Use the IBM® Tivoli® Monitoring Installation
Launchpad or IBM Installation
Manager with a local or network repository to install the Tivoli Authorization Policy Server
using a graphical user interface. Using both of these methods, you
can also install the IBM Infrastructure
Management Dashboards for Servers and tivcmd Command Line Interface
for Authorization at the same time. The Installation Launchpad is
the recommended approach if you do not have experience using IBM Installation Manager.
Before you begin
IBM Dashboard Application
Services Hub must be installed before you can install Authorization
Policy Server.
If IBM Dashboard
Application Services Hub is not already installed, you have two options:
- Use the Jazz™ for Service
Management launchpad application to install IBM Dashboard Application Services Hub and its
prerequisites. Then, use the IBM Tivoli Monitoring installation
launchpad to install the IBM Tivoli Monitoring components
for a dashboard environment. This is the recommended approach if you
are not familiar with IBM Installation
Manager.
- Ensure that IBM Installation
Manager is installed and then set up a local or network repository
that contains the Jazz for Service
Management components. Also set up a repository with the IBM Tivoli Monitoring
components for a dashboard environment. Then use IBM Installation Manager to install IBM Dashboard Application Services Hub, its prerequisites,
and the IBM Tivoli Monitoring components at the same time. IBM Installation Manager ensures
the components are installed in the correct order.
If Dashboard Application Services Hub is already installed,
you have two options for installing the Tivoli Authorization Policy Server:
- Use the IBM Tivoli Monitoring installation launchpad.
This is the recommended approach if you are not familiar with IBM Installation Manager.
- Set up a local or network repository with the Tivoli Monitoring components for a dashboard
environment and then use IBM Installation
Manager to perform the installation.
If you are using IBM Installation
Manager repository to perform the installation, you must ensure that
it is installed and then set up a local or network repository with
the packages to be installed. For more information, see Using IBM Installation Manager to install components from a local repository or Using IBM Installation Manager to install components from a network repository.
About this task
Complete the following steps to install and configure the Tivoli Authorization Policy Server
on the computer where the Dashboard Application Services Hub is installed.
(Or where the Dashboard Application Services Hub will be installed
at the same time as the authorization policy server.)
Procedure
- If you are using the IBM Tivoli Monitoring Installation
Launchpad, perform these steps to start the installation:
- Log in into the system as the same user who installed
the IBM Dashboard Application
Services Hub.
- Execute the launchpad command or script for your operating
system. The launchpad commands and scripts are located in the root
directory of the IBM Tivoli Monitoring Dashboards
for Servers and Authorization Policy Components DVD or DVD image.
- 32 bit system launchpad.exe
- 64 bit system launchpad64.exe
- launchpad.sh
- On the main launchpad panel, select one of the following
links under the Product Overview category:
- Install as administrative user: Select this link if you
installed IBM Dashboard Application
Services Hub as an administrative user on Windows or as root on Linux/UNIX.
- Install as non-administrative user: Select this link if
you did not install IBM Dashboard
Application Services Hub as an administrative user on Windows or as root on Linux/UNIX.
The IBM Installation Manager
window opens with several choices for managing your IBM software installations.
- If you are using IBM Installation
Manager, perform these steps to start the installation:
- Log in as the user who installed IBM Dashboard Application Services Hub if it
is already installed.
- Start the IBM Installation
Manager:
- Double-click the IBMIM.exe file that is
located in the eclipse subdirectory in the directory where IBM Installation Manager was installed.
The default path for IBM Installation
Manager on Windows is C:\Program
Files\IBM\Installation Manager\eclipse.
- Execute the IBMIM binary under /opt/IBM/InstallationManager/eclipse.
The IBM Installation Manager
window opens with several choices for managing your IBM software installations.
- In the Installation Manager main window, click Install to
see the available packages in the repositories that are configured
for IBM Installation Manager.
- Select the Tivoli Authorization Policy Server package
and click Next.
Note: - If you are using the IBM Tivoli Monitoring Installation
Launchpad, the Tivoli Authorization Policy Server package
is preselected.
