IBM® Tivoli® Compliance Insight Manager
Fix Pack 8.5.0-TIV-TCIM-FP012 README

©Copyright International Business Machines Corporation 2010. All rights reserved. U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

NOTE: Before using this information and the product it supports, read the general information under Notices in this document.

Date: 2010 July 14

 

About the fix pack

This fix pack corrects several problems in IBM Tivoli Compliance Insight Manager, Version 8.5.0. It requires that IBM Tivoli Compliance Insight Manager, Version 8.5.0, already be installed. After installing this fix pack, your Tivoli Compliance Insight Manager installation will be at software service level 8.5.0.12.

Patch contents and distribution

This fix pack package contains:

This fix pack is distributed as an electronic download from the IBM Software Support Web site.

Architectures

This fix pack package supports the same operating system releases as the IBM Tivoli Compliance Insight Manager 8.5 product. Refer to chapter 1 ("System Requirements") of the IBM Tivoli Compliance Insight Manager 8.5 Installation Guide for a complete list.

Fix packs superseded by this fix pack

This fix pack supersedes the Windows, AIX, HP-UX, and Solaris part of fix packs from 8.5.0-TIV-TCIM-FP001 to 8.5.0-TIV-TCIM-FP011. z/OS actuator last fix pack is 8.5.0-TIV-TCIM-FP001.

Fix pack structure

Tivoli Compliance Insight Manager supports multiple platforms; for each platform requiring updates, a separate package is installed. Each package contains the updates for all components installed on that platform.

APARs and defects fixed

The following problems are corrected by this fix pack. For more information about the APARs listed here, refer to the Tivoli Compliance Insight Manager Support site.

Problems fixed by fix pack 8.5.0-TIV-TCIM-FP012

APAR IZ70658
SYMPTOM: Create Organizational Unit events are mapped as "Use object". The name of the OU is not mapped.

APAR IZ67232
SYMPTOM: User information data collected from Active Directory, which contains cyclic dependencies between user groups, cannot be applied to the relevant event source log sets

APAR IZ68890
SYMPTOM: Events collect process loging is not complete. Subprograms failuers was not handled properly.

APAR IZ69137
SYMPTOM: When moving file the negative handle is used for the target directory, this causes misinterpretation of following 567 event.

APAR IZ70111
SYMPTOM: It might be possible not full 24h windows is loaded into GEM databases in sliding load

APAR IZ72276
SYMPTOM: Splitter is not started after restart of TCIM Server\Actuator service

APAR IZ73055
SYMPTOM: There is an inconsistency between the documentation and the actual installed files on unix systems. While documentation specifies /etc/ibm.tcim.actuator in the scripts, the actually instalelled file is /etc/rc.cea.actuator.

APAR IZ73966
SYMPTOM: CCRG fails with SQLCODE: -803 while generating pending reports

APAR IZ74125
SYMPTOM: Chunks will not be registered if they are produced at PoP system with time zone info containing single quote.

APAR IZ74387
SYMPTOM: Mapping hangs on creating the reports for report distribution because the log file becomes too big.

APAR IZ70117
SYMPTOM: Bart.exe tool stops processing due to 'sysplatform' property in chunkheader is not present when chunks are processed by sara tool.

APAR IZ70405
SYMPTOM: Bart.exe tool creates an empty machine when restoring chunks provided by Sara tool.

APAR IZ72089
SYMPTOM: The event with record type 102 and subtype 144 is not mapped

APAR IZ73024
SYMPTOM: The empty mapped drive letter is recognized as an available to map remote folder

APAR IZ74392
SYMPTOM: DOC: After FP10 it is not necessary to disable file caching in db2 when loading a lot of data - v85

APAR IZ69699
SYMPTOM: On a Unix machine it is not possible to use operating system users to perform collection for Oracle DAT 9i 10g 11g through SSH Event Source and Oracle FGA 9i 10g 11g through SSH Event Source.

APAR IZ69731
SYMPTOM: Property "Oracle Instance Name" of Oracle DAT 9i 10g 11g through SSH Event Source and Oracle FGA 9i 10g 11g through SSH Event Source is misleading.

APAR IZ73415
SYMPTOM: Login into management console is very slow without any error messages in the logs.

APAR IZ75463
SYMPTOM: There is no possibility to display RSA token numbers (recorded in original log records) in iView reports.

APAR IZ72676
SYMPTOM: "IBM Informix Dynamic Server" and "IBM Informix Dynamic Server through SSH" event sources may stop to collect audit data.

APAR IZ70092
SYMPTOM: Incorrect year is assigned for log records, which originally do not include a year in their timestamps.

APAR IZ68334
SYMPTOM: Cisco Router syslog essential events are missing.

Problems fixed by fix pack 8.5.0-TIV-TCIM-FP011

APAR IZ66746
SYMPTOM: The documentation should be clear "Syslog from syslog host" event source is currently supported only on linux servers

APAR IZ63196
SYMPTOM: iViews Incident tracking returns DB2 SQL Error: SQLCODE: -7 SQLSTATE:42601 due to single quote in directory

APAR IZ64010
SYMPTOM: Aggregation fails during execution of merge_into_hourlyfact procedure

APAR IZ64110
SYMPTOM: Incomplete SelfAudit collect for Portal Iview.

APAR IZ64628
SYMPTOM: Cisco secure ACS v2.6 Mapping: Platformname, targetplatformname, aspect is missing

APAR IZ63853
SYMPTOM: Collection fails from WebSphere Server v6.1 FP11 and higher - v85 (main delivery)

APAR IZ64794
SYMPTOM: It is not possible to add a new 'linux syslog from syslog host' ES when another predefined syslog host is unreachable

APAR IZ64925
SYMPTOM: File access action events in Windows shows 'unavailable' user in the who field

APAR IZ65680
SYMPTOM: Incorrect sorting in 'Events by Type' report in iView

APAR IZ65399
SYMPTOM: Oracle alter database event is mapped as 'delete database'

APAR IZ66180
SYMPTOM: getnewrecs.exe crashes

APAR IZ66358
SYMPTOM: Full SQL statement is not visible in iView for oracle on Unix

APAR IZ65685
SYMPTOM: SAP Netweaver Event Source: The props file is incorrectly updated when last collected audit trail grows and there are no newer files

APAR IZ66978
SYMPTOM: Tcim users can not add a new GEM database in management console

APAR IZ67522
SYMPTOM: After FP installation it is not possible to collect from Novel Nsure event source when collecting from non-default database

APAR IZ68175
SYMPTOM: Oracle 10g ES does not map the drop database event

APAR IZ68874
SYMPTOM: Oracle: tcimsort dumps a core

APAR IZ67234
SYMPTOM: Chunks in 'work' folder are lost after an export fails

APAR IZ70127
SYMPTOM: Lack of documentation about possible performance improvement of the ITIM collection

APAR IZ67521
SYMPTOM: Sliding scheduled Gem Databases grow very fast even when less events

APAR IZ68297
SYMPTOM: GEM database load failure during "Re-enabling integrity checking" phase

APAR IZ66125
SYMPTOM: Syslog for AIX: incorrect wherefrom value when logging in remotely via ssh

APAR IZ73101
SYMPTOM: It is not possible to determine fix pack level applied on TCIM

APAR IZ73104
SYMPTOM: Consolidation failure during "InsertAggregation_main_procedure"

Problems fixed by fix pack 8.5.0-TIV-TCIM-FP010

APAR IZ59488
SYMPTOM: IBM DB2 8.1-9.1 SP3 DB2 Event Source collection fails

APAR IZ60178
SYMPTOM: Distribution report engine broker after SARM installation

APAR IZ59993
SYMPTOM: TCIM Java Services restarts after user logs off from the TCIM

APAR IZ58728
SYMPTOM: Syntax error on awk command in linux 'syslog from syslog host' ES collection script

APAR IZ58881
SYMPTOM: FillObjectOwner step of the load process takes a long time to finish

APAR IZ58731
SYMPTOM: DB2 collect failure is reported when db2audit.log file size is 0Bytes

APAR IZ59720
SYMPTOM: During the collect the tcimsort executable dump a core

APAR IZ60179
SYMPTOM: Tcim v8.5 + FP6 is mapping sudo logons successes as if they were failures

APAR IZ58191
SYMPTOM: Collect script for Oracle DAT/AIX through SSH event source logs Oracle credentials in clear text

APAR IZ59454
SYMPTOM: Cisco ES "Modify" events shown as "Anonymous" in the who fields

