Abstract
Readme documentation for IBM® InfoSphere™ Master Data Management Server for Weblogic® and IBM WebSphere® Application Server for Version 9.0.2.40 including installation-related instructions, prerequisites and co-requisites, and list of fixes.
Readme file for: IBM® InfoSphere™ Master Data Management Server for Weblogic® and WebSphere® Application Server
Product/Component Release: 9.0.2
Update Name: 9.0.2.40
Fix ID: MDM_9.0.2.40_hotfix_WAS, MDM_9.0.2.40_hotfix_WL
Contents
Download location
Prerequisites and co-requisites
Installation information:
Prior to installation
Installing
Important Changes
Contacting IBM Software support
List of fixes
Copyright and trademark information
Download location
Download fixes from Fix Central (select Information Management -> InfoSphere MDM Server -> 9.0.2 -> AIX):
http://www-933.ibm.com/support/fixcentral/
Below is a list of product/component names, platforms, and file names that apply to this ReadMe file.
Product/Component Name         | Platform                     | File Name
InfoSphere MDM Server 9.0.2.40 | WebSphere Application Server | MDM90240_WAS.jar
InfoSphere MDM Server 9.0.2.40 | WebLogic                     | MDM90240_WL.jar
Prerequisites and co-requisites
This is a roll-up fix that contains all the fixes from 9.0.2.1 to 9.0.2.39. It can be installed directly on top of MDM 9.0.2 or on top of any hot fix from 9.0.2.1 to 9.0.2.39.
Client customizations or extensions may impact the update process. Consider the impact of custom configurations and extensions before applying this hot fix to your environments.
To install, replace or merge the assets (such as jars, properties files, XSDs, etc.) in your environment with the assets included in this hot fix, execute the provided scripts (if any) and redeploy. Back up the original environment before applying the hot fix so that the hot fix can be rolled back if necessary. For more details on how to deploy a hot fix, refer to the document 'DeployFix_Guidelines.pdf'.
**************************
The fix uses the "Double Submit Cookies" technique described in the XSRF Prevention Cheat Sheet. When the server receives a POST request from the client, it checks whether the request contains a csrfToken parameter (which is the session ID). If the parameter matches the server's value, the request continues; otherwise the filter redirects to the page specified in its configuration. With this fix, the UI needs a new hidden field inside every form tag so that the csrfToken is included in the request.
Steps to apply fix (for non-customized UI):
1. Go to the WAS Admin Console, then go to Servers -> Server Types -> WebSphere application servers, and stop the UI instances (BAUI, DSUI & PUI).
2. Go to Applications -> Application Types -> WebSphere enterprise applications, and export the original UI .ear files.
3. Open propertiesUI.jar in the new UI .ear file and restore your UI settings by copying mdmUIConfiguration.properties from the original propertiesUI.jar over the new mdmUIConfiguration.properties.
4. Go to Applications -> Application Types -> WebSphere enterprise applications, and update with the new UI .ear file. (For the PUI update only: check the Deploy Web services option on the Install New Application page.)
5. Go to System administration -> Save changes to master repository, check Synchronize changes with Nodes, and Save.
6. Go to Servers -> Server Types -> WebSphere application servers, and start the UI instances.
Steps to apply fix (for customized UI):
1. Adjust SessionFilter.java (CommonUIUtilities/src/com.ibm.mdm.ui.filter and CommonUIModel/src/com.ibm.mdm.ui.filter packages) by adding the following section of code after the closing of the "if(httpSession == null)" block (since the CSRF check is only done when there is a valid session) in the "doFilter" method:
2. Apply the following code in all .jsp pages where there is a "</h:form>" tag (a search for the tag will find them):
<h:inputHidden id="csrfToken" value="#{csrfToken}"></h:inputHidden>
3. Adjust the web.xml (ProductWeb/WebContent/WEB-INF) by changing the SessionFilter url-pattern from /faces/* to /*. (Apply to PUI only.)
<filter-mapping>
<filter-name>SessionFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
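As an added example (not IBM's code and not the code section the steps above refer to), here is a servlet filter in the shape of the SessionFilter change: it skips the check when there is no session, and on POST compares the csrfToken form field against the server-side value before letting the request through or redirecting. Where the page's fix uses the session ID as the token, this example stores a separate random token in the session under the attribute name that #{csrfToken} resolves, so the session ID itself never appears in page markup; the class name and the redirect page are assumptions.

```java
import java.io.IOException;
import java.security.SecureRandom;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Illustrative CSRF check in the shape of the SessionFilter described above.
// Not IBM code: the class name, the redirect page and the token generation
// are assumptions made for this example.
public class CsrfCheckFilter implements Filter {
    // Name of the hidden field sent by <h:inputHidden id="csrfToken" ...> and of
    // the session attribute that the JSF expression #{csrfToken} resolves to.
    private static final String TOKEN_NAME = "csrfToken";
    private static final SecureRandom RNG = new SecureRandom();
    private static final String REDIRECT_PAGE = "/sessionExpired.jsp"; // assumed

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        HttpSession httpSession = request.getSession(false);
        if (httpSession == null) {
            // No session yet: existing session handling applies, no CSRF check.
            chain.doFilter(req, resp);
            return;
        }
        // Issue one random token per session the first time a valid session is
        // seen; the JSF pages render it into the hidden field on every form.
        String expected = (String) httpSession.getAttribute(TOKEN_NAME);
        if (expected == null) {
            expected = newToken();
            httpSession.setAttribute(TOKEN_NAME, expected);
        }
        // Only state-changing POSTs carry the hidden field; other methods pass.
        if ("POST".equalsIgnoreCase(request.getMethod())) {
            String submitted = request.getParameter(TOKEN_NAME);
            if (submitted == null || !constantTimeEquals(submitted, expected)) {
                response.sendRedirect(request.getContextPath() + REDIRECT_PAGE);
                return;
            }
        }
        chain.doFilter(req, resp);
    }

    // 32 random bytes rendered as 64 hex characters (works on pre-Java 8 JVMs).
    static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        StringBuilder sb = new StringBuilder(raw.length * 2);
        for (byte b : raw) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Compare without stopping at the first mismatching character.
    static boolean constantTimeEquals(String a, String b) {
        if (a.length() != b.length()) return false;
        int diff = 0;
        for (int i = 0; i < a.length(); i++) diff |= a.charAt(i) ^ b.charAt(i);
        return diff == 0;
    }
}
```

The filter is registered through the same web.xml filter-mapping shown in step 3, so every form POST under /* is checked while GET navigation is unaffected.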
**************************
o In this official ifix, we fix the missing TAIL QCF and queue resource definitions in PartyEJB and FinancialServicesEJB. Below are the suggested steps to apply it.
1. Back up the client's original PartyEJB.jar and FinancialServicesEJB.jar.
2. Merge the fixed 'ejb-jar.xml' and 'ibm-ejb-jar-bnd.xml' with your existing files in PartyEJB.jar and FinancialServicesEJB.jar rather than copying and pasting over them.
3. Apply the modified PartyEJB.jar and FinancialServicesEJB.jar to MDM.ear in whichever way is convenient.
4. Republish MDM.ear, then restart the server.
o For the PMR 78313,211,788 fix, apply the attached fixed 'DWLMessagingAdapter.properties' in the properties.jar inside the MDM ear file. By default, the delivery mode in the JMS header is set to 'PERSISTENT'. If the client would like to set the delivery mode to 'NON_PERSISTENT', configure it in DWLMessagingAdapter.properties.
o In addition to the code change for PMR#15435,211,788, the following config entry needs to be added to DWLCommon_extension.properties and tcrm_extension.properties:
CurrentDateTime_To_SystemCurrentTimestamp=false
If you do not choose this option, the config entry does not have to be added. When EndDate is the current date, the MDM Server default behavior is to ignore the time portion and convert the current date and time to the current timestamp.
o Please check the following details regarding the MDM Server Information Center security issue and how to apply the attached fixes.
TITLE: Security Bulletin: Open Redirect and Cross-Site Scripting Vulnerabilities in the locally installable IBM® InfoSphere™ Master Data Management Server Information Center (CVE-2012-2159, CVE-2012-2161)
SUMMARY: The installed InfoSphere MDM Server Information Center gives you local access to all of the information that you need to take full advantage of InfoSphere MDM Server. Some scripts in the help system used by the InfoSphere MDM Server Information Center are vulnerable to open redirect or cross-site scripting attacks.
This security bulletin only applies to the locally installed InfoSphere MDM Server Information Center and not the core InfoSphere MDM Server product. If you do not have an information center installed on a local or intranet system, then this security bulletin is not applicable.
VULNERABILITY DETAILS:
CVE ID: CVE-2012-2159
DESCRIPTION: Some scripts used by the help system are vulnerable to redirects from trusted to untrusted web sites when users click a malicious link.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74832 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE ID: CVE-2012-2161
DESCRIPTION: Some scripts used by the help system are vulnerable to cross-site scripting attacks. An attacker could potentially exploit this vulnerability to collect user credentials or cookie data when users click a malicious link.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74833 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED PLATFORMS:
The following locally installed IBM InfoSphere MDM Server Information Center editions running on Linux, AIX, and Windows are affected by this security bulletin:
IBM® InfoSphere™ MDM Server 9.0.2 Information Center
REMEDIATION: The recommended solution is to apply the fix for each named product as soon as practical. Please see below for information on the fixes available.
Fix:
The fix for this vulnerability is available for download for InfoSphere MDM Server Information Center release v9.0.2. The package for each version includes the patch for the base information center code.
Product Version | Platform     | Patch file name
9.0.2           | Windows      | IBM-Help-Win32_patch4_3.4.3.v20120416-1215.zip
9.0.2           | AIX or Linux | IBM-Help-AIX64(LINUX32)_patch4_3.4.3.v20120416-1215.tar
1. Download the patch for the applicable InfoSphere MDM Server information center version and platform from the following URL: XXX
2. Stop the information center if it is running:
a) Navigate to the information center installation directory, then go to ...\MDMserver_IC\ibm_help\
b) Run the stop script. The name of this script will differ depending on the version, but will be either IC_end.bat or stop_infocenter.bat.
c) Wait for the information center process to end.
3. Extract the patch.
4. Copy all of the extracted folders and files to your original information center installation directory. This will overwrite several files in the ...\MDMserver_IC\ibm_help\eclipse\plugins\ directory.
5. Restart the information center:
a) Navigate to the information center installation directory, then go to ...\MDMserver_IC\ibm_help\
b) Run the start script. The name of this script will differ depending on the version, but will be either IC_start.bat or start_infocenter.bat.
Workarounds: None known; apply fixes.
Mitigations: If applying the fix is not possible or feasible, then uninstall the locally installed information center and use the information centers available on ibm.com:
V9.0.2: http://publib.boulder.ibm.com/infocenter/mdm/v9r0m2/index.jsp
Alternately, you can use the PDF versions of the documentation that were installed with the InfoSphere MDM Server product installation.
REFERENCES:
· X-Force Vulnerability Database (http://xforce.iss.net/xforce/xfdb/74832)
· X-Force Vulnerability Database (http://xforce.iss.net/xforce/xfdb/74833)
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
o Besides applying EventManager.jar in the iFix for PMR#20021,082,000, the following entry needs to be added to EventManager.properties to use the two new SQLs with literal values of EventStatus:
EventStatus_LiteralValue_SQL_Enabled=true
If the value is false or the config entry is not added to EventManager.properties, MDM Server functions the same as before, using the original parameterized EventStatus SQL.
o For fixing PMR#05878,057,649, we introduce a new column (access_token_value) in the SUSPECT table and a new trigger. Refer to the extra readme in iFix 90233 to learn how to apply the SQL file and the trigger fix.
o A new error message needs to be added to the DB by executing the corresponding SQL script file in iFix 90238 for PMR 84535,211,788.
Contacting IBM Software support
IBM Software Support provides assistance with product defects.
Before you submit your problem to IBM Software Support, ensure that your company has an active IBM software maintenance contract, and that you are authorized to submit problems to IBM. The type of software maintenance contract that you need depends on the type of product you have.
Product support can be obtained through the following methods.
On the Web   | Go to http://www.ibm.com/software/data/masterdata/customer/
By Telephone | If you are in North America, call 1-800-IBM-SERV (1-800-426-7378). If you are outside of North America, check the Web page http://www.ibm.com/planetwide/ for contact information for your area.
List of fixes
#  | Incident/PMR      | Description
1  | PMR#27052,379,000 | Fixed code not to return the ProductType element in the GetProductByAdminSysKey web service transaction if this element is empty.
2  | PMR#3026,004,000  | Fixed code so that it returns the correct DWLStatus within the tag of
3  | PMR#41318,211,788 | Fixed code to properly handle validation for 'BirthPlaceValue' in TCRMPersonBObj.
4  | PMR#43548,057,649 | Fixed code to avoid the null error message generated by RequestParserFactory, and enhanced the batch framework to process exceptions properly for a null error message.
5  | PMR#43475,211,788 | Fixed code to close the JMS queue connection in DWLMessagingAdapter when an exception occurs.
6  | PMR#50445,057,649 | When both MDM's TAIL feature and WAS global security are enabled, running OOTB transactions in Party.jar and FinancialServices.jar would throw an MQ exception (JMSCMQ0001).
7  | PMR#52082,057,649 | Fixed code not to return the PartyWithTaskMangtBObj element in the searchSuspectPartiesWithTaskManagement transaction if this element is empty while access token is enabled.
8  | PMR#53528,057,649 | Fixed code to resolve SQLCODE -301 error by properly matching Java types in SQL parameters.
9  | PMR#76331,211,788 | Fixed code to enable the services below to return default settings, if any, with inquiry level 1: getAllContractRoleLocationPrivacyPreferences, getAllPartyAddressPrivacyPreferences and getAllPartyContactMethodPrivacyPreferences.
10 | PMR#15657,057,649 | Fixed code to enable customized pluggable SQL for SuspectBObjQuery.SUSPECT_PARTY_QUERY to be picked up by MDM Server.
11 | PMR#78313,211,788 | Fixed code to allow the client to set the delivery mode in the JMS header when using a Generic JMS Provider.
12 | PMR#78803,211,788 | Fixed code to handle the exception properly when a DWLControl field length exceeds the DB field length in TAIL.
13 | PMR#16166,057,649 | Fixed code to avoid SQL -301 error on the DB2 z/OS platform.
14 | PMR#04680,999,832 | Fixed code to avoid memory issues in StringBuilderCache.
15 | PMR#04783,999,832 | Fixed code to avoid NotSerializableException when using
16 | PMR#22785,499,000 | Fixed code to handle the scenario where the incoming request object is an MDM core business object while its class is extended as a data extension in the suspect re-identify process.
17 | PMR#15435,211,788 | Fixed code to provide an option for users not to convert EndDate to the current timestamp when EndDate is the current date. (Please refer to Important Changes for additional details.)
18 | PMR#15269,211,788 | Fixed code not to send a notification when the notification type is expired.
19 | N/A               | Fixed the security issues (open redirect and cross-site scripting) in the InfoSphere MDM Server Information Center, which is a browser-based Eclipse plugin that stores the documentation. This security patch only applies to the locally installed InfoSphere MDM Server Information Center and not the core InfoSphere MDM Server product. If you do not have an information center installed on a local or intranet system, then this security patch is not applicable.
20 | N/A               | Fixed code for the CollapsePartiesWithRules transaction to handle: a) deleting suspect records of inactive parties; b) carrying over user-marked suspects with suspect status 3 from the source parties to the target party.
21 | PMR#20311,379,000 | Fixed code to prevent a null pointer exception when adding a new record to CDADMINSYSTP with an empty name.
22 | PMR#04802,999,832 | Fixed code to resolve NullPointerException when running the getAllProductTypes transaction.
23 | PMR#16900,211,788 | Enhanced the getPartyByAdminSysKey transaction so that the active party takes precedence over inactive ones.
24 | PMR#50255,047,649 | Fixed code to make StatusConverter pluggable.
25 | PMR#20021,082,000 | Fixed code to add two SQLs with literal values of EventStatus to improve performance on the DB2 for z/OS platform. (Please refer to Important Changes for additional details on applying the iFix.)
26 | PMR#30469,379,000 | Fixed code to solve SAXParseException while updating a spec value with "&" in the <value> tag.
27 | PMR#40152,999,832 | Fixed code to skip the unnecessary query for contract relationships when running the updateContract transaction without contract relationships input.
28 | PMR#76481,057,649 | Fixed code to ensure thread safety while populating "externalTxnKeyMap" data in the TAIL component.
29 | PMR#16894,442,000 | deleteParty transaction fails when the input Organization contains an OrganizationName extension.
30 | PMR#50179,211,788 | Fixed code to optimize the deletePartyAddress method in TCRMPartyAddressComponent.
31 | PMR#17767,211,788 | Corrected the error message content of message type 2032 in the CDERRMESSAGETP database table.
32 | PMR#56219,004,000 | Fixed code to resolve the searchPerson issue with an underscore in the ContactMethodReferenceNumber field.
33 | PMR#78264,004,000 | SearchPerson returns incorrect results when the input is a phone number and a Last Name with spaces and the wildcard character. SearchPerson does not work at all for Search by Contact Method when name standardization is excluded.
34 | PMR#71164,019,866 | Fixed code to avoid DWLDuplicateKeyException for TAIL in synchronous mode.
35 | PMR#05878,057,649 | When running the out-of-box transaction 'searchSuspectPartiesWithTaskManagement' on DSUI, the available results count differs from the total number of records returned.
36 | PMR#76132,999,649 | Fixed code to populate CUR_SUSPECT_TP_CD in table SUSPECT for the markPartiesAsSuspect transaction.
37 | PMR#92716,499,000 | Fixed code to solve a transaction timeout exception while loading a code table with a large data volume.
38 | PMR#77359,999,649 | Typo in build_nonStandardized_searchExclRule_by_City.sql and build_Standardized_searchExclRule_by_City.sql.
39 | PMR#77707,999,649 | Fixed code not to send empty TAIL messages to the JMS destination when TAIL is disabled for a transaction.
40 | PMR#84535,211,788 | Fixed code to delete history records of party grouping associations for the deletePartyWithHistory transaction.
41 | PMR#26239,211,788 | Fixed the inquiry SQL statement for the getAllAnswerSet/getAllAnswerSetsByQuestionnaire transaction with the ACTIVE filter.
42 | PMR#78361,999,649 | With standardization enabled, certain last names containing a space or hyphen, such as "Ho Ward" or "Ho-Ward", cannot be found with a standard search when GivenNameOne and LastName are provided.
Copyright and trademark information
http://www.ibm.com/legal/copytrade.shtml
Notices
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION
"AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some jurisdictions do not allow disclaimer of express or implied
warranties in certain transactions, therefore, this statement may not
apply to you.
This information could include technical inaccuracies or typographical
errors. Changes are periodically made to the information herein; these
changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s)
described in this publication at any time without notice.
Microsoft, Windows, and Windows Server are trademarks of Microsoft
Corporation in the United States, other countries, or both.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino,
Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and
Pentium are trademarks or registered trademarks of Intel Corporation or
its subsidiaries in the United States and other countries.
Other company, product, or service names may be trademarks or service
marks of others.
THIRD-PARTY LICENSE TERMS AND CONDITIONS, NOTICES AND INFORMATION
The license agreement for this product refers you to this file for
details concerning terms and conditions applicable to third party
software code included in this product, and for certain notices and
other information IBM must provide to you under its license to certain
software code. The relevant terms and conditions, notices and other
information are provided or referenced below. Please note that any
non-English version of the licenses below is unofficial and is provided
to you for your convenience only. The English version of the licenses
below, provided as part of the English version of this file, is the
official version.
Notwithstanding the terms and conditions of any other agreement you may
have with IBM or any of its related or affiliated entities (collectively
"IBM"), the third party software code identified below are
"Excluded Components" and are subject to the following terms
and conditions: