A Tivoli® Federated Identity Manager domain is a deployment of the Tivoli Federated Identity Manager runtime component to either a WebSphere® single server or a WebSphere cluster.
There is one domain per WebSphere cluster. In a single server environment, there can be only one domain.
Each domain is managed independently. You can use one installation of the Tivoli Federated Identity Manager management console to manage multiple domains, but you can manage only one domain at a time. The domain that is being managed is known as the active domain.
When Tivoli Federated Identity Manager is installed, no domains exist; you use the management console to create one. During installation, the management service was deployed to a WebSphere server (single server mode) or to the WebSphere Deployment Manager (WebSphere cluster mode). You connect to this management service and choose the WebSphere server or cluster to which the Tivoli Federated Identity Manager runtime component will be deployed. When the runtime is deployed and configured, you are ready to configure additional features such as federated single sign-on or Web services security management.
In a WebSphere Network Deployment environment, the deployment and configuration of the Tivoli Federated Identity Manager runtime to cluster members is an automated process. It is not necessary to perform additional installation of Tivoli Federated Identity Manager or Tivoli Access Manager software onto the WebSphere cluster computers. Deployment and configuration of the runtime application to distributed cluster members is performed by the Tivoli Federated Identity Manager management service utilizing the application deployment services of the WebSphere Deployment Manager.
The management console provides a wizard to guide you through the creation of the domain. The following sections list the properties that the wizard prompts you to supply.
WebSphere Application Server can optionally have global security enabled. When global security is enabled, the security properties must be configured for the Tivoli Federated Identity Manager management service. Global security is enabled in most deployments.
Note for z/OS®: When deploying on z/OS, WebSphere is typically configured to use a RACF® (or other security product) keyring for certificates. For instructions on setting up certificates for use with Tivoli Federated Identity Manager on z/OS, see the README document on the z/OS distribution media. The instructions describe how to take a certificate from a RACF Keyring, and add it to a Java™ Key Store file for use by Tivoli Federated Identity Manager. The trusted keystore and the optional client keystore files and passwords created by using those instructions should be used instead of the default values (for example, the trust.p12 file) shown below.
When you have installed Tivoli Federated Identity Manager on a computer that uses an existing WebSphere installation, the default path on Linux® or UNIX® is:
/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/etc/trust.p12
On Windows®:
C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\etc\trust.p12
When you have installed embedded WebSphere as part of the Tivoli Federated Identity Manager installation, the default path on Linux or UNIX is:
/opt/IBM/FIM/ewas/profiles/itfimProfile/etc/trust.p12
On Windows:
C:\Program Files\IBM\FIM\ewas\profiles\AppSrv01\etc\trust.p12
The default password for the WebSphere keystore is:
WebAS
This keystore file is an optional configuration item. Some WebSphere deployments do not use an SSL Client Keystore file.
The domain wizard prompts for the WebSphere server or cluster name when creating a domain. For a single server (one that is not part of a cluster), the wizard builds the default name automatically. For example, on a host named host1:
WebSphere:cell=host1Node01Cell,node=host1Node01,server=server1
The wizard prompts whether you want to configure into a Tivoli Access Manager environment. Do not configure into a Tivoli Access Manager environment if you are using a point of contact server other than WebSEAL. For example, do not configure into a Tivoli Access Manager environment if you are using WebSphere as a point of contact server.
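A pre-creation check of the wizard properties described above, written here as an added example rather than IBM's own tooling: it builds and parses the default single-server object name and flags the settings the text warns about (global security disabled, the default keystore password still in place, the default trust.p12 on z/OS, and Tivoli Access Manager selected with a point of contact other than WebSEAL). The property names, the `platform` field and the finding texts are assumptions; the defaults and the rules come from this page.

```python
"""Audit properties entered in the TFIM domain wizard (added example, not IBM code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_KEYSTORE_PASSWORD = "WebAS"  # default documented for trust.p12
DEFAULT_TRUST_PATHS = {              # default trust.p12 locations listed in the text
    "/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/etc/trust.p12",
    r"C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\etc\trust.p12",
    "/opt/IBM/FIM/ewas/profiles/itfimProfile/etc/trust.p12",
    r"C:\Program Files\IBM\FIM\ewas\profiles\AppSrv01\etc\trust.p12",
}


@dataclass
class DomainProperties:
    """Wizard inputs; field names are assumptions, not the wizard's labels."""
    global_security: bool
    trust_keystore: str
    trust_password: str
    client_keystore: Optional[str] = None  # optional item per the documentation
    configure_tam: bool = False
    point_of_contact: str = "WebSEAL"
    platform: str = "linux"                # assumed field; "z/OS" triggers the keyring rule


def default_server_name(host: str) -> str:
    """Build the wizard's default object name for a single (non-clustered) server."""
    node = f"{host}Node01"
    return f"WebSphere:cell={node}Cell,node={node},server=server1"


def parse_object_name(name: str) -> Dict[str, str]:
    """Split 'WebSphere:cell=...,node=...,server=...' into its key/value parts."""
    prefix, _, body = name.partition(":")
    if prefix != "WebSphere" or not body:
        raise ValueError(f"not a WebSphere object name: {name!r}")
    return dict(part.split("=", 1) for part in body.split(","))


def audit(props: DomainProperties) -> List[str]:
    """Return the findings a reviewer would raise before the domain is created."""
    findings = []
    if not props.global_security:
        findings.append("global security is disabled on the target WebSphere")
    if props.trust_password == DEFAULT_KEYSTORE_PASSWORD:
        findings.append("trust keystore still uses the default password")
    if props.platform == "z/OS" and props.trust_keystore in DEFAULT_TRUST_PATHS:
        findings.append("z/OS: use the keystore built from the RACF keyring, not trust.p12")
    if props.configure_tam and props.point_of_contact != "WebSEAL":
        findings.append("Tivoli Access Manager selected with a non-WebSEAL point of contact")
    return findings
```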
The wizard presents the following prompt:
If you select this check box, you must specify the properties listed in the following table.