APAR IZ63798
SYMPTOM: Incorrect user profile is specified in TCIM v8.5 iSeries event source documentation

APAR IZ64840
SYMPTOM: Document "Apache Tomcat Http server may allow for directory traversal attacks" vulnerability is not applicable for TCIM

APAR IZ60798
SYMPTOM: Install guide does not contains any reference to the way the password for the TCIM components should be defined

APAR IZ61156
SYMPTOM: Typo in the AIX auditing documentation of the TCIM Install Guide

APAR IZ66483
SYMPTOM: Improve processing of event-aspect and summary reports

APAR IZ66486
SYMPTOM: Create maintenance task to remove old db2 diagfiles from the system

APAR IZ66484
SYMPTOM: Ignore irrelevant events for nt and solaris event sources

Problems fixed by fix pack 8.5.0-TIV-TCIM-FP009

APAR IZ50172
SYMPTOM: Aggregation phase takes long time to finish when loading a large UIS

APAR IZ51591
SYMPTOM: Databases fail to load in aggregation phase with error SQLCODE: -413, SQLSTATE: 22003

APAR IZ52605
SYMPTOM: TCIM AD/UIS does not recognize group within groups

APAR IZ52600
SYMPTOM: MSSQL event source fails to collect trace files that do not contain any records

APAR IZ53740
SYMPTOM: On a TCIM8.5 Enterprise Server the Log Manager Dashboard pie chart shows the percentages as "-?"

APAR IZ53760
SYMPTOM: TCIM v8.5 cannot send emails when the SMTP server expects a specific FQDN in the SMTP HELO message

APAR IZ54549
SYMPTOM: In a TCIM v8.5 environment, it is not possible to collect SNMP traps corresponding to Cisco router configuration change

APAR IZ54682
SYMPTOM: Postprocessing take a long time to delete older events

APAR IZ54923
SYMPTOM: Novell Nsure audit essential events are missing

APAR IZ55219
SYMPTOM: iView report shows only in event Aspect:eventid char 224 not char 225 (Job Type for iSeries JS events not shown in iView)

APAR IZ55982
SYMPTOM: Management Console login fails when the active network interface is not the most preferred one in the adapter list

APAR IZ59292
SYMPTOM: After FP7 or FP8 only cifowner can start iView's report distribution section. All other users get HTTP500 error

APAR IZ52263
SYMPTOM: Event Id 560 is not being mapped for Windows XP

APAR IZ53398
SYMPTOM: TCIMv8.5 install guide needs to be updated for iSeries remote collect configuration

Internal Defect PE08550
SYMPTOM: SAP Netweaver ES on Windows POP failed to collect more then one time

Internal Defect PE08680
SYMPTOM: Indexer does not rename and does not hide fields according to GSL parsing file

Internal Defect
SYMPTOM: Shutdown process logs a stack trace in case of lack of JNDI context

Problems fixed by fix pack 8.5.0-TIV-TCIM-FP008

APAR IZ50030
SYMPTOM: Distribution tasks may fail to execute with a "PersistanceBroker is already in transaction" message in the error logs

APAR IZ50165
SYMPTOM: Report title is not being updated in the distribution task

APAR IZ54488
SYMPTOM: Unable to open GEM databases details in iView with a user created after FP007 installation

Problems fixed by fix pack 8.5.0-TIV-TCIM-FP007

APAR IZ48240
SYMPTOM: No data to be displayed when the Custom Report contains a "not-in" group condition.

APAR IZ50843
SYMPTOM: The collection process fails for the IBM Tivoli Identity Manager 4.6 - 5.0 ES.

APAR IZ45457
SYMPTOM: Incident tracking report shows an incorrect time stamp at Period column.

APAR IZ44143
SYMPTOM: Performance of Oracle Apps UIS collection degrades when large files are involved.

APAR IZ44655
SYMPTOM: Password decryption fails when there is no gateway defined. This prevents logging into the Management Console.

APAR IZ40686
SYMPTOM: After upgrading from TCIM version 7.0 to 8.0, an actuator is missing.

APAR IZ43845
SYMPTOM: The collect script (genact_login) does not handle the case when calls of "lastb -R"\"last -R" system utilities return more than one record equal to the last collected record.

APAR IZ43590
SYMPTOM: If the password of cifowner account is changed, the mapper fails the very first time after the change.

APAR IZ43595
SYMPTOM: After a user password change, the report distribution cannot be accessed anymore.

APAR IZ43343
SYMPTOM: When collect was performed from more than one AIX machines attached to the same database, the value of realname is inconsistent.

APAR IZ48091
SYMPTOM: OutOfMemoryError exception is thrown while mapping chunks and processing a large UIS chunk in "collect-time" data processing mode.

APAR IZ47799
SYMPTOM: Postprocessing "fill - summaries" step takes a long time.

APAR IZ49638
SYMPTOM: Valid chunks should are marked as "Corrupted log sets" in Log Management reports.

Internal Defect PE08420
SYMPTOM: When the load is unexpectedly terminated, some tables may be left in a "pending load" state from which the application won't recover immediately when using "map on collect" mode.

APAR IZ43444
SYMPTOM: iSeries special authorities assigned by chgusrprf are not mapped.

APAR IZ45205
SYMPTOM: Mapping for FromWhere, WhereTo, Where and OnWhat W7 dimension lack information.

APAR IZ44816
SYMPTOM: An event AUDCTRL_CHUNKLOGCREATEFAILED_TIMEOUT is not mapped.

APAR IZ40685
SYMPTOM: SAP Netweaver ES on AIX does not collect files in long format (audit_YYYYMMDDXXXXXX).

APAR IZ53411
SYMPTOM: After installation FP6, it's not possible to login on the web applications after a password change.

Problems fixed by fix pack 8.5.0-TIV-TCIM-FP006

APAR IZ45421
SYMPTOM: The performance of reception of syslog events is not good enough.

APAR IZ45426
SYMPTOM: The performance of reception of snmp events is not good enough.

APAR IZ45427
SYMPTOM: Memory used by the TCIM actuator process grows too fast.

APAR IZ45432
SYMPTOM: Generating of the Chunk Continuity Report fails while generating a report on a huge amount of chunks with a socket error.

APAR IZ45462
SYMPTOM: The investigate page doesn't display any result while searching in 750+ Event Sources.

APAR IZ45578
SYMPTOM: Too many actuator.exe processes are started by the TCIM agent.

APAR IZ45579
SYMPTOM: The TCIM management console responds too slow when more than 200 Event Sources are installed.

APAR IZ45230
SYMPTOM: Bart.exe takes too much time to restore chunks after a restart.

APAR IZ44409
SYMPTOM: Socket handles are leaked in case of collects from non-existing PoPs.

APAR IZ43714
SYMPTOM: Some claims in the TCIM installation manual about supported platforms by event sources were not entirely correct.

APAR IZ43710
SYMPTOM: It is impossible to collect from MSSQL using an OS user as documented.

APAR IZ42905
SYMPTOM: A single quote in the name of a group will cause a javascript error on the User Preferences panel and that makes it impossible to use that panel to set the groups for the nodegrids.

APAR IZ42162
SYMPTOM: The link of the report editor was too long for some SSO solutions.

APAR IZ40648
SYMPTOM: After applying FP005 the indexer/searcher doesn't work anymore.

APAR IZ40684
SYMPTOM: While mapping the AIX Event Source, the function Regexmatch in aix.gml could generate exceptions.

APAR IZ40603
SYMPTOM: The rules for defining a TCIM user stated in the Install Manual are not precise enough

APAR IZ40597
SYMPTOM: A collect failure with the Solaris audit trail (through SSH) Event Source may result in incomplete chunks.

APAR IZ40556
SYMPTOM: For Oracle DAT the where field was not unique enough.

APAR IZ40543
SYMPTOM: When checking the iSeries settings, it's not possible to retrieve the journal information.

APAR IZ40019
SYMPTOM: Due a change in the Oracle 10.2.0.4 audit format, log records could not be mapped anymore.

APAR IZ40105
SYMPTOM: During the maintenance task the agent isn't shutdown properly, when the cifowner password contains a $ sign.

APAR: IZ39731
SYMPTOM: The Ubiquitous Log Event Source was not able to handle a directory structure that was wider than default.

APAR: IZ39533
SYMPTOM: The Report Editor doesn't save columns with an underscore in their name.

APAR IZ39073
SYMPTOM: Chunks cannot be imported/exported from a network drive.

APAR IZ38807
SYMPTOM: The TAMOS Event Source doesn't map the Accessor Effective Name.

APAR IZ45430
SYMPTOM: The agent memory usage grows too fast.

APAR IZ37100
SYMPTOM: When the chunk continuity report is narrowed so one chunk is split over multiple screens, a chunk is only shown in the last screen.

APAR IZ36552
SYMPTOM: The daily restart task might hang on an incomplete chunk.

APAR IZ36474
SYMPTOM: A GEM database cannot recover from sqlcode: -668

APAR IZ35670
SYMPTOM: The mapper hangs during loading a GEM database on generating reports for report distribution, in case the report is big.

APAR IZ35532
SYMPTOM: It's not always clear how the time zone of an ES is determined.

APAR IZ34350
SYMPTOM: The linux configuration is missing for TAMeb.

APAR IZ33864
SYMPTOM: It was possible to create a corrupt policy using the management console.

APAR IZ33743
SYMPTOM: Consolidation fails because the Beat.InsertAggregation.main_procedure procedure aborts with the following error: DB2 SQL error: SQLCODE: -413, SQLSTATE: 22003.

APAR IZ33760
SYMPTOM: Some issues with the MSSQL Event Source, including high usage of resources.

APAR IZ33738
SYMPTOM: Due a slow consolidation process, loading a GEM database might give a timeout and lock the database.

APAR IZ33697
SYMPTOM: In case Windows 2003 SP1 is installed, processes may crash in situations a lot of processes are started at the same time.

APAR IZ33448
SYMPTOM: Clearing of a Gem database fails with the message 'Dead lock detected'.

APAR IZ31667
SYMPTOM: When the back button of Internet Explorer is used, sometimes pages doesn't show up properly.

APAR IZ30005
SYMPTOM: It's impossible export very large pdf reports.

APAR IZ29877
SYMPTOM: It takes a long time to open the iview dashboard when the GEM database contains a lot of data.

Problems fixed by fix pack 8.5.0-TIV-TCIM-FP005

APAR IZ31172
SYMPTOM: Aggregation process fails after a GEM database has been cleared under some circumstances.

APAR IZ16883
SYMPTOM: When adding more than one machine, the custom properties are applied only to the first event source.

APAR IZ31773
SYMPTOM: When clearing a GEM database with sliding schedule or "Map at Collect" time, subsequent loads on this database may fail with postprocessing error.

APAR IZ26004
SYMPTOM: DB2 event source collection temporarily blocks access to the database.

Internal Defect PE07400
SYMPTOM: TCIM actuators may drop connections under some special circumstances.

APAR IZ36555
SYMPTOM: Fixpack may fail to apply when the server has multiple users defined.

APAR IZ31032
SYMPTOM: Passwords generated when creating an eventsource may appear garbled.

APAR IZ27992
SYMPTOM: Mapping may be slow on some event sources.

Internal Defect PE07210
SYMPTOM: Logfile retrieval Tool doesn't show the original logs if an event source has more than 9 sublogs.

APAR IZ23381
SYMPTOM: It is not possible to login on both to management console and iView when there are more than one network adapters in the machine.

APAR IZ30569
SYMPTOM: SAP R/3 event source is not able to collect more than once a day.

APAR IZ32605
SYMPTOM: SAP Netweaver WAS ABAP 7.0 event source cannot collect UTF16 encoded logs in AIX.

APAR IZ31307
SYMPTOM: Solaris SSH login audit events are not mapped.

APAR IZ27846
SYMPTOM: No collect history for TCIM TAM 6.1 User Information Source is present.

APAR IZ25854
SYMPTOM: The "getitimgroups.jar" file is not present.

APAR IZ30928
SYMPTOM: It's not possible to have 200 ESes on a single server.

APAR IZ33813
SYMPTOM: The connection string for z/OS event source and user information source is not visible.

APAR IZ27927
SYMPTOM: The import function may create event source duplicates.

Problems fixed by fix pack 8.5.0-TIV-TCIM-FP004

APAR IZ18785
SYMPTOM: A newly created user isn't able to modify the settings in the Report Distribution even when the correct access rights were assigned to him.

APAR IZ23725
SYMPTOM: Some reports are not shown correctly to users other than CIFOWNER.

APAR IZ20152
SYMPTOM: PostProcessing takes long time for step fillUserIsRowOwner.

APAR IZ18098
SYMPTOM: iSeries mapping for deleted objects shows (user) unavailable for Who, and Object for onWhat.

Internal Defect IZ22011
SYMPTOM: Solaris Event Source does not collect all Audit Trail records.

APAR IZ20407
SYMPTOM: Collect Directory event source property is missing.

APAR IZ21023
SYMPTOM: Some Tandem events are collected more than once..

APAR IZ23051
SYMPTOM: Informix DS events with different "Who"s are grouped together.

APAR IZ16012
SYMPTOM: Notification email is not sent when multiple distribution tasks are scheduled concurrently.

APAR IZ23426
SYMPTOM: GEM_PROPERTY is not cleared before a sliding schedule.

APAR IZ23907
SYMPTOM: Empty z/OS chunks are not mapped correctly..

APAR IZ19606
SYMPTOM: All collects fail due to corruption in EPRISEDB.OBJECT table.

APAR IZ18093
SYMPTOM: Report Distribution doesn't work with a non-default EPRORADB.

Internal Defect PE06780
SYMPTOM: A "No more SearchManagers available in the pool" is shown when a new search is started.

APAR IZ23459
SYMPTOM: When two GEM names differ by an underscore character, the GEM with underscore in the name has problems when reading from the database.

APAR IZ14060
SYMPTOM: z/OS actuator runs out of memory because of a memory leak.

Internal Defect PE07120
SYMPTOM: Some iView reports don't contain report table for large (new) database

APAR IZ23664
SYMPTOM: Middleware uninstall doesn't work.

APAR IZ25201
SYMPTOM: On a grouped server installation is not possible to change the default partition to store the TCIM DB2 instance.

Problems fixed by fix pack 8.5.0-TIV-TCIM-FP003

APAR IZ26792
SYMPTOM: 8.5.0-TIV-TCIM-FP001 and 8.5.0-TIV-TCIM-FP002 don't apply on a grouped server.

Problems fixed by fix pack 8.5.0-TIV-TCIM-FP002

APAR IZ09908
SYMPTOM: Scoping shows empty report when it contains the event detail column.

APAR IZ03732
SYMPTOM: Mapping for the AIX event source is not correct.

APAR IZ19365
SYMPTOM: The WHERE or platformname is reported with the module name instead of the hostname of the Stratus machine.

APAR IZ15383
SYMPTOM: When connecting via HPUX SSH, TCIM server cannot find the gzip or sudo utilities.

APAR IZ12338
SYMPTOM: The "From where" field seems to be incorrect when Caller Domain and Target Domain are different in the Windows event source.

APAR IZ13776
SYMPTOM: Filters with EventAspect field cannot be added when creating a Summary report.

APAR IZ17154
SYMPTOM: iView dashboard shows error when creating a node grid with mode than 1000 objects.

Problems fixed by fix pack 8.5.0-TIV-TCIM-FP001


APAR IZ16064
SYMPTOM: Report distribution fails when a custom defined report contains ' symbol

APAR IZ10918
SYMPTOM: When exporting the dashboard to PDF the axis labels do not display correctly

APAR IZ14745
SYMPTOM: Informational header is missing in distributed reports

APAR IZ13138
SYMPTOM: Additional rows show up in custom report when using Aspect columns

Internal Defect PE06250
SYMPTOM: Threshold reports cannot be opened for large database

Internal Defect PE05990
SYMPTOM: In the Management Console User Management, the role "Administer Tivoli Insight Manager Users" should be listed as "Administer Tivoli Compliance Insight Manager Users"

Internal Defect PE06000
SYMPTOM: Created distribution tasks are not executed

Internal Defect PE06020
SYMPTOM: Current implementation of HistoryClean.sql and gemcln.bat can cause deadlocks if there are multiple GEMDb loading concurrently

Internal Defect PE06120
SYMPTOM: Concurrent loads of more than 6 GEM dbs, causes some of them to fail

APAR IZ05689
SYMPTOM: Mapping of TCIM mainmapper is incorrect

Internal Defect PE05960
SYMPTOM: Mapper has OutOfMemory exception when during the mapping of multiple HP-UX chunks

Internal Defect PE06230
SYMPTOM: Actuator and Agent executables showed significant memory leaks during the TCIM 8.5 performance tests

Internal Defect PE06010
SYMPTOM: Multiple stacktraces are seen in main mapper log

Internal Defect PE06040
SYMPTOM: Indexer and mapper can't find default gsl for Ubiquitous log ES while GSL scanning

Internal Defect PE06130
SYMPTOM: Mapping of sudo in linux syslog is incorrect

Internal Defect PE06240
SYMPTOM: Consolidation is slower on TCIM v8.5 than on TCIM v8.0

APAR IZ15528
SYMPTOM: Compress function (daily restart) may corrupt idx/val database files

Internal Defect PE05930
SYMPTOM: *.bcp.err, *gempst.stdout and *gemcln.stdout log files are never cleaned

Internal Defect PE06030
SYMPTOM: Perl engine generates inefficient SQL-statements

Before installing the fix pack

Be aware of the following considerations before installing this fix pack:

Prerequisites

You must already have Tivoli Compliance Insight Manager 8.5.0 and its prerequisites installed.

