README

IBM Tivoli Security Operations Manager(TM) Version 4.1.1 Fix Pack 010
for IBM AIX, Solaris Operating Environments, Red Hat Linux ES and
Windows Server 2003

© Copyright International Business Machines Corporation 2009.
All rights reserved.

Contents

1.0 About this release
    1.1 Supported products and components by platform
    1.2 PTF and VRMF information
2.0 Installation and configuration
    2.1 Supported languages for Tivoli Security Operations Manager available from the FTP site
    2.2 Prerequisites
    2.3 Before installation
    2.4 Installing Tivoli Security Operations Manager 4.1.1 Fix Pack 010
    2.5 After installation
    2.6 Uninstalling / rollback
3.0 Documentation updates
    3.1 New handling of the Check Point conduit
    3.2 Cleanup of the event_data table causing application downtime in Oracle
    3.3 Logging level can be changed dynamically (since 4.1.1-TIV-TSOM-FP007)
    3.4 Password encryption
    3.5 New Device Rules installation tool
    3.6 Additional indexes for historical data searches in DB2
    3.7 Changing TSOM encryption ciphers
    3.8 New config file for device rules
    3.9 New configuration parameters
4.0 Resolved problems
5.0 Contacting customer support
6.0 Notices and trademarks

1.0 About this release

Set the font to monospace to better view this file.

This readme is intended for Tivoli Security Operations Manager (TSOM) administrators who plan to install Tivoli Security Operations Manager 4.1.1 Fix Pack 010. It contains platform-specific information about the latest changes, known problems and workarounds for TSOM.

This readme covers TSOM 4.1.1 Fix Pack 010 on all UNIX(R) operating systems supported by Tivoli Security Operations Manager, and on Windows. Information specific to a single supported operating system is given in its own section; unless otherwise specified, the instructions apply to all supported UNIX operating systems.
1.1 Supported products and components by platform

This readme covers the following products and components on each operating system:

IBM AIX
Product list:
   * Tivoli Security Operations Manager Central Management System (CMS) Version 4.1.1 Fix Pack 010
   * Tivoli Security Operations Manager Event Aggregation Module (EAM) Version 4.1.1 Fix Pack 010

Linux(TM) (RedHat(R)) 32-bit
Product list:
   * Tivoli Security Operations Manager Central Management System (CMS) Version 4.1.1 Fix Pack 010
   * Tivoli Security Operations Manager Event Aggregation Module (EAM) Version 4.1.1 Fix Pack 010

Solaris(R) Operating Environments (32-bit)
Product list:
   * Tivoli Security Operations Manager Central Management System (CMS) Version 4.1.1 Fix Pack 010
   * Tivoli Security Operations Manager Event Aggregation Module (EAM) Version 4.1.1 Fix Pack 010

Windows(TM) Server 2003 Enterprise Edition R2 SP2 (64-bit)
Product list:
   * Tivoli Security Operations Manager Central Management System (CMS) Version 4.1.1 Fix Pack 010
   * Tivoli Security Operations Manager Event Aggregation Module (EAM) Version 4.1.1 Fix Pack 010

1.2 PTF and VRMF information

+-----------------------+---------------------------------------+------------------+
| Operating system      | PTF                                   | VRMF             |
+-----------------------+---------------------------------------+------------------+
| AIX 5L                | 4.1.1-TIV-TSOM-AIXPPC32-FP010.bin     | 4.1.1-FP010      |
+-----------------------+---------------------------------------+------------------+
| Solaris Operating     | 4.1.1-TIV-TSOM-SolarisSparc-FP010.bin | 4.1.1-FP010      |
| Environment           |                                       |                  |
+-----------------------+---------------------------------------+------------------+
| Linux (RedHat)        | 4.1.1-TIV-TSOM-LinuxIA32-FP010.bin    | 4.1.1-FP010      |
+-----------------------+---------------------------------------+------------------+
| Windows (Server 2003) | 4.1.1-TIV-TSOM-WinX64-FP010.exe       | 4.1.1-FP010      |
+-----------------------+---------------------------------------+------------------+

2.0 Installation and configuration

The package names for each operating system are:

+-----------------------------+---------------------------------------+
| AIX                         | 4.1.1-TIV-TSOM-AIXPPC32-FP010.bin     |
+-----------------------------+---------------------------------------+
| Linux (RedHat)              | 4.1.1-TIV-TSOM-LinuxIA32-FP010.bin    |
+-----------------------------+---------------------------------------+
| Solaris Operating           | 4.1.1-TIV-TSOM-SolarisSparc-FP010.bin |
| Environment (32-bit)        |                                       |
+-----------------------------+---------------------------------------+
| Windows Operating           | 4.1.1-TIV-TSOM-WinX64-FP010.exe       |
| Environment (64-bit)        |                                       |
+-----------------------------+---------------------------------------+

The packages are self-extracting executables.

2.1 Supported languages for Tivoli Security Operations Manager available from the FTP site

The following table lists the supported languages available from the FTP site:

+-----------------------------+---------------------------+
| Operating system            | Central Management System |
+-----------------------------+---------------------------+
| AIX                         | English only              |
+-----------------------------+---------------------------+
| RedHat Linux Intel (32-bit) | English only              |
+-----------------------------+---------------------------+
| Solaris Operating System    | English only              |
+-----------------------------+---------------------------+
| Windows Operating System    | English only              |
| (64-bit)                    |                           |
+-----------------------------+---------------------------+

2.2 Prerequisites

* You must have a supported operating system installed. The supported operating systems are:
   - AIX 5L Version 5.3 (5.3.x)
   - Solaris Version 10 (10.x)
   - RedHat Version 5 (5.x)
   - Microsoft Windows Server 2003 Enterprise Edition R2 SP2 (64-bit)

* You must have a supported database installed, with a schema and user created and available.
  The supported databases are:
   - IBM DB2 Enterprise 9 (9.x)
   - Oracle 10g (10.2.x)

* This Fix Pack must be installed on the Central Management System (CMS) and on all Event Aggregation Modules (EAMs).

* Ensure that you have read the entire contents of this readme.

* This Fix Pack can be installed on systems running any of the following:
   - Tivoli Security Operations Manager 4.1.1 GA release
   - Tivoli Security Operations Manager 4.1.1 Interim Fix 001
   - Tivoli Security Operations Manager 4.1.1 Interim Fix 002
   - Tivoli Security Operations Manager 4.1.1 Interim Fix 003
   - Tivoli Security Operations Manager 4.1.1 Fix Pack 004
   - Tivoli Security Operations Manager 4.1.1 Interim Fix 006
   - Tivoli Security Operations Manager 4.1.1 Interim Fix 007
   - Tivoli Security Operations Manager 4.1.1 Fix Pack 008
   - Tivoli Security Operations Manager 4.1.1 LA Fix Pack 009

2.3 Before installation

* You must install this Fix Pack using the same method that you used to install the product initially:
   - If you installed Tivoli Security Operations Manager 4.1.1 with the X Windows (graphical) installer, use the X Windows installer for this Fix Pack.
   - If you installed Tivoli Security Operations Manager with the console installer, use the console installer for this Fix Pack.

2.4 Installing Tivoli Security Operations Manager 4.1.1 Fix Pack 010: Procedure

To install Tivoli Security Operations Manager Fix Pack 010:

1. Log in to the server hosting the Tivoli Security Operations Manager component as the root user or as a user that has privileges to sudo to root; on Windows, log in as the same user that originally installed Tivoli Security Operations Manager.

2. STOP all TSOM components, preferably in the following order: GUI client(s), CMS, EAM(s), UCM(s).

   *WARNING*: GUI clients left running during a CMS upgrade will reconnect, but they will NOT download the upgraded client-side code. The resulting code mismatch between client and server can yield unexpected results.
   To avoid this, close all GUI clients before upgrading a CMS. To find all open GUI clients, run netstat on the CMS and look for any IP addresses connected to it on port tcp/9997.

   To stop or start TSOM on UNIX/Linux:

      ./bin/tsom_server.sh stop | start
      ./bin/tsom_tomcat.sh stop | start

   On Windows, stop or start the relevant service.

3. Change to the directory where you downloaded the self-extracting binary.

4. Run the self-extracting binary (add -i console for a text-based install):

   On UNIX/Linux, if you have X Windows installed:

      ./4.1.1-TIV-TSOM-<platform>-FP010.bin

   If you do not have X Windows installed:

      ./4.1.1-TIV-TSOM-<platform>-FP010.bin -i console

   where <platform> is the platform identifier in the package name for the server's operating system (AIXPPC32, LinuxIA32 or SolarisSparc). The InstallAnywhere installer launches.

   On Windows: in Windows Explorer, locate the downloaded file 4.1.1-TIV-TSOM-WinX64-FP010.exe and double-click it.

5. On the Locale screen, select the locale in which the install utility will run and click OK.

6. On the Introduction screen, click Next.

7. Review the installation on the Pre-Installation Summary screen and click Install.

8. When the installation has completed, click Done on the Install Complete screen.

General reminder: the Fix Pack installer does not upgrade Device Rules. To resolve all APARs mentioned in this document, install the TSOM 4.1/4.1.1 Device Rules Update Package 2010/03 or newer (see section 3.5 for the new Device Rules installer).

2.5 After installation

* Ensure the installed components are running by logging in to the UI as the admin user (username: admin, password: password) at:

      https://<CMS_IP>:8443

  where <CMS_IP> is the IP address of the server hosting the CMS. If the admin account still carries this default password, change it before users are given access to the system.

*** Important Note ***

This Fix Pack includes an updated UCM that runs as a service on Windows. After installing the fix, the UCM file to install on a Windows system is <install_dir>/misc/install_ucm.exe. This file can also be obtained from the Downloads link on the TSOM Portal at:

      https://<CMS_IP>:8443
   or
      http://<CMS_IP>:8080

where <CMS_IP> is the IP address of the server hosting the CMS.
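The check in step 2 above (no GUI client still connected to the CMS on tcp/9997 before the CMS is stopped) can be scripted. The following POSIX shell script is an added example written for this readme, not a script shipped with TSOM; it parses "netstat -an" output, so it works with both the "addr:port" form (Linux, Windows) and the "addr.port" form (AIX, Solaris). The sample netstat lines at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Pre-upgrade check for step 2: list GUI clients still connected to the CMS on
# tcp/9997, using "netstat -an" output read from standard input.
# Handles both "addr:port" (Linux, Windows) and "addr.port" (AIX, Solaris) forms.

CMS_PORT=${CMS_PORT:-9997}

# Print the unique remote IP addresses that hold an ESTABLISHED connection to the
# CMS port. Listeners and half-closed entries (TIME_WAIT etc.) are ignored.
gui_clients() {
    awk -v port="$CMS_PORT" '
        /ESTABLISHED/ {
            for (i = 1; i < NF; i++) {
                # the local endpoint ends in the CMS port; the remote endpoint follows it
                if ($i ~ ("[.:]" port "$") && $(i + 1) ~ /[0-9][.:][0-9]+$/) {
                    remote = $(i + 1)
                    sub(/[.:][0-9]+$/, "", remote)   # strip the client-side port
                    print remote
                    break
                }
            }
        }' | sort -u
}

# Exit status 0 when no GUI client is connected, 1 otherwise (offenders on stderr).
check_no_gui_clients() {
    clients=$(gui_clients)
    if [ -n "$clients" ]; then
        echo "GUI clients still connected to the CMS on tcp/$CMS_PORT:" >&2
        echo "$clients" >&2
        return 1
    fi
    return 0
}

# Constructed sample, not real netstat output: a Linux-style and an AIX/Solaris-style
# established client, plus a listener, a TIME_WAIT entry and an unrelated port.
SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:9997           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:9997           10.0.0.77:51234         ESTABLISHED
tcp4       0      0 10.0.0.5.9997           10.0.0.78.40112         ESTABLISHED
tcp        0      0 10.0.0.5:9997           10.0.0.79:51900         TIME_WAIT
tcp        0      0 10.0.0.5:8443           10.0.0.80:51901         ESTABLISHED'

# Real use on the CMS host, before stopping the CMS:
#     netstat -an | check_no_gui_clients || echo "close the GUI clients first"
# Demo against the constructed sample (prints 10.0.0.77 and 10.0.0.78):
demo_clients() {
    printf '%s\n' "$SAMPLE_NETSTAT" | gui_clients
}
```

Run it on the CMS as "netstat -an | check_no_gui_clients" and only proceed with "tsom_server.sh stop" when it returns 0; CMS_PORT can be overridden if the CMS listens on a non-default port.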
Known issue: the default configuration does not include the library ITSOM_LogParser.dll in the Java library path. There are two ways to put ITSOM_LogParser.dll on the Java library path (assuming the default install directory C:\Program Files\IBM\TSOM):

1) Copy ITSOM_LogParser.dll from C:\Program Files\IBM\TSOM\lib\ to C:\Program Files\IBM\TSOM\. For example:

      cd C:\Program Files\IBM\TSOM\
      copy lib\ITSOM_LogParser.dll ITSOM_LogParser.dll

2) Edit C:\Program Files\IBM\TSOM\UCM.iax and add this block of text:

      # LAX.NL.JAVA.OPTION.ADDITIONAL
      # -----------------------------
      # -Dargument=value args to JAVA
      lax.nl.java.option.additional= -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv6Addresses=false -Djava.library.path=lib

General reminder: the UCM also needs Microsoft's Log Parser installed. This free tool from Microsoft is used to read the Windows Event Log safely.

2.6 Uninstall

*** Warning *** Uninstalling a cumulative fix such as this one uninstalls the complete product.

1. Log in to the server hosting the Tivoli Security Operations Manager component as the root user or as a user that has privileges to sudo to root.

2. Change to the directory <install_dir>/Uninstall_Tivoli Security Operations Manager, where <install_dir> is the directory where you installed Tivoli Security Operations Manager.

3. Run the uninstaller (add -i console for a text-based uninstall):

   If you have X Windows installed:

      ./Uninstall_Tivoli_Security_Operations_Manager

   If you do not have X Windows installed:

      ./Uninstall_Tivoli_Security_Operations_Manager -i console

   The InstallAnywhere uninstaller launches.

4. On the Summary screen, click Uninstall.

5. When the uninstallation has completed, click Done on the Uninstall Complete screen.
3.0 Documentation updates

3.1 New handling of the Check Point conduit

Starting with 4.1.1-TIV-TSOM-FP004, the native Check Point conduit runs as a separate service on all supported platforms.

On Solaris and Linux: on each EAM server that collects data through the Check Point conduit you must start the tsom_leads.sh service:

      ./bin/tsom_leads.sh start

The service stops automatically when the EAM process stops.

On Windows: a new service, TSOMLEADS, is created when an EAM is installed on Windows. You can stop it manually if the EAM does not use the Check Point conduit.

3.2 Cleanup of the event_data table causing application downtime in Oracle

On Oracle, the EVENT_DATA table is cleaned up efficiently by dropping partitions. For this to work, every index on the table must itself be partitioned by NORMALIZATION_TIME. The other indexes already were, but EVENT_DATA_ID is the table's primary key, and the implicit index that enforces it is not partitioned. After a DROP PARTITION that index becomes unusable and must be rebuilt manually, which takes approximately 3 to 4 hours; the CMS is unavailable for the whole rebuild.

This was resolved with two schema-change SQL statements:

1. Drop the primary key constraint together with its index:

      ALTER TABLE EVENT_DATA DROP PRIMARY KEY DROP INDEX

2. Replace it with a unique constraint on (EVENT_DATA_ID, NORMALIZATION_TIME). Because the key now includes the partitioning column, the index that enforces it can be partitioned by NORMALIZATION_TIME:

      ALTER TABLE EVENT_DATA ADD CONSTRAINT UNIQ_EVTDATA_NORMTIME UNIQUE (Event_data_id, Normalization_time)

Note that after this change the database enforces uniqueness of the (EVENT_DATA_ID, NORMALIZATION_TIME) pair, no longer of EVENT_DATA_ID on its own. The two statements can be provided to customers on Oracle on a need basis if they encounter the same problem.

3.3 Logging level can be changed dynamically

Starting with 4.1.1-TIV-TSOM-FP007 the logging level can be changed dynamically. See:

      http://www-01.ibm.com/support/docview.wss?rs=3125&context=SSGNRH&q1=log4j&uid=swg21404702&loc=en_US&cs=utf-8&lang=en

3.4 Password encryption

DB PASSWORDS

Problem: passwords in the configuration files were stored in clear text, neither hashed nor encrypted.
This was resolved by providing a tool that encrypts existing clear-text passwords. The encryption tool runs in one of three modes: cms, vuln and migration.

Syntax:

      ./bin/encrypt.sh -c cms|vuln|migration

In cms mode the passwords in the following files are deleted or encrypted:
   - conf/db/repository_database.xml
   - tomcat/webapps/TSOM-Reports/WEB-INF/classes/conf/db/repository_database.xml
   - Tivoli_Security_Operations_Manager_InstallLog.xml
   - Uninstall_Tivoli Security Operations Manager/installvariables.properties
   - maint/*/installvariables.properties

In vuln mode the passwords in conf/scanner.conf are encrypted.

In migration mode the passwords in conf/Migration/migration.xml are encrypted.

TOMCAT

To encrypt the password in the Tomcat configuration file tomcat/conf/server.xml, use the tool dedicated to it, bin/encrypt_tomcat_pass.sh:

      ./bin/encrypt_tomcat_pass.sh DBPassword

The encrypted password it generates must be placed in the server.xml file under <install_dir>/tomcat. Procedure:

1) Run the encryption tool as above.

2) In tomcat/conf/server.xml:
   - replace the clear-text password with the encrypted one;
   - if the "digest" attribute is not already present on that element, add it with the value "md5". Tomcat then works with digested password values instead of clear text. (MD5 is the digest this release supports; it is an improvement over clear text, not a modern password hash.)

3) Restart Tomcat.

UCM

The encryption tool for the UCM has a single mode:

      ./encrypt.sh

or on Windows:

      encrypt.bat

All passwords in the ucm.cfg file are encrypted; comment lines in ucm.cfg are ignored. The tool can be run again whenever new passwords are added to ucm.cfg.

3.5 New Device Rules installation tool

Fix Pack 010 introduces a new installer for Device Rules packages that replaces the bin/dev_support.sh script.
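After running "bin/encrypt.sh -c cms" (section 3.4 above), the practical check is that the old clear-text database password is gone from every file the tool is supposed to rewrite. The following POSIX shell script is an added example for this readme, not a tool shipped with TSOM; it takes the file list from section 3.4, searches each file for the password as a literal string, and fails if any still contains it. The install path in the usage comment and the directory layout built by demo() are constructed for illustration.

```shell
#!/bin/sh
# Post-run check for "bin/encrypt.sh -c cms": confirm that the clear-text database
# password no longer appears in the files the tool deletes or encrypts.
# Usage on a CMS:  verify_no_cleartext "$OLD_DB_PASSWORD" /opt/IBM/TSOM
# (/opt/IBM/TSOM is an assumed path; use your own <install_dir>).

# The files rewritten in cms mode, relative to the install directory.
cms_password_files() {
    home=$1
    echo "$home/conf/db/repository_database.xml"
    echo "$home/tomcat/webapps/TSOM-Reports/WEB-INF/classes/conf/db/repository_database.xml"
    echo "$home/Tivoli_Security_Operations_Manager_InstallLog.xml"
    echo "$home/Uninstall_Tivoli Security Operations Manager/installvariables.properties"
    for f in "$home"/maint/*/installvariables.properties; do
        if [ -e "$f" ]; then echo "$f"; fi
    done
}

# Search every existing file in the list for SECRET as a literal string
# (grep -F, so regex metacharacters in the password cannot alter the match).
# Prints the offending files; returns 0 when none is found, 1 otherwise.
verify_no_cleartext() {
    secret=$1
    hits=$(cms_password_files "$2" | while IFS= read -r f; do
        [ -f "$f" ] || continue
        if grep -q -F -e "$secret" -- "$f"; then echo "$f"; fi
    done)
    if [ -n "$hits" ]; then
        echo "clear-text password still present in:"
        echo "$hits"
        return 1
    fi
    echo "no clear-text password left in cms-mode files"
    return 0
}

# Demo on a constructed directory layout (not a real TSOM installation): one file
# still holds the password, the other only a placeholder value. Returns 0 when the
# check flags the leftover and then passes once it has been replaced.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/conf/db" "$tmp/maint/FP010"
    printf '<database password="Tsom!Pass1" />\n' > "$tmp/conf/db/repository_database.xml"
    printf 'DB_PASSWORD=encrypted-value-placeholder\n' > "$tmp/maint/FP010/installvariables.properties"
    if verify_no_cleartext 'Tsom!Pass1' "$tmp" >/dev/null; then
        rm -rf "$tmp"; return 1           # the leftover should have been flagged
    fi
    printf '<database password="encrypted-value-placeholder" />\n' > "$tmp/conf/db/repository_database.xml"
    if verify_no_cleartext 'Tsom!Pass1' "$tmp" >/dev/null; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}
```

The check only tells you the literal password string is absent; it does not validate the encrypted values, so still restart the CMS and confirm it connects to the database. Pass the password as a quoted argument so the shell does not expand characters in it.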
The new installer installs, uninstalls and displays the installation history of Device Rules packages for both the Central Management System (CMS) and the Event Aggregation Module (EAM) on all Windows and UNIX platforms supported by TSOM components. It works with existing Device Rules packages and will work with future ones.

Starting from Fix Pack 010, the most recent Device Rules package is provided, but not installed, as part of a Fix Pack installation, in the 'devicerules_repository' sub-directory of the TSOM installation directory. The installer knows this default location and uses it when no explicit path to a Device Rules package is given. Customers are encouraged to store manually downloaded Device Rules packages in the 'devicerules_repository' sub-directory of the TSOM installation directory.

The following examples show how to use the new installer. Run all commands from the TSOM installation directory.

a) To display information about how to invoke the installer:

   For UNIX systems:
      ./bin/devicerules_install.sh help
   For Windows:
      bin\devicerules_install.bat help

b) To install the most recent Device Rules package stored in 'devicerules_repository':

   For UNIX systems:
      ./bin/devicerules_install.sh install
   For Windows:
      bin\devicerules_install.bat install

c) To install a Device Rules package from an arbitrary location:

   For UNIX systems:
      ./bin/devicerules_install.sh install -file "/home/DeviceRules-20100326.jar"
   For Windows:
      bin\devicerules_install.bat install -file "c:\Program Files\DeviceRules-20100326.jar"

d) To display the installation history and the version of the most recently installed Device Rules package:

   For UNIX systems:
      ./bin/devicerules_install.sh version
   For Windows:
      bin\devicerules_install.bat version

Note: the installer's 'version' command does not list Device Rules packages that were installed manually, or that were installed incorrectly when using
the dev_support.sh script.

3.6 Additional indexes for historical data searches in DB2

To improve historical data searches on a DB2 database holding a large amount of data, add the following indexes on EVENT_DATA_SECURITY_DOMAIN_MAP and EVENT_DATA.

1. Shut down TSOM and the DB2 instance.

2. Start DB2 and log in as the owner of the TSOM database.

3. Connect to the TSOM database (e.g. db2 connect to tsom).

4. Execute the following statements (e.g. db2 -tf <file>). The statements below assume that the schema DB2INST1 was used:

      CREATE INDEX DB2INST1.EDSDM_NORM
         ON DB2INST1.EVENT_DATA_SECURITY_DOMAIN_MAP
            ("NORMALIZATION_TIME" ASC, "SECURITY_DOMAIN_ID_FK" ASC, "EVENT_DATA_ID_FK" ASC)
         ALLOW REVERSE SCANS ;
      COMMIT WORK ;
      RUNSTATS ON TABLE DB2INST1.EVENT_DATA_SECURITY_DOMAIN_MAP
         FOR INDEX DB2INST1.EDSDM_NORM ;
      COMMIT WORK ;
      CREATE INDEX DB2INST1.ED_NORM
         ON DB2INST1.EVENT_DATA ("NORMALIZATION_TIME" ASC, "EVENT_DATA_ID" ASC)
         ALLOW REVERSE SCANS ;
      COMMIT WORK ;
      RUNSTATS ON TABLE DB2INST1.EVENT_DATA
         FOR INDEX DB2INST1.ED_NORM ;
      COMMIT WORK ;

5. Start all TSOM services.

Because the whole procedure can take hours (depending on the amount of data and the hardware), schedule it for a maintenance window.

3.7 Changing TSOM encryption ciphers

To change the cipher suites used by TSOM, add to GenericStageStarter.config on the CMS, inside the Configuration element, an additional section that lists the suites to allow. The suite names are standard JSSE names; the original sample lists these:

      SSL_RSA_WITH_DES_CBC_SHA
      SSL_RSA_FIPS_WITH_DES_CBC_SHA
      SSL_RSA_WITH_3DES_EDE_CBC_SHA
      SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA

(The XML elements that wrap this list are not reproduced in this copy.) These four names only illustrate the format: single-DES and export-grade DES40 suites are weak and should not be enabled in practice; configure the strongest suites your JRE supports. Restart the CMS after the change.

To see which cipher suite TSOM actually negotiates, add "-Djavax.net.debug=all" to the Java parameters. For the complete list of available cipher suites, see the Java Secure Socket Extension (JSSE) documentation.

3.8 New config file for device rules

TSOM 4.1.1 Fix Pack 010 adds a configuration file that specifies the detection/execution order of Java rules, makes it easy to enable or disable individual rules, and optionally passes initialization parameters to them.
For that initialization, starting from TSOM 4.1.1 FP010 the ARulesFile API has been extended with a public void init(String parameterStr) method, which is called right after the rule is instantiated (that is, every time the conduit is restarted or reinitialized). On EAM startup, the rules and rules/system directories are searched for a rules.conf file. If no such file is found, all *.java files in the directory are used (backward compatibility). TSOM 4.1.1 FP010 is required for this config file support. For details, see the rules.conf files in the respective conduit directories.

3.9 New configuration parameters

Starting from TSOM 4.1.1 Fix Pack 010 there are a few new configuration parameters. All of them are changed by updating the TSOM_CONFIGURATION table and restarting the system.

EVENT_TYPE_PAGINATION_FLAG - Flag that turns on event type pagination.

EVENT_TYPE_PAGINATION_BATCH_LIMIT - Event type pagination batch limit.

Both parameters are intended for environments with a very large number of event types (e.g. more than 200,000). Event type pagination is disabled by default.

DEVICE_RULES_FALLBACK_IP_ADDRESS - Fallback IP address used when the real address does not exist, is not defined or is invalid. The default is 0.0.0.0; it can be switched to any other address that is not real in the current installation.

4.0 Resolved problems

Problems fixed by 4.1.1-TIV-TSOM-FP010

APAR IZ73534 NO WAY TO KNOW IF DEVICE SUPPORT PACKAGE HAS BEEN UPDATED PROPERLY

APAR IZ60799 MAPPING REQUESTED FOR BLUECOAT, AND 0.0.0.0 IP ADDRESSED WITH THE MOST LIKELY TO INVESTIGATE AN ORIGIN.

APAR IZ71314 NEW INDEXES PROPOSED TO IMPROVE HISTORICAL SEARCH PERFORMANCE ON TSOM DATABASES WITH LARGE AMOUNTS OF EVENT DATA.
APAR IZ68504 REPORTS CONSOLE STOPS WORKING AFTER INSTALLING FIX PACK

APAR IZ70115 WHEN SCHEDULING REPORTS TO RUN PERIODICALLY EVERY DAY, BEGIN AND END DATE FOR EACH EXECUTION IS CALCULATED INCORRECTLY

APAR IZ70766 (devices) SAP 7 EVENTS ARE NOT PARSED BY TSOM

APAR IZ70403 KB ARTICLES NOT ASSOCIATED TO EVENT CLASSES AND TYPE

APAR IZ70880 MODIFY EXISTING DEVICE RULES PARSING CODE FOR SECURIFY EVENTS

APAR IZ72465 CUSTOMER WANTS TO CUSTOMIZE THE ENCRYPTION BETWEEN EAM AND CMS, AND HAS REQUESTED A HOW-TO DOCUMENT

APAR IZ72673 UCM NOT GETTING INSTALLED ON WINDOWS 2003 SERVER WITH SUN JAVA 6

APAR IZ72979 ISSUE WITH EVENT CLASS RULE DERAILS THE EVENT CLASSIFICATION

APAR IZ53255 SUPPORT FOR ISS PROVENTIA M SERIES THROUGH SNMP

APAR IZ61671 TOP SOURCES/TOP DESTINATION VIEW MAY NOT WORK PROPERLY

APAR IZ66580 CMS STOPS PROCESSING EVENTS

APAR IZ65973 ARBOR PEAKFLOW SP EVENTS SHOW UP AS X.

APAR IZ69816 (devices) SSHD EVENTS ARE NOT GETTING PARSED PROPERLY

APAR IZ70322 IF TICKETS ARE SORTED BY TIME IN DESCENDING ORDER, NEWLY CREATED TICKETS ARE INSERTED AT THE BOTTOM OF THE LIST, NOT THE TOP.

APAR IZ68797 FORMAT CLIENT USED IS NOT WORKING FOR BLUECOAT PROXY

APAR IZ49799 (FIN) TSOM 3.X CHECKPOINT CONDUIT CORE DUMP
   This problem has been rectified in TSOM 4.1.1; the APAR closes without a code change in the 3.1 release.

APAR IZ50743 (UR3) TSOM PROCESSES NEED TO RUN AS A NON-PRIVILEGED USER
   This will be addressed in a future release of TSOM; the APAR closes without a code change in the 4.1.1 release. Until then, TSOM processes continue to run with the privileges of the user that started them.

APAR IZ67305 (devices) TSOM NOT CORRECTLY PARSING CERTAIN EVENTS FROM PIX/ASA

APAR IZ67584 (doc) HOW TO UPGRADE TO LATEST VERSION OF TOMCAT FOR TSOM 4.1.1
   http://www-01.ibm.com/support/docview.wss?rs=3125&context=SSGNRH&uid=swg21416941&loc=en_US&cs=UTF-8&lang=en

APAR IZ68019 (doc) FAIL-SAFE FOR REMOTE AUTHENTICATION FAILURE NOT DOCUMENTED. CUSTOMER IS UNAWARE OF HOW TO RECOVER FROM LDAP FAILURE.
   http://www-01.ibm.com/support/docview.wss?rs=3125&context=SSGNRH&uid=swg21417142&loc=en_US&cs=utf-8&lang=en

APAR IZ67486 ORDER IN WHICH THE DATA IS DISPLAYED FOR "TOP N EVENTS FOR EVENT CLASS" WITH DB2 AS BACK-END DATABASE IS NOT CORRECT.

APAR IZ67484 (devices) WINDOWS EVENTS THROUGH SNMP DO NOT HAVE SOURCE/DESTINATION IP ADDRESS PARSED.

APAR IZ67330 (devices) MCAFEE EPO 4 EVENTS DO NOT HAVE PROPER EVENT TYPE.

APAR IZ66646 ALTERING COLUMN ORDER AND SORT ORDER IN TICKET WINDOW DOES NOT SAVE WHEN TSOM CLIENT IS CLOSED

APAR IZ59820 NETSCREEN IDP 100 EVENTS COMING IN WITH GENERIC SYSLOG AS SENSOR TYPE

Problems fixed by 4.1.1-TIV-TSOM-LA009

APAR IZ66457 EAM DOES NOT CONNECT TO THE CMS

Problems fixed by 4.1.1-TIV-TSOM-FP008

APAR IZ65378 TSOM NOT CORRECTLY PARSING CERTAIN EVENTS FROM PIX/ASA

APAR IZ65441 TSOM NOT CORRECTLY PARSING CERTAIN EVENTS FROM WEBSEAL

APAR IZ65435 (devices) TSOM NOT CORRECTLY PARSING CERTAIN EVENTS FROM PIX

APAR IZ51558 EVENT CONSOLE AND POWER GRID NETBLOCK BASED FILTERS NOT WORKING PROPERLY.

APAR IZ62954 CONNECTION OF THE CMS BREAKS WITH THE DATABASE

APAR IZ62983 PERFORMANCE HIT FOR SYSTEMS WITH A VERY HIGH NUMBER OF WATCHLISTS

APAR IZ64149 PASSWORD DISPLAYED IN CLEAR TEXT IN ALL CONFIG FILES

APAR IZ65152 WEBSEAL LOGS DON'T ROLLOVER WHEN UCM IS CONFIGURED TO TAIL THEM.

APAR IZ66172 THE DEFAULT UCM.CFG FILE HAS A TYPO WHICH COULD CAUSE CONFIGURATION CONFUSION AND ERRORS.

APAR IZ62495 LOCAL WATCHLISTS WINDOW SIZE FIXED. ADD/CHANGE/DELETE BUTTONS CAN BECOME HIDDEN UNDER PARENT WINDOW EDGE.

APAR IZ60100 RESIDENT APPLICATION VIEW UNDER THE PROPERTIES TAB FOR ANY HOST DOES NOT WORK PROPERLY.

APAR IZ63943 PROBLEM WITH PARSING CHINESE CHARACTERS IN SYSLOG.

APAR IZ63762 (devices) LDAP CONNECTION ID DETAILS OF IPLANET EVENTS ARE NOT BEING DISPLAYED.

APAR IZ63569 WHEN A NEW SENSOR IS CONFIGURED VIA AUTOCONFIGURE (ONLY) THE SENSOR CANNOT BE ACCEPTED (ACCEPT & REJECT GRAYED OUT).
APAR IZ64704 (devices) RSA/ACE MANAGEMENT SERVER EVENTS DO NOT PARSE DUE TO THEIR SETUP IN NS_SYSLOG.RULES AS THE ANTIQUATED ETYPE EVENT

APAR IZ61686 POWERGRID FILTERS DO NOT WORK CORRECTLY

APAR IZ59596 UNABLE TO CONFIGURE SSL FOR UCM ON SOLARIS

APAR IZ58393 EAM GIVES MALFORMEDINPUTEXCEPTION ERRORS.

APAR IZ63560 (devices) CISCO ACS EVENTS ARE IMPROPERLY PARSED

APAR IZ60526 SNMP CONDUIT NOT CORRECTLY POPULATING $TRAPID WITH THE OID VALUE.

APAR IZ61965 IIS PARSER DOES NOT REMOVE IIS HEADER. BATCH INSERT FAILS.

APAR IZ63356 (devices) TSOM IS NOT PROVIDING PIX SYSLOG SRC, DST, AND UID INFORMATION

APAR IZ55591 NESSUS 3.X AND 4.X SCAN RESULTS FILE DOES NOT WORK WITH VULNIMPORT UTILITY.

APAR IZ55577 TSOM 4.1.1 VULNIMPORT UTILITY DOES NOT WORK WITH FOUNDSTONE 6.5/7.X

APAR IZ58730 SENSOR SELECTION FOR REPORTS CREATION DOES NOT RETURN THE CORRECT RESULT

APAR IZ60394 TICKETS VIEW GIVES A TIME-OUT ERROR

Problems fixed by 4.1.1-TIV-TSOM-FP007

APAR IZ58989 TSOM/TOMCAT FAILS TO INSTALL WHEN NOT USING THE DEFAULT DIRECTORY.
   http://www-01.ibm.com/support/docview.wss?rs=3125&context=SSGNRH&q1=C+drive&uid=swg21403929&loc=en_US&cs=utf-8&lang=en

APAR IZ60123 ADD/REMOVE PROGRAMS CANNOT UNINSTALL TSOM UCM. ERROR: AN ERROR OCCURRED WHILE TRYING TO REMOVE. MAY ALREADY BE UNINSTALLED.

APAR IZ60117 TICKETS SHOW UP TWICE FOR NON-ADMIN USERS.

APAR IZ59821 COPY/PASTE FUNCTION OF RULES DOES NOT WORK

APAR IZ52607 CONFIGURING MULTIPLE CHECKPOINTS ONTO A SINGLE EAM WITH IF 03 ON TSOM 4.1.1 NEEDS A RESTART OF THE CMS.

APAR IZ52882 CUSTOMER IS GETTING "DUPLICATE SENSOR NAME" ERROR WHILE CREATING EAM

APAR IZ50915 INTERIM FIX 03 GETS INSTALLED IN C:\PROGRAM FILES\IBM\TSOM\ IRRESPECTIVE OF TSOM BEING INSTALLED ON A DIFFERENT DRIVE.

APAR IZ53747 EXTENSIVE CMS-DATABASE COMMUNICATION UNDER LOAD WITH RELATIVELY HIGH 'NEW' HOSTS FRACTION.

APAR IZ52884 "CONNECTION TIMED OUT" POPUP ERROR WHEN OPENING PUBLIC_MASTER_NETBLOCK.
   NETBLOCK CONTAINS 3 MILLION HOSTS

APAR IZ59902 (devices) EVENTS FROM MICROSOFT EXCHANGE SERVER 2003 DO NOT HAVE THE OBJECT NAME

APAR IZ54879 (devices) CISCO ASA EVENTS HAVE THE SENSOR CLASS SET TO OS, BUT SHOULD BE SET TO FIREWALL

APAR IZ55996 (devices) IP ADDRESS DOES NOT GET PARSED FROM CISCO IOS 12X TCP-6-BADAUTH EVENTS.

APAR IZ55215 CISCO NIDS EVENTS NEED TO HAVE THE SIGNATURE ID PARSED

APAR IZ49811 WEBSEAL LOG FILES NOT BEING READ

APAR IZ54255 (devices) THE USERNAME IS NOT PARSED OUT OF A CISCO IOS EVENT BY THE SYSLOG CONDUIT.

Problems fixed by 4.1.1-TIV-TSOM-IF006

APAR IZ54449 WITH FP 04 ON TSOM 4.1.1, THE CMS MAY START FACING MEMORY LEAK ISSUE.

APAR IZ53550 VULNIMPORT FAILS TO CONNECT TO QUALYS DUE TO UNKNOWN PROTOCOL "HTTPS", RUNNING ON THE SOLARIS PLATFORM.

APAR IZ54448 WITH FP 04 ON TSOM 4.1.1, THE SAME CHECKPOINT EVENT MAY COME IN MORE THAN ONCE INTO TSOM

APAR IZ57753 SDEE CONDUIT STOPS WORKING AFTER RUNNING FINE FOR SOME TIME

APAR IZ58261 IP ADDRESS FILTERS ON EAM NOT FUNCTIONING

Problems fixed by 4.1.1-TIV-TSOM-FP004

APAR IZ46175 PARSING ISSUE WITH CISCO ASA DEVICE

APAR IZ53012 PARSING ISSUE WITH CISCO IPS USING THE SDEE CONDUIT

APAR IZ48223 CHECKPOINT CONDUIT[S] STOPS SENDING EVENTS TO EAM

Internal defect 3239 No pause when investigating events.
   The Event Console/Top Sources/Top Destinations views do not pause incoming events when you click on a row item, as they did in the past. Now, if an event of concern scrolls by, you must explicitly click the Pause/Play button, whereas in previous versions simply clicking a row item invoked the Pause action.

Internal defect 3240 Investigation window disappears.
   As new events are drawn, the right-click menu data is discarded. This means an explicit Pause must be issued before there is any chance of successfully executing the 'Show Event Details' right-click pop-up menu.

Internal defect 3296 Filtering based on the 'Host name' column doesn't work in the 'Top Sources' and 'Top Destinations' views.
Internal defect 3295 Filtering based on the 'Watchlist' column doesn't work in the 'Top Sources' and 'Top Destinations' views.

Internal defect 3245 Text search case sensitivity.
   The 'contains' search was case sensitive; the user can now choose an option regarding case sensitivity.

APAR IZ52955 CAN CREATE AND DELETE BUT CANNOT MODIFY EXISTING ROLES. RECEIVE "CAN NOT UPDATE ROLE" ERROR MESSAGE.

APAR IZ47012 ONCE EVERY 2-3 DAYS CMS WOULD CORE DUMP.

APAR IZ47026 SYSLOG AND UCM EVENTS WOULD STOP FLOWING FROM EAM TO CMS.

APAR IZ51121 ERRORS RELATED TO THE CHECK POINT CODE ADDITION

APAR IZ50903 SOME FIELDS IN THE TSOM GUI ARE NOT UPDATABLE IF THE OS LANGUAGE IS SET TO PORTUGUESE (BRAZIL)

APAR IZ51191 LARGE NUMBER OF TICKETS CAUSES A DB2 QUERY ERROR WITH SQLSTATE:54001 STATEMENT TOO LONG OR TOO COMPLEX

APAR IZ50828 A '$' IN THE INFO FIELD CAUSES THE STRING '$EVENT.INFO' TO POPULATE A TICKET'S SUMMARY OR E-MAIL BODY CREATED BY AN ACTION

Problems fixed by 4.1.1-TIV-TSOM-IF003

APAR IZ27430 EAMS & SENSORS: UI FAILING TO LOAD SENSOR IDENTIFIER LIST ON START-UP AND EAMS & SENSORS VIEW FAILS TO LOAD AS WELL

APAR IZ38257 LEA_X.CONF GETTING OVERWRITTEN WHEN CHECKPOINT CONDUIT IS STARTED

APAR IZ32568 EXTREMELY HIGH CPU LOAD THEN GUI LOCKUP ON LARGE THREAT VIEW

APAR IZ40155 USERNAME AND USERCONTEXT BEING DROPPED BY SNMP CONDUIT.

APAR IZ40118 WATCHLISTS ARE 'UNATTACHED' WHEN DUPLICATE ADDRESSES ARE CONFIGURED.

APAR IZ45708 Allow OPSEC to connect to multiple Check Point devices

Internal defect 3220 Flaw in logic in UCMParser would only allow one Java rules file to be checked for event compatibility.

Internal defect 3199 Added clear channel handling.

Internal defect 3198 The language selected in Reports Advanced Format now matches the browser locale.

Internal defect 3224 Broken support for Windows 2003 in the installer. Problems caused by the JVM on Linux: Java Out of Memory and SNMP problem.
Problems fixed by 4.1.1-TIV-TSOM-IF002

APAR IZ25896 PERFORMANCE DEGRADATION WITH MULTIPLE CLIENTS CONNECTED

APAR IZ29743 IF TOKEN REF $EVENT.INFO CONTAINS DOUBLE QUOTES TSOM RETURNS BLANK

APAR IZ31058 Windows Syslog adds debug to messages

APAR IZ33559 EAM Filter: Duplicate Filter issue

APAR IZ34660 SNMP v3 Engine ID needs to be stored in Octet String format

APAR IZ33759 Syslog binding to port 514

APAR IZ37268 TSOM 4.1.1 CMS Core dump / Heap Dump

APAR IZ38624 SNMP MESSAGES LOST ON HEAVILY LOADED EAM

APAR IZ39499 Performance fix for Host Creation Queue

APAR IZ39500 EAM Memory leak from Apache commons pool

Problems fixed by 4.1.1-TIV-TSOM-IF001

APAR IZ32566 EAM crashes or hangs after every few hours with perl errors

APAR IZ27248 TSOM 4.1.1 init script pointing to wrong tomcat scripts

APAR IZ27280 4.1.1 UCM INSTALLER FOR WINDOWS BROKEN

APAR IZ29081 A NEW SENSOR IS CREATED FOR EVERY EVENT THAT THE JAVA RULE PROCESSES

APAR IZ29719 CMS runs out of memory on systems with over 300,000 hosts

APAR IZ29739 GUI Help --> About still shows 4.1.0 after upgrade

5.0 Contacting customer support

Support for Tivoli Security Operations Manager products, including documentation, Fix Packs and APAR information, is provided at:

      http://www-306.ibm.com/software/sysmgmt/products/support/IBMTivoliSecurityOperationsManager.html?S_CMP=rnav

IBM hardware, software, and systems support
   * 1-800-IBM-SERV (1-800-426-7378)

6.0 Notices and trademarks

IBM may not offer the products, services, or features discussed in this document in all countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead.
However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country/region or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country/region where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product, and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information that has been exchanged, should contact:

IBM Canada Limited
Office of the Lab Director
8200 Warden Avenue
Markham, Ontario
L6G 1C7
CANADA

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems, and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements, or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
This information may contain examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious, and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

This information may contain sample application programs, in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.

Trademarks

IBM, Tivoli Security Operations Manager, DB2, and AIX are trademarks of International Business Machines Corporation in the United States, other countries, or both.

Check Point FireWall-1, the Check Point logo, OPSEC, Site-Manager-1, SmartCenter Pro are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates.

Red Hat and Red Hat Linux are registered trademarks of Red Hat Incorporated.

Oracle and Oracle 10g are registered trademarks of Oracle Incorporated.

Solaris and Solaris 10 are registered trademarks of Sun Microsystems Incorporated.

Windows is a registered trademark of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.