This document provides guidance on migrating an existing deployment of Encentuate 3.4 or 3.5 to IBM Tivoli Access Manager for Enterprise Single Sign-On version 8.0. It outlines the key differences between Encentuate versions 3.4 and 3.5 and describes a two-step upgrade process - first upgrading the IMS server to version 3.5 and then to version 8.0. It also discusses upgrading the AccessAgent clients directly to version 8.0 after completing the server upgrades. Important considerations for the upgrade process include changing the enterprise directory connector, updating authentication policies and reapplying user policy templates.
Novell SecureLogin 7 and Your Microsoft Active Directory SetupNovell
Novell recently shipped Novell SecureLogin 7, which delivers a host of enhancements, including:
• An improved integration wizard
• Extended support for .NET applications and Oracle Forms
• Integration with Client Login Extension (CLE) for recovering forgotten passwords
• Windows 7 support
In this session, we will go into detail about these new enhancements and will also discuss how to use SecureLogin 7 with Microsoft Active Directory and Active Directory Application Mode. In addition to understanding the new features in SecureLogin, when you leave this session you’ll understand:
• How to use SecureLogin with Active Directory and Active Directory Application Mode
• How to choose between a Novell eDirectory or Active Directory deployment
• How to add advanced authentication to your Active Directory deployment
• How to set up shared workstation support
• How to apply Active Directory group policies to SecureLogin
• And much more
Finally, you’ll hear from a customer who has deployed SecureLogin in their environment.
Microsoft veröffentlichte vor kurzem das jüngste Update für System Center Configuration Manager - System Center 2012 R2 Configuration Manager. Viele der neuen Updates sind so gut, dass jeder das Upgrade so schnell wie möglich haben möchte. Wally Mead, Microsoft MVP, präsentierte in dieser Preäsentation die neuen Features von Configuration Manager 2012 R2.
Novell SecureLogin 7 and Your Microsoft Active Directory SetupNovell
Novell recently shipped Novell SecureLogin 7, which delivers a host of enhancements, including:
• An improved integration wizard
• Extended support for .NET applications and Oracle Forms
• Integration with Client Login Extension (CLE) for recovering forgotten passwords
• Windows 7 support
In this session, we will go into detail about these new enhancements and will also discuss how to use SecureLogin 7 with Microsoft Active Directory and Active Directory Application Mode. In addition to understanding the new features in SecureLogin, when you leave this session you’ll understand:
• How to use SecureLogin with Active Directory and Active Directory Application Mode
• How to choose between a Novell eDirectory or Active Directory deployment
• How to add advanced authentication to your Active Directory deployment
• How to set up shared workstation support
• How to apply Active Directory group policies to SecureLogin
• And much more
Finally, you’ll hear from a customer who has deployed SecureLogin in their environment.
Microsoft veröffentlichte vor kurzem das jüngste Update für System Center Configuration Manager - System Center 2012 R2 Configuration Manager. Viele der neuen Updates sind so gut, dass jeder das Upgrade so schnell wie möglich haben möchte. Wally Mead, Microsoft MVP, präsentierte in dieser Preäsentation die neuen Features von Configuration Manager 2012 R2.
How to Extend Microsoft SCOM to Monitor & Diagnose the Performance of Citrix,...eG Innovations
Microsoft System Center Operations Manager (SCOM) is a leading platform for performance monitoring and management of Microsoft applications (such as Active Directory, Microsoft SQL Server, Exchange Server, IIS and SharePoint). However, SCOM does not have extensive capabilities to monitor non-Microsoft systems and applications (like Citrix, SAP, Oracle, Java, Sybase, etc.), nor does SCOM have virtualization-awareness for platforms like VMware vSphere, Citrix XenServer, Red Hat Enterprise Virtualization, AIX LPARs and Solaris LDOMs, or virtual desktops (VDI).
To extend the scope of Microsoft SCOM to manage these environments, enterprises have to look at multiple third party products that provide individual management packs, one for each specific non-Microsoft platform. This traditional "multi-pack approach" creates complexity and only provides a fragmented view of the IT infrastructure. This approach leads to slow problem isolation and diagnosis, and often results in poor user experience and loss of user productivity.
Join performance monitoring expert Srinivas Ramanathan (CEO, eG Innovations) to learn about eG Enterprise for SCOM, a new universal management pack that fills this gap and provides a single, integrated solution with SCOM to address the performance management needs of today's enterprises. This webinar presentation will show you how to:
• Monitor and troubleshoot the entire IT service infrastructure end to end from the SCOM console
• Monitor applications and platforms not natively supported by System Center Operations Manager
• Instantly diagnose and get actionable insight into IT service health and performance
• Provide automatic, rapid root cause diagnosis for even the most complex performance problems
• Receive proactive problem detection and alerting before users call
• Maximize the return on your investment in System Center Operations Manager
Network-Ready Your Hybrid IT Environment (ENT108) | AWS re:Invent 2013Amazon Web Services
(Presented by Equinix) As IT decision makers shift their consumptionmodels to leverage more cloud services, they are faced with overcomingperformance, security and compliance limitations associated with the publicInternet as an access method. In this session, we illustrate how Equinixdelivers a unique and enhanced AWS Direct Connect global service offering thatenables secure, high-speed access with the flexible, dynamic bandwidth to meetthe needs of the evolving IT consumption trends.
When using Notes, iNotes, Sametime and Connections on either Windows or a mobile device, users are confronted with several different passwords and settings they have to enter. In this session I will show you how to setup and configure Notes & Domino so that users do not have to enter passwords or server settings and still get logged into Notes, Sametime and Connections when starting their Notes Client or Browser.Buzzwords for this talk are: SSO, NSL, LTPA, SAML and SPNEGO.
Administering and configuring System Center Configuration Manager 2012 R2 SP1Unitek Eduation
-Configuring and deploying SCCM 2012 R2
-Data Quering using WQL and gathering collections
-Configuring Software and Hardware Inventory, asset intelligence and software metering.