Fix pack package

This fix pack package is provided as an executable file for the Microsoft Windows platform and as an archive file for each supported non-Windows platform.

TCIM Backup

It is recommended to backup TCIM installation on all systems where the FP will be installed. This will allow for a smooth rollback procedure in case any problems occur after installation. Please see the Backup and Restore Procedure of TCIM v8.5

 

Installing the fix pack

Installing the fix pack on Microsoft Windows systems

  1. Before installing the fix pack, close the Management Console. Otherwise, fixes for the Management Console might fail to be applied. If this problem occurs, close the Management Console and install the fix pack again.
  2. Ensure that the fix pack is installed when there is no other process in progress, such as the daily restart task or loads.
  3. It is preferable not to have iView open while applying the fix pack. If iView is open, it might become unavailable after the fix pack is applied. In that case the "IBM Tivoli Compliance Insight Manager Tomcat" service needs to be restarted.
  4. Note: it is advised when remote desktop is used while installing the fix pack, to connect to the console session.
  5. Run the 8.5.0-TIV-TCIM-Win32-FP012.exe file to install the fix pack.

    The fix pack detects all the Tivoli Compliance Insight Manager components that are installed on the system and automatically updates them.

    Note: If one or more interim fixes have already been installed on the system, the fix pack automatically detects them and takes the appropriate action to ensure they do not need to be reapplied.

    Note 2: The fix pack should be applied on all Standard Servers before applying it on the Enterprise Server to which the Standard Servers are connected.
    In case a Standard Server is added later to the cluster so the fix pack is applied later on the Standard Server, the following workaround should be applied:

    - Start a DB2 session using cifowner
    MSDOS> db2 connect to cifdb user cifowner using [cifownerpwd]
    - Call the stored procedure
    MSDOS> db2 Call CLMDB.DataSync_CreateCompositeViews()
    (Ensure that the command execution is successful)

    After that the "Investigate" page in Log Manager will work properly again.

    Note 3: Take into account that Fix Pack installation requires the 'Tivoli Compliance Insight Manager Database Account' name and password.
    If during Fix Pack installation the specified user is not a member of DB2ADMIN group the additional steps needs to be taken after FP installation in order to redefine the user running windows scheduled task to update statistics on DB2 EpriseDB:
    1) Open 'Scheduled Tasks' window (Start-> Control -> Scheduled Tasks)
    2) Right click at task named "run statistics for TCIM DB2 EPRISEDB schema"
    3) Change "Run as" properties to user name which is user from DB2ADMNS group and with his password.

Installing the fix pack on AIX

To apply the fix pack for Tivoli Compliance Insight Manager Actuator for AIX, follow these steps:

  1. Transfer the 8.5.0-TIV-TCIM-AIXPPC32-FP012.tar.gz to a temporary directory on the AIX system by using FTP in binary mode.
  2. Decompress the upgrade package:
    # gzip -dc 8.5.0-TIV-TCIM-AIXPPC32-FP012.tar.gz | tar xvf -
  3. Apply the fix pack package, (The default installation directory is assumed.)
    # sh apply.sh /usr/lpp/IBM/TCIM/actuator
  4. Verify that the Actuator agent has started by inspecting the list of active processes:
    # ps -ef | grep agent

    Note: Only one instance of the Actuator agent should be active.

Installing the fix pack on HP-UX

To apply the fix pack for Tivoli Compliance Insight Manager Actuator for HP-UX, follow these steps:

  1. Transfer the 8.5.0-TIV-TCIM-HPUXPARISC-FP012.tar.gz to a temporary directory on the HP-UX system by using FTP in binary mode.
  2. Decompress the upgrade package:
    # gzip -dc 8.5.0-TIV-TCIM-HPUXPARISC-FP012.tar.gz | tar xvf -
  3. Apply the fix pack package, (The default installation directory is assumed.)
    # sh apply.sh /opt/IBM/TCIM/actuator
  4. Verify that the Actuator agent has started by inspecting the list of active processes:
    # ps -ef | grep agent

    Note: Only one instance of the Actuator agent should be active.

Installing the fix pack on Solaris

To apply the fix pack for Tivoli Compliance Insight Manager Actuator for Solaris, follow these steps:

  1. Transfer the 8.5.0-TIV-TCIM-SolarisSparc-FP012.tar.gz to a temporary directory on the Solaris system by using FTP in binary mode.
  2. Decompress the upgrade package:
    # gzip -dc 8.5.0-TIV-TCIM-SolarisSparc-FP012.tar.gz | tar xvf -
  3. Apply the fix pack package, (The default installation directory is assumed.)
    # sh apply.sh /opt/IBM/TCIM/actuator
  4. Verify that the Actuator agent has started by inspecting the list of active processes:
    # ps -ef | grep agent

    Note: Only one instance of the Actuator agent should be active.


After installing the fix pack

Web applications not accessible after installing the fix pack

After the fix pack has been installed it is possible that one or more web applications are not accessible (for instance, failing with code 404). To solve this problem, stop the "IBM Tivoli Compliance Insight Manager Tomcat" service, delete all subfolders from the following directory:

<TCIM folder>\iView\tomcat\webapps

Do not delete the files in that folder, only the subdirectories. After that, restart the "IBM Tivoli Compliance Insight Manager Tomcat" service, and all web applications will be accessible again.

Fix Pack level on the system

After FP is installed the information about the current FP level is provided in 'ApplyPatch.log' file on Windows systems and 'FixPackLog' file on UNIX like systems.

Documentation updates

APAR IZ69731: Property "Oracle Instance Name" of Oracle DAT 9i 10g 11g through SSH Event Source and Oracle FGA 9i 10g 11g through SSH Event Source is misleading

Addendum for TCIM v85 Install Guide, Tivoli Compliance Insight Manager 8.5 Installation Guide, Chapter 54. Configuring auditing for Oracle Database Audit Trail
After applying this Fix Pack, The event source property name 'Oracle Instance Name' will be changed to 'Oracle Connection Identifier'. This property contains connection identifier of audited Oracle instance.

Addendum for TCIM v85 Install Guide, Tivoli Compliance Insight Manager 8.5 Installation Guide, Chapter 55. Configuring auditing for Oracle Fine-Grained Audit
Same changes as for 'Chapter 54. Configuring auditing for Oracle Database Audit Trail'

APAR IZ69699: On a Unix machine it is not possible to use operating system users to perform collection for Oracle DAT 9i 10g 11g through SSH Event Source and Oracle FGA 9i 10g 11g through SSH Event Source

Addendum for TCIM v85 Install Guide, Tivoli Compliance Insight Manager 8.5 Installation Guide, Chapter 54. Configuring auditing for Oracle Database Audit Trail
After applying this Fix Pack it will be possible to perform collect for 'Oracle DAT 9i 10g 11g through SSH' and 'Oracle FGA 9i 10g 11g through SSH' event sources also using Oracle Operating System User Authorization feature.
To use Oracle Operating System User Authorization you have to do following:

To use usual connect type you have to fill connection identifier of audited Oracle instance into 'Oracle Connection Identifier' property, fill 'Oracle User Name' and 'Oracle Password' fields with proper values.
To define external OS user within Oracle you have to execute following SQL statement under sysdba:

CREATE USER OPS$<os_username> IDENTIFIED EXTERNALLY;

<os_username> - is user name of your Operating System.
Also you have to grand access permission for added user to sys.aud$ database table:

GRANT SELECT ON SYS.AUD$ TO OPS$<os_username>;
GRANT SELECT ON DBA_FGA_AUDIT_TRAIL TO OPS$<os_username>;
GRANT CONNECT TO OPS$<os_username>;

OPS$ is default prefix for defining external users. It is stored in os_authent_prefix Oracle parameter. If you've changed this parameter before, then you have to use actual value.

