IBM Tivoli Key Lifecycle Manager Version 1.0 -- Distributed Platforms Interim Fix 1A README

Abstract

Readme documentation for IBM® Tivoli® Key Lifecycle Manager for Distributed Platforms, Version 1.0 Interim Fix 1A including installation-related instructions, prerequisites and corequisites, and list of fixes.

A password security vulnerability exists on Tivoli Key Lifecycle Manager V1. This vulnerability applies to the AIX, Linux, Solaris, and Windows platforms.

Readme file for: IBM® Tivoli® Key Lifecycle Manager for Distributed Platforms
Product/Component Release: 1.0
Update Name: Interim Fix IF1A
Fix ID: 1.0.0-TIV-TKLM-IF1A
Publication date: 3 August 2009
Last modified date: 3 August 2009

Contents
Applicable Platforms
Interim Fix Download Location
Known Issues
Known Limitations

Installation information:
Installing the Tivoli Key Lifecycle Manager Interim Fix
Prior to interim fix installation
Steps for installing interim fix on Windows platforms
Steps for installing interim fix on AIX, Solaris and Linux platforms
Performing the necessary tasks after interim fix installation.
Recovering from a failed interim fix installation

List of fixes
Copyright and trademark information
Document change history

This interim fix is applicable to all distributed platforms which Tivoli Key Lifecycle Manager Supports

Tivoli Key Lifecycle Manager platforms supported
AIX 5.3 64-bit
AIX 6.1 64-bit
Red Hat Enterprise Linux 4 32-bit
Solaris 10 SPARC 64-bit
SuSE Linux Enterprise Server 9 32-bit
SuSE Linux Enterprise Server 10 32-bit
Windows Server 2003 R2 32-bit
Red Hat Enterprise Linux 5 32-bit
Red Hat Enterprise Linux 5 64-bit (32-bit mode application)
Solaris 9 SPARC 64-bit
SuSE Linux Enterprise Server 10 64-bit (32-bit mode application)
Windows Server 2003 64-bit (32-bit mode application).
Windows Server 2008 32-bit.
Windows Server 2008 64-bit (32-bit mode application).

Download location

Download IBM Tivoli Key Lifecycle Manager Version 1.0 Interim Fix 1A from IBM Fix Central:

Go to IBM Fix Central Home Page, http://www.ibm.com/support/fixcentral/
For the Product Group, select "Tivoli"
For the Product, select "IBM Tivoli Key Lifecycle Manager"
For Installed Version, select your system's appropriate version level, ie. 1.0.0 [base] or 1.0.0.1 [fix pack 1]
For Platform, select the appropriate platform.
You will be prompted to "Sign In". If you do not have an ID, click on the "register" link and follow the register steps as appropriate.
At the Identify Fixes page, select the "Browse Fixes - All" (also default) and press "Continue".
A screen will display the select fixes and download method, select "Interim Fix 1.0.0-TIV-TKLM-IF0001A", scroll down and choose your download option and press "Continue".
Select the associated files and README for Interim Fix 1.0.0-TIV-TKLM-IF0001A and select "Download now".

Product/Component Name	Platform	File Name
IBM Tivoli Key Lifecycle Manager version 1.0 Interim Fix 1A - 1.0.0-TIV-TKLM-IF0001A	AIX/Solaris/Linux	1.0.0-TIV-TKLM-IF0001A-UNIX-LINUX.tar.gz
IBM Tivoli Key Lifecycle Manager version 1.0 Interim Fix 1A - 1.0.0-TIV-TKLM-IF0001A	Windows	1.0.0-TIV-TKLM-IF0001A-WINDOWS.zip

Prerequisites and corequisites
There are no prerequisites or corequisites for IBM Tivoli Key Lifecycle Manager version 1.0 interim fix 1A. IBM Tivoli Key Lifecycle Manager version 1.0 interim fix 1A is a standalone interim fix. It only contains the fix to this one issue. It can go on top of IBM Tiivoli Key Lifecycle Manager version 1.0 GA release or IBM Tivoli Key Lifecycle Manager version 1.0 fix pack 1.