Great news for Systems Center 2012 customers. With the aim of making System Center more cloud-friendly, Microsoft has made changes to the way that the licensing model for this popular product works. What used to be an extremely complex licensing system has been made much easier for clients to understand and manage. This presentation provides a quick overview of what these key updates are and work with a Softchoice Microsoft specialist to understand your needs under this new model moving forward.
System Center 2012 R2 Configuration Manager (SCCM) with Windows IntuneAmit Gatenyo
Microsoft has a history of providing rich IT-infrastructure solutions to help manage every aspect of enterprise operations. Microsoft’s people-centric solution consists of products and technologies that can help IT departments handle the influx of consumer-oriented technology and the work style expectations of users, thereby helping increase productivity and satisfaction for the people within their organizations.
Microsoft’s people-centric IT vision helps organizations enable and embrace the consumerization of IT by:
1. Enabling your end users by allowing users to work on the device(s) of their choice and providing consistent access to corporate resources from those devices.
2. Helping protect your data by protecting corporate information and managing risk.
3. Unifying your environment by delivering comprehensive application and device management from both your existing on-premises infrastructure, including System Center Configuration Manager, Windows Server, and Active Directory, as well as cloud-based services, including Windows Intune and Windows Azure.
Let’s discuss each of these areas in more detail.
Package, Stream, Manage. Application virtualiization isolates applications to create a conflict free environment with manageability as the cornerstone to successful service delivery in large organizations. With App-V, deploy applications in seconds to thousands of computers automagically.
What's new in iNotes 9.0 Social EditionRahul A. Garg
Come see what's new in IBM iNotes 9.0 Social Edition and the cloud-based SmartCloud Notes web offering, plus hear about our plans for upcoming releases. The iNotes team has been hard at work in turning innovations around OpenSocial and end-user productivity into an experience that will make you and your organization more productive and more responsive. Come check out how these innovations have transformed iNotes and how they benefit the rest of the IBM portfolio, as well as your own projects. As always, this session will be packed with demos of the latest features and previews of future additions. If browser clients are an integral part of your collaborative infrastructure and strategy, then don't miss this session!
Licencia No-Comercial, puede utilizarse siempre y cuando se de el crédito al autor y creador original de este.
renzovargas093@gmail.com
be.net/renzovargas
How to Extend Microsoft SCOM to Monitor & Diagnose the Performance of Citrix,...eG Innovations
Microsoft System Center Operations Manager (SCOM) is a leading platform for performance monitoring and management of Microsoft applications (such as Active Directory, Microsoft SQL Server, Exchange Server, IIS and SharePoint). However, SCOM does not have extensive capabilities to monitor non-Microsoft systems and applications (like Citrix, SAP, Oracle, Java, Sybase, etc.), nor does SCOM have virtualization-awareness for platforms like VMware vSphere, Citrix XenServer, Red Hat Enterprise Virtualization, AIX LPARs and Solaris LDOMs, or virtual desktops (VDI).
To extend the scope of Microsoft SCOM to manage these environments, enterprises have to look at multiple third party products that provide individual management packs, one for each specific non-Microsoft platform. This traditional "multi-pack approach" creates complexity and only provides a fragmented view of the IT infrastructure. This approach leads to slow problem isolation and diagnosis, and often results in poor user experience and loss of user productivity.
Join performance monitoring expert Srinivas Ramanathan (CEO, eG Innovations) to learn about eG Enterprise for SCOM, a new universal management pack that fills this gap and provides a single, integrated solution with SCOM to address the performance management needs of today's enterprises. This webinar presentation will show you how to:
• Monitor and troubleshoot the entire IT service infrastructure end to end from the SCOM console
• Monitor applications and platforms not natively supported by System Center Operations Manager
• Instantly diagnose and get actionable insight into IT service health and performance
• Provide automatic, rapid root cause diagnosis for even the most complex performance problems
• Receive proactive problem detection and alerting before users call
• Maximize the return on your investment in System Center Operations Manager
Network-Ready Your Hybrid IT Environment (ENT108) | AWS re:Invent 2013Amazon Web Services
(Presented by Equinix) As IT decision makers shift their consumptionmodels to leverage more cloud services, they are faced with overcomingperformance, security and compliance limitations associated with the publicInternet as an access method. In this session, we illustrate how Equinixdelivers a unique and enhanced AWS Direct Connect global service offering thatenables secure, high-speed access with the flexible, dynamic bandwidth to meetthe needs of the evolving IT consumption trends.
When using Notes, iNotes, Sametime and Connections on either Windows or a mobile device, users are confronted with several different passwords and settings they have to enter. In this session I will show you how to setup and configure Notes & Domino so that users do not have to enter passwords or server settings and still get logged into Notes, Sametime and Connections when starting their Notes Client or Browser.Buzzwords for this talk are: SSO, NSL, LTPA, SAML and SPNEGO.
Administering and configuring System Center Configuration Manager 2012 R2 SP1Unitek Eduation
-Configuring and deploying SCCM 2012 R2
-Data Quering using WQL and gathering collections
-Configuring Software and Hardware Inventory, asset intelligence and software metering.
Great news for Systems Center 2012 customers. With the aim of making System Center more cloud-friendly, Microsoft has made changes to the way that the licensing model for this popular product works. What used to be an extremely complex licensing system has been made much easier for clients to understand and manage. This presentation provides a quick overview of what these key updates are and work with a Softchoice Microsoft specialist to understand your needs under this new model moving forward.
System Center 2012 R2 Configuration Manager (SCCM) with Windows IntuneAmit Gatenyo
Microsoft has a history of providing rich IT-infrastructure solutions to help manage every aspect of enterprise operations. Microsoft’s people-centric solution consists of products and technologies that can help IT departments handle the influx of consumer-oriented technology and the work style expectations of users, thereby helping increase productivity and satisfaction for the people within their organizations.
Microsoft’s people-centric IT vision helps organizations enable and embrace the consumerization of IT by:
1. Enabling your end users by allowing users to work on the device(s) of their choice and providing consistent access to corporate resources from those devices.