Addendum for TCIM v85 Install Guide, Tivoli Compliance Insight Manager 8.5 Installation Guide, Chapter 55. Configuring auditing for Oracle Fine-Grained Audit
Same changes as for 'Chapter 54. Configuring auditing for Oracle Database Audit Trail'

APAR IZ73415: Login into management console is very slow without any error messages in the logs

It could happen that login into management console is very slow without any error messages in the logs.

After applying this Fix Pack, a new scheduled task will be created in Windows Scheduled Tasks. The task will be run as DB2 Administrator once per month.
The task will update DB2 statistics to improve the performance on DB2 side ,resolving possible problems with slow Management Console connection.
Affected customers will observe a delay of more than 2 minutes when login into the Management Console
Also see Note 3) in Installing the fix pack on Microsoft Windows systems

APAR IZ75463: There is no possibility to display RSA token numbers (recorded in original log records) in iView reports

In iView, "RSA Authentication Manager" event source does not display the RSA token number recorded in original audit log records. After applying this Fix Pack, displaying of that information can be activated by setting the value of the "SHOW_TOKEN_NUMBER" key in the "rsamanager.gml" section in <TCIM directory>\Server\config\mappers\rsamanager.ini file. When the value is set to "Yes", it means that the RSA token numbers are displayed in iView (in the "Event::tokennumber" aspect in the Additional Information of the event). When the value is set to "No", it means that displaying of the RSA token numbers is disabled.

In the following example, displaying of the RSA token numbers is enabled:
   [rsamanager.gml]
   SHOW_TOKEN_NUMBER = Yes
Please note if the "SHOW_TOKEN_NUMBER" key is absent, the the value is assumed to be "No", indicating that you do not want to display the RSA token numbers.

Changing the configuration affects all subsequent loading of log sets from this type of event source. The log sets must be reloaded to see the effects of changing the configuration.

Be aware that enabling displaying of the RSA token numbers in iView has performance impact since more data needs to be processed and stored in the TCIM database.

APAR IZ72676: "IBM Informix Dynamic Server" and "IBM Informix Dynamic Server through SSH" event sources may stop to collect audit data

After applying this Fix Pack, "IBM Informix Dynamic Server" (for IBM AIX, HP-UX, and Sun Solaris) and "IBM Informix Dynamic Server through SSH" event sources will have additional event source property, "Data Cleanup".
The value of the "Data Cleanup" property can be any positive number, indicating the number of days after which the old original audit log files located in the specified directory ("Informix Log Directory" ES property) and produced by the specified Informix server ("Informix Server Name" ES property) will be deleted from the target system after every successful collection.
The value can be "0", if the user wants all original audit log files (excluding the active log files) located in the specified directory and produced by the specified Informix server to be deleted from the target system after every successful collection.
Any other values (including the empty field and "no") will indicate that original audit log files will not be removed from the target system. The default value is "no".

APAR IZ70092: Incorrect year is assigned for log records, which originally do not include a year in their timestamps

After applying this Fix Pack, TCIM will deduce the correct year for timestamps (within processed log records) that originally do not include a year for the most common cases. However, it is important to ensure that the time between any two successive records is less than half a year - otherwise, TCIM may not deduce the correct year.

APAR IZ68334: Cisco Router syslog essential events are missing

After applying this Fix Pack, "Cisco Router syslog" event source will support new format of log record timestamp: "MMM dd yyyy HH:mm:ss" (e.g. "Nov 30 2009 10:45:25") in addition to already supported timestamp format: "MMM dd HH:mm:ss" (e.g. "Nov 30 10:45:25").

APAR IZ67521: Sliding scheduled Gem Databases grow very fast even when less events

The fix provided in the APAR prevents from further database growing; however it does not shrink the existing databases. If the database data can be deleted, the database should be re-created. If it is not possible, following procedure should be used to export and subsequently import the data after it is re-created.

  1. Export data of the database
  2. Verify the logs of the export to ensure the data has been exported without errors
  3. Delete the database using delgemdb.bat
  4. Create database with the same name using addgemdb.bat
  5. Execute sql query: update eprisedb.fap_dirty_flag set user_change=1, db_change=1
  6. Import the database:

APAR IZ66358: Full SQL statement is not visible in iView for Oracle SYSDBA log records.

In iView, "Oracle 9i 10g 11g" and "Oracle 9i 10g 11g through SSH" event sources do not display the SQL statement recorded in original SYSDBA Oracle log records. After applying this Fix Pack, displaying of that information can be activated by setting the value of the "SYSDBA_SQL_STATEMENTS_REPORTING" key in the "oracle.gml" section in <TCIM directory>\Server\config\mappers\oracle.ini file. The following settings are available:

In the following example, the display of the SQL statement of every SYSDBA record in the iView aspect is selected:
   [oracle.gml]
   SYSDBA_SQL_STATEMENTS_REPORTING = High
Please note if the "SYSDBA_SQL_STATEMENTS_REPORTING" key is absent, the value is assumed to be "None", indicating that you do not want to display the SQL statement.

Changing the configuration affects all subsequent loading of log sets from these types of Oracle event sources. The log sets must be reloaded to see the effects of changing the configuration.

These types of Oracle event sources combine similar multiple log records that generated during a short window of time (10 minutes) into a single GEM event. When the value of the "SYSDBA_SQL_STATEMENTS_REPORTING" key is set to "None" or absent, it means that the SQL statement is ignored while combining with similar log records (however, the type of recorded SQL statement is considered). When the value of the "SYSDBA_SQL_STATEMENTS_REPORTING" key is set to "Low", it means that the SQL statement of SYSDBA records of the following only types: "ALTER", "CREATE", "DROP", "GRANT", "REVOKE", "RENAME" is considered while combining with similar log records. When the value of the "SYSDBA_SQL_STATEMENTS_REPORTING" key is set to "High", it means that the SQL statement of every SYSDBA record is considered while combining with similar log records.

Be aware that specifying "Low" or "High" values of the "SYSDBA_SQL_STATEMENTS_REPORTING" key has performance impact since more data needs to be processed and stored in the TCIM database.

APAR IZ64794: It is not possible to add a new "linux syslog from syslog host" ES when another predefined syslog host is unreachable

After applying this Fix Pack, the Management Console will not anymore transfer configuration files to systems, which are specified in "Syslog host" property of "syslog from syslog hosts" event sources, via SSH while adding, removing, or changing parameters of any "syslog from syslog hosts" event source. Those configuration files are solely intended for custom syslog-ng daemon shipped in the predecessor of TCIM 8.0.
It is possible to enable transferring configuration files again by adding the following lines to <TCIM directory>\ManConsole\console.ini:
   [SyslogHosts]
   auto_config=1
 The Management Console must be restarted to see the effects of changing the configuration.

APAR IZ70127: Lack of documentation about possible performance improvement of the ITIM collection

Addendum for TCIM v85 Install Guide, Tivoli Compliance Insight Manager 8.5 Installation Guide, Chapter 41. Configuring auditing for IBM Tivoli Identity Manager
The configuration steps in 'Configuring IBM Tivoli Identity Manager for auditing' section should be updated with the following text:
It is recommended to apply additional indexes to improve collection performance. The indexes can be identified by running db2advis command:
db2advis -d ITIMDB –q ENROLE -i -o
The query input file should specify one sql command:
SELECT * FROM TIM_AUDIT_VIEW WHERE TIMESTAMP > 'custom date' ORDER BY TIMESTAMP
The prerequisite is to run the ITIM collection at least once to assure TIM_AUDIT_VIEW view is created.

APAR IZ66746: "Syslog from syslog host" event source is currently supported only on linux servers

Addendum for TCIM v85 Install Guide, Tivoli Compliance Insight Manager 8.5 Installation Guide, Chapter 65. Configuring auditing for syslog-ng
The first sentence needs to be updated to specify correctly the supported systems, so it should be read as:
Syslog-ng is an open source implementation of the syslog protocol for Linux systems. so the 'Syslog from syslog host' event source, which depends on the syslog_ng utility is supported on this kind of systems only.