- If you are using IBM Installation
Manager to install IBM Dashboard
Application Services Hub at the same time, you must also select its
package and its prerequisite packages. See the Jazz for Services Management Installation Guide
for details when you are asked to provide information specific to
these packages (http://pic.dhe.ibm.com/infocenter/tivihelp/v3r1/topic/com.ibm.psc.doc_1.1.0/install/psc_c_install.html).
- You can also select the IBM Infrastructure
Management Dashboards for Servers package and tivcmd Command Line
Interface for Authorization Policy packages if they are also being
installed on the same system.
- If you are installing Jazz for
Service Management, accept the license agreement for each package
and click Next.
- If you are using IBM Installation
Manager to perform the installation, specify the location of the Shared
Resources Directory and click Next.
The
first time that you install a package on a computer you are asked
to specify a shared resources directory. The shared resources directory
is where IBM Installation Manager
stores installation artifacts that can be used by one or more package
groups. Choose a directory on your largest drive. You cannot change
the shared resources directory location until you uninstall all packages.
- On the panel for configuring package groups, you cannot
specify an installation directory for the Tivoli Authorization
Policy Server package because it is installed using the
package group definition for IBM Dashboard
Application Services Hub: Core services in Jazz for Service
Management.
Note: - If you are using IBM Installation
Manager to install IBM Dashboard
Application Services Hub at the same time, you should confirm the
package group location for its package group and its prerequisite
package groups.
- If you are also installing the tivcmd Command Line Interface for
Authorization Policy package on the computer, you should select its
package directory and either use the default installation directory
location or enter a custom installation directory location. On a 64
bit machine, the 64 bit architecture of the tivcmd Command Line Interface
for Authorization Policy is installed by default. You can select to
switch to the 32 bit architecture. However, on zSeries® systems with Linux, you can only install the 32 bit architecture
of the CLI.
Important: The tivcmd CLI cannot be installed
under the same installation directory as Jazz for
Service Management or the monitoring server, portal server, portal
client, monitoring agents, and tacmd CLI components of IBM Tivoli Monitoring.
- If you are using IBM Installation
Manager to perform the installation for Jazz for
Service Management, you might be asked to specify the translation
packages to install. After making your selection, click Next.
Note: The language files for all supported languages
are always installed with the IBM Infrastructure
Management Dashboards for Servers, Tivoli Authorization
Policy Server, and tivcmd Command Line Interface for Authorization
Policy packages.
- Select the Tivoli Authorization Policy Server feature
and click Next.
Note: - If you are using the IBM Tivoli Monitoring Installation
Launchpad, this feature is preselected.
- It is recommended to select the Tivoli Authorization
Policy Server Installation and Configuration features
together (which is the default behavior). However, you can clear the
Configuration feature if you did not select the Configuration feature
when IBM Dashboard Application
Services Hub was installed. Or likewise, if you want to review the
deployment scripts before they are used to deploy the authorization
policy server application into IBM Dashboard
Application Services Hub. If you select the Installation feature on
its own, only the authorization policy server binaries and install
scripts are laid down in the installation directory (on Windows this location is usually C:\Program
Files\IBM\JazzSM\AuthPolicyServer and on Linux/UNIX this
location is usually /opt/IBM/JazzSM/AuthPolicyServer).
If you select the Configuration feature on its own, the Installation
feature is selected as well.
- If you are using IBM Installation
Manager to install IBM Dashboard
Application Services Hub at the same time, you must also select the IBM Dashboard Application Services
Hub features and its prerequisite features.
- You can also select the IBM Infrastructure
Management Dashboards for Servers feature and tivcmd Command Line
Interface for Authorization Policy feature if you want to install
those features on the same system.
- On the next window, specify the configuration parameters
for each package where you selected the Configuration feature. Select
each package on the left to see its set of configuration parameters.
Specify the configuration parameters and click Next.
The following configuration
parameters apply to the Tivoli Authorization
Policy Server configuration feature:
- The Common Configuration for Core Services in Jazz for Service Management configuration parameters
are displayed if IBM Dashboard
Application Services Hub is already installed. You must specify an IBM Dashboard Application Services
Hub administrative user name and password such as tipadmin. Click Validate to
confirm the credentials can be used to log in to the dashboard hub.