2. Helping protect your data by protecting corporate information and managing risk.
3. Unifying your environment by delivering comprehensive application and device management from both your existing on-premises infrastructure, including System Center Configuration Manager, Windows Server, and Active Directory, as well as cloud-based services, including Windows Intune and Windows Azure.
Let’s discuss each of these areas in more detail.
Package, Stream, Manage. Application virtualiization isolates applications to create a conflict free environment with manageability as the cornerstone to successful service delivery in large organizations. With App-V, deploy applications in seconds to thousands of computers automagically.
What's new in iNotes 9.0 Social EditionRahul A. Garg
Come see what's new in IBM iNotes 9.0 Social Edition and the cloud-based SmartCloud Notes web offering, plus hear about our plans for upcoming releases. The iNotes team has been hard at work in turning innovations around OpenSocial and end-user productivity into an experience that will make you and your organization more productive and more responsive. Come check out how these innovations have transformed iNotes and how they benefit the rest of the IBM portfolio, as well as your own projects. As always, this session will be packed with demos of the latest features and previews of future additions. If browser clients are an integral part of your collaborative infrastructure and strategy, then don't miss this session!
Licencia No-Comercial, puede utilizarse siempre y cuando se de el crédito al autor y creador original de este.
renzovargas093@gmail.com
be.net/renzovargas
Tivoli Live – Nyckelfärdig molntjänst för dina behov inom Service Desk and Mo...IBM Sverige
Presentation från IBM Smarter Business 2011. Spår: Driv effektiviteten i verksamheten.
Saknar du miljö för din ändringshantering, problemrapportering eller övervakning av din IT-miljö? Har du kanske redan vissa stödfunktioner men behöver en enhetlig lösning där du slipper hantera integrationen och uppgraderingar av miljön? Vill du bara betala för det du använder och utnyttja flexibiliteten som molnteknologin erbjuder? Med Tivoli Live som är en Software as a Service (SaaS) tjänst får du en molnbaserad lösning som låter dig växa i din egen takt utan att behöva göra stora investeringar. Låt oss visa hur du både kan ha kakan och äta den - men slippa att baka!
Talare: Olle Äng, Sales Manager, Integrated Technology Services, IBM Sverige.
Mer information på www.smarterbusiness.se
Managing IT as A Service with System CenterLai Yoong Seng
In order to be able to successfully in running IT As a Service, we need to have a complete solution that resolves around monitoring of health state of service, tracking and remediation of issues & pain points in the services and how we can automate these process to make to address this issue consistently. In this session, we will demonstrate how SCOM, Service Manager and Opalis work together to deliver an integrated monitoring and response solution across the System Center Suite.
Vskills certified enterprise applications integration specialist with micros...Vskills
The sample material for biztalk covers the following topics mentioned.
CHAPTER 1: Introduction & Installation
Introduction
Installation
Hardware Requirements
Software Requirements
Installing Visual Studio 2005
Install BizTalk Server 2006
Configuring BizTalk Server
Get more details on the below link: http://www.vskills.in/certification/information-technology/Certified-BizTalk-Professional
At Agile IT, we've been leading the trend in moving customers to the Microsoft Cloud. Along that roadmap is the need to secure and manage the devices that will access that data. The Microsoft Enterprise Mobility Suite (EMS) focuses on managing both the data that's accessible from the cloud as well as the devices that access it. In this webinar, we introduce you to EMS and focus on how cloud technologies work together to deliver a seamless solution for protecting your data.
The accompanying recording of the webinar can be found at https://youtu.be/NOWFI4xl-dM.
Learn about IBM Flex System: A Solid Foundation for Microsoft Exchange Server 2010. IBM builds, tests, and publishes reference configurations and performance metrics to provide clients with guidelines for sizing their Microsoft Exchange Server 2010 environments. This document highlights the IBM Flex System x240 Compute Node and IBM Flex System V7000 Storage Node and how they can be used as the foundation for your Exchange 2010 infrastructure. For more information on Pure Systems, visit http://ibm.co/J7Zb1v.
Visit http://on.fb.me/LT4gdu to 'Like' the official Facebook page of IBM India Smarter Computing.
The Workday Integration Cloud Platform is a proven, enterprise-class Integration Platform-as-a-Service (iPaaS) that enables customers and partners to build integrations to and from Workday and deploy and manage them in the Workday Cloud. http://www.workday.com/solutions/technology/integration_cloud/integration_cloud_platform.php
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
2. Planning the migration
This document should be consulted as part of the first stage of migration planning. It is
important to note that with Tivoli Access Manager for Enterprise Single Sign-On, there may
be multiple phases due to organizational, infrastructure, or business demands, and therefore,
it may be helpful to revisit these guidelines several times throughout the deployment.
Overview of the deployment architecture
A typical Tivoli Access Manager for Enterprise Single Sign-On deployment involves several
components. An overview of the basic architecture is shown in Figure 1.
Figure 1 Deployment architecture
IMS servers
The Integrated Management System (IMS) server provides administrative, reporting, help
desk, and password reset functionality, as well as being the repository for user data.
AccessAdmin and AccessAssistant are the tools used to provide management and
reporting capability. The infrastructure to communicate and manage the AccessAgents
(Clients) is also managed through the IMS Server.
IMS database
The IMS server requires a database to store configuration data, policy data, user data,
application profiles, and audit logs. Tivoli Access Manager for Enterprise Single Sign-On
currently supports Oracle, Microsoft® SQL, and IBM DB2® database servers.
AccessAgent
The client component is installed on all systems that require single sign-on (SSO)
functionality. AccessAgent can be installed on individual Windows® clients, as well as
Microsoft Terminal Services and Citrix MetaFrame/Xen systems.
AccessStudio
AccessStudio is a software tool designed for Tivoli Access Manager for Enterprise Single
Sign-On administrators to profile applications.
2 IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0: Migration Guide for Encentuate 3.4 and 3.5
3. The following components are not part of the Tivoli Access Manager for Enterprise Single
Sign-On product, but they represent infrastructure components that may or may not be
present in the environment.