APAR IZ63798: Incorrect user profile is specified in TCIM v8.5 iSeries event source documentation

Addendum for TCIM v85 Install Guide, Tivoli Compliance Insight Manager 8.5 Installation Guide, Chapter 43. Configuring auditing for iSeries, Configuring iSeries manually
second line of the 7th step should be modified to:
CHGOWN OBJ(’/QSYS.LIB/TCIM.LIB’) NEWOWN(TCIM)

APAR IZ64840: TCIM vulnerability "Apache Tomcat Http server may allow for directory traversal attacks"

Although some security scans might report the [CVE-2007-0450] and [CVE-2007-1860] Tomcat vulnerability, TCIM is not affected by it as the mod_jk module is not used by TCIM (the Apache HTTP server is not used).

APAR IZ60798: Install guide does not mention how TCIM passwords should be defined

Addendum for TCIM v85 Install Guide, Tivoli Compliance Insight Manager 8.5 Installation Guide, Installing Tivoli Compliance Insight Manager, Planning the installation (page 13)
Additional, 6th Note should be added:
6. When installing infrastructure components, the TCIM password policy needs to be applied for any new user created (TCIM v85 User Guide, page 86):
"Passwords must start with a letter, can include up to 20 alphanumeric characters, but cannot include spaces, punctuation, or other symbol characters, such as ~ or +".
Although it is not enforced, it is important to use passwords, which are acceptable by TCIM in further installation steps.

APAR IZ61156: Typo in the AIX auditing documentation of the v85 TCIM Install Guide

Addendum for TCIM v85 Install Guide, Tivoli Compliance Insight Manager 8.5 Installation Guide, Setting up and configuring the AIX audit subsystem (page 154)
One of the commands in '/etc/security/audit/bincmds' file should be using "`" symbol. Following line:
/usr/bin/cat /var/log/eprise/working >> /var/log/eprise/trail.'date +"%Y%m%d%H"'
should be read as:
/usr/bin/cat /var/log/eprise/working >> /var/log/eprise/trail.`date +"%Y%m%d%H"`

APAR IZ53760: TCIM v8.5 cannot send emails when the SMTP server expects a specific FQDN in the SMTP HELO message

Configuration of the hostname used in SMTP HELO message when sending alerts:

  1. Navigate to \Server\config
  2. Locate alert.ini file and open it in text editor.
  3. In the [SMTP] section add the following line:
    Localhost=myhostname
    4. Substitute myhostname with the name You actually want to use.
  4. Restart TCIM services.
Configuration of the hostname used in SMTP HELO message when sending reports:
  1. Navigate to <TCIM>\iView\tomcat\conf
  2. Locate server.xml file and open it test editor.
  3. Within the GlobalNamingResourcesTag create the following tag:
    <Environment name="localhost-name" value="myhostname" type="java.lang.String" override="false" />
    Substitute myhostname with the name You actually want to use.
  4. Restart TCIM services.

APAR IZ53398: iSeries installation documentation update

Addendum for TCIM v85 install manual, Tivoli Compliance Insight Manager 8.5 Installation Guide (page 302), requirement 4
If a firewall is present, ports 446, 448 and 449 also need to be opened, as they're needed to perform DDM/DRDA on iSeries.

Correction for TCIM v85 install manual, Tivoli Compliance Insight Manager 8.5 Installation Guide (page 306), "Configuring iSeries manually" point 12
The final step of the manual configuration of iSeries (point 12, scheduling a job) should be skipped, as it will override the operation at point 10; also, the functionality of that scheduled job is already taken care of by the actions of point 11 of the same section. In case that job has already been scheduled, make sure to remove it and repeat the operations described in point 10.

APAR IZ54550: SNMP Trap version supported by tcim real time collector

Following note has been added to the technote ( Available Compliance Management Modules and Event Sources): 

Note:
All Event Sources, which support SNMP protocol, are limited to work only with version 1 of it.

APAR IZ53302: TCIM supports 'BY ACCESS' configuration setting only for Oracle Auditing

Addendum for TCIM v85 installation manual, Chapter 56. Configuring auditing for Oracle Operating System Audit Trail:

Configuration process, Configuring Oracle on AIX, HP-UX, Solaris, and Windows systems, Configuring Oracle auditing, Auditing options
Note 1 should be read:
If you specify BY ACCESS for the AUDIT command BY parameter, Oracle writes one audit record for each statement and operation. This is the only way of audit record generation supported by TCIM.

Configuration process, Tivoli Compliance Insight Manager guidelines for audit settings
The example SQL commands should be read as following (changed to 'BY ACCESS' configuration): 
AUDIT SELECT, INSERT, UPDATE, DELETE ON DEFAULT BY ACCESS, and AUDIT SYSTEM GRANT
AUDIT SELECT, INSERT, UPDATE, or DELETE ON DEFAULT BY ACCESS

APAR IZ40685: SAP Netweaver ES on AIX does not collect files in format audit_YYYYMMDDXXXXXX

Addendum for TCIM v85 install manual, Chapter 60. Configuring auditing for SAP Netweaver Web Application Server. Following information should be added below SSH collect section:

The auditing of SAP Netweaver Web Application Server supports collection of log files with short (audit_YYYYMMDD) and long (audit_YYYYMMDDXXXXXX) names.

IZ45050: Event source properties for IBM Tivoli Identity Manager 4.6 - 5.0 are not documented completely

The IBM Tivoli Identity Manager event source has the following editable properties after applying FP005 or higher:

Database Product The name of the database product where IBM Tivoli Identity Manager audit records are stored. Possible values are: DB2, MS SQL, and Oracle.

Database Name The name of the database where IBM Tivoli Identity Manager audit records are stored. The default value is itimdb.

Database Schema The name of the database schema where the Tivoli Identity Manager audit tables reside. The default value is itimuser.
Note: For IBM Tivoli Identity Manager 4.6, the only possible value is enroll. For IBM Tivoli Identity Manager 4.6, the schema of the audit tables is enrole and cannot be configured.

Database Port The port number on the audited system that is assigned to the IBM Tivoli Identity Manager database service. The default ports are:

The default value is 50000.

User Name The name of the user account that Tivoli Compliance Insight Manager can use to connect to the IBM Tivoli Identity Manager database back-end. This account must have at least read permissions on the AUDIT_EVENT, AUDIT_MGMT_TARGET, and AUDIT_MGMT_DELEGATE, AUDIT_MGMT_PROVISIONING tables of the Tivoli Identity Manager database. The default value is username.

User Password Defines the password for the user account defined in the User Name property. The default value is "" (empty).

Collect Directory The name of the directory to store temporary files. The default value is /tmp. (This property is not present for Windows systems.)

APAR IZ45421/IZ45426: New real time event sources for AIX actuator

After applying this Fix Pack, two new event sources will be available for AIX actuators: SNMP and Syslog realtime event sources. These are defined and configured in a similar way to their Microsoft Windows equivalents.

However, it's important to ensure that the actuator folder in the AIX system will have enough disk space assigned to handle the collected data.

Internal defect TSIEM00004544

Addendum for TCIM v85 user manual, Managing the Tivoli Compliance Insight Manager system, Viewing data and reporting, Creating and managing custom reports in iView
A report title should not contain special characters, like the ' sign.

APAR IZ43714: Some claims in the TCIM installation manual about supported platforms by event sources were not entirely correct.

Addendum for TCIM v85 installation manual, Chapter 23. Configuring auditing for BMC CONTROL-SA, page 166
"ESS Version 3.2.03 or higher" should be replaced by "ESS Version 3.2.03"

Addendum for TCIM v85 installation manual, Chapter 45. Configuring auditing for McAfee IntruShield IDS, page 315
"McAfee Version 1.9 or higher" should be replaced by "McAfee Version 1.9"

Addendum for TCIM v85 installation manual, Chapter 50. Configuring auditing for Novell Advanced Audit Service, page 381
"Novell Netware 6.0 Support Pack 2 or higher" should be replaced by "Novell NetWare 6.0 Support Pack 2"

Addendum for TCIM v85 installation manual, Chapter 64. Configuring auditing for Symantec Anti Virus, page 465
"Symantec AntiVirus Version 9.0 and higher." should be replaced by "Symantec AntiVirus Version 9.0"

Please have a look at Available Compliance Management Modules and Event Sources for the platforms that are supported by TCIM. Note: some of the supported platforms may require an additional installation of an event source.

