoft SQL Server to IBM DB2.
Follow steps 2.1 to 2.12 below.
Important: DB2 must
be installed before you start this procedure.
- Create a new database user for DB2.
Create
user
itimuser
on the host where the DB2 server is
located. The
itimuser
name is the default for
IBM Security Identity Manager and is used
in examples below. You may user another user name.
Note: you may use
the same user name and password that you used for Microsoft SQL Server.
Those credentials are in configuration files that you modify in later
steps.
- Windows systems: Create the user directly on the system. For example,
use .
- AIX systems: Use the SMIT or SMITTY tool to create the user.
- Solaris systems: Use the System Management Console (SMC) to create
the user.
- Linux systems: Use the useradd command to create the user. Example
command:
useradd -d /home/itimuser -p password itimuser
- Create a new DB2 database.
Run the following
commands, substituting your database name and database user credentials:
db2 create database <itim_dbname>; using codeset UTF-8 territory us
db2 connect to <itim_dbname> user <itim_dbadmin_name> using <itim_dbadmin_password>
db2 create bufferpool ENROLEBP size automatic pagesize 32k
db2 update db cfg for <itim_dbname> using logsecond 12
db2 update db cfg for <itim_dbname> using logfilsiz 10000
db2 update db cfg for <itim_dbname> using auto_runstats off
db2 disconnect current</p>
- Run the enrole_admin_template script.
- Go to the db2 directory in the IBM Security Identity Manager installation.
<isim-home>/config/rdbms/db2
- Check the
enrole_admin_template.sql
file. There
are three lines at the end of the file where the database user appears.
Edit the lines if necessary to use the name of the user you created
for DB2. In the example below, user name itimuser is shown. GRANT USE OF TABLESPACE ENROLE_DATA TO USER itimuser WITH GRANT OPTION;
GRANT USE OF TABLESPACE ENROLE_INDEXES TO USER itimuser WITH GRANT OPTION;
GRANT CREATETAB, CREATE_EXTERNAL_ROUTINE, CONNECT,IMPLICIT_SCHEMA ON DATABASE TO USER itimuser;
- Run the
enrole_admin_template.sql
script. The
full path to the script is shown in the example. db2 -tf <isim-home>/config/rdbms/db2/enrole_admin_template.sql
- Extract the database schema from the Microsoft SQL Server
database.
- Change the extracted database schema.
The
extracted schema is saved in the
db2tables.sql
file
in the IDMT output directory. You need to edit the file and make the
following changes.
- Add the following parameters to all
CREATE TABLE
commands: IN ENROLE_DATA INDEX IN ENROLE_INDEXES
Example:
CREATE TABLE NEXTVALUE (
ID VARCHAR(50) NOT NULL,
NEXTID INTEGER NOT NULL,
CONSTRAINT NEXTVALUE_PK PRIMARY KEY(ID)
) IN ENROLE_DATA INDEX IN ENROLE_INDEXES;
- Add the following column specification to the
CREATE TABLE
commands
for the SIB000
, SIB001
, and SIB002
tables. In
a cluster installation, add the column specification to CREATE TABLE
commands for all SIB000
, SIB001
,
and SIB002
tables in the following schemas: ITIMS000
, ITIML000
, ITIML001
,
and ITIML002
.
"DATA" VARCHAR(3360) FOR BIT DATA
Example:
CREATE TABLE "ITIML000"."SIB001"
(
"ID" BIGINT NOT NULL ,
"STREAM_ID" BIGINT NOT NULL ,
"TYPE" CHAR(2) ,
"EXPIRY_TIME" BIGINT ,
"STRATEGY" INTEGER ,
"REFERENCE" BIGINT ,
"CLASS_ID" INTEGER NOT NULL ,
"PRIORITY" INTEGER ,
"SEQUENCE" BIGINT ,
"PERMANENT_ID" INTEGER ,
"TEMPORARY_ID" INTEGER ,
"LOCK_ID" BIGINT ,
"DATA_SIZE" INTEGER NOT NULL ,
"DATA" VARCHAR(3360) FOR BIT DATA,
"LONG_DATA" BLOB(2147483647) NOT LOGGED ,
"XID" VARCHAR(254) ,
"DELETED" SMALLINT
) IN ENROLE_DATA INDEX IN ENROLE_INDEXES
;
- Run the following two queries to make sure the tables all use
the two index spaces. If necessary, change the value for
creator
to
use the database user name for Microsoft SQL Server. select name, substr(tbspace,1,15), substr(index_tbspace,1,15) from sysibm.systables where creator = 'ITIMUSER'
select name, substr(tbspace,1,15), substr(index_tbspace,1,15) from sysibm.systables where creator like 'ITIM%'
- Load the changed schema to DB2
- Make sure your user has authority to load the data before loading
the data. It requires administrative access.
