You must create a domain and deploy a runtime application
for each instance of the Tivoli® Federated Identity Manager.
This task is a prerequisite for configuration of additional Tivoli Federated Identity Manager features such as federated
single sign-on or Web services security management. It is also a prerequisite
for deployments that use the Tivoli Federated Identity Manager security
token service for token exchange. An example of a token exchange scenario
is deployment of Tivoli Federated Identity Manager Kerberos
constrained delegation with WebSEAL junctions.
Before you begin
A wizard prompts you to supply the necessary configuration
properties. You can use the properties on the worksheet that you prepared.
For more information on the worksheet, see Domain configuration.
Procedure
- Verify that the WebSphere® Application
Server application is running.
- When you are deploying a domain into a WebSphere Application Server cluster and WebSphere global security is enabled, you
must ensure that the WebSphere key
files from the Deployment Manager are copied to all nodes in the cluster.
Place the keys on each node in the same directory as on the Deployment
Manager. WebSphere 6.1
should do this automatically. However, when the administrative
console is remote from the DMgr (Management Service), ensure that the server
certificate presented by the DMgr is trusted by the console. One way
to do this is to copy the trust store from the DMgr to the console
profile.
- Log in to the WebSphere console
and click Tivoli Federated
Identity Manager → Getting Started.
The Getting
Started portlet is displayed.
- Click Manage Domains. The
Domains portlet is displayed.
- Click Create. The Domain
Wizard displays the Welcome panel.
- Click Next. The Management
Service Endpoint panel is displayed.
- Enter values for the specified properties and click Next.
- The WebSphere Security
panel is displayed. Specify whether WebSphere global security is enabled.
Note: When installing on z/OS®,
see the README file on the z/OS distribution
media for important information about setting WebSphere security properties.
- When global security is enabled, enter values for the specified
properties and click Next.
- When global security is not enabled, leave the remaining properties
blank. Click Next.
- Click Test Connection. When
successful, you will see an information message:
FBTCON317I Tivoli Federated Identity Manager connected successfully.
- Click Next. The WebSphere Target Mapping panel is displayed.
Select or enter the name of your server or cluster. When finished,
click Next.
- When
the WebSphere environment
consists of a single server, the panel displays a Server name menu
with a default name.
- When the WebSphere environment
consists of a cluster, the panel displays the Cluster Name menu. This
menu lists the names of clusters defined in the cell. Select the name
of the cluster to use.
- The Select Domain panel is displayed. A default name is
provided. Accept it or enter a name for the new domain.
- The Tivoli Access
Manager Environment Settings panel is displayed. Select or deselect This
Environment Uses Tivoli Access Manager as appropriate, and click Next. When you select this option, provide values for the rest of
the properties.
- The Summary panel is displayed. Verify that the domain
information is correct and click Finish.
The domain is created and the domain wizard exits. The Create
Domain Complete panel is displayed.
- Select both of the check boxes on the Create Domain Complete
panel and click OK.
You
must complete both of the tasks as part of the initial creation and
deployment of the Tivoli Federated Identity Manager management
service and runtime:
- Make this domain the active management domain
- Open Runtime Node Management upon completion
- When you are deploying Tivoli Federated Identity Manager into a WebSphere cluster, ensure that the WebSphere Node Agent is running
on all the nodes in the cluster.
Use the WebSphere administrative console
to verify the status of the node agents.
- The Current Domain
portlet and the Runtime Node Management portlet are displayed. In
the Runtime Node Management portlet, click Deploy Runtime. A message is displayed:
FBTCON355I - A request to deploy the Tivoli Federated Identity Manager
Runtime is in progress.
The following link is displayed:
Click to refresh runtime deployment status and check for completion.
The Deploy operation may take several minutes. During this time,
you can click the link to check for completion. When the deployment
is complete, clicking the link returns the message:
FBTCON132I The Runtime was successfully deployed to the domain.
The Runtime Node Management portlet is redrawn. An entry for
the runtime is added to the Runtime Nodes table
for each node in the domain. Also, the Configure button
is activated.
- In the Runtime Node table, select the check box for your
node and click Configure.
The
runtime application is configured into the environment.
- In a WebSphere cluster
environment, configure each node in the cluster by repeating the previous
step.
- When all nodes are configured, click the Load
configuration changes to the Tivoli Federated Identity Runtime button.
The button is located in the Current Domain portlet.
- Continue with the instructions that apply to your deployment:
- In a WebSphere cluster environment,
continue with Mapping the runtime to a Web server.
- In a WebSphere non-clustered (standalone
server) environment, the domain creation and deployment is now complete.
Continue with the appropriate instructions for your scenario.
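The trust check from the cluster step earlier in this procedure (the server certificate presented by the DMgr must be trusted by a remote administrative console, for example by copying the DMgr trust store to the console profile) can be verified from the command line. The following shell script is an added example and is not part of this IBM documentation: it uses openssl to export a WebSphere PKCS12 trust store to PEM, to fetch the certificate a DMgr TLS endpoint presents, and to verify that the certificate chains to a CA in that trust store. The host name dmgr.example.test, the trust store path and password, and the throwaway CAs generated for the offline demonstration are constructed assumptions; trust.p12 is the usual WebSphere trust store file name, but the location in your profile may differ.

```shell
#!/bin/sh
# Added example, not taken from the Tivoli Federated Identity Manager documentation.
# Verifies that the certificate a Deployment Manager (DMgr) presents is trusted
# by the trust store of an administrative console profile.

# Export a WebSphere PKCS12 trust store (assumed name: trust.p12) to a PEM bundle
# that openssl can use as a CA file.
# Usage: truststore_to_pem /path/to/profile/.../trust.p12 'store-password' out.pem
truststore_to_pem() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$3" 2>/dev/null
}

# Fetch the leaf certificate a TLS endpoint presents (for example the DMgr
# secure port) and save it as PEM.
# Usage: fetch_server_cert dmgr.example.test:9043 dmgr-presented.pem   (host is an assumption)
fetch_server_cert() {
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# Return 0 when the certificate in $1 chains to a CA contained in the PEM bundle $2,
# non-zero otherwise (the console would reject the DMgr in that case).
check_trust() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed demo data so the script runs offline: a throwaway cell root CA,
# a DMgr certificate issued by it, and an unrelated root standing in for a
# console profile whose trust store was never updated from the DMgr.
make_demo_pki() {
    _d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-cell-root" \
        -keyout "$_d/ca.key" -out "$_d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=dmgr.example.test" \
        -keyout "$_d/dmgr.key" -out "$_d/dmgr.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$_d/dmgr.csr" -CA "$_d/ca.pem" -CAkey "$_d/ca.key" \
        -CAcreateserial -out "$_d/dmgr.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=stale-console-root" \
        -keyout "$_d/other.key" -out "$_d/other.pem" 2>/dev/null
    echo "$_d"
}

# Demonstration: the DMgr certificate verifies against the cell trust bundle
# but not against a console profile that still trusts only an unrelated root.
demo() {
    d=$(make_demo_pki)
    if check_trust "$d/dmgr.pem" "$d/ca.pem"; then
        echo "dmgr.pem: trusted by the DMgr trust bundle"
    fi
    if ! check_trust "$d/dmgr.pem" "$d/other.pem"; then
        echo "dmgr.pem: NOT trusted by the stale console bundle; copy trust.p12 from the DMgr profile to the console profile"
    fi
    rm -rf "$d"
}
```

Against a live cell, run truststore_to_pem on the console profile's trust.p12, fetch_server_cert against the DMgr secure port, and then check_trust on the two files; a non-zero result means the console profile still lacks the DMgr signer and the trust store copy from the cluster step has not taken effect.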