APAR IZ43710: MSSQL user name

Addendum for TCIM v85 installation manual, Chapter 49. Configuring auditing for Microsoft SQL Server, page 343, and the README for the MSSQL 2008 ES
Windows Authentication is not possible for this Event Source, only MSSQL Authentication is possible.

APAR IZ40019/IZ40556: Oracle 10g 10.2.4.0+ mapping issues/uniqueness of the where field of the Oracle Dat event source

After applying this Fix Pack, the Oracle event sources will be renamed:

Oracle                  ==>  Oracle 9i 10g 11g
Oracle through SSH      ==>  Oracle 9i 10g 11g through SSH
Oracle DAT              ==>  Oracle DAT 8i 9i 10g 11g
Oracle DAT through SSH  ==>  Oracle DAT 9i 10g 11g  through SSH
Oracle FGA              ==>  Oracle FGA 9i 10g 11g
Oracle FGA through SSH  ==>  Oracle FGA 9i 10g 11g  through SSH
Note: TCIM v8.5 doesn't support Oracle 11g out of the box. To get support for Oracle 11g the eImage with part number C1WN3EN should be installed.

APAR IZ31667: Using 'Back' button of the Internet Explorer browser when navigating through the pages of iView

In case the 'Back' button is used when working with reports that have additional parameters (e.g. 'Events by rule'), the error "Warning: Page has expired" or "The page cannot be displayed" (in case user friendly errors are defined) could be shown.

In order to be redirected to the required page, the refresh button needs to be used (and 'Retry' to send information). When "Show friendly HTTP error message" option of IE browser is turned on, the user is redirected to the dashboard page. Therefore in order to be redirected to the required page, it is advised to turn off the "Show friendly HTTP error message" option.

The following steps can be used to turn off the setting:

http://support.microsoft.com/kb/294807

  1. Turn off the friendly error message option in the browser as follows:
    1. In Internet Explorer 5.x and 6.x, on the Tools menu, click Internet Options.
    2. On the Advanced tab, under the Browsing section, click to clear the Show friendly HTTP error messages check box, and then click OK.
    3. Close the browser.

APAR IZ40105: Problems when cifowner user's password contains a $ sign

When applying a fix for this issue (the first time), the cifowner password should not contain a $ sign.

APAR IZ40603: Usernames/passwords

Addendum for TCIM v85 user manual, Managing the Tivoli Compliance Insight Manager system, Managing users and roles, Creating and managing users, Adding users
In addition to step 2 and 3, the following additional rules should be kept in mind when defining a username or password:

  1. Username and password must begin with a letter. (Note: As convention, you may start the username with the string cif to avoid any naming conflicts.)
  2. The username and password must be at least 6 characters long and maximum of 20 characters long.
  3. The username can contain alphanumeric characters, and the allowed special character in the username is: _
  4. The password can contain alphanumeric characters and the allowed special characters in the password are: @ # $ - +
  5. The username and password cannot end with a special character.
  6. The username and password should not contain space or punctuation characters.
  7. The alphabetic characters in a username must be in lower case.

APAR IZ40543: The iSeries Remote Collect user profile should be fully authorized to itself

Addendum for TCIM v85 install manual, Chapter 43. Configuring auditing for iSeries, Configuring the platform for auditing
It's important to confirm that the iSeries Remote Collect user profile (i.e. TCIM) is fully authorized to itself. In the rare case that the collect user isn't fully authorized to it's profile, the CHGAUT (Change Authority) iSeries CL command may be used to provide full permissions to the collect user profile on the object representing collect user profile (*USRPRF). For example, if the collect user name is TCIM, the full command is:

CHGAUT OBJ('/qsys.lib/tcim.usrprf') USER(TCIM) DTAAUT(*RWX) OBJAUT(*ALL)

APAR IZ39073: Importing/Exporting data to/from a network drive

Addendum for TCIM v85 user manual, Chapter 11. Getting started with the Management Console, Using the Management Console tools, Setting a data export schedule and Importing audit data

The export/import will run under a different context than the user who initiates the process, as it will use the TCIM OS user, so mapped drive letters that are visible for the user may not be available for the import/export process. In case of exporting/importing to a network drive, the UNC (Universal Naming Convention) path can be used instead of a drive letter (for example, \\Source\data), and ensure that the TCIM OS user (by default cifadmin) has enough permissions to write/read that network drive (see above for situation in domain/standalone environment).

APAR IZ36474: A GEM database cannot recover from sqlcode: -668

This fix will correct the problems that may occur when a database load has been interrupted. This error can produce 3 types of situations:

  1. Table in pending load state. This is the most common scenario, and manifests itself as a SQL error -668. The affected table will not be accessible due to an unfinished load. After applying the fix, TCIM will attempt to finalize the pending load.
  2. Data inconsistency. Due to the unfinished load, some of the data already loaded into the database may contain references to non-existing fields. The SQL errors in the log include SQL error -673. TCIM recovers automatically from this error; the first load after this situation will take longer than usual and fail, but the one after that will take the usual time and succeed.
  3. Load temporary file locked. In special circumstances, one of the files from the load that failed will be kept open, and the load will fail. The logs will show references to an SQL error -668, and a "SQLERRMC" value that starts with "TEMP_FILE". This error can be solved by restarting the DB2 service, and performing a load.

APAR IZ35532: Time zone information

Addendum for TCIM v85 install manual, Chapter 6. Deploying Tivoli Compliance Insight Manager event sources, Configuring the event source for auditing, "Point of Presence, A system where Tivoli Compliance Insight Manager Actuator (Actuator) is installed to collect the audit data"
The time zone for the audited machine is retrieved from the Point of Presence in most cases.

APAR IZ34350: Configuring IBM Tivoli Access Manager for e-business for auditing on linux

Addendum for TCIM v85 install manual, Chapter 36. Configuring auditing for IBM Tivoli Access Manager for e-business, Configuring IBM Tivoli Access Manager for e-business for auditing
This chapter should be renamed to Configuring IBM Tivoli Access Manager for e-business for auditing for windows. And the following section should be added:

Configuring IBM Tivoli Access Manager for e-business for auditing on linux

Follow the steps below to configure the IBM Tivoli Access Manager for e-business platform for auditing by the Tivoli Compliance Insight Manager:

  1. Edit the configuration files for policy, authorization, and resource managers (ivmgrd.conf, ivacld.conf, and aznapi.conf configuration files respectively) to define the logcfg entry in the [aznapi-configuration] stanza: (by default these config files are in /opt/PolicyDirector/etc/ directory)
    1. Remove the # character before logcfg.
    2. Define the path parameter which specifies the name and location of a log file. For example:
      logcfg = audit.azn:file path=/var/PolicyDirector/audit/pdmgrd.log,rollover_size=50000,flush_interval=5,log_id=PDMgrAudit
      logcfg = audit.authn:file log_id=PDMgrAudit
      logcfg = audit.mgmt:file log_id=PDMgrAudit
  2. Edit the configuration files for the plug-in for Web Servers and a WebSEAL server (the pdwebpi.conf and webseald.instance.conf configuration files), to define the logcfg entry in the [aznapi-configuration] stanza: (by default these config files are in /opt/pdwebpi/etc/ and /opt/pdweb/etc/ directories respectively):
    1. Set logaudit to yes.
    2. If necessary, change the logsize and logflush entries to your value.
    3. Define the auditlog parameter that specifies the name and location of a log file.
    4. Define the auditcfg parameter that disables or enables a component-specific audit record. For example:
      [aznapi-configuration]
      logsize = 50000
      logflush = 5
      logaudit = yes
      auditlog = /var/pdweb/log/msg__webseald.log
      auditcfg = azn
      auditcfg = authn
      auditcfg = wpi
Notes:
  • Log data specified in each of the IBM Tivoli Access Manager for e-business configuration files must be stored in separate log files. This is because the platform which writes the log records locks each log file during the writing process. Consequently, each log file only contains log data from the first process which initiated the log writing into the file. Because the log files are separate, you must also configure a separate IBM Tivoli Access Manager for e-business event source for each log file you want to audit.
  • IBM Tivoli Access Manager for e-business auditing is disabled by default. To enable it, restart IBM Tivoli Access Manager for e-business after you have finished the configuration file. For additional information see the information on native auditing in the IBM Tivoli Access Manager for e-business documentation.