- Grant permissions. Connect to DB2 as Administrator and run the
following commands. You can also use DB2 control center to grant the
permissions. Replace with the DB2 database user you created.
db2 => GRANT DBADM,CREATETAB,BINDADD,CONNECT,CREATE_NOT_FENCED_ROUTINE,
IMPLICIT_SCHEMA,LOAD,CREATE_EXTERNAL_ROUTINE,
QUIESCE_CONNECT,SECADM ON DATABASE TO USER <isim-dbadmin-name>;
- Load the data. Use the IDMT tool to deploy DLL and Data objects.
See the "Deploying objects and loading data" section on the IDMT developerWorks
site (see also step 4 above for more information on IDMT).
http://www.ibm.com/developerworks/data/library/techarticle/dm-0906datamovement/
- Remove Microsoft SQL Server data sources.
After
the migration, delete MS SQL data sources. Use the
WebSphere Application Server administration console.
- In the administration console, go to .
- Remove the following data sources.
- ITIM Bus Data Source
- ITIM Data Source
- Update configuration files.
Update the database
type and class path
LAX.CLASS.PATH
in the following
configuration files:
<isim-home>/bin/runconfig.lax
<isim-home>/bin/DBConfig.lax
<isim-home>/bin/DBUpgrade.lax
- Change the database type as follows:
DB_TYPE=IBM_DB
- If you have not already done so, copy JARs from the DB2 server
to the following locations on the IBM Security Identity Manager server.
<isim-home>/lib/db2jcc.jar
<isim-home>/lib/db2jcc_license_cu.jar
- Add two items to the class path in each configuration file. Use
separators appropriate for your platform.
<isim-home>/lib/db2jcc.jar
<isim-home>/lib/db2jcc_license_cu.jar
- Update enRoleDatabase.properties
Update
the database type, JDBC driver URL, and JDBC driver name in
<isim_home>/data/enRoleDatabase.properties
.
If you are running in a cluster environment, update the file on each
node in the cluster.
The following example shows only selected parts
of the enRoleDatabase.properties
file.
# Database type; The possible values are DB2, ORACLE, MS SQL SERVER
database.db.type=DB2
############################################################
# JDBC driver URL and driver name
#
############################################################
# JDBC driver URL
database.jdbc.driverUrl=jdbc:db2://localhost:50002/itimdb
# JDBC driver name
database.jdbc.driver=com.ibm.db2.jcc.DB2Driver
database.jdbc.connectionPool.testTableName=NEXTVALUE
Note: The
following code shows the general form of the JDBC driver URL.
jdbc:db2://<isim_db_host_name>:<jdbc_port>/<isim_dbname>
- Create the DB2 data source and enter the database user
name and password.
Run the following command on the Identiy
Manager server to create the data source:
<isim-home>/bin/runconfig install
The runconfig
command
starts a GUI.
- Click the Database tab.
- Enter the database user and password you created.
- Click OK.
- Remove the exception tables created by IDMT.
Run
the
db2dropexceptiontables.sql
script. This script
is located in the IDMT output directory.
- Update generated columns in the migrated database.
- Upgrade WebSphere Application Server to
Version 8.5.
- Upgrade to IBM Security Identity Manager Version 6.0.0.4
(Version 6 fix pack 4) or later.
Results
You are running IBM Security Identity Manager Version
6.0.0.4 or later with DB2 and WebSphere Application Server. Those product versions are required to run Identity Service Center.