Known issues

When installing interim fix 1A on the Windows platform, the following error message appears:

WASX7411W: Ignoring the following provided option: [AdminConfig.save()]
'CWWIM4545I The password is changed for tklmadmin(uid=tklmadmin,o=defaultWIMFileBasedRealm) in the file registry in the
emporary workspace. You must use the "$AdminConfig save" command to save it in the master repository.'
Restart the WebSphere server1, this may take several minutes ...

This error message can be ignored. The interim fix will be performing the AdminConfig.save() and restarting the WebSphere server1 upon completion.

Known limitations

Tivoli Key Lifecycle Manager version 1.0 must be successfully installed prior to the installation of the Tivoli Key Lifecycle Manager interim fix.
After running Tivoli Key Lifecycle Manager interim fix 1A, there will be no version update. It can be run multiple times without causing an issue.

Special characters are not allowed in the password fields. Only alphabetic (A-Z, a-z) or numeric (0-9) characters may be used.

TIPAdmin cannot contain special characters. Prior to running the interim fix, please change the TIPAdmin to not contain special characters and then restore it after running the interim fix. See the Tivoli Key Lifecycle Manager Information Center for instructions on how to change the TIPAdmin password.

A TKLMAdmin password of "null" or "NULL" cannot be specified. When installing interim fix 1A and this password was specified the following error message appears:

ADMF0002E: Required parameter password is not found for command changeFileRegistryAccountPassword.
Exit Code=2. Error: Failed to change tklmadmin's password, the error code from wsadmin is 103.

Please reinstall interim fix 1A and specify a different password.

Installing the Tivoli Key Lifecycle Manager interim fix

Prior to interim fix installation

Logon as Administrator or Root. For Windows, login as Administrator and for Unix systems, login as Root.
Ensure that the Tivoli Key Lifecycle Manager is not being utilized before installing the interim fix. If your facility has a "service maintenance outage" process, consider installing this interim during an arranged service outage.
Make sure to start the Tivoli Key Lifecycle Manager server, if not already started.

Steps for installing interim fix 1A on existing Tivoli Key Lifecycle Manager version 1.0 Windows platforms.

Instruction	Command
Open a command prompt.	Click the Start button, Click Run, type cmd and Click the OK button.
Make a temporary directory. For this example, the directory is called "c:\tklmv1fp".	md c:\tklmv1fp
Change directory to the temporary directory.	cd c:\tklmv1fp
Download the Windows interim fix into the temporary directory.	Link to interim fix download table
Unzip the downloaded file.	unzip 1.0.0-TIV-TKLM-IF0001A-WINDOWS.zip
Start the TKLM server, if necessary	cd TIP_HOME\bin startServer.bat server1
Install and run the interim fix	Enter the command: changeTklmPassword [TIP_USERNAME TIP_PASSWORD TKLMADMIN_PASSWORD] where: TIP_USERNAME is the Tivoli Integrated Portal user name TIP_PASSWORD is the Tivoli Integrated Portal password for TIP_USERNAME TKLMADMIN_PASSWORD is the TKLMAdmin's new password Defaults: The interim fix uses the Windows Tivoli Integrated Portal installation location of: C:\IBM\tivoli\tip. To override the default Tivoli Integrated Portal default installation location, set the environment variable TIP_HOME prior to running. (example: set TIP_HOME=C:\IBM\tip). If the TIP_HOME specified does not exist, then it will try to use the default Windows Tivoli Integrated Portal installation location as specified above. If that does not exist, the user will be prompted to supply the TIP location. Command example: changeTklmPassword.bat tipadmin tipadminpw tklmadminpw >> changeTklmPwd.log
Check error codes for the interim fix installation success	Check the error conditions produced by the interim fix installation. An error code of "0" is a success.