Identity directory
Typically an Active Directory or LDAP environment is used by Tivoli Access Manager for
Enterprise Single Sign-On to validate users during the registration process for SSO
services. Additionally, in the case of using Active Directory, Tivoli Access Manager for
Enterprise Single Sign-On can also provide self-service password reset services.
Load balancing/high availability for IMS and database services
While Tivoli Access Manager for Enterprise Single Sign-On is a client/server architecture,
the solution is not dependent on having network connectivity between the AccessAgent
and the IMS Server to ensure a functional SSO experience for the users. In fact, given the
mobility of laptops and the typical movement of users between office and home, it is
typical that the AccessAgent is not in contact with the IMS server.
IMS servers can be clustered for load balancing and high availability. A separate
session-aware load balancer must be used to channel traffic into an IMS Server cluster.
Database servers can be clustered for load balancing and high availability using the
individual manufacturer’s technology.
Figure 1 on page 2 also depicts the communication protocols used by Tivoli Access Manager
for Enterprise Single Sign-On. Client communication over unsecured HTTP is only used
during installation; SSL encrypted communication is used for all production traffic.
To find out more about the Tivoli Access Manager for Enterprise Single Sign-On components
read the IBM Redbooks® publication Deployment Guide Series: IBM Tivoli Access Manager
for Enterprise Single Sign-On 8.0, SG24-7350.
Overview of the upgrade
An upgrade from v3.4 to v8.0 is a two step server upgrade, requiring you to first upgrade the
IMS server to v3.5, and subsequently to v8.0. The AccessAgents, however, can be directly
upgraded to v8.0.
Since IMS servers are designed to be backward compatible with AccessAgents, it is possible
for us to perform a gradual upgrade of the AccessAgents from v3.4 to v8.0, once we have
completed the server upgrade from v3.4 to v.3.5 and subsequently to v8.0.
Upgrade from v3.4 to v3.5
It is important to understand the major architectural and configuration differences between the
two versions before performing the upgrade from v3.4 to v3.5.
Differences between v3.4 and v3.5
One of the primary differences in the architectures between Encentuate v3.4 and v3.5 is the
support for multiple domains. Encentuate v3.4 had been designed to work only with a single
domain, whereas v3.5 supports multiple domains.
To enable this design, a new configuration ActiveDirectory (AD) Deployment Type was
introduced. For IMS Server versions prior to 3.5.0, support for Active Directory (AD) as the
IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0 Migration Guide for Encentuate 3.4 and 3.5 3
4. enterprise directory can be configured to use AD deployment type 1 or 2. In an AD
deployment type 1 configuration, all user names must be unique, across domains and even
forests. This mode is used for backward compatibility with previous AccessAgent versions. If
user names can be duplicated across different domains, the IMS Server should be configured
to use AD deployment type 2. IMS Server versions from 3.5.0 onwards support only AD
deployment type 2 configurations.
IMS Server upgrade steps
As a first step you need to check whether the enterprise directory is configured to use the
Active Directory (LDAP) connector. If so, the enterprise directory must be changed to use the
Active Directory (ADSI) connector.
1. Launch the IMS Configuration Utility (Figure 2). By default, this is located at
http://<ims_server_url>:8080
Figure 2 The IMS v3.4 configuration utility
4 IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0: Migration Guide for Encentuate 3.4 and 3.5
5. 2. Go to Basic Settings → Enterprise Directories (Figure 3). Select the enterprise
directory you have configured for Active Directory (ENCActiveDirectory) and click Update
directory.
Figure 3 The Enterprise Directories drop down menu
3. In the next panel scroll down to the Application Connector Configuration section and check
whether the connector is Active Directory (ADSI) Connector or the Active Directory
(LDAP) Connector. If it is the latter, click the Delete Connector button and then proceed
to configure an Active Directory (ADSI) Connector instead. The red frame in Figure 4 on
page 6 shows that the Active Directory (ADSI) Connector is configured.
IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0 Migration Guide for Encentuate 3.4 and 3.5 5
6. Figure 4 Viewing the existing Application Connector configuration
4. You can now begin the migration to v3.5. Run the IMS installer v3.5 and proceed to the
Select Installation Type dialog. Select Upgrade and click Next.
Figure 5 Choosing the Upgrade option in the v3.5 IMS installer
When proceeding with the update installer make sure to select the correct previous
installation folder and the new installation folder and finish the upgrade process.
Once the upgrade is complete, the AD deployment type has been automatically changed
to type 2 and the users have been migrated as well.
6 IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0: Migration Guide for Encentuate 3.4 and 3.5
7. 5. The IMS Server Configuration utility will be automatically launched as shown in Figure 6.
Figure 6 The v3.5 IMS Server Configuration utility
6. Go to Basic settings → Enterprise directories, select the enterprise directory you have
configured for Active Directory, and click Update directory as shown in Figure 7.
Figure 7 The v3.5 Enterprise Directories list
IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0 Migration Guide for Encentuate 3.4 and 3.5 7
8. 7. In the next panel scroll down to “Application connector configuration.” In the “Basic
configuration keys” section select DNS for the domain type to be shown in AccessAgent, as
shown in Figure 8. Scroll all the way to the end of the dialog and click Save and Test.
Figure 8 Changing the domain type display in the AccessAgent
8. Close the IMS Server Configuration utility.
8 IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0: Migration Guide for Encentuate 3.4 and 3.5
9. 9. Stop the IMS Server by clicking Start → All Programs → Encentuate IMS Server →
Stop IMSService (Figure 9).
Figure 9 Stopping the IMS Service
10.Start the IMS Server by clicking Start → All Programs → Encentuate IMS Server →
Start IMSService.
11.Note that the DNS domain (for example, tci.encentuate.com) instead of the NetBIOS
domain (for example, tci) will now be shown in the AccessAgent logon prompt, as shown in
Figure 10.
