
IBM Professional Certification Program


Test C2150-038: IBM Tivoli Identity Manager V5.1 Fundamentals


Note: This test will be withdrawn on Jun 30 2014.
The replacement test is: (C2150-197) IBM Security Identity Manager V6.0 Implementation


Section 1 - IBM Tivoli Identity Manager Architecture and Requirements Gathering


  1. Given an understanding of IBM Tivoli Identity Manager (ITIM) V5.1, summarize the various components that make up ITIM, so that these components have been reviewed.
    With emphasis on performing the following tasks:

    1. Database server products: ITIM stores transactional and historical data in a database server, a relational database that maintains the current and historical states of data.

    2. Directory server products: ITIM stores the current state of the managed identities in an LDAP directory, including user account and organizational data.

    3. IBM Tivoli Directory Integrator: IBM Tivoli Directory Integrator synchronizes identity data residing in different directories, databases, and applications. It synchronizes and manages information exchanges between applications or directory sources.

    4. WebSphere® Application Server: WebSphere Application Server is the primary component of the WebSphere environment. It runs a Java™ virtual machine, providing the runtime environment for the application code. The Application Server provides communication security, logging, messaging, and Web services.

    5. HTTP server and WebSphere Web Server plug-in: An HTTP server provides administration of ITIM through a client interface in a Web browser. ITIM requires the installation of a WebSphere Web Server plug-in with the HTTP server. The WebSphere Application Server installation program can separately install both the IBM HTTP Server and the WebSphere Web Server plug-in.

    6. ITIM Adapters: An adapter is a software component that provides an interface between a managed resource and ITIM. An adapter functions as a trusted virtual administrator for the managed resource, performing such tasks as creating accounts, suspending accounts, and other functions that administrators typically perform.

  2. Given an understanding of ITIM, discuss the middleware products that are supported for ITIM V5.1, so that the supported middleware environment and configuration utilities have been defined.
    With emphasis on performing the following tasks:

    1. Database Support

      1. DB2 9.1 FP 2

      2. Oracle 10g

      3. Microsoft SQL Server 2005

    2. Directory Server Support

      1. IBM Tivoli Directory Server (ITDS) V6.1

      2. Sun ONE Directory Server V5.2

    3. WebSphere Application Server

      1. Single server

      2. Network deployment

    4. Tivoli Directory Integrator V6.1.1

    5. The middleware configuration utility eliminates the manual configuration steps that are otherwise necessary prior to installing ITIM V5.1. It supports only IBM middleware (DB2 and ITDS).

    6. The ITIM V5.1 middleware configuration utility performs these steps:

      1. Create user accounts for DB2 and ITDS.

      2. Create and configure the DB2 instance for the ITIM V5.1 database and the LDAP database.

      3. Install the ITDS referential integrity plug-in.

      4. Create the LDAP suffix.

      5. Tune the ITIM DB2 and LDAP databases.

    7. Run the middleware configuration utility to set DB2 parameters for later ITIM deployment. The middleware configuration utility:

      1. Create user IDs if needed.

      2. Create DB2 instances if needed.

      3. Create databases if needed.

      4. Tune DB2 (buffer pool, log tuning).

      5. Configure some DB2 settings (DB2ENVLIST=EXTSHM, DB2COMM=tcpip).

  3. Given knowledge of ITIM, describe the hardware and software requirements for ITIM so that the installation hardware and software requirements have been described.
    With emphasis on performing the following tasks:

    1. Hardware Requirements

      1. System memory: minimum 2 GB of RAM; 4 GB of RAM recommended.

      2. Processor speed: minimum a single 2.0 gigahertz Intel or pSeries® processor; dual 3.2 gigahertz Intel or pSeries processors recommended.

      3. Required disk space for the product and other prerequisite products: minimum 20 GB; 25 GB recommended.

    2. Software Requirements

      1. ITIM requires:

        1. IBM JRE version 1.5 SR9.

        2. WebSphere Application Server Version 6.1 with FP 23 and WebSphere Application Server Version 7.0 with FP 5 are supported with ITIM.

        3. IBM DB2 Enterprise Version 9.1 with FP 4, V9.5 with FP 3B and V9.7 are supported with ITIM.

        4. Microsoft SQL Server 2005 Enterprise Edition is supported on Windows 2003 and Windows 2008 for ITIM configuration.

        5. Oracle 10g Release 2 and Oracle 11g Release 1 are supported with ITIM.

        6. ITDS V6.1 with FP1 and FP4 and V6.2 are supported with ITIM.

        7. IBM Tivoli Directory Integrator Version 6.1.1, V6.1.2 and V7.0 are supported with ITIM.

        8. Tivoli Common Reporting Server, Version 1.2.0.1 with FP 2, is supported with ITIM.

  4. Given knowledge of ITIM, perform requirements gathering based upon the target environment, so that the requirements have been gathered.
    With emphasis on performing the following tasks:

    1. Requirements gathering for ITIM goes through several phases that answer questions such as:

      1. What will be the hardware and software requirements for the ITIM implementation?

      2. How can ITIM centralize and streamline the provisioning of resources in a secure environment?

      3. How should the environment be prepared so that ITIM can be used in an efficient and cost-effective manner?

      4. What will be the enterprise directory?

      5. How many users need to be integrated for identity management, and, from a security perspective, must communications be SSL based?

      6. What are the existing provisioning processes that ITIM will automate?

      7. What kinds of applications will be integrated with ITIM, so that the adapters to be used during the ITIM implementation can be finalized?

    2. Determine effective ways to centralize user access to disparate resources in an organization and implement additional policies and features that streamline operations associated with user-resource access.

  5. Given knowledge of ITIM, explain the high level process around enterprise security identity, access and compliance management, so that enterprise security requirements have been explained.
    With emphasis on performing the following tasks:

    1. In a security lifecycle, ITIM and several other products provide access management that enables you to determine who can enter your protected systems, what they can access, and how to ensure that users access only what they need for their business tasks.

    2. Access management addresses three questions from the business point of view:

      1. Who can come into my systems?

      2. What can they do?

      3. Can I easily prove what they've done with that access?

    3. ITIM provides a secure, automated and policy-based user management solution that helps effectively manage user identities throughout their lifecycle across both legacy and e-business environments. ITIM provides centralized user access to disparate resources in an organization, by using policies and features that streamline operations associated with user-resource access.

    4. For an Identity Management implementation, the following areas need to be defined:

      1. User management procedures: the procedures for managing users, who manages users, and what is required of the solution for managing users.

      2. Password management procedures: the procedures for managing account passwords, who manages passwords, and what is required of the solution for managing passwords.

      3. Access control management procedures: the procedures for managing access control, who manages access control definition, and what is required of the solution for managing access control.

      4. Security policy: What the corporate security policy defines for users, accounts, passwords, and access control.

      5. Target systems: the current system environment (including operating systems, databases, applications, the network, firewalls, physical location, and access control) and the system requirements of the solution.

      6. Interfaces: the interfaces to the current Identity Management mechanisms and procedures and the integration requirements of the solution.

  6. Given knowledge of ITIM, explain the high-level process around an ITIM implementation, so that the ITIM implementation is described.
    With emphasis on performing the following tasks:

    1. Explain the sequence of steps involved in ITIM implementation.

    2. Describe various steps involved in ITIM implementation starting from middleware installation to the ITIM application and adapter install.

    3. Describe the various utilities available for ITIM implementation.

    4. Explain various stages of ITIM implementation starting with requirement gathering, planning to actual implementation.

  7. Given knowledge regarding ITIM, explain the high-level process around an ITIM migration, so that the ITIM migration has been described.
    With emphasis on performing the following tasks:

    1. ITIM V5.1 supports data migration among supported UNIX-based operating systems. Data residing in HP-UX environments can be migrated to any of the supported UNIX environments. Data can also be migrated between Windows operating systems. Data, however, cannot be migrated from UNIX environments to Windows environments or from Windows environments to UNIX environments. In order to perform the data migration, previous versions of ITIM must have the minimum fix packs and interim fixes installed. For ITIM V4.6, you must have at minimum interim fix (IF) 47 installed.

    2. ITIM stores the current state of managed identities in an LDAP directory, including user account and organizational data. ITIM V5.1 supports data migration from directory servers supported on ITIM V4.6 or V5.0. ITIM stores transactional and historical data in a database server. For example, the ITIM provisioning processes use a relational database to maintain their current state as well as their history. ITIM V5.1 supports data migration from most databases supported on ITIM V4.6 or V5.0.

    3. Determine whether you are doing an inline migration or a parallel migration. An inline migration involves some downtime while the migration is being completed.

      1. Install the required middleware (DB2 Universal Database, ITDS, and WebSphere Application Server, at the required release and fix pack level) and optionally run the middleware configuration utility for DB2 Universal Database and ITDS.

      2. Import the database data to the updated database server.

      3. Import the directory data to the updated directory server and re-index the directory server if necessary.

      4. Copy the ITIM V4.6 or V5.0 home directory to the server that will run ITIM V5.1.

      5. Run the ITIM V5.1 installation program.

      6. If required, upgrade adapters.

      7. Manually migrate any custom Java™ classes that you might have, for example Free EcmaScript Interpreter extensions, ibmscripts, or customized password rules.

  8. Given that a basic installation and configuration of an ITIM environment has been completed, identify the products and functions needed to make the ITIM environment secure, and confirm that they are installed and configured, so that the ITIM environment includes SSL enablement.
    With emphasis on performing the following tasks:

    1. Confirm that the GSKit product and the Java JDK have been installed as part of the ITIM installation.

    2. Confirm that a valid SSL session can be invoked from a user's browser session through a secure port to the ITIM Web Console.

      1. Confirm that either the WebSphere Application Server or the HTTP server is configured with an SSL certificate from a well-known certification authority.

    3. Confirm that a secure connection can be established between ITIM and adapters attached to back-end systems.

      1. The ITIM adapters should have SSL enablement and an SSL port published for access.

  9. Given the knowledge of ITIM, identify the appropriate organizational tree for an ITIM installation, so that the ITIM environment has been properly identified with a logical organizational tree to fit the customer's business environment.
    With emphasis on performing the following tasks:

    1. Determine the organizational tree for an ITIM installation:

      1. Determine user access privileges with different degrees of scope within the branches of an organization.

      2. For geographically dispersed organizations, allow administrative access to the system to be changed for a given region or time interval.

      3. Determine effective change control of policies, roles, groups, and other security functions that ITIM provides.

      4. Determine the scope of influence within an organization tree for ITIM policies and workflow participants such as supervisors, and administrators.

    2. Explain the ITIM organizational tree models.

      1. Determine the organization's business and how to best fit the organization's needs to the ITIM tree model.

    3. Explain the scope of governing entities in the organization tree.

      1. ITIM policies allow you to specify the scope of the governing services in the organization tree based on the policy's association with the business organization.


Section 2 - IBM Tivoli Identity Manager Function


  1. Given knowledge of IBM Tivoli Identity Manager (ITIM), describe the actions that can be performed in the ITIM Web Administrative Console, so that the ITIM Web Administrative Console has been defined.
    With emphasis on performing the following tasks:

    1. The ITIM Web Administrative Console provides an advanced set of administrative tasks or actions, such as managing roles, policies, reports, and so on. The interface also features multitasking capabilities. The Administrative Console provides sets of views, each tailored for the needs of the default administrative user types:

      1. System administrator

      2. Service owner

      3. Help desk assistant

      4. Auditor

      5. Manager

  2. Given that a basic installation and configuration of an ITIM environment has been completed, identify the products and functions needed to use the Web application ITIM Self-Service User Interface for the ITIM environment, so that the Self-Service User Interface has been described.
    With emphasis on performing the following tasks:

    1. Explain the ITIM Self-Service User Interface Web application.

      1. The application can be used for password changes by users.

      2. The application can be used for password reset via challenge/response.

      3. The application can be used for updates to user profiles.

      4. The application can be used for Self Registration.

    2. Explain the advantages of the ITIM Self-Service User Interface Web application.

      1. Customize the look and feel of the Web application to the customer environment.

      2. Error handling can be customized for the customer environment.

      3. Flexibility to implement logic for the first-time user login process.

      4. Easy to integrate with a customer portal.

  3. Given that a basic installation and configuration of an ITIM environment has been completed, identify the product and function needed to produce reports, so that the various types of reports have been defined.
    With emphasis on performing the following tasks:

    1. Explain the default report types:

      1. Activity reports - user accesses

      2. History reports - audit functions

    2. Explain the use of report templates within the report writing function:

      1. To specify criteria that produce the report details.

      2. By account operations.

    3. Explain access to the reports.

      1. Access is defined by report ACIs (access control items).

  4. Given knowledge of ITIM, identify ITIM organizational roles so that knowledge of when to use the two types has been obtained.
    With emphasis on performing the following tasks:

    1. Organizational Roles - a method of providing users with entitlements to managed resources by determining which resources are provisioned for a user or set of users who share similar responsibilities. If users are assigned to an organizational role, managed resources available to that role then become available to the users in that role, provided that those resources have been properly assigned to that role.

      1. Static organizational roles: available globally to any user of the organization. A user can be assigned to a static organizational role when:

        1. A user is added to ITIM initially (either manually through the Web interface or automatically through a data feed).

        2. An existing user profile is modified.

        A static organizational role can also be defined as an access. There are 4 different types of access, including:

        1. Application access

        2. Role access

      2. Dynamic organizational roles: an LDAP filter is used to automatically assign members based on any particular attribute found in a user's ITIM profile. These attributes can be any type of profile information, such as title, address, employee number, or department name. The implementation of dynamic organizational roles needs to be carefully analyzed, because in some cases an LDAP filter can result in exhaustive LDAP searches and affect the performance of the overall ITIM system. Users obtain membership in dynamic organizational roles when:

        1. The dynamic organizational role is created and the information for an ITIM user contains an attribute value targeted by the LDAP filter.

        2. An existing user's profile information is updated and the updated attributes contained in the user's profile match the information in the definition (rule) of the role. You use LDAP filters to define these rules. These rules can either pre-qualify or automatically provision the user with any resources that are associated with the entitlement of a provisioning policy.

    2. ITIM Groups - A group is a collection of ITIM users. ITIM users can belong to one or more groups. Groups are used to control user access to functions and data in ITIM.
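As an added example (not part of the exam guide or of IBM's code), the following Python evaluates dynamic-role LDAP filters like those just described against constructed person profiles, applying the three-valued (true/false/undefined) filter semantics a directory server uses so that a person lacking the filtered attribute never becomes a member, and flags filter shapes (negation, presence tests, leading wildcards) that cannot use an attribute index and therefore cause the exhaustive searches mentioned above. The role names, filters, and profiles are constructed assumptions.

```python
# Added example: evaluates ITIM-style dynamic role LDAP filters against person profiles.
import re

# Constructed ITIM person profiles (inetOrgPerson-style attribute names); not real data.
PEOPLE = {
    "jdoe":   {"cn": "John Doe",  "title": "Engineer",        "departmentnumber": "4200", "l": "Austin"},
    "asmith": {"cn": "Ann Smith", "title": "Senior Engineer", "departmentnumber": "4200", "l": "Dublin"},
    "bwong":  {"cn": "Bo Wong",   "title": "Auditor",         "departmentnumber": "1100", "l": "Austin"},
    "nhire":  {"cn": "New Hire",                              "departmentnumber": "4200", "l": "Austin"},
}

# Constructed dynamic roles: role name -> RFC 4515 filter, as typed into a role definition.
DYNAMIC_ROLES = {
    "EngineeringStaff": "(&(departmentnumber=4200)(title=*Engineer*))",
    "AustinSite":       "(l=Austin)",
    "NonAuditors":      "(!(title=Auditor))",
}

def parse_filter(s):
    """Parse an RFC 4515 filter into ('&'|'|', [kids]), ('!', [kid]) or ('=', attr, value).
    Supports AND/OR/NOT plus equality, presence (attr=*) and substring (a*b); no ')' in values."""
    pos = 0
    def expect(ch):
        nonlocal pos
        if s[pos:pos + 1] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1
    def node():
        nonlocal pos
        expect("(")
        c = s[pos:pos + 1]
        if c in ("&", "|"):
            pos += 1
            kids = []
            while s[pos:pos + 1] == "(":
                kids.append(node())
            expect(")")
            return (c, kids)
        if c == "!":
            pos += 1
            kid = node()
            expect(")")
            return ("!", [kid])
        end = s.index(")", pos)                      # ValueError if unterminated
        attr, sep, value = s[pos:end].partition("=")
        if not attr or not sep:
            raise ValueError(f"unsupported assertion {s[pos:end]!r}")
        pos = end + 1
        return ("=", attr.lower(), value)

    tree = node()
    if pos != len(s):
        raise ValueError("trailing characters after filter")
    return tree

def evaluate(tree, profile):
    """Three-valued result (True / False / None = Undefined): an assertion on an attribute the
    entry lacks is Undefined, so (!(title=Auditor)) does not match a person who has no title."""
    op = tree[0]
    if op in ("&", "|"):
        results = [evaluate(k, profile) for k in tree[1]]
        if op == "&":
            return False if False in results else (None if None in results else True)
        return True if True in results else (None if None in results else False)
    if op == "!":
        r = evaluate(tree[1][0], profile)
        return None if r is None else (not r)
    _, attr, value = tree
    actual = profile.get(attr)
    if actual is None:
        return None
    if value == "*":                        # presence assertion
        return True
    if "*" in value:                        # substring assertion, case-insensitive
        pattern = ".*".join(re.escape(part) for part in value.split("*"))
        return re.fullmatch(pattern, actual, re.IGNORECASE) is not None
    return actual.lower() == value.lower()  # caseIgnoreMatch equality

def role_members(roles, people):
    """Map each dynamic role to the sorted uids whose profile satisfies its filter (True only)."""
    return {name: sorted(uid for uid, p in people.items() if evaluate(parse_filter(f), p) is True)
            for name, f in roles.items()}

def index_unfriendly(tree):
    """Reasons a filter forces the directory server to scan every person entry instead of
    using an attribute index: AND is fine if any branch is indexable, OR needs every branch."""
    op = tree[0]
    if op == "!":
        return ["negation (!) cannot be answered from an attribute index"]
    if op == "&":
        per_child = [index_unfriendly(k) for k in tree[1]]
        return [] if any(not r for r in per_child) else sum(per_child, [])
    if op == "|":
        return sum((index_unfriendly(k) for k in tree[1]), [])
    _, attr, value = tree
    if value == "*" or value.startswith("*"):
        return [f"({attr}={value}) starts with a wildcard and cannot use an index"]
    return []
```

Running `role_members(DYNAMIC_ROLES, PEOPLE)` shows nhire, who has no title, in AustinSite but in neither EngineeringStaff nor NonAuditors, and `index_unfriendly(parse_filter(DYNAMIC_ROLES["NonAuditors"]))` reports the negation as the performance risk.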

  5. Given knowledge of ITIM, identify the entities of an ITIM solution, so that entities and their role within an ITIM solution have been described.
    With emphasis on performing the following tasks:

    1. Entities of an ITIM solution are objects that are stored in the ITIM solution and can be managed.

    2. Explain an entity of the ITIM solution. Any object stored in ITIM LDAP is an entity.

      1. A person entry, used to store information or to be managed.

      2. An object, used to store information or to be managed.

      3. Each entity has an associated interface form that can be customized.

    3. Explain how the entities are related.

      1. A person and an organization are both entities; a person belongs to an organization, and that membership forms the relationship.

      2. ITIM as an application manages users and their accounts as part of that relationship.

      3. Attributes, group memberships and passwords are associated with users and accounts.

      4. ITIM uses the organizational tree and roles to enable management of users and accounts.

  6. Given knowledge of ITIM, differentiate between access and accounts, so that the access and account concepts have been defined.
    With emphasis on performing the following tasks:

    1. Access: Access is your ability to use a specific resource, such as a shared folder or an application. In ITIM, an access can be created to represent access types such as shared folders, applications (such as Lotus Notes), e-mail groups, or other managed resources.

    2. Accounts: An account is the set of parameters for a managed resource that defines an identity, user profile, and credentials. It defines login information (user ID and password) and access to the specific resource with which it is associated.

      1. In ITIM, accounts are created on services, which represent the managed resources such as operating systems (UNIX), applications (Lotus Notes), or other resources.

      2. An access differs from an account in that an access is a form of an account; an account is access to the resource itself.

  7. Given knowledge of ITIM, describe the various types of customization that are possible within ITIM, so that ITIM customization options within ITIM have been described.
    With emphasis on performing the following tasks:

    1. ITIM allows for the customization of the following:

      1. Forms

      2. Workflows

      3. Identity Policies

      4. Password policy

      5. E-mail template

      6. Self-Care and Self-Registration

      7. Single Sign-on

    2. Describe examples of customized code that are available in ITIM.

    3. Many areas of the Administrative Console can be customized, including:

      1. Replace the launch link in the banner area (both the logo and the URL).

      2. Replace the banner area.

      3. Add a footer area.

      4. Replace the home page.

      5. Change the URL for help.

  8. Given knowledge of ITIM, identify ITIM scripting options available to use, so that knowledge of how to configure and customize ITIM 5.1 has been obtained.
    With emphasis on performing the following tasks:

    1. JavaScript - ITIM administrators can customize the behavior of the ITIM Server by using JavaScript. Administrators can use scripts to calculate default values for account attributes, alter the content of e-mail messages, control the processing of workflows, and do many other actions. These scripts run as a part of the ITIM Server, and they should not be confused with client-side JavaScript that is embedded in Web pages to be run by Web browsers. ITIM provides a set of JavaScript environments. Each of these JavaScript environments provides predefined variables and functions that can be used by any scripts run in that environment. These predefined objects are created by JavaScript extensions. For example, all JavaScript run during the evaluation of a provisioning policy has a predefined variable named subject. This variable contains a reference to the owner of the account being evaluated with respect to the provisioning policy. This allows data about the owner to be used when calculating default or mandatory attribute values for their accounts.

    2. JavaScript Extensions - JavaScript extensions alter the JavaScript environments that are used in the ITIM Server. ITIM comes with a set of JavaScript extensions that create its default JavaScript environments. You can create your own extensions to add additional predefined variables and functions to any of the JavaScript environments.

  9. Given knowledge of ITIM, identify the different ITIM Web interfaces, so that the interface options in ITIM V5.1 have been described.
    With emphasis on performing the following tasks:

    1. Administrative - Provides a single enterprise management interface and centralizes the definition of users and provisioning of user services. This is the main console used by ITIM administrators.

    2. Self-Service User Interface - Enables users to perform password resets, password synchronization, account/access requests and viewing/modification of personal information without administrative intervention.

    3. A customized Web interface built by using the Admin API.

  10. Given knowledge of ITIM, define audit reports within ITIM, so that the functionality of audit reports within the ITIM solution is understood.
    With emphasis on performing the following tasks:

    1. Describe Audit reports:

      1. The typical method for report generation is to use the ITIM Web Console.

      2. The data in the reports is obtained from the database and the directory server.

      3. Report outputs can be in CSV or PDF form.

      4. Reports can be produced for many of the functions and operations of ITIM.

      5. Report templates can be modified for a custom report.

      6. Access control item (ACI) definitions govern the availability of reports for all users. The report ACIs grant or deny a group of users the ability to run reports.

  11. Given knowledge of ITIM, define services within ITIM, so that the functionality of services within an ITIM solution is understood.
    With emphasis on performing the following tasks:

    1. A service represents an instance of a managed resource that a user can subscribe or be provisioned to in order to be granted access. For a user to gain access to a service, a provisioning policy needs to be defined in order to create and maintain an account on that resource.

      1. A service is created from a service type (also known as an adapter profile) that can be considered a template with a common set of attributes for each type of managed resource supported by ITIM.

      2. Each service requires an adapter installer component and adapter .jar file. The adapter facilitates management of the resource by ITIM. In order to create a service, you must define a service that represents the adapter.

    2. ITIM comes with following default service types:

      1. Identity feed service types: these service types do not create accounts. They are used to import user data from an authoritative data source of identities into the ITIM directory as person information. The following identity feed service types come with ITIM:

        1. Directory Service Markup Language (DSML) Identity Feed

        2. Active Directory

        3. iNetOrgPerson

        4. Comma-separated value (CSV) file

        5. IDI data feed

      2. Account service types:

        1. IBM Tivoli Directory Integrator based adapters (LDAP, UNIX, and Linux)

        2. ITIM Service

        3. Hosted service

        4. Custom Java class

        5. Manual service

  12. Given the entity design and identity feed design, set up a schedule for synchronizing identity data from the authoritative data source so that identities in ITIM are on-boarded, kept current, and off-boarded.
    With emphasis on performing the following tasks:

    1. Determine the source and form of identity data.

    2. Determine the frequency of identity synchronization (scheduled or near real time).

    3. Determine entity type and placement of identities in the ITIM organization tree.

    4. Determine if policies are to be evaluated during identity feed.

    5. Define the appropriate identity feed service in ITIM.

    6. Create external IBM Tivoli Directory Integrator Assembly Line if necessary to communicate with identity source and ITIM.


Section 3 - IBM Tivoli Identity Manager Integration


  1. Given a working Tivoli Enterprise Single Sign-On server, a configured IBM Tivoli Identity Manager (ITIM) Server, a working Tivoli Directory Integrator Server and a set of requirements for the ITIM Adapter for Tivoli Enterprise Single Sign-On configuration, install and configure the Tivoli Enterprise Single Sign-On Adapter so that Tivoli Enterprise Single Sign-On user accounts can be managed through ITIM.
    With emphasis on performing the following tasks:

    1. ITIM can create or update the accounts and passwords which can be imported to IBM Tivoli Access Manager for Enterprise Single Sign-on for seamless user Single Sign-on.

    2. Import TAMESSOProfile.jar.

      1. Log on to Tivoli Identity Manager Web Console.

      2. Navigate to Configure System -> Manage Service Types.

      3. Click Import and select the TAMESSOProfile.jar file from the Tivoli Access Manager Combo Adapter media.

      4. Click OK to import jar file.

    3. Install Tivoli Directory Integrator Connector for Tivoli Access Manager Enterprise Single Sign-On Adapter.

      1. Log on to Tivoli Directory Integrator with administrative privileges.

      2. Extract the contents of the Tivoli Access Manager Enterprise Single Sign-On Adapter package to a temporary directory.

      3. Copy TAMESSOConnector.jar to the Tivoli Directory Integrator jars/connectors directory.

      4. Restart Tivoli Directory Integrator dispatcher.

    4. Configure the Integrated Management System Server for Tivoli Directory Integrator based provisioning.

      1. Start the IMS Configuration Utility.

      2. Click on Integrated Management System Bridges on the left side under advanced settings.

      3. Select Integrated Management System Bridge from the Add configuration group drop-down box.

      4. Press the Configure button.

      5. Define a Name and an Integrated Management System Bridge password (shared secret) in the available text input boxes.

      6. Enter the IP address of the Tivoli Directory Integrator Server as the Integrated Management System Bridge IP address value.

      7. Set Integrated Management System Bridge Type to Provisioning.

      8. Press the Add button at the bottom of the page to add the configured bridge.

      9. Restart the Integrated Management System service for the changes to take effect.

    5. Create and configure service for Tivoli Access Manager Combo Adapter.

      1. Log on to Tivoli Identity Manager Web Console.

      2. Navigate to Manage Services.

      3. Click Create Service, select the TAM ESSO Profile, and click OK.

      4. Fill out the service form per requirements.

      5. Verify adapter configuration by clicking on Test Connection button.

  2. Given proper access to the Tivoli Directory Integrator Server with the Access Manager Runtime and Access Manager Java Runtime installed, the Tivoli Identity Manager Web Console and the requirements for the Tivoli Access Manager Combo Adapter configuration, configure the Tivoli Access Manager Combo Adapter and associated service so that Tivoli Access Manager user accounts and groups can be managed through ITIM.
    With emphasis on performing the following tasks:

    1. Tivoli Access Manager for e-business can become the access control for ITIM.

    2. Import itamprofile.jar.

      1. Log on to Tivoli Identity Manager Web Console.

      2. Navigate to Configure System -> Manage Service Types.

      3. Click Import and select itamprofile.jar file from the Tivoli Access Manager Combo Adapter media.

      4. Click OK to import jar file.

    3. Configure Java runtime for Tivoli Directory Integrator.

      1. Log on to Tivoli Directory Integrator with administrative privileges.

      2. Set system path to include java from Tivoli Directory Integrator installed directory.

      3. Run Tivoli Access Manager pdadmin command and configure Tivoli Access Manager Java Runtime for Tivoli Directory Integrator.

      4. Copy TAMComboUtils.jar from Tivoli Access Manager Combo Adapter media to <TDI HOME DIR>/jars/3rdparty/IBM directory.

      5. Configure the Tivoli Directory Integrator Java Runtime into the Tivoli Access Manager secure domain by using the Tivoli Access Manager com.tivoli.pd.jcfg.SvrSslCfg Java class.

      6. Restart the Tivoli Directory Integrator dispatcher.

    4. Create and configure the service for the Tivoli Access Manager Combo Adapter.

      1. Log on to Tivoli Identity Manager Web Console.

      2. Navigate to Manage Services.

      3. Click Create Service, select the TAM Combo Profile, and click OK.

      4. Fill out the service form per requirements.

      5. Verify the adapter configuration by clicking the Test Connection button.

  3. Given a configured ITIM Server, working Tivoli Compliance Insight Manager Server with configured GEM database, configured point of presence server and a set of requirements for auditing configuration, enable ITIM Auditing so that auditing events from ITIM Database are picked up by the point of presence server and forwarded to the Tivoli Compliance Insight Manager Server.
    With emphasis on performing the following tasks:

    1. Auditing Events from ITIM database are picked up by the point of presence server and forwarded to the IBM Tivoli Security Information and Event Manager Server.

    2. Edit enroleAuditing.properties file from data directory of ITIM Server.

      1. Set the "itim.auditing" property to true.

      2. Set the itim.auditing.retrycount property to a number per requirements.

      3. Set the itim.auditing.retrydelay property to a number per requirements.

      4. Set ITIM Categories to true per requirements.

      5. Save the edited file.

    3. Verify ITIM configured auditing events are processed by the Tivoli Compliance Insight Manager Server.

      1. Log in to the Tivoli Compliance Insight Manager Web portal and click on iView.

      2. Click on the ITIM database icon at the bottom of the iView main screen to open the summary view.

      3. The summary view of all the events associated with the ITIM Database is displayed.

  4. Given knowledge of ITIM, identify the target resources to allow ITIM and ITDI to provide functionality for integration, so that ITIM adapters can be customized to help manage the target resources in the customer solution.
    With emphasis on performing the following tasks:

    1. Explain the need for integration.

      1. Tivoli Directory Integrator adapters provide integration to target resources for password synchronization and user administration.

      2. Target resources can be applications that can use ITIM as a central authority for policies and workflows by using Tivoli Directory Integrator.

      3. Tivoli Directory Integrator adapters provide integration to databases for user synchronization.

      4. Tivoli Directory Integrator adapters provide integration to LDAP products for user synchronization.


Section 4 - IBM Tivoli Identity Manager Adapters


  1. Given knowledge of IBM Tivoli Identity Manager (ITIM), identify the types of adapter available within ITIM, so that the types of adapters within ITIM have been described.
    With emphasis on performing the following tasks:

    1. Define the various types of adapters available for ITIM.

      1. Out of the box adapters:
        - Infrastructure (operating systems, basic user repositories).
        - Application (enterprise applications such as financials and CRMs).
        - Host (Mainframes and OS/400).

      2. Custom adapters - IBM Tivoli Directory Integrator.

  2. Given knowledge of ITIM, describe how customized adapters can be created, so that custom adapters within an ITIM environment have been discussed.
    With emphasis on performing the following tasks:

    1. ITIM adapters can be customized to help manage the target resources in the customer solution.

      1. IBM Tivoli Directory Integrator provides a configuration console to build and customize functions for ITIM adapters.

      2. The IBM Tivoli Identity Manager Adapter Development Tool exports the configuration to a jar file, which can be imported into ITIM.

    2. Explain ITIM adapter customization.

      1. The IBM Tivoli Directory Integrator configuration console can be used to modify or enhance an adapter.

      2. The IBM Tivoli Identity Manager Adapter Development Tool can be used to create, modify or enhance an adapter.

  3. Given knowledge of ITIM, identify the functions of adapters in the ITIM environment, so that how adapters are used in an ITIM solution has been described.
    With emphasis on performing the following tasks:

    1. ITIM adapters can help manage target resources in the customer solution.

      1. The adapter can create, change, delete and suspend accounts on the target resource.

      2. The adapter can synchronize group provisioning on the target resource.

      3. The adapter can manage user attribute values on the target resource.

      4. The adapter can send changes made on the target system to ITIM.

      5. The adapter can create, change and delete groups on the target resource.


Section 5 - User Administration


  1. Given an objectclass in an IBM Tivoli Identity Manager (ITIM) V5.1 LDAP and requirements for Identity form design, create a custom identity entity and its associated configurations so that you can manage the custom Identity via the ITIM V5.1 console graphical interface.
    With emphasis on performing the following tasks:

    1. Log on to Tivoli Identity Manager Web Console.

      1. Create an ITIM Person type custom Identity.
        - Navigate to Configure Systems -> Manage Entity.
        - Add New Entity, select type Person, click Next.
        - Select the given LDAP objectclass, map attributes per requirements and submit to create the new Identity entity.

      2. Configure the ITIM user interface form for the custom Identity.
        - Navigate to Configure Systems -> Design Forms.
        - Open the form for the custom Identity type under Person.
        - Edit the form per requirements and save the form.

    2. Validate manual creation of a custom Identity type identity record.

      1. Navigate to Manage Users.

      2. Click Add. Select the custom Identity type.

      3. Verify the displayed form is as expected per requirements.

      4. Enter Identity data and submit.

      5. Verify the creation of Identity user record.

  2. Given proper access to the Tivoli Identity Manager Web Console and configured provisioning policies for a target, manage an account on the target system so that the Tivoli Identity Manager account management functions are demonstrated.
    With emphasis on performing the following tasks:

    1. Log on to Tivoli Identity Manager Web Console.

      1. Add a user to a role and verify that the user's account is created per configuration.
        - Navigate to Manage Roles.
        - Search for the role that the user is to be made a member of.
        - Place the cursor on the right twisty next to the displayed role and select Manage User Members.
        - Click Add. Search for and select the user that needs to be added to this role.
        - Submit the request.
        - Navigate to Manage Users.
        - Search for the user.
        - Place the cursor on the right twisty next to the user name and select Accounts.
        - Search for the accounts.
        - Verify that the user's account is listed in the list of accounts.

      2. Remove a user from a role and verify that the account is deleted from the target system.
        - Navigate to Manage Roles.
        - Search for the role from which the user is to be removed.
        - Place the cursor on the right twisty next to the displayed role and select Manage User Members.
        - Click Search. Select the check box next to the user to be removed.
        - Click the Remove button and submit the request.
        - Navigate to Manage Users.
        - Search for the user.
        - Place the cursor on the right twisty next to the user name and select Accounts.
        - Search for the accounts.
        - Verify that the user's account is no longer listed in the list of accounts.

      3. Demonstrate that as long as a user is a member of a role that grants entitlement to a target, you cannot delete the account on the target system.
        - Navigate to Manage Users.
        - Search for the user.
        - Place the cursor on the right twisty next to the user name and select Accounts.
        - Select the account that is granted by virtue of a role membership.
        - Click the Delete button. Select the Immediate radio button and click Delete.
        - A message is displayed: "The following accounts cannot be deleted since these accounts are governed by automatic provisioning policy."

      4. Demonstrate that when a user identity is suspended, the accounts owned by the user are suspended.
        - Navigate to Manage Users.
        - Search for the user.
        - Select the user and click Suspend.
        - Submit the request.
        - Navigate to Manage Users.
        - Search for the user.
        - Place the cursor on the right twisty next to the user name and select Accounts.
        - Search for the accounts.
        - Verify that all listed accounts are inactive.

      5. Demonstrate that when a user identity is restored, the accounts owned by the user are re-enabled.
        - Navigate to Manage Users.
        - Search for the user.
        - Select the user and click Restore.
        - Submit the request.
        - Navigate to Manage Users.
        - Search for the user.
        - Place the cursor on the right twisty next to the user name and select Accounts.
        - Search for the accounts.
        - Verify that all listed accounts are active.

  3. Given proper access to the Tivoli Identity Manager Web Console, the ITIM Self-Service User Interface and a set of requirements for application access, create and configure an Access so that end users are able to make an Access request by using the ITIM self-care console.
    With emphasis on performing the following tasks:

    1. Log on to Tivoli Identity Manager Web Console.

      1. Navigate to Manage Roles.

      2. Click on Create.

      3. Enter the name for the Role.

      4. Select radio button for Static Role.

      5. Select Check Box for Enable Access for this role.

      6. Select Check Box for Show this role as common access.

      7. Click on Finish.

    2. Log on to Tivoli Identity Manager Self-Service User Interface as an end user.

      1. Click on Request Access.

      2. Newly created Access is displayed.

    3. Log on to Tivoli Identity Manager Web Console.

      1. Log on to Tivoli Identity Manager Web Console.

      2. Navigate to Manage Services. Search for the service.

      3. Place the cursor on the right twisty next to the Service Name and select Manage Groups.

      4. Search for the groups. Select the group for which access is being created. Click Change.

      5. Click on Access Information.

      6. Select Define an Access and fill out the rest of the form per requirements.

      7. Click OK.


Section 6 - Policy Administration


  1. Given a set of requirements for the Adoption, Password, Identity, Provisioning and Service Selection policies for a service type, configure IBM Tivoli Identity Manager (ITIM) policies so that the set of requirements is met.
    With emphasis on performing the following tasks:

    1. Configure an Adoption policy for a service type.

      1. Log on to Tivoli Identity Manager Web Console.

      2. Navigate to Manage Policies -> Manage Adoption Policies.

      3. Click Create.

      4. Enter the name of the policy. Click on Targets.

      5. Select the target service per requirement. Click on Rule.

      6. Enter the adoption rule per requirement.

      7. Click OK.

    2. Configure a Password policy for a service type.

      1. Log on to Tivoli Identity Manager Web Console.

      2. Navigate to Manage Policies -> Manage Password Policies.

      3. Click Create.

      4. Enter the name of the policy. Click on Targets.

      5. Select the target service per requirement. Click on Rules.

      6. Set the password rules per requirements.

      7. Click OK.

    3. Configure an Identity policy for a service type.

      1. Log on to Tivoli Identity Manager Web Console.

      2. Navigate to Manage Policies -> Manage Identity Policies.

      3. Click Create.

      4. Enter the name of the policy.

      5. Select User type per requirements. Click on Targets.

      6. Select the target service per requirement. Click on Rule.

      7. Set the Identity rule per requirements.

      8. Click OK.
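An identity rule is the script that decides what user ID a new account gets. The following standalone model of such a rule is an added example, not ITIM's own code: inside ITIM the rule runs in the product's JavaScript engine against the `subject` person object, whereas here the person is a plain object and the set of IDs already in use on the service is constructed inline, so the rule can be exercised offline. The rule builds first initial plus surname, strips accents and non-alphanumerics, truncates to the service's length limit and appends a numeric suffix on collision.

```javascript
// Added example, not ITIM's own code: models the logic of an ITIM identity
// policy rule (user ID derivation for a new account) so it can be run offline.
// `person` is a plain object standing in for ITIM's `subject` (an assumption).

// Constructed sample: user IDs already present on the target service.
const EXISTING_UIDS = new Set(["jsmith", "jsmith1", "mjones"]);

// Normalize a name fragment: split accented letters from their marks, drop the
// marks and anything that is not an ASCII letter or digit, then lower-case.
function normalizeName(s) {
  return String(s || "")
    .normalize("NFD")
    .replace(/[\u0300-\u036f]/g, "")
    .replace(/[^A-Za-z0-9]/g, "")
    .toLowerCase();
}

// Identity rule: first initial + surname, truncated to maxLen characters.
// If the candidate is already taken, a numeric suffix replaces the tail so the
// result still fits maxLen. Throws when no surname is available or the
// namespace is exhausted, so a caller never silently provisions an empty ID.
function identityRule(person, existing, maxLen = 8) {
  const given = normalizeName(person.givenName);
  const sn = normalizeName(person.sn);
  if (!sn) throw new Error("identity rule requires a surname (sn)");
  const base = (given.charAt(0) + sn).slice(0, maxLen);
  if (!existing.has(base)) return base;
  for (let n = 1; n < 1000; n++) {
    const suffix = String(n);
    const candidate = base.slice(0, maxLen - suffix.length) + suffix;
    if (!existing.has(candidate)) return candidate;
  }
  throw new Error("no free user ID available for base " + base);
}

// Example run over the constructed data.
// John Smith   -> "jsmith2"  (jsmith and jsmith1 are taken)
// Maria Jones  -> "mjones1"
// Zoë Ångström-Lund -> "zangstro" (accents stripped, truncated to 8)
for (const p of [
  { givenName: "John", sn: "Smith" },
  { givenName: "Maria", sn: "Jones" },
  { givenName: "Zoë", sn: "Ångström-Lund" },
]) {
  console.log(p.givenName, p.sn, "->", identityRule(p, EXISTING_UIDS));
}
```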

    4. Configure a Provisioning policy for a service type.

      1. Log on to Tivoli Identity Manager Web Console.

      2. Navigate to Manage Policies -> Manage Provisioning Policies.

      3. Click Create.

      4. Enter the name of the policy.

      5. Enter priority per requirements. Click on Members.

      6. Enter membership criteria per requirements. Click on Entitlements.

      7. Click Create. Configure entitlement page per requirements. Click OK.

      8. Click Submit.

    5. Configure a Service Selection policy for a service type.

      1. Log on to Tivoli Identity Manager Web Console.

      2. Navigate to Manage Policies -> Manage Service Selection Policies.

      3. Click Create.

      4. Enter the name of the policy. Click on Service.

      5. Select the service per requirements. Click on Service Selection Script.

      6. Enter selection script per requirements. Click on Test.

      7. If script error occurs, correct it. Click Submit Now.

  2. Given a configured test ITIM system, copy the identified policies from the test system to the production system by using the import/export functionality, so that promoting policies from the Test system to the Production system in a supported way is demonstrated.
    With emphasis on performing the following tasks:

    1. Export the identified policies from the Test system.

      1. Log on to the Test system Web Console. From navigation tree, select Configure System -> Export Data.

      2. Create new partial export file.

      3. Select and add the identified policies to be exported.

      4. Export the policies and save the file with .jar extension.

      5. Once the file is ready for download, save the file on the system where the browser is running.

    2. Import the policies to the Production system.

      1. Log on to the Production system Web Console. From navigation tree, select Configure System -> Import Data.

      2. Upload the jar file. Provide import name and select the jar file to be uploaded.

      3. Verify jar file was uploaded.

      4. Verify and resolve any conflicts by selecting override existing object.

      5. Import the data.

      6. Verify the results of import data.

  3. Given proper access to the Tivoli Identity Manager Web Console and a set of requirements to modify an existing provisioning policy, modify the provisioning policy so that the ITIM Preview capability is demonstrated.
    With emphasis on performing the following tasks:

    1. Log on to Tivoli Identity Manager Web Console.

    2. Navigate to Manage Policies -> Manage Provisioning Policies.

    3. Search for Provisioning Policy that needs to be modified per requirements.

    4. Select the provisioning policy that needs to be modified per requirements and click on Change.

    5. Modify provisioning policy per requirements.

    6. Click on Preview.

    7. Select Enforce changes only radio button and Click on Continue.

    8. Once the evaluation status is Completed, the number of accounts evaluated, the number of disallowed accounts, the number of non-compliant accounts and the number of compliant accounts are displayed, showing the effect the modified policy would have if the changes were submitted.
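The preview counts are the three compliance outcomes ITIM assigns to each evaluated account: disallowed (the owner is no longer entitled to the service), non-compliant (entitled, but an attribute value falls outside what the entitlement enforces) and compliant. The following is an added example, not ITIM's own code, that models that classification over constructed accounts; its data model (a policy with member roles and per-service entitlements listing allowed attribute values, accounts carrying their owner's roles) is an assumption that collapses ITIM's several attribute enforcement types into a single allowed-values list.

```javascript
// Added example, not ITIM's own code: models the provisioning policy Preview
// classification (evaluated / disallowed / non-compliant / compliant).
// Data model is an assumption, simplified from ITIM's real policy semantics.

// Constructed policy: members of role "developers" are entitled to accounts
// on service "linux-dev", with the listed attribute values allowed.
const POLICY = {
  members: new Set(["developers"]),
  entitlements: [
    { service: "linux-dev",
      allowed: { shell: ["/bin/bash", "/bin/sh"], groups: ["dev", "qa"] } },
  ],
};

// Constructed accounts, each carrying its owner's role memberships.
const ACCOUNTS = [
  { uid: "jsmith", service: "linux-dev", ownerRoles: ["developers"],
    attributes: { shell: "/bin/bash", groups: ["dev"] } },
  { uid: "mjones", service: "linux-dev", ownerRoles: ["developers"],
    attributes: { shell: "/bin/zsh", groups: ["dev"] } },          // bad shell
  { uid: "akumar", service: "linux-dev", ownerRoles: ["contractors"],
    attributes: { shell: "/bin/bash", groups: ["dev"] } },         // not entitled
  { uid: "bwong", service: "hr-app", ownerRoles: ["developers"],
    attributes: {} },                                              // other service
];

// Entitlement that grants this account's service, or undefined if none.
function entitlementFor(policy, account) {
  return policy.entitlements.find((e) => e.service === account.service);
}

// Does the account owner hold a role that the policy grants membership to?
function ownerIsMember(policy, account) {
  return account.ownerRoles.some((r) => policy.members.has(r));
}

// Attribute names whose current value is outside the allowed list.
// Multi-valued attributes are non-compliant if any value is outside it.
function violations(entitlement, account) {
  const bad = [];
  for (const [name, allowed] of Object.entries(entitlement.allowed)) {
    const values = [].concat(account.attributes[name] ?? []);
    if (values.some((v) => !allowed.includes(v))) bad.push(name);
  }
  return bad;
}

// Classify one account the way the Preview result page reports it.
function classify(policy, account) {
  const ent = entitlementFor(policy, account);
  if (!ent) return "not-evaluated";          // policy does not target this service
  if (!ownerIsMember(policy, account)) return "disallowed";
  return violations(ent, account).length ? "non-compliant" : "compliant";
}

// Produce the four counts shown after the evaluation status reaches Completed.
function previewPolicy(policy, accounts) {
  const counts = { evaluated: 0, disallowed: 0, nonCompliant: 0, compliant: 0 };
  for (const a of accounts) {
    const status = classify(policy, a);
    if (status === "not-evaluated") continue;
    counts.evaluated++;
    if (status === "disallowed") counts.disallowed++;
    else if (status === "non-compliant") counts.nonCompliant++;
    else counts.compliant++;
  }
  return counts;
}

// Expected for the constructed data: evaluated 3, disallowed 1,
// non-compliant 1, compliant 1 (bwong is on a service the policy ignores).
console.log(previewPolicy(POLICY, ACCOUNTS));
```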


Section 7 - Roles Administration


  1. Given an installed IBM Tivoli Identity Manager (ITIM) environment, describe how to create and manage roles, so that the procedures to create and manage roles in ITIM V5.1 have been described.
    With emphasis on performing the following tasks:

    1. Create role - Complete these steps:

      1. From the navigation tree, select Manage Roles. The Manage Roles page is displayed.

      2. On the Manage Roles page, in the Roles table, click Create.

      3. On the Create a Role page, complete each page to specify information for the role, and then click Finish. The pages will vary, depending on whether you specify a static or a dynamic role. When you are done specifying information, click Finish.

      4. On the Success page, click Close.

    2. Modify role - Complete these steps:

      1. From the navigation tree, click Manage Roles. The Manage Roles page is displayed.

      2. On the Manage Roles page, complete these steps:
        - Type information about the role in the Search information field.
        - In the Search by field, specify whether the search should be performed against role names or descriptions, or against business units, and then click Search. A list of roles matching the search criteria is displayed. If the table contains multiple pages, you can click the arrow to go to the next page, or type the number of the page that you want to view and click Go.
        - In the Roles table, click the icon adjacent to the role that you want to modify, and then click Change. The Role Information page is displayed.

      3. On the Role Information page, make the desired changes for the role, and then click the button that completes the change. The buttons vary, depending on whether you specify a static or a dynamic role.

  2. Given knowledge of ITIM, describe role hierarchies, so that how role hierarchies are used with ITIM has been described.
    With emphasis on performing the following tasks:

    1. While you can assign a user to one or more roles, roles can themselves be members of other roles, in what is referred to as child roles that contribute to role hierarchy. Roles can be organized into role hierarchies, which allow the administrator to plan and build hierarchical role structures and implement role relationships. Child roles inherit all privileges from their ancestors.


Section 8 - Workflow Administration


  1. Given knowledge of IBM Tivoli Identity Manager (ITIM), describe the process of workflow management, so that knowledge of how to administer workflows has been obtained.
    With emphasis on performing the following tasks:

    1. To create a workflow:

      1. From the navigation tree, select Design Workflows. Then, click either Manage Account Request Workflows or click Manage Access Request Workflows.

      2. In the page that is displayed, in the table that lists the workflows, click Create.

      3. In the General tab, complete the name and description of the workflow, and select a business unit and service type. Click other tabs to specify additional information. Then, either click OK to save the changes or Apply to save your changes and continue.

      4. In the Activities tab, complete either a simple or an advanced workflow. You can create a simple workflow and convert it to an advanced one if you later decide that you require more advanced capabilities. However, you cannot convert an advanced workflow back to a simple one: if you do so, all of your advanced activities are discarded and you start with a new, simple workflow.

      5. On the Success page, click Close.

    2. To manage a workflow:

      1. From the navigation tree, select Design Workflows. Then, click either Manage Account Request Workflows or click Manage Access Request Workflows.

      2. In the page that is displayed, in the Search information field, type information about the workflow, and click Search. You can also type information about the service to which the account request workflow is associated, or information about the access to which the access request workflow is associated.

      3. In the table that lists the available workflows, select the workflow that you want to modify, and click Change or Delete.

      4. In the General tab or the Activities tab, complete your changes. Then, click OK.

      5. On the Success page, click Close.

  2. Given knowledge of ITIM, describe the different nodes of a workflow, so that knowledge of when to use specific nodes has been obtained.
    With emphasis on performing the following tasks:

    1. Activities represent the business logic for a specific task in a workflow process. An activity is represented in a workflow as a node. ITIM supports the following types of nodes:

      1. Start and End - The start node defines the beginning of a workflow, and the end node defines the end of a workflow. Both nodes are always included in a workflow and cannot be deleted. These nodes each contain a JavaScript window that allows you to add JavaScript code that executes at the beginning or end of the workflow. Start nodes have transitions out only and end nodes have transitions in only.

      2. Approval - Use the approval node to add a request for approval when adding or modifying people, accounts, and access. The approver must be an ITIM user, because the approver is required to log in to ITIM to approve or reject the request. In entitlement workflows, use approval nodes to request authorization to continue with a provisioning request. In operation workflows, use an approval node as a switch to follow a specific workflow path. Approval text and labels can also be customized to allow approvals to be used for most Yes/No decision activities.

      3. Mail - Use the mail node to specify the recipient type and content to be e-mailed to a user in an e-mail notification. The content can be specified directly or copied from a template used by mail activities in other workflows.

      4. Request for information - Use the request for information (RFI) node within entitlement and operation workflows to solicit account or user-related information from a user with an ITIM account. Within the RFI, you specify the attributes for which the participant is asked to provide values. The participant can edit only the attributes that you select. All other form attributes are read-only. The attributes selected display on the RFI page when the participant logs in and accesses the RFI activity list item.

      5. Operation - Use the operation node to invoke an existing operation from within a workflow.

      6. Loop - Use the loop node to execute one or more nodes in a loop.

      7. Extension activities - Use the extension node to invoke an application extension from within the workflow. The application extension is a pre-configured Java class for use in the workflow environment. Extensions can accept input parameters and return output parameters back to the workflow. Only extensions that are registered properly display in the extension window.

      8. Script - Use the script node to add logic to the workflow through the use of JavaScript code. The script node makes clear to anyone viewing the workflow that scripting is present in the workflow. JavaScript code is used within workflows to define and retrieve parameters and attribute values dynamically and to store and forward these values as variables for use by logic or code within a single workflow activity. You can extend the JavaScript code by defining custom JavaScript objects through a Java extension.

      9. Workorder - Use the workorder node to send e-mail to an ITIM user, either to request some type of manual activity or as a simple notification. The work order activity supports two execution modes:
        - The send mode completes the activity when the work order request messages are successfully sent to the mail server for forwarding to participants.
        - The send and wait for completion mode sends the e-mail and then waits for notification of the completion of a manual activity.

      10. Subprocess - This node is available only for account request and access request workflows. A subprocess activity cannot be included in an operation workflow. A subprocess can use any predefined account request or access request workflow of the same service type (or global workflows); however, the workflow must be located within the same organization.

  3. Given knowledge of ITIM, describe the different types of workflows, so that knowledge of when to use specific workflow has been obtained.
    With emphasis on performing the following tasks:

    1. Entitlement Workflows - A workflow that defines the business logic that is used when provisioning a policy. For example, an entitlement workflow is used to define approvals for managing accounts. There are two types of entitlement workflows:

      1. Account request workflow can be associated with a provisioning policy entitlement. Account request workflows define pre-conditions to account provisioning (such as Linux or directory accounts).

      2. Access request workflow can be added to a service access. Access request workflows define pre-conditions to access provisioning (such as groups or shared drives).

    2. Operation workflows define the actual sequence of activities taking place when performing provisioning operations, on person, business partner person, and account. They can be customized by editing the sequence of activities occurring during the operation, as well as the activities themselves.

      1. There are 3 types of operational workflows:
        - Global Level
        - Entity Type Level - predefined workflows (add, change password, delete, modify, restore and suspend)
        - Entity Level