Steps for installing interim fix 1A on existing Tivoli Key Lifecycle Manager version 1.0 AIX, Solaris and Linux platforms.

Instruction	Command
Open a ksh or bash shell.	if your default shell is not ksh or bash, run "exec ksh" or "exec bash".
Make a temporary directory. For this example, the directory is called "/tmp/tklmv1fp".	mkdir /tmp/tklmv1fp
Change directory to the temporary directory.	cd /tmp/tklmv1fp
Download the AIX, Solaris and Linux interim fix into the temporary directory.	Link to interim fix download table.
Untar and gunzip the downloaded file.	gunzip 1.0.0-TIV-TKLM-IF0001A-UNIX-LINUX.tar.gz tar -xvf 1.0.0-TIV-TKLM-IF0001A-UNIX-LINUX.tar
Start the TKLM server, if necessary	cd TIP_HOME/bin ./startServer.sh server1
Install and run the interim fix.	./changeTklmPassword.sh [ TIP_USERNAME] where: TIP_USERNAME is the Tivoli Integrated Portal user name Defaults: The interim fix uses the AIX, Solaris and Linux Tivoli Integrated Portal installation default location of: /opt/IBM/tivoli/tip. To override the default Tivoli Integrated Portal installation location, set the environment variable TIP_HOME prior to running. (example: export TIP_HOME=/opt/tip). If the TIP_HOME specified does not exist, then it will try to use the default AIX, Solaris and Linux Tivoli Integrated Portal installation location as specified above. If that does not exist, the user will be prompted to supply the TIP location. Command example: ./changeTklmPassword.sh tipadmin \| tee -a changeTklmPwd.log 2>&1
Check error codes for the interim fix installation success	Check the error conditions produced by the interim fix installer. An error code of "0" is a success.

Performing the necessary tasks after the interim fix installation.

Verify Installation -

After the interim fix is installed, verify that you can log in as the TKLM Administrator using the new password.

Recovering from a failed interim fix installation

In the event that the interim fix installation fails, or you are unable to log in with the TKLM Administrator using the new password, restore the Tivoli Integrated Portal registry file from the backup taken by the interim fix installation. Make sure to stop the Tivoli Key Lifecycle Manager server, if not already stopped, prior to restoring the Tivoli Integrated Portal registry file and then starting the Tivoli Key Lifecycle Manager server, upon restoring the registry file.

Steps for restoring the Tivoli Integrated Portal registry on the Windows platforms.

Instruction	Command
Open a command prompt.	Click the Start button, Click Run, type cmd and Click the OK button.
Stop the TKLM server, if not already stopped.	cd TIP_HOME\bin stopServer.bat server1
Change to the temporary backup directory which was created by this interim fix	cd c:\TIP_HOME\temp
Restore the Tivoli Integrated Portal registry file from the backup directory.	copy /y fileRegistry.xml %TIP_HOME%\profiles\TIPProfile\config\cells\TIPCell
Start the TKLM server	cd TIP_HOME\bin startServer.bat server1

Steps for restoring the Tivoli Integrated Portal registry on AIX, Solaris and Linux platforms.

Instruction	Command
Open a ksh or bash shell.	if your default shell is not ksh or bash, run "exec ksh" or "exec bash".
Stop the TKLM server, if not already stopped.	cd TIP_HOME/bin ./stopServer.sh server1
Change to the temporary backup directory which was created by this interim fix	cd $TIP_HOME/temp
Restore the Tivoli Integrated Portal registry file from the backup directory	cp -f fileRegistry.xml $TIP_HOME/profiles/TIPProfile/config/cells/TIPCell
Start the TKLM server,	cd TIP_HOME/bin ./startServer.sh server1

