
Tivoli Key Lifecycle Manager

Version 2 Release 0

Installation and Configuration Guide



SC27-2741-00
Note
Before using this information and the product it supports, read the information in “Notices” on page 121.

August 2010
This edition applies to version 2 of Tivoli Key Lifecycle Manager (product number 5724-T60) and to all subsequent
releases and modifications.
© Copyright IBM Corporation 2008, 2010.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents

Figures . . . v
Tables . . . vii
Preface . . . ix
    What is new in version 2 . . . ix
    Intended audience . . . x
    Publications . . . x
        Tivoli Key Lifecycle Manager library . . . x
        Related publications . . . xi
        Accessing publications online . . . xi
        Ordering publications . . . xi
    Tivoli technical training . . . xii
    Tivoli user groups . . . xii
    Support information . . . xii
    Conventions used in this information . . . xii
        Typeface conventions . . . xii
        Definitions for HOME and other directory variables . . . xiii
        Audit files . . . xiv
Chapter 1. Overview of the environment . . . 1
    Features overview . . . 1
    Deployment . . . 2
        Deployment on Windows and systems such as Linux or AIX . . . 2
    Installation overview . . . 2
    Installation images and fix packs . . . 3
    Preparing the installation package . . . 3
Chapter 2. Planning the installation . . . 5
    Hardware requirements for distributed systems . . . 5
    Operating system requirements . . . 8
        Linux packages . . . 9
        Disabling Security Enhanced Linux . . . 9
    Software prerequisites . . . 9
        Java Runtime Environment (JRE) requirements . . . 10
        Database authority and requirements . . . 10
        Runtime environment requirements . . . 11
        Tivoli Integrated Portal requirement . . . 11
        Browser requirements . . . 11
        Keystore type and key size requirements . . . 12
    Access requirements . . . 13
    Login URL and initial user ID . . . 13
    Roles . . . 16
    Available permissions . . . 17
Chapter 3. Migration planning . . . 21
    Before you migrate . . . 21
        Disk space requirements . . . 21
        Data quantity . . . 24
        Encryption Key Manager configuration . . . 24
        Tivoli Key Lifecycle Manager Version 1 requirements . . . 25
    Migration requirements for Encryption Key Manager . . . 26
        Migration for Encryption Key Manager from AS/400 systems . . . 26
        Obtaining Encryption Key Manager . . . 27
        Migration restrictions for Encryption Key Manager . . . 27
    After migrating Encryption Key Manager . . . 27
    After migrating Tivoli Key Lifecycle Manager . . . 28
    Data objects and properties migrated from Encryption Key Manager . . . 30
    Data objects and properties migrated from Tivoli Key Lifecycle Manager . . . 32
Chapter 4. Types of installation . . . 35
    Syntax and parameters for the installation program . . . 35
    Graphical mode installation . . . 35
        Starting a graphical installation . . . 36
        Installation and migration panels . . . 36
    Console mode installation . . . 37
    Silent installation . . . 37
        Adapting a sample response file . . . 38
Chapter 5. Installing on distributed systems . . . 39
    Configuring DB2 during installation . . . 40
        DB2 password security issues on Windows systems . . . 42
        DB2 password security issues on systems such as Linux or AIX . . . 44
    Configuring middleware during installation . . . 47
    Migrating an Encryption Key Manager configuration . . . 48
    Resetting a password on distributed systems . . . 48
Chapter 6. Uninstalling on distributed systems . . . 51
    Syntax and parameters for the uninstallation program . . . 51
    Uninstalling on Windows systems . . . 52
    Recovering from a failed uninstallation on Windows systems . . . 53
    Uninstalling on systems such as Linux and AIX . . . 54
    Recovering from a failed uninstallation on systems such as Linux and AIX . . . 55
    Reinstalling Version 1 if migration repeatedly fails . . . 56
Chapter 7. Optionally removing DB2 and disabling services . . . 59
    Uninstalling DB2 . . . 59
    Disassociating a user ID from the DB2 instance . . . 60
    Removing the user ID of the DB2 instance owner . . . 61
    Disabling automatic services . . . 62
Chapter 8. Recovering from migration failure . . . 63
    Recovering from migration failure for Encryption Key Manager . . . 63
    Migration recovery script for Encryption Key Manager . . . 63
    Recovering from migration failure for Tivoli Key Lifecycle Manager . . . 64
    Migration recovery script for Tivoli Key Lifecycle Manager . . . 65
    Enabling automatic start for DB2 . . . 66
    Migration properties file . . . 66
Chapter 9. Post-installation steps . . . 69
    Services, ports, and processes . . . 69
    Post-installation security . . . 71
        Response file security . . . 71
        Specifying a certificate for browser access . . . 71
        Changing the WebSphere Application Server keystore password . . . 72
        Tivoli Integrated Portal security . . . 73
    Handling installation errors . . . 73
    Enabling automatic services . . . 74
    Setting the session timeout interval . . . 76
    Setting the maximum transaction timeout . . . 77
    Using the correct version of DB2 after migration . . . 77
    Changing the DB2 server host name . . . 78
    Changing an existing Tivoli Integrated Portal Server host name . . . 78
    Stopping the DB2 server . . . 80
    Configuring SSL . . . 80
    Determining the current port number . . . 82
    Verifying the installation . . . 82
    Enabling scripting settings for Internet Explorer Version 7 and 8 . . . 83
    Starting and stopping the Tivoli Key Lifecycle Manager server on distributed systems . . . 83
        Enabling global security . . . 84
        Disabling global security . . . 84
Appendix A. Preinstallation worksheets . . . 87
    General installation parameters . . . 87
    DB2 configuration parameters . . . 87
    Tivoli Integrated Portal configuration parameters . . . 88
Appendix B. Sample response files . . . 91
    New installation of Version 2 on Windows systems . . . 91
    New installation of Version 2 on systems such as Linux or AIX . . . 93
    Version 1 to Version 2 migration on Windows systems . . . 95
    Version 1 to Version 2 migration on systems such as Linux or AIX . . . 97
    Uninstall on Windows systems . . . 98
    Uninstall on systems such as Linux or AIX . . . 99
Appendix C. Installation error messages . . . 101
    Installation process exit codes . . . 101
    Message syntax . . . 102
    Error and warning messages . . . 102
Appendix D. Installation and migration log files . . . 113
    Background information . . . 113
    Important log files . . . 113
    Which log file to use first . . . 114
    Log file names and locations . . . 114
    Migration log file names and location . . . 117
    Examining an error log file . . . 118
    Other information to gather . . . 118
Notices . . . 121
    Trademarks . . . 122
Index . . . 125
Glossary . . . 131

Figures

1. Main components on Windows systems and systems such as Linux or AIX . . . 2

Tables

1. HOME and other directory variables . . . xiii
2. Hardware requirements for Windows systems . . . 5
3. Hardware requirements for systems such as Linux and AIX . . . 6
4. Operating system requirements . . . 8
5. Supported browsers . . . 12
6. Summary of supported keystore types . . . 12
7. Supported key sizes and keystore types . . . 13
8. Administrator user IDs and passwords . . . 14
9. Permissions for actions . . . 18
10. Device groups . . . 18
11. General installation parameters . . . 87
12. DB2 configuration parameters . . . 87
13. Tivoli Integrated Portal configuration parameters . . . 88
14. Installation process exit codes . . . 101
15. Location of installation log files on distributed systems . . . 115
16. Location of migration log files on distributed systems . . . 117
Preface
This guide describes how to install and configure IBM Tivoli Key Lifecycle
Manager.

What is new in version 2

Tivoli Key Lifecycle Manager enables you to locally create, distribute, back up, archive, and manage the life cycle of keys and certificates in your enterprise.

Major new function in version 2 of Tivoli Key Lifecycle Manager includes:

• Role-based access control that provides permissions to do tasks such as create, modify, and delete for specific device groups. Most permissions are associated with specific device groups.
• Support for devices that use the industry-standard Key Management Interoperability Protocol (KMIP) for encryption of stored data and the corresponding cryptographic key management.
• Support for devices that use Internet Key Exchange (IKEv2-SCSI) Version 1 for secure interchange of keys between cryptographic units.

  Note: Tivoli Key Lifecycle Manager does not support IKEv2-SCSI if you use the Federal Information Processing Standard (FIPS). If your system uses IKEv2-SCSI, do not specify a value of on for the fips property that Tivoli Key Lifecycle Manager provides.
• Serving symmetric keys to DS5000 storage servers. Tivoli Key Lifecycle Manager provides administration and ongoing maintenance of keys served to DS5000 storage servers, and restricts the set of machines with which a device such as a disk drive can be associated. You can associate a device with an existing machine in the Tivoli Key Lifecycle Manager database.
• Additional device support:
  – Emulex: the ONESECURE device group, which is a device group in the DS5000 device family. The ONESECURE device group supports the OneCommand Guardian (part number 2Port-02-100) with OneSecure HBAs using a prefix that starts with LPSe12002.
  – Brocade: the BRCD_ENCRYPTOR device group, which is a device group in the LTO device family. The BRCD_ENCRYPTOR device group supports these devices:
    - IBM System Storage SAN32B-E4 (2498-E32), a stand-alone appliance
    - FC: 3895 - Encryption Blade
• Usability changes:
  – The tklmKeyExport command now requires a password, which protects the PKCS#12 file to which the private key and certificate are exported.

    Note: If you migrate data from Tivoli Key Lifecycle Manager Version 1, any scripts or applications that you previously used to automate key export require modification to specify a password.
  – Support for auto-pending requests. Three modes are available to add new devices: added automatically, added pending approval from an administrator, or manually added.
  – Creating additional device groups from a predefined set of device group families, new in this release. Categorize and identify device groups based on use by a division within the company, or by the manufacturer. Different device groups can each have their own administrator by using the role-based access control function.
  – Support for variable-length serial numbers for LTO tape drives and DS5000 storage servers.
  – Concurrent administration of Tivoli Key Lifecycle Manager, with simultaneous access by multiple Tivoli Key Lifecycle Manager administrators.
  – Managing trusted certificates for secure communication. Server certificates and client certificates can be enabled for devices that use the SSL, Internet Key Exchange, or Key Management Interoperability Protocol protocols.
  – An additional certificate for DS8000 Turbo drives. Optionally specify a second certificate that the storage image might use.
  – Simplified use of DB2®. DB2 is started automatically during Tivoli Key Lifecycle Manager installation.
  – Additional Welcome page status information in the graphical user interface, including pending device requests, key groups and certificates, and the status of configured protocols.
  – On Windows systems, a link from the Start menu to the Web interface. On systems such as Linux or AIX, an HTML file with a link to the Web interface.

Intended audience
This information is designed for the system and security administrators in an organization that uses Tivoli Key Lifecycle Manager.

Readers are expected to understand system and security administration concepts. Additionally, readers must understand administration concepts for these types of products:
• Database servers
• Web application servers

Publications
Read the descriptions of the product library and the related publications to
determine which publications you might find helpful. After you determine the
publications you need, see the instructions for accessing publications online.

Tivoli Key Lifecycle Manager library

You can obtain the product documentation from the IBM Tivoli Key Lifecycle Manager Information Center. The information center is available at http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.tklm.doc_2.0/welcome.htm.

The following information is also provided:
• IBM Tivoli Key Lifecycle Manager Quick Start Guide, GI11-8738-01
• IBM Tivoli Key Lifecycle Manager Installation and Configuration Guide, SC27-2741-00

You can also locate publications at http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.

Related publications
You can obtain related publications from these IBM® Web sites.
• The Tivoli Integrated Portal information center is available at http://publib.boulder.ibm.com/infocenter/tivihelp/v15r1/topic/com.ibm.tip.doc/welcome_tip_ic.htm.
• The Tivoli® Software Library provides a variety of Tivoli publications such as white papers, data sheets, demonstrations, IBM Redbooks®, and announcement letters. The Tivoli Software Library is available on the Web at http://publib.boulder.ibm.com/tividd/td/tdprodlist.html.
• The IBM Terminology Web site consolidates the terminology from IBM product libraries in one convenient location. You can access the Terminology Web site at http://www.ibm.com/software/globalization/terminology.

Accessing publications online

The publications for this product are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both, in the Tivoli software library.

The Tivoli software library is located at http://publib.boulder.ibm.com/tividd/td/tdprodlist.html.

To locate product publications in the library, click the first letter of the product name or scroll until you find the product name. Click the product name. Product publications can include release notes, installation guides, user's guides, administrator's guides, and developer's references.

IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli Documentation Central Web site at http://www.ibm.com/tivoli/documentation.

Note: To ensure proper printing of PDF publications, select the Fit to page check box in the Adobe Acrobat Print window (which is available when you click File → Print).

You can also locate publications at http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.

Ordering publications
You can order many Tivoli publications online or by telephone.

You can order publications from http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.

You can also order by telephone by calling one of these numbers:
• In the United States: 800-879-2755
• In Canada: 800-426-4968

In other countries, see the Web site http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.

Tivoli technical training

For Tivoli software training information, see the IBM Tivoli Education Web site at http://www.ibm.com/software/tivoli/education/.

Tivoli user groups

Tivoli user groups are independent, user-run membership organizations that provide Tivoli users with information to assist them in the implementation of Tivoli Software solutions. Through these groups, members can share information and learn from the knowledge and experience of other Tivoli users. Tivoli user groups include the following members and groups:
• 23,000+ members
• 144+ groups
Access the link for the Tivoli Users Group at www.tivoli-ug.org.

Support information
If you have a problem with your IBM software, you want to resolve it quickly.

About this task

To obtain the support you need online, go to the IBM Software Support site at
http://www.ibm.com/software/support/probsub.html and follow the instructions.

Conventions used in this information

This information uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions
This information uses these typeface conventions.

Bold
    • Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
    • Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets)
    • Keywords and parameters in text
Italic
    • Words defined in text
    • Emphasis of words (words as words)
    • New terms in text (except in a definition list)
    • Variables and values you must provide
Monospace
    • Examples and code examples
    • File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
    • Message text and prompts addressed to the user
    • Text that the user must type
    • Values for arguments or command options

Definitions for HOME and other directory variables

The following table contains default definitions that are used in this information to represent the HOME directory level for various product installation paths.

You can customize the HOME directory for your specific implementation. Make the appropriate substitution for the definition of each variable represented in this table.

The default value of path varies for these operating systems, called distributed systems for ease of reference. The term "distributed systems" refers to non-mainframe hardware platforms, including personal computers and workstations.
• For Windows systems, the default path is:
  – DB2: drive:\Program Files
  – All applications other than DB2: drive:\
• For Linux, Solaris, and AIX systems, /opt is the default path.

Table 1. HOME and other directory variables

DB_HOME
    The directory that contains the DB2 application for Tivoli Key Lifecycle Manager.
    Windows systems: drive:\Program Files\IBM\db2tklmV2
    AIX and Linux systems: /opt/IBM/db2tklmV2

DB_INSTANCE_HOME
    The directory that contains the DB2 database instance for Tivoli Key Lifecycle Manager.
    Windows systems: drive:\db2adminID. For example, if the value of drive is C: and the default DB2 administrator is tklmdb2, DB_INSTANCE_HOME is C:\TKLMDB2.
    Linux and AIX® systems: /home/db2adminID
    Solaris systems: /export/home/db2adminID

TIP_HOME
    The Tivoli Integrated Portal home directory. Do not embed spaces in the TIP_HOME installation path or directory name.
    Windows systems: drive:\IBM\tivoli\tiptklmV2
    Linux, AIX, and Solaris systems: path/IBM/tivoli/tiptklmV2, for example /opt/IBM/tivoli/tiptklmV2

TKLM_HOME
    The Tivoli Key Lifecycle Manager home directory.
    Windows systems: TIP_HOME\products\tklm
    Linux, AIX, and Solaris systems: TIP_HOME/products/tklm

TKLM_UNINSTALL_HOME
    The directory that contains the Tivoli Key Lifecycle Manager uninstallation program information.
    Windows systems: TIP_HOME\_uninst\TIPInstall
    Linux, AIX, and Solaris systems: TIP_HOME/_uninst/TIPInstall

Audit files
Tivoli Key Lifecycle Manager has a default directory for audit data. The location
depends on which operating system is used:
Distributed systems
In the TKLM_HOME/config/TKLMgrConfig.properties file, edit the
Audit.handler.file.name property to set this directory. The default is:
Audit.handler.file.name=logs/audit/tklm_audit.log
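An added example, not part of the IBM guide, that reads the Audit.handler.file.name property from TKLMgrConfig.properties, falls back to the documented default when the property is absent, and then checks whether the resulting log file is readable by other local users (audit records describe key and certificate operations and should not be world-readable). It assumes, which the guide does not state explicitly, that a relative property value is resolved against TKLM_HOME; the caller supplies TKLM_HOME.

```shell
# Added example, not from the IBM guide. Resolves the Tivoli Key Lifecycle
# Manager audit log path from TKLMgrConfig.properties and checks whether
# other local users can read it.
# Assumption (not stated by the guide): a relative Audit.handler.file.name
# value is taken relative to TKLM_HOME.

# Print the audit log path for the installation rooted at $1 (TKLM_HOME).
# $2 optionally overrides the properties file location.
tklm_audit_log_path() {
    home=$1
    props=${2:-$home/config/TKLMgrConfig.properties}
    val=""
    if [ -r "$props" ]; then
        # Java properties: '#' or '!' starts a comment; key and value are
        # separated by '='; blanks around the separator are not significant.
        val=$(awk -F= '
            /^[ \t]*[#!]/ { next }
            $1 ~ /^[ \t]*Audit\.handler\.file\.name[ \t]*$/ {
                sub(/^[^=]*=[ \t]*/, "")
                sub(/[ \t]+$/, "")
                v = $0
            }
            END { print v }' "$props")
    fi
    # The guide documents this value as the default.
    [ -n "$val" ] || val=logs/audit/tklm_audit.log
    case "$val" in
        /*) printf '%s\n' "$val" ;;
        *)  printf '%s\n' "$home/$val" ;;
    esac
}

# Exit 0 if "other" users can read or write $1, 1 if they cannot,
# 2 if the file does not exist.
audit_log_world_readable() {
    [ -e "$1" ] || return 2
    # In "ls -ld" output the mode string occupies columns 1-10;
    # columns 8-10 are the permission bits for "other".
    other=$(ls -ld "$1" | cut -c8-10)
    case "$other" in
        *r*|*w*) return 0 ;;
        *)       return 1 ;;
    esac
}
```

Run it as, for example, `audit_log_world_readable "$(tklm_audit_log_path /opt/IBM/tivoli/tiptklmV2/products/tklm)"`; an exit status of 0 means the audit log permissions need tightening.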

Chapter 1. Overview of the environment
Tivoli Key Lifecycle Manager delivers simplified key lifecycle management
capabilities in a solution that is easy to install, deploy, and manage.

This document focuses on the tasks that you must complete to install and
configure Tivoli Key Lifecycle Manager.

Features overview
Tivoli Key Lifecycle Manager enables you to manage the life cycle of the keys and certificates of an enterprise. You can manage symmetric keys, asymmetric key pairs, and certificates.

Tivoli Key Lifecycle Manager provides:

• Role-based access control that provides permissions to do tasks such as create, modify, and delete for specific device groups. Most permissions are associated with specific device groups.
• Support for devices that use the industry-standard Key Management Interoperability Protocol (KMIP) for encryption of stored data and the corresponding cryptographic key management.
• Support for devices that use Internet Key Exchange (IKEv2-SCSI) Version 1 for secure interchange of keys between cryptographic units.

  Note: Tivoli Key Lifecycle Manager does not support IKEv2-SCSI if you use the Federal Information Processing Standard (FIPS). If your system uses IKEv2-SCSI, do not specify a value of on for the fips property that Tivoli Key Lifecycle Manager provides.
• Serving symmetric keys to DS5000 storage servers. Tivoli Key Lifecycle Manager provides administration and ongoing maintenance of keys served to DS5000 storage servers, and restricts the set of machines with which a device such as a disk drive can be associated. You can associate a device with an existing machine in the Tivoli Key Lifecycle Manager database.
• A graphical user interface and a command-line interface to manage keys, certificates, and devices.
• Serving encrypted keys to one or more devices to which the Tivoli Key Lifecycle Manager server is connected.
• Storage of keys and certificates in a keystore, and of metadata about these keys and certificates in a database.
• Backup and restore to protect critical keystore and other Tivoli Key Lifecycle Manager data, such as the configuration files and current database information.
• Migration of an existing Tivoli Key Lifecycle Manager Version 1 or IBM Encryption Key Manager component for the Java Platform configuration during installation.
• Audit records based on selected events that occur as a result of successful operations, unsuccessful operations, or both. Installing or starting Tivoli Key Lifecycle Manager writes the build level to the audit log.
• Support for encryption-enabled 3592 tape drives and LTO tape drives, and also DS5000 storage servers and DS8000 Turbo drives.



Deployment
Deployment of Tivoli Key Lifecycle Manager consists of an installation process that
gathers information for database preparation, user ID configuration, and optional
data migration from the Encryption Key Manager.

Deployment on Windows and systems such as Linux or AIX


On Windows systems and other systems such as Linux or AIX, the Tivoli Key
Lifecycle Manager installation program deploys the Tivoli Key Lifecycle Manager
server and required middleware components on the same computer. You must
ensure that the computer has the required memory, speed, and available disk space
to meet the workload.

Tivoli Key Lifecycle Manager can run on a member server in a domain controller
environment, but is not supported on a primary or backup domain controller.

Figure 1. Main components on Windows systems and systems such as Linux or AIX

Installation overview
The major steps to install Tivoli Key Lifecycle Manager on distributed systems are:
1. Plan your installation and fill in the installation worksheet. See Chapter 2, “Planning the installation,” on page 5.
2. Install and configure Tivoli Key Lifecycle Manager. The installation falls into these phases:
   a. Introductory, including the Language Selection panel, the Introduction panel, and the License Agreement panel.
   b. DB2 installation, including panels that gather information used to install DB2. After you enter the information, the installation program installs DB2.
   c. Middleware installation, including panels that gather information used to install Tivoli Integrated Portal and embedded WebSphere® Application Server middleware. After you enter the information, the installation program installs the middleware. Tivoli Key Lifecycle Manager is installed during this phase.
3. Log in and verify the installation, resolving any problems. See “Login URL and initial user ID” on page 13 and “Verifying the installation” on page 82 for details.

Note: Installation might take more than an hour.



Installation images and fix packs
For distributed systems, obtain Tivoli Key Lifecycle Manager installation files and
fix packs by using the IBM Passport Advantage® Web site, or by another means,
such as a DVD as provided by your IBM sales representative.

The Passport Advantage Web site provides packages, referred to as eAssemblies, for various IBM products.

The IBM Tivoli Key Lifecycle Manager Installation and Configuration Guide provides
instructions for installing and configuring Tivoli Key Lifecycle Manager and the
prerequisite middleware products.

Preparing the installation package

For distributed systems, the installation package is available on a DVD, or as one or more compressed files that you download.

Installing from a DVD

To install from a DVD for distributed systems, take these steps:
1. Insert or mount the DVD, as required by the operating system.
2. Locate the installation scripts in the root directory of the DVD.

Installing from downloaded packages

The installation package files for distributed systems are archive files that contain the files used in the installation. Packages labeled "eImage <integer>" require assembly into a temporary installation directory on your computer. For example, a package label might be eImage 1. Paths to temporary installation directories cannot contain spaces or special characters.

To install from eImage images, follow these assembly steps:
1. Download the eImage package files to a convenient temporary directory.
2. Expand all the compressed files from the eImage packages into a different temporary directory.
   Windows systems:
       Unzip the first eImage package into a temporary subdirectory that matches the first eImage package name. Unzip subsequent packages into the subdirectory that matches the first eImage package name, not the subsequent package name.
       For example, using temporary directory C:\mytklmV2download, take these steps:
       a. First, unzip eImage package 1 into a subdirectory such as C:\mytklmV2download\CZJF3ML.
       b. Next, unzip package 2 into the same subdirectory that eImage package 1 created, which in this example is C:\mytklmV2download\CZJF3ML.
       c. Unzip subsequent packages into the eImage package 1 subdirectory, which in this example is C:\mytklmV2download\CZJF3ML.
   Linux systems:
       On Linux systems, the compressed files are expanded directly into the temporary directory without the addition of package names.
   AIX systems:
       On AIX systems, the compressed files are expanded directly into the temporary directory without the addition of package names. You must use a GNU tar utility to extract the eImage packages. Take these steps:
       a. Download and install the GNU tar utility from this address: ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/tar/tar-1.14-2.aix5.1.ppc.rpm
       b. Untar each package. For example, to untar a first eImage named CZJD7ML.tar, run this command:
          /usr/bin/gtar -xvf CZJD7ML.tar
       c. Repeat the command, specifying each of the additional eImages.
   Solaris systems:
       On Solaris systems, the compressed files are expanded directly into the temporary directory without the addition of package names. You must use a GNU tar utility to extract the eImage packages. Take these steps:
       a. You might already have the GNU tar package installed. Determine whether the utility is located at /usr/sfw/bin/gtar. To obtain more information about the package, run this command:
          pkginfo -l SUNWgtar
          If you need to download and install the GNU tar utility, access this Web site: http://www.sunfreeware.com/
       b. Untar each package. For example, to untar a first eImage named CZJE9ML.tar, run this command:
          /usr/sfw/bin/gtar -xvf CZJE9ML.tar
       c. Repeat the command, specifying each of the additional eImages.
3. Locate and run the installation files in the temporary directory into which you expanded the installation packages. For example, locate:
   • Windows systems: install.exe
   • Other systems: install.sh
   On some versions of the Linux operating system, you might see this error message when you start the installation program by using the install.sh command from the DVD:
   -bash: ./install.sh: /bin/sh: bad interpreter: Permission denied
   This occurs when the default automount settings mount the DVD with the noexec option. Change the mount options before you run the installation program. For example, type:
   mount -o remount,exec /media/TKLM_LINUX_Base
   Alternatively, copy the installation files to a local directory on a file system that is not mounted noexec, and run the installation program from there.
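The assembly steps above, as an added POSIX shell example that is not part of the IBM guide: it extracts every eImage package into one staging directory (subsequent packages go into the same directory as the first, as the guide requires), refuses any archive whose member paths are absolute or contain a ".." component so that an archive obtained from an untrusted mirror cannot write outside the staging directory, confirms that install.sh is present when assembly is complete, and reports whether the staging directory sits on a noexec mount, which is the cause of the "bad interpreter" error described above. It assumes a tar on PATH that accepts -C (GNU tar or gtar); the archive names are illustrative and the noexec check reads /proc/mounts, so it reports "unknown" on systems without it.

```shell
# Added example, not from the IBM guide: assemble downloaded eImage .tar
# packages into one staging directory with a path-safety check, then
# verify the installer is present and the directory is not on a noexec mount.
# Assumes a tar on PATH that accepts "-C dir"; package names are illustrative.

# Print the members of archive $1 whose paths would escape the destination:
# absolute paths, or any path containing a ".." component. Empty output
# means the archive is safe to extract with -C.
unsafe_members() {
    tar -tf "$1" | awk '
        /^\// { print; next }
        {
            n = split($0, p, "/")
            for (i = 1; i <= n; i++) if (p[i] == "..") { print; next }
        }'
}

# assemble_eimages STAGING_DIR PACKAGE.tar ...
# Extracts every package into STAGING_DIR (created if missing). Stops and
# returns 1 at the first missing or unsafe package, or if install.sh is
# absent after all packages are extracted.
assemble_eimages() {
    dest=$1; shift
    mkdir -p "$dest" || return 1
    for pkg in "$@"; do
        [ -f "$pkg" ] || { echo "missing package: $pkg" >&2; return 1; }
        if [ -n "$(unsafe_members "$pkg")" ]; then
            echo "refusing $pkg: member paths escape the staging directory" >&2
            return 1
        fi
        # All eImages land in the same directory, as the guide requires.
        tar -xf "$pkg" -C "$dest" || return 1
    done
    if [ ! -f "$dest/install.sh" ]; then
        echo "install.sh not found in $dest" >&2
        return 1
    fi
}

# mount_is_noexec DIR: prints "yes" (exit 0) if the longest matching mount
# point for DIR in /proc/mounts carries the noexec option, "no" (exit 1)
# otherwise, or "unknown" (exit 2) where /proc/mounts is unavailable.
mount_is_noexec() {
    [ -r /proc/mounts ] || { echo unknown; return 2; }
    dir=$(cd "$1" && pwd -P) || { echo unknown; return 2; }
    best=""; bestopts=""
    while read -r _dev mnt _fs opts _rest; do
        case "$dir" in
            "$mnt"|"${mnt%/}"/*)
                if [ ${#mnt} -gt ${#best} ]; then best=$mnt; bestopts=$opts; fi ;;
        esac
    done < /proc/mounts
    case ",$bestopts," in
        *,noexec,*) echo yes; return 0 ;;
        *)          echo no;  return 1 ;;
    esac
}
```

Typical use is `assemble_eimages /tmp/tklmV2 CZJD7ML.tar CZJD8ML.tar && mount_is_noexec /tmp/tklmV2`; a "yes" from the second call means the install.sh step will fail with the bad interpreter error until the files are moved or the mount is changed.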



Chapter 2. Planning the installation
Before installing Tivoli Key Lifecycle Manager, follow these steps:
v Use the worksheet in Appendix A, “Preinstallation worksheets,” on page 87 to
assist with your planning.
v Determine the Tivoli Key Lifecycle Manager topology, described in
“Deployment” on page 2.
v Ensure that the system meets hardware requirements. For more information, see
– “Hardware requirements for distributed systems”
v Ensure that the operating system is at the correct level, with all the required
patches in place. See “Operating system requirements” on page 8 for information
on required operating system versions.
v Ensure that kernel settings are correct for those operating systems, such as the
Solaris operating system, that require updating. See “DB2 kernel settings” on
page 10 for details.
v If you intend to use your own previously installed version of DB2, ensure that
the copy of DB2 is at the required software level. See “Software prerequisites”
on page 9 for information on supported versions of DB2.
v Determine if you want to migrate the configuration from an earlier version of
Encryption Key Manager. For more information, see Chapter 3, “Migration
planning,” on page 21.

Note: On distributed systems, the only opportunity to migrate an Encryption
Key Manager configuration to Tivoli Key Lifecycle Manager is during
installation.
v On distributed systems, decide what installation mode you want to use to install
Tivoli Key Lifecycle Manager: graphical mode, console mode, or silent mode. See
Chapter 4, “Types of installation,” on page 35 for a description of the installation
modes.

Hardware requirements for distributed systems


You must ensure that the computer has the required memory, processor speed, and
available disk space to meet the workload.

Table 2 lists hardware requirements for Windows systems:


Table 2. Hardware requirements for Windows systems
System component | Minimum values* | Typical values**
System memory (RAM) | 4 GB | 4 GB
Processor speed | 2.66 GHz single processor | 3.0 GHz dual processors
Disk space free in the Windows drive that contains the temporary file system location (C:\Documents and Settings\admin_user_name\Local Settings\Temp) | 600 MB | 2 GB
Disk space free in the Windows drive where DB2 will be installed. By default, the directory is drive\Program Files\IBM\db2tklmV2. | 700 MB | 1 GB
Disk space free on the Windows system drive (usually C:\) for installation of the Deployment Engine | 300 MB | 1 GB
Disk space free on the Windows system drive (by default C:\) where the DB2 instance for Tivoli Key Lifecycle Manager will be created. | 1400 MB | 2 GB
Disk space free for the core product Tivoli Key Lifecycle Manager and Tivoli Integrated Portal. By default, the directory is C:\Program Files\ibm\tivoli\tiptklmV2. | 2 GB | 5 GB
Disk space required for the keystore | 200 MB | 400 MB
All file systems must be writable.

* Minimum values: These values enable a basic use of Tivoli Key Lifecycle Manager.

** Typical values: You might need to use larger values that are appropriate for your
production environment. The most critical requirements are to provide adequate system
memory, and free disk and swap space. Processor speed is less important.

Installing into mapped network drives is not supported.

If installation locations of more than one system component fall on the same Windows
drive, the cumulative space required to contain all those components must be available in
that drive.

Table 3 lists hardware requirements for systems such as Linux and AIX:
Table 3. Hardware requirements for systems such as Linux and AIX
System component | Minimum values* | Typical values**
System memory (RAM) | 4 GB | 4 GB
Processor speed | Linux on distributed systems: 2.66 GHz single processor; AIX and Sun Solaris systems: 1.5 GHz (2-way) | Linux on distributed systems: 3.0 GHz dual processors; AIX and Sun Solaris systems: 1.5 GHz (4-way)
Disk space free in the partition that contains the temporary file system location (usually /tmp) | 700 MB | 2 GB
Disk space free in the partition where DB2 is installed. By default, the directory is /opt/IBM/db2tklmV2. | Linux systems: 800 MB; AIX and Sun Solaris systems: 1300 MB | Linux systems: 1 GB; AIX and Sun Solaris systems: 2 GB
Disk space free for installation of the Deployment Engine in the /usr/ibm/common/acsi directory | 700 MB | 2 GB
Disk space free in the partition where the DB2 instance home for the Tivoli Key Lifecycle Manager DB2 administrator user is created. By default, the directory is /home/tklmdb2 on Linux and AIX systems and /export/home/tklmdb2 on Solaris systems. | 1700 MB | 3 GB
Disk space free where the core product (Tivoli Key Lifecycle Manager and Tivoli Integrated Portal) is installed. By default, the directory is path/IBM/tivoli/tiptklmV2. | 2 GB | 5 GB
Disk space required for the keystore | 200 MB | 400 MB
All file systems must be writable.

* Minimum values: These values enable a basic use of Tivoli Key Lifecycle Manager.

** Typical values: You might need to use larger values that are appropriate for your
production environment. The most critical requirements are to provide adequate system
memory, and free disk and swap space. Processor speed is less important.

Installing into mounted partitions is not supported.

If installation locations of more than one system component fall on the same UNIX
partition, the cumulative space required to contain all those components must be available
in that partition.

Operating system requirements
For each operating system that Tivoli Key Lifecycle Manager server runs on, there
is a minimum version level required.

Table 4 identifies the operating systems requirements for installation:


Table 4. Operating system requirements
Operating system | Use DB2 Workgroup Server Edition
AIX Version 5.3 64-bit (in 32-bit mode) and Version 6.1 (in 32-bit mode; POWER7 servers are not supported) | Version 9.7 with Fix Pack 2
v For both versions, a 64-bit AIX kernel is required.
v For Version 5.3, use Technology Level 9 and Service Pack 2. The minimum C++ runtime level requires the xlC.rte 9.0.0.8 and xlC.aix50.rte 9.0.0.8 (or later) filesets. These filesets are included in the June 2008 IBM® C++ Runtime Environment Components for AIX package.
v For Version 6.1, use AIX 6.1 Technology Level 2. The minimum C++ runtime level requires the xlC.rte 9.0.0.8 and xlC.aix61.rte 9.0.0.8 (or later) filesets. These filesets are included in the June 2008 IBM C++ Runtime Environment Components for AIX package.
Sun Server Solaris 9 (SPARC 64-bit in 32-bit mode) | Version 9.7 with Fix Pack 2
Apply patches 111711-12 and 111712-12. If raw devices are used, apply patch 122300-11.
Note: Tivoli Key Lifecycle Manager runs in a 32-bit JVM.
Sun Server Solaris 10 (SPARC 64-bit in 32-bit mode) | Version 9.7 with Fix Pack 2
If raw devices are used, apply patch 125100-07.
Note: Tivoli Key Lifecycle Manager runs in a 32-bit JVM.
Windows Server 2003 R2 (all Intel and AMD processors) for Standard Edition and Enterprise Edition | Version 9.7 with Fix Pack 2
Tivoli Key Lifecycle Manager can run on a member server in a domain controller environment, but is not supported on a primary or backup domain controller.
Windows Server 2008 (32-bit and also 64-bit in 32-bit mode for all Intel and AMD processors) including Standard Edition and Enterprise Edition | Version 9.7 with Fix Pack 2
Windows Server 2008 R2 (64-bit in 32-bit mode for all Intel and AMD processors) including Standard Edition and Enterprise Edition | Version 9.7 with Fix Pack 2
Red Hat Enterprise Linux AS Version 4.0 on x86 32-bit | Version 9.5 with Fix Pack 4 or a higher fix pack
Red Hat Enterprise Linux Version 5.0 update 2 on x86 32-bit and also 64-bit in 32-bit mode | Version 9.7 with Fix Pack 2
SuSE Linux Enterprise Server Version 9 on x86 (32-bit) | Version 9.5 with Fix Pack 4 or a higher fix pack
SuSE Linux Enterprise Server Version 10 Service Pack 2 on x86 (32-bit and 64-bit in 32-bit mode) and Version 11 (32-bit and 64-bit in 32-bit mode) | Version 9.7 with Fix Pack 2

Linux packages
On Linux platforms, Tivoli Key Lifecycle Manager requires the
compat-libstdc++-33-3.2.3-61 or later package. It also requires the libaio
package, which contains the asynchronous library required for DB2 database
servers.
v libstdc package
To determine if you have the package, run this command:
rpm -qa | grep -i "libstdc"

If the package is not installed, locate the rpm file on your original installation
media and install it:
find installation_media -name compat-libstdc++*
rpm -ivh full_path_to_compat-libstdc++_rpm_file
v libaio package
To determine if you have the package, run this command:
rpm -qa | grep -i "libaio"

If the package is not installed, locate the rpm file on your original installation
media and install it:
find installation_media -name libaio*
rpm -ivh full_path_to_libaio_rpm_file

Disabling Security Enhanced Linux


Tivoli Key Lifecycle Manager problems occur on Linux operating systems if the
Security Enhanced Linux (SELINUX) setting is enabled.

For example, a problem might occur with TCP/IP connections on Tivoli Key
Lifecycle Manager server ports. To disable Security Enhanced Linux, take these
steps after you install the Linux operating system:
1. Edit the /etc/selinux/config file and set SELINUX=disabled.
2. Reboot the system to make the change effective.
3. Ensure that SELinux is disabled by running sestatus from the command line:
[root@localhost ~]$ sestatus
SELinux status: disabled
4. Install Tivoli Key Lifecycle Manager.
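The Linux planning items above (the rule after Table 3 that components sharing a partition need their cumulative space, the compat-libstdc++-33 and libaio package checks, and the SELinux status check) collected into one preinstallation script, as an added example that is not part of the IBM guide. The mount_of helper, the /opt/IBM location assumed for the core product, and the sample inputs in the comments are assumptions; the required sizes are the Linux minimum values from Table 3.

```shell
#!/bin/sh
# Added preinstallation check for the Linux planning items of this chapter
# (example code, not from the IBM guide). Each check takes its input as text,
# so it can be exercised against constructed samples; run_checks feeds the
# checks with live command output.

# packages_present RPM_LIST PATTERN...
# Succeeds when every pattern (for example compat-libstdc++-33 and libaio)
# matches a line of an `rpm -qa` listing; missing packages are printed.
packages_present() {
    rpm_list=$1
    shift
    missing=0
    for pkg in "$@"; do
        if printf '%s\n' "$rpm_list" | grep -qi -- "$pkg"; then
            printf 'found package: %s\n' "$pkg"
        else
            printf 'missing package: %s\n' "$pkg"
            missing=1
        fi
    done
    return $missing
}

# selinux_disabled SESTATUS_OUTPUT
# Succeeds only when the `sestatus` output reports "SELinux status: disabled".
selinux_disabled() {
    printf '%s\n' "$1" | grep -q '^SELinux status:[[:space:]]*disabled$'
}

# cumulative_space_ok DF_LINES REQ_LINES
# DF_LINES:  one "mount_point available_kb" pair per line (from df -kP)
# REQ_LINES: one "component mount_point required_mb" triple per line
# Adds up the space of every component that lands on the same partition and
# fails if any partition has less free space than that total.
cumulative_space_ok() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NF == 2 { avail[$1] = $2; next }
        NF == 3 { need[$2] += $3 * 1024; comps[$2] = comps[$2] " " $1 }
        END {
            ok = 1
            for (m in need) {
                if (need[m] > avail[m] + 0) {
                    printf "%s: %d MB needed for%s, %d MB free\n", m, need[m] / 1024, comps[m], avail[m] / 1024
                    ok = 0
                }
            }
            exit ok ? 0 : 1
        }'
}

# mount_of PATH: mount point of the nearest existing ancestor of PATH
# (the installation directories usually do not exist yet).
mount_of() {
    p=$1
    while [ ! -d "$p" ] && [ "$p" != / ]; do p=$(dirname "$p"); done
    df -kP "$p" | awk 'NR == 2 { print $6 }'
}

# run_checks: live version using the Linux minimum values from Table 3 and
# the default directories named there (path/ for the core product is
# assumed to be /opt/IBM).
run_checks() {
    status=0
    packages_present "$(rpm -qa)" 'compat-libstdc++-33' 'libaio' || status=1
    selinux_disabled "$(sestatus 2>/dev/null)" || { echo 'SELinux is not disabled'; status=1; }
    df_lines=$(df -kP / /tmp /opt /usr /home | awk 'NR > 1 { print $6, $4 }')
    req_lines="tmp $(mount_of /tmp) 700
db2 $(mount_of /opt/IBM/db2tklmV2) 800
deployment_engine $(mount_of /usr/ibm/common/acsi) 700
db2_instance_home $(mount_of /home/tklmdb2) 1700
core_product $(mount_of /opt/IBM/tivoli/tiptklmV2) 2048"
    cumulative_space_ok "$df_lines" "$req_lines" || status=1
    return $status
}

# Invoke as `sh preflight.sh --run` on the target system as root.
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```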

Software prerequisites
Tivoli Key Lifecycle Manager uses several support and middleware programs.
v “Java Runtime Environment (JRE) requirements” on page 10
v “Runtime environment requirements” on page 11
v “Tivoli Integrated Portal requirement” on page 11
v “Database authority and requirements”
v A supported browser, which is not included with the product installation

On distributed systems, Tivoli Key Lifecycle Manager installs the middleware that
it uses. If you have DB2 already installed on the system, see the details in
“Database authority and requirements.”

Java Runtime Environment (JRE) requirements


The Tivoli Key Lifecycle Manager requirement for a version of Java Runtime
Environment depends on which operating system is used.
On distributed systems:
IBM Java Runtime Environment that is included with embedded
WebSphere Application Server.

On all systems, use of an independently installed development kit for Java, from
IBM or other vendors, is not supported.

Database authority and requirements


The Tivoli Key Lifecycle Manager requirement for a database depends on which
operating system is used.
v Distributed systems:
DB2 Workgroup Server Edition on the same computer on which the Tivoli Key
Lifecycle Manager server runs:
– Version 9.5 with Fix Pack 4 or a higher fix pack on SuSE Linux Enterprise
Server Version 9 and on Red Hat Enterprise Linux AS Version 4.0.
– Version 9.7 with Fix Pack 2 on other distributed operating systems that Tivoli
Key Lifecycle Manager supports.

Note:
- You must use Tivoli Key Lifecycle Manager to manage the database. To
avoid data synchronization problems, do not use tools that the database
application might provide.
- For improved performance of DB2 Version 9.7 on AIX systems, ensure that
you install and configure the I/O completion ports (IOCP) package that is
described here:
http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=/com.ibm.db2.luw.admin.perf.doc/doc/t0054518.html
- If an existing copy of DB2 Workgroup Server Edition was installed as the
root user at the correct version for the operating system, you can use the
existing DB2 Workgroup Server Edition. Tivoli Key Lifecycle Manager
installation does not detect the presence of DB2 that was preinstalled as a
non-root user and does not support non-root installation of DB2.

For more information on DB2 prerequisites, see http://www.ibm.com/software/data/db2/9/sysreqs.html

DB2 kernel settings


Ensure that kernel settings are correct for those operating systems, such as the
Solaris operating system, that require updating.

Before installing the application, see the DB2 documentation on these Web sites for
these additional kernel settings:

AIX systems
None required.
Linux systems
v Modifying kernel parameters for DB2 Workgroup Server Edition
Version 9.5 on SuSE Linux Enterprise Server Version 9 and Red Hat
Enterprise Linux AS Version 4.0:
http://publib.boulder.ibm.com/infocenter/db2luw/v9r5/topic/com.ibm.db2.luw.qb.server.doc/doc/t0008238.html
v Modifying kernel parameters for DB2 Workgroup Server Edition
Version 9.7 on other supported Linux systems:
http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=/com.ibm.db2.luw.qb.server.doc/doc/t0008238.html
Solaris systems
http://publib.boulder.ibm.com/infocenter/db2luw/v9/topic/com.ibm.db2.udb.uprun.doc/doc/t0006476.htm
Windows systems
None required.

Runtime environment requirements


The Tivoli Key Lifecycle Manager requirement for a runtime environment depends
on which operating system is used.
On distributed systems:
embedded WebSphere Application Server 6.1.0.29 and any applicable fix
pack or APAR requirements.
WebSphere Application Server Version 6.1 is not supported.

Tivoli Integrated Portal requirement


The requirement for a version of Tivoli Integrated Portal depends on which
operating system or required prerequisite Tivoli Key Lifecycle Manager uses.
v Distributed systems: Tivoli Integrated Portal Version 1.1.1.11
Tivoli Key Lifecycle Manager includes and installs Tivoli Integrated Portal.
During installation, Tivoli Key Lifecycle Manager makes modifications to Tivoli
Integrated Portal that might cause problems with products that use the same
Tivoli Integrated Portal when you uninstall Tivoli Key Lifecycle Manager. To
avoid these issues:
– Do not install Tivoli Key Lifecycle Manager in a Tivoli Integrated Portal
instance that another product provides.
– Do not install another product in the instance of Tivoli Integrated Portal that
Tivoli Key Lifecycle Manager provides.

Browser requirements
The following table lists the browsers and browser versions that are supported by
Tivoli Key Lifecycle Manager.

Session cookies and JavaScript must be enabled in the browser to establish a
session with Tivoli Key Lifecycle Manager.

Supported browsers are not included with the product installation. Except for AIX
systems, a browser can be deployed on the same or a different computer on which
Tivoli Key Lifecycle Manager runs. There are no supported browsers that run on
AIX systems, as described in Table 5.
Table 5. Supported browsers (platforms: AIX, Sun Server Solaris SPARC, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Red Hat Enterprise Linux, SuSE Linux Enterprise Server)
Browser | Fix pack | AIX
Microsoft Internet Explorer, Version 7.0 | None | Deploy a remote browser on a separate machine.
Microsoft Internet Explorer, Version 8.0 in compatibility mode | None | Deploy a remote browser on a separate machine.
Firefox Version 3.0.x (Note: Version 3.5 and above are not supported.) | None | Deploy a remote browser on a separate machine.

Keystore type and key size requirements


You must consider the requirements for a specific keystore type and key sizes
before you install and configure Tivoli Key Lifecycle Manager.

Tivoli Key Lifecycle Manager supports these keystore types:


v JCEKS (JCE software provider)
Use this keystore type if you are using only Java software. Ensure that the flat
file JCEKS keystore resides in a restricted area of the file system on the Tivoli
Key Lifecycle Manager system. Use a JCEKS keystore for all distributed
operating systems.

Table 6 lists the keystore types that Tivoli Key Lifecycle Manager supports.
Table 6. Summary of supported keystore types
Keystore: JCEKS
Operating system: all
Device groups: 3592 and DS8000 (store keypairs and certificates); DS5000, LTO, and BRCD_ENCRYPTOR (store symmetric keys); ONESECURE (store symmetric keys); 3592, DS8000, and LTO

Supported key sizes and import and export restrictions

Tivoli Key Lifecycle Manager can serve either 2048 or 1024-bit keys to devices.
Older keys that were generated as 1024-bit keys can continue to be used.

Table 7 on page 13 lists the supported key sizes for each keystore type that Tivoli
Key Lifecycle Manager supports.

Table 7. Supported key sizes and keystore types
Keystore type | Import PKCS#12 file | Export PKCS#12 file | Key generation size in bits
JCEKS | Yes | Yes | 2048

Access requirements
Installing Tivoli Key Lifecycle Manager requires local administrator authorization
or access that depends on the operating system. Do not use a domain user ID to
install Tivoli Key Lifecycle Manager.
Windows systems:
You must have Administrator access to install Tivoli Key Lifecycle
Manager.
AIX, Linux, and Solaris systems:
You must have root access to install Tivoli Key Lifecycle Manager.

Login URL and initial user ID


To get started after installing Tivoli Key Lifecycle Manager, you must know the
login URL and the initial Tivoli Key Lifecycle Manager administrator user ID and
password.

Login URL

The login URL enables you to access the Tivoli Key Lifecycle Manager Web
interface. The login URL for the Tivoli Key Lifecycle Manager administrative
console is:
https://ip-address:port/ibm/console

The value of ip-address is an IP address or DNS address of the Tivoli Key Lifecycle
Manager server.

On systems such as AIX or Linux, the login URL and installed port numbers are
stored in the TIP_HOME/etc/tklmadmin.html file that you can load in your browser.
On Windows systems, the information is on the start menu. Click Start > All
Programs > Tivoli Key Lifecycle Manager 2.0 > Tivoli Integrated Portal.

For example:
v Distributed systems:
https://strawberry.mylab.mycity.mycompany.com:16316/ibm/console
http://strawberry.mylab.mycity.mycompany.com:16310

If you use an https address, the default value of the port is:
v Distributed systems:
16316. If you use http, the default port is 16310. Use an address like this
example:
http://strawberry.mylab.mycity.mycompany.com:16310
Do not use a port value greater than 65520.
The default port on the WebSphere Application Server information panel
continues to be 16310. In the case of migration, or if the default port has a
conflict for other reasons, Tivoli Integrated Portal automatically selects another
free port.

The installation complete panel indicates the port that is configured for Tivoli
Integrated Portal. The Windows start menu contains an entry to connect to the
Tivoli Integrated Portal using the correct port number. For systems such as
Linux or AIX, the TIP_HOME/etc/tklmadmin.html file is installed containing the
URL with the port number to which Tivoli Integrated Portal and Tivoli Key
Lifecycle Manager are deployed.

Administrator user IDs and passwords

Installing Tivoli Key Lifecycle Manager provides default administrator user IDs of
TIPAdmin, TKLMAdmin, and tklmdb2.
Table 8. Administrator user IDs and passwords

Distributed systems

For distributed platforms, installation must be performed by a local administrative ID, which is root for AIX or
Linux systems or a member of the Administrators group on Windows systems. Do not use a domain user ID to
install Tivoli Key Lifecycle Manager.

You might have one or more of these user IDs:

Program: Tivoli Key Lifecycle Manager administrator
User ID: TKLMAdmin. As the primary administrator with full access to all operations, this user ID has the klmSecurityOfficer super user role, in the group that is named klmSecurityOfficerGroup. This user ID is not case-sensitive. Alternatively, use tklmadmin. Use the TKLMAdmin user ID to administer Tivoli Key Lifecycle Manager.
The TKLMAdmin user ID can:
v View and use the Tivoli Key Lifecycle Manager interface.
v Change the password for the Tivoli Key Lifecycle Manager administrator.
However, you cannot:
v Create one or more additional Tivoli Key Lifecycle Manager administrator user IDs.
v Do Tivoli Integrated Portal administrator tasks such as creating or assigning a role.
v Start or stop the server.
Password: Specify and securely store a password during installation.

Program: Tivoli Integrated Portal administrator
User ID: TIPAdmin. This user ID is not case-sensitive. Alternatively, use tipadmin or a user ID that you specify during installation.
Do not use the:
v TKLMAdmin user ID to administer Tivoli Integrated Portal.
v TIPAdmin user ID to administer Tivoli Key Lifecycle Manager. The TIPAdmin user ID has no roles to use Tivoli Key Lifecycle Manager.
This administrator user ID is the Tivoli Integrated Portal and WebSphere Application Server administrator user ID.
With the tipadmin user ID, you can:
v View and use only the Tivoli Integrated Portal interface.
v Create one or more additional Tivoli Key Lifecycle Manager administrator user IDs, groups, and roles.
v Reset the password of any Tivoli Key Lifecycle Manager user ID, including the TKLMAdmin administrator.
v Start and stop the server.
However, you cannot:
v Use the Tivoli Key Lifecycle Manager to complete tasks. For example, you cannot create Tivoli Key Lifecycle Manager device groups.
v Do other tasks that require access to Tivoli Key Lifecycle Manager data. The tipadmin user ID does not have access to Tivoli Key Lifecycle Manager data as a superuser.
Password: Specify and securely store a password during installation. Protect the TIPAdmin user ID in the same way that you protect the use of the TKLMAdmin user ID. The TIPAdmin user ID has authority to reset the TKLMAdmin password and to create and assign permissions to new Tivoli Key Lifecycle Manager users.

The Tivoli Key Lifecycle Manager DB2 database

Program: Instance owner of the database
User ID: Windows systems and systems such as AIX or Linux: The default value is tklmdb2. You might specify a different value during installation. The ID is the installation default user ID for the instance owner of the database.
Do not specify a user ID greater than eight characters in length.
The instance name is also tklmdb2.
If DB2 is on a system such as AIX or Linux, your user ID must be in the bin or root group, or in a separate group in which root is a member.
If you use an existing user ID as instance owner of the Tivoli Key Lifecycle Manager database, the user ID cannot own another database instance.
Note: Do not use a hyphen (-) or underscore character (_) when you specify a user ID for an existing copy of DB2.
Password: Specify and securely store a password during installation. This password is an operating system password. If you change the password on the operating system, you must change this password. For more information, see “Resetting a password on distributed systems” on page 48.

Program: Database instance
User ID: The administrator ID tklmdb2 owns a DB2 instance named tklmdb2.

Roles
Tivoli Key Lifecycle Manager provides a super user (klmSecurityOfficer) role and
the means to specify more limited administrative roles to meet the needs of your
organization. By default, the TKLMAdmin user ID has the klmSecurityOfficer role.

For backup and restore tasks, Tivoli Key Lifecycle Manager also installs the
klmBackupRestoreGroup to which no user IDs initially belong. Installing Tivoli
Key Lifecycle Manager creates predefined administrator, operator, and auditor
groups to manage LTO tape drives.

The TIPAdmin user ID has the authority to create and assign these roles, and to
change the password of any Tivoli Key Lifecycle Manager administrator. To set
administration limits for Tivoli Key Lifecycle Manager, use the TIPAdmin user ID
on the Tivoli Integrated Portal Console to create roles, users, and groups. Assign
roles and users to a group. For example, you might create a group and assign both
users and a role that limits user activities to administer only LTO tape drives. You
must assign a role to a new user before that user attempts to log in to Tivoli Key
Lifecycle Manager.

Before you begin:


v Determine the limits on device administration that your organization requires.
For example, you might determine that a specific device group has its own
administration.

v Estimate how many administrative users might be needed over an interval of
time. For ease of use, consider specifying a group and a role to specify their
tasks.
For example, you might specify a group that has a limited range of permissions
to manage only 3592 tape drives.

Available permissions
Installing Tivoli Key Lifecycle Manager creates the TKLMAdmin user ID, which
has the klmSecurityOfficer role as the default super user. The installation process
also deploys predefined permissions to the WebSphere Application Server list of
administrative roles.

A permission from Tivoli Key Lifecycle Manager enables an action or the use of a
device group. A role in Tivoli Key Lifecycle Manager is one or more permissions.
However, in the Tivoli Integrated Portal graphical user interface, the term role
includes both Tivoli Key Lifecycle Manager permissions and roles.

Note: Installation creates these default groups:
klmSecurityOfficerGroup
Installation assigns the klmSecurityOfficer role to this group. The
klmSecurityOfficer role replaces the previous klmApplicationRole role in
the group that was named klmGroup.
The klmSecurityOfficer role has:
v Root access to the entire set of permissions and device groups described
in Table 9 on page 18 and Table 10 on page 18.
v Permission to any role or device group that might be created.
v The suppressmonitor role.
The Tivoli Integrated Portal provides the suppressmonitor role to hide
tasks in the left pane of the Tivoli Integrated Portal Console that a Tivoli
Key Lifecycle Manager administrator does not use. Hidden items are
associated with the application server, including Tivoli Integrated Portal
administrative tasks in the Security, Troubleshooting, and Users and
Groups folders.
klmBackupRestoreGroup
Back up and restore Tivoli Key Lifecycle Manager.
LTOAdmin
Administer devices in the LTO device family with actions that include
create, view, modify, delete, get (export), back up, and configure.
LTOOperator
Operate devices in the LTO device family with actions that include create,
view, modify, and back up.
LTOAuditor
Audit devices in the LTO device family with actions that include view and
audit.

A user who has any one of the permissions in Table 9 on page 18 can view:
v Tivoli Key Lifecycle Manager global configuration parameters that are defined
in the TKLMgrConfig.properties file.
v The key server status and last backup date.

Table 9. Permissions for actions
Permission | Enables these actions
klmCreate | Create but not view, modify, or delete objects
klmDelete | Delete objects, but not view, modify, or create objects
klmGet | Export a key or certificate for a client device.
klmModify | Modify objects, but not view, create, or delete objects.
klmView | View objects, but not create, delete, or modify objects. For example, you must have this permission to see the tasks that you want to do on the graphical user interface.
klmAdminDeviceGroup | Administer (create a device group, set default parameters, view, delete an empty device group). This permission does not provide access to devices, keys, or certificates.
klmAudit | View audit data using the tklmServedDataList command
klmBackup | Create and delete a backup of Tivoli Key Lifecycle Manager data
klmConfigure | Read and change Tivoli Key Lifecycle Manager configuration properties, or act on SSL or IKEv2-SCSI certificates. Add, view, update, or delete the keystore.
klmRestore | Restore a previous backup copy of Tivoli Key Lifecycle Manager data

The klmSecurityOfficer role also has root access to permissions for all device
groups.
Table 10. Device groups
Permission | Allows actions on these objects
LTO | LTO device family
TS3592 | 3592 device family
DS5000 | DS5000 device family
DS8000 | DS8000 device family
BRCD_ENCRYPTOR | BRCD_ENCRYPTOR device group
ONESECURE | ONESECURE device group
GENERIC | Objects in the GENERIC device family.
userdevicegroup | A user-defined instance such as myLTO that you manually create, based on a predefined device family such as LTO.

Chapter 3. Migration planning
Before you install Tivoli Key Lifecycle Manager at this version, determine whether
you migrate a previous version of Tivoli Key Lifecycle Manager, or previous
configuration data from IBM Encryption Key Manager component for the Java
Platform.
v Tivoli Key Lifecycle Manager Version 1 at fix pack 3 or later.
Installing Version 2 of Tivoli Key Lifecycle Manager detects an earlier version of
Tivoli Key Lifecycle Manager, automatically migrates its data, and removes the
earlier version.
A failed migration of Tivoli Key Lifecycle Manager Version 1 retains a record of
successful migration steps. Running the migration recovery script starts at the
point in the migration process where the error occurred.
v Encryption Key Manager Version 2.1
Migration is enabled for Version 2.1, but not for earlier versions of Encryption
Key Manager. The only opportunity to migrate the configuration is during the
installation of Tivoli Key Lifecycle Manager, or immediately afterward, before
you change the Tivoli Key Lifecycle Manager configuration.
If Encryption Key Manager Version 2.1 migration fails, no data is migrated to
the Tivoli Key Lifecycle Manager database. Any changes that might have been
made are reversed.

If migration fails from the installer, you can manually run the Tivoli Key Lifecycle
Manager Version 2 migration utility from the TKLM_HOME\migration\bin directory
after exiting the install.
v Run migrate.bat or migrate.sh to migrate Encryption Key Manager Version 2.1
to Tivoli Key Lifecycle Manager. On systems such as Linux or AIX, ensure that
you are logged in as the root user before you run migrate.sh.
v Run migratetklm.bat or migratetklm.sh to migrate Tivoli Key Lifecycle Manager
Version 1 to Version 2. On systems such as Linux or AIX, ensure that you are
logged in as the root user before you run migratetklm.sh.

Do not run other *.bat utilities that you might see in this directory. The utilities are
for use only by the automatic installation process.

Before you migrate


Before you begin, ensure that your enterprise allows a time interval for a
temporary halt to key serving activity.

A window of time for testing is also required to ensure that the new Tivoli Key
Lifecycle Manager has the expected keys and other configuration attributes that
you intended to migrate.

Complete these preliminary tasks:

Disk space requirements


Before you migrate Tivoli Key Lifecycle Manager Version 1 to Tivoli Key Lifecycle
Manager Version 2, verify that there is sufficient disk space on your system.

These disk space requirements are in addition to the disk space requirements identified
by the installer for installing Tivoli Key Lifecycle Manager Version 2 and its
prerequisite software: Tivoli Integrated Portal Server and DB2 Version 9.7.

The additional disk space is needed because the migration program performs the
following tasks:
v Converts the Tivoli Key Lifecycle Manager database instance from DB2 Version
9.1 to the version of DB2 that is shipped with Tivoli Key Lifecycle Manager
Version 2.
v Converts the Tivoli Key Lifecycle Manager database from DB2 Version 9.1 to
DB2 Version 9.5 or 9.7.
v Upgrades the schema from Tivoli Key Lifecycle Manager Version 1 to Tivoli Key
Lifecycle Manager Version 2.
v Converts the metadata in the database from Tivoli Key Lifecycle Manager
Version 1 format to Tivoli Key Lifecycle Manager Version 2 format.

If you determine that disk space is not available, increase the disk space on the
partitions or the drive letters. You must identify the disk space requirements,
which includes identifying the number of keys and served data.

Identify disk space requirements

To identify disk space requirements, take these steps:


Windows systems
1. Identify the following properties in your current Tivoli Key Lifecycle
Manager Version 1 installation by displaying the contents of the file
%SYSTEMDRIVE%\tklmtemp\db2srcit.txt, for example with the type
command. The file contains entries such as:
v DB2ADMIN=tklmdb2
v DB2DBNAME=tklmdb
v DB2ADMINID=tklmdb2
v DB2PORTSTART=50010
v DB2INSTALLDIR=C:\IBM\tklmV2db2\
v INSTANCEHOME=C:
2. Identify the drive letter where the Tivoli Key Lifecycle Manager Version
1 database is located. This is the value of the INSTANCEHOME
property. Using Windows Explorer, identify the size of the folder that is
named TKLMDB2.

Note: Calculate that the additional space required for migration in the
drive containing the database is 3 times the size of the TKLMDB2 folder.
3. Identify the number of keys and device audit data by using the steps in
“Identify the number of keys and served data” on page 23. The
migration of keys and served data generates the log in the
V2_TKLM_HOME/logs folder.

Note: Calculate that the additional space required on the Windows
drive on which Tivoli Key Lifecycle Manager Version 2 is installed is
the sum of these two operations:
v Number of keys multiplied by 5 KB
v Number of served data multiplied by 1 KB



In a typical installation, the migration of other entities such as devices
and groups does not result in additional disk space requirements.
Systems such as Linux or AIX
1. Identify the following properties in your current Tivoli Key Lifecycle
Manager Version 1 installation by displaying the contents of the file
/tklmtemp/db2unix.srcit, for example with the cat command.
A typical file might contain these entries:
v export DB2ADMIN=tklmdb2
v export DB2DBNAME=tklmdb
v export INSTANCEHOME=/home/tklmdb2
2. Identify the home directory of the database owner by examining the
value of the INSTANCEHOME property. Type this command to
determine the disk space in the home directory:
du -k /home/tklmdb2/tklmdb2

Note:
Calculate that the additional space required for migration in the disk
partition containing the database is 3 times the size of the
/home/tklmdb2/tklmdb2 folder.
3. Identify the number of keys and device audit data by using the steps in
“Identify the number of keys and served data.” The migration of keys
and served data generates the log in the V2_TKLM_HOME/logs folder.

Note: Calculate that the additional space required in the disk partition
on the computer on which Tivoli Key Lifecycle Manager Version 2 is
installed is the sum of these two operations:
v Number of keys multiplied by 5 KB
v Number of served data multiplied by 1 KB
In a typical installation, the migration of other entities such as devices
and groups does not result in additional disk space requirements.

Identify the number of keys and served data

To identify the number of keys and served data, take these steps:
Windows systems
1. Type:
db2cmd
set DB2INSTANCE=tklmdb2
db2 connect to tklmdb user tklmdb2 using password
where:
tklmdb Identified by the DB2DBNAME property.
tklmdb2
Identified by the DB2ADMIN property.
password
Password for the database. If you omit the using password clause,
the DB2 command line prompts for the password, which keeps it out
of the command history.
2. Identify the number of keys to be migrated. Type:
db2 "SELECT COUNT(UUID) FROM KMT_KEY"
3. Identify the number of served data to be migrated. Type:
db2 "SELECT COUNT(*) FROM KMT_DEVAUDIT"



4. Exit the session. Type:
db2 terminate
Systems such as Linux or AIX
1. Type:
. ~tklmdb2/sqllib/db2profile
db2 connect to tklmdb user tklmdb2 using password
where:
tklmdb Identified by the DB2DBNAME property.
tklmdb2
Identified by the DB2ADMIN property.
password
Password for the database.
2. Identify the number of keys to be migrated. Type:
db2 "SELECT COUNT(UUID) FROM KMT_KEY"
3. Identify the number of served data to be migrated. Type:
db2 "SELECT COUNT(*) FROM KMT_DEVAUDIT"
4. Exit the session. Type:
db2 terminate

Example calculation

Assume that Tivoli Key Lifecycle Manager Version 2 is installed in the default
location /opt/IBM/tivoli/tiptklmV2 and that the disk partition is /opt. The home
directory of the database instance owner is /home/tklmdb2 and the disk partition is
/home.

You identify these values:


v Keys in the database = 84000
v Served data list = 100000
v Typing the command du -k /home/tklmdb2/tklmdb2 returns a value of 173712.

You calculate the required additional disk space:


v In the /opt partition
(84000 * 5) + (100000 * 1) = 520000 KB
v In the /home partition
(3 * 173712) = 521136 KB
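The sizing procedure in this section, carried through as a worked example in Python. This is an added script, not part of the original guide or of the product: it encodes the 5 KB per key, 1 KB per served-data entry and 3 times the instance folder rules stated above, reads the INSTANCEHOME value from either the db2srcit.txt (Windows) or db2unix.srcit (Linux or AIX) format shown earlier, and uses the guide's own example figures (84000 keys, 100000 served data, du -k of 173712) as constructed input. The key and served-data counts still come from the two db2 SELECT statements above; pass their results in. The default Version 2 location is taken from the example above, and folder_size_kb approximates du -k by summing file sizes, so du can report slightly more.

```python
import os
import re
import shutil

KEY_KB = 5            # additional KB per key (one KMT_KEY row)
SERVED_DATA_KB = 1    # additional KB per served-data entry (one KMT_DEVAUDIT row)
DB_MULTIPLIER = 3     # the instance folder can grow to 3x its size during conversion


def parse_srcit(text):
    """Read db2srcit.txt ('NAME=value') or db2unix.srcit ('export NAME=value')
    into a dict. Windows line endings and trailing backslashes are kept intact."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*(?:export\s+)?([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def install_partition_kb(key_count, served_data_count):
    """Extra KB needed on the partition that holds the Version 2 installation."""
    return key_count * KEY_KB + served_data_count * SERVED_DATA_KB


def db_partition_kb(instance_folder_kb):
    """Extra KB needed on the partition that holds the DB2 instance folder."""
    return DB_MULTIPLIER * instance_folder_kb


def folder_size_kb(path):
    """Approximation of 'du -k path': sum of file sizes rounded up to whole KB.
    du reports allocated blocks, so its figure can be somewhat larger."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            try:
                total += os.lstat(os.path.join(root, name)).st_size
            except OSError:
                pass  # unreadable entry; du would warn and skip it as well
    return -(-total // 1024)


def estimate(srcit_text, key_count, served_data_count, instance_folder_kb,
             v2_home="/opt/IBM/tivoli/tiptklmV2"):
    """Apply both rules. Returns {path: needed_kb} with one entry for the
    Version 2 installation path and one for the DB2 instance home (INSTANCEHOME)."""
    props = parse_srcit(srcit_text)
    instance_home = props.get("INSTANCEHOME")
    if not instance_home:
        raise ValueError("INSTANCEHOME not found in the srcit file")
    return {
        v2_home: install_partition_kb(key_count, served_data_count),
        instance_home: db_partition_kb(instance_folder_kb),
    }


def partition_report(requirements):
    """Check live free space. requirements maps a path to the KB that must be free
    on its partition; paths that share a partition are summed. Returns
    {representative_path: (needed_kb, free_kb, ok)}."""
    by_dev = {}
    for path, needed in requirements.items():
        dev = os.stat(path).st_dev
        by_dev.setdefault(dev, [path, 0])[1] += needed
    report = {}
    for path, needed in by_dev.values():
        free_kb = shutil.disk_usage(path).free // 1024
        report[path] = (needed, free_kb, free_kb >= needed)
    return report


if __name__ == "__main__":
    # Constructed input: the db2unix.srcit entries and the counts used in the
    # example calculation of this chapter.
    SAMPLE_SRCIT = ("export DB2ADMIN=tklmdb2\n"
                    "export DB2DBNAME=tklmdb\n"
                    "export INSTANCEHOME=/home/tklmdb2\n")
    needs = estimate(SAMPLE_SRCIT, 84000, 100000, 173712)
    for path, kb in needs.items():
        print(f"{path}: needs {kb} KB free")   # 520000 KB and 521136 KB
```

On the live Version 1 host, replace the constructed counts with the query results, replace 173712 with folder_size_kb(INSTANCEHOME/tklmdb2) or the du -k output, and pass the result of estimate to partition_report; a False in the last tuple field means that partition must be enlarged before you start migration.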

Data quantity
Determine whether a large quantity of data requires migration. Migrating an
existing database can require up to four times the current disk space usage during
the migration activity.

Most of this disk space is released after migration succeeds. You might also change
the memory settings that are described in “Hardware requirements for distributed
systems” on page 5.

Encryption Key Manager configuration


Before migration, the Encryption Key Manager configuration must be correct and
working.



Take these steps:
v Refresh and stop the Encryption Key Manager server to ensure that there is no
data loss.
v Back up the server that has the configuration data that you intend to migrate.
Migrated data includes:
– A configuration properties file
– Keys and certificates that are referenced by the configuration properties file
– Drive tables
– An optional metadata file pointed at by the configuration properties file
– An optional key groups file
v Stop Encryption Key Manager. Key serving cannot be active during migration.

Tivoli Key Lifecycle Manager Version 1 requirements


Before migration, ensure that Tivoli Key Lifecycle Manager Version 1 has the
required prerequisites.

Before you migrate, take these steps:


v Ensure that you applied the most current fix pack for Tivoli Key Lifecycle
Manager.
v Verify that you have a functioning Tivoli Key Lifecycle Manager Version 1
system with a configured keystore. Migration fails if a keystore is not
configured.
v Ensure that Tivoli Key Lifecycle Manager Version 1 is using DB2 Version 9.1
with Fix Pack 4 or a higher fix pack. For more Version 1 information, see the
IBM Tivoli Key Lifecycle Manager Information Center.
v Back up the Tivoli Key Lifecycle Manager server. Also back up any replica. If
migration fails, you might restore Tivoli Key Lifecycle Manager Version 1 from a
backup copy.

Note: After you successfully migrate Tivoli Key Lifecycle Manager to Version 2,
previous Version 1 backup files cannot be used to restore Tivoli Key Lifecycle
Manager at Version 2.
v Migration does not remove the Version 1 backup directory when the Version 2
installation process removes Tivoli Key Lifecycle Manager Version 1.
However, if the Tivoli Key Lifecycle Manager Version 1 backup directory is a
subfolder in the Tivoli Integrated Portal Server directory path, uninstalling Tivoli
Integrated Portal also removes the Tivoli Key Lifecycle Manager backup
directory.
v Migration removes the contents of the TKLM_HOME directory but does not
migrate or remove the Version 1 audit log file.
v Stop Tivoli Key Lifecycle Manager and any replica server. Key serving cannot be
active during migration.
v You cannot use passwords with special characters for the Tivoli Key Lifecycle
Manager database or for Tivoli Integrated Portal Server. You can use only
alphabetical characters (A-Z and a-z), numeric characters (0-9), the underscore
(_), and hyphen (-). If you previously modified a password, change the
password before migration to use only the character set that migration allows.
After migration, you can reset the password to use special characters.



v During migration, examine the TKLM_HOME\migration\migrate.log file frequently
to determine how far migration has progressed. If migration fails, run the
migration utility to print messages to the migrate.log file and to the
command-line interface.
v To avoid errors while migration is in progress, do not start or stop the DB2
server or the Tivoli Integrated Portal Server outside of the migration process. Do
not interrupt the migration process.

Migration requirements for Encryption Key Manager


There are certain requirements before you can migrate from Encryption Key
Manager to Tivoli Key Lifecycle Manager. You can migrate only Version 2.1 of
Encryption Key Manager.

Requirements include:
v Migrate only one Encryption Key Manager server to one Tivoli Key Lifecycle
Manager server. To migrate a second Encryption Key Manager use a second
Tivoli Key Lifecycle Manager server.
v Both the Encryption Key Manager server and the Tivoli Key Lifecycle Manager
server that receives migrated data must be on the same host. After migration,
Tivoli Key Lifecycle Manager server uses the keystore, TCP port, and SSL port
that Encryption Key Manager server previously used.
v Two properties are required for migration:
– config.keystore.file
– TransportListener.ssl.keystore.name
v To migrate keygroups, if your Encryption Key Manager was configured with
keygroups to work with LTO tape drives, ensure that the
config.keygroup.xml.file property exists in the Encryption Key Manager
properties file and is specified as an absolute path.
This property might not be in the properties file because Encryption Key
Manager can also load the key groups file from the directory from which it
was started.

Migration for Encryption Key Manager from AS/400 systems


You might need to relocate Encryption Key Manager from a system such as
AS/400 to a different operating system before you can migrate Encryption Key
Manager to Tivoli Key Lifecycle Manager.

Take these steps:


1. On an AS/400 system, the keys must be in a JCEKS keystore. Otherwise, you
must first move the keys to a JCEKS keystore.
2. Move the JCEKS keystore and Encryption Key Manager properties file, which
you must update for the new operating system, from the AS/400 system to a
system that Tivoli Key Lifecycle Manager Version 2 supports.
3. Use the keystore and modified properties file that you moved to set up
Encryption Key Manager on the system that Tivoli Key Lifecycle Manager
Version 2 supports.
4. Ensure that Encryption Key Manager is functional on the new system.
5. Migrate from the new Encryption Key Manager to Tivoli Key Lifecycle
Manager Version 2 as part of installing Tivoli Key Lifecycle Manager Version 2.
You can migrate only Version 2.1 of Encryption Key Manager.



Note: Use this Website to obtain Encryption Key Manager for an IBM operating
system: Encryption Key Manager component

Obtaining Encryption Key Manager


You might need to obtain a current version of Encryption Key Manager.

About this task

IBM maintains the latest levels of Encryption Key Manager software and
documentation at the Fix Central download portal:
http://www.ibm.com/support/fixcentral

Procedure
1. In the Product Group menu, select Storage Systems.
2. In the Product Family menu, select Tape Systems.
3. In the Product Type menu, select Tape device drivers and software.
4. In the Product menu, select Encryption Key Manager (EKM).
5. In the Platform menu, select the appropriate operating system. Click Continue.
6. In the subsequent menu, avoid making entries that narrow the search and click
Continue.

Migration restrictions for Encryption Key Manager


There are certain restrictions on what you can migrate from Encryption Key
Manager:
v Migration of Administrator SSL keystores and truststores is not supported. Tivoli
Key Lifecycle Manager server does not support Administrator sync capability.
v Migration of PKCS11Impl keystores and truststores is not supported. Tivoli Key
Lifecycle Manager server does not support PKCS11Impl keystores.
v Tivoli Key Lifecycle Manager does not support the use of a key in multiple
groups, unlike Encryption Key Manager, which supports the use of a key in
multiple groups.
When you migrate key data in KeyGroup.xml from Encryption Key Manager to
Tivoli Key Lifecycle Manager, each key is attached to one group. A key that was
previously in multiple groups in Encryption Key Manager is created in only one
group in Tivoli Key Lifecycle Manager.
The migration process logs the event that the key is not created in multiple
groups, and continues. If the symmetricKeySet property specifies a list or range
of keys, and not a group, all keys specified by symmetricKeySet are migrated
into a key group named DefaultMigrateGroup. If the keys from
symmetricKeySet have been created as a part of other groups, and the key group
named DefaultMigrateGroup is empty, Tivoli Key Lifecycle Manager does not
create the DefaultMigrateGroup key group and also does not migrate the
symmetricKeySet property.
To work around the problem, use the Tivoli Key Lifecycle Manager graphical or
command-line interface to define a default key group, for example, for LTO tape
drives.

After migrating Encryption Key Manager


After migrating Encryption Key Manager, take these steps to validate the
configuration and protect data:
v Do not run Encryption Key Manager after migration. Encryption Key Manager
retains its ability to serve keys, and it uses the same keystore, TCP port, and
SSL port that Tivoli Key Lifecycle Manager now uses.
v Resolve possible problems with certificates and keys.
Encryption Key Manager does not restrict device groups to which a certificate
and its keys can be associated. Certificates and keys that belong to multiple
device types are marked as CONFLICTED after migration to Tivoli Key Lifecycle
Manager Version 2. You cannot change their device group to another device
group. Tivoli Key Lifecycle Manager can use a certificate or key that is marked
as CONFLICTED for both read and write operations.
Migration might also cause a certificate to appear with an UNKNOWN label in
the Tivoli Key Lifecycle Manager graphical user interface.
– Unknown certificates can be used as rollover certificates. Once scheduled as a
rollover, the unknown certificate is updated to the specific device group of the
rollover. An SSL server certificate with an UNKNOWN label is updated to be
an SSL certificate.
– Pending certificates might be listed on the graphical user interface with a
device group that has an UNKNOWN status. First, accept the pending
certificate, which then has an UNKNOWN status. Next, use the
tklmCertUpdate command to update the certificate usage to a specific device
group. The update changes the certificate status to a state such as active.
– After migration completes, one or more devices might be associated with the
UNKNOWN device group. You can assign the device group for UNKNOWN
devices to a new group, or allow the group to be determined when the
devices make a first key service request.
Use the tklmCertList command to find certificates that are marked as
CONFLICTED or UNKNOWN. Specify no value for the -usage parameter, or
specify a parameter value of 3592, DS8000, or SSLSERVER. For example, this
Jython-formatted command lists all certificates for the 3592 device group:
print AdminTask.tklmCertList('[-usage 3592 -v y]')
v Verify that the migrated Encryption Key Manager configuration is in the state
that you expect, before making any updates or any configuration changes to
Tivoli Key Lifecycle Manager.
The Encryption Key Manager configuration keystore becomes the Tivoli Key
Lifecycle Manager keystore after migration is complete. You cannot migrate
Encryption Key Manager server data a second time to the same Tivoli Key
Lifecycle Manager server.
If migration fails and you choose to complete the remaining Tivoli Key Lifecycle
Manager installation process, there is a stand-alone migration-recovery script
that you can invoke only as long as you have not made any updates or changes
to the Tivoli Key Lifecycle Manager configuration. For more information, see
Chapter 8, “Recovering from migration failure,” on page 63.

After migrating Tivoli Key Lifecycle Manager


After migrating Tivoli Key Lifecycle Manager, take these steps to validate the
configuration and protect data:
v Immediately after installing Tivoli Key Lifecycle Manager Version 2, perform a
backup of Tivoli Key Lifecycle Manager Version 2. A backup of Version 1 cannot
be restored to a Version 2 environment.
You cannot run the primary Tivoli Key Lifecycle Manager Version 1 because
migration removes Version 1 from the Tivoli Integrated Portal. Migration to
Version 2 does not remove the instance of Tivoli Integrated Portal and does not
use the previous port number.



If migration fails and you choose to complete the remaining Tivoli Key Lifecycle
Manager installation process, there is a stand-alone migration-recovery script
that you can invoke only as long as you have not made any updates or changes
to the Tivoli Key Lifecycle Manager configuration. For more information, see
Chapter 8, “Recovering from migration failure,” on page 63. You must complete
the migration recovery process before you can use Tivoli Key Lifecycle Manager
Version 2.
v Retain and do not run a replica of Tivoli Key Lifecycle Manager Version 1 to
ensure that you have a Version 1 environment and data in case validation
determines that there is a problem with Version 2.
v Resolve possible problems with certificates and keys.
Tivoli Key Lifecycle Manager Version 1 does not restrict device groups to which
a certificate and its keys can be associated. Certificates and keys that belong to
multiple device types at Tivoli Key Lifecycle Manager Version 1 are marked as
CONFLICTED at Version 2. You cannot change their device group to another
device group. Tivoli Key Lifecycle Manager can use a certificate or key that is
marked as CONFLICTED for both read and write operations.
v After migration completes, one or more devices might be associated with the
UNKNOWN device group. You can assign the device group for UNKNOWN
devices to a new group, or allow the group to be determined when the devices
make a first key service request.
v After completing migration of Tivoli Key Lifecycle Manager Version 1 to Version
2, the migration program removes the Tivoli Key Lifecycle Manager data source
definition and removes the Tivoli Key Lifecycle Manager Version 1 software
from the Tivoli Integrated Portal Server. The migration process also removes the
contents of the TKLM_HOME directory, except the audit_log file. If migration
cannot complete these steps, migration issues a warning and a successful
completion message. Examine the migrate.log file for messages and take the
appropriate manual action.
v For future administrative use in Tivoli Key Lifecycle Manager Version 1, you
might have marked a certificate for use as a 3592 rollover or a key group as an
LTO rollover. If the scheduled future date for rollover is earlier than the time of
migration, the migration program adds an appropriate message and does not
migrate these rollover entries. After successfully installing Tivoli Key Lifecycle
Manager Version 2, use the command-line interface or graphical user interface to
manually add these rollover entries.
v You cannot use the graphical user interface to delete a migrated rollover that
you added with the command-line interface using the
tklmCertDefaultRolloverAdd or the tklmKeyGroupDefaultRolloverAdd
command. Use the command-line interface to delete a migrated rollover that you
created using the command-line interface.
v After you ensure that the primary Tivoli Key Lifecycle Manager at Version 2 is
configured and running correctly, back up the Version 2 Tivoli Key Lifecycle
Manager server and install the backup on a replica computer.
– Validate that the Version 2 replica computer is configured and running
correctly.
– As a best practice, retain a copy of Version 2 backup files in a location that is
not in the Tivoli Key Lifecycle Manager Version 2 directory path. The separate
location ensures that other processes cannot remove backup files if Tivoli Key
Lifecycle Manager is removed.
Additionally, retain the TKLM_HOME\migrate*.log files for future reference.



Data objects and properties migrated from Encryption Key Manager
The following data objects and properties are migrated from Encryption Key
Manager.

Properties that must be in the Encryption Key Manager configuration file include:
v Audit.metadata.file.name
File must exist in the same directory as the configuration file itself and must be
read enabled.
v config.drivetable.file.url
File must exist in the same directory as the configuration file itself and must be
read enabled.
v config.keystore.file
File must exist in the same directory as the configuration file itself and must be
read and write enabled.
v config.keystore.password.obfuscated
v config.keystore.type
The keystore type must not be PKCS11IMPLKS.
v TransportListener.ssl.keystore.name
File must exist in the same directory as the configuration file itself and must be
read enabled.
v TransportListener.ssl.keystore.password.obfuscated
v TransportListener.ssl.keystore.type
The keystore type must not be PKCS11IMPLKS.
v TransportListener.ssl.port
The value must be a positive integer between 1 and 65535 and must not be
identical with the value for TransportListener.tcp.port.
v TransportListener.ssl.truststore.type
The truststore type must not be PKCS11IMPLKS.
v TransportListener.tcp.port
The value must be a positive integer between 1 and 65535 and must not be
identical with the value for TransportListener.ssl.port.

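The property requirements listed above, together with the config.keygroup.xml.file absolute-path requirement from "Migration requirements for Encryption Key Manager", as a pre-migration check script. This is an added example, not part of the guide or of the product: it parses an Encryption Key Manager properties file, reports every violation of the stated rules, and can optionally verify that the referenced files sit in the same directory as the properties file with the required permissions. The FILE:/// form for config.drivetable.file.url and the sample file are assumptions (the sample is constructed and contains two deliberate violations); an empty result means these checks pass, not that the Encryption Key Manager configuration works.

```python
import os

UNSUPPORTED_TYPE = "PKCS11IMPLKS"
# Properties that name a file which must sit in the directory of the
# properties file itself, with the permission the guide requires.
FILE_PROPS = {
    "Audit.metadata.file.name": os.R_OK,
    "config.drivetable.file.url": os.R_OK,
    "config.keystore.file": os.R_OK | os.W_OK,
    "TransportListener.ssl.keystore.name": os.R_OK,
}
TYPE_PROPS = ("config.keystore.type", "TransportListener.ssl.keystore.type",
              "TransportListener.ssl.truststore.type")
PORT_PROPS = ("TransportListener.ssl.port", "TransportListener.tcp.port")
REQUIRED = set(FILE_PROPS) | set(TYPE_PROPS) | set(PORT_PROPS) | {
    "config.keystore.password.obfuscated",
    "TransportListener.ssl.keystore.password.obfuscated",
}


def parse_properties(text):
    """Minimal Java .properties reader: blank and '#'/'!' lines are skipped and
    the first '=' or ':' separates key from value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            continue
        i = min(seps)
        props[line[:i].strip()] = line[i + 1:].strip()
    return props


def port_or_none(value):
    """Return the port as an int if it lies within 1..65535, else None."""
    try:
        port = int(value)
    except (TypeError, ValueError):
        return None
    return port if 1 <= port <= 65535 else None


def to_path(value, base_dir):
    """Turn a property value into a filesystem path. Assumption: URL-valued
    properties use FILE:///absolute/path; bare names are relative to base_dir."""
    if value.lower().startswith("file:"):
        value = value[5:]
        while value.startswith("//"):
            value = value[1:]
    return os.path.join(base_dir, value)   # an absolute value is returned unchanged


def validate(props, base_dir=".", check_files=True):
    """Return the list of problems that would block migration (empty = passed)."""
    problems = []
    for name in sorted(REQUIRED - set(props)):
        problems.append(f"missing required property {name}")
    for name in TYPE_PROPS:
        if props.get(name, "").upper() == UNSUPPORTED_TYPE:
            problems.append(f"{name} is {UNSUPPORTED_TYPE}, which migration does not support")
    ports = {}
    for name in PORT_PROPS:
        if name in props:
            ports[name] = port_or_none(props[name])
            if ports[name] is None:
                problems.append(f"{name} must be an integer between 1 and 65535")
    if len(ports) == 2 and None not in ports.values() and len(set(ports.values())) == 1:
        problems.append("TransportListener.ssl.port and TransportListener.tcp.port must differ")
    keygroups = props.get("config.keygroup.xml.file")
    if keygroups is not None and not os.path.isabs(keygroups):
        problems.append("config.keygroup.xml.file must be an absolute path")
    if check_files:
        base_abs = os.path.abspath(base_dir)
        for name, mode in FILE_PROPS.items():
            if name not in props:
                continue
            path = to_path(props[name], base_abs)
            if os.path.dirname(os.path.abspath(path)) != base_abs:
                problems.append(f"{name} must point to a file in {base_abs}")
            elif not os.access(path, mode):
                problems.append(f"{name}: {path} is missing or lacks the required permissions")
    return problems


# Constructed sample (not a real configuration): an unsupported keystore type
# and identical SSL and TCP ports are the two deliberate violations.
SAMPLE = """# constructed Encryption Key Manager properties file
Audit.metadata.file.name = metadata.xml
config.drivetable.file.url = FILE:///opt/ekm/filedrive.table
config.keystore.file = EKMKeys.jck
config.keystore.password.obfuscated = <obfuscated>
config.keystore.type = PKCS11IMPLKS
config.keygroup.xml.file = /opt/ekm/KeyGroups.xml
TransportListener.ssl.keystore.name = EKMKeys.jck
TransportListener.ssl.keystore.password.obfuscated = <obfuscated>
TransportListener.ssl.keystore.type = jceks
TransportListener.ssl.port = 3801
TransportListener.ssl.truststore.type = jceks
TransportListener.tcp.port = 3801
"""

if __name__ == "__main__":
    for problem in validate(parse_properties(SAMPLE), check_files=False):
        print("FAIL:", problem)
```

Against a real file, call validate with base_dir set to the directory that holds the properties file and check_files left at its default, so that file placement and permissions are checked before you stop Encryption Key Manager for the migration.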
Migration includes:
Keystores
Tivoli Key Lifecycle Manager supports only one keystore, identified by the
config.keystore.name property in the TKLMgrConfig.properties file. This is
equivalent to the Encryption Key Manager Config keystore. During
migration, the two Encryption Key Manager keystores, Config and
TransportListener, are merged into the single Tivoli Key Lifecycle Manager
keystore. The Config keystore is recreated during migration as this entry in
the TKLMgrConfig.properties file:
config.keystore.name = defaultKeyStore

All certificates and metadata from the config.keystore properties are added
to the Tivoli Key Lifecycle Manager database. All the certificates from the
TransportListener truststore are imported into the Tivoli Key Lifecycle
Manager keystore.

30 IBM Tivoli Key Lifecycle Manager: Installation and Configuration Guide


A certificate from the TransportListener keystore is set as the SSL certificate
for Tivoli Key Lifecycle Manager. The config.keystore.ssl.certalias property
is updated with the alias of this certificate.
Other Encryption Key Manager keystores are not used.
Devices
All the device information is read from the drive table pointed at by the
config.drivetable.file.url property, and is entered in a Tivoli Key Lifecycle
Manager database. If the drive has the symalias property defined, the drive
type is set to LTO. If the drive has aliases defined, the drive type is set to
3592. Migration sets a type of UNKNOWN for a drive that has none of
these properties defined and that has no type that can be determined.
Keygroups
The keygroup.xml file that is pointed at by the config.keygroup.xml.file
property, is parsed and the keygroup information is stored in a Tivoli Key
Lifecycle Manager database. All the group members and group
relationships are also migrated.
If the symmetricKeySet property has a list of aliases or range of aliases, a
default key group named DefaultMigrationGroup is created with all the
aliases as members of the group. In this case, the symmetricKeySet
property is set to DefaultMigrationGroup. If the symmetricKeySet property
is already a group alias, the default migration group is not created.
Metadata
All the metadata information that is pointed at by the
Audit.metadata.file.name property is migrated into a Tivoli Key Lifecycle
Manager database.

The properties migrated from the Encryption Key Manager configuration file to the
TKLMgrConfig.properties file might include:
v Audit.eventQueue.max
v Audit.handler.file.size
v Audit.event.outcome
v Audit.event.types
v config.keystore.name (set to defaultKeyStore)
v cert.valiDATE
v drive.acceptUnknownDrives is migrated to the database as the default entry in
the specified device group.
v fips
v TransportListener.ssl.ciphersuites
v TransportListener.ssl.clientauthentication
v TransportListener.ssl.port
v TransportListener.ssl.protocols
v TransportListener.ssl.timeout
v TransportListener.tcp.port
v TransportListener.tcp.timeout
v useSKIDefaultLabels
v zOSCompatibility

These properties are migrated from the Encryption Key Manager configuration file
to the Tivoli Key Lifecycle Manager database:



v drive.default.alias1
v drive.default.alias2
v symmetricKeySet (set to an already-specified group alias, otherwise set to
DefaultMigrationGroup)

Data objects and properties migrated from Tivoli Key Lifecycle Manager
The following data objects and properties are migrated from Tivoli Key Lifecycle
Manager Version 1:
Keystore
The keystore, including all certificates and metadata from Version 1, are
added to the Tivoli Key Lifecycle Manager Version 2 database. The
keystore is identified by the config.keystore.name property in the
TKLMgrConfig.properties file.
Devices
All the device information is read from the Tivoli Key Lifecycle Manager
database.
Keygroups
The key group information is read from the Tivoli Key Lifecycle Manager
database.
Rollover certificates and keygroups
Certificates and keygroups in Tivoli Key Lifecycle Manager Version 1
might be marked for future 3592 administration. The migration program
detects and marks these rollovers for future administration with Tivoli Key
Lifecycle Manager Version 2.
Metadata
All the metadata information is migrated from the Tivoli Key Lifecycle
Manager Version 1 database and made usable by the Version 2 database.
Properties
Properties in the TKLMgrConfig.properties file are migrated from the
Tivoli Key Lifecycle Manager database. The datastore.properties file is
migrated.
These properties are deleted from the Version 2 TKLMgrConfig.properties
file:
v ds8k.acceptUnknownDrives
The device.AutoPendingAutoDiscovery property replaces this property.
v drive.acceptUnknownDrives
The device.AutoPendingAutoDiscovery attribute in the Tivoli Key
Lifecycle Manager database replaces this property.
These Tivoli Key Lifecycle Manager Version 1 properties are obsolete and
are not migrated:
v tklm.internal.gui.jagworkflow
v tklm.internal.gui.lto4workflow
These properties are migrated from the Version 2 TKLMgrConfig.properties
file to the Tivoli Key Lifecycle Manager database:
v drive.default.alias1
v drive.default.alias2



v symmetricKeySet (removed from the TKLMgrConfig.properties file and
replaced with an entry for the device group in the Tivoli Key Lifecycle
Manager database)

Chapter 4. Types of installation
On distributed systems, use one of these modes of installation:
v A graphical user interface-based installation driven by a wizard.
v A console mode installation that runs in a console window. This mode scrolls
information onto the screen and prompts for your entries one line at a time.
v A silent installation that runs unattended, using response files for the
configuration options.

Syntax and parameters for the installation program


The syntax of the install command is:
install [ -i { gui | console | silent [ -f full_path_to_response_file] } ]

Where install is
install.exe on Windows systems
install.sh on systems such as Linux or AIX

Note: Do not install from a network drive or mounted drive. For example, do not
specify either of these net use statements as the directory location and attempt
installation:
net use z: \\server\share
net use \\server\share

The parameters for the install command are:


-i option
Optional. If you do not use the -i parameter, the default is gui mode.
Indicates the type of installation to run. The options are:
gui Interactive installation, using a graphical installation wizard.
console
Interactive installation, using a scrolling, console interface.
silent Noninteractive installation, using a response file for the installation
options.
-f full_path_to_response_file
Required if silent mode is selected. Specifies the full path and file name for
the response file containing the installation options to use during the silent
installation. For example, on a Windows system:
install.exe -i silent -f C:\your_directory\responses.rsp

Graphical mode installation


These steps install Tivoli Key Lifecycle Manager in graphical mode.
v Start the installation wizard.
v Complete the installation wizard pages, entering the configuration options. For
details, see Chapter 5, “Installing on distributed systems,” on page 39.
v Verify that the Tivoli Key Lifecycle Manager server is operational. For details,
see “Verifying the installation” on page 82.



Starting a graphical installation
To start the installation wizard, navigate to the directory where you stored the
installation files, and run this command:
install

Where install is
install.exe on Windows systems
install.sh on systems such as Linux or AIX
For details about the syntax and flags for the installation program, see “Syntax and
parameters for the installation program” on page 35.

Installation and migration panels


You might see these panels during installation:
1. Language selection
2. Introduction
3. Software license agreement
4. DB2 directory
5. DB2 configuration options
6. Summary of prerequisites
7. Installation progress for DB2
8. Transition to Tivoli Key Lifecycle Manager installation
9. Deployment Engine initialization
10. Installation directory for Tivoli Key Lifecycle Manager and Tivoli Integrated
Portal
11. WebSphere Application Server information
12. TKLMAdmin password
13. Encryption Key Manager migration
14. Pre-installation summary
15. Installation progress for Tivoli Integrated Portal
16. Installation summary

You might see additional panels when migration occurs during installation:
1. Language selection
2. Introduction
3. Software license agreement
4. DB2 directory
5. Migration information
6. Migration summary
7. Summary of prerequisites
8. Installation progress for DB2
9. Transition to Tivoli Key Lifecycle Manager installation
10. Deployment Engine initialization
11. Installation directory for Tivoli Key Lifecycle Manager and Tivoli Integrated
Portal
12. WebSphere Application Server information
13. TKLMAdmin password



14. Pre-installation summary
15. Installation progress for Tivoli Integrated Portal
16. Migration progress for Tivoli Key Lifecycle Manager
17. Installation summary

Console mode installation


Console mode installation is an interactive installation without the use of a
graphical user interface. This can be of use on systems such as Linux or AIX,
where you might need to run the installation program without an X11 client. It can
also be used to install Tivoli Key Lifecycle Manager over a remote terminal
session. Prefer SSH over Telnet for that session: the passwords that you type
during installation cross the network in clear text over Telnet.

Console mode installation scrolls the lines of the panel onto the screen one line at a
time and prompts the user for input on the bottom line. The Language selection
panel in console mode is like this example:
Preparing CONSOLE Mode Installation...

===============================================================

Choose Locale...
----------------

->1- English
2- Français

CHOOSE LOCALE BY NUMBER: __

To start the installation program in console mode, run the command:


install -i console

Where install is
install.exe on Windows systems
install.sh on systems such as Linux or AIX

Silent installation
A silent installation is a noninteractive installation, driven by a response file that
provides installation settings.

No user input is required during a silent installation. This is useful in
environments where Tivoli Key Lifecycle Manager is to be installed on multiple
identical systems, such as in a data center.

Note: Silent mode installation uses a response file that might contain nonsecure
password information. For additional security, delete the response file immediately
after using silent mode to install Tivoli Key Lifecycle Manager.

To start the installation program in silent mode using a response file, enter this
command:
install -i silent -f full_path_to_response_file

Where install is
install.exe on Windows systems
install.sh on systems such as Linux or AIX

Note: If you enter an invalid value for the full_path_to_response_file parameter, such
as an incomplete path, the installation program exits immediately. No error
message is displayed or logged.
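The two notes above (delete the password-bearing response file as soon as it has been used; the installer exits with no message on a bad response file path) can both be enforced by a small wrapper around the documented command. The following is an added example, not a script shipped with Tivoli Key Lifecycle Manager: it checks the response file path before starting the installer, runs install -i silent -f, and overwrites and deletes the response file afterwards whether or not the installer succeeded. The function names are this example's own, and it only passes the installer's exit code through, since this page does not document the installer's exit codes.

```python
"""Run the Tivoli Key Lifecycle Manager silent installer from a response file.

Added example, not part of the IBM guide. It wraps the documented command
    install -i silent -f full_path_to_response_file
with two checks the guide motivates: the response file path is verified
before the installer starts (the installer itself exits silently on a bad
path and logs nothing), and the response file, which can hold cleartext
passwords, is overwritten and deleted as soon as the installer returns,
whether or not the installation succeeded.
"""
import os
import subprocess
import sys


def installer_name():
    """File name the guide documents for each platform."""
    return "install.exe" if sys.platform.startswith("win") else "install.sh"


def check_response_file(path):
    """Return a list of problems with the response file path; empty means OK."""
    problems = []
    if not os.path.isabs(path):
        problems.append("response file path must be a full path: %s" % path)
    if not os.path.isfile(path):
        problems.append("response file does not exist: %s" % path)
    return problems


def scrub_file(path):
    """Overwrite the file before unlinking it so cleartext passwords are not
    left behind. Best effort on journaling or copy-on-write file systems,
    but strictly better than a plain delete. Returns True if a file was removed."""
    if not os.path.isfile(path):
        return False
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(b"\0" * size)
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)
    return True


def silent_install(install_dir, response_file):
    """Run the silent install. Returns (installer_exit_code, response_file_removed).

    install_dir: directory that holds install.sh or install.exe.
    response_file: full path to the response file (may contain passwords).
    """
    problems = check_response_file(response_file)
    if problems:
        # Fail loudly here, because the installer would fail silently.
        raise ValueError("; ".join(problems))
    cmd = [os.path.join(install_dir, installer_name()),
           "-i", "silent", "-f", response_file]
    try:
        code = subprocess.run(cmd, cwd=install_dir).returncode
    finally:
        # Runs even if the installer could not be started.
        removed = scrub_file(response_file)
    return code, removed
```

Because the scrub runs in a finally block, the response file is also removed when the installer binary is missing or the process is interrupted by an exception, which is the case in which an administrator is most likely to forget it.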

Adapting a sample response file


Tivoli Key Lifecycle Manager includes sample response files that you can use as a
template for creating your own response file. The sample file must be modified for
the specifics of your environment before it can be used.

The sample response files are located in the directory in which your installation
package is located. Examples include:
v “New installation of Version 2 on Windows systems” on page 91
v “New installation of Version 2 on systems such as Linux or AIX” on page 93
v “Version 1 to Version 2 migration on Windows systems” on page 95
v “Version 1 to Version 2 migration on systems such as Linux or AIX” on page 97
v “Uninstall on Windows systems” on page 98
v “Uninstall on systems such as Linux or AIX” on page 99

Chapter 5. Installing on distributed systems
During graphical and console mode installations, you are prompted for the
configuration information required to install Tivoli Key Lifecycle Manager and the
prerequisite software it uses.

Notes: There are several important considerations to keep in mind:


v Installation can take more than an hour.
v Do not install on a computer that has a host name or domain name that contains
special characters.
Ensure that the computer host name and domain name contain only alphabetical
characters (A-Z and a-z) and numeric characters (0-9). The domain name can
also include a dash (-) character that does not begin or end the name. No other
characters are supported, such as the underscore character (_).
v To install Tivoli Key Lifecycle Manager as a member of the Administrator's
group on a Windows 2008 server, you must disable User Access Control on the
Windows system. If you cannot disable User Access Control, you must install
and run Tivoli Key Lifecycle Manager using the Administrator account. To
disable User Access Control, take these steps:
1. Click Start, and then click Control Panel.
2. In the Control Panel, click User Accounts.
3. In the User Accounts window, click User Accounts.
4. In the User Accounts tasks window, click Turn User Account Control on or
off.
5. If User Access Control is currently configured in Admin Approval Mode, the
User Account Control message appears. Click Continue.
6. Clear the checkbox labeled Use User Account Control (UAC) to help protect
your computer. Then click OK.
7. Click Restart Now to apply the change immediately, or click Restart Later
and close the User Accounts tasks window.
v Do not install from a network drive or mounted drive. For example, do not
specify either of these net use statements as the directory location and attempt
installation:
net use z: \\server\share
net use \\server\share
v Ensure that you select the correct language at prompts during installation.
Correcting a locale error requires uninstalling and re-installing Tivoli Key
Lifecycle Manager and DB2.
v When installing Tivoli Key Lifecycle Manager on a system such as Solaris,
certain DB2 configuration changes made during installation might require that
you restart the system. Close any other applications before rebooting the system.
After the system restarts, run the installation program again.
v Entries for all fields are restricted to alphabetical characters (A-Z and a-z),
numeric characters (0-9), and the underscore character (_). The restriction also
applies to the values in the response file used for silent installations.
v Entries for paths cannot contain spaces.
Do not embed spaces in the TIP_HOME installation path or directory name.

v When you specify the installation path, you might discover that a different path
is required. For example, there might not be adequate space. Do not use the
previous button to change the installation path. Instead, cancel and restart the
installation, specifying another location.
v If you have Tivoli Key Lifecycle Manager Version 1 in your environment, before
you install and migrate to Version 2:
– Obtain the Version 1 administrative passwords.
– Apply fix pack 3 or later to Version 1.
– On Windows systems, ensure that the IBM ADE Service is started.
On Windows systems, open the Services console. Verify that the IBM ADE
Service is started. If the service is not started, select and start the service.

Configuring DB2 during installation


Tivoli Key Lifecycle Manager requires DB2 Workgroup Server Edition at a Version
9 level that depends on the operating system.

The installation program performs one of the following actions:


v If an existing copy of DB2 Workgroup Server Edition is installed as the root user
at the correct version for the operating system, you can use the existing DB2
Workgroup Server Edition. Tivoli Key Lifecycle Manager installation does not
detect the presence of DB2 that was preinstalled as a non-root user and does not
support non-root installation of DB2.
You can also install a new copy of DB2 Workgroup Server Edition. An existing
DB2 must be locally installed on the system and not on a network or shared
drive.
On a Windows system, if a new copy of DB2 is installed, the DB2_COPY_NAME
is set to DB2TKLMV2.
For example, the correct version of DB2 Workgroup Server Edition might exist
because you previously installed and uninstalled Tivoli Key Lifecycle Manager
Version 2. On a Windows system, a copy of DB2 that is installed with the name
DB2TKLMV2 is used automatically by any future installs.
v If Tivoli Key Lifecycle Manager Version 1 and an earlier version of DB2 exist on
the system, the process installs DB2 Workgroup Server Edition at a Version 9
level that depends on the operating system. You can also use another existing,
installed version of DB2 9 that is at the correct level.
The process also migrates data from the previous version of Tivoli Key Lifecycle
Manager to the new version. For example:
– The new copy of DB2 Workgroup Server Edition uses the previous db2admin
user ID and password.
– On a Windows system, if a new copy of DB2 is installed, the
DB2_COPY_NAME is set to DB2TKLMV2.
v If no Tivoli Key Lifecycle Manager exists on the system and there is either no
copy or an earlier version of DB2, the installation process installs DB2
Workgroup Server Edition at a Version 9 level that depends on the operating
system.
No DB2 upgrade occurs.

During DB2 configuration, you are prompted for the following information, which
might differ from this list, depending on the operating system and on whether
Tivoli Key Lifecycle Manager is installing DB2 or using an existing copy:

DB2 Selection
The directory for the DB2 installation.
On systems such as AIX or Linux, the entry must start from the root
directory. The first character in the entry must be a forward slash ('/').
This entry is only required if Tivoli Key Lifecycle Manager is installing
DB2. The installation process provides a default value. See “Definitions for
HOME and other directory variables” on page xiii.
DB2 Administrator ID
The local DB2 administrator user ID. The installation process provides a
default Administrator user ID with the necessary permissions. Do not use a
domain user ID as the DB2 administrator. Do not specify a user ID greater
than eight characters in length.

Note: Do not use a hyphen (-) or underscore character (_) when you
specify a user ID for an existing copy of DB2.
On a Windows system, the DB2 Administrator user ID must be a member
of the Administrator group. The user ID is subject to the security policy
active on the Windows system.
On a system such as Linux or AIX, the user ID of the Tivoli Key Lifecycle
Manager DB2 instance owner must be a member of a group in which the
root user ID is also a member. If it is available, use bin as the group. If bin
is not available, ask the system administrator for the name of a general
purpose group to use.

Note: The Administrator ID cannot be a DB2 reserved word, such as db2,
users, admins, guests, public, private, properties, local, or root.
DB2 Administrator Password
The password for the administrator. The maximum length is 20 characters.
The password for the DB2 Administrator user ID is subject to the security
policy active on the system. In addition, the login password for the DB2
Administrator user ID and the DB2 password for the user ID must be the
same. When you change one, you must change the other.
Database Name
The name of the Tivoli Key Lifecycle Manager database, which is tklmdb.
DB2 Port
The port that DB2 uses.
Create DB2 Administrator if it does not already exist?
Select this check box if no DB2 administrator exists.
Clear this check box if you want to use a user ID that already exists. You
might make this choice whether or not DB2 is already installed.
If you are using an existing copy of DB2, you have the option of creating a
new DB2 instance owner or reusing an existing DB2 user ID. If you reuse
an existing user ID, certain restrictions apply:
v The DB2 user ID cannot have any associated DB2 instances.
v The DB2 user ID must belong to a group in which root is also a member,
such as bin.
Administrator's Group
Access group in which the Administrator user ID exists. If DB2 is on a
system such as AIX or Linux, your user ID must be in the bin or root
group, or in a separate group in which root is a member.
Administrator / Database Home
The directory (AIX or Linux systems) or drive (Windows systems) in which
the database instance and the formatted tables used by Tivoli Key Lifecycle
Manager are created.

Notes:
1. Entries for all fields are restricted to alphabetical characters (A-Z and a-z),
numeric characters (0-9), and the underscore character (_). The restriction also
applies to the values in the response file used for silent installations.
2. Do not specify spaces in any of the directory paths or filenames.
3. The name of the computer on which you install DB2 cannot start with "ibm,"
"sql," or "sys," in lowercase or uppercase. The name of the computer also
cannot contain the underscore character (_).
4. When you enter the user ID information for the DB2 Administrator ID, the user
ID is created as soon as you click the Next button. If, for example, you notice
that the user ID entered is mis-typed, you might return to the configuration
panel and change the entry in the DB2 Administrator ID field. However, the
effect is to create a second, new user ID, not to replace an existing user ID.
To remove the extra user ID, use the DB2 utilities to drop the user ID, and use
the user management utilities of the operating system to delete the extra user
ID. See “Removing the user ID of the DB2 instance owner” on page 61 for
details of this process.

DB2 password security issues on Windows systems


On Windows systems, the DB2 Administrator user ID and password are subject to
the security policy that is active on the system.

If there is a password expiration restriction in effect, you must change the login
password and DB2 password for the Administrator user ID before the expiration
period expires.

In addition, the login password for the DB2 Administrator user ID and the DB2
datasource password used by Tivoli Integrated Portal must be the same. When you
change one, you must change the other.

To change the DB2 database password, take these steps:


1. Stop the Tivoli Integrated Portal and all Windows services that are related to
DB2.
2. Open the Windows user management tool by opening the Control Panel and
clicking Administrative tools > Computer Management > Local Users and
Groups > Users.
3. Change the password for the Tivoli Key Lifecycle Manager database owner.
4. Open the Windows Services console by opening the Control Panel and clicking
Administrative Tools > Computer Management.
5. On the following services, change the password using the Logon tab of the
Properties dialog box:
v DB2 - DB2TKLMV2 - tklminstance
For example, the value of tklminstance might be:
DB2 - DB2TKLMV2 - DBTKLM20
DB2 - DB2TKLMV2 - TKLMDB2

For example, with the default instance name, the value of tklminstance is:
DB2 - DB2TKLMV2 - TKLMDB2
v DB2 Governor (DB2TKLMV2)
v DB Remote Command Server (DB2TKLMV2)
v DB2DAS - DB2DAS00
When you have changed the passwords for all the services, restart the services.
The following services must be stopped and restarted, but the passwords need
not be changed:
v DB2 License Server (DB2TKLMV2)
v DB2 Management Service (DB2TKLMV2)
6. Start the Tivoli Integrated Portal.
7. Using the wsadmin interface that the WebSphere Application Server provides,
specify the Jython syntax.
wsadmin -username TIPAdmin -password mypwd -lang jython
8. Using the wsadmin command, change the password of the WebSphere
Application Server data source:
a. The following command lists JAASAuthData entries:
wsadmin>print AdminConfig.list('JAASAuthData')
The result might be:
(cells/TIPCell|security.xml#JAASAuthData_1228871756187)
(cells/TIPCell|security.xml#JAASAuthData_1228871757843)
b. Identify the data source ID with the alias that matches the string tklm_db.
Also identify the data source ID with the alias that matches the string
tklmdb:
print AdminConfig.showAttribute('JAASAuthData_list_entry', 'alias')
For example, type on one line:
print AdminConfig.showAttribute
('(cells/TIPCell|security.xml#JAASAuthData_1228871756187)', 'alias')
The result is:
tklm_db
Additionally, type on one line:
print AdminConfig.showAttribute
('(cells/TIPCell|security.xml#JAASAuthData_1228871757843)', 'alias')
The result is:
tklmdb
c. Change the password of the tklm_db alias, entering this command on one
line:
print AdminConfig.modify('JAASAuthData_list_entry',
'[[password newpassword]]')
If you specify special characters in the password, use quote marks as
delimiters when you specify the password value.
For example, type on one line:
print AdminConfig.modify
('(cells/TIPCell|security.xml#JAASAuthData_1228871756187)',
'[[password tucs0naz]]')
d. Change the password of the tklmdb alias that has the identifier
JAASAuthData_1228871757843:
print AdminConfig.modify('JAASAuthData_list_entry',
'[[password passw0rdc]]')
For example, type on one line:

Chapter 5. Installing on distributed systems 43


print AdminConfig.modify
(’(cells/TIPCell|security.xml#JAASAuthData_1228871757843)’,
’[[password tucs0naz]]’)
e. Save the changes:
print AdminConfig.save()
f. Stop and restart the Tivoli Key Lifecycle Manager server using the
stopServer and startServer commands.
Alternatively, stop and restart the Tivoli Key Lifecycle Manager server by
using Windows Computer Management.
1) Open the Control Panel and click Administrative Tools > Computer
Management > Services.
2) Stop and start the Tivoli Key Lifecycle Manager server service, which has
a name like Tivoli Integrated Portal - TIPProfile_Port_16310.
g. Verify that you can connect to the database using the WebSphere
Application Server data source.
1) First, type:
print AdminConfig.list('DataSource')
The result might be:
"TKLM DataSource(cells/TIPCell/nodes/TIPNode/
servers/server1|resources.xml#DataSource_1228871762031)"
"TKLM scheduler XA Datasource(cells/TIPCell/nodes/TIPNode/
servers/server1|resources.xml#DataSource_1228871766562)"
"Tivoli Common Reporting Data Source(cells/TIPCell|resources.xml#
DataSource_1227211230078)"
DefaultEJBTimerDataSource(cells/TIPCell/nodes/TIPNode/
servers/server1|resources.xml#DataSource_1000001)
ttssdb(cells/TIPCell|resources.xml#DataSource_1227211144390)
2) Test the connection on the first data source. For example, type:
print AdminControl.testConnection('TKLM DataSource(cells....)')
For example, type on one line:
print AdminControl.testConnection
('TKLM DataSource(cells/TIPCell/nodes/TIPNode/
servers/server1|resources.xml#DataSource_1228871762031)')
3) Test the connection on the remaining data source. For example, type:
print AdminControl.testConnection
('TKLM scheduler XA Datasource(cells/TIPCell/nodes/TIPNode/
servers/server1|resources.xml#DataSource_1228871766562)')
4) In both cases, you receive a message that the connection to the data
source was successful. For example:
WASX7217I: Connection to provided datasource was successful.
Now you can perform a Tivoli Key Lifecycle Manager operation such as
listing a keystore.

DB2 password security issues on systems such as Linux or AIX
On systems such as Linux or AIX, you might need to change the password for the
DB2 Administrator user ID. The login password for the DB2 Administrator user ID
and the DB2 password for the user ID must be the same.

The Tivoli Key Lifecycle Manager installation program installs DB2 and prompts
you for a password for the user named tklmdb2. Additionally, the
DB2 application creates an operating system user entry named tklmdb2. For
example, the password for this user might expire, requiring you to resynchronize
the password for both user IDs.

Before you can change the password of the DB2 Administrator user ID, you must
change the password for the system user entry. Take these steps:
1. Log on to Tivoli Key Lifecycle Manager server as root.
2. Change user to the tklmdb2 system user entry. Type:
su tklmdb2
3. Change the password. Type:
passwd
Specify the new password.
4. Exit back to root user.
exit
5. In the TIP_HOME/bin directory, use the wsadmin interface that the WebSphere
Application Server provides to specify the Jython syntax.
./wsadmin.sh -username TIPAdmin -password mypwd -lang jython
6. Change the password for the WebSphere Application Server data source:
a. The following command lists the JAASAuthData entries:
wsadmin>print AdminConfig.list('JAASAuthData')
The result might look like this example:
(cells/TIPCell|security.xml#JAASAuthData_1228871756187)
(cells/TIPCell|security.xml#JAASAuthData_1228871757843)
b. Type the AdminConfig.showall command for each entry, to locate the alias
tklm_db. For example, type on one line:
print AdminConfig.showall
('(cells/TIPCell|security.xml#JAASAuthData_1228871756187)')
The result is like this example:
{alias tklm_db}
{description "TKLM database user j2c authentication alias"}
{password *****}
{userId tklmdb2}
And also type on one line:
print AdminConfig.showall
('(cells/TIPCell|security.xml#JAASAuthData_1228871757843)')
The result is like this example:
{alias tklmdb}
{description "TKLM database user J2C authentication alias"}
{password *****}
{userId tklmdb2}
c. Change the password for the tklm_db alias that has the identifier
JAASAuthData_1228871756187:
print AdminConfig.modify('JAASAuthData_list_entry', '[[password passw0rdc]]')
For example, type on one line:
print AdminConfig.modify
('(cells/TIPCell|security.xml#JAASAuthData_1228871756187)',
'[[password tucs0naz]]')
d. Change the password for the tklmdb alias that has the identifier
JAASAuthData_1228871757843:
print AdminConfig.modify('JAASAuthData_list_entry', '[[password passw0rdc]]')
For example, type on one line:
print AdminConfig.modify
('(cells/TIPCell|security.xml#JAASAuthData_1228871757843)',
'[[password tucs0naz]]')
e. Save the changes:
print AdminConfig.save()
f. Exit back to root user.
exit
g. In the TIP_HOME/bin directory, stop the Tivoli Integrated Portal application.
For example, as TIPAdmin, type on one line:
stopServer.sh server1 -username tipadmin -password passw0rd
The result is like this example:
ADMU0116I: Tool information is being logged in file
//opt/IBM/tivoli/tiptklmV2/profiles/TIPProfile/logs/server1/stopServer.log
ADMU0128I: Starting tool with the TIPProfile profile
ADMU3100I: Reading configuration for server: server1
ADMU3201I: Server stop request issued. Waiting for stop status.
ADMU4000I: Server server1 stop completed.
h. Start the Tivoli Integrated Portal application. As the Tivoli Integrated Portal
administrator, type on one line:
startServer.sh server1
i. In the TIP_HOME/bin directory, use the wsadmin interface that the
WebSphere Application Server provides to specify the Jython syntax.
./wsadmin.sh -username tipadmin -password mypwd -lang jython
j. Verify that you can connect to the database using the WebSphere Application
Server data source.
1) First, query for a list of data sources. Type:
print AdminConfig.list('DataSource')
The result might be like this example:
"TKLM DataSource(cells/TIPCell/nodes/TIPNode/
servers/server1|resources.xml#DataSource_1228871762031)"
"TKLM scheduler XA Datasource(cells/TIPCell/nodes/TIPNode/
servers/server1|resources.xml#DataSource_1228871766562)"
"Tivoli Common Reporting Data Source(cells/TIPCell|resources.xml#
DataSource_1227211230078)"
DefaultEJBTimerDataSource(cells/TIPCell/nodes/TIPNode/
servers/server1|resources.xml#DataSource_1000001)
ttssdb(cells/TIPCell|resources.xml#DataSource_1227211144390)
2) Type:
print AdminControl.testConnection('TKLM DataSource(cells....)')
For example, type on one line:
print AdminControl.testConnection
('TKLM DataSource(cells/TIPCell/nodes/TIPNode/
servers/server1|resources.xml#DataSource_1228871762031)')
3) Test the connection on the remaining data source. For example, type:
print AdminControl.testConnection
('TKLM scheduler XA Datasource(cells/TIPCell/nodes/TIPNode/
servers/server1|resources.xml#DataSource_1228871766562)')
4) In both cases, you receive a message that the connection to the data
source was successful. For example:
WASX7217I: Connection to provided data source was successful.

Configuring middleware during installation
The installation wizard gathers configuration information for the Tivoli Integrated
Portal component of Tivoli Key Lifecycle Manager and for the embedded
WebSphere Application Server runtime environment.

Tivoli Key Lifecycle Manager makes modifications to Tivoli Integrated Portal that
might cause problems with products that use the same Tivoli Integrated Portal
when you uninstall Tivoli Key Lifecycle Manager. To avoid these issues:
v Do not install Tivoli Key Lifecycle Manager in another product's instance of
Tivoli Integrated Portal.
v Do not install another product in the instance of Tivoli Integrated Portal that
Tivoli Key Lifecycle Manager provides.

The installation requires answers for the following fields:


v Use only alphabetical characters (A-Z and a-z), numeric characters (0-9), and the
underscore character (_). The restriction also applies to the values in the
response file during silent installations.
The name string cannot contain leading and trailing spaces, and cannot contain
these characters:

/ forward slash
\ backslash
* asterisk
, comma
: colon
; semi-colon
= equal sign
+ plus sign
? question mark
| vertical bar
< left angle bracket
> right angle bracket
& ampersand (and sign)
% percent sign
' single quote mark
" double quote mark
]]> No specific name exists for this character combination.
. period (not valid if first character; valid if a later character)
# Hash mark
$ Dollar sign
~ Tilde
( Left parenthesis
) Right parenthesis
v Select a new location when you respond to a request for a location to install
Tivoli Integrated Portal.
If Tivoli Integrated Portal is already installed on the system, do not use an
existing Tivoli Integrated Portal profile.
Tivoli Integrated Portal Directory Name
Specifies the directory where you want to install Tivoli Integrated Portal.
Do not use spaces in the directory path.

User ID
Specifies the WebSphere Application Server login user ID for the Tivoli
Integrated Portal Administrator profile.

Note: Do not use tklmadmin in either lowercase or uppercase for the user
ID.
Password
Specifies the WebSphere Application Server password for the Tivoli
Integrated Portal profile.
Port Number
Specifies the WebSphere Application Server port for the Tivoli Integrated
Portal profile. Do not use a port value greater than 65520.
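The naming and value rules stated in the considerations at the start of this chapter, in "Configuring DB2 during installation", and in the field list above can all be checked before the installer is started, which matters because some of them (the locale, a mis-typed DB2 administrator ID) can only be corrected by uninstalling and starting again. The following added example is not a utility provided with Tivoli Key Lifecycle Manager; it encodes those rules as small functions and a preflight check over a dictionary of intended answers. The dictionary keys, the function names, the treatment of the dash rule per dot-separated domain label, and the lower bound of 1 on ports are this example's own assumptions.

```python
"""Pre-installation checks for the naming rules in this chapter.

Added example, not a utility shipped with Tivoli Key Lifecycle Manager.
It encodes the rules stated for host and domain names, installer field
values, paths, the DB2 administrator ID and password, Tivoli Integrated
Portal name strings and ports, so that intended answers can be screened
before the installer is started. The dictionary keys used by preflight()
are this example's own, not the response-file property names.
"""
import re

FIELD_RE = re.compile(r"^[A-Za-z0-9_]+$")       # ordinary installer fields
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]+$")     # host name: letters and digits only
# Domain name: letters, digits and a dash that does not begin or end the name.
# Assumption: the rule is applied to each dot-separated label.
DOMAIN_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")
DB2_RESERVED = ("db2", "users", "admins", "guests", "public", "private",
                "properties", "local", "root")
DB2_BAD_PREFIXES = ("ibm", "sql", "sys")
# Characters the guide lists as not allowed in a Tivoli Integrated Portal
# name string; the "]]>" sequence is covered because ">" alone is rejected.
TIP_FORBIDDEN = set('/\\*,:;=+?|<>&%\'"#$~()')
MAX_PORT = 65520


def check_hostname(host, domain=None):
    problems = []
    if not HOSTNAME_RE.match(host):
        problems.append("host name %r: only A-Z, a-z and 0-9 are allowed" % host)
    if host.lower().startswith(DB2_BAD_PREFIXES):
        problems.append("host name %r: DB2 rejects names starting with ibm, sql or sys" % host)
    if domain:
        for label in domain.split("."):
            if not DOMAIN_LABEL_RE.match(label):
                problems.append("domain label %r: letters, digits and an inner dash only" % label)
    return problems


def check_field(name, value):
    """Ordinary installer field: letters, digits and underscore only."""
    if FIELD_RE.match(value):
        return []
    return ["%s %r: only letters, digits and underscore are allowed" % (name, value)]


def check_path(name, path):
    return ["%s %r: paths must not contain spaces" % (name, path)] if " " in path else []


def check_db2_admin_id(user_id, existing_db2=False):
    # A domain-qualified ID such as DOMAIN\user already fails the field rule.
    problems = check_field("DB2 administrator ID", user_id)
    if len(user_id) > 8:
        problems.append("DB2 administrator ID %r: longer than 8 characters" % user_id)
    if user_id.lower() in DB2_RESERVED:
        problems.append("DB2 administrator ID %r: DB2 reserved word" % user_id)
    if existing_db2 and ("-" in user_id or "_" in user_id):
        problems.append("DB2 administrator ID %r: no hyphen or underscore "
                        "when reusing an existing copy of DB2" % user_id)
    return problems


def check_db2_password(password):
    return ["DB2 administrator password: longer than 20 characters"] if len(password) > 20 else []


def check_tip_name(name, value):
    problems = []
    if value != value.strip():
        problems.append("%s %r: leading or trailing spaces" % (name, value))
    bad = sorted(set(c for c in value if c in TIP_FORBIDDEN))
    if bad:
        problems.append("%s %r: characters not allowed: %s" % (name, value, " ".join(bad)))
    if value.startswith("."):
        problems.append("%s %r: a period is not valid as the first character" % (name, value))
    return problems


def check_tip_admin_id(user_id):
    problems = check_tip_name("Tivoli Integrated Portal user ID", user_id)
    if user_id.lower() == "tklmadmin":
        problems.append("Tivoli Integrated Portal user ID: tklmadmin is not allowed")
    return problems


def check_port(name, port):
    # Upper bound from the guide; the lower bound is ordinary TCP validity.
    if 1 <= port <= MAX_PORT:
        return []
    return ["%s port %d: must be between 1 and %d" % (name, port, MAX_PORT)]


def preflight(answers):
    """Run every check over a dictionary of intended installer answers."""
    problems = []
    problems += check_hostname(answers["host"], answers.get("domain"))
    problems += check_db2_admin_id(answers["db2_admin"], answers.get("existing_db2", False))
    problems += check_db2_password(answers["db2_password"])
    problems += check_path("DB2 directory", answers["db2_dir"])
    problems += check_path("Tivoli Integrated Portal directory", answers["tip_dir"])
    problems += check_tip_admin_id(answers["tip_admin"])
    problems += check_port("DB2", answers["db2_port"])
    problems += check_port("Tivoli Integrated Portal", answers["tip_port"])
    return problems
```

Every check returns a list rather than raising, so a single run reports all violations at once instead of stopping at the first, which is what you want when reviewing a response file for a fleet of identical installs.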

Migrating an Encryption Key Manager configuration


Installation provides the only opportunity to migrate an existing Encryption Key
Manager configuration to Tivoli Key Lifecycle Manager.

Before you begin, obtain the password to log in to the Encryption Key Manager
server.

To migrate an existing configuration, select this option:


Migrate Encryption Key Manager
Check this box if you have an old Encryption Key Manager properties file
to migrate to Tivoli Key Lifecycle Manager. If you select the check box, you
must specify the properties file from the previous Encryption Key Manager
system.

You can migrate from Version 2.1 of Encryption Key Manager.

Encryption Key Manager must not be active when you are doing the migration. To
stop a running Encryption Key Manager process, complete these steps:
1. Start an administrative session. At Version 2.1, enter this command:
java com.ibm.keymanager.KMSAdminCmd KeyManagerConfig.properties -i
2. After the administrative session starts, complete these steps:
a. Authenticate to the Encryption Key Manager server using the login
command. Type:
login -ekmuser EKMAdmin -password password
b. Stop the server. Type:
stopekm
3. Exit the session.

For additional restrictions on migration, see Chapter 3, “Migration planning,” on
page 21.

Resetting a password on distributed systems


To reset a password for the Tivoli Key Lifecycle Manager or Tivoli Integrated
Portal administrator, take these steps as administrator on the computer on which
Tivoli Key Lifecycle Manager runs. Use these steps only when the password of the
user is lost. In all other cases, use the graphical user interface to update the
password.

1. Log in using the TIPAdmin user ID.
2. Back up the TIP_HOME/profiles/TIPProfile/config/cells/TIPCell/
fileRegistry.xml file. Changing the value of the password changes this
registry file.
3. Change the password.
v Windows systems
a. Start a wsadmin session using the Jython syntax. For example, type:
TIP_HOME/bin/wsadmin -conntype none -profileName TIPProfile -lang jython
b. Reset the password for the TKLMAdmin user ID:
wsadmin>print AdminTask.changeFileRegistryAccountPassword
('-userId TKLMAdmin -password newpassword')

Note:
– Only the TIPAdmin user ID or another user ID with Tivoli Integrated
Portal administrator authority can change passwords using the
AdminTask.changeFileRegistryAccountPassword command.
– Passwords that you create using the
AdminTask.changeFileRegistryAccountPassword command are not
validated against the configured password policy that Tivoli Key
Lifecycle Manager provides.
After a lost password reset, the user must set the password using the
graphical user interface.
c. Save the change and exit:
wsadmin>print AdminConfig.save()
wsadmin>exit
v Systems such as Linux or AIX
a. Start a wsadmin session using the Jython syntax. For example, type on
one line:
TIP_HOME/bin/wsadmin.sh -conntype none
-profileName TIPProfile -lang jython
b. Reset the password for the TKLMAdmin user ID:
wsadmin>print AdminTask.changeFileRegistryAccountPassword
('-userId TKLMAdmin -password newpassword')

Note:
– Only the TIPAdmin user ID or another user ID with Tivoli Integrated
Portal administrator authority can change passwords using the
AdminTask.changeFileRegistryAccountPassword command.
– Passwords that you create using the
AdminTask.changeFileRegistryAccountPassword command are not
validated against the configured password policy that Tivoli Key
Lifecycle Manager provides.
After a lost password reset, the user must set the password using the
graphical user interface.
c. Save the change and exit:
wsadmin>print AdminConfig.save()
wsadmin>exit
4. Stop and start the server.
v Stop
On Windows systems:
stopServer.bat server1

On systems such as Linux or AIX:
./stopServer.sh server1
v Start
On Windows systems:
startServer.bat server1
On systems such as Linux or AIX:
./startServer.sh server1
5. Verify that you can log in as the specified administrator using the new
password.

Chapter 6. Uninstalling on distributed systems
On distributed systems, uninstalling Tivoli Key Lifecycle Manager has these
considerations:
v If the keystore file is stored under TIP_HOME, and you want to save a copy of
it, you must back up the keystore file to another directory before uninstalling
Tivoli Key Lifecycle Manager. For more information on TIP_HOME, see
“Definitions for HOME and other directory variables” on page xiii.
v The default uninstallation mode is the same as the mode used to install Tivoli
Key Lifecycle Manager. You can also uninstall using a different mode. For more
information, see “Syntax and parameters for the uninstallation program.”
v Uninstalling Tivoli Key Lifecycle Manager does not uninstall DB2. This is a
separate, optional step. For information, see “Uninstalling DB2” on page 59.
In addition, although uninstalling Tivoli Key Lifecycle Manager disassociates the
DB2 database instance from the user ID used for the Tivoli Key Lifecycle
Manager DB2 instance owner, the deletion of the user ID is a separate step. For
information, see “Removing the user ID of the DB2 instance owner” on page 61.
Unsuccessful uninstallation might indicate the need to return to a known state of
Tivoli Key Lifecycle Manager Version 1. For more information, see “Reinstalling
Version 1 if migration repeatedly fails” on page 56.
v After you start the uninstallation program, an error occurs if you click Previous
on the page on which you enter the TIPAdmin user ID and password, and then
click Next.
An incorrect, masked password is in the password field on the page. Retype the
correct password in the field to continue with a successful uninstall process.

Syntax and parameters for the uninstallation program


The syntax of the uninstall command is:
uninstall [ -i { gui | console | silent [ -f full_path_to_response_file] } ]

Where uninstall is
uninstall.exe on Windows systems
uninstall.sh on systems such as Linux or AIX

The parameters for the uninstall command are:


-i option
Optional. If you do not use the -i parameter, the default is the mode in
which you installed. Indicates the type of uninstallation to run. The options
are:
gui Interactive uninstallation, using a graphical wizard.
console
Interactive uninstallation, using a scrolling, console interface.
silent Noninteractive uninstallation, using a response file for the
uninstallation options.
-f full_path_to_response_file
Required if silent mode is selected. Specifies the full path and file name for
the response file containing the uninstallation options to use during the
silent uninstallation. For example, on a Windows system:
uninstall.exe -i silent -f C:\your_directory\responses.rsp

Uninstalling on Windows systems


To uninstall Tivoli Key Lifecycle Manager on a Windows system, take these steps:
1. Remove the Tivoli Key Lifecycle Manager DB2 instance owner. Removing the
DB2 instance owner also drops the instance.
In a command prompt window, enter this command:
cd TIP_HOME\products\tklm\_uninst
removeDB2Inst.bat
2. Run the uninstallation program.
In a command prompt window, enter these commands:
cd TIP_HOME\_uninst\TIPInstall
uninstall.exe

Enter the user name and password for the Tivoli Integrated Portal
administrator when prompted.

Note: If no mode of uninstallation is specified with the -i option, the
uninstaller uses the same mode that the installation used. To ensure the mode
that you want, specify the -i option with a value of console, gui, or silent.
When you specify silent, use the -f option to point to the full path of your
uninstall response file. Pointing to an incorrect uninstall response file for a
silent uninstall can cause an incomplete uninstall.
3. If there are no other products using Tivoli Integrated Portal, remove the
TIP_HOME directory.
4. Remove the installation log files in this directory:
v Windows Server 2003: C:\Documents and Settings\installation_userid
v Windows Server 2008: C:\Users\installation_userid
The filenames start with "IA" and have an extension of ".log" (that is IA*.log).
The directory name is the user ID of the user that installed Tivoli Key Lifecycle
Manager, typically Administrator. For example:
v Windows Server 2003:
del "C:\Documents and Settings\Administrator\IA*.log"
v Windows Server 2008:
del C:\Users\Administrator\IA*.log
Remove these installation log files, if they still exist, by running the following
commands:
rmdir /S C:\tklmV2properties

del C:\tklm_install.stderr
5. Restart the computer.
6. Validate that the DB2 services that are associated with Tivoli Key Lifecycle
Manager are disabled from starting automatically after each system restart.
See “Disabling automatic services” on page 62 for steps to ensure that the DB2
services associated with Tivoli Key Lifecycle Manager are disabled.

Recovering from a failed uninstallation on Windows systems
You might need to recover a failed attempt to uninstall Tivoli Key Lifecycle
Manager on a Windows system.

About this task

This task assumes that the uninstallation program failed to complete successfully.
Take these recovery steps:
1. Stop the Tivoli Integrated Portal service.
a. Open the Windows Services Console by opening the Control Panel and
clicking Administrative Tools > Services.
b. Locate the Tivoli Integrated Portal service:
Tivoli Integrated Portal - TIPProfile_Port_port_number
For example, Tivoli Integrated Portal - TIPProfile_Port_16310
c. Open the Properties dialog box for the service. If the Service status is not
Stopped, click Stop.
d. Click OK to close the dialog box and exit the Services Console.
If you cannot stop the service from inside the Windows Service Console, open a
command prompt window and enter these commands to stop the service
manually:
cd TIP_HOME\bin
WASService -stop TIPProfile_Port_port_number
2. Remove the Tivoli Integrated Portal service, if it has not already been removed.
Open a command prompt window and enter these commands:
cd TIP_HOME\bin
WASService -remove TIPProfile_Port_port_number

If the TIP_HOME or TIP_HOME\bin directories have already been removed,
skip this step.
3. Enter the following commands to remove the Tivoli Key Lifecycle Manager
information from the Deployment Engine database:
cd TIP_HOME\products\tklm\_uninst
removeDEInfo.bat RemoveTIP TIP_HOME
To validate that the removeDEInfo command removed the information, run
this command:
C:\Program Files\IBM\Common\acsi\bin\listIU
The output should be like this example:
IU UUID: DDCE934782398B3E81431666515AC8B5
Name: DE Extensions Interfaces CLI IU Version: 1.4.0.6
IU UUID: C37109911C8A11D98E1700061BDE7AEA
Name: Deployment Engine IU Version: 1.4.0.6
IU RootIU UUID: D94240D11C8B11D99F2D00061BDE7AEA
Name: Install IU Version: 1.4.0.6
You might find that these entries are also present:
IU UUID: AF474CF431584795AC18AE267A4FD2AC
Name: SIU-TKLMVMMPasswordPolicyPlugin Version: 2.0.0.0
IU RootIU UUID: A872CDD2AF33494887A89F4978170A49
Name: TKLMVMMPasswordPolicyPlugin Version: 2.0.0.0
Remove them by running this command on one line:
C:\Program Files\IBM\Common\acsi\bin\manageIU.bat -o delete -r tip_home
-d RootIUTypeID[A872CDD2AF33494887A89F4978170A49,2.0.0.0]
For example, type on one line:
C:\Program Files\IBM\Common\acsi\bin\manageIU.bat -o delete
-r C:\ibm\tivoli\tiptklmV2
-d RootIUTypeID[A872CDD2AF33494887A89F4978170A49,2.0.0.0]
4. If there are no other products using the Deployment Engine, uninstall the
Deployment Engine. To uninstall the Deployment Engine, open a command
prompt window and run the following commands:
"C:\Program Files\IBM\Common\acsi\setenv.cmd"
"C:\Program Files\IBM\Common\acsi\bin\si_inst.bat" -r -f
rmdir /s "C:\Program Files\IBM\Common\acsi"

Note: After running these commands, verify that the directory has been
removed. If a Deployment Engine process is running at the time you perform
this step, it might be necessary to restart the computer, then repeat this step.
5. If there are no other products using Tivoli Integrated Portal, remove the
TIP_HOME directory.
6. Remove the installation log files in this directory:
v Windows Server 2003: C:\Documents and Settings\installation_userid
v Windows Server 2008: C:\Users\installation_userid
The filenames start with "IA" and have an extension of ".log" (that is IA*.log).
The directory name is the user ID of the user that installed Tivoli Key Lifecycle
Manager, typically Administrator. For example:
v Windows Server 2003:
del "C:\Documents and Settings\Administrator\IA*.log"
v Windows Server 2008:
del C:\Users\Administrator\IA*.log
Remove these installation log files, if they still exist, by running the following
commands:
rmdir /S C:\tklmV2properties

del C:\tklm_install.stderr
del C:\tklm_install.stdout
7. Configure the DB2 services associated with Tivoli Key Lifecycle Manager to
disable them from starting automatically after each system restart. See
“Disabling automatic services” on page 62 for details.
8. Restart the computer.

Uninstalling on systems such as Linux and AIX


To uninstall Tivoli Key Lifecycle Manager on a system such as Linux or AIX, take
these steps.
1. Log in as root.
2. Remove the Tivoli Key Lifecycle Manager DB2 instance owner. Removing the
DB2 instance owner also drops the instance.
In a command prompt window, enter this command:
cd TIP_HOME/products/tklm/_uninst
./removeDB2Inst.sh
3. Run the uninstallation program.
v Using an SSH or telnet session:
cd TIP_HOME/_uninst/TIPInstall
./uninstall -i console
You are prompted for the necessary information using console panels.
v Using the graphical user interface:
cd TIP_HOME/_uninst/TIPInstall
./uninstall

Enter the user name and password for the Tivoli Integrated Portal
administrator when prompted.

Note: If no mode of uninstallation is specified with the -i option, the
uninstaller uses the same mode that the installation used. To ensure the mode
that you want, specify the -i option with a value of console, gui, or silent.
When you specify silent, use the -f option to point to the full path of your
uninstall response file. Pointing to an incorrect uninstall response file for a
silent uninstall can cause an incomplete uninstall.
4. If there are no other products using Tivoli Integrated Portal, remove the
TIP_HOME directory.
5. Remove the installation log files, if they still exist, using the following
commands:
rm -rf /tklmV2properties
rm /tklm_install.stderr
rm ~root/IA*.log
6. Restart the computer.

Recovering from a failed uninstallation on systems such as Linux and AIX
You might need to recover a failed attempt to uninstall Tivoli Key Lifecycle
Manager on a system such as Linux or AIX. To do so, perform these steps.

About this task

This task assumes that the uninstallation program failed to complete successfully.
Take these recovery steps:
1. Log in as root.
2. Remove the Tivoli Key Lifecycle Manager information from the Deployment
Engine database:
a. Run these commands:
cd TIP_HOME/products/tklm/_uninst
./removeDEInfo.sh RemoveTIP TIP_HOME
These scripts can take several minutes to complete.
b. Validate that the removeDEInfo command removed the information by
running this command:
/usr/ibm/common/acsi/bin/listIU.sh
The output should be like this example:
IU UUID: DDCE934782398B3E81431666515AC8B5
Name: DE Extensions Interfaces CLI IU Version: 1.4.0.6
IU UUID: C37109911C8A11D98E1700061BDE7AEA
Name: Deployment Engine IU Version: 1.4.0.6
IU RootIU UUID: D94240D11C8B11D99F2D00061BDE7AEA
Name: Install IU Version: 1.4.0.6
You might find that these entries are also present:
IU UUID: AF474CF431584795AC18AE267A4FD2AC
Name: SIU-TKLMVMMPasswordPolicyPlugin Version: 2.0.0.0
IU RootIU UUID: A872CDD2AF33494887A89F4978170A49
Name: TKLMVMMPasswordPolicyPlugin Version: 2.0.0.0
Remove them by running this command on one line:
/usr/ibm/common/acsi/bin/manageIU.sh -o delete -r tip_home
-d RootIUTypeID[A872CDD2AF33494887A89F4978170A49,2.0.0.0]
For example, type on one line:
/usr/ibm/common/acsi/bin/manageIU.sh -o delete -r /opt/IBM/tivoli/tiptklmV2
-d RootIUTypeID[A872CDD2AF33494887A89F4978170A49,2.0.0.0]
3. If there are no other products using the Deployment Engine, uninstall the
Deployment Engine.
To uninstall the Deployment Engine, run the following commands:
. /var/ibm/common/acsi/setenv.sh
/usr/ibm/common/acsi/bin/si_inst.sh -r -f
rm -rf /usr/ibm/common/acsi
rm -rf /var/ibm/common/acsi

Note: After running these commands, verify that the directory has been
removed. If a Deployment Engine process is running at the time you perform
this step, it might be necessary to restart the computer, then repeat this step.
4. If there are no other products using Tivoli Integrated Portal, remove the
TIP_HOME directory.
5. Remove the installation log files, if they still exist, using the following
commands:
rm -rf /tklmV2properties

rm /tklm_install.stderr
rm /tklm_install.stdout
rm ~root/IA*.log
6. Configure the DB2 services associated with Tivoli Key Lifecycle Manager to
disable them from starting automatically after each system restart. See
“Disabling automatic services” on page 62 for details.
7. Restart the computer.
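As an added example that is not part of the guide and not IBM's code, the following POSIX shell functions automate the check in step 2b above: they read the text that listIU.sh prints, pick out any root IU that belongs to the TKLMVMMPasswordPolicyPlugin, and assemble the manageIU.sh removal command shown above. The sample listIU output is constructed from the example in this section, and the TIP_HOME path is the default used in this chapter. The script only prints the removal command; it does not run it.

```shell
#!/bin/sh
# Added example, not IBM's code: detect Tivoli Key Lifecycle Manager entries
# left in the Deployment Engine database after removeDEInfo.sh has run.

# Read listIU.sh output on stdin; print "UUID,VERSION" for every root IU
# whose Name line mentions the TKLMVMMPasswordPolicyPlugin.
leftover_tklm_root_ius() {
    awk '
        /^IU RootIU UUID:/ { uuid = $4; next }   # root IU: remember its UUID
        /^IU UUID:/        { uuid = ""; next }   # ordinary IU: not a RootIUTypeID target
        /^Name:/ && uuid != "" {
            if ($0 ~ /TKLMVMMPasswordPolicyPlugin/) {
                print uuid "," $NF               # last field is the version
            }
            uuid = ""
        }
    '
}

# Assemble (but do not run) the removal command for one "UUID,VERSION" pair.
manageiu_delete_cmd() {
    tip_home=$1
    uuid=${2%%,*}
    version=${2#*,}
    printf '%s\n' "/usr/ibm/common/acsi/bin/manageIU.sh -o delete -r $tip_home -d RootIUTypeID[$uuid,$version]"
}

# Constructed sample, modelled on the listIU output shown in this chapter.
SAMPLE_LISTIU='IU UUID: DDCE934782398B3E81431666515AC8B5
Name: DE Extensions Interfaces CLI IU Version: 1.4.0.6
IU UUID: C37109911C8A11D98E1700061BDE7AEA
Name: Deployment Engine IU Version: 1.4.0.6
IU RootIU UUID: D94240D11C8B11D99F2D00061BDE7AEA
Name: Install IU Version: 1.4.0.6
IU UUID: AF474CF431584795AC18AE267A4FD2AC
Name: SIU-TKLMVMMPasswordPolicyPlugin Version: 2.0.0.0
IU RootIU UUID: A872CDD2AF33494887A89F4978170A49
Name: TKLMVMMPasswordPolicyPlugin Version: 2.0.0.0'

# Stand-alone demonstration: print the removal command for each leftover root IU.
printf '%s\n' "$SAMPLE_LISTIU" | leftover_tklm_root_ius | while read -r pair; do
    manageiu_delete_cmd /opt/IBM/tivoli/tiptklmV2 "$pair"
done
```

On a real system, pipe the output of /usr/ibm/common/acsi/bin/listIU.sh into leftover_tklm_root_ius instead of the sample; an empty result means removeDEInfo.sh left nothing behind.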

Reinstalling Version 1 if migration repeatedly fails


If migration from Version 1 to Version 2 repeatedly fails, the previous Tivoli Key
Lifecycle Manager Version 1 on the computer might be in an unknown state. You
might need to reinstall Tivoli Key Lifecycle Manager Version 1, apply the most
current backup, and again install Version 2.

Take these steps to determine the level of DB2 that is associated with the Tivoli
Key Lifecycle Manager database and run removeDB2Inst scripts from either
Version 1 or Version 2:
1. Determine the level of DB2 that is associated with the Tivoli Key Lifecycle
Manager database:
Windows systems:
a. Start a DB2 command line processor for DB2 by clicking Start > All
Programs >IBM DB2 > DB2TKLMV2.
b. Type these commands:
set DB2INSTANCE=tklmdb2
db2ilist
where tklmdb2 is the instance owner name.

If the output shows DB2 Version 9.7, the Tivoli Key Lifecycle
Manager database instance has migrated to DB2 Version 9.7.
Otherwise, the database instance is still associated with DB2 Version
9.1.

Note: If you installed DB2 Version 9.7 without using the Tivoli Key
Lifecycle Manager installation program, then you might not have
DB2TKLMV2. Use the appropriate copy of DB2 from the Start menu.
Systems such as AIX or Linux:
Run the following commands to determine the level of DB2:
a. Source the db2profile:
. ~tklmdb2/sqllib/db2profile
where tklmdb2 is the database instance owner.
b. Run the db2level command to identify the level of DB2:
db2level
If the output shows DB2 Version:
v 9.1, the instance is still associated with DB2 Version 9.1.
v 9.5 or 9.7, the instance has migrated to DB2 Version 9.5 or 9.7.
2. Take one of these actions:
v If Tivoli Key Lifecycle Manager is currently at DB2 Version 9.1, go to step 3.
v If Tivoli Key Lifecycle Manager is at DB2 Version 9.5 or 9.7, remove the DB2
instance for Tivoli Key Lifecycle Manager Version 2. Run the removeDB2Inst
script that is located in the TKLM_HOME\_uninst directory.
Windows systems:
removeDB2Inst.bat
Systems such as AIX or Linux:
removeDB2Inst.sh
3. Uninstall Tivoli Key Lifecycle Manager Version 2 by following the steps in
Chapter 6, “Uninstalling on distributed systems,” on page 51. During the
uninstallation:
v Follow the instructions to remove DB2 Version 9.5 or DB2 Version 9.7. If you
find no copy of DB2, installation failed for Tivoli Key Lifecycle Manager
Version 2.
v Do not remove the DB2 instance owner until after you remove Version 1 of
Tivoli Key Lifecycle Manager.
4. If you determined that Tivoli Key Lifecycle Manager is at DB2 Version 9.1,
remove the DB2 instance for Tivoli Key Lifecycle Manager Version 1 by
running the removeDB2Inst script that is located in the TKLM_HOME\_uninst
directory. For example, type:
v Windows systems:
removeDB2Inst.bat
v Systems such as Linux or AIX:
removeDB2Inst.sh
5. Obtain the following Tivoli Key Lifecycle Manager Version 1 information and
files:
v Administrative user IDs and passwords
v Most current fix pack
v Most current backup and password

6. Uninstall Tivoli Key Lifecycle Manager Version 1, using the steps to uninstall
on distributed systems that are available at http://publib.boulder.ibm.com/
infocenter/tivihelp/v2r1/topic/com.ibm.tklm.doc/install/cpt/
cpt_insguide_uninstalling.html.

Note: During the uninstall of Tivoli Key Lifecycle Manager, Version 1, ignore
the instructions to remove the DB2 instance owner. The instance owner is
removed either during step 2 on page 57 or step 4 on page 57.
7. Remove the copy of DB2 and also remove the DB2 instance owner that was
created during installation of Tivoli Key Lifecycle Manager Version 1 by
following the steps in http://publib.boulder.ibm.com/infocenter/tivihelp/
v2r1/topic/com.ibm.tklm.doc/install/cpt/cpt_insguide_uninstalling_db2.html.
As you remove the DB2 instance owner, you must also manually delete the
instance owner home directory. For example, if the instance owner is tklmdb2,
remove the /home/tklmdb2 directory. Type:
rm -rf /home/tklmdb2
8. Locate and use the installation steps in the Version 1 information center
available at http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/
com.ibm.tklm.doc/welcome.htm, including:
v Planning the installation
v Installing Tivoli Key Lifecycle Manager on distributed systems
v Applying the fix pack used before the most current backup
v Verifying the installation, in the post-installation steps
v Restoring the most current backup that was previously taken at the same
level of fix pack
9. After restoring the most current backup, validate that Tivoli Key Lifecycle
Manager Version 1 is running correctly.
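As an added example that is not part of the guide, the following POSIX shell functions make the decision in steps 1 and 2 of this procedure scriptable on systems such as Linux or AIX: one extracts the DB2 version from the text that the db2level command prints, the other maps it to the recovery path the procedure calls for. The sample db2level output is constructed; the instance owner name tklmdb2 and its home directory /home/tklmdb2 are the defaults used in this guide.

```shell
#!/bin/sh
# Added example, not IBM's code: choose the recovery path from db2level output.

# Read db2level output on stdin and print the DB2 version as "major.minor",
# taken from the "Informational tokens" line, e.g. "DB2 v9.7.0.0" -> 9.7.
db2_version_from_db2level() {
    sed -n 's/.*"DB2 v\([0-9][0-9]*\.[0-9][0-9]*\)[0-9.]*".*/\1/p' | head -n 1
}

# Print "v1" when the instance is still at DB2 9.1 (continue with step 3),
# "v2" when it has migrated to 9.5 or 9.7 (run removeDB2Inst.sh first).
# Any other version prints "unknown" and returns status 1.
recovery_path_for_db2_version() {
    case $1 in
        9.1)     echo v1 ;;
        9.5|9.7) echo v2 ;;
        *)       echo unknown; return 1 ;;
    esac
}

# Run the real check on this host (step 1 of the procedure).  Needs DB2 and
# the instance owner to exist, so the stand-alone demonstration does not call it.
recovery_path_on_this_host() {
    owner=${1:-tklmdb2}
    home=${2:-/home/$owner}
    . "$home/sqllib/db2profile"
    version=$(db2level | db2_version_from_db2level)
    recovery_path_for_db2_version "$version"
}

# Constructed sample in the format db2level prints.
SAMPLE_DB2LEVEL='DB21085I  Instance "tklmdb2" uses "64" bits and DB2 code release "SQL09070" with level identifier "08010107".
Informational tokens are "DB2 v9.7.0.0", "s090521", "LINUXAMD64970", and Fix Pack "0".
Product is installed at "/opt/IBM/db2tklmV2".'

# Stand-alone demonstration on the sample.
v=$(printf '%s\n' "$SAMPLE_DB2LEVEL" | db2_version_from_db2level)
echo "DB2 version $v -> recovery path $(recovery_path_for_db2_version "$v")"
```

Use recovery_path_on_this_host tklmdb2 as root on the system being recovered; it sources the instance owner's db2profile exactly as step 1a does before calling db2level.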

Chapter 7. Optionally removing DB2 and disabling services
After uninstalling Tivoli Key Lifecycle Manager, you have the option of leaving
DB2 installed or uninstalling the program. You might also ensure that related
automatic startup services are disabled.

Uninstalling DB2
After uninstalling Tivoli Key Lifecycle Manager, you have the option of leaving
DB2 installed or uninstalling the program.

If you choose to leave DB2 installed, you have the option of keeping or removing
the Tivoli Key Lifecycle Manager DB2 instance owner. Unless you have a specific
reason for keeping the instance owner, such as keeping a connection to a database,
disassociate the user ID from the DB2 database instance. For more information, see
“Disassociating a user ID from the DB2 instance” on page 60.

If you choose to uninstall DB2, follow these steps:


Windows systems:
Open the Control Panel.
v Windows Server 2003: Click Add or Remove Programs.
v Windows Server 2008: Click Programs and Features.
Locate the entry for DB2, and click Remove to uninstall it.

Note: After uninstalling DB2, additional steps might be required to finish
removing DB2 artifacts.
1. To delete the user ID that was used for the Tivoli Key Lifecycle
Manager DB2 instance owner, open the Control Panel and click
Administrative tools > Computer Management > Local Users and
Groups > Users.
Review the list of user IDs. If the user ID for the Tivoli Key Lifecycle
Manager DB2 instance owner still exists, delete it.
Close the Computer Management console.
2. Review the entries and verify that the entries for the DB2 ports have
been removed from the C:\WINDOWS\system32\drivers\etc\services
file. Edit the file and search for the port numbers used by DB2. If any
are found, remove the entries from the file.
3. Open the Control Panel and click Administrative Tools > Computer
Management > Services. Review the list of services and verify that the
DB2 related service entries have been removed. Close the Services
console when you are finished.
4. Remove the DB2 installation directory if the directory is not already
removed.
For additional information on uninstalling DB2 on Windows systems see
http://publib.boulder.ibm.com/infocenter/db2luw/v9/index.jsp?topic=/
com.ibm.db2.udb.uprun.doc/doc/t0007436.htm.
AIX and Linux systems:
1. Log in as the root user.

2. Remove the user ID of the Tivoli Key Lifecycle Manager DB2 instance
owner:
a. Change to the user ID of the Tivoli Key Lifecycle Manager DB2
instance owner, run the db2istop command for the instance owner
user ID and exit back to the root user ID:
su - tklm_instance_owner_userid

cd DB_HOME/instance
./db2istop tklm_instance_owner_userid /home/tklm_instance_owner_userid

exit
b. Run the db2idrop command on the instance owner user ID:
cd DB_HOME/instance
./db2idrop tklm_instance_owner_userid
c. Remove the user ID from the system:
userdel -r tklm_instance_owner_userid
3. Remove DB2 from the system:
cd DB_HOME/install/
./db2_deinstall -a
4. Edit the services file:
vi /etc/services

Locate the port numbers used by DB2, and remove the entries from the
file.
5. Remove the DB2 installation directory if it has not already been
removed.
For additional information on uninstalling DB2 on systems such as Linux
and AIX, see http://publib.boulder.ibm.com/infocenter/db2luw/v9/
index.jsp?topic=/com.ibm.db2.udb.uprun.doc/doc/t0007439.htm.
Below is an example of the steps involved, using the default DB2 instance
owner user ID, tklmdb2, and the default DB2 directory,
/opt/IBM/db2tklmV2.
Starting as root, type:
su - tklmdb2
cd /opt/IBM/db2tklmV2/instance
./db2istop tklmdb2 /home/tklmdb2
exit
# Exit back to root.
cd /opt/IBM/db2tklmV2/instance
./db2idrop tklmdb2
userdel -r tklmdb2
cd /opt/IBM/db2tklmV2/install
./db2_deinstall -a
vi /etc/services
# Locate and remove the DB2 port entries in the services file.
rm -rf /opt/IBM/db2tklmV2

Disassociating a user ID from the DB2 instance


If you want to disassociate a user ID from the Tivoli Key Lifecycle Manager DB2
instance, follow these steps.

If the user ID has already been disassociated from the DB2 instance, a step might
return a message that the user was not found. If this occurs, continue with the next
step.
v Windows systems:

1. Open the Windows Services console, and stop the DB2 service for the Tivoli
Key Lifecycle Manager instance owner.
To locate the DB2 instance service, search the list of services for services
whose names begin with "DB2." The entry for the instance service contains
the user ID of the Tivoli Key Lifecycle Manager DB2 instance owner as part
of the service name. For example, DB2 - tklmdb2 - DB2-0.
Open the properties dialog for the service and set the Service status to
Stopped, and the Startup type to Manual.
2. Click Start > Programs > IBM DB2 > instance_owner > Command Line
Tools > Command Window to open the DB2 Command Window, and enter:
db2 drop db databasename
db2idrop tklm_instance_owner_userid
3. If the C:\tklm_instance_owner_user_id directory still exists, remove it:
del /s /q C:\tklm_instance_owner_user_id
v AIX and Linux systems:
Log in as the root user, and follow these steps.
1. Change to the user ID of the Tivoli Key Lifecycle Manager DB2 instance
owner, run the db2istop command for the instance owner user ID and exit
back to the root user ID:
su - tklm_instance_owner_userid

cd DB_HOME/instance
./db2istop tklm_instance_owner_userid /home/tklm_instance_owner_userid

exit
2. Run the db2idrop command on the instance owner user ID:
cd DB_HOME/instance
./db2idrop tklm_instance_owner_userid
3. If the tklm_instance_owner_user_id/sqllib directory still exists, remove it:
rm -rf tklm_instance_owner_user_id/sqllib

Removing the user ID of the DB2 instance owner


To remove the user ID that was used as the Tivoli Key Lifecycle Manager DB2
instance owner, use the user management utilities of the operating system to delete
the user ID.

Before deleting a user ID that has been used as the instance owner for the Tivoli
Key Lifecycle Manager databases, ensure that the user ID is no longer associated
with the DB2 instance.

Follow the steps in “Disassociating a user ID from the DB2 instance” on page 60. If
the user ID has already been disassociated from the DB2 instance, a step might
return a message that the user was not found. If this occurs, continue with the next
step.

After verifying that the user ID is not associated with the DB2 database instance,
follow these steps to remove the user ID from the system:
v Windows systems:
Use the user management tool for the version of Windows you are running to
delete the DB2 administrative user from the system. For example, on some
versions of Windows, perform these steps:
1. Open the Control Panel.

2. Click Administrative tools > Computer Management > Local Users and
Groups > Users.
3. Delete the user from the system.
v AIX and Linux systems:
Log in as the root user, and enter this command to remove the user ID:
userdel -r tklm_instance_owner_userid

Disabling automatic services


The Tivoli Key Lifecycle Manager uninstall process disables the DB2 and Tivoli
Integrated Portal services associated with Tivoli Key Lifecycle Manager. To correct
error conditions, you might also need to ensure that these services are disabled.

Windows systems

On Windows systems, use the Windows Services console to prevent the DB2 and
Tivoli Integrated Portal services associated with Tivoli Key Lifecycle Manager from
starting automatically.

Open the Windows Services console and locate the services in the following list.
For each service in the list, open the Properties dialog box for the service, and
ensure that the Startup Type is set to Disabled, and the Service status field is set
to Stopped.
DB2 - db2 copy name - DB2–n
For example, DB2 - DB2TKLMV2 - DBTKLM20
DB2 - db2 copy name - TKLM_INSTANCE_OWNER
For example, DB2 - DB2TKLMV2 - TKLMDB2
DB2 Governor (db2 copy name)
For example, DB2 Governor (DB2TKLMV2)
DB2 License Server (db2 copy name)
For example, DB2 License Server (DB2TKLMV2)
DB2 Management Service (db2 copy name)
For example, DB2 Management Service (DB2TKLMV2)
DB2 Remote Command Server (db2 copy name)
For example, DB2 Remote Command Server (DB2TKLMV2)
DB2DAS - DB2DAS_entry
For example, DB2DAS - DB2DAS00

AIX and Linux systems

On AIX or Linux systems, enter the following commands to configure the Tivoli
Key Lifecycle Manager DB2 instance owner so that it does not start automatically:
. ~tklmdb2/sqllib/db2profile
DB_HOME/instance/db2iauto -off tklmdb2

Where tklmdb2 is the default instance owner user ID. If you changed it during
installation, use that user ID instead.

Next, edit the /etc/inittab file and remove the entry that autostarts the Tivoli
Integrated Portal server:
tip:23456789:wait:/opt/IBM/tivoli/tiptklmV2/bin/startServer.sh server1
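Two of the manual edits in this chapter, removing the DB2 port entries from /etc/services (in "Uninstalling DB2") and removing the Tivoli Integrated Portal autostart entry from /etc/inittab (above), are normally done in vi. As an added example that is not part of the guide, the following POSIX shell functions do the same on a copy of each file, so the result can be reviewed before it replaces the original. The DB2 port entry names used here (DB2_owner, DB2_owner_n, DB2_owner_END and db2c_owner) are the names DB2 registers by default and are an assumption; the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not IBM's code: filter the DB2 port entries for one
# instance owner out of /etc/services, and the Tivoli Integrated Portal
# autostart line out of /etc/inittab.  Both functions read stdin and write
# the filtered file to stdout; nothing is changed in place.

# Drop lines whose service name is DB2_<owner>, DB2_<owner>_<n>,
# DB2_<owner>_END or db2c_<owner> (default DB2 naming; an assumption here).
strip_db2_service_entries() {
    awk -v o="$1" '
        BEGIN { p = "DB2_" o; c = "db2c_" o }
        $1 == p || index($1, p "_") == 1 || $1 == c { next }
        { print }
    '
}

# Drop the inittab entry with id "tip" whose process field runs
# startServer.sh below TIP_HOME.  inittab fields: id:runlevels:action:process.
strip_tip_inittab_entry() {
    awk -F: -v h="$1" '
        $1 == "tip" && index($4, h "/bin/startServer.sh") == 1 { next }
        { print }
    '
}

# Constructed samples; DB2_other stands for an unrelated DB2 instance that
# must survive the cleanup.
SAMPLE_SERVICES='ssh             22/tcp
DB2_tklmdb2     60000/tcp
DB2_tklmdb2_1   60001/tcp
DB2_tklmdb2_2   60002/tcp
DB2_tklmdb2_END 60003/tcp
db2c_tklmdb2    50000/tcp
DB2_other       60010/tcp
http            80/tcp'

SAMPLE_INITTAB='id:3:initdefault:
tip:23456789:wait:/opt/IBM/tivoli/tiptklmV2/bin/startServer.sh server1
l3:3:wait:/etc/rc.d/rc 3'

# Stand-alone demonstration: show what each file would look like afterwards.
printf '%s\n' "$SAMPLE_SERVICES" | strip_db2_service_entries tklmdb2
printf '%s\n' "$SAMPLE_INITTAB"  | strip_tip_inittab_entry /opt/IBM/tivoli/tiptklmV2
```

On a real system, run strip_db2_service_entries tklmdb2 < /etc/services > /tmp/services.new (and likewise for /etc/inittab), compare the new file with the original, and only then copy it into place; db2iauto -off, shown above, still has to be run separately because it changes the instance configuration rather than a file.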

Chapter 8. Recovering from migration failure
You can take migration recovery steps for failure to migrate either Encryption Key
Manager or Tivoli Key Lifecycle Manager.

Recovering from migration failure for Encryption Key Manager


Errors might occur during migration for Encryption Key Manager:

The installation process completes the installation step for Tivoli Key Lifecycle
Manager and invokes a migration process to migrate data from Encryption Key
Manager to Tivoli Key Lifecycle Manager.
v As migration starts, an error might occur when the installation program is
validating the values in the Encryption Key Manager properties file for the
following conditions:
– The properties file cannot be read due to inadequate access permissions.
– A required property does not exist or does not have a value.
– The value of a property is malformed.
– The file that a property points to does not exist or cannot be read due to
inadequate access permissions.
v An error might occur after the migration operation has completed significant
activities. In this case, review the error log files:
Windows systems:
TIP_HOME\logs\tklm_migrate_results.out
TIP_HOME\products\tklm\migration\migrate.log
AIX and Linux systems:
TIP_HOME/logs/tklm_migrate_results.out
TIP_HOME/products/tklm/migration/migrate.log

If Encryption Key Manager migration fails and you choose to complete the
remaining migration process, you can invoke a migration-recovery script as long as
you do not make any changes or otherwise configure Tivoli Key Lifecycle Manager
server before running the script.

Migration recovery script for Encryption Key Manager


You can invoke a migration-recovery script for Encryption Key Manager as long as
you do not make any changes or otherwise configure Tivoli Key Lifecycle Manager
server before running the script. For example, do not significantly change the
available disk space on the system.

The migration-recovery script is in these locations:


v Distributed systems:
The migration script is in the TIP_HOME\products\tklm\migration directory. The
commands to run the script are:
Windows systems:
cd TIP_HOME\products\tklm\migration

.\bin\migrate.bat tklm_instance_owner_password

Linux and AIX systems:
cd TIP_HOME/products/tklm/migration

./bin/migrate.sh tklm_instance_owner_password

On systems such as Linux or AIX, ensure that you are logged in as the
root user before you run migrate.sh.
Where the tklm_instance_owner_password parameter is the password for the Tivoli
Key Lifecycle Manager server DB2 instance owner.
On Windows systems, the TIP_HOME path must be enclosed in quotation marks,
because it typically contains spaces. For example:
Windows systems:
cd "C:\Program Files\ibm\tivoli\tiptklmV2C\products\tklm\migration"

.\bin\migrate.bat password
echo %ERRORLEVEL%

Note:
– If you do not want to specify the password as an argument, omit the
password. The recovery script prompts you for the value, and the
password is not displayed in clear text. For example:
migrate.bat
echo %ERRORLEVEL%
– During its runtime progress, the migration recovery script creates a
migrate.log file.
Linux and AIX systems:
cd /opt/IBM/tivoli/tiptklmV2/products/tklm/migration

./bin/migrate.sh password
echo $?

On systems such as Linux or AIX, ensure that you are logged in as the
root user before you run migrate.sh.

Recovering from migration failure for Tivoli Key Lifecycle Manager


These error scenarios might occur during migration for Tivoli Key Lifecycle
Manager:
v As migration starts, an error message might be caused by one or more of the
following conditions:
– Inadequate access permissions prevent reading required files, or properties or
files are missing.
– Other applications are using a required file.
– During DB2 server migration, Tivoli Integrated Portal Server unexpectedly
stopped running.
v An error might occur after migration has completed, or after it has
performed significant activities.
The installation program displays an error message. In this case, review the error
log file:
Windows systems:
TIP_HOME\logs\tklm_migrate_results.out
AIX and Linux systems:
TIP_HOME/logs/tklm_migrate_results.out

If repeated running of the migration program fails and you choose to go back to
Version 1, complete these tasks for a new version of DB2:
– Uninstall Tivoli Key Lifecycle Manager Version 2. On systems such as AIX or
Linux, navigate to the home directory of the instance owner such as
/home/tklmdb2. If the sqllib_v91 directory exists, remove the directory.
– Reboot the computer.
– Re-install Tivoli Key Lifecycle Manager Version 1 and restore the most recent
backup. Apply the most recent fix pack.

Migration recovery script for Tivoli Key Lifecycle Manager


You can invoke a migration-recovery script for Tivoli Key Lifecycle Manager as
long as you do not make any changes or otherwise configure Tivoli Key Lifecycle
Manager server before running the script. For example, do not significantly change
the available disk space on the system.

To avoid passing the value of passwords as arguments in the migration scripts,
invoke the migration program without any arguments. The migration utility
prompts for the passwords and does not show their values in plain text. You
cannot specify some passwords as arguments and others in interactive mode.

The migration utility creates a migrate.log file in the TIP_HOME/products/tklm/
migration directory.

The migration-recovery script is in these locations:


v Distributed systems:
The migration script is in the TIP_HOME/products/tklm/migration/bin
directory.

The commands to run the migration script are:


Windows systems:
cd TIP_HOME\products\tklm\migration

.\bin\migratetklm.bat [db_administrator_pwd v1_tipadmin_pwd
v2_tipadmin_pwd v2_tklmadmin_pwd]

For example:
cd "C:\Program Files\ibm\tivoli\tiptklmV2C\products\tklm\migration"

.\bin\migratetklm.bat mydb2adminpwd myv1tippwd myv2tippwd myv2tklmpwd


Linux and AIX systems:
cd TIP_HOME/products/tklm/migration

./bin/migratetklm.sh
[db_administrator_pwd v1_tipadmin_pwd v2_tipadmin_pwd v2_tklmadmin_pwd]

For example:
cd /opt/IBM/tivoli/tiptklmV2/products/tklm/migration

./bin/migratetklm.sh mydb2adminpwd myv1tippwd myv2tippwd myv2tklmpwd


On systems such as Linux or AIX, ensure that you are logged in as the root
user before you run migratetklm.sh.

Where:

db_administrator_pwd
Password of the DB2 database administrator at Tivoli Key Lifecycle
Manager Version 1.
v1_tipadmin_pwd
Tivoli Integrated Portal administrator password at Tivoli Key Lifecycle
Manager Version 1.
v2_tipadmin_pwd
Tivoli Integrated Portal administrator password at Tivoli Key Lifecycle
Manager Version 2.
v2_tklmadmin_pwd
Tivoli Key Lifecycle Manager administrator password at Tivoli Key
Lifecycle Manager Version 2.

Enabling automatic start for DB2


If you completed a failed migration by running the migration script in recovery
mode, you must enable DB2 to start automatically when the computer restarts.

Windows systems

On Windows systems, take these steps to start DB2 automatically:


1. Click Start > Control Panel > Administrative Tools > Services.
2. Right-click the DB2 - DB2TKLMV2 - TKLMDB2 service and click Properties.
3. On the Properties dialog, on the General tab, change the Startup Type to
Automatic and click Apply.
4. Restart the system to verify that the database server starts automatically.

AIX and Linux systems

If you enabled crontab in Tivoli Key Lifecycle Manager Version 1, type this
command to enable DB2 to start automatically:
. ~tklmdb2/sqllib/db2profile
DB_HOME/instance/db2iauto -on tklmdb2

Where tklmdb2 is the default instance owner user ID. If you changed the value
during installation, use that user ID instead.

Solaris systems

On Solaris systems, enter the following commands to configure the Tivoli Key
Lifecycle Manager DB2 instance owner to start automatically:
. ~tklmdb2/sqllib/db2profile
DB_HOME/instance/db2iauto -on tklmdb2

Where tklmdb2 is the default instance owner user ID. If you changed it during
installation, use that user ID instead.

Migration properties file


The Tivoli Key Lifecycle Manager server migration utility maintains a
TKLM_HOME/migration/migratestatus.properties file to track completed tasks.

If migration fails, the properties file is retained for debugging purposes. The
migration utility also uses the retained file to determine at what point to start a
new migration process. If you accidentally run migration again, the utility uses the
properties file to determine whether migration already succeeded.

Chapter 9. Post-installation steps
After you install Tivoli Key Lifecycle Manager, ensure that the DB2 and Tivoli
Integrated Portal services are correctly configured.

On a system that is Internet Protocol version 6 (IPv6) only, the Universal Resource
Locator displayed at the end of installation is an IPv4 URL. Change the URL to
your known IPv6 URL before navigating to Tivoli Key Lifecycle Manager.

Note: Silent mode installation uses a response file that might contain nonsecure
password information. For additional security, delete the response file immediately
after using silent mode to install Tivoli Key Lifecycle Manager.

Services, ports, and processes


After installing Tivoli Key Lifecycle Manager server, validate that required services,
ports, and processes are running.
Windows systems:
v Services
– Tivoli Integrated Portal: TIPProfile_Port_16310
– DB2: DB2TKLMV2 - TKLMDB2
v Ports
– Tivoli Key Lifecycle Manager: 16310, 16311, 16312, 16313, 16315,
16316, 16320, 16322, 16323
– DB2: 50010 as the default. This value might be another port number,
depending on the installation settings. There are other ports
associated with the default port number.
v Processes
– Tivoli Key Lifecycle Manager: WASService.exe java.exe
– DB2: db2fmp.exe db2syscs.exe
If Version 2 is migrated from Version 1:
v Services
– Tivoli Integrated Portal: TIPProfile_Port_16340
– DB2: DB2TKLMV2 - TKLMDB2
v Ports
– Tivoli Key Lifecycle Manager: 16340, 16341, 16342, 16343, 16345,
16346, 16350, 16352, 16353
– DB2: The port number is the same as the DB2 port number at Tivoli
Key Lifecycle Manager Version 1. There are other ports associated
with the default port number.
v Processes
– Tivoli Key Lifecycle Manager: WASService.exe java.exe
– DB2: db2fmp.exe db2syscs.exe
Systems such as AIX or Linux:
Ensure that these are running:
v Ports

– Tivoli Key Lifecycle Manager: 16310, 16311, 16312, 16313, 16315,
16316, 16320, 16322, 16323
– DB2: 50000 as the default. This value might be another port number.
There are other ports associated with the default port number.
v Processes
– Tivoli Key Lifecycle Manager:

/opt/IBM/tivoli/tiptklmV2/java/bin/java
-Declipse.security
-Dwas.status.socket=38662
-Dosgi.install.area=/opt/IBM/tivoli/tiptklmV2
-Dosgi.configuration.area=/opt/IBM/tivoli/tiptklmV2/profiles
/TIPProfile/configuration
-Djava.awt.headless=true
-Dosgi.framework.extensions=com.ibm.cds
-Xshareclasses:name=webspherev61_%g,groupAccess,nonFatal
-Xscmx50M
-Xbootclasspath/p:/opt/IBM/tivoli/tiptklmV2/java/jre/lib/ext
/ibmorb.jar:/opt/IBM/tivoli/tiptklmV2/java/jre/lib/ext/ibmext.jar

-classpath /opt/IBM/tivoli/tiptklmV2/profiles/TIPProfile/properties
:/opt/IBM/tivoli/tiptklmV2/properties
:/opt/IBM/tivoli/tiptklmV2/lib/startup.jar
:/opt/IBM/tivoli/tiptklmV2/lib/bootstrap.jar
:/opt/IBM/tivoli/tiptklmV2/lib/j2ee.jar
:/opt/IBM/tivoli/tiptklmV2/lib/lmproxy.jar
:/opt/IBM/tivoli/tiptklmV2/lib/urlprotocols.jar
:/opt/IBM/tivoli/tiptklmV2/deploytool/itp/batchboot.jar
:/opt/IBM/tivoli/tiptklmV2/deploytool/itp/batch2.jar
:/opt/IBM/tivoli/tiptklmV2/java/lib/tools.jar

-Dibm.websphere.internalClassAccessMode=allow
-Xms512m
-Xmx1024m
-Dws.ext.dirs=/opt/IBM/tivoli/tiptklmV2/java/lib
:/opt/IBM/tivoli/tiptklmV2/profiles/TIPProfile/classes
:/opt/IBM/tivoli/tiptklmV2/classes
:/opt/IBM/tivoli/tiptklmV2/lib
:/opt/IBM/tivoli/tiptklmV2/installedChannels
:/opt/IBM/tivoli/tiptklmV2/lib/ext
:/opt/IBM/tivoli/tiptklmV2/web/help
:/opt/IBM/tivoli/tiptklmV2/deploytool/itp/plugins/
com.ibm.etools.ejbdeploy/runtime

-Dderby.system.home=/opt/IBM/tivoli/tiptklmV2/derby
-Dcom.ibm.itp.location=/opt/IBM/tivoli/tiptklmV2/bin
-Djava.util.logging.configureByServer=true
-Duser.install.root=/opt/IBM/tivoli/tiptklmV2/profiles/TIPProfile
-Djavax.management.builder.initial=
com.ibm.ws.management.PlatformMBeanServerBuilder
-Dwas.install.root=/opt/IBM/tivoli/tiptklmV2
-Dpython.cachedir=/opt/IBM/tivoli/tiptklmV2/profiles
/TIPProfile/temp/cachedir
-Djava.util.logging.manager=com.ibm.ws.bootstrap.WsLogManager
-Dserver.root=/opt/IBM/tivoli/tiptklmV2/profiles/TIPProfile

-Dcom.ibm.tivoli.reporting.installdir=
/opt/IBM/tivoli/tiptklmV2/products/tcr
-Djava.security.auth.login.config=
/opt/IBM/tivoli/tiptklmV2/profiles/TIPProfile/properties
/wsjaas.conf
-Djava.security.policy=
/opt/IBM/tivoli/tiptklmV2/profiles/TIPProfile/properties
/server.policy com.ibm.wsspi.bootstrap.WSPreLauncher

-nosplash -application com.ibm.ws.bootstrap.WSLauncher com.ibm.ws.runtime.WsServer
/opt/IBM/tivoli/tiptklmV2/profiles/TIPProfile/config
TIPCell TIPNode server1
– DB2: db2fmp db2syscs
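The following check script is an added example and is not part of the IBM guide. It verifies, on an AIX or Linux host, that the listeners and processes listed above are present; the port numbers are the guide's defaults for a fresh (non-migrated) installation, and the ss/netstat and ps output formats it parses are assumptions.

```shell
#!/bin/sh
# Added check script, not part of the IBM guide: verify that the AIX/Linux
# listeners and processes listed above are present. TKLM_PORTS and DB2_PORT are
# the guide's defaults for a fresh (non-migrated) install; override them in the
# environment if your installation used other values.

TKLM_PORTS="${TKLM_PORTS:-16310 16311 16312 16313 16315 16316 16320 16322 16323}"
DB2_PORT="${DB2_PORT:-50000}"

# missing_ports LISTENER_TEXT
# LISTENER_TEXT is the output of `ss -ltn` (Linux) or `netstat -an | grep LISTEN`
# (AIX prints local addresses as *.16310, Linux as *:16310, so both separators
# are accepted). Prints the required ports that have no listener, space
# separated, and returns 1 if any port is missing.
missing_ports() {
    missing=""
    for port in $TKLM_PORTS $DB2_PORT; do
        if ! printf '%s\n' "$1" | grep -Eq "[:.]${port}[[:space:]]"; then
            missing="${missing}${missing:+ }${port}"
        fi
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# missing_processes PS_TEXT
# PS_TEXT is the output of `ps -eo args` (or `ps -aef`). Looks for the TIP JVM
# started from TIP_HOME/java/bin/java (the long command line shown above) and
# for the DB2 engine process (db2sysc...). Returns 1 if either is absent.
missing_processes() {
    missing=""
    printf '%s\n' "$1" | grep -q 'tiptklmV2/java/bin/java' || missing="tklm-java"
    printf '%s\n' "$1" | grep -q 'db2sysc' || missing="${missing}${missing:+ }db2sysc"
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed sample input (not captured from a real host): TKLM port 16320 and
# the DB2 listener are absent, and no DB2 engine process is running.
SAMPLE_LISTENERS="LISTEN 0 128 *:16310 *:*
LISTEN 0 128 *:16311 *:*
LISTEN 0 128 *:16312 *:*
LISTEN 0 128 *:16313 *:*
LISTEN 0 128 *:16315 *:*
LISTEN 0 128 *:16316 *:*
LISTEN 0 128 *:16322 *:*
LISTEN 0 128 *:16323 *:*
LISTEN 0 128 *:22 *:*"
SAMPLE_PS="/opt/IBM/tivoli/tiptklmV2/java/bin/java -Declipse.security -Xms512m -Xmx1024m com.ibm.wsspi.bootstrap.WSPreLauncher
/usr/sbin/sshd -D"

# Usage: sh tklm_check.sh --live     checks this host
#        sh tklm_check.sh --sample   checks the constructed sample, which is
#                                    expected to report "16320 50000" and "db2sysc"
# With no argument only the functions are defined, so the file can be sourced.
if [ "${1:-}" = "--live" ]; then
    missing_ports "$(ss -ltn 2>/dev/null || netstat -an | grep LISTEN)"
    missing_processes "$(ps -eo args)"
elif [ "${1:-}" = "--sample" ]; then
    missing_ports "$SAMPLE_LISTENERS"
    missing_processes "$SAMPLE_PS"
fi
```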

Post-installation security
After installing Tivoli Key Lifecycle Manager, you need to take several steps to
ensure certificate recognition by your browser, and protect sensitive user IDs and
passwords.

Response file security


A response file might contain passwords that are stored in plain text. You must
modify or store the file securely.

If you insert actual password values in a sample response file, such as
sample_response.txt, you must take additional steps to ensure the security of the
file. The file is located in the same directory as your installation package.

For examples, see Appendix B, “Sample response files,” on page 91.

Specifying a certificate for browser access


All browsers trigger a certificate error that you must overwrite to gain access to
Tivoli Integrated Portal.

About this task


The error occurs because the owner of the internal certificate is not in the list of
trusted signing authorities. Install the certificate into each browser that you use to
access Tivoli Key Lifecycle Manager. You can use the Tivoli Integrated Portal user
interface to overwrite the certificate.

Procedure

To configure the certificate, follow these steps:


1. Using the TIPAdmin user ID, log in to the Tivoli Key Lifecycle Manager server.
2. On the Security tab, click SSL certificate and key management.
3. On the SSL certificate and key management page, click Manage endpoint
security configuration -> server1. In the local topology tree, you might need to
click TIPCell > nodes > TipNode > servers > server1 to expand the tree and
locate server1 in the outbound branch.
4. To set the specific SSL configuration for this endpoint, click Manage
Certificates.

5. Extract the certificate.
The browser needs only the certificate. Extract retrieves the certificate (the
public key) and stores it into a file. Do not export the certificate, which obtains
both the public and the private key.
6. Import the certificate into your browser.
v Firefox
a. Click Tools > Options > Advanced > Encryption.
b. Select View Certificates > Import buttons.
c. Navigate to the directory from which the certificate is exported. Select the
certificate and click Open.
d. On the Certificate Manager dialog, select the imported certificate and
click Edit.
e. On the Edit web site certificate trust settings dialog, select Trust the
authenticity of this certificate and click OK.
f. On the Certificate Manager dialog, click OK.
g. On the Options dialog, click OK.
v Internet Explorer
a. Click Tools > Internet Options.
b. Select the Content tab and click the Certificates button.
c. Select the Trusted Root Certification Authorities tab and click the Import
button.
d. On the Certificate Import Wizard dialog, click Next.
e. Browse to locate the certificate and click Next.
f. Type the password for the certificate and click Next.
g. Complete the remaining steps that the wizard provides.
h. On the Security Warning dialog, read the warning. If you agree, click Yes.
7. In the browser address field, enter the fully qualified Universal Resource
Locator that points to the Tivoli Key Lifecycle Manager server. Press Enter.

Changing the WebSphere Application Server keystore password
SSL certificates for the browser are stored in WebSphere Application Server
keystores. On WebSphere Application Server 6.1, these keystore passwords are
public and must be changed.

About this task

When you install the application server, each server creates a keystore and
truststore for the default SSL configuration with the default password value of
WebAS.

Procedure

To change the password, follow these steps:


1. Change the password by using the graphical user interface:
a. Using the TIPAdmin user ID, log in to the Tivoli Key Lifecycle Manager
server.
b. On the Security tab, click SSL certificate and key management.

c. On the SSL certificate and key management page, click Key stores and
certificates > NodeDefaultKeyStore.
d. Change the keystore password.
e. On the SSL certificate and key management page, click Key stores and
certificates > NodeDefaultTrustStore.
f. Change the truststore password.
2. Save the password in a secure location.

Tivoli Integrated Portal security


You need to take several steps to ensure Tivoli Integrated Portal security for
sensitive information.

Support might determine that tracing is required to debug an issue in a function
that the WASService.exe command runs. Turning on tracing for this function
writes potentially sensitive trace information to the WASService.Trace file in the
Windows root directory. Use information protection steps that are appropriate for
your site to protect the WASService.Trace file.

Additionally, use caution running the stopServer command. Do not put the
password directly on the command line. Instead, enter the user name and
password for the Tivoli Integrated Portal administrator when prompted.

For example, to stop all processes bound to TIP_HOME, type:


stopServer server1

Enter the user name and password at the prompts.

Avoid including the user ID and password in the command. For example, do not
type:
On Windows systems:
stopServer.bat server1 -username tipadmin -password mypwd
On systems such as Linux or AIX:
./stopServer.sh server1 -username tipadmin -password mypwd

Subsequently running the ps -aef command to display information about the active
process can potentially display the Tivoli Integrated Portal password.
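The script below is an added example and is not part of the IBM guide. It implements the two checks that this section and "Response file security" above call for: finding a Tivoli Integrated Portal password passed on a stopServer command line, and finding a response file that other users can read or that still contains password values. The response-file key names it matches (anything containing PASSWORD or PWD) are an assumption, since this section does not list the product's actual keys.

```shell
#!/bin/sh
# Added checks, not part of the IBM guide, for the two exposures described in
# this section: a Tivoli Integrated Portal password passed on the stopServer
# command line (visible to anyone who can run `ps -aef`), and a silent-install
# response file that other users can read or that still holds password values.
# Response-file key names are matched loosely (PASSWORD or PWD) because this
# section does not list the product's actual keys.

# passwords_on_cmdline PS_TEXT
# PS_TEXT is the output of `ps -eo args` or `ps -aef`. Prints each command line
# that carries "-password <value>", with the value replaced by ***, and returns
# 1 if any such command line was found.
passwords_on_cmdline() {
    hits=$(printf '%s\n' "$1" \
           | grep -E -- '-password[[:space:]]+[^[:space:]]+' \
           | sed -E 's/(-password[[:space:]]+)[^[:space:]]+/\1***/g')
    printf '%s\n' "$hits"
    [ -z "$hits" ]
}

# response_file_issues FILE
# Reports a response file that is readable by group or others (permission
# string taken from `ls -l`, so it works on AIX as well as Linux) and any
# uncommented PASSWORD/PWD key with a non-empty value (values are redacted in
# the report). Returns 1 if anything was reported, 2 if FILE is unreadable.
response_file_issues() {
    file=$1
    problems=""
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # characters 5-10 of the ls -l mode string are the group and other bits
    mode=$(ls -ld "$file" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        problems="group/other permissions are $mode (expected ------)"
    fi
    keys=$(grep -Ei '^[^#]*(password|pwd)[[:space:]]*=[[:space:]]*[^[:space:]]' "$file" \
           | sed -E 's/=.*$/=<redacted>/' | tr '\n' ' ')
    if [ -n "$keys" ]; then
        problems="${problems}${problems:+; }plain-text password values: ${keys% }"
    fi
    printf '%s\n' "$problems"
    [ -z "$problems" ]
}

# Constructed samples (not captured from a real system). The key names in the
# response-file fragment are illustrative only.
SAMPLE_PS_ARGS="./stopServer.sh server1 -username tipadmin -password mypwd
/usr/sbin/sshd -D"
SAMPLE_RESPONSE="LICENSE_ACCEPTED=true
TKLM_ADMIN_PWD=secret"

# Usage: sh postinstall_audit.sh --live [/path/to/response_file]
# With no argument only the functions are defined, so the file can be sourced.
if [ "${1:-}" = "--live" ]; then
    passwords_on_cmdline "$(ps -eo args)"
    [ -n "${2:-}" ] && response_file_issues "$2"
fi
```

Expected result on the constructed samples: the stopServer line is reported with the password shown as ***, and a 644-mode copy of the response fragment is reported for both its permissions and its TKLM_ADMIN_PWD value.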

Handling installation errors


Errors that you must correct can occur during installation. Many error messages
contain enough information to correct the situation that caused the error. However,
some error conditions require additional information.
Silent installation might exit with no error message displayed, but errors do
exist in the log file.
If silent installation exits with a zero return code, also check the log file for
error messages.
Windows systems:
%SystemDrive%\tklmV2properties\tklm_silentInstall.log
Systems such as AIX or Linux:
/tklmV2properties/tklm_silentInstall.log

During silent installation, if the installation exits immediately with no error
message displayed and no error logged:
v You might have entered an invalid value for the full_path_to_response_file
parameter of the installation program, such as an incomplete path.
v The LICENSE_ACCEPTED parameter in the response file might have been
left commented out or not set to true.

If you get an error message about a disk or file system not having enough disk
space available:
Remove files to free up space, or add storage to the system to expand the
size of the file system.
Do not correct the problem while the installation program is running. Exit
the installation program before making the corrections, and restart the
program after the corrections are made.
See “Hardware requirements for distributed systems” on page 5 for
information about disk space and other hardware requirements.

If you install Tivoli Key Lifecycle Manager using an Exceed X Server on a local
machine while exporting the display from a Linux system to the local machine,
do not decline the license agreement.
If you decline the license agreement, the installation program can be
rendered unresponsive. Accept the license agreement, or use a Cygwin X
Server or a Virtual Network Connection instead.

Removing the tklmdb2 administrator using the Windows user and group
management tool requires removing the previous tklmdb2 subdirectory before
reinstalling Tivoli Key Lifecycle Manager and DB2.
During Tivoli Key Lifecycle Manager installation, you might encounter a
problem if you used the Windows user and group management tool to
previously delete the tklmdb2 user ID as the DB2 administrator.
Reinstalling Tivoli Key Lifecycle Manager then fails to install DB2.
To fix the problem, take these steps:
1. Change to the appropriate subdirectory:
v Windows Server 2003: drive:\Documents and Settings
v Windows Server 2008: drive:\Users
2. Remove the tklmdb2 subdirectory.
3. Reinstall Tivoli Key Lifecycle Manager. The tklmdb2 subdirectory is not
automatically removed when you use the Windows user and group
management tool to delete the user account tklmdb2.

Enabling automatic services


The Tivoli Key Lifecycle Manager installation process starts the DB2 and Tivoli
Integrated Portal services that Tivoli Key Lifecycle Manager requires. The
installation process also sets the services to start automatically. However, you
might need to correct error conditions with the automatic starting of services.

Windows systems

On Windows systems, use the Windows Services console to configure the services
to start automatically.

Locate the services in the following list. For each service in the list, open the
Properties dialog box for the service, and ensure that the Startup Type is set to
Automatic. If the Service status field has a value of Stopped, click Start to start the
service.

DB2 - db2 copy name - DB2–n
For example, DB2 - DB2TKLMV2 - DBTKLM20
DB2 - db2 copy name - TKLM_INSTANCE_OWNER
For example, DB2 - DB2TKLMV2 - TKLMDB2
DB2 Governor (db2 copy name)
For example, DB2 Governor (DB2TKLMV2)
DB2 License Server (db2 copy name)
For example, DB2 License Server (DB2TKLMV2)
DB2 Management Service (db2 copy name)
For example, DB2 Management Service (DB2TKLMV2)
DB2 Remote Command Server (db2 copy name)
For example, DB2 Remote Command Server (DB2TKLMV2)
DB2DAS - DB2DAS_entry
For example, DB2DAS - DB2DAS00
Tivoli Integrated Portal - TipProfile_Port_port_number.
For example, Tivoli Integrated Portal - TIPProfile_Port_16310

AIX and Linux systems

On AIX or Linux systems, enter the following commands to configure the Tivoli
Key Lifecycle Manager DB2 instance owner to start automatically:
. ~tklmdb2/sqllib/db2profile
DB_HOME/instance/db2iauto -on tklmdb2

Where tklmdb2 is the default instance owner user ID. If you changed the value
during installation, use that user ID instead.

Installing Tivoli Key Lifecycle Manager adds commands to start the WebSphere
Application Server to the /etc/inittab file. You might edit these commands in the
/etc/inittab file:
slp:2345:wait:/bin/sleep 60
tip:23456789:wait:TIP_HOME/bin/startServer.sh server1

Solaris systems

On Solaris systems, enter the following commands to configure the Tivoli Key
Lifecycle Manager DB2 instance owner to start automatically:
. ~tklmdb2/sqllib/db2profile
DB_HOME/instance/db2iauto -on tklmdb2

Where tklmdb2 is the default instance owner user ID. If you changed it during
installation, use that user ID instead.

Installing Tivoli Key Lifecycle Manager adds commands to start the WebSphere
Application Server to the /etc/inittab file. You might edit these commands in the
/etc/inittab file:
sl:2345:wait:/bin/sleep 60
tt:23456:wait:TIP_HOME/bin/startServer.sh server1

To configure the embedded WebSphere Application Server to start automatically,
follow the steps described in the section that describes creating an SMF service
definition, in the IBM WebSphere Application Server V6.1 on the Solaris 10 Operating
System Redbooks publication. This document is available at:
http://www.redbooks.ibm.com/abstracts/sg247584.html.

Adapt the information from the Web page with values based on your Tivoli Key
Lifecycle Manager installation. For example, use the directories from your system
in the script:
WAS_DIR="/opt/IBM/tivoli/tiptklmV2/profiles/TIPProfile"

On some systems, it might be necessary to increase the timeout value in the
manifest file from 60 to 300.

Setting the session timeout interval


The Tivoli Key Lifecycle Manager user interface session can be configured to time
out after thirty minutes of inactivity or to stay alive with no time restriction.

About this task

This option is controlled by the ISC.KEEPALIVE.INTERVAL property in the
consoleProperties.xml properties file.

Procedure

To configure the timeout interval, follow these steps:


1. Navigate to the directory containing the properties file:
v Distributed systems:
Windows systems
cd TIP_HOME\profiles\TIPProfile\config\cells\TIPCell\applications\isclite.ear\deployments\isclite\isclite.war\WEB-INF
AIX or Linux systems
cd TIP_HOME/profiles/TIPProfile/config/cells/TIPCell/applications/isclite.ear/deployments/isclite/isclite.war/WEB-INF
For the location of TIP_HOME on your system, see “Definitions for HOME
and other directory variables” on page xiii.
2. Edit consoleProperties.xml and locate the ISC.KEEPALIVE.INTERVAL property.
3. Set the value of ISC.KEEPALIVE.INTERVAL.
To have the session time out after 30 minutes:
Set the value of ISC.KEEPALIVE.INTERVAL to -1:
<consoleproperties:console-property id="ISC.KEEPALIVE.INTERVAL" value="-1"/>

This disables the ISC.KEEPALIVE.INTERVAL property.


To keep the session alive without timing out:
Set the value of ISC.KEEPALIVE.INTERVAL to 20:
<consoleproperties:console-property id="ISC.KEEPALIVE.INTERVAL" value="20"/>

This causes the browser to ping the server every 20 minutes,
maintaining the session.
4. Save the changes and close the editor.

Setting the maximum transaction timeout
On systems other than z/OS, the total transaction timeout value is set to 600
seconds. Depending on the setting, some long-running Tivoli Key Lifecycle
Manager operations might time out.

About this task

Long-running Tivoli Key Lifecycle Manager operations might time out with an
error message like this example:
[10/21/08 14:28:41:693 CDT] 00000020 TimeoutManage I
WTRN0006W: Transaction 00000110001 has timed out after xxx seconds.

Procedure

To configure the transaction timeout interval to a larger value, take these steps:
1. Stop the server.
v Windows systems:
In the TIP_HOME\bin directory, type:
stopServer.bat server1
v AIX, Linux, and Solaris systems:
In the TIP_HOME/bin directory, type:
./stopServer.sh server1
2. Edit this file:
..\profiles\TIPProfile\config\cells\TipCell\nodes\TIPNode\servers\server1\server.xml
3. Change the propogatedOrBMTTranLifetimeTimeout parameter to a larger value.
4. Save the file.
5. Start the server.
v Windows systems:
In the TIP_HOME\bin directory, type:
startServer.bat server1
v AIX, Linux, and Solaris systems:
In the TIP_HOME/bin directory, type:
./startServer.sh server1
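The helper below is an added example and is not part of the IBM guide. It scripts the two edits described in "Setting the session timeout interval" and "Setting the maximum transaction timeout", keeping a backup and reading the new value back; it assumes the attribute sits on the same line as its anchor text, as in the snippets quoted above, and the file paths in the usage comment are taken from those procedures.

```shell
#!/bin/sh
# Added helper, not part of the IBM guide: change the two timeout settings
# described above (ISC.KEEPALIVE.INTERVAL in consoleProperties.xml and
# propogatedOrBMTTranLifetimeTimeout in server.xml) from a script, keeping a
# backup and reading the value back instead of editing blind. Assumes the
# attribute is on the same line as the anchor text, as in the snippets quoted
# above; stop the server before editing server.xml, as the procedure says.

# get_xml_attr FILE ANCHOR ATTR
# Prints the value of ATTR="..." from the first line of FILE containing ANCHOR.
get_xml_attr() {
    grep -- "$2" "$1" \
        | sed -n -E "s/.*[[:space:]]$3=\"([^\"]*)\".*/\1/p" | head -n 1
}

# set_xml_attr FILE ANCHOR ATTR VALUE
# Rewrites ATTR="..." on every line of FILE containing ANCHOR, keeps FILE.bak,
# refuses to touch a file that lacks the anchor (returns 1), and prints the
# value read back from the edited file.
set_xml_attr() {
    file=$1; anchor=$2; attr=$3; value=$4
    grep -q -- "$anchor" "$file" || { echo "anchor not found: $anchor" >&2; return 1; }
    cp -p "$file" "$file.bak"
    sed -E "/$anchor/ s/([[:space:]]$attr=\")[^\"]*\"/\1$value\"/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
    get_xml_attr "$file" "$anchor" "$attr"
}

# set_session_keepalive CONSOLEPROPERTIES_XML VALUE
# VALUE -1: the session times out after 30 minutes; VALUE 20: the browser pings
# the server every 20 minutes and the session never times out.
set_session_keepalive() {
    set_xml_attr "$1" 'id="ISC.KEEPALIVE.INTERVAL"' value "$2"
}

# set_transaction_timeout SERVER_XML SECONDS
# Raises (or lowers) the transaction lifetime; the guide's default is 600.
set_transaction_timeout() {
    set_xml_attr "$1" propogatedOrBMTTranLifetimeTimeout \
                 propogatedOrBMTTranLifetimeTimeout "$2"
}

# Usage examples (paths per the procedures above; TIP_HOME must be set):
#   set_session_keepalive \
#     "$TIP_HOME/profiles/TIPProfile/config/cells/TIPCell/applications/isclite.ear/deployments/isclite/isclite.war/WEB-INF/consoleProperties.xml" -1
#   set_transaction_timeout \
#     "$TIP_HOME/profiles/TIPProfile/config/cells/TIPCell/nodes/TIPNode/servers/server1/server.xml" 1200
```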

Using the correct version of DB2 after migration


Before connecting to the Tivoli Key Lifecycle Manager database, ensure that you
use the correct version of DB2.

About this task

After migrating Tivoli Key Lifecycle Manager from Version 1 to Version 2, both
obsolete Version 9.1 and a later version of DB2 are available.

Procedure

Take these steps:


1. Log in as the database instance owner on systems such as AIX or Linux, or the
DB2 administrator on Windows systems.

2. Ensure that the correct version of DB2 is available. Take these steps:
Windows systems:
v Click Start > IBM DB2 > DB2TKLMV2 > Command Line Tools >
Command Line Processor. Specify:
set DB2INSTANCE=tklmdb2
v Navigate to the drive\Program Files\IBM\db2tklmV2\bin directory
and ensure that you can successfully run a DB2 command. For
example, type:
db2cmd
db2stop
db2start
Systems such as AIX or Linux:
v Navigate to the /opt/IBM/db2tklmV2/bin directory.
v Ensure that you can successfully run a DB2 command. For example,
type:
. ~tklmdb2/sqllib/db2profile
db2stop
db2start
3. Start Tivoli Key Lifecycle Manager Version 2.

Changing the DB2 server host name


After installing Tivoli Key Lifecycle Manager, you might need to change the host
name of the DB2 server.

About this task

After this task succeeds, you must also change the host name of the Tivoli
Integrated Portal Server.

Ensure that the computer host name and domain name contain only alphabetical
characters (A-Z and a-z) and numeric characters (0-9). The domain name can also
include a dash (-) character that does not begin or end the name. No other
characters are supported, such as the underscore character (_).

To change the host name of the DB2 server, follow these steps:
1. Obtain the current steps to change the host name for your level of the DB2
server from the technote at this Web address:
http://www.ibm.com/support/docview.wss?rs=71&context=SSEPGG&context=SSEPDU&context=SSVGXH&context=SSVGZB&context=SSFHEG&context=SSYK8P&context=SSTLZ9&q1=db2+change+hostname&uid=swg21258834&loc=en_US&cs=utf-8&lang=en
2. When this task succeeds, change the host name of the Tivoli Integrated Portal
Server.
For more information, see “Changing an existing Tivoli Integrated Portal Server
host name.”

Changing an existing Tivoli Integrated Portal Server host name


After changing the host name of the DB2 server, you must also change the host
name of the Tivoli Integrated Portal Server.

About this task

Installing Tivoli Key Lifecycle Manager creates scripts in the TIP_HOME\bin
directory that you might use to change the host name of an existing Tivoli
Integrated Portal Server:
v Windows systems:
tipChangeHostName.bat
v Systems such as AIX or Linux:
tipChangeHostName.sh
-h newhostname
Specifies the new host name of the Tivoli Integrated Portal Server.

Before you change the host name, ensure that no other programs are using the
existing Tivoli Integrated Portal Server. Tivoli Key Lifecycle Manager requires
exclusive use of the Tivoli Integrated Portal Server.

To change the host name of the Tivoli Integrated Portal Server, follow these steps:
1. Log in as root (AIX or Linux systems) or Administrator (Windows systems) and
navigate to the TIP_HOME\bin directory.
2. Stop the Tivoli Integrated Portal Server. The tipChangeHostName script does
not run unless you stop the Tivoli Integrated Portal Server.
For example, type on one line:
stopServer.bat server1 -username tipadmin -password passw0rd
3. Ensure that the Tivoli Integrated Portal service has stopped.
4. Change the host name of the machine.
Ensure that the computer host name and domain name contain only
alphabetical characters (A-Z and a-z) and numeric characters (0-9). The domain
name can also include a dash (-) character that does not begin or end the name.
No other characters are supported, such as the underscore character (_).
On Windows systems, the change typically requires a system reboot. Disable
the Tivoli Integrated Portal service from starting automatically after a restart. To
disable the service:
v Click Start > Settings > Control Panel > Administrative Tools > Services >
TIP.
v Right-click the TIP service and select Properties Context Menu. On the
General tab, set Startup type to a value of Manual.
5. After ensuring that the Tivoli Integrated Portal service has stopped, run the
script to change the host name.
For example, type:
tipChangeHostName.bat -h newhostname
6. Confirm that the result is written to the tipchangehostname.log file that is
located in the TIP_HOME\logs directory.
7. Restart the Tivoli Integrated Portal Server.
Log in as root (AIX or Linux systems) or Administrator (Windows systems) and
navigate to the TIP_HOME\bin directory and type:
startServer.bat server1
8. Enable the Tivoli Integrated Portal Server service to start automatically on
Windows systems.
To enable the service:

v Click Start > Settings > Control Panel > Administrative Tools > Services >
TIP.
v Right-click the TIP service and select Properties Context Menu. On the
General tab, set Startup type to a value of Automatic.

Stopping the DB2 server


To stop the database server, stop the Tivoli Integrated Portal Server and stop the
DB2 server.

About this task

You must be the database instance owner on systems such as AIX or Linux, or the
Local Administrator on Windows systems.

Procedure

To stop the database server, take these steps:


1. Log in as the database instance owner on systems such as AIX or Linux, or log
in as Local Administrator on Windows systems.
2. Stop the Tivoli Integrated Portal Server. Type this command:
Windows systems:
cd C:\Program Files\IBM\tivoli\tiptklmV2\bin
.\stopServer.bat server1 -username tipadmin -password mysecretpwd
Systems such as AIX or Linux:
/opt/IBM/tivoli/tiptklmV2/bin/stopServer.sh server1 -username tipadmin -password mysecretpwd
3. Stop the DB2 server. Type these commands:
Windows systems:
set DB2INSTANCE=tklmdb2
db2stop
Systems such as AIX or Linux:
su - tklmdb2
db2stop

Configuring SSL
After installing Tivoli Key Lifecycle Manager, you might configure secure
communication using SSL.

About this task

This option is controlled by the config.keystore.ssl.certalias property in the
TKLM_HOME/config/TKLMgrConfig.properties file.

If transport ports are specified, this alias points at an existing certificate that is
used for SSL authentication for secure communication between a drive and the
Tivoli Key Lifecycle Manager server.

If you migrate data from Encryption Key Manager, all the certificates from the
TransportListener truststore are imported into the Tivoli Key Lifecycle Manager
keystore.

A certificate from the TransportListener keystore is set as the SSL certificate for
Tivoli Key Lifecycle Manager. The config.keystore.ssl.certalias property is updated
with the alias of this certificate.

Procedure

To configure SSL for secure communication, follow these steps:


1. Navigate to the appropriate page or directory.
v Graphical user interface:
Log on to the graphical user interface. From the navigation tree, you can
select either of these paths:
– Tivoli Key Lifecycle Manager > Configuration > SSL
– Tivoli Key Lifecycle Manager > Advanced Configuration > Server
Certificates
v Command-line interface:
In the TIP_HOME/bin directory, start a wsadmin session using Jython. Log on
to wsadmin with an authorized user ID, such as the TKLMAdmin user ID.
For example, on Windows systems, navigate to the drive:\IBM\tivoli\
tiptklmV2\bin directory and type:
– Windows systems:
wsadmin -username TKLMAdmin -password mypwd -lang jython
– Systems such as AIX or Linux:
./wsadmin.sh -username TKLMAdmin -password mypwd -lang jython
2. Specify the certificate that is used for SSL communication.
v Graphical user interface:
On one of these pages, specify a certificate as the SSL certificate:
– On the SSL for Key Serving page, select the option to use an existing
certificate from the keystore as the SSL certificate. Select a certificate and
click OK.
– Alternatively, on the Administer Server Certificates page, select an existing
certificate and click Modify. Specify that the certificate is the
currently-used certificate and click Modify Certificate.
v Command-line interface:
– To see the value of the property, use the tklmConfigGetEntry command.
For example, you might want to validate that a migrated certificate is set
as the SSL certificate.
This Jython-formatted command obtains the current value of the
config.keystore.ssl.certalias property.
wsadmin>print AdminTask.tklmConfigGetEntry('[-name config.keystore.ssl.certalias]')
– To change the value of the property, use the tklmConfigUpdateEntry
command to specify the certificate that the Tivoli Key Lifecycle Manager
server uses.
For example, this Jython-formatted command example changes the value of
the config.keystore.ssl.certalias property.
print AdminTask.tklmConfigUpdateEntry('[-name config.keystore.ssl.certalias -value mycert]')
3. A success indicator varies, depending on the interface:
v Graphical user interface:

On the Success page, under Next Steps, click a related task that you want to
perform.
v Command-line interface:
A completion message indicates success.

Determining the current port number


After Tivoli Key Lifecycle Manager server installation, you might need to
determine the current port number or the secure port number.

About this task

On systems such as AIX or Linux, the login URL and installed port numbers are
stored in the TIP_HOME/etc/tklmadmin.html file that you can load in your browser.
On Windows systems, the information is on the start menu. Click Start > All
Programs > Tivoli Key Lifecycle Manager 2.0 > Tivoli Integrated Portal.

The value of the port number is specified by the WC_adminhost or the
WC_adminhost_secure property in the TIP_HOME/profiles/TIPProfile/properties/portdef.props
file. For example, the file might specify these values:
WC_defaulthost=16310
WC_adminhost_secure=16316

If you change the value of the Tivoli Integrated Portal port during installation, you
might need to determine the secure port number. The Tivoli Key Lifecycle Manager
server secure port number is 6 higher than the changed Tivoli Integrated Portal
port number. For example, if you changed the port to 17000, the Tivoli Key
Lifecycle Manager server secure port number is 17006.

Verifying the installation


After the installation on distributed systems, verify that the Tivoli Key Lifecycle
Manager installation was successful.

Perform these actions to verify the installation on distributed systems:


1. Start and stop the server. See “Starting and stopping the Tivoli Key Lifecycle
Manager server on distributed systems” on page 83 for details.
2. Open Tivoli Key Lifecycle Manager in a Web browser and log in.
a. Open a Web browser and direct it to the administrative console (the URL
from the last panel of the installation). For more information, see “Login
URL and initial user ID” on page 13.
b. Log in to Tivoli Integrated Portal.
c. Click the Tivoli Key Lifecycle Manager link in the navigation panel on the
left side of the page to expand the Tivoli Key Lifecycle Manager section and
click the Welcome link.
d. Tivoli Key Lifecycle Manager opens in the main panel, displaying the Tivoli
Key Lifecycle Manager Welcome page.
3. Use the command-line interface to list the Tivoli Key Lifecycle Manager
command group. For example, from TIP_HOME/bin, enter:
./wsadmin.sh -username <tklmadmin id> -password <tklmadmin passwd> -lang jython

When the wsadmin tool prompts you, enter this command:


wsadmin>print AdminTask.help("-commandGroups")

82 IBM Tivoli Key Lifecycle Manager: Installation and Configuration Guide


The Tivoli Key Lifecycle Manager command groups are displayed. For example,
the list contains backup commands and other command groups:
TKLMBackupCommands - Tivoli Key Lifecycle Manager backup/restore commands

Enabling scripting settings for Internet Explorer Version 7 and 8


Ensure that scripting settings for Internet Explorer Version 7 and 8 are enabled.

About this task

Unless some scripting settings are enabled for Internet Explorer Version 7 and 8,
you might later be unable to create a Tivoli Key Lifecycle Manager user.

Procedure

Ensure that these browser settings are enabled:
1. Open the browser and click Tools > Internet Options > Security.
2. Scroll the list of security settings to the Scripting options and ensure that these
settings are enabled:
• Allow status bar updates via scripts
• Active Scripting
• Scripting of Java applets
3. Click OK.

Starting and stopping the Tivoli Key Lifecycle Manager server on
distributed systems

You might need to use the startServer or stopServer command to start or stop the
Tivoli Key Lifecycle Manager server. For example, after a restore task completes,
restart the Tivoli Key Lifecycle Manager server.

About this task

Scripts to start and stop the Tivoli Key Lifecycle Manager server are in the
TIP_HOME/bin directory.

Procedure
1. Navigate to the TIP_HOME/bin directory.
2. Start or stop the server.
v Start
On Windows systems:
startServer.bat server1
On systems such as Linux or AIX:
./startServer.sh server1
v Stop
On Windows systems:
stopServer.bat server1

Chapter 9. Post-installation steps 83


On systems such as Linux or AIX:
./stopServer.sh server1
Global security is enabled by default. Enter the user ID and password of the
Tivoli Integrated Portal administrator as parameters to the stopServer script.
The script prompts for these parameters if they are omitted; letting it prompt
keeps the password out of the shell history and the process list. You can also
specify them on the command line:
On Windows systems:
stopServer.bat server1 -username tipadmin -password mypwd
On systems such as Linux or AIX:
./stopServer.sh server1 -username tipadmin -password mypwd

What to do next
Determine whether Tivoli Key Lifecycle Manager is running. For example, open
Tivoli Key Lifecycle Manager in a Web browser and log in.

Enabling global security

Global security is enabled by default. If it has been disabled, enable it again
before you use Tivoli Key Lifecycle Manager.

About this task

Do not disable global security when you use Tivoli Key Lifecycle Manager.

Procedure
1. To enable global security, log in as the Tivoli Integrated Portal administrator
TIPAdmin.
2. In the navigation bar, click Security.
3. Click Secure administration, applications and infrastructure.
4. Check the Enable administrative security check box.
Ensure that Enable application security is also selected and that Use Java 2
security to restrict application access to local resources is not selected.
5. Click Apply.
6. Click Save in the Messages box. Click Logout.
7. Stop and restart the server.
8. Reload the Tivoli Key Lifecycle Manager login page. Verify that the page
requires a password.

Disabling global security

Conditions might occur in which you need to disable global security. Treat this as
a temporary measure and enable global security again as soon as the condition is
resolved (see “Enabling global security”).

About this task

Do not disable global security when you use Tivoli Key Lifecycle Manager. While it
is disabled, the login page does not require a password, so anyone who can reach the
console port can administer the key server.

Procedure
1. To disable global security, log in as the Tivoli Integrated Portal administrator
TIPAdmin.
2. In the navigation bar, click Security.
3. Click Secure administration, applications and infrastructure.
4. Clear the Enable administrative security check box.



5. Click Apply.
6. Click Save in the Messages box. Click Logout.
7. Stop and restart the server.
8. Reload the Tivoli Key Lifecycle Manager login page. Verify that the page does
not require a password.



Appendix A. Preinstallation worksheets
Before you begin to install and configure Tivoli Key Lifecycle Manager, you can fill
out these worksheets to identify the configuration parameters needed to complete
the Tivoli Key Lifecycle Manager installation.

General installation parameters


Use this worksheet to record general installation parameters.
Table 11. General installation parameters
(Columns: Option, Description, Default or example value, Your value.)

Installation mode
    Description: Mode in which to run the installation program.
    Default or example value: gui (default), console, or silent
    Your value:

Important step: Check your free disk space
    Description: Ensure that you have enough free disk space available.
    Default or example value: See “Hardware requirements for distributed systems”
        on page 5 for values.
    Your value:

DB2 configuration parameters


Use this worksheet to record your entries related to the installation and
configuration of DB2.
Table 12. DB2 configuration parameters
(Columns: Field name, Description, Default or example value, Your value.)

DB2 Destination
    Description: Directory in which to install DB2.
    Default or example value:
        Windows systems: drive\Program Files\IBM\db2tklmV2
        AIX and Linux systems: /opt/IBM/db2tklmV2
    Your value:

DB2 Administrator ID
    Description: User ID for the Tivoli Key Lifecycle Manager database
        administrator (also called the instance owner).
    Default or example value: tklmdb2
    Your value:

DB2 Administrator Password
    Description: Password for the database administrator user ID.
    Default or example value: none
    Your value:

Database name
    Description: Name of the Tivoli Key Lifecycle Manager database.
    Default or example value: tklmdb
    Your value:

DB2 Port
    Description: DB2 service listening port.
    Default or example value: 50010
    Your value:

Administrator / Database Home
    Description: Directory where the database instance and formatted tables are
        created.
    Default or example value: C:
    Your value:

Administrator group
    Description: Group in which the instance owner of the database is a member.
    Default or example value: If DB2 is on a system such as AIX or Linux, your
        user ID must be in the bin or root group, or in a separate group in which
        root is a member.
    Your value:

Instance Drive Letter (Windows systems only)
    Description: Drive where DB2 is to be installed.
    Default or example value: C:
    Your value:

Tivoli Integrated Portal configuration parameters


Use this worksheet to record your entries related to the configuration of Tivoli
Integrated Portal.
Table 13. Tivoli Integrated Portal configuration parameters
(Columns: Field name, Description, Default or example value, Your value.)

Tivoli Integrated Portal Directory Name
    Description: Directory in which Tivoli Integrated Portal is to be installed.
        Varies depending on the operating system. Do not embed spaces in the
        TIP_HOME installation path or directory name.
    Default or example value:
        Windows: drive:\IBM\tivoli\tiptklmV2
        Linux, AIX, and Solaris: path/IBM/tivoli/tiptklmV2
    Your value:

Tivoli Integrated Portal Administrator Login ID
    Description: Administrator login ID used to log in to Tivoli Integrated Portal.
    Default or example value: tipadmin
    Your value:

Tivoli Integrated Portal Administrator Password
    Description: Password for the user ID.
    Default or example value: none
    Your value:

Port Number
    Description: Port used for the Tivoli Integrated Portal profile. Do not use a
        port value greater than 65520.
    Default or example value: The installation completion page contains the Tivoli
        Integrated Portal port number. On systems such as AIX or Linux, the login
        URL and installed port numbers are stored in the TIP_HOME/etc/tklmadmin.html
        file that you can load in your browser. On Windows systems, the information
        is on the start menu. Click Start > All Programs > Tivoli Key Lifecycle
        Manager 2.0 > Tivoli Integrated Portal.
    Your value:

The following user ID is included here for reference.

Tivoli Key Lifecycle Manager Administrator Login ID
    Description: Administrator login ID used to log in to Tivoli Key Lifecycle
        Manager.
    Default or example value: TKLMAdmin
    Your value:



Appendix B. Sample response files
You might need to use sample response files for Windows and other systems.
Before installation, you must also read and agree to the license terms for this
product. To locate the response files and license term files, look in the root
directory of the installation image files. The /license subdirectory has the license
files in text format.

A response file stores passwords as plain text. You must take additional steps to
use and store a response file securely.

The default response file has a setting of false for a field that indicates that you
read and agree with the terms of the license for this product. Installation fails
unless you take these steps:
1. Read the license file that is located in the /license subdirectory of the root
directory of the installation image files.
2. In the response file, make these changes to the line that specifies the license:
• Set the default value to true to indicate that you agree with the terms of the
license.
• Uncomment the line by removing the pound sign (#) character at the
beginning of the line.
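The following script is an added example, not part of the product or of this guide, of how to act on the warnings in this appendix: the response file holds passwords in plain text, the installer exits with no log when LICENSE_ACCEPTED is not true, the WebSphere Application Server ports must be valid and not collide, and the passwords must be removed from the file after installation. It also classifies the installer's exit status the way Appendix C describes (0 success, 1 success with warnings, anything else a failure). It assumes a template response file whose password fields are left empty, that the passwords arrive in the environment variables TKLM_DB2_PW, TKLM_ADMIN_PW and TKLM_TIP_PW (names chosen for this example), and the documented install.sh -i silent -f invocation on systems such as Linux or AIX. On Windows, wrap install.exe in a batch file or cmd /c as the sample response file notes. The function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not part of Tivoli Key Lifecycle Manager): handle a silent-install
# response file so that the plaintext passwords it must contain are exposed as
# briefly as possible. Assumptions: the template's password fields are empty, the
# passwords come from TKLM_DB2_PW, TKLM_ADMIN_PW and TKLM_TIP_PW (names chosen here),
# and the installer is invoked as documented: install.sh -i silent -f <file>.
set -u

# Password keys that appear in the sample response files of this appendix.
SECRET_KEYS="DB2_ADMINISTRATOR_PASSWORD DB2_CONFIRM_PASSWORD TKLMADMIN_PW TKLMADMIN_CONFIRM_PW
IALOCAL_WASPassword IALOCAL_CONFIRM_WASPassword TKLM_MIGRATION_TIP_PASSWORD TKLM_CONFIRM_MIGRATION_TIP_PASSWORD"

# Value of KEY in FILE; commented-out lines such as #LICENSE_ACCEPTED=false are ignored.
rf_get() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1; }

# Octal permission bits of a file (GNU stat, falling back to BSD stat).
rf_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Render TEMPLATE to OUT, filling the empty password fields from the environment.
# umask 077 means the file is never readable by others, not even briefly; ENVIRON is
# used instead of awk -v so the passwords never appear in the process argument list.
rf_render() {
  local tmpl=$1 out=$2
  ( umask 077; rm -f "$out"
    awk '
      /^DB2_(ADMINISTRATOR|CONFIRM)_PASSWORD=$/ { print $0 ENVIRON["TKLM_DB2_PW"]; next }
      /^TKLMADMIN_(CONFIRM_)?PW=$/              { print $0 ENVIRON["TKLM_ADMIN_PW"]; next }
      /^IALOCAL_(CONFIRM_)?WASPassword=$/       { print $0 ENVIRON["TKLM_TIP_PW"]; next }
      { print }' "$tmpl" > "$out" )
}

# Port settings: every IAGLOBAL_* listener plus the DB2 port. Prints each line whose
# value is not a number in 1..65535 (the sample files say the port must be below 65536).
PORT_KEYS='^(IAGLOBAL_(WC_[a-z]+(_secure)?|[A-Z0-9_]+_ADDRESS)|DB2_DB_PORT)='
rf_bad_ports() {
  grep -E "$PORT_KEYS" "$1" |
    awk -F= '$2 !~ /^[0-9]+$/ || $2 + 0 < 1 || $2 + 0 > 65535 { print }'
}

# Pre-flight: refuse to feed the installer a file that is readable by others, that
# does not have the license accepted (the installer would exit with no log and no
# error), or whose port values are unusable or assigned to more than one listener.
rf_preflight() {
  local f=$1 rc=0 mode bad dups
  mode=$(rf_mode "$f")
  case "$mode" in
    600|400) ;;
    *) echo "preflight: $f has mode $mode, expected 600 (it holds plaintext passwords)" >&2; rc=1 ;;
  esac
  if [ "$(rf_get "$f" LICENSE_ACCEPTED)" != true ]; then
    echo "preflight: LICENSE_ACCEPTED is not uncommented and set to true" >&2; rc=1
  fi
  bad=$(rf_bad_ports "$f")
  [ -z "$bad" ] || { printf 'preflight: bad port setting: %s\n' $bad >&2; rc=1; }
  dups=$(grep -E "$PORT_KEYS" "$f" | cut -d= -f2 | sort | uniq -d)
  [ -z "$dups" ] || { echo "preflight: port used more than once: $dups" >&2; rc=1; }
  return $rc
}

# Blank every password value in FILE in place; the keys stay so the file is reusable.
rf_scrub() {
  local f=$1 tmp
  tmp=$(mktemp "$f.XXXXXX")   # mktemp creates the temporary file with mode 0600
  awk -v keys="$SECRET_KEYS" '
    BEGIN { n = split(keys, k, "[ \n]+"); for (i = 1; i <= n; i++) secret[k[i]] = 1 }
    /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ {
      key = $0; sub(/^[[:space:]]*/, "", key); sub(/=.*/, "", key)
      if (key in secret) { print key "="; next }
    }
    { print }' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Run the documented silent install and interpret the exit status as in Appendix C,
# Table 14: 0 success, 1 success with warnings, anything else a failure. The passwords
# are scrubbed from the response file however the installer ends.
rf_install() {
  local installer=$1 f=$2 rc
  rf_preflight "$f" || return 2
  "$installer" -i silent -f "$f" && rc=0 || rc=$?
  rf_scrub "$f"
  case $rc in
    0) echo "install: success" ;;
    1) echo "install: completed with warnings, check the installer log" ;;
    *) echo "install: failed with exit code $rc (see Table 14)" >&2 ;;
  esac
  return $rc
}

# Typical use (paths are placeholders):
#   export TKLM_DB2_PW=... TKLM_ADMIN_PW=... TKLM_TIP_PW=...
#   rf_render tklm.template tklm.properties && rf_install /media/tklm/install.sh tklm.properties
```

Keep the template under version control with its password fields empty and generate the real response file only on the target host, immediately before the install; after rf_install returns, the file contains the non-secret settings only, which is what you want to keep for a repeatable reinstall.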

New installation of Version 2 on Windows systems


This example of a response file contains responses for an installation of Tivoli Key
Lifecycle Manager Version 2 onto a Windows system or an installation in which
Encryption Key Manager migration occurs.

Note: The LICENSE_ACCEPTED parameter must be uncommented and set to true
before a sample response file can be used.
###############################################################
## When ready for use, this file contains passwords in plain text.
## You must take additional steps to keep the file secure.
###############################################################
###############################################################
##
## InstallAnywhere variable to configure for silent install
##
## Usage: install.exe -i silent -f <full path to this file>
##
## On Windows, install.exe returns immediately. To avoid this, wrap the
## install.exe command in a batch file or use
## cmd /c install.exe -i silent -f <full path to this file>.
##
##
###############################################################

INSTALLER_UI=SILENT

#----
#---- Set Silent License Acceptance
#---- Accept license agreement: remove # sign
#---- example: LICENSE_ACCEPTED=true
#---- if the LICENSE_ACCEPTED is anything other than true, the installation will exit,
#---- no log will be produced, no indication of failure will be provided.
#----
#---- By removing the # sign before #LICENSE_ACCEPTED=false and changing false to true
#---- you have signified acceptance of the Tivoli Key Lifecycle Manager license agreement
#LICENSE_ACCEPTED=false



#--------------------------------------------------------------#
# DB2 RESPONSE FILE SECTION #
#--------------------------------------------------------------#

#------------------------
#---- IBM DB2 Destination
#---- Enter the DB2 installation directory or specify the full path of an existing
#---- DB2 copy to use with Tivoli Key Lifecycle Manager.
#------------------------
DB2_INSTALLATION_DIRECTORY=C:\\Program Files\\IBM\\db2tklmV2

#----------------------------------
#---- IBM DB2 Configuration Options
#----------------------------------

#---- The administrator ID will be used to name both the DB2 instance to be used
#---- for Tivoli Key Lifecycle Manager and the user to administer that DB2 instance.
#---- If using an existing DB2 copy to use with Tivoli Key Lifecycle Manager
#---- then a DB2 instance with the same name as the specified administrator ID
#---- must not already exist on that DB2 copy.
#---- If you specify an existing user as the administrator ID then you must
#---- also specify that user’s password as the value of property
#---- DB2_ADMINISTRATOR_PASSWORD below.
#---- Also, an existing user specified as the administrator ID must not already
#---- own a DB2 instance.
#----
DB2_ADMINISTRATOR_ID=tklmdb2

#---- Specify the DB2 administrator password
#---- and respecify it in the confirmation field.
#---- Be sure to remove these passwords from this file after installation.
DB2_ADMINISTRATOR_PASSWORD=
DB2_CONFIRM_PASSWORD=

#---- Specify the drive letter followed by a colon (:) of where
#---- the DB2 database will reside. DB2 will store the tables
#---- in <DB2_DB_HOME>\<DB2_ADMINISTRATOR_ID> (C:\TKLMDB2)
DB2_DB_HOME=C:

#---- Specify the name of the database to be used by Tivoli Key Lifecycle Manager
DB2_DB_NAME=tklmdb

#---- Specify the port that DB2 should use. Default is 50010
#---- on Windows ports from 50000 - 50009 and 60000 - 60009
#---- are discouraged since they could conflict with the default
#---- port used in the "free" DB2 instance you get as part of a
#---- Windows DB2 install; on Unix db2 instance creation is deferred
#---- to a post-install action
#----
#---- This port must be less than 65536
DB2_DB_PORT=50010

#--------------------------------------------------------------#
# Tivoli Key Lifecycle Manager RESPONSE FILE SECTION #
#--------------------------------------------------------------#

#---- Choose Install Folder
#---- Silent Install: remove # sign and provide fully qualified path
#---- example: USER_INSTALL_DIR=C:\\ibm\\tivoli\\tiptklmV2
#---- Note: Windows considers \ to be an escape character so use \\ when defining
#---- the path on Windows
#----
USER_INSTALL_DIR=C:\\ibm\\tivoli\\tiptklmV2

#---- Choose TKLMAdmin password
#---- and specify the confirm password
#---- Be sure to remove these passwords from this file after installation.
TKLMADMIN_PW=
TKLMADMIN_CONFIRM_PW=

#
# Configuration Related
#

# WAS_INFO note: the WASPortsCreationAction will create all the ports.
#

IAGLOBAL_WASUserID=tipadmin



#---- Specify the WAS TIP password and the confirm password.
#---- Be sure to remove the password from this file after installation.
IALOCAL_WASPassword=
IALOCAL_CONFIRM_WASPassword=

IAGLOBAL_WC_defaulthost=16310
IAGLOBAL_WC_defaulthost_secure=16311
IAGLOBAL_BOOTSTRAP_ADDRESS=16312
IAGLOBAL_SOAP_CONNECTOR_ADDRESS=16313
IAGLOBAL_WC_adminhost=16315
IAGLOBAL_WC_adminhost_secure=16316
IAGLOBAL_DCS_UNICAST_ADDRESS=16318
IAGLOBAL_ORB_LISTENER_ADDRESS=16320
IAGLOBAL_SAS_SSL_SERVERAUTH_LISTENER_ADDRESS=16321
IAGLOBAL_CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS=16322
IAGLOBAL_CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS=16323

#
#EKM Migration
#-------------
# Set IAGLOBAL_MIGRATE to 1 if you are migrating a working EKM 2.1
# configuration to Tivoli Key Lifecycle Manager; otherwise keep it set to 0.
# If you set IAGLOBAL_MIGRATE=1 you MUST also set the path to a
# valid KeyManagerConfig.properties file by uncommenting (removing the "#")
# for the IAGLOBAL_MIGRATE_FILE property below and setting the fully qualified path
# to the correct configuration file location as its value.
#
IAGLOBAL_MIGRATE=0
#IAGLOBAL_MIGRATE_FILE=C:\\IBM\\Java-50\\jre\\lib\\ext\\KeyManagerConfig.properties

New installation of Version 2 on systems such as Linux or AIX


This example of a response file contains responses for an installation of Tivoli Key
Lifecycle Manager Version 2 onto a system such as Linux or AIX or an installation
in which Encryption Key Manager migration occurs.

Note: The LICENSE_ACCEPTED parameter must be uncommented and set to true
before a sample response file can be used.
###############################################################
## When ready for use, this file contains passwords in plain text.
## You must take additional steps to keep the file secure.
###############################################################
###############################################################
##
## InstallAnywhere variable to configure for silent install
##
## Usage: install.sh -i silent -f <full path to this file>
##
###############################################################

INSTALLER_UI=SILENT

#----
#---- Set Silent License Acceptance
#---- Accept license agreement: remove # sign
#---- example: LICENSE_ACCEPTED=true
#---- if the LICENSE_ACCEPTED is anything other than true, the installation will exit,
#---- no log will be produced, no indication of failure will be provided.
#----
#---- By removing the # sign before #LICENSE_ACCEPTED=false and changing false to true
#---- you have signified acceptance of the Tivoli Key Lifecycle Manager license agreement
#LICENSE_ACCEPTED=false

#--------------------------------------------------------------#
# DB2 RESPONSE FILE SECTION #
#--------------------------------------------------------------#

#------------------------
#---- IBM DB2 Destination
#---- Enter the DB2 installation directory or specify the full path of an existing
#---- DB2 copy to use with Tivoli Key Lifecycle Manager.



#------------------------
DB2_INSTALLATION_DIRECTORY=/opt/IBM/db2tklmV2

#----------------------------------
#---- IBM DB2 Configuration Options
#----------------------------------

#---- The administrator ID will be used to name both the DB2 instance to be used
#---- for Tivoli Key Lifecycle Manager and the user to administer that DB2 instance.
#---- If using an existing DB2 copy to use with Tivoli Key Lifecycle Manager
#---- then a DB2 instance with the same name as the specified administrator ID
#---- must not already exist on that DB2 copy.
#---- If you specify an existing user as the administrator ID
#---- then you must also specify that user’s password as the value of
#---- the property DB2_ADMINISTRATOR_PASSWORD below.
#---- Also, an existing user specified as the administrator ID must not
#---- already own a DB2 instance.
#----
DB2_ADMINISTRATOR_ID=tklmdb2

#---- Specify the DB2 administrator password
#---- and respecify it in the confirmation field.
#---- Be sure to remove these passwords from this file after installation.
DB2_ADMINISTRATOR_PASSWORD=
DB2_CONFIRM_PASSWORD=

#---- Specify the full path of the DB2 administrator’s
#---- home directory. This is where the instance data
#---- will be stored. The default location for Solaris
#---- is /export/home/tklmdb2
#---- The default location for all other UNIX platforms
#---- is /home/tklmdb2
DB2_DB_HOME=/home/tklmdb2

#---- Specify the name of the database to be used by Tivoli Key Lifecycle Manager
DB2_DB_NAME=tklmdb

#---- Specify the port that DB2 should use. Default is 50000
#---- The port must be less than 65536.
DB2_DB_PORT=50000

#---- DB2 Administrator Creation (1=YES, 0=NO)
#---- Set DB2_CREATE_USER_YN to 0 if using an existing user as the administrator
#---- of the DB2 instance to be used for Tivoli Key Lifecycle Manager;
#---- otherwise keep it set to 1.
DB2_CREATE_USER_YN=1

#---- Administrator’s Group - must be one of root’s groups.
DB2_ADMIN_GROUP=bin

#--------------------------------------------------------------#
# Tivoli Key Lifecycle Manager RESPONSE FILE SECTION #
#--------------------------------------------------------------#

#---- Choose Install Folder
#---- Silent Install: remove # sign and provide fully qualified path
#---- example: USER_INSTALL_DIR=/opt/IBM/tivoli/tiptklmV2
#----
USER_INSTALL_DIR=/opt/IBM/tivoli/tiptklmV2

#---- Choose TKLMAdmin password
#---- and specify the confirm password
#---- Be sure to remove these passwords from this file after installation.
TKLMADMIN_PW=
TKLMADMIN_CONFIRM_PW=

#
# Configuration Related
#

# WAS_INFO note: the WASPortsCreationAction will create all the ports.
#

IAGLOBAL_WASUserID=tipadmin

#---- Specify the WAS TIP password and the confirm password.
#---- Be sure to remove the password from this file after installation.
IALOCAL_WASPassword=
IALOCAL_CONFIRM_WASPassword=



IAGLOBAL_WC_defaulthost=16310
IAGLOBAL_WC_defaulthost_secure=16311
IAGLOBAL_BOOTSTRAP_ADDRESS=16312
IAGLOBAL_SOAP_CONNECTOR_ADDRESS=16313
IAGLOBAL_WC_adminhost=16315
IAGLOBAL_WC_adminhost_secure=16316
IAGLOBAL_DCS_UNICAST_ADDRESS=16318
IAGLOBAL_ORB_LISTENER_ADDRESS=16320
IAGLOBAL_SAS_SSL_SERVERAUTH_LISTENER_ADDRESS=16321
IAGLOBAL_CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS=16322
IAGLOBAL_CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS=16323

#
#EKM Migration
#-------------
# Set IAGLOBAL_MIGRATE to 1 if you are migrating a working EKM 2.1
# configuration to Tivoli Key Lifecycle Manager; otherwise keep it set to 0.
# If you set IAGLOBAL_MIGRATE=1 you MUST also set the path to a valid
# KeyManagerConfig.properties file by uncommenting (removing the "#")
# for the IAGLOBAL_MIGRATE_FILE property below and setting the fully qualified path
# to the correct configuration file location as its value.
#
IAGLOBAL_MIGRATE=0
#IAGLOBAL_MIGRATE_FILE=/opt/ibm/java50/jre/lib/ext/KeyManagerConfig.properties

Version 1 to Version 2 migration on Windows systems


This example of a response file contains responses for an installation onto a
Windows system in which Tivoli Key Lifecycle Manager Version 1 to Version 2
migration occurs.

Note:
• To determine if Tivoli Key Lifecycle Manager Version 1 exists and requires
migration, use the tklmVersionInfo command. For example, type this command
in a Jython session:
print AdminTask.tklmVersionInfo()
• Uncomment the LICENSE_ACCEPTED parameter and set the value to true before using
this sample response file.
###############################################################
## When ready for use, this file contains passwords in plain text.
## You must take additional steps to keep the file secure.
###############################################################
###############################################################
##
## Installation settings for silent install where a migration
## from a previous release of Tivoli Key Lifecycle Manager will
## be performed.
##
## Usage: install.exe -i silent -f <full path to this file>
##
## On Windows, install.exe returns immediately. To avoid this, wrap the
## install.exe command in a batch file or use
## cmd /c install.exe -i silent -f <full path to this file>.
##
##
###############################################################

INSTALLER_UI=SILENT

#----
#---- Set Silent License Acceptance
#---- Accept license agreement: remove # sign and set to true
#---- example: LICENSE_ACCEPTED=true
#---- if the LICENSE_ACCEPTED is anything other than true, the installation will exit,
#---- no log will be produced, no indication of failure will be provided.
#----
#---- By removing the # sign before #LICENSE_ACCEPTED=false and changing false to true
#---- you have signified acceptance of the Tivoli Key Lifecycle Manager license agreement
#LICENSE_ACCEPTED=false



#--------------------------------------------------------------#
# DB2 RESPONSE FILE SECTION #
#--------------------------------------------------------------#

#------------------------
#---- IBM DB2 destination for the new copy of DB2 to be installed.
#---- This can also point to a valid existing installation of DB2
#---- to be used by Tivoli Key Lifecycle Manager.
#------------------------
DB2_INSTALLATION_DIRECTORY=C:\\Program Files\\IBM\\db2tklmV2

#--------------------------------------------------------------#
# Tivoli Key Lifecycle Manager Migration #
#--------------------------------------------------------------#

#----------------------------------
#---- Specify the DB2 administrator password from the DB2 that is
#---- being used by the release of Tivoli Key Lifecycle Manager
#---- that is being migrated.
#---- Respecify it in the confirmation field.
#---- Be sure to remove these passwords from this file after installation.
DB2_ADMINISTRATOR_PASSWORD=
DB2_CONFIRM_PASSWORD=

#----------------------------------------------------------------
#---- Specify the password for the Tivoli Integrated Portal administrator user ID
#---- from the release that is being migrated.
#---- Respecify it in the confirmation field.
#---- Be sure to remove these passwords from this file after installation.
TKLM_MIGRATION_TIP_PASSWORD=
TKLM_CONFIRM_MIGRATION_TIP_PASSWORD=
#----------------------------------------------------------------

#--------------------------------------------------------------#
# Tivoli Key Lifecycle Manager RESPONSE FILE SECTION #
# The following items are used for the new Tivoli Key Lifecycle#
# Manager installation. #
#--------------------------------------------------------------#

#---- Choose Install Folder
#---- Note: Windows considers \ to be an escape character so use \\ when defining
#---- the path on Windows
#----
USER_INSTALL_DIR=C:\\ibm\\tivoli\\tiptklmV2

#---- Choose TKLMAdmin password
#---- and specify the confirm password
#---- Be sure to remove these passwords from this file after installation.
#---- NOTE: This does NOT need to match the TKLMAdmin password from your
#---- previous installation of Tivoli Key Lifecycle Manager.
TKLMADMIN_PW=
TKLMADMIN_CONFIRM_PW=

#---- Specify the WebSphere Application Server administrator user ID to be used
#---- for Tivoli Integrated Portal
IAGLOBAL_WASUserID=tipadmin

#---- Specify the Tivoli Integrated Portal password and the confirm password.
#---- Be sure to remove the password from this file after installation.
IALOCAL_WASPassword=
IALOCAL_CONFIRM_WASPassword=

#---- Ports to be used by Websphere Application server. Be sure to specify ports that are
#---- not in use on the system.
IAGLOBAL_WC_defaulthost=16340
IAGLOBAL_WC_defaulthost_secure=16341
IAGLOBAL_BOOTSTRAP_ADDRESS=16342
IAGLOBAL_SOAP_CONNECTOR_ADDRESS=16343
IAGLOBAL_WC_adminhost=16345
IAGLOBAL_WC_adminhost_secure=16346
IAGLOBAL_DCS_UNICAST_ADDRESS=16348
IAGLOBAL_ORB_LISTENER_ADDRESS=16350
IAGLOBAL_SAS_SSL_SERVERAUTH_LISTENER_ADDRESS=16351
IAGLOBAL_CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS=16352
IAGLOBAL_CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS=16353



Version 1 to Version 2 migration on systems such as Linux or AIX
This example of a response file contains responses for an installation onto a system
such as Linux or AIX in which Tivoli Key Lifecycle Manager Version 1 to Version 2
migration occurs.

Note:
• To determine if Tivoli Key Lifecycle Manager Version 1 exists and requires
migration, use the tklmVersionInfo command. For example, type this command
in a Jython session:
print AdminTask.tklmVersionInfo()
• Uncomment the LICENSE_ACCEPTED parameter and set the value to true before using
this sample response file.
###############################################################
## When ready for use, this file contains passwords in plain text.
## You must take additional steps to keep the file secure.
###############################################################
###############################################################
##
## Installation settings for silent install where a migration
## from a previous release of Tivoli Key Lifecycle Manager will
## be performed.
##
## Usage: install.sh -i silent -f <full path to this file>
##
###############################################################

INSTALLER_UI=SILENT

#----
#---- Set Silent License Acceptance
#---- Accept license agreement: remove # sign and set to true
#---- example: LICENSE_ACCEPTED=true
#---- if the LICENSE_ACCEPTED is anything other than true, the installation will exit,
#---- no log will be produced, no indication of failure will be provided.
#----
#---- By removing the # sign before #LICENSE_ACCEPTED=false and changing false to true
#---- you have signified acceptance of the Tivoli Key Lifecycle Manager license agreement
#LICENSE_ACCEPTED=false

#--------------------------------------------------------------#
# DB2 RESPONSE FILE SECTION #
#--------------------------------------------------------------#

#------------------------
#---- IBM DB2 destination for the new copy of DB2 to be installed.
#---- This can also point to a valid existing installation of DB2
#---- to be used by Tivoli Key Lifecycle Manager.
#------------------------
DB2_INSTALLATION_DIRECTORY=/opt/IBM/db2tklmV2

#--------------------------------------------------------------#
# Tivoli Key Lifecycle Manager Migration #
#--------------------------------------------------------------#

#----------------------------------
#---- Specify the DB2 administrator password from the DB2 that is
#---- being used by the release of Tivoli Key Lifecycle Manager
#---- that is being migrated.
#---- Respecify it in the confirmation field.
#---- Be sure to remove these passwords from this file after installation.
DB2_ADMINISTRATOR_PASSWORD=
DB2_CONFIRM_PASSWORD=

#----------------------------------------------------------------
#---- Specify the password for the Tivoli Integrated Portal administrator user ID
#---- from the release that is being migrated.
#---- Respecify it in the confirmation field.
#---- Be sure to remove these passwords from this file after installation.
TKLM_MIGRATION_TIP_PASSWORD=



TKLM_CONFIRM_MIGRATION_TIP_PASSWORD=
#----------------------------------------------------------------

#--------------------------------------------------------------#
# Tivoli Key Lifecycle Manager RESPONSE FILE SECTION #
# The following items are used for the new #
# Tivoli Key Lifecycle Manager installation. #
#--------------------------------------------------------------#

#---- Choose Install Folder
#----
USER_INSTALL_DIR=/opt/IBM/tivoli/tiptklmV2

#---- Choose TKLMAdmin password
#---- and specify the confirm password
#---- Be sure to remove these passwords from this file after installation.
#---- NOTE: This does NOT need to match the TKLMAdmin password from your
#---- previous installation of Tivoli Key Lifecycle Manager.
TKLMADMIN_PW=
TKLMADMIN_CONFIRM_PW=

#---- Specify the WebSphere Application Server administrator user ID to be used
#---- for Tivoli Integrated Portal
IAGLOBAL_WASUserID=tipadmin

#---- Specify the Tivoli Integrated Portal password and the confirm password.
#---- Be sure to remove the password from this file after installation.
IALOCAL_WASPassword=
IALOCAL_CONFIRM_WASPassword=

#---- Ports to be used by Websphere Application server. Be sure to specify ports that are
#---- not in use on the system.
IAGLOBAL_WC_defaulthost=16340
IAGLOBAL_WC_defaulthost_secure=16341
IAGLOBAL_BOOTSTRAP_ADDRESS=16342
IAGLOBAL_SOAP_CONNECTOR_ADDRESS=16343
IAGLOBAL_WC_adminhost=16345
IAGLOBAL_WC_adminhost_secure=16346
IAGLOBAL_DCS_UNICAST_ADDRESS=16348
IAGLOBAL_ORB_LISTENER_ADDRESS=16350
IAGLOBAL_SAS_SSL_SERVERAUTH_LISTENER_ADDRESS=16351
IAGLOBAL_CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS=16352
IAGLOBAL_CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS=16353

Uninstall on Windows systems

This example of a response file contains responses for uninstall on Windows
systems.
###############################################################
## When ready for use, this file contains passwords in plain text.
## You must take additional steps to keep the file secure.
###############################################################
##
## InstallAnywhere variable to configure for silent uninstall
##
## Usage: uninstall.exe -f <full path to this file>
##
## On Windows, uninstall.exe returns immediately. To avoid this, wrap the
## uninstall.exe command in a batch file.
##
## Do not use the -i silent option; the INSTALLER_UI property sets silent mode.
## If you see a GUI panel at the beginning, the -f parameter is not valid.
## Stop uninstalling, check the -f parameter, and start again.
##
##############################################################################

INSTALLER_UI=SILENT

IAGLOBAL_WASUserID=tipadmin
IALOCAL_WASPassword=



Uninstall on systems such as Linux or AIX
This example of a response file contains responses for uninstall on a system such
as Linux or AIX.
###############################################################################
##
## InstallAnywhere variable to configure for silent uninstall
##
## Usage: ./uninstall -i silent -f <full path to this file>
##
## If you see a GUI panel at the beginning, the -f parameter is not valid.
## Stop uninstalling, check the -f parameter, and start again.
##
##############################################################################

INSTALLER_UI=SILENT

IAGLOBAL_WASUserID=tipadmin
IALOCAL_WASPassword=

Appendix B. Sample response files 99


Appendix C. Installation error messages
Depending on the outcome of an operation, Tivoli Key Lifecycle Manager might
provide an informational, warning, or error message.

Installation process exit codes


By default, the installation process returns zero (0) if installation is successful and a
nonzero value if installation fails.

Table 14 provides the codes and their definitions.


Table 14. Installation process exit codes

Code   Definition
0      Success: the installation completed without warnings or errors.
1      The installation completed, but one or more actions in the installation
       sequence caused a warning or a non-fatal error.
-1     One or more actions in the installation sequence caused a fatal error.
1000   The installation was cancelled by the user.
1001   The installation was started with an invalid command-line option.
2000   Unhandled error.
2001   The installation failed the authorization check; this might indicate an
       expired version.
2002   The installation failed a rules check: a rule placed on the installer
       itself failed.
2003   An unresolved dependency in silent mode caused the installer to exit.
2004   The installation failed because not enough disk space was detected
       during execution of the install action.
2005   The installation was attempted on a Windows 64-bit system, but the
       installer does not include support for Windows 64-bit systems.
2006   The installation was launched in a UI mode that this installer does
       not support.
3000   Unhandled error specific to a launcher.
3001   Error specific to the lax.main.class property.
3002   Error specific to the lax.main.method property.
3003   The installation was unable to access the method specified in the
       lax.main.method property.
3004   The method specified in the lax.main.method property raised an
       exception.
3005   No value was assigned to the lax.application.name property.
3006   The installation was unable to access the value assigned to the
       lax.nl.java.launcher.main.class property.
3007   Error specific to the lax.nl.java.launcher.main.class property.
3008   Error specific to the lax.nl.java.launcher.main.method property.
3009   The installation was unable to access the method specified in the
       lax.nl.launcher.java.main.method property.
4000   A Java executable was not found at the directory specified by the
       java.home system property.
4001   An incorrect path to the installer jar caused the relauncher to launch
       incorrectly.

Note that a POSIX shell reports only the low eight bits of a process status, so
an exit code of -1 appears as 255 to a calling script. A code of 1 is a success
with warnings, not a clean success; a script that drives a silent installation
should still examine the installation logs in that case.

© Copyright IBM Corp. 2008, 2010

Message syntax
Each message identifier contains the product identifier, the part of the product
that issued the message, the message number, and a letter that indicates whether
the message is informational, a warning, or an error.

Messages have the following syntax:


CTGUUXXXXZ

where:
CTG Identifies the Tivoli Key Lifecycle Manager product.
UU Identifies which part of the product issued the message. For example:
KM The Tivoli Key Lifecycle Manager server issued the message.
KO Password policy messages.
KS The Tivoli Key Lifecycle Manager key server issued the message.
XXXX Is the message number, such as 0001.
Z Is the character I for informational message, W for warning message, or E
for error message.

For example:
CTGKM0545E: An error occurred exporting a certificate.
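Because the identifier is fixed-width and the severity is encoded in its last letter, it can be pulled out of installation or server logs mechanically, which is what a monitoring rule or a post-install check script needs. The following Python is an added example, not product code: it splits an identifier into its fields using the component codes and severity letters listed above, and runs the same expression over a constructed log excerpt to collect the error messages. The log lines are made up for the example; the identifiers in them are ones this appendix documents.

```python
"""Parse Tivoli Key Lifecycle Manager message identifiers (CTGUUXXXXZ).

Added example, not product code. The identifier layout, the component codes
(KM, KO, KS) and the severity letters are the ones the guide lists; the log
lines in SAMPLE_LOG are constructed for the example, not captured from a
real installation.
"""
import re

COMPONENTS = {
    "KM": "Tivoli Key Lifecycle Manager server",
    "KO": "password policy",
    "KS": "Tivoli Key Lifecycle Manager key server",
}
SEVERITY = {"I": "info", "W": "warning", "E": "error"}

# CTG, two-letter component, four-digit number, severity letter, and
# optionally the message text after ':' or a space.
MESSAGE_RE = re.compile(r"\b(CTG)([A-Z]{2})(\d{4})([IWE])\b(?:[:\s]\s*(.*))?")


def parse_message_id(msg_id):
    """Split an identifier such as CTGKM0545E into its fields, or None."""
    m = MESSAGE_RE.fullmatch(msg_id.strip())
    if not m:
        return None
    _, comp, number, sev, _ = m.groups()
    return {
        "component": comp,
        "component_name": COMPONENTS.get(comp, "unknown component"),
        "number": int(number),
        "severity": SEVERITY[sev],
    }


def scan_log(lines):
    """Yield (id, severity, text) for each TKLM message found in the lines."""
    for line in lines:
        for m in MESSAGE_RE.finditer(line):
            comp, number, sev, text = m.group(2, 3, 4, 5)
            yield f"CTG{comp}{number}{sev}", SEVERITY[sev], (text or "").strip()


def errors_in(lines):
    """Error ids in order of first appearance, without duplicates."""
    seen = []
    for msg_id, sev, _ in scan_log(lines):
        if sev == "error" and msg_id not in seen:
            seen.append(msg_id)
    return seen


def count_by_severity(lines):
    """Tally of info/warning/error messages in the lines."""
    counts = {"info": 0, "warning": 0, "error": 0}
    for _, sev, _ in scan_log(lines):
        counts[sev] += 1
    return counts


# Constructed log excerpt; the identifiers are ones this appendix documents.
SAMPLE_LOG = """\
2010-08-01 10:02:05 Starting the installer in silent mode
2010-08-01 10:02:11 CTGKM9033I Installing the middleware. This could take several minutes to complete.
2010-08-01 10:14:50 CTGKM9059E The install of the Tivoli Key Lifecycle Manager Fix Pack failed. Refer to the following log for more information:
2010-08-01 10:14:51 CTGKM9060I You must correct any problems and run the following programs before using Tivoli Key Lifecycle Manager:
2010-08-01 10:15:03 CTGKM0545E: An error occurred exporting a certificate.
""".splitlines()
```

The message text group is greedy to the end of the line, so a message whose text mentions another identifier (CTGKM9059E's user response cites CTGKM9060I, for instance) is still reported once, as the message that was actually logged.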

Error and warning messages


These are the Tivoli Key Lifecycle Manager installation messages (informational, warning, and error).

CTGKM9001I You must select a valid KeyManagerConfig.properties file to migrate.
Explanation: One or more of the properties in the KeyManagerConfig.properties file is invalid, or one of the required properties is not defined.
System action: Installation cannot continue until you correct the error.
User response: Examine the KeyManagerConfig.properties file and correct the error.

CTGKM9002E The administrator ID must be eight characters or less.
Explanation: The user ID is restricted to a maximum length of eight characters.
System action: Installation cannot continue until you correct the error.
User response: Select a different user ID that is eight characters or less.

CTGKM9003E The administrator ID must begin with an alphabetic character.
Explanation: The user ID must start with a letter. Additionally, the user ID can use only alphabetic characters, numeric characters, and the underscore (A-Z, a-z, 0-9, and _).
System action: Installation cannot continue until you correct the error.
User response: Select a different user ID that starts with a letter.

CTGKM9004E The administrator ID cannot begin with: ibm, sql, or sys.
Explanation: The administrator user ID cannot start with ibm, sql, or sys.
System action: Installation cannot continue until you correct the error.
User response: Select a different user ID that does not start with one of the restricted strings.

CTGKM9005E The administrator ID cannot be: db2, users, admins, guests, public, private, properties, local, or root.
Explanation: DB2 reserved keywords cannot be used as an administrator user ID.
System action: Installation cannot continue until you correct the error.
User response: Select a different user ID that is not a DB2 keyword.

CTGKM9006E The administrator ID is a required field.
Explanation: You must specify an administrator user ID.
System action: Installation cannot continue until you enter a value in the field.
User response: Enter a user ID in the Administrator ID field.

CTGKM9007E The password is a required field.
Explanation: You must specify a password.
System action: Installation cannot continue until you enter a value in the field.
User response: Enter a password for the user ID.

CTGKM9009I The specified administrative user ID could not be created. Ensure that the password meets system requirements and that the home directory has adequate free disk space.
Explanation: Passwords can contain only alphanumeric characters and the underscore (A-Z, a-z, 0-9, and _). For disk space requirements, see "Hardware requirements for distributed systems" on page 5.
System action: Installation cannot continue until you correct the error.
User response: Ensure that you have enough disk space and that your password conforms to the requirements.

CTGKM9010E The password confirmation field is required.
Explanation: You must confirm the password.
System action: Installation cannot continue until you enter a value in the field.
User response: Enter the password for the user ID again in the confirmation field.

CTGKM9011E The database home is a required field.
Explanation: You must specify the database home directory.
System action: Installation cannot continue until you enter a value in the field.
User response: Enter the directory in which to store the database files.

CTGKM9012E The database name is a required field.
Explanation: You must specify a name for the database.
System action: Installation cannot continue until you enter a value in the field.
User response: Enter a name for the database.

CTGKM9013I The directory you are installing to does not begin at the root directory.
Explanation: When installing on systems such as Linux or AIX, all file locations must be the full path to the file, starting at the root directory. Installation cannot continue until you correct the error.
System action: The directory is not created. Installation cannot continue until you correct the directory path.
User response: Start all file locations from the root directory ( / ).

CTGKM9014I Database creation failed.
Explanation: The Data Definition Language (DDL) subprogram prepares the DB2 database tables. This subprogram has failed.
System action: Installation is stopped.
User response: If this error occurs, examine the error logs for indications of what might have happened. The error logs are DDL.ERR and ddl.log.

CTGKM9015I The directory could not be created or is not writable:
Explanation: The disk or file system you are using is not writable or does not have enough space. See "Hardware requirements for distributed systems" on page 5 for disk space requirements.
System action: Installation cannot continue until you correct the error.
User response: Change the write attributes of the directory, or select a different directory.

CTGKM9016I The destination directory does not have enough room for the DB2 installation. DB2 requires approximately 800MB of free disk space be available to install.
Explanation: The disk or file system you are using does not have enough space. See "Hardware requirements for distributed systems" on page 5 for disk space requirements.
System action: Installation cannot continue until you correct the error.
User response: Remove files to free up space, or add storage to your system to expand the size of the file system.

CTGKM9017I The administrator DN is a required field.
Explanation: You must specify the DN for the administrator user ID.
System action: Installation cannot continue until you enter a value in the field.
User response: Enter the DN information for the administrator user ID.

CTGKM9018E On Windows, the database home should be a drive letter and a colon only. For example: C:
Explanation: On Windows systems, you must select the drive on which to install the Tivoli Key Lifecycle Manager database.
System action: Installation cannot continue until you enter a value in the field.
User response: Enter a correctly formatted drive letter.

CTGKM9019I Installation/Configuration of the middleware components failed.
Explanation: An unexpected error occurred during installation of one of the middleware components that Tivoli Key Lifecycle Manager uses.
System action: Installation is stopped.
User response: Examine the installation error logs for indications of what might have happened. See Appendix D, "Installation and migration log files," on page 113 for information on the error logs.

CTGKM9020I Installation/Configuration of the middleware components was not successful.
Explanation: An unexpected error occurred during installation of one of the middleware components that Tivoli Key Lifecycle Manager uses.
System action: Installation is stopped.
User response: Examine the installation error logs for indications of what might have happened. See Appendix D, "Installation and migration log files," on page 113 for information on the error logs.

CTGKM9021I For more information, review the following logs:
Explanation: The indicated log has information that can assist you in determining the cause of the error condition.
User response: Review the log. Correct the error before restarting installation.

CTGKM9022I When you click Cancel, the process will end. Refer to the logs for more information, correct the problem, and try this process again.
Explanation: An unexpected error occurred during installation of one of the middleware components that Tivoli Key Lifecycle Manager uses.
System action: Installation is exiting.
User response: Examine the installation error logs for indications of what might have happened. See Appendix D, "Installation and migration log files," on page 113 for information on the error logs.

CTGKM9023I The administrator's group field is required for creation of the administrator.
Explanation: You must specify the administrator's group.
System action: Installation cannot continue until you enter a value in the field.
User response: Enter the group that you want the administrator to be in.

CTGKM9024I The database HOME directory cannot contain spaces. If you require this functionality, install and configure the middleware using native methods outside of this wizard.
Explanation: The installation program does not permit spaces in file names or directory paths. If you require this, the functionality is available after installation, using the middleware tools.
System action: Installation cannot continue until you correct the error.
User response: Select a new directory name that does not have any spaces.

CTGKM9025I The specified database HOME directory is not writable.
Explanation: The directory must be writable for installation to proceed.
System action: Installation cannot continue until you correct the error.
User response: Use the operating system utilities to make the directory writable, or select a different directory.

CTGKM9027I The specified administrator ID/instance is already configured as a DB2 instance.
Explanation: The user ID for the DB2 Administrator cannot already be a DB2 instance owner.
System action: Installation cannot continue until you correct the error.
User response: Select a different user ID.

CTGKM9028I An invalid destination directory was detected.
Explanation: The directory entered was not valid.
System action: Installation cannot continue until you correct the error.
User response: Enter a new destination directory.

CTGKM9029I An invalid field was detected.
Explanation: The value entered into the field was invalid.
System action: Installation cannot continue until you correct the error.
User response: Enter a new value for the field.

CTGKM9030I The specified administrator group is not one of the groups associated with the root user. The root groups are:
Explanation: The DB2 Administrator user ID must belong to a group that root is also a member of, such as bin.
System action: Installation cannot continue until you correct the error.
User response: Add the user ID you entered to one of the valid groups, or select a different user ID that is already in one of the valid groups.

CTGKM9031I The specified administrator's primary group is not one of root's groups. Correct the user's group by making it one of the following:
Explanation: The DB2 Administrator user ID must belong to a group that root is also a member of, such as bin.
System action: Installation cannot continue until you correct the error.
User response: Add the user you entered to one of the valid groups, or select a different user ID that is already in one of the valid groups.

CTGKM9032I The keyfile is a required field.
Explanation: You must specify a keyfile.
System action: Installation cannot continue until you enter a value in the field.
User response: Enter the name of the keyfile.

CTGKM9033I Installing the middleware. This could take several minutes to complete.
Explanation: Installation can take a great deal of time. Additionally, there are long periods when the installation program appears to be inactive.
User response: Do not cancel an installation that has been running for a long time, unless it has been well over an hour.

CTGKM9034I There are currently no groups associated with root. Correct the problem and try again. Use the Previous button to refresh this panel.
Explanation: The DB2 Administrator user ID must belong to a group that root is also a member of, such as bin. No groups are currently associated with root.
System action: Installation cannot continue until you correct the error.
User response: Create a group and add the root user ID to the group. Add the user you entered to the group.

CTGKM9035I Special characters are not supported by this wizard. If you require this functionality, install and configure the product without them, then use the product's command line tools to change the values as needed. The field containing special characters is:
Explanation: Only alphanumeric characters and the underscore (a-z, A-Z, 0-9, and _) are permitted in the fields in the installation program.
System action: Installation cannot continue until you correct the error.
User response: Enter a new value into the field that does not contain any special characters.

CTGKM9037I The port must be a positive integer less than 65536.
Explanation: Port numbers must be less than 65536.
System action: Installation cannot continue until you correct the error.
User response: Enter a port number that is lower than 65536.

CTGKM9038I The port is a required field.
Explanation: You must specify a port.
System action: Installation cannot continue until you enter a value in the field.
User response: Enter a port number.

CTGKM9039I The port specified or one of three sequential contiguous ports is already active on this machine; specify another port number that is free, and verify that the next three sequential ports are free as well.
Explanation: The port number and the three numbers that follow the number entered must be available for use. One or more of these numbers is already in use.
System action: Installation cannot continue until you correct the error.
User response: Select another port number. Ensure that the three ports following the new port number are available.

CTGKM9040I The ports 50000-50009 and 60000-60009 are reserved. Specify another port number that is free, and verify that the next three sequential ports are free as well.
Explanation: The port number cannot be in the restricted ranges.
System action: Installation cannot continue until you correct the error.
User response: Select another port number. Ensure that the three ports following the new port number are available.

CTGKM9041E The password and password confirmation fields do not match. Reenter matching passwords for these two fields.
Explanation: The passwords in both fields must match.
System action: Installation cannot continue until you correct the error.
User response: Re-enter the values in the fields.

CTGKM9042I Passwords cannot contain spaces.
Explanation: Passwords can contain only alphanumeric characters and the underscore (a-z, A-Z, 0-9, and _).
System action: Installation cannot continue until you correct the error.
User response: Enter a different password that conforms to the rules.

CTGKM9043I The database home directory already contains an SQLLIB directory, indicating that this instance is partially configured already.
Explanation: The user ID entered for the DB2 Administrator ID is already associated with an instance. The Tivoli Key Lifecycle Manager DB2 Administrator ID cannot have a database instance associated with it.
System action: Installation cannot continue until you correct the error.
User response: Select or create a different user ID.

CTGKM9044I The Administrator ID cannot be an SQL reserved word.
Explanation: The Administrator ID cannot be an SQL reserved word.
System action: Installation cannot continue until you correct the error.
User response: Enter a different value for the Administrator ID.

CTGKM9045I The specified user either does not exist or is not a member of any groups.
Explanation: The user ID must already exist, and must be in a group that root is a member of.
System action: Installation cannot continue until you correct the error.
User response: Create the user ID, or select a different user ID.

CTGKM9046I The Encryption Key Manager migration file validator has detected an invalid configuration properties file.
Explanation: Either the file does not exist or it contains fields with invalid values.
System action: Installation cannot continue until you correct the error.
User response: Review the location and contents of the configuration properties file. Refer to the TIP_HOME/logs/tklm_ekm_migrate.log file for details on the error.

CTGKM9047I The Encryption Key Manager migration could not be run successfully.
Explanation: Migration did not complete successfully.
User response: Review the migration log files to determine whether an error occurred. See "After migrating Encryption Key Manager" on page 27 and Chapter 8, "Recovering from migration failure," on page 63 for additional information.

CTGKM9048I The Tivoli Key Lifecycle Manager server is running with its original settings.
Explanation: Tivoli Key Lifecycle Manager is using the original settings instead of the settings from a migrated Encryption Key Manager.
User response: Review the migration log files to determine whether an error occurred. See "After migrating Encryption Key Manager" on page 27 and Chapter 8, "Recovering from migration failure," on page 63 for additional information.

CTGKM9049I The Windows DB2 DB Home field must be a drive letter [A-Z] followed by a colon.
Explanation: On Windows systems, you must select the drive on which to install the Tivoli Key Lifecycle Manager database. A Windows drive indicator is a letter followed by a colon (:). For example, C:.
System action: Installation cannot continue until you correct the error.
User response: Enter a correctly formatted drive letter.

CTGKM9050I The Windows DB2 DB Home field must be a drive letter that can be written to.
Explanation: The drive must be writable for installation to proceed.
System action: Installation cannot continue until you correct the error.
User response: Use the operating system utilities to make the drive writable, or select a different drive.

CTGKM9051I If uninstallation has been done more than once, there might be more than one uninstall log. Use the most recent one for the status of the current uninstallation.
Explanation: Review the log files indicated to determine the cause of the problem. Ensure that you are using the most recent log file.
User response: The most recent log file is the one named IA-TIPUninstall-00.log. Older log files have the numeric portion of their name incremented.

CTGKM9053E The /var file system does not have enough room for the middleware installation.
Explanation: For disk space requirements, see "Hardware requirements for distributed systems" on page 5.
System action: Installation cannot continue until you correct the error.
User response: Remove files to increase the free disk space, or add storage to your system to expand the size of the file system.

CTGKM9054E The /usr file system does not have enough room for the middleware installation.
Explanation: For disk space requirements, see "Hardware requirements for distributed systems" on page 5.
System action: Installation cannot continue until you correct the error.
User response: Remove files to increase the free disk space, or add storage to your system to expand the size of the file system.


CTGKM9055E The file system does not have enough temporary space for the middleware installation.
Explanation: For disk space requirements, see "Hardware requirements for distributed systems" on page 5.
System action: Installation cannot continue until you correct the error.
User response: Remove files to increase the free disk space, or add storage to your system to expand the size of the file system.

CTGKM9056E The file system containing instance owner home does not have enough room for the middleware installation.
Explanation: For disk space requirements, see "Hardware requirements for distributed systems" on page 5.
System action: Installation cannot continue until you correct the error.
User response: Remove files to increase the free disk space, or add storage to your system to expand the size of the file system.

CTGKM9057E Special characters are not supported by this wizard. If you require this functionality, install and configure the product without them, then use the product's tools to change the values as needed.
Explanation: Entries for all fields are restricted to alphabetic characters (A-Z and a-z), numeric characters (0-9), and the underscore character (_). The restriction also applies to the values in the response file used for silent installations.
System action: The installation task fails.
User response: Modify the value to use only the supported characters. Try again.

CTGKM9058E Tivoli Key Lifecycle Manager is already installed. It cannot be reinstalled. Select OK to exit the installer.
Explanation: Tivoli Key Lifecycle Manager is already installed.
System action: The installation task fails.
User response: Select OK to exit the installer.

CTGKM9059E The install of the Tivoli Key Lifecycle Manager Fix Pack failed. Refer to the following log for more information:
Explanation: Refer to the log file for more information on the installation failure.
System action: Installation is not complete until you correct the error and install the fix pack.
User response: To recover, review the log listed in message CTGKM9059E. Correct any errors and run the programs listed in message CTGKM9060I. For more information on errors, see the fix pack readme file. To download a fix pack, access http://www.ibm.com/support/fixcentral/.

CTGKM9060I You must correct any problems and run the following programs before using Tivoli Key Lifecycle Manager:
Explanation: To correct problems, run additional programs to complete the installation.
System action: The installation task fails.
User response: Review the log files that are listed in message CTGKM9059E. Correct any errors and then run the programs listed in this message. For more information on the recoverFailedFP program and the updateTKLM program, refer to the fix pack readme file. To download a fix pack, access http://www.ibm.com/support/fixcentral/.

CTGKM9061E A password of "password" is not allowed.
Explanation: To provide adequate security, the value of a password cannot be obvious.
System action: The installation task fails.
User response: Type a different value for the password. Try again.

CTGKM9062E Installation cannot continue because the installation media is missing files. The following directories are missing:
Explanation: The problem might be caused by not downloading all the packages, or by unzipping or untarring them into different directories.
System action: The installation task fails.
User response: Obtain the missing files. On Windows systems, the unpacking process creates a unique subdirectory for each package. You must unzip all packages into a common subdirectory. For example, unzip the first package into a temporary subdirectory that matches the first package name. Unzip subsequent packages into the subdirectory that matches the first package name, not the subsequent package name. Try again.

CTGKM9063E Unable to install Tivoli Key Lifecycle Manager. The installer detected a version of DB2 that is not supported.
Explanation: Tivoli Key Lifecycle Manager requires a supported version of DB2.
System action: The installation task fails.
User response: Obtain a supported version of DB2 or use a different computer. Try again.

CTGKM9066E The destination directory already exists. Specify a directory that does not exist.
Explanation: The directory that you specified already exists.
System action: No product, such as DB2, is installed until you specify a new directory.
User response: Specify a different destination directory. Try again.

CTGKM9067I The destination directory does not have enough room for the DB2 installation.
Explanation: DB2 requires approximately 1300 MB of free disk space to be available to install.
System action: The installation task fails.
User response: Ensure that there is at least 1300 MB of free disk space. Then try again.

CTGKM9068I The destination directory does not have enough room for the DB2 installation.
Explanation: DB2 requires approximately 800 MB of free disk space to be available to install.
System action: The installation task fails.
User response: Ensure that there is at least 800 MB of free disk space. Then try again.

CTGKM9069I The user account or the password is not valid.
Explanation: The operation requires a valid user account and password.
System action: The operation fails.
User response: Specify a valid user account and password. Then try again.

CTGKM9070E The system does not have enough main memory (RAM) for installation to continue. If you continue, installation may fail.
Explanation: Installation requires additional memory.
User response: Increase available memory. For system memory requirements, refer to the hardware requirements topic in the IBM Tivoli Key Lifecycle Manager Installation and Configuration Guide. Then, try the installation again.

CTGKM9071I When you select the option to Cancel and press Enter, the installation exits.
Explanation: The DB2 installation failed. When you press Enter, the installation exits.
User response: Refer to the logs for more information and correct the problem. Then, restart installation.

CTGKM9072E The install must end because the user installing the product is not an administrator on this system.
Explanation: There is a problem with your authorization or with the system on which you are attempting installation.
User response: Ensure that you are running the process as an administrative user on a supported platform and architecture.

CTGKM9073E The Encryption Key Manager properties file specified is not a valid Encryption Key Manager 2.1 file.
Explanation: The supported Encryption Key Manager must be at Version 2.1.
User response: Ensure that you are migrating a supported level of Encryption Key Manager. Refer to the TIP_HOME/logs/tklm_ekm_migrate.log file for details on the error. Then, try the migration again.

CTGKM9074I DB2 installation and configuration has completed. A transition back to DB2 panels is NOT supported.
Explanation: Once you have reached this point in the installation, you cannot move back to the DB2 installation phase.
User response: Proceed forward with the installation.

CTGKM9075I If there is more than one log at that location, use the most recent one available to see your current uninstall status.
Explanation: Review the log files indicated to determine the cause of the problem. Ensure that you are using the most recent log file.
User response: The most recent log file is the one named IA-TIPUninstall-00.log. Older log files have the numeric portion of their name incremented.

CTGKM9076E The specified directory cannot be written to.
Explanation: There is a problem with your authorization to the specified directory or with the system on which you are attempting installation.
User response: Specify a directory on a drive or partition to which data can be written.

CTGKM9077E Only a root drive was specified. You must specify a root drive followed by a nonexistent directory.
Explanation: The specification requires both the root drive and a directory that does not currently exist.
User response: You specified a root directory such as C:\ or /. Specify <drive>:\newdirectory for a Windows system or /newdirectory for systems such as Linux or AIX. The directory must not exist.

CTGKM9078E The tip.properties file from the previous Tivoli Key Lifecycle Manager installation is missing, incorrect, or cannot be read. Installation cannot continue.
Explanation: The installation requires a valid tip.properties file.
User response: Specify a valid tip.properties file. Then try the installation again.

CTGKM9079E The destination directory does not have enough room for the Deployment Engine installation.
Explanation: Deployment Engine requires that approximately 300 MB of free disk space be available to install.
User response: Provide approximately 300 MB of free disk space. Then try the installation again.

CTGKM9080E The destination directory does not have enough room for the Tivoli Integrated Portal installation.
Explanation: Tivoli Integrated Portal requires that approximately 600 MB of free disk space be available to install.
User response: Provide approximately 600 MB of free disk space. Then try the installation again.

CTGKM9081E The destination directory does not have enough room for the Tivoli Integrated Portal installation.
Explanation: Tivoli Integrated Portal requires that approximately 600 MB of free disk space be available to install.
User response: Provide approximately 600 MB of free disk space. Then try the installation again.

CTGKM9082E The destination directory does not have enough room for the Tivoli Integrated Portal installation.
Explanation: Tivoli Integrated Portal requires that approximately 700 MB of free disk space be available to install.
User response: Provide approximately 700 MB of free disk space. Then try the installation again.

CTGKM9083E A previous release of Tivoli Key Lifecycle Manager is installed but it is not at the minimum fix pack level required for migration. The minimum fix pack level required is: { 0 }
Explanation: Migration requires that you apply the minimum fix pack level.
User response: Apply the correct fix pack level. Then try the installation again.

CTGKM9084E The port specified is already active on this machine.
Explanation: Installation requires an unused port.
User response: Specify another port number that is free. Then try again.

CTGKM9085E The port is already specified against property DB2_DB_PORT.
Explanation: Installation requires an unused port.
User response: Specify another port number that is free. Then try again.

CTGKM9086E The ports 50000-50009 and 60000-60009 are reserved.
Explanation: Installation requires an unreserved port.
User response: Specify another port number that is free. Then try again.
CTGKM9087E • CTGKM9098E

CTGKM9087E Same port values specified against CTGKM9093E The install must end because the user
multiple properties. installing the product is not root on this
system.
Explanation: Installation requires unique port
specifications. Explanation: You must be running as root to run the
installer on systems such as AIX or Linux.
User response: Specify distinct valid ports against all
port properties. Then try again. User response: Log in as the root user. Then try again.

CTGKM9088E Migration failed. Tivoli Key Lifecycle CTGKM9094E Encryption Key Manager migration
Manager cannot run until the errors are failed. The original Tivoli Key Lifecycle
fixed and the migration is run from Manager settings are still available.
command line.
Explanation: You can run Tivoli Key Lifecycle
Explanation: Migration failed from the installer. Tivoli Manager with the original settings or rerun the
Key Lifecycle Manager is successfully installed. migration script immediately after exiting the
However, it cannot be used until the migration installation.
succeeds.
User response: Exit the installation. Then run Tivoli
User response: Review the migration logs. Correct the Key Lifecycle Manager with the original settings or
errors and run the migration from the command line rerun the migration script.
(in recovery mode).
CTGKM9095E The directory specified has an
CTGKM9089E Installation cannot continue because incompatible DB2 copy installed.
the installation media contains an
Explanation: Installation requires supported levels of
incorrect DB2 image.
DB2.
Explanation: Installation fails.
User response: Ensure that a directory contains a
User response: Verify that you have the correct supported level of DB2. Then try again.
installation image. Then try again.
CTGKM9096E The directory is missing.
CTGKM9090E The password for the Tivoli
Explanation: - You must specify a directory for DB2.
Integrated Portal ID could not be
validated. User response: - Specify a nonexistent directory for a
new installation of DB2 or specify a directory with a
Explanation: The password is incorrect.
valid, supported version of DB2 if you are reusing an
User response: Verify that the password entered is existing DB2. Then try again.
correct and that the server can be started. Then try
again.
CTGKM9097E An incorrect directory was specified.
Explanation: An incorrect directory was specified.
CTGKM9091E Passwords cannot contain special
characters. Valid characters are a-z, A-Z, v Systems such as AIX or Linux
0-9, underscore (_), and hyphen (-). A leading "/" might be missing. Valid characters are:
A-Z a-z 0-9 _-./
Explanation: The password contains one or more
incorrect characters. v Windows systems
There must be a drive letter followed by a directory.
User response: Reenter the password and try again.
Valid characters are: A-Z a-z 0-9 () _ - ./\:
User response: - Specify a valid directory. Then try
CTGKM9092E The password for the instance owner
again.
could not be validated.
Explanation: The password is not correct or the DB2
CTGKM9098E An unknown error occurred
instance is not started.
validating the directory specified.
User response: Verify that the password entered is
Explanation: - An unknown error occurred. Refer to
correct and that the DB2 instance is started. Then try
the USER_HOME_DIR/IA*.log files for details.
again.
User response: - Correct the error or specify another
directory. Then try again.

Appendix C. Installation error messages 111


CTGKM9099E • CTGKM9108E

3. cd path_to_install_image\bin\VMMiFIX
CTGKM9099E DB2 configuration failed.
\was.rt.bundle\plugins
Explanation: A possible cause is kernel settings. \com.ibm.ws.runtime_6.1.0.jar
4. TIP_HOME\java\bin\jar
System action: No product is installed such as DB2. -uvf tiphome\plugins
\com.ibm.ws.runtime_6.1.0.jar com
User response: Refer to the IBM Tivoli Key Lifecycle
5. copy TIP_HOME\systemApps
Manager Installation and Configuration Guide for the
\isclite.ear\WIMPortlet.war\WEB-INF
proper kernel settings for DB2 installation and \lib\wimgui.jar
configuration. Correct the settings and then try again. TIP_HOME\systemApps
\isclite.ear\WIMPortlet.war\WEB-INF
\lib\wimgui.jar.mybackup
CTGKM9106E The system does not have enough
6. cd path_to_install_image\bin\
main memory (RAM) to migrate IBM
VMMiFIX\webui\systemApps\
Tivoli Key Lifecycle Manager to the isclite.ear\WIMPortlet.war\WEB-INF\
latest release. lib\wimgui.jar
Explanation: Migration requires additional memory. 7. TIP_HOME\java\bin\jar
-uvf tiphome\systemApps\isclite.ear
User response: Increase available memory. For system \WIMPortlet.war\WEB-INF\lib\
memory requirements, refer to the hardware wimgui.jar com
requirements topic in the IBM Tivoli Key Lifecycle 8. TIP_HOME\bin\osgiCfgInit.bat
Manager Installation and Configuration Guide. Then, try 9. TIP_HOME\bin\startserver server1
the migration again.
Systems such as AIX and Linux:
Type these commands, each command on one
CTGKM9107I DB2 installation is successful. Restart
line:
the system to complete the process.
1. TIP_HOME/bin
Explanation: Successful installation requires that you /stopServer.sh server1
restart your computer. 2. cp TIP_HOME/plugins
/com.ibm.ws.runtime_6.1.0.jar
System action: Installation exits normally, but you TIP_HOME/plugins
cannot use Tivoli Key Lifecycle Manager until you /com.ibm.ws.runtime_6.1.0.jar.mybackup
restart the system. 3. cd path_to_install_image/bin/VMMiFIX
/was.rt.bundle
User response: Select Quit to exit the installer. The /plugins/com.ibm.ws.runtime_6.1.0.jar
DB2 that you just installed will be reused automatically 4. TIP_HOME/java/bin/jar -uvf
the next time you start this process. For more TIP_HOME/plugins/
information, review the following logs: com.ibm.ws.runtime_6.1.0.jar com/
C:\tklmV2Properties\tklm_middleware_setup.log 5. cp TIP_HOME/systemApps
/isclite.ear/WIMPortlet.war/WEB-INF/lib
/wimgui.jar
CTGKM9108E The installation of the fix for Virtual
Member Manager was not successful. TIP_HOME/systemApps
/isclite.ear/WIMPortlet.war/WEB-INF/lib
Explanation: Successful installation requires that you /wimgui.jar.mybackup
install a fix for Virtual Member Manager before starting 6. cd path_to_install_image/bin/VMMiFIX
the Tivoli Key Lifecycle Manager server. /webui/systemApps/isclite.ear
/WIMPortlet.war/WEB-INF/lib/wimgui.jar
System action: Installation exits normally, but you
7. TIP_HOME/java/bin/jar -uvf
cannot use Tivoli Key Lifecycle Manager until the TIP_HOME/systemApps
errors are corrected. /isclite.ear/WIMPortlet.war/WEB-INF
User response: Correct the errors and apply the fix /lib/wimgui.jar com/
before using Tivoli Key Lifecycle Manager. Take these 8. TIP_HOME/bin/osgiCfgInit.sh
steps to manually apply the fix: 9. TIP_HOME/bin
/startServer.sh server1
Windows systems:
Type each command on one line:
1. TIP_HOME\bin\stopserver server1
2. copy TIP_HOME\plugins
\com.ibm.ws.runtime_6.1.0.jar
TIP_HOME\plugins
\com.ibm.ws.runtime_6.1.0.
jar.mybackup

112 IBM Tivoli Key Lifecycle Manager: Installation and Configuration Guide
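A pre-flight check of the port, password and directory rules that messages CTGKM9077E, CTGKM9086E, CTGKM9087E, CTGKM9091E and CTGKM9097E enforce, written here as an added example rather than taken from the IBM guide or the installer. Property names other than DB2_DB_PORT and all sample values are constructed, and whether a port is already active on the host (CTGKM9084E) is not tested.

```python
import re

# Added example, not from the IBM guide: apply the installer's input rules
# (messages CTGKM9077E, CTGKM9086E, CTGKM9087E, CTGKM9091E, CTGKM9097E)
# to candidate values before the installer is run. Whether a port is already
# active on the host (CTGKM9084E) is not checked here.

# Port ranges the installer refuses (CTGKM9086E).
RESERVED_PORT_RANGES = ((50000, 50009), (60000, 60009))

# Characters a password may contain (CTGKM9091E).
PASSWORD_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Directory syntax from CTGKM9097E: a leading "/" and the listed characters
# on AIX/Linux; a drive letter, a directory and the listed characters on
# Windows. A bare root drive is CTGKM9077E.
UNIX_DIR_RE = re.compile(r"^/[A-Za-z0-9_\-./]*$")
WINDOWS_DIR_RE = re.compile(r"^[A-Za-z]:[\\/][A-Za-z0-9()_\-./\\:]*$")
WINDOWS_ROOT_RE = re.compile(r"^[A-Za-z]:[\\/]?$")


def check_ports(ports):
    """ports maps an installer port property (for example DB2_DB_PORT) to an
    integer; returns a list of (message id, detail) findings."""
    findings = []
    for prop, port in ports.items():
        if any(lo <= port <= hi for lo, hi in RESERVED_PORT_RANGES):
            findings.append(("CTGKM9086E", f"{prop}={port} is in a reserved range"))
    # CTGKM9087E: one port value specified against several properties.
    props_by_port = {}
    for prop, port in ports.items():
        props_by_port.setdefault(port, []).append(prop)
    for port, props in props_by_port.items():
        if len(props) > 1:
            findings.append(("CTGKM9087E",
                             f"port {port} is set on {', '.join(sorted(props))}"))
    return findings


def check_password(password):
    """CTGKM9091E: only a-z, A-Z, 0-9, underscore and hyphen are accepted."""
    if PASSWORD_RE.match(password):
        return []
    return [("CTGKM9091E", "password contains characters outside a-z A-Z 0-9 _ -")]


def check_directory(path, windows=False):
    """CTGKM9077E for a bare root drive, CTGKM9097E for invalid syntax."""
    if windows:
        if WINDOWS_ROOT_RE.match(path):
            return [("CTGKM9077E", f"{path!r} is a root drive with no directory")]
        if not WINDOWS_DIR_RE.match(path):
            return [("CTGKM9097E", f"{path!r} is not drive:\\directory with valid characters")]
        return []
    if path == "/":
        return [("CTGKM9077E", "'/' is a root directory with no directory")]
    if not UNIX_DIR_RE.match(path):
        return [("CTGKM9097E", f"{path!r} lacks a leading '/' or has invalid characters")]
    return []


def preflight(ports, password, directory, windows=False):
    """Return the sorted, de-duplicated message IDs the installer would raise
    for these values; an empty list means they pass these checks."""
    findings = (check_ports(ports) + check_password(password)
                + check_directory(directory, windows))
    return sorted({msg_id for msg_id, _ in findings})


if __name__ == "__main__":
    # Constructed sample: EXAMPLE_PORT_A/B are placeholder property names,
    # not the installer's real properties.
    sample_ports = {"DB2_DB_PORT": 50010, "EXAMPLE_PORT_A": 60001,
                    "EXAMPLE_PORT_B": 60001}
    for msg_id, detail in (check_ports(sample_ports) + check_password("Pa$$w0rd")
                           + check_directory("tklmdata")):
        print(msg_id, detail)
```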
Appendix D. Installation and migration log files
If the installation or migration encounters an unexpected error condition, use these
log files to determine the cause of the problem.

Background information
The installation program uses several subprograms, components, and subsystems
during installation. Many error conditions occur because a subprogram fails.

Installation subprograms, components and systems

You might see these names or abbreviations in the log files:


v DB2
v InstallAnywhere (IA)
v Data Definition Language (DDL) process
v Deployment Engine (DE)
v Composite Offering Installer (COI)

Installation phases

Error conditions that occur and the log files available to you depend on the phase
in which the error occurred:
1. Introductory, including the Language Selection panel, the Introduction panel,
and the License Agreement panel.
2. DB2 installation, including panels that gather information used to install DB2.
After you enter the information, the installation program installs DB2.
3. Middleware installation, including panels that gather information used to
install Tivoli Integrated Portal and embedded WebSphere Application Server
middleware. After you enter the information, the installation program installs
the middleware.
Tivoli Key Lifecycle Manager is installed during this phase.

Error reports are most likely to occur immediately after the DB2 phase and
middleware installation phase.

Important log files


These error logs provide critical information:
tklm_middleware_setup.log
For many early errors, such as DB2 installation errors, this is the only
available log file. View this file for errors that are often written after the
Action entries and before Property entries.
IA-TIPInstall-00.log
Use this log file for most debugging activities.
tklm_install.stderr
Use this file for additional debugging activity. Most of the information in
this file is also logged in the IA*.log file. However, early errors might be
logged here before the IA*.log file is created.

tklm_disk_usage.log
Anytime the error is related to a lack of disk space, start with this file.
*.out and *.err
The .err file sizes are zero bytes if the operation they represent was
successful. Examine error files with sizes greater than zero.
DE_trace.log
Generated by the Deployment Engine during the middleware installation
phase.

Which log file to use first


The timing of an error can provide an idea of which log file to use first. The two
main places an error might occur are immediately after the DB2 phase, and
immediately after the middleware phase. Use this list to determine where to start.
1. During or immediately after the DB2 installation phase:
a. If the error occurs early enough, the only log file available might be
tklm_middleware_setup.log.
b. Another early log file is tklm_install.stderr in the root directory. Open
this file and search for the word "exception."
c. If the error occurs later during this phase, the tklmV2properties directory
might contain results of some of the DB2 configuration, or results from the
other subprograms that run during this phase. Two key files you might see
are ddl.log and possibly ddl.err. The contents of these might indicate
whether the application database tables were successfully created.
If installation succeeds, you see only the ddl.log file. If database creation
fails, you also see the ddl.err file.
d. Later still, there might be log files from the other middleware installed
during this phase. Look for IA-TIPInstall-00.log and logs.zip. These are
not available early in the process, but if it is late enough that the files exist,
they contain valuable data.
IA-TIPInstall-00.log is potentially the most valuable log file. The logs.zip
file is a collection of all the log files created up to the point at which it is
created.
e. The location of the error log file can vary depending on whether the error
occurs during the DB2 phase, or at the end of the DB2 phase. At the end of
the DB2 phase, the log files are copied from the tklmV2properties directory
to the TIP_HOME\logs directory. See Table 15 on page 115 for the location
of the files.
2. During or immediately after the middleware installation phase:
a. The first log file to examine for errors at this point is IA-TIPInstall-00.log.
b. The next file to examine is tklm_install.stderr in the root directory.
This is also where you start if the installation completes with errors.

Log file names and locations


For the approximate order in which you use error files during installation, see
Table 15 on page 115.

After installation, most error logs are in the TIP_HOME\logs directory. If migration
occurs, there are also files in the TKLM_HOME\migration directory.

Table 15. Location of installation log files on distributed systems

tklm_middleware_setup.log
    Description: DB2 installation log.
    Location: Early in the installation, this file is here:
        Windows systems: C:\tklmV2properties
        AIX and Linux systems: /tklmV2properties
    After the DB2 phase of the installation, this file is copied to
    TIP_HOME\logs.

tklm_disk_usage.log
    Description: Reports disk space usage:
        v For the system drive on Windows systems.
        v For the /var, /usr, /home, and /tmp directories on systems such as
          AIX and Linux.
    Location:
        Windows systems: C:\tklmV2properties
        AIX and Linux systems: /tklmV2properties

Various *.out and *.err files
    Description: STDOUT and STDERR files generated during installation.
    Location: TIP_HOME\logs

IA-TIPInstall-00.log, IA*.log (possibly compressed into a .zip file)
    Description: Tivoli Integrated Portal installation logs from the
    Deployment Engine and InstallAnywhere subprograms. Might have exceptions
    and tracebacks.
    Location: Early in the installation, these files are in the root
    directory. After the DB2 phase of the installation, they are copied to
    the HOME directory of the user performing the installation. For example:
        Windows systems:
            v Windows Server 2003: drive:\Documents and Settings\username
            v Windows Server 2008: drive:\Users\username
        AIX systems: root's $HOME directory, usually / or /home/root
        Solaris systems: root's $HOME directory, usually /
        SuSe systems: root's $HOME directory, usually /root
        Other Linux systems: root's $HOME directory, usually / or /root

tklm_install.stderr
    Description: General purpose log file.
    Location: In the root directory.

tklm_migrate_results.out
    Description: Migration events.
    Location: TIP_HOME\logs

migrate.log
    Description: Migration events.
    Location: TKLM_HOME\migration

ddl.log, possibly ddl.err
    Description: Generated during DB2 table creation. If installation
    succeeds, you see only the ddl.log file. If database creation fails, you
    also see the ddl.err file.
    Location: Early in the installation, this file is here:
        Windows systems: C:\tklmV2properties
        AIX and Linux systems: /tklmV2properties
    After the DB2 phase of the installation, this file is copied to
    TIP_HOME\logs.

DE_trace.log
    Description: Deployment Engine trace log. Updated as the Deployment
    Engine package runs. Shows XML errors.
    Location:
        Windows systems: C:\Program Files\IBM\Common\acsi\logs\userid
        (on 64-bit systems, the Program Files directory is named
        Program Files(x86))
        AIX and Linux systems: /usr/ibm/common/acsi/logs/userid

DE_Install.log
    Description: Deployment Engine installation log. Only used during
    Deployment Engine bootstrap.
    Location:
        Windows systems: C:\Program Files\IBM\Common\acsi\logs\userid
        (on 64-bit systems, the Program Files directory is named
        Program Files(x86))
        AIX and Linux systems: /usr/ibm/common/acsi/logs/userid

DE*.log
    Description: Additional Deployment Engine installation logs.
    Location:
        Windows systems: C:\Program Files\IBM\Common\acsi\logs\userid
        (on 64-bit systems, the Program Files directory is named
        Program Files(x86))
        AIX and Linux systems: /usr/ibm/common/acsi/logs/userid

*.log
    Description: Additional Tivoli Integrated Portal logs.
    Location: TIP_HOME/logs

*.log
    Description: Logs for every stage of the installation. Linux systems
    only.
    Location: /tmp/install.dir.[processid]

MachinePlan_localhostID_[INSTALL_MMDD_HH.MM].log
    Description: Composite Offering Installer installation plan execution
    log. MMDD is the month and day, and HH.MM is the hour and minute, that
    the file is generated.
    Location: $TIP_HOME\.install\TIPInstall\plan\MachinePlan_localhostID\logs
    Not available on all platforms.

logs.zip
    Description: Created for situations when there are errors during
    installation, but it completes. If the DB2 phase completes successfully,
    but the installation fails in the Tivoli Key Lifecycle Manager phase, all
    the key log files are gathered into an archive. If the DB2 phase does not
    complete successfully, the archive file is not created, and if the
    installation program completes successfully, the archive file is not
    created.
    Location: TIP_HOME/logs.zip

Migration log file names and location


During the migration process, the migration program creates log files when it calls
other programs or tools. In the event of migration failure, examine the migration
log files in the TKLM_HOME\migration directory.
Table 16. Location of migration log files on distributed systems

migrate_schema.log
    The migration program converts the schema from Tivoli Key Lifecycle
    Manager Version 1 to Version 2. The DB2 program generates this log while
    running the Data Definition Language file to convert the schema.

migrate_db2server.log
    The migration program creates this log when it starts and stops the DB2
    server.

migrate_dbpostmigratonsql.log
    At the end of migration, the migration program marks the schema to be at
    Version 2.0 and drops the intermediate tables used for migration.

migrate_tklmdbmigr.log
    The migration program migrates the Tivoli Key Lifecycle Manager database
    from DB2 Version 9.1 to DB2 Version 9.5 or 9.7. The DB2 migration tool
    creates this log file.

migrate_tklmrollovertasks.log
    The migration program creates this log when it marks certificates and
    keys for future administration of LTO and 3592 devices.

migrate_tklminstmigr.log
    The migration program migrates the Tivoli Key Lifecycle Manager database
    instance from DB2 Version 9.1 to DB2 Version 9.5 or 9.7. The DB2
    migration tool creates this log file only on Windows systems.

Examining an error log file


Follow these steps to read an error log file:
1. Review the list of log files in the section above. The log file to start with
depends on the operating system and the phase of the installation. The list in
“Which log file to use first” on page 114 can provide a starting point. You
might examine several log files before you find the one with the error
messages.
2. Go to the directory with the log file, and open it with a text editor. On a
Windows system, use a text editor that can process UNIX-style newline
characters, such as Microsoft WordPad.
3. The most recent log entries are at the end of the file. Starting at the last entry in
the log file, examine each entry. Take note of the program involved and the
time stamp of the entry if it has one.
Once you have reviewed the final entry, look at the entry before it. Review this
entry as you did the previous entry. Scan for anything that is mentioned in
both places such as filenames or error conditions.
Repeat the previous step, moving upward in the log file. There might be
several entries with information that is related to the error condition. If the
information in this log file is insufficient, look for additional information in
another log file.
If there are no messages about an error, go to another log file.
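The triage order from “Which log file to use first” and the upward walk through a log file in step 3 above, automated as an added example that is not code from the IBM guide. The sample log tree, its entries and the REF_RE pattern for file names and message IDs are constructed for this example; tklm_install.stderr is taken from the root directory because the guide places it there, not in the logs directory.

```python
import os
import re
import tempfile

# Added example, not from the IBM guide: a first triage pass over a Tivoli Key
# Lifecycle Manager installation log directory (TIP_HOME\logs or
# tklmV2properties) following "Which log file to use first", plus the upward
# walk through a log file from step 3 of "Examining an error log file".

# What Appendix D says to cross-check between adjacent entries: file names and
# error conditions. This pattern is an assumption, not from the guide.
REF_RE = re.compile(r"[\w.\-]+\.(?:log|err|out|properties|jar|stderr)\b|CTGKM\d{4}[EIW]")


def triage_log_dir(log_dir, stderr_path=None):
    """Return (start_file, findings): the most recently modified file in
    log_dir, and a list of (tag, detail) pairs in the order Appendix D
    suggests looking at them."""
    findings = []
    names = sorted(os.listdir(log_dir))
    for name in names:
        # A .err file is zero bytes when its operation succeeded. ddl.err is
        # excluded here because its mere presence is reported below.
        if name.endswith(".err") and name != "ddl.err":
            if os.path.getsize(os.path.join(log_dir, name)) > 0:
                findings.append(("ERR_NONEMPTY", name))
    if "ddl.err" in names:
        findings.append(("DDL_FAILED", "ddl.err present: DB2 table creation failed"))
    if "logs.zip" in names:
        findings.append(("POST_DB2_FAILURE",
                         "logs.zip present: DB2 phase completed, a later phase failed"))
    # tklm_install.stderr sits in the root directory, not in log_dir; early
    # errors land there before IA-TIPInstall-00.log exists.
    if stderr_path and os.path.isfile(stderr_path):
        with open(stderr_path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if "exception" in line.lower():
                    findings.append(("STDERR_EXCEPTION", f"line {lineno}: {line.strip()}"))
    start_file = None
    if names:
        start_file = max(names, key=lambda n: os.path.getmtime(os.path.join(log_dir, n)))
    return start_file, findings


def recurring_references(log_path, max_entries=10):
    """Walk the last max_entries entries of a log file from the newest upward
    and return, sorted, the file names and message IDs that appear in more
    than one entry (the "mentioned in both places" test of step 3)."""
    with open(log_path, encoding="utf-8", errors="replace") as fh:
        entries = [ln for ln in fh.read().splitlines() if ln.strip()]
    counts = {}
    for entry in reversed(entries[-max_entries:]):
        for ref in set(REF_RE.findall(entry)):
            counts[ref] = counts.get(ref, 0) + 1
    return sorted(ref for ref, n in counts.items() if n > 1)


def make_sample_tree():
    """Create a constructed log tree that imitates a failed DB2 phase and
    return its paths; every file and line here is made up for this example."""
    root = tempfile.mkdtemp(prefix="tklm_triage_")
    logs = os.path.join(root, "logs")
    os.mkdir(logs)
    files = [
        ("logs/db2setup.err", ""),  # zero bytes: that operation succeeded
        ("logs/ddl.log", "constructed: CREATE TABLE statements\n"),
        ("logs/ddl.err", "constructed: table creation failed\n"),
        ("logs/postinstall.err", "constructed: post-install step failed\n"),
        ("tklm_install.stderr", "constructed: java.lang.RuntimeException in installer\n"),
        ("logs/IA-TIPInstall-00.log",
         "constructed 10:00:01 DE: reading tip.properties\n"
         "constructed 10:00:02 IA: copying ddl.log to TIP_HOME/logs\n"
         "constructed 10:00:03 IA: CTGKM9078E tip.properties cannot be read\n"),
    ]
    base = 1_280_000_000  # fixed epoch seconds so the mtimes are deterministic
    for offset, (rel, content) in enumerate(files):
        path = os.path.join(root, rel)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.utime(path, (base + offset, base + offset))  # last file is newest
    return {"logs": logs, "stderr": os.path.join(root, "tklm_install.stderr"),
            "ia_log": os.path.join(logs, "IA-TIPInstall-00.log")}


if __name__ == "__main__":
    paths = make_sample_tree()
    start, findings = triage_log_dir(paths["logs"], paths["stderr"])
    print("start with:", start)
    for tag, detail in findings:
        print(tag, detail)
    print("recurring:", recurring_references(paths["ia_log"]))
```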

Other information to gather


The following list contains actions that might provide additional information:
v Check your free disk space. See “Hardware requirements for distributed
systems” on page 5 for minimum space requirements.
v See if the DB2 instance is created. If so, this validates the DB2 installation.
To verify that the DB2 instance was created, log in as the Tivoli Key Lifecycle
Manager DB2 instance owner, navigate to the DB_INSTANCE_HOME directory,
and run:
db2ilist

A list of the configured instances is displayed. The instance name for Tivoli Key
Lifecycle Manager such as tklmdb2 is typically in the list.
v Start and stop the Tivoli Key Lifecycle Manager database server using the
instance owner user ID. This validates the database creation.
To start and stop the database, log in as the Tivoli Key Lifecycle Manager DB2
instance owner, navigate to the DB_INSTANCE_HOME directory, and run the
db2start and db2stop commands on the database.
v Display a list of the tables in the DB2 database. This validates the Data
Definition Language (DDL) process.

To display the list of tables, log in as the Tivoli Key Lifecycle Manager DB2
instance owner, navigate to the DB_INSTANCE_HOME directory, and run these
commands:
db2 connect to tklm_database user tklm_instance_owner_userid \
using tklm_instance_owner_passwd

db2 list tables

db2 describe table table_name


v Determine if the Java process for embedded WebSphere Application Server is
running. A running process validates the embedded WebSphere Application
Server installation.
To determine if the Java process is running, stop and restart the server by
navigating to the TIP_HOME/bin directory and running these commands:
stopServer.sh server1
startServer.sh server1

If global security is enabled, add these parameters to the commands to stop and
restart your server:
-username tip_admin_id -password tip_admin_passwd
On Windows systems, you can also open the Windows Services console and
verify that the service for the TIPProfile is started.
v Start the Tivoli Key Lifecycle Manager application. This validates the Tivoli Key
Lifecycle Manager installation and the overall installation.
To start the Tivoli Key Lifecycle Manager application, start the embedded
WebSphere Application Server, log in to the Tivoli Integrated Portal console, and
look for the Tivoli Key Lifecycle Manager task.

Notices
This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant you
any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.

This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 USA

Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.

The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.

Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.

Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the Web at Copyright and
trademark information at www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered
trademarks or trademarks of Adobe Systems Incorporated in the United States,
other countries, or both.

Intel is a trademark of Intel Corporation in the United States, other countries, or
both.

Linux is a trademark of Linus Torvalds in the United States, other countries, or
both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other
countries.

Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Sun Microsystems, Inc. in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of
others.

Notices 123
124 IBM Tivoli Key Lifecycle Manager: Installation and Configuration Guide
Index
Special characters B DB2 (continued)
configuration 40
/home directory, free disk space 5 backup DB2_COPY_NAME 40
/opt directory, free disk space 5 migration 25 db2admin user ID 40
/tmp directory, free disk space 5 backup and restore directory name, specifying 40
/usr directory, free disk space 5 klmBackupRestoreGroup 16 documentation Web sites 10
\temp directory, free disk space 5 BRCD_ENCRYPTOR device group 17 host name 78
DB_HOME, default directory xiii browser installation 40
DB_INSTANCE_HOME, default certificate 71 instance owner user ID
directory xiii Firefox 11 disassociating from instance 60
ITDS_HOME, default directory xiii Internet Explorer 11 removing 61
ITDS_INSTANCE_HOME, default directory xiii

Numerics

3592
  device group 17

A

access requirements, installation 13
administrator
  DB2 Database 13
  DB2 user ID, removing extra 40
  domain user ID, avoiding 40
  klmBackupRestoreGroup 16
  klmSecurityOfficer 16
  limiting available tasks 16
  LTOAdmin 17
  LTOAuditor 17
  LTOOperator 17
  password
    authority to reset 49
    resetting 49
  predefined groups 16
  reserved words 40
  TIPAdmin 16
  Tivoli Integrated Portal 13
  Tivoli Key Lifecycle Manager 13
  TKLMAdmin 16
  TKLMAdmin user ID 16
AIX, requirements 8
audience x
audit
  Audit.handler.file.name xiv
  log xiv
Audit.handler.file.name, property xiv
authority
  SYSADM for database 10
  SYSCTRL for database 10
  SYSMAINT for database 10
automatic services
  disabling
    DB2 62
    Tivoli Integrated Portal 62
  enabling
    DB2 66, 74
    migration recovery mode 66
    Tivoli Integrated Portal 74
autostart, disable 62

  problems, workarounds 71
  settings, Internet Explorer 83

C

certificate
  access to Tivoli Integrated Portal 71
  browser 71
  conflicted after migration 28
  device group 28
  error as not trusted 71
  extracting 71
  pending 28
  rollover 28
  unknown after migration 28
  usage update 28
component
  DB2 2
  embedded WebSphere Application Server 2
  Tivoli Key Lifecycle Manager server 2
configuration
  DB2 40
  embedded WebSphere Application Server 47
  installation 39
  installation, version 1 56
  IPv6 with IPv4 URL 69
  silent mode response file, deleting 69
  Tivoli Integrated Portal 47
  Tivoli Key Lifecycle Manager 47
console mode installation 35, 37
conventions, typeface xii

D

database
  requirement, distributed systems 10
  SYSADM, SYSCTRL, or SYSMAINT authority 10
DB2
  administrator user ID
    characters allowed 40
    domain user ID, avoiding 40
    extra, removing 40
    login password 40
    password security policy 40
    when created 40
  instance, disassociating user ID 60
  kernel settings 10
  levels on operating systems 8
  name of new copy 40
  passwords 42, 44
  security 42, 44
  server, stopping 80
  services
    autostart, disabling 62
    autostart, enabling 66
    enabling 74
  tklmdb2
    instance name 13
    instance owner 13
  uninstallation
    installation directory 59
    instance owner 59
    ports 59
    service entries 59
  verifying installation 118
  version, correct 77
db2admin user ID 40
ddl.err 114
ddl.log 114
DE_Install.log 114
DE_trace.log 114
deployment
  DB2 2
  embedded WebSphere Application Server 2
  Tivoli Key Lifecycle Manager server 2
device groups
  3592 17
  after migration 28
  BRCD_ENCRYPTOR 17
  DS5000 17
  DS8000 17
  LTO 17
  ONESECURE 17
directory
  DB_HOME default xiii
  DB_INSTANCE_HOME default xiii
  ITDS_HOME default xiii
  ITDS_INSTANCE_HOME default xiii
  default definitions xiii
  TKLM_HOME default xiii
  TKLM_UNINSTALL_HOME default xiii

© Copyright IBM Corp. 2008, 2010 125


disk space
  directory such as /tmp, \temp, /opt, /usr, or /home 5
  existing database migration 24
  migration calculation 22
  requirements 5
domain controller, unsupported for installation 2
download installation 3
DS5000
  device group 17
DS8000
  device group 17
DVD installation 3

E

embedded WebSphere Application Server
  configuration 47
  verifying installation 118
embedded WebSphere Application Server, requirement 9
Encryption Key Manager
  migration 21
Encryption Key Manager migration
  data objects migrated 30
  failure recovery 63
  Fix Central download portal 27
  migration
    conflicted keys and certificates 28
    stand-alone migration-recovery script 28
    unknown keys and certificates 28
    validating 28
  preparations 25
  properties migrated 30
  recovery from failure 63
  requirements
    AS/400 26
    JCEKS keystore 26
    properties 26
    Version 2.1 only 26
  restrictions 27
  steps during installation 48
  Website, to obtain 26
error
  exit codes, installation 101
  installation
    disk space available 73
    license agreement 73
    no error logged 73
    no error message 73
    tklmdb2 subdirectory removal 73
  installation messages 102
  log files
    ddl.err 114
    ddl.log 114
    DE_Install.log 114
    DE_trace.log 113, 114
    IA-TIPInstall-00.log 113, 114
    logs.zip 114
    MachinePlan_localhostID_[INSTALL_MMDD_HH.MM].log 114
    migrate.log 114
    most important 113, 114
    reading 118
    tklm_disk_usage.log 113, 114
    tklm_install.stderr 113, 114
    tklm_middleware_setup.log 113, 114
    tklm_migrate_results.out 114
  message syntax 102
exit codes, installation 101

F

failure
  Encryption Key Manager migration
    log files 63
    migration-recovery script 63
    recovery 63
  installation errors
    disk space available 73
    license agreement 73
    no error logged 73
    no error message 73
    tklmdb2 subdirectory removal 73
  migration
    debugging 67
    properties file 67
    recovery mode 66
  Tivoli Key Lifecycle Manager migration
    log files 64
    migration-recovery script 64, 65
    recovery 64
features
  auto-pending device 1
  BRCD_ENCRYPTOR device 1
  certificate, additional for DS8000 Turbo drives 1
  concurrent administration 1
  DS5000 storage servers 1
  Internet Key Exchange 1
  Key Management Interoperability Protocol 1
  keystore types 12
  ONESECURE device 1
  overview
    component deployment 2
    keystore types 12
    roles 17
  role-based access 1
  serial number, variable length 1
  symmetric keys, DS5000 storage servers 1
  trusted certificate, management 1
Firefox browser 11
fix packs
  operating system support 8
  Passport Advantage 3
free disk space
  /home directory 5
  /opt directory 5
  /tmp directory 5
  /usr directory 5
  \temp directory 5

G

global security
  disable 84
  enable 84
graphical mode installation 35, 36
GUI mode installation 35

H

hardware
  minimum values 5
  requirements
    disk space 5
    processor speed 5
    system memory 5
host name
  DB2 server 78
  Tivoli Integrated Portal Server 79

I

IA-TIPInstall-00.log 114
IBM ADE Service, started on Windows systems 39
images
  installation instructions 3
  Passport Advantage 3
initial user ID and password 13
installation 47
  access requirements 13
  AIX 39
  command syntax 35
  command to start 36
  configuration 39
  console mode 35, 37
  DB2
    configuration 40
    on local system 40
    password 42, 44
    security 42, 44
  distributed systems 39
  downloaded packages
    eImages 3
    steps to unzip 3
  DVD 3
  embedded WebSphere Application Server
    configuration 47
    requirement 9
  Encryption Key Manager migration
    after migration 28
    AS/400 26
    data objects migrated 30
    failure recovery 63
    planning 5
    preparations 25
    properties migrated 30
    recovery from failure 63
    requirements 26
    restrictions 27
    steps during installation 48
  error
    disk space available 73
    license agreement 73
    log files 113
    no error logged 73

installation (continued)
  error (continued)
    no error message 73
    tklmdb2 subdirectory removal 73
  error log files 113, 114
  exit codes 101
  field entry restrictions 39
  graphical mode 35, 36
  GUI mode 35
  host name
    DB2 server 78
    Tivoli Integrated Portal Server 78
  images
    fix packs 3
    Passport Advantage 3
  installation and configuration guide, publication x
  Linux 39
  locale selection 39
  migration log files, location 117
  mode 5
  network drive, avoiding 39
  overview 2
  panels 36
  path changes 39
  phases 2
  planning worksheets
    DB2 87
    general 87
    Tivoli Integrated Portal 88
  port, validating 69
  previously installed DB2 5
  process, validating 69
  requirements
    embedded WebSphere Application Server 9
    runtime environment 9
  service, validating 69
  silent mode 35, 37
  steps 2
  subprograms
    Composite Offering Installer 113
    Data Definition Language 113
    Deployment Engine 113
    InstallAnywhere 113
  Sun Server Solaris 39
  syntax of installation program 35
  time required 2, 39
  Tivoli Integrated Portal
    configuration 47
  Tivoli Key Lifecycle Manager
    migration
      after migration 28
      data objects migrated 32
      failure recovery 64
      preparations 25
      properties migrated 32
      recovery from failure 64
  topology, determining 5
  types of 35
  uninstallation 51
  verification 118
    command lists 82
    login 82
    server stop, start 82
  version 1 56
  Version 1 migration information 39
  Windows 39
  wizard 35, 36
  worksheets 5
    DB2 87
    general 87
    Tivoli Integrated Portal 88
installation package
  DVD or downloaded package 3
  setting up 3
installation wizard 36
instance
  name, tklmdb2 13
  owner, tklmdb2 13
instance owner user ID
  DB2 instance, disassociating 60
  removing 61
Internet Explorer browser 11
Internet Explorer, settings 83
IPv6 with IPv4 URL 69

J

Java Runtime Environment, requirement 10
JCEKS, keystore type 12

K

kernel settings for DB2 10
key
  conflicted after migration 28
  device group 28
  pending 28
  rollover 28
  unknown after migration 28
  usage update 28
keystore
  JCEKS 12
  password 72
klmAdminDeviceGroup permission 17
klmAudit permission 17
klmBackup permission 17
klmBackupRestoreGroup 16, 17
klmConfigure permission 17
klmCreate permission 17
klmDelete permission 17
klmGet permission 17
klmModify permission 17
klmRestore permission 17
klmSecurityOfficer 16
klmSecurityOfficerGroup 17
klmView permission 17

L

limitations
  browser 71
Linux
  packages 9
  requirements 8
  Security Enhanced Linux (SELINUX), disabling 9
locale, correcting during installation 39
log
  audit xiv
  ddl.err 114
  ddl.log 114
  DE_Install.log 114
  DE_trace.log 114
  IA-TIPInstall-00.log 114
  logs.zip 114
  MachinePlan_localhostID_[INSTALL_MMDD_HH.MM].log 114
  migrate.log 114
  tklm_disk_usage.log 114
  tklm_install.stderr 114
  tklm_middleware_setup.log 114
  tklm_migrate_results.out 114
login
  port number 13
  Tivoli Integrated Portal port 13
  URL 13
  user ID and password 13
logs.zip 114
LTO
  device group 17
LTOAdmin 17
LTOAuditor 17
LTOOperator 17

M

MachinePlan_localhostID_[INSTALL_MMDD_HH.MM].log 114
messages
  installation errors, warnings 102
  syntax 102
middleware
  configuration
    DB2 47
    embedded WebSphere Application Server 47
    Tivoli Integrated Portal 47
  deployment
    DB2 2
    embedded WebSphere Application Server 2
  verifying installation 118
migrate_db2server.log 117
migrate_dbpostmigratonsql.log 117
migrate_schema.log 117
migrate_tklmdbmigr.log 117
migrate_tklminstmigr.log 117
migrate_tklmrollovertasks.log 117
migrate.bat command 21
migrate.log 25, 114
migrate.sh command 21
migratestatus.properties file 67
migratetklm.bat command 21
migratetklm.sh command 21
migration
  TKLM_HOME\migration\bin directory 21
  backup 25
  commands 21
  data 21, 25
  DB2 levels 25, 77
  disk space calculation 22
  during installation only 21
  Encryption Key Manager 21, 25, 48

migration (continued)
  fix pack, current 25
  IBM ADE Service, started on Windows 39
  keys and served data 22
  log files, location 117
  manual steps 21
  migrate command 21
  migrate.log 25
  preparations
    disk space 22
    key serving, temporary halt 21
    quantity of data 24
    testing 21
    time needed 21
  properties 22
  recovery script 21
  requirements 21
  restrictions
    backup 25
    password 25
    server, stopped 25
  steps after failure 21
  Tivoli Key Lifecycle Manager 21
  tklmdb2 folder 22
  utility 21
  Version 1 information needed 39
migration-recovery script
  Encryption Key Manager migration
    locations 63
    password 63
  Tivoli Key Lifecycle Manager migration
    locations 65
    migrate.log file 65
    password 65

O

ONESECURE device group 17
operating system
  AIX 8
  DB2 levels 8
  Linux packages 9
  RedHat Linux 8
  Sun Server Solaris 8
  SuSE Linux 8
  Windows 8
ordering publications xi
overview
  features
    component deployment 2
    keystore types 12
    roles 17
  installation 2

P

Passport Advantage, installation images 3
password
  administrator, resetting 49
  authority to reset 49
  backup before reset 49
  DB2 42, 44
  initial login 13
  migration restrictions 25
path, correcting during installation 39
PDF, printing xi
permissions
  klmAdminDeviceGroup 17
  klmAudit 17
  klmBackup 17
  klmConfigure 17
  klmCreate 17
  klmDelete 17
  klmGet 17
  klmModify 17
  klmRestore 17
  klmView 17
planning
  Encryption Key Manager migration
    after migration 28
    AS/400 26
    data objects migrated 30
    failure recovery 63
    preparations 25
    properties migrated 30
    recovery from failure 63
    requirements 26
    restrictions 27
    steps during installation 48
  installation
    hardware requirements 5
    migrate Encryption Key Manager 5
    mode 5
    previously installed DB2 5
    topology, determining 5
    worksheets 5
  installation worksheets
    DB2 87
    general 87
    Tivoli Integrated Portal 88
  Tivoli Key Lifecycle Manager migration
    after migration 28
    data objects migrated 32
    failure recovery 64
    preparations 25
    properties migrated 32
    recovery from failure 64
  worksheets 87
port
  installation default 13
  number
    determining current 82
    http address 13
    https address 13
    Tivoli Integrated Portal 69
    Tivoli Key Lifecycle Manager 69
  tklmadmin.html file 13
  validating 69
post-installation steps
  automatic services
    DB2 74
    Tivoli Integrated Portal 74
  browser certificate 71
  configuration 69, 74, 76
  DB2
    version 77
  DB2, stop 80
  keystore password 72
  session timeout parameters 76
  silent mode response file, deleting 69
  SSL 80
  timeout parameters 77
  Tivoli Integrated Portal Server 79
  transaction timeout 77
  verifying the installation
    command lists 82
    login 82
    server stop, start 82
problems
  browser 71
  keystore password 72
process
  b2fmp.exe db2syscs.exe 69
  validating 69
  WASService.exe java.exe 69
processor speed, requirements 5
product
  features
    auto-pending device 1
    BRCD_ENCRYPTOR device 1
    certificate, additional for DS8000 Turbo drives 1
    concurrent administration 1
    DS5000 storage servers 1
    Internet Key Exchange 1
    Key Management Interoperability Protocol 1
    ONESECURE device 1
    role-based access 1
    serial number, variable length 1
    symmetric keys, DS5000 storage servers 1
    trusted certificate, management 1
property
  fips ix
publications
  installation and configuration guide x
  ordering xi
  printing as PDF xi
  quick start guide x
  related xi
  support information xii
  Tivoli software library xi
  typeface conventions xii

Q

quick start guide, publication x

R

recovery mode
  automatic services, enabling 66
  migration 66
recovery script, migration 21
RedHat Linux, requirements 8
requirements
  AIX 8
  browser
    Firefox 11
    Internet Explorer 11

requirements (continued)
  database 10
  DB2 levels 8
  embedded WebSphere Application Server 9
  fix pack 8
  hardware
    disk space 5
    processor speed 5
    system memory 5
  Java Runtime Environment 10
  Linux packages 9
  migration 21
  RedHat Linux 8
  runtime environment 9, 11
  software 8, 9
  Sun Server Solaris 8
  SuSE Linux 8
  Tivoli Integrated Portal 11
  WebSphere Application Server 11
  Windows 8
response files
  adapting 38, 71
  samples 38, 71
    Encryption Key Manager migration, Linux or AIX 97
    Encryption Key Manager migration, Windows 95
    Tivoli Key Lifecycle Manager migration, Linux or AIX 93
    Tivoli Key Lifecycle Manager migration, Windows 91
    uninstall, Linux or AIX 99
    uninstall, Windows 98
  silent installation 38, 71
restrictions, migration 21
roles
  suppressmonitor 17

S

sample response files
  adapting 38, 71
  Encryption Key Manager migration
    Linux or AIX 97
    Windows 95
  silent installation 38, 71
  Tivoli Key Lifecycle Manager migration
    Linux or AIX 93
    Windows 91
  uninstall
    Linux or AIX 99
    Windows 98
script
  tipChangeHostName 79
script, migration recovery 21
security
  browser certificate 71
  DB2 42, 44
  IPv6 with IPv4 URL 69
  keystore password 72
  response file password values 71
  Security Enhanced Linux (SELINUX), disabling 9
  silent mode response file, deleting 69
  stopServer command password 73
  WASService.Trace file 73
Security Enhanced Linux (SELINUX), disabling 9
service
  DB2 69
  Tivoli Integrated Portal 69
  validating 69
session
  browser
    cookies 11
    JavaScript 11
    supported 11
  timeout parameters 76
silent installation
  description 35, 37
software
  AIX 8
  DB2 levels 8
  Linux packages 9
  RedHat Linux 8
  requirements 8, 9
  Sun Server Solaris 8
  SuSE Linux 8
  Windows 8
software library, Tivoli xi
SSL
  config.keystore.ssl.certalias property 80
  configuration 80
  Tivoli Key Lifecycle Manager keystore 80
stand-alone migration-recovery script 28
startServer
  command 83
  script 83
steps in the installation 2
stopServer
  command password, caution
    displaying 73, 83
    global security user ID, password 83
  script 83
subprograms, installation
  Composite Offering Installer 113
  Data Definition Language 113
  Deployment Engine 113
  InstallAnywhere 113
Sun Server Solaris, requirements 8
support, locating xii
suppressmonitor role 17
SuSE Linux, requirements 8
syntax
  installation program 35
  messages 102
  uninstallation program 51
SYSADM authority, database 10
SYSCTRL authority, database 10
SYSMAINT authority, database 10
system memory, requirements 5

T

time, required for installation 2
timeout
  long running operations 77
  parameters 77
timeout parameters for session 76
TIPAdmin 13, 16
Tivoli Integrated Portal
  configuration 47
  services autostart
    disabling 62
    enabling 74
  verifying installation 118
Tivoli Integrated Portal Server
  host name, changing 79
  tipChangeHostName script 79
Tivoli Key Lifecycle Manager
  configuration 47
  verifying installation 118
Tivoli Key Lifecycle Manager migration
  after migration
    backup 28
    best practice 28
    migrate.log 28
    rollover deletion with 28
    stand-alone migration-recovery script 28
    Version 1 removed 28
  data objects migrated 32
  failure recovery 64
  preparations 25
  properties migrated 32
  recovery from failure 64
Tivoli user groups xii
tklm_disk_usage.log 114
TKLM_HOME, default directory xiii
tklm_install.stderr 114
tklm_middleware_setup.log 114
tklm_migrate_results.out 114
TKLM_UNINSTALL_HOME, default directory xiii
TKLMAdmin 13, 16
tklmdb2
  instance name 13
  instance owner 13
training, Web site address xii
transaction timeout parameters 77
TS3592, device family 17
typeface conventions xii

U

uninstallation
  AIX 54, 55
  command syntax 51
  DB2
    installation directory 59
    instance owner 59
    ports 59
    service entries 59
  introduction 51
  Linux 54, 55
  steps
    AIX 54, 55
    Linux 54, 55
    Sun Server Solaris 54, 55
    Windows 52, 53
  Sun Server Solaris 54, 55
  syntax of program 51
  Tivoli Integrated Portal
    AIX 54
    Linux 54
    Sun Server Solaris 54

uninstallation (continued)
  Tivoli Integrated Portal (continued)
    Windows 52
  Tivoli Integrated Portal on AIX 55
  Tivoli Integrated Portal on Linux 55
  Tivoli Integrated Portal on Sun Server Solaris 55
  Tivoli Integrated Portal on Windows 53
  Windows 52, 53
uninstallation wizard 51
user groups
  klmBackupRestoreGroup 17
  klmSecurityOfficerGroup 17
  LTOAdmin 17
  LTOAuditor 17
  LTOOperator 17
  Tivoli xii
user ID
  initial login 13
  Tivoli Integrated Portal administrator 13
  Tivoli Key Lifecycle Manager administrator 13
utility, migration 21

V

verifying installation
  DB2 installation 118
  embedded WebSphere Application Server 118
  installation 118
  middleware installation 118
  Tivoli Integrated Portal 118
  Tivoli Key Lifecycle Manager 118

W

what is new
  auto-pending device ix
  BRCD_ENCRYPTOR device ix
  certificate, additional for DS8000 Turbo drives ix
  concurrent administration ix
  DS5000 storage servers ix
  Internet Key Exchange ix
  Key Management Interoperability Protocol ix
  ONESECURE device ix
  role-based access ix
  serial number, variable length ix
  symmetric keys, DS5000 storage servers ix
  trusted certificate, management ix
Windows, requirements 8
wizard
  installation 35
  panels 36
  uninstallation 51
workarounds
  browser 71
  keystore password 72
worksheets
  DB2 planning 87
  general installation planning 87
  installation planning 87
  Tivoli Integrated Portal planning 88

Glossary

A

AES
    Advanced Encryption Standard. A data encryption technique that improved upon and officially replaced the Data Encryption Standard (DES).

alias
    See key label.

authentication
    A security service that provides proof that a user of a computer system is genuinely who that person claims to be. Common mechanisms for implementing this service are passwords and digital signatures. See also authorization.

authorization
    The process of granting a user either complete or restricted access to an object, resource, or function. See also authentication.

C

certificate
    In computer security, a digital document that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority and is digitally signed by that authority.

certificate authority (CA)
    A trusted third-party organization or company that issues the digital certificates. The certificate authority typically verifies the identity of the individuals who are granted the unique certificate.

certificate label
    See key label.

challenge
    A request for certain information to a system. The information, which is sent back in response to this request, is necessary for authentication.

D

data key
    An alphanumeric string used to encrypt data.

digital certificate
    An electronic document that identifies an individual, server, company, or some other entity. A digital certificate associates a public key with the entity. A digital certificate is issued by a certification authority and is digitally signed by that authority. See also certificate authority.

E

encryption
    The conversion of data into a cipher. A key is required to encrypt and decrypt the data. Encryption provides protection from persons or software that attempt to access the data without the key.

externally encrypted data key
    A data key that has been encrypted (wrapped) by a key encrypting key prior to being stored in the data cartridge. See key encrypting key.

J

JDBC (Java Database Connectivity)
    An industry standard for database-independent connectivity between the Java platform and a wide range of databases. The JDBC interface provides a call-level API for SQL-based database access.

K

key encrypting key
    An alphanumeric, asymmetric key used to encrypt the data key. See externally encrypted data key.

key label
    A unique identifier used to match the externally encrypted data key with the private key required to unwrap the protected symmetric data key.

key ring
    In computer security, a file that contains public keys, private keys, trusted roots, and certificates.

keystore
    A database of private keys and their associated X.509 digital certificate chains used to authenticate the corresponding public keys. In security, a file or a hardware cryptographic card where identities and private keys are stored, for authentication and encryption purposes. Some keystores also contain trusted, or public, keys.

L

LDAP (Lightweight Directory Access Protocol)
    An open protocol that uses TCP/IP to provide access to directories that support an X.500 model and that does not incur the resource requirements of the more complex X.500 Directory Access Protocol (DAP). For example, LDAP can be used to locate people, organizations, and other resources in an Internet or intranet directory.

LDAP directory
    A type of repository that stores information on people, organizations, and other resources and that is accessed using the LDAP protocol. The entries in the repository are organized into a hierarchical structure, and in some cases the hierarchical structure reflects the structure or geography of an organization.

life cycle
    Passage or transformation through different stages over time. For example, markets, brands, and offerings have life cycles.

life cycle rules
    A set of rules in a policy that determine which operations to use when automatically handling commonly occurring events, such as suspending an account that has been inactive for a period of time.

P

password
    In computer and network security, a specific string of characters that is used by a program, computer operator, or user to access the system and the information stored within it.

policy
    A set of considerations that influence the behavior of a managed resource or a user.

private key
    In secure communication, an algorithmic pattern used to encrypt messages that only the corresponding public key can decrypt. The private key is also used to decrypt messages that were encrypted by the corresponding public key. The private key is kept on the user's system and is protected by a password.

public key
    The non-secret half of a cryptographic key pair that is used with a public key algorithm. The public key is made available to everyone. Public keys are typically used to verify digital signatures or decrypt data that has been encrypted with the corresponding private key.

R

rekey
    The process of changing the asymmetric key encrypting key that protects the data key stored on an already encrypted tape, thereby allowing different entities access to the data.

RSA
    Rivest-Shamir-Adleman algorithm. A system for asymmetric, public-key cryptography used for encryption and authentication. The security of the system depends on the difficulty of factoring the product of two large prime numbers.

rule
    A condition that is used in the evaluation of a policy.

S

secure socket layer (SSL)
    A security protocol that provides communication privacy. SSL enables client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery.

security
    The protection of data, system operations, and devices from accidental or intentional ruin, damage, or exposure.

system administrator
    An individual who is responsible for the configuration, administration, and maintenance of a computer system or application.

W

worldwide name
    Name of a device such as a tape drive. The worldwide name is a non-secure, 64-bit address used in networks to uniquely identify each element. For example, to define devices and device paths, you might combine the value of the worldwide name with a device serial number, and other information of each disk device and tape drive used.


Program Number: 5724-T60

Printed in USA

SC27-2741-00