These credentials are used to deploy the Authorization Policy Server
application into the WebSphere® Application
Server for IBM Dashboard Application
Services Hub. This user ID is also assigned to the PolicyAdministrator
role that is used by the Authorization Policy Server to control which
users can create and work with authorization policies.
- The Restart Dashboard Application Services Hub configuration parameters
allow you to specify how to restart the Dashboard Application Services
Hub after the authorization policy server is installed and configured.
Select either an automatic or manual restart of the Dashboard Application
Services Hub and click Confirm. Click OK when
prompted to confirm your selection.
- The advanced parameters for the Tivoli Authorization
Policy package allow you to specify audit log properties and how to
handle distribution of authorization policies. The Tivoli Authorization Policy Server periodically
compresses a file of the current set of authorization policies that
is available for distribution. On a periodic interval, the dashboard
data provider component of the portal server makes a request to the Tivoli Authorization Policy Server
for the latest compressed file of policies. If there is a new file,
it is obtained and extracted and this set of policies becomes the
current set of policies that are used by the dashboard data provider.
Configure
the Authorization Policy Server audit and policy distribution properties.
Each property has the following default value and range:
- Audit log file count
- The maximum number of audit log files to keep at one time.
- Default value is 5. Range is greater than 1 and less than 99999.
- Audit log file size (megabytes)
- The maximum size of each log file in megabytes.
- Default size is 10. Range is greater than 1 and less than 99999.
- Audit log file directory
- The directory into which the log files are stored.
- Default value is <JAZZSM_INSTALL_DIR>\AuthPolicyServer\PolicyServer\audit
- Policy-distribution Polling interval (minutes)
- This property specifies how often the Authorization Policy Server
updates the compressed file containing the authorization policies
that is downloaded by the dashboard data provider.
- Default value is 5. Range is 1 - 1440 minutes.
- Policy-distribution Polling directory
- The directory into which the version of the policies for distribution
is stored.
- Default value is <JAZZSM_INSTALL_DIR>\AuthPolicyServer\PolicyServer\dist
- If you are also installing the tivcmd CLI package, configure the IBM GSKit Security parameters. Specify
the encryption key that is being used in your IBM Tivoli Monitoring
environment in the GSKit field. The default value is IBMTivoliMonitoringEncryptionKey.
- After specifying all of the configuration parameters, click Next.
Note: The Next button is not enabled
until all required configuration parameters are completed.
- Review the information on the Install Packages Summary
window. This is your opportunity to click Back and
make any changes before proceeding.
- Click Install to begin installing.
After installation is complete, the packages are shown in a panel
with a message confirming that they are installed. You can now review
the log files.
- Click Finish to finalize the installation.
What to do next
See
Verifying the Tivoli Authorization Policy Server installation for steps
to verify that the installation was successful.
If you only selected
the installation feature of the Tivoli Authorization
Policy Server, review the authorization policy server's deployment
scripts and then use the Modify operation of IBM Installation Manager to deploy
the authorization policy server into IBM Dashboard
Application Services Hub. See Configuring the Tivoli Authorization Policy Server feature after installation.
If
you selected both the installation and configuration features of Authorization
Policy Server, perform the following tasks:
- If you selected the option for a manual restart of Dashboard Application
Services Hub in step 9, you must restart the application server for
Dashboard Application Services Hub. You must perform this action before
you can use the Authorization Policy Server with the tivcmd CLI to
create authorization policies.
- Install the tivcmd Command Line Interface on the computers that
administrators use to create authorization policies. Follow the instructions
in Installing the tivcmd Command Line Interface for Authorization Policy using the graphical user interface or Installing the tivcmd Command Line Interface for Authorization Policy using console mode. The user credentials that
you specified during the Authorization Policy Server installation
are assigned to the PolicyAdministrator role. You must use these credentials
with the tivcmd Command Line Interface to log in to the Authorization
Policy Server and assign other administrators permission to create
and work with authorization policy roles.
The IBM Tivoli Monitoring Administrator's
Guide provides
examples of creating authorization policies for common scenarios in
the Using role-based authorization policies chapter. Steps
for configuring a dashboard environment to use authorization policies
are outlined in the Preparing your dashboard environment chapter.
For a complete list of tivcmd CLI commands, see the IBM Tivoli Monitoring Command Reference.