Figure 10 The AccessAgent login prompt with the DNS domain name
If you would like to switch back to using a NetBIOS domain, the IMS Server must be upgraded
to version 3.5.1 or later, and AccessAgent on all machines must be upgraded to version 3.5.2
or later.
IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0 Migration Guide for Encentuate 3.4 and 3.5 9
10. Once that is done, you can switch back to using the NetBIOS domain by performing the
following steps:
1. Launch the IMS Server Configuration utility.
2. Go to Basic settings → Enterprise directories.
3. Select the enterprise directory you have configured for Active Directory and click Update
directory.
4. In the next panel scroll down to the “Application connector configuration.” In the “Basic
configuration keys” section select NetBIOS for the domain type to be shown in
AccessAgent. Scroll all the way to the end of the dialog and click Save and Test.
5. Close the IMS Server Configuration utility.
6. Stop the IMS Server by clicking Start → All Programs → Encentuate IMS Server →
Stop IMSService.
7. Start the IMS Server by clicking Start → All Programs → Encentuate IMS Server →
Start IMSService.
Using AccessAgent version 3.4 with the new IMS
Once the new IMS Server is installed, you should be able to log into your existing
AccessAgent version 3.4. If you encounter problems logging in, update the specific users'
authentication policies to allow password-only login. This can be done by re-applying the user
policy template to the users by performing the following steps.
1. Ensure that the user policy template allows password login to the Wallet. Start the
AccessAdmin application. To access the applicable user policy template click the specific
link in the “User Policy Templates” section in AccessAdmin; in our case that is Default.
Once Password is selected in the “Authentication Policies” section, as shown in
Figure 11, scroll all the way down and click Update.
Figure 11 Updating the User Policy Template with the correct authentication policy
10 IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0: Migration Guide for Encentuate 3.4 and 3.5
11. 2. Search for a user to whom the policy has to be reapplied. If you search for a particular
user, as shown in Figure 12, and that user has been found, you will immediately be
presented with the user profile page. If you search with a wildcard you may see a list of
users. Once you select a particular user you will be presented with the user profile page.
Figure 12 Searching for a user who is not able to successfully login
IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0 Migration Guide for Encentuate 3.4 and 3.5 11
12. 3. Scroll down to the bottom of the user profile page, select the appropriate user policy
template, in our case Default, and click Update (Figure 13).
Figure 13 Updating a user with a new (or existing updated) user policy template
4. To achieve the same results for a larger number of users, rather than an individual user,
search for the users in AccessAdmin, as shown in Figure 14.
Figure 14 Searching for multiple users
12 IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0: Migration Guide for Encentuate 3.4 and 3.5
13. 5. In the “users found” list that is displayed in Figure 15, select the users you want to apply
the policy template to. Select the policy template in the drop-down menu, and click Apply
to selected results.
Figure 15 Updating a list of users with a new (or existing updated) user policy template
Using AccessAgent versions prior to 3.3.2.6
AccessAgent versions prior to 3.3.2.6 do not properly support AD deployment type 2 when
AD password synchronization is used. In AD deployment type 1, a user can log on to
AccessAgent only with the AD attribute SAMAccountName as the user name. In AD
deployment type 2, a user can log on to AccessAgent with a different logon name, for
example, UPN as the user name. The latter is not fully supported in AccessAgent versions
prior to 3.3.2.6. Hence, users, except those who use RFID as a second factor authenticator,
should continue to log on to AccessAgent only with SAMAccountName as the user name in
AD deployment type 2.
Note: When a user logs on to AccessAgent, the username and password provided is used
to save account data in the user’s Wallet. This account data is used for SSO with
applications that authenticate with AD. In AccessAgent versions prior to 3.3.2.6, account
data with different user names is saved if a user logs on to AccessAgent with a different
logon name. Other than confusing the user, the multiple account data can go out of sync
when the user changes his AD or Encentuate password.
If RFID is being used as a second factor authenticator and all the applications that
authenticate with AD accept [domain][SAMAccountName] as the user name, the following
measures should be taken before upgrading the IMS server:
1. Before upgrading to deployment type 2, replace [dbowner] and [Authentication service
ID linked to enterprise directory] accordingly and run the SQL script in Example 1
against the IMS Server database.
IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0 Migration Guide for Encentuate 3.4 and 3.5 13
14. Example 1 SQL upgrade script
UPDATE [dbowner].IMSTemplatedSyncRepo
SET isDeleted = 1, updateTimeStamp = GETDATE()
WHERE (attrName = 'account_data') AND (entityTypeID = 'scp_user') AND (keyValue
LIKE '%>' + '[Authentication service ID linked to enterprise directory]' +
'<%>' +
(SELECT attrValue
FROM [dbowner].IMSIdentityUniqueAttribute B
WHERE entityID = B.imsID AND attrName = 'Enterprise Login') + '<%')
You might need to run the SQL script more than once if multiple authentication services
are linked to the enterprise directory.
Figure 16 shows an example when using SQL Server as the IMS database.
Figure 16 SQL Server Enterprise Manager SQL Query Analyzer
Note: This SQL script deletes account data used to synchronize with Encentuate
passwords for all users by setting the isDeleted flag to 1 and updating the
updateTimeStamp.
14 IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0: Migration Guide for Encentuate 3.4 and 3.5
15. 2. Use the XML editor in AccessStudio to add the attribute wnd_should_be_enabled="0" to all
wnd_xpath_combo_box_indirect_auth_info nodes in the sso_site_gina_winlogon
AccessProfile as shown in Figure 17. Upload the AccessProfile to IMS Server.
Figure 17 Modifying XML related to the Windows Logon AccessProfile
After upgrading the IMS server, all users who are using RFID as a second factor should only
log on to AccessAgent using [domain][SAM Account Name] as the user name, as shown in
Figure 18.
Figure 18 Logging in to AccessAgent with the new user name format
IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0 Migration Guide for Encentuate 3.4 and 3.5 15
16. Note: When users tap their RFID card before entering their password, they are effectively
logging in to AccessAgent with [domain][SAMAccountName] as the user name. This will
cause account data with the same user name to be saved in the Wallet.