Interim fix installation error conditions

Exit Code	Description	Possible Causes, Recovery Actions and Log Locations
-1	User is not "root" user	AIX, Solaris and Linux: execute the interim fix as the "root" user.
1	passwords do not match	When prompted to reenter the password for verification, a different password was entered. Please try again.
2	Failed to change tklmadmin's password	See the error code from wsadmin is <code from wsadmin>. If the error code is: 103 - the TKLM server was not started, the wrong password was provided for <tip_admin>, an invalid TIP user name was specified, or a password of "null" or "NULL" was specified as the new TKLMAdmin password.
3	TIP_HOME environment variable not found or contents of TIP_HOME environment variable incorrect	AIX, Solaris and Linux: Check if the $TIP_HOME environment variable is valid. Ensure that the $TIP_HOME variable points to the directory where Tivoli Integrated Portal is installed when Tivoli Key Lifecycle Manager is deployed. Windows: Check if the %TIP_HOME% environment variable is valid. Ensure that the %TIP_HOME% variable points to the directory where Tivoli Integrated Portal is installed when Tivoli Key Lifecycle Manager is deployed.
4	Failed to stop WAS server1	The error code from stopServer is <code from stopServer>. Note: Check TIP_HOME/profiles/TIPProfile/logs/server1/stopServer.log for the failure.
5	Failed to start WAS server1.	The error code from startServer is <code from startServer>. Note: Check TIP_HOME/profiles/TIPProfile/logs/server1/startServer.log for the failure.
6	Password cannot be empty	Please correct the password and try again.
7	Password contained a space	Password contained a space. Please correct the password and try again.
8	TIP_HOME does not point to a valid TIP installation	The Tivoli Integrated Portal registry file is missing from the TIP installation. AIX, Solaris and Linux: Check if the $TIP_HOME environment variable is valid. Ensure that the $TIP_HOME variable points to the directory where Tivoli Integrated Portal is installed when Tivoli Key Lifecycle Manager is deployed. Windows: Check if the %TIP_HOME% environment variable is valid. Ensure that the %TIP_HOME% variable points to the directory where Tivoli Integrated Portal is installed when Tivoli Key Lifecycle Manager is deployed.

List of fixes

**APAR fixes included in Interim Fix 1A**
APAR No.	Sev.	Abstract
IZ56515	1	A password security vulnerability exists on Tivoli Key Lifecycle Manager V1. This vulnerability applies to the AIX, Linux, Solaris, and Windows platforms.

Copyright and trademark information

http://www.ibm.com/legal/copytrade.shtml

Notices

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Microsoft, Windows, and Windows Server are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.

THIRD-PARTY LICENSE TERMS AND CONDITIONS, NOTICES AND INFORMATION

The license agreement for this product refers you to this file for details concerning terms and conditions applicable to third party software code included in this product, and for certain notices and other information IBM must provide to you under its license to certain software code. The relevant terms and conditions, notices and other information are provided or referenced below. Please note that any non-English version of the licenses below is unofficial and is provided to you for your convenience only. The English version of the licenses below, provided as part of the English version of this file, is the official version.

Notwithstanding the terms and conditions of any other agreement you may have with IBM or any of its related or affiliated entities (collectively "IBM"), the third party software code identified below are "Excluded Components" and are subject to the following terms and conditions:

the Excluded Components are provided on an "AS IS" basis
IBM DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES AND CONDITIONS WITH RESPECT TO THE EXCLUDED COMPONENTS, INCLUDING, BUT NOT LIMITED TO, THE WARRANTY OF NON-INFRINGEMENT OR INTERFERENCE AND THE IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
IBM will not be liable to you or indemnify you for any claims related to the Excluded Components
IBM will not be liable for any direct, indirect, incidental, special, exemplary, punitive or consequential damages with respect to the Excluded Components.

Document change history

Change Date	Reason	Modified by
27 July 2009	Create initial 1.0.0-TIV-TKLM-IF0001A	ajt
3 Aug 2009	Tivoli Key Lifecycle Manager version 1.0 Interim Fix 1A (1.0.0-TIV-TKLM-IF0001A) README finalized.	ajt

End of Document