    APAR IZ33760: MS SQL collect issues

    The MS SQL Server event source that is provided with Tivoli Compliance Insight Manager Version 8.0 supports the audit trails only for systems running Microsoft SQL Server versions 2000 SP3, 2000 SP4, 2005 (default instances). The existing 'MS SQL Server' event source was renamed to 'MS SQL Server 2000-2005(deprecated)'.

    The new MS SQL Server 2000-2008 event source that is provided adds support for named instances of MS SQL Server 2000, 2005, and 2008 MS SQL Server clusters.

    A new option, 'MSSQL instance name,' is used to provide access to clusters and named instances:

    The format of the 'MSSQL instance name' option is: server_name\instance_name

    To connect to the named (non-default) instance of an SQL Server, specify the option as server_name\instance_name. To connect to an MS SQL Server on clusters, specify instance_name.

    server_name is the hostname (or IP) of the server where the MS SQL instance is located; instance_name is the name of an MS SQL instance (or MS SQL cluster). When collecting from default instances, the 'MSSQL instance name' option is not needed.

    NOTES:

    IZ30928: More than 125 Event Sources

    In case more than 125 ESes are attached to the same agent TCIM L2 needs to be contacted to enlarge the non interactive desktop heapsize on the TCIM server

    APAR IZ30005: Limitation on the size of exported pdf reports

    Addendum for TCIM v85 user manual, Exporting iView data to other formats, Exporting to PDF format (page 189)
    Only reports up to 32 000 rows can be exported as PDF. For larger reports, one of the other formats has to be used.

    APAR IZ26004: How to roll back mitigation provided by document "Control growing DB2 audit log on Tivoli Compliance Insight Manager 8.5 Server "

    After applying the fixpack, a new option named "Truncate" is present in the DB2 8-9.1 ES properties. It's set to 'yes' by default in the DB2 SelfAudit ES (the one that audits TCIM's DB2 instance) and 'no' by default for all the other ES instances. If this option is set to 'yes', TCIM will automatically prune db2audit.log after each collect, at most once an hour; the db2audit.log pruning process consists in removing logs that have already been collected, reducing the log file size. A mitigation was provided by the support document named "Control growing DB2 audit log on Tivoli Compliance Insight Manager 8.5 Server", and this fix renders the described mitigation obsolete.

    To roll back the mitigation:

    Remove cifdb2prune.vbs script from the scheduled tasks

    From the Windows Start menu, open the Control Panel, and then "Scheduled Tasks". Delete the task that executes C:\ibm\TCIM\Tools\cifdb2prune.vbs.

    Deleting cifdb2prune.vbs script

    Delete the cifdb2prune.vbs file from the C:\ibm\TCIM\Tools\ folder.

    Enable TCIM's db2audit.log truncation

    If you are using DB2 SelfAudit ES, and want to prune the log file, you simply need to apply the fix pack; the 'Truncate' option will appear in all DB2 ES properties, and it will be set to 'yes' for the SelfAudit one, which will prune the db2audit.log as described before. If you are using other DB2 ES, and want to enable this feature, set the 'Truncate' option to 'yes' in the ES properties panel after applying the fix pack.

    Note: It's highly recommended to prune "db2audit.log" periodically to keep that file small, as a large audit log file may affect the database performance.

    APAR IZ33813: z/OS Event Source (ES) or User Information Source (UIS)

    If the z/OS Event Source (ES) or User Information Source (UIS) is installed in a VIPA Network Configuration, the Event Source property "Connect String" must be updated for that z/OS ES or UIS. The part of the "Connect String" 127.0.0.1 must be replaced with the IP-address of the VIPA Network Interface. Only 127.0.0.1 has to be replaced, the rest of the Connect String field value must remain unchanged. So for example, a connect string A:127.0.0.1:5994 for a machine with ip address 9.142.236.10, the string should be updated to A:9.142.236.10:5994.

    APAR IZ29877: It takes a long time to open the iview dashboard when the GEM database contains a lot of data

    To improve the speed of opening the iview dashboard, additional forms of the NodeGrid on the GEM dashboard page are introduced. Besides the "Full" dashboard, the only mode that was available before this fix, the mode "Reduced" and the mode "Disabled" are introduced. Which mode will be used for GEM databases, can be defined on the Settings page, in the section "NodeGrid Mode".

    When the "Full" mode is enabled, the NodeGrid is calculated based on all events in the GEM database. This mode can be slow when a lot of data is stored in the GEM database.

    When the "Reduced" mode is enabled, on the GEM Db Summary page a "reduced" version of NodeGrid is shown in order to speed up the time of opening the page. The "reduced" mode of NodeGrid is based on the first N events in the gem event table. The default N value is 1 000 000.

    To change the performance of the "Reduced" mode, it's possible to change the N that is used for this mode. To change N - the value of events limit, the following lines should be added to [TCIM directory]\iView\tomcat\conf\iview.ini file:
       [NodeGrid]
       nodegrid_reduced_limit=3000000

     where parameter nodegrid_reduced_limit indicates the value of the limit (N).

    The less the value for nodegrid_reduced_limit is, the faster db summary opens and the less NodeGrid looks like full NodeGrid, because it is based only on the part of the events. The "reduced" version of NodeGrid also does not contain composite groups. It contains only the information about the events of selected or the most important groups. The caption of NodeGrid reflects the fact that NodeGrid is reduced.

    When the "Disabled" mode of NodeGrid is enabled, no NodeGrid is shown on GEM Db Summary page. Instead of NodeGrid message "NodeGrid is disabled" is shown. This mode is used to get the best time performance of opening the GEM dashboard.

    APAR IZ27992: Improve mapping speed in case of a big amount of hostname lookups

    For experienced TCIM users only, when in doubt, please contact TCIM L2
    During the mapping phase, the "gethostname" GSL operator queries the DNS for the host name corresponding to the supplied argument, which is assumed to be an IP address. Use of this operator can seriously reduce the performance of the mapper.

    To solve the performance problem, it's possible to disable the "gethostname" function in "gensub.ini", at the cost of not having the reverse lookups in the mapped results.

    To disable the "gethostname" function for all ESes, the following lines have to be added to <TCIM directory>\server\run\gensub.ini:

    [RegexOperators]
    gethostname=nl.consul.cea.gensub.scanning.regex.OperLit

    It's also possible to disable the operator for a specific GSL file. To disable the function for a specific GSL file, the following lines should be added to the <TCIM directory>\server\run\gensub.ini file:

    [RegexOperators.<GSL file name without the extension>]
    gethostname=nl.consul.cea.gensub.scanning.regex.OperLit

    For instance, the following lines will disable the "gethostname" function for FW1.gsl:

    [RegexOperators.FW1]
    gethostname=nl.consul.cea.gensub.scanning.regex.OperLit

    APAR IZ25201: Instructions to move the DB2 instance to another drive

    After TCIM v85 group server is installed on a drive other than c:, the TCIM DB2 instance is installed on c:. Follow the instructions to move the DB2 instance to the right drive:

    1. Create a file called reloc.cfg with the following contents: 
          DB_NAME=CIFDB
    DB_PATH=C:,F:
    INSTANCE=CIFINST
    NODENUM=0
    STORAGE_PATH=C:,F:

      STORAGE_PATH variables should be taken for each case separately from the database: select * from sysibmadm.dbpaths where type='DB_STORAGE_PATH' If there are more then one storage path all them should be added.

      (Assuming the destination drive is drive F:, and the DB name/DB instance name are the default CIFDB/CIFINST.)

    2. Stop all TCIM services
    3. Execute from the command line: db2stop force
    4. Copy C:\CIFINST to D:\CIFINST with the same permissions!! (after copying add DB2ADMNS user with full control)
    5. Execute from the command line: db2start
    6. Execute from the command line: db2relocatedb -f reloc.cfg
    7. Execute from the command line: db2stop force
    8. Remove C:\CIFINST folder
    9. Execute from the command line: db2start
    10. Start TCIM sevices

    APAR IZ23664: Uninstalling IBM Tivoli Compliance Insight Manager components

    This procedure will replace "Chapter 5. Uninstalling IBM Tivoli Compliance Insight Manager components", page 35 from the TCIM v8.5 Installation Guide

    To uninstall IBM Tivoli Compliance Insight Manager to the following steps should be executed in order. (Note the steps need to be performed with a user that has local administrator privileges.)

    1. Uninstall any Management Modules that are installed, using the use the Add/Remove Programs option in Windows.
    2. You can uninstall the following Tivoli Compliance Insight Manager components, using the Add/Remove Programs option in