If RFID is being used as a second factor authenticator, but at least one application that
authenticates with AD does not accept [domain][SAMAccountName] as the user name, it is
best to enforce no changing of AD and Encentuate passwords until all AccessAgent clients
have been upgraded. After all AccessAgent clients have been upgraded, replace [dbowner]
and [Authentication service ID linked to enterprise directory] accordingly and run
the SQL script shown in Example 2 against the IMS Server database.
Example 2 SQL update script
UPDATE [dbowner].IMSTemplatedSyncRepo
SET isDeleted = 1, updateTimeStamp = GETDATE()
WHERE (attrName = 'account_data') AND (entityTypeID = 'scp_user') AND (keyValue
LIKE '%>' + '[Authentication service ID linked to enterprise directory]' + '<%>' +
(SELECT attrValue
FROM [dbowner].IMSIdentityUniqueAttribute B
WHERE entityID = B.imsID AND attrName = 'Enterprise Login') + '<%')
You might need to run the SQL script more than once if multiple authentication services are
linked to the enterprise directory.
Note: This SQL script deletes duplicate account data used to synchronize with the
Encentuate password for all users by setting the isDeleted flag to 1 and updating the
updateTimeStamp.
Upgrade from v3.5 to v8.0
Before performing an upgrade from v3.5 to v8.0, it is important to understand the differences
between the two. The next section provides an explanation of these differences.
Differences between v3.5 and v3.6/v8.0
Tivoli Access Manager for Enterprise Single Sign-On v8.0 was the first version release after
Encentuate was acquired by IBM. Major architectural changes were introduced in v3.6 that
have since then been incorporated in all subsequent Tivoli Access Manager for Enterprise
Single Sign-On versions. Due to the relative similarity in the architectures, the steps to
upgrade from v3.4 to v8.0 are practically identical to the steps needed to upgrade from v3.4 to
v3.6.
This section discusses the loss of Citrix-related functionality as well as the Machine Policy
Templates (MPTs) that were introduced in v3.6.
Citrix functionality
In v8.0, there has been a significant change in the Citrix functionality of the AccessAgents.
Prior to v8.0, the local AccessAgent installed on the user’s local PC could communicate with
the AccessAgent installed on the Citrix Server. In v8.0, this communication, which is
facilitated through the Citrix Virtual Channel, is no longer available by default. If you do require
16 IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0: Migration Guide for Encentuate 3.4 and 3.5
17. this functionality, additional services are needed to implement the virtual channel functionality
on-site.
The reduced Citrix functionality and corresponding workarounds are summarized in the
following paragraphs to help you determine how critical this functionality is for you:
A second manual logon to AccessAgent on the Citrix Server is required if the Tivoli Access
Manager for Enterprise Single Sign-On Network Provider is not enabled.
– Workaround 1: If AD password synchronization is disabled, caching of Encentuate
logon credentials on the Citrix Server should be enabled by setting
pid_ts_logon_cache_enabled to 1.
However, a user still has to manually log on to AccessAgent for the first time, and
subsequently every time he changes the Tivoli Access Manager for Enterprise Single
Sign-On password.
– Workaround 2: If AD password synchronization is enabled, the Tivoli Access Manager
for Enterprise Single Sign-On Network Provider should be enabled by setting
pid_en_network_provider_enabled to 1 so that the Windows credentials will be used to
log on to AccessAgent.
There will be no immediate synchronization between a local AccessAgent on a user’s PC
and a remote AccessAgent on the Citrix Server.
– There is no workaround for this situation.
If you disable automatic sign-on on the local AccessAgent, the remote AccessAgent’s
automatic sign-on functionality will not be disabled automatically.
– There is no workaround for this situation.
Remote AccessAgent will not be informed when the user logs out of the local
AccessAgent or locks the computer. This would mean that in Shared Desktop User switch
scenarios, the remote AccessAgent will not log off from the user's Citrix session even if the
local AccessAgent logs off from the user's session.
– Workaround: The AccessProfile for Citrix ICA client (wfica32.exe) must be able to
close the Citrix client (or graceful logoff) to make sure the remote session also ends.
For situations where users lock the computer, AccessAgent lock scripts can be used.
AccessAgent on the Citrix Server icon cannot show a different menu based on whether
the user is logged into the server via a Citrix session or directly.
If a user is logged in to both local and remote AccessAgent, two AccessAgent icons are
displayed in the system tray. Currently, the remote AccessAgent will not have the same
right-click menu options as the local AccessAgent if pid_ts_aa_menu_option is set to 1.
Without ICA channel support, remote AccessAgent does not know whether local
AccessAgent exists, and thus will always display the full menu. The user will, however, be
able to distinguish between the two AccessAgent icons because the mouse-over text of
the remote AccessAgent icon indicates TAM E-SSO AccessAgent on xxx server.
– There is no workaround for this situation.
User is not logged off from Remote AccessAgent when a thin client session is
reconnected.
If RFID is used for two-factor authentication on thin clients, the Citrix session is a generic
machine-specific session to each thin client. This session may be disconnected at times if
the network connection is poor. In that case, the thin client may automatically reconnect
back to the previous session when the network is available again. The previously open
desktop may then show up on the screen. Since the remote AccessAgent does not know
whether this is a thin client scenario, it will not automatically perform logoff.
– There is no workaround for this situation.
IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0 Migration Guide for Encentuate 3.4 and 3.5 17
18. Cannot disable launching of remote AccessAgent even when local AccessAgent is not
present.
Currently, the launching of remote AccessAgent while a published application is launched
through Terminal Server can be disabled if local AccessAgent is not present by setting
pid_ts_start_aa_no_local_aa_enabled to 0. Without ICA channel support, remote
AccessAgent does not know whether local AccessAgent exists, and thus, will always be
launched.
– There is no workaround for this situation.
