
ISAM AppX Basic Appliance Cookbook

This document provides instructions for configuring an IBM Security Access Manager (ISAM) virtual appliance for basic tasks. It describes downloading the required ISO image and license files, creating a new virtual machine, installing the appliance firmware, and configuring networking, the management interface, product activation, and a basic reverse proxy instance. It also covers creating a local user, taking appliance snapshots, backup, and various notices.

Uploaded by

Dmitry

IBM SECURITY ACCESS MANAGER

Virtual Machine Cookbook


Configuring an ISAM VM for basic tasks

9.0.3.0

Scott M Andrews

Version 1.1.0
October 2017
Table of Contents
1 Introduction
1.1 Required Components
1.1.1 Access Manager Virtual Appliance ISO Image and License file
1.1.2 VMWare vSphere
1.1.3 Host machine running VMWare
1.1.4 VMWare Workstation/Fusion Networking
1.1.5 Browser
2 Virtual Machine creation and Appliance Install
2.1 Create a new virtual machine
2.2 Loading the Firmware Image onto the Virtual Appliance
3 Appliance Host and Networking Configuration
3.1.1 If using VMWare Workstation/Fusion
3.1.2 If using vSphere
3.2 Check internet connectivity
4 Basic Appliance Configuration
4.1 Login to Local Management Interface (LMI)
4.2 Product Activation
4.3 Configure Runtime Interfaces
4.4 Configure ISAM Runtime Component on the Appliance
5 Create and configure Reverse Proxy instances
5.1 Create Reverse Proxy Instance
5.2 Deploy the Changes and Restart the Reverse Proxy Instance
5.3 Verifying the Web Reverse Proxy
6 Create and use a user in the local user registry
6.1 Create the user in the local user registry
6.1.1 Access the Web Portal Manager
6.1.2 Authenticate to the Web Portal Manager
6.1.3 Create “testuser1”
6.2 Test user in Reverse Proxy
6.3 Advanced Configuration: Federated Directories
7 Appliance Snapshots and Backup
7.1 Appliance Snapshots
7.1.1 Taking a Snapshot
7.1.2 Reverting to a Snapshot
7.2 Firmware partition
7.2.1 Backing up the current partition
7.2.2 Switching to the other partition
8 Notices

1 Introduction
This cookbook provides a step-by-step guide to installing an IBM Security Access Manager Virtual Appliance
and then configuring it with network access, a basic reverse proxy and a simple junction.

This cookbook is designed to work with IBM Security Access Manager 9.0.3.0.

It will create an ISAM named “ISAM MMFA”, with the management hostname “isam.mmfa.ibm.com” and the
application hostname “www.mmfa.ibm.com”. These values can be replaced with something more appropriate
to the task.

Instructions are provided for VMWare vSphere (cloud hosting) and VMWare Workstation (local hosting).
Steps will diverge based on this environment.

1.1 Required Components


1.1.1 Access Manager Virtual Appliance ISO Image and License file

The Access Manager Virtual Appliance installation ISO image is required to create a Virtual Appliance from an
empty Virtual Machine.

IBMers can visit Extreme Leverage and download product codes -


1. IBM Security Access Manager V9.0.3 Base Virtual Appliance .ISO file Multiplatform, Multilingual
(CNJ6VML)
2. IBM Security Access Manager 9.0.3 Activation Code Multiplatform, Multilingual (CNJ6QML)
3. IBM Security Access Manager 9.0.3 Advanced Access Control Activation Code Multiplatform, Multilingual
(CNJ6NML)

Customers and Business Partners can visit Passport Advantage Online and download the same.

If you need a format other than ISO for a different hypervisor, search for IBM Security Access Manager v9.0.3
Multiplatform Multilingual eAssembly (CRW4EML) which will give you the parts for VHD, OVA, etc.

1.1.2 VMWare vSphere


The vSphere cloud infrastructure should be able to provide a virtual machine with these minimum
specifications:
• 8GB memory (4GB for host OS + 4GB for Virtual Appliance)
• 20GB free disk space (40GB preferred for partition backup)
• Internet connectivity optional (steps are provided to test it)

This cookbook assumes that the network is configured with at least one interface. Configuring ISAM using this
cookbook requires 2 IP addresses: one for the management interface and one for the application.

1.1.3 Host machine running VMWare


This guide assumes that the Hypervisor environment is VMWare Workstation (or Fusion for Mac). The host
machine should have these minimum specifications:
• Good 64-bit processor (recommend dual core i5 or better)
• 8GB memory (4GB for host OS + 4GB for Virtual Appliance)
• 20GB free disk space

Other hypervisors are supported for the Access Manager Virtual Appliance.

1.1.4 VMWare Workstation/Fusion Networking
If using VMWare vSphere, skip this step.

This cookbook assumes NAT networking is used within VMWare and that the NAT network is configured for
192.168.42.0 subnet.

Browsers wishing to access the protected application must be able to contact the SAM Reverse Proxy
listening on port 444 of IP Address 192.168.42.104. To achieve this, NAT port forwarding must be configured
under VMWare to forward TCP packets received at Host port 444 to VM IP address 192.168.42.104 port 444.

Internet connectivity is required for Network Time Protocol to be configured against an internet source. It is
not otherwise required.

1.1.5 Browser
You will need to use a browser to access the ISAM Virtual Appliance LMI Web Console. This will also be
used to run the test scenarios. This cookbook was written using Firefox ESR 45.5.1.

2 Virtual Machine creation and Appliance Install
This section describes the installation of an ISAM Virtual Appliance in VMWare Workstation.

2.1 Create a new virtual machine


The first step is to create a new VMWare virtual machine to host the virtual appliance.

Open VMWare Workstation.

Select File → New Virtual Machine… from the menu bar, as shown above, to start the wizard for creating a
new virtual machine.

Select the Custom (advanced) radio button and press Next.

Press Next to accept the defaults and continue.

Select the Installer disc image file (iso) radio button and then use the Browse button to select the ISAM 9.0.2.0
Virtual Appliance ISO image from your host machine.

Note that the name and location of ISO image will likely be different on your host machine to that shown
above in the screen image. Press Next to continue.

The appliance is Linux-based, so select the Linux radio button and Other Linux 2.6.x kernel 64-bit from the
Version pull-down list. Press Next to continue.

Enter ISAM MMFA as the Virtual machine name.

Enter the location on your host system where you want to store the virtual image into the Location field – the
location you choose on your host machine will likely be different to that shown above in the screen image.
Press Next to continue.

We won’t be placing much load on the appliance image in this lab, so leave the numbers of processors and
cores set to one, and press Next to continue.

Set the Memory for this virtual machine to 4096 and press Next to continue.

Select the Use network address translation (NAT) radio button and press Next to continue.

Select the LSI Logic (Recommended) radio button and press Next to continue.

Depending on your VMWare Workstation version you may see this option:

If shown, select SCSI as the disk type and click Next to continue.

Select the Create a new virtual disk radio button and press Next to continue.

Select “SCSI” as the “Virtual disk type” and press Next to continue.

Enter 40 as the Maximum disk size – this will give us two 20GB partitions on the appliance.
It is best to select Store virtual disk as a single file for performance but this isn't required.

Note that we are NOT selecting Allocate all disk space now. This means that although we are creating a
40GB drive here (which is useful for future expansion) only around 3GB will be used on the host system.

Press Next to accept the default disk filename and continue.

The virtual machine image has now been fully defined, press Finish to complete the image creation.

2.2 Loading the Firmware Image onto the Virtual Appliance
Having now created the virtual machine, the next step is to load the ISAM virtual appliance firmware from the
ISO image that we attached to the virtual machine when we created it.

With the new appliance tab (ISAM MMFA) selected, click Power on this virtual machine.

If you need to release your focus from the Virtual Machine, press <Ctrl> and <Alt> at the same time.

Press Enter to start the appliance installer (or wait 10 seconds).

The installer automatically begins installation of the appliance firmware to the Virtual Machine hard drive.

Two partitions are created each with a copy of the firmware.

When the firmware installation is complete, the Virtual Machine automatically shuts down.

We will now disconnect the installation ISO from the virtual appliance.

Virtual Machines default to boot from the local hard disk so it is not a requirement to disconnect the virtual
CD drive. However, doing so removes dependency on the ISO image being available which can generate
unwanted warnings at start up. You can also take this opportunity to remove the Sound Card and Printer
devices which are not used by the ISAM Virtual Appliance.

Click on the CD/DVD (IDE) entry in the device list of the Virtual Machine.

Clear the check box for Connect device at power on and click OK.

3 Appliance Host and Networking Configuration
We will now perform host and networking configuration of the appliance so that the management interface is
available on the network. This is done on the appliance console shown in the VMWare Workstation window.

Note that some network addresses differ between VMWare Workstation and VMWare vSphere.

Boot the Virtual Appliance using the Play button in VMWare.

While the appliance boots you will see a flashing cursor. After around 1 minute you should see the following:

Log in to the console using the administrator user id admin and the default password of admin.

During the first login after the initial firmware has been loaded onto the appliance, a wizard is automatically
run to configure the firmware.

Press Enter to run the configuration wizard.

Once you have read the Software License Agreement, enter 4 to proceed to acceptance of terms.

Enter 1 to agree to the license terms.

We don't want to enable FIPS mode so enter n to continue.

We don't want to change the password (we'll do that in a later step) so enter n to continue.

Enter 1 to set the host name.

Enter isam.mmfa.ibm.com as the host name.

Enter n to continue.

We now want to configure a management interface.

Enter 3 to configure an interface.

Enter 1 to configure the 1.1 interface. This is the only interface available because we only defined one
networking card for the Virtual Machine.

Enter 1 to enable this interface.

Enter 2 for manual configuration - we want to specify a fixed IP address for the management interface.

Enter 2 to add a new IP address to the 1.1 interface.

Enter the IPv4 configuration as follows:


• Address: 192.168.42.103
• Subnet Mask: 255.255.255.0
If using vSphere, substitute these with values appropriate to the environment.

Enter 1 to specify this IP address as a management address.

Enter 1 to enable this IP address.

Enter 4 to finish configuring addresses.

We could add other IP addresses here but configuration of the management address is the minimum
required. With the management address configured, further addresses can be added later using the
management console or REST APIs.

We're not going to use IPv6 so we want to manually configure it with no addresses. Enter 2 to select this.

Enter 4 to finish (without creating any IPv6 addresses).

Enter 6 to set the IPv4 default gateway. This is required to give the appliance connectivity beyond the local
192.168.42.0 subnet.

3.1.1 If using VMWare Workstation/Fusion

Enter 192.168.42.2 as the Default Gateway.

Enter 1 to specify that the 1.1 interface should be used to reach the Default Gateway.

The 192.168.42.2 gateway is provided by VMWare. On a NAT-enabled subnet, this gateway will use
Network Address Translation to route out from the host machine using its IP addresses and routing table.

3.1.2 If using vSphere

Set the gateway according to your cloud environment, and enter 1 to specify the 1.1 interface.

We have now completed networking configuration so enter n to move on.

Since we're not using DHCP, we need to manually configure a DNS server.
Enter 1 to set DNS server 1.

3.1.2.1 If using VMWare Workstation

Enter 192.168.42.2 as the DNS server address.

192.168.42.2 is the DNS server provided by VMWare. It forwards DNS requests to the DNS servers configured for
the host machine.

3.1.2.2 If using VMWare vSphere

Enter your cloud environment’s DNS server address.

We have completed DNS configuration. Enter n to move on to the next screen.

Enter 3 to set the time zone.

Enter the number associated with your geography. For UTC, select 8.

Then enter the number associated with your time zone. For UTC, select 1.

Check the time and date displayed and, if necessary, use options 1 and 2 to modify. Once the date, time and
time zone are set correctly, enter n to continue.

Check the data displayed in the Summary. If it is correct, enter 1 to apply the specified configuration.

The appliance firmware is now configured.

Enter exit to logout from the console interface.

3.2 Check internet connectivity
We will now test internet connectivity from our Virtual Appliance. Access the appliance console directly as
you did above.

Skip this step, or change the destination to an internal host, if your appliance is not expected to reach the
internet.

isam.mmfa.ibm.com login: admin


Password: admin

Log in with username admin and password admin.

Last login: Wed Nov 24 06:35:49 2016


Welcome to the IBM Security Access Manager
Welcome to the IBM Security Access Manager appliance
Enter "help" for a list of available commands
isam.mmfa.ibm.com> tools

Enter tools to open the tools folder.

isam.mmfa.ibm.com:tools> ping pool.ntp.org


PING pool.ntp.org (91.237.88.67) 56(84) bytes of data.
64 bytes from mail.qraftwerk.de (91.237.88.67): icmp_seq=1 ttl=128 time=45.5 ms
64 bytes from mail.qraftwerk.de (91.237.88.67): icmp_seq=2 ttl=128 time=42.1 ms
64 bytes from mail.qraftwerk.de (91.237.88.67): icmp_seq=3 ttl=128 time=42.0 ms
^C
--- pool.ntp.org ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2404ms
rtt min/avg/max/mdev = 42.096/43.270/45.566/1.632 ms
isam.mmfa.ibm.com:tools>

Enter the command ping pool.ntp.org. If the ping is successful, this proves that our IP address is working, our
DNS server is working, our default gateway is working, NAT connectivity to the internet is working, and that an
NTP server can be reached.

The NTP server returned may differ depending on your location.

Press Ctrl-C to terminate the ping command.

If this ping command fails, the networking configuration will need to be debugged. Check that the VMWare
networking configuration of the default NAT network is set correctly and ensure that your host machine has
connectivity to the internet.

isam.mmfa.ibm.com:tools> exit

Enter exit to log out from the appliance console.

4 Basic Appliance Configuration
In this section, we will perform basic configuration of the appliance. The following will be configured:
• Network Time Protocol
• Functionality Activation
• Additional IP addresses
• Static hosts
• Access Manager Runtime (local policy server and LDAP)

4.1 Login to Local Management Interface (LMI)


We will now log in as the admin user. This superuser account is used to access the LMI Browser Interface
and the appliance Command Line Interface. It is also used to authenticate when making REST calls to the
LMI REST interface.

Add an entry to your host system’s hosts file, assigning isam.mmfa.ibm.com to 192.168.42.103. This step is
optional but will be assumed in screenshots.

Open a browser on your host system. Firefox ESR 45.5.1 was used when writing this lab guide.

Open the LMI GUI for the ISAM Appliance via the URL: https://isam.mmfa.ibm.com

Expand Advanced and click the Add Exception… button.

Ensure that the Permanently store this exception checkbox is selected and click the Confirm Security
Exception button to avoid seeing this certificate warning in the future.

The login page for the ISAM Appliance LMI is now displayed:

Log in as user admin with password admin.

4.2 Product Activation
The Access Manager 9.0 Virtual Appliance firmware contains a number of functional modules. However, after
initial installation, only basic management functions are available. Activation is required in order to enable the
purchased modules.

Click on the Manage System Settings icon to open the "mega-menu" and click the Licensing and
Activation item - as shown above.

The Licensing and Activation screen is displayed. Currently there are no activated modules.

Click the Import button. A file selector dialog is displayed.

Select the ISAM 9.0.3 Base Activation Code and Advanced Access Control Activation Code files that you
downloaded from IBM (see section 1.1.1).

Click Save Configuration.

The IBM Security Access Manager base activation code is processed and the module is listed. To complete
the activation process we must deploy the changes we have made.

Click the Click here to review the changes or apply them to the system link in the warning message - as
shown above.

Click Deploy to confirm the deployment of the changes.

The activation process can take a few minutes to complete because a number of new components are started
and initialized within the appliance. Once it is complete, the following message is displayed:

Click on the link in the message to reconnect to the appliance management interface (it may take a few
seconds for this to work).

When the management interface reloads, verify the modules have been activated –

4.3 Configure Runtime Interfaces
We will now configure the Interfaces where the Reverse Proxy (aka WebSEAL) instances will listen.

These steps assume the 192.168.42.104/24 address and subnet, from VMWare Workstation defaults.
Change these if using VMWare vSphere to suit your cloud environment.

In the top menu panel, select Manage System Settings → Network Settings: Interfaces - as indicated
above.

The configuration shows our only interface (1.1) and the single management IP address that we are
connected to.

We need to edit this interface configuration to add an additional (non-management) IP address.

Select the checkbox next to the 1.1 interface and click Edit - as shown above.

Select the IPv4 Settings tab and then click the New button to add a new IP address.

Enter 192.168.42.104/24 in the Address field. This is CIDR notation; the /24 means there are 24 bits in the
subnet mask (i.e. 255.255.255.0).

Click Save Configuration. The new IP address is now listed:

Click Save Configuration to save the new interface configuration.

Deploy the configuration changes using the link in the yellow warning message.

Open a command window on your host machine and ping the new IP address you just created to check that
the address is active and reachable.

# ping 192.168.42.104
Pinging 192.168.42.104 with 32 bytes of data:
Reply from 192.168.42.104: bytes=32 time<1ms TTL=64
Reply from 192.168.42.104: bytes=32 time<1ms TTL=64

If using vSphere, this should still apply.

4.4 Configure ISAM Runtime Component on the Appliance
For this lab, we will configure the ISAM appliance to run with a local ISAM Policy Server and a local LDAP
server.

Click the Configure button to initiate the runtime configuration dialog.

Select the radio buttons for a “Local” Policy Server and an “LDAP Local” User Registry.
Click Next to move to the next configuration tab.

Enter “passw0rd” as the “Administrator Password” and “Confirm Administrator Password”. Ensure the other
fields are left as default. Press Next to progress to the next tab.

On the LDAP tab, enter “passw0rd” as the Password. Press Finish to perform the runtime configuration.

This is the default password for LDAP.

After a short time, during which the Policy Server is configured and entries are created in the LDAP, you
should see a message indicating that the ISAM runtime component is configured using a local policy server
and a local user registry:

5 Create and configure Reverse Proxy instances
In this lab, we will create one Reverse Proxy instance to serve browser traffic. It will use the IP address
192.168.42.104 and listen on port 443.

5.1 Create Reverse Proxy Instance

In the top menu panel, select Secure Web Settings → Manage: Reverse Proxy, as indicated above.

Click the New button to open the Reverse Proxy creation dialog.

Enter default as the Instance Name and select the IP address associated with the non-management interface
we configured earlier (192.168.42.104) from the IP Address for the Primary Interface pull-down list.

Ensure the Host name and Listening Port default correctly to the values shown above.

Click Next to progress to the next configuration panel.

Enter passw0rd as the (ISAM) Administrator Password. Ensure the other fields default correctly as shown
above.

Click Next to progress to the next configuration panel.

Select the checkbox for HTTPS and ensure the “HTTPS Port” is set to 443. Click Finish to create the
Reverse Proxy instance.

The Reverse Proxy instance is now configured and started.

5.2 Deploy the Changes and Restart the Reverse Proxy Instance
We are now ready to deploy the configuration changes and restart the Reverse Proxy instance so the
changes come into effect.

The configuration changes we just made were applied to a copy of the real configuration files. Press
the link in the yellow warning bar to apply (or discard) the changes.

Press the Deploy button to deploy the changes to the master copy of the configuration files.

A warning message is displayed advising that the Reverse Proxy instance will need to be restarted for the
changes to come into effect. Changes are Active shows as False.

Select the radio button next to the Reverse Proxy instance and press the Restart button – as shown above, to
restart the server.

A blue message box should briefly appear once the instance has restarted. Changes are Active shows as
True to reflect that the deployed configuration changes are now active.

5.3 Verifying the Web Reverse Proxy


In this example, a host file entry has been created to alias 192.168.42.104 to www.mmfa.ibm.com on the
local machine.

In your web browser, visit https://www.mmfa.ibm.com.

Click through the browser’s certificate warning; we will provide a certificate for the Reverse Proxy instance in
the next step.

The Reverse Proxy’s default login screen will be presented.

Enter sec_master and passw0rd to log in.

This is a default administrative user and should not generally be used for testing. We will create a test user
later.

You should see the reverse proxy’s default homepage.

Now visit https://www.mmfa.ibm.com/example.

You should see the application protected behind Access Manager on the /example junction.
If an error page is presented, verify that the Reverse Proxy instance and junction have been created correctly.

6 Create and use a user in the local user registry
In section 4.4 the runtime was configured to use the local LDAP as a user registry. Here we will create a user
in that registry, which can be used to authenticate to the reverse proxy, and verify that it has been done
successfully.

6.1 Create the user in the local user registry


When integrating with external systems for third party providers, the simplest mechanism to synchronize users
between systems for testing is to create a user with the same username as the target system on the ISAM
appliance.

In this section we will create a user called testuser1; however, you can create User IDs including an email
address such as [email protected].

6.1.1 Access the Web Portal Manager

In the Local Management Interface, go to Secure Web Settings > Policy Administration.

6.1.2 Authenticate to the Web Portal Manager


Enter sec_master and passw0rd to authenticate to the Web Portal Manager.

6.1.3 Create “testuser1”
Click the arrow next to User, then Create User.

Enter the user details as provided below, including a password of passw0rd.

ISAM will present a success message:

6.2 Test user in Reverse Proxy
The user should now be able to authenticate to the reverse proxy, and by extension, to the application behind
it. In your browser, open https://www.mmfa.ibm.com/example again, or
https://www.mmfa.ibm.com/example with no hosts file entry.

If you are still authenticated as sec_master, visit https://www.mmfa.ibm.com/pkmslogout first to log out.

Authenticate as before, but using the new user: testuser1 and passw0rd.

You should be able to access the protected application as before.

6.3 Advanced Configuration: Federated Directories


For more advanced configurations and to utilize existing external directories, the ISAM Federated Directories
feature is recommended.

To configure a Federated Directory, if required, refer to
http://www-01.ibm.com/support/docview.wss?uid=swg21694502.

The example configuration does not use SSL/TLS to communicate with the Active Directory Server.
Additional configuration and key management is required to use SSL/TLS which is described in the
Security Access Manager Knowledge Center.

The use of userPrincipalName in place of sAMAccountName for the basic-user-principal-attribute
configuration entry is recommended. This allows a user to authenticate (for this example configuration) as
[email protected] rather than Lance Clinton in the login page.

The updated configuration entry should reflect:

[server:adsystem]
host = adsystem.lance.net
port = 389
bind-dn = cn=Administrator,cn=Users,dc=lance,dc=net
basic-user-principal-attribute = userPrincipalName
ssl-enabled = no
suffix = dc=lance,dc=net
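
The following Python script is an added example (not part of the cookbook or of IBM's tooling) that parses [server:<name>] stanzas like the one above and flags the unencrypted LDAP setting the text notes, a principal attribute other than the recommended one and, as this example's own least-privilege check, a bind as the directory Administrator. The hardened stanza, its service-account name, and the treatment of a missing ssl-enabled key as "no" are assumptions of the example.

```python
import configparser

# The stanza exactly as printed in section 6.3 of the cookbook.
COOKBOOK_STANZA = """\
[server:adsystem]
host = adsystem.lance.net
port = 389
bind-dn = cn=Administrator,cn=Users,dc=lance,dc=net
basic-user-principal-attribute = userPrincipalName
ssl-enabled = no
suffix = dc=lance,dc=net
"""

# Constructed variant for comparison. The account "svc-isam-bind" and its OU
# are hypothetical; the key management the cookbook says SSL/TLS needs is
# not shown here.
HARDENED_STANZA = """\
[server:adsystem]
host = adsystem.lance.net
port = 636
bind-dn = cn=svc-isam-bind,ou=Service Accounts,dc=lance,dc=net
basic-user-principal-attribute = userPrincipalName
ssl-enabled = yes
suffix = dc=lance,dc=net
"""

TRUTHY = {"yes", "true", "on", "1"}


def parse_server_stanzas(text):
    """Return {stanza_name: {key: value}} for every [server:<name>] stanza."""
    # Split on "=" only, so DN values such as "cn=...,dc=..." stay intact.
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(text)
    return {
        section: dict(parser.items(section))
        for section in parser.sections()
        if section.startswith("server:")
    }


def audit_stanza(settings):
    """Return a list of (severity, key, message) findings for one stanza."""
    findings = []
    # Assumption of this example: a missing ssl-enabled key counts as "no".
    tls = settings.get("ssl-enabled", "no").strip().lower() in TRUTHY
    port = settings.get("port", "").strip()

    if not tls:
        findings.append(("HIGH", "ssl-enabled",
                         "LDAP traffic is unencrypted, so credentials sent in "
                         "binds can be read on the network path"))
    if tls and port == "389":
        findings.append(("MEDIUM", "port",
                         "ssl-enabled is on but 389 is the plain LDAP port; "
                         "LDAPS normally listens on 636"))
    if not tls and port == "636":
        findings.append(("MEDIUM", "port",
                         "636 is the LDAPS port but ssl-enabled is off"))

    # Least-privilege check added by this example, not stated in the cookbook.
    first_rdn = settings.get("bind-dn", "").split(",", 1)[0].strip().lower()
    if first_rdn == "cn=administrator":
        findings.append(("MEDIUM", "bind-dn",
                         "binds as the directory Administrator; a dedicated "
                         "lookup account limits what a leaked password exposes"))

    attr = settings.get("basic-user-principal-attribute", "").strip().lower()
    if attr != "userprincipalname":
        findings.append(("LOW", "basic-user-principal-attribute",
                         "the cookbook recommends userPrincipalName"))
    return findings


def audit(text):
    """Audit every [server:<name>] stanza found in the given text."""
    return {name: audit_stanza(s)
            for name, s in parse_server_stanzas(text).items()}


if __name__ == "__main__":
    samples = (("cookbook", COOKBOOK_STANZA), ("hardened", HARDENED_STANZA))
    for label, text in samples:
        for stanza, findings in audit(text).items():
            print(f"{label} [{stanza}]: {len(findings)} finding(s)")
            for severity, key, message in findings:
                print(f"  {severity:6} {key}: {message}")
```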

7 Appliance Snapshots and Backup
You can use snapshots to back up and restore prior configuration and policy settings to the appliance as you
develop your AppX InfoMap.

Alternatively, a full moment-in-time backup can be taken using the Firmware partition option and cloning an
existing configuration to the backup partition. Partitions can also be used to switch between active
configurations during testing and validations without impacting the other partition.

7.1 Appliance Snapshots


Snapshots are stored on the appliance; however, you can download snapshots to an external drive in case of
system failure or to maintain a last known good working state.

This is an especially useful feature when completing the AppX package validation testing, as it allows you to
revert your appliance to the base configured state prior to installing your AppX package.

7.1.1 Taking a Snapshot

Go to Manage > System Settings.

From the menu list, select Snapshots.

To create a snapshot, click New, type a comment that describes the snapshot, and then click Save.

7.1.2 Reverting to a Snapshot

To apply a snapshot, select the snapshot, and then click Apply.


If configuration or policy versions are newer than the firmware version, the settings are rejected. If the
configuration and policy versions are older than the firmware version, the settings are migrated to the current
firmware version.

7.2 Firmware partition


ISAM has two partitions, and only one is active at a time. All of the configuration done in this document is
stored under the current, active partition.

The inactive partition can be used as a backup, separate from VMware snapshots. This section will
demonstrate how.

7.2.1 Backing up the current partition

Go to Home.

Scroll down to Partition Information. Click Firmware Settings.

On the partition marked (Active), click Create Backup.

Read the confirmation dialogue and click Yes. Wait several minutes.

All of the firmware settings are now backed up to the second partition.

7.2.2 Switching to the other partition


If it becomes necessary to restore from a known-good configuration or to switch between configurations, set
ISAM to boot from the other partition.

Return to Home > Partition Information > Firmware Settings.

On the partition not marked (Active), click Set Active.

Wait while ISAM reboots.

8 Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services,
or features discussed in this document in other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM product, program, or service is not
intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is
the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing
of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property
Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are
inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT
WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement
might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the
information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner
serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any
obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of
information between independently created programs and other programs (including this one) and (ii) the mutual use of
the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms
of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in
other operating environments may vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on generally available systems.
Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this
document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM
products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent
goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices
may vary.

This information is for planning purposes only. The information herein is subject to change before the products described
become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely
as possible, the examples include the names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming techniques on
various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to
IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application
programming interface for the operating platform for which the sample programs are written. These examples have not
been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function
of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for
the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application
programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

© IBM 2017. Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp 2017. All rights
reserved.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp.,
registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other
companies. A current list of IBM trademarks is available on the Web at Copyright and trademark information at
ibm.com/legal/copytrade.shtml.

Statement of Good Security Practices


IT system security involves protecting systems and information through prevention, detection and response to improper
access from within and outside your enterprise. Improper access can result in information being altered, destroyed,
misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can
be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part
of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require
other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS,
PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

© International Business Machines Corporation 2017
International Business Machines Corporation
New Orchard Road Armonk, NY 10504
Produced in the United States of America 01-2016
All Rights Reserved
References in this publication to IBM products and services do not imply that IBM intends to make them available in all countries in which
IBM operates.