Machine policy templates
In IMS Server version 3.5 the concept of machine policies was non-existent on the server. As
illustrated in Figure 19, all the machine policies were stored in the Windows registry of the
client machine as registry settings under the hive:
HKEY_LOCAL_MACHINESoftwareEncentuateDeploymentOptions
Figure 19 Registry location of the Machine Policy Templates in pre-v3.6 versions
These registry settings controlled the behavior of the machine, examples of which are:
Desktop inactivity timeout
Second factor used to strengthen access to the machine
Type of workstation (Shared or Personal)
Type of desktop for Shared machines (Private or Shared)
These registry settings were distributed along with the AccessAgent installation package. The
package consisted of a folder called Reg, which would contain a registry file called
DeploymentOptions.reg, which would be responsible for configuring the machine with the
correct registry settings.
18 IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0: Migration Guide for Encentuate 3.4 and 3.5
19. In IMS version 3.6 and later, a new scope of policies applicable to machines in an enterprise
has been introduced on the IMS Server. These machine policies can be configured via
AccessAdmin. As with policies in other scopes, changes in these policies are propagated to
clients the next time AccessAgent synchronizes with the IMS Server (for example, usually
every 30 minutes).
IMS applies machine policies to machines after they join the IMS Server, they are then
automatically synchronized with AccessAgent. There can be several machine policy
templates defined in IMS. One of these templates is set as default. Through AccessAdmin,
machine policies can be modified by an administrator. However, a help desk officer can only
view machine policies.
Machine policy templates assignment
A machine policy template refers to a set of policies that govern the behavior of the machine.
In any enterprise, there are bound to be machines that serve as personal workstations,
shared workstations, and so on, access to which might have to be strengthened using a
second factor authenticator like RFID, biometrics, and so on. Since there are different
requirements from different machines, the IMS permits you to create several machine policy
templates.
Since there are multiple templates, there has to be a definite way of assigning a specific
template to a machine. The IMS AccessAdmin provides you with the ability to specify this
assignment based on several attributes of the machine, such as:
AccessAgent version
IP Address
Hostname
Active Directory Group
Machine Group Tag
Drivers for choosing a specific template assignment criterion
Machine policy template criteria can be mixed and matched using the any or and operators.
The typical drivers for choosing specific criteria are explained in the following paragraphs.
Assignment based on AccessAgent versions
Machine policies are specified on the IMS, but interpreted and enforced by the AccessAgent.
A deployment might have several versions of AccessAgents. Consequently, it might be
possible for a newer version of the IMS to specify a policy that cannot be interpreted and
enforced by an older version of the AccessAgent. In cases such as these, we would choose
the policy template with the new policy to be assigned only if the AccessAgent version
matches a specific one.
Assignment based on hostnames
Some organizations use hostnames to enforce and identify the function of a machine. For
instance, an organization may specify all their Citrix Servers to begin with the string ctx-, and
their shared workstations to begin with shared-. In deployments such as these, assignments
based on hostnames would be recommended. A caveat to note here is that if the hostname of
the PC is changed (resulting in a new template assignment), the template assigned to it
would have to be changed manually.
Assignment based on IP addresses
While this has not been widely seen, some organizations have a functional requirement of
managing machines based on their IP subnets. In such cases, managing the machine policy
templates is also a function that needs to be implemented at the subnet level. This would be
the typical situation where you would need to assign templates based on IP addresses. A
IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0 Migration Guide for Encentuate 3.4 and 3.5 19
20. caveat to note here is that if the IP address of the machine changes (resulting in a new
template assignment), the template assigned to it would have to be changed manually.
Assignment based on Active Directory groups
This would be the recommended best practice for machine policy template assignment. The
basic driver for this type is centralized Active Directory enforced templates. Most
organizations typically have machines organized into groups already, or have them stored in
organizational units in the Active Directory. This mechanism makes use of this infrastructure
to implement the assignments. Note that if the machine's group is changed (resulting in a new
template assignment), the machine policy template assigned to it does not change
automatically. Either the machine must be deleted from the IMS via AccessAdmin, or the new
template must be explicitly assigned to it. On synchronization, the template will come into
effect on the local AccessAgent.
Assignment based on Machine Group Tag
In deployments without Active Directory and without the infrastructure to manage computers
centrally, an organization can use the Machine Group Tag to assign policies. This tag
essentially is a registry setting called MachineTag that the AccessAgent uses to resolve what
policy template to download from the IMS Server. As with the other assignments, templates
assigned to a machine will not be updated dynamically if this registry setting is changed. The
organization would need to delete the machine from the IMS Server and re-synchronize.
For detailed information on how to specify the machine policy template assignments, refer to
the section “Applying policy templates to machines” under “Policy template management” in
the Administrator Guide. You can access this information through the Tivoli Access Manager
for Enterprise Single Sign-On, Version 8.0.1 Information Center at the following Web location:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itamesso.doc/
concepts/Policies_Templates_Applying_Machines.html
Upgrade steps from Version 3.5 to 3.6/8.0
The IMS Servers are always designed to be backward compatible. This typically means that a
current IMS Server has the ability to work with the current version of AccessAgent, and also
with older versions of the AccessAgents.
Consequently, this architecture necessitates a specific sequence of upgrades for the
components, with the IMS Server being the first to be upgraded.
The steps involved in upgrading the deployment are the following:
Back up the existing setup.
Upgrade the IMS Server to v8.0.
Upgrade the AccessAgents in the deployment to v8.0 (incrementally).
Back up the existing setup
The IMS server is a typical application server with a database tier. As with other such
systems, a backup essentially involves two activities:
Backup of the database
Backup of the application server's configuration
Database backup
A complete backup of the database is recommended before proceeding. This ensures that
the data and configurations are not lost in the event of an unexpected malfunction.
20 IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0: Migration Guide for Encentuate 3.4 and 3.5
21. For MS SQL server, it is recommended that you store the MDF (data) and LDF (transaction
log) files to the backup folder, in addition to taking a standard SQL backup. The SQL files by
default are stored in:
C:Program FilesMicrosoft SQL ServerMSSQLData
IMS Server configuration backup
The IMS configuration files are located in the IMS installation folder under:
$IMS INSTALL DIR$imsconfig
This entire folder has to be backed up. This includes several files critical to the installation.
Upgrading the IMS Server
Due to the introduction of the machine policy template (MPT) the upgrade from v3.5 to v8.0
involves, in addition to the typical installer-based upgrade, the creation and assignment of the
MPTs. The following sections provide the pertinent details.
Executing the IMS installer to upgrade
The first step is to use the IMS Server v8.0 installer to upgrade the server. Typically, this
involves going through the usual steps required to upgrade the IMS from an older version to a
newer version. For details on these steps, refer to the Tivoli Access Manager for Enterprise
Single Sign-On Information Center Administrator Guide.
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itamesso.doc/
tasks/IMS_Installation_Upgrading_existing_IMSServer_installation.html
Creation of machine policy templates
Before version 3.6, the machine policies were stored in the Windows registry at this location:
HKEY_LOCAL_MACHINESoftwareEncentuateDeploymentOptions
The values defined in this registry hive would define the behavior of the machine and classify
it as a personal workstation, shared workstation (shared or private desktop), Citrix
workstation, and so on, along with the policies related to the second factors the PC would
support.
Since these machine policy templates are now defined on the server, you need to translate
these registry settings (policies) to their equivalents on the IMS Server AccessAdmin. You
have to create a machine policy template for each type of workstation used in the deployment.
For guidance on translating the registry settings to their policy equivalents on the IMS Server
refer to “Definitions of Policies” in the Tivoli Access Manager for Enterprise Single Sign-On
Information Center Administrator Guide.
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itamesso.doc/
common/policies_definitions.html
Once the registry settings have been translated, the machine policy templates must be
created. For details on the creation of these templates, refer to the Tivoli Access Manager for
Enterprise Single Sign-On Information Center Administrator Guide. The section “Policy
Template Management” explains how to create a new machine policy template.
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itamesso.doc/
references/Policies_Templates_Management.html
Assignment of machine policy templates
Along with the creation of these templates, you also need to specify the assignment criteria.
Depending upon the assignment criteria chosen, changes in the existing IT infrastructure
might be needed.
IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0 Migration Guide for Encentuate 3.4 and 3.5 21
22. Upgrading the AccessAgents
After the server has been upgraded and the machine policy templates with their assignments
created, the AccessAgents can be incrementally upgraded according to the deployment
upgrade plan.
The details of upgrading (installation) of the new AccessAgents can be found in the Tivoli
Access Manager for Enterprise Single Sign-On Information Center Administrator Guide in the
section “AccessAgent Installation”. This section provides details on manual as well as push
installations that can leverage your existing software distribution infrastructure.
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itamesso.doc/
references/AA_Installation_intro.html
Summary
While this document presents the details of a standard v3.4 to v8.0 upgrade, it is important to
keep in mind that certain environments may or may not have customizations in place that can
be affected by this upgrade. As a consequence, the significance of planning for the upgrade
and backing up the existing environment cannot be overstated.
A typical recommendation would be to have at least one test or development environment.
This test environment should be an accurate reflection of the production environment and
should take into account, to a reasonable extent, the database size, server hardware, PC
configuration (antivirus, and so on) and other variables.
The team who wrote this paper
This paper was produced by a team of specialists from around the world working at the
International Technical Support Organization, Austin Center.
Axel Buecker is a Certified Consulting Software IT Specialist at the International Technical
Support Organization, Austin Center. He writes extensively and teaches IBM classes
worldwide on areas of Software Security Architecture and Network Computing Technologies.
He holds a degree in Computer Science from the University of Bremen, Germany. He has 23
years of experience in a variety of areas related to Workstation and Systems Management,
Network Computing, and e-business Solutions. Before joining the ITSO in March 2000, Axel
worked for IBM in Germany as a Senior IT Specialist in Software Security Architecture.
Archit Lohokare is a Managing Consultant with the IBM Tivoli SoftWare Advanced
Technology (SWAT) organization. At IBM, he provides technical sales expertise to drive the
adoption of IBM Tivoli Solutions in customer engagements worldwide and also partners with
IBM sales, IBM business partners, and consulting teams on complex and strategic business
opportunities in the identity and access management space. Archit holds a B.Eng degree
from Nanyang Technological University, Singapore. Prior to joining IBM, he worked for
Encentuate, Inc., which was acquired by IBM in March 2008.
Thanks to the following people for their contributions to this project:
Alison Chandler
International Technical Support Organization, Poughkeepsie Center
Linda Chang, Chiang Kai Er, James Keenan, Chee Meng Low
IBM
22 IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0: Migration Guide for Encentuate 3.4 and 3.5
24. This document REDP-4615-00 was created or updated on December 17, 2009.
Send us your comments in one of the following ways: ®
Use the online Contact us review Redbooks form found at:
ibm.com/redbooks
Send your comments in an email to:
redbooks@us.ibm.com
Mail your comments to:
IBM Corporation, International Technical Support Organization
Dept. HYTD Mail Station P099
2455 South Road
Poughkeepsie, NY 12601-5400 U.S.A. Redpaper ™
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines
Corporation in the United States, other countries, or both. These and other IBM trademarked terms are
marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US
registered or common law trademarks owned by IBM at the time this information was published. Such
trademarks may also be registered or common law trademarks in other countries. A current list of IBM
trademarks is available on the Web at http://www.ibm.com/legal/copytrade.shtml
The following terms are trademarks of the International Business Machines Corporation in the United States,
other countries, or both:
DB2® Redbooks® Tivoli®
IBM® Redpaper™
IMS™ Redbooks (logo) ®
The following terms are trademarks of other companies:
Oracle, JD Edwards, PeopleSoft, Siebel, and TopLink are registered trademarks of Oracle Corporation and/or
its affiliates.
Microsoft, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States,
other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
24 IBM Tivoli Access Manager for Enterprise Single Sign-On v8.0: Migration Guide for Encentuate 3.4 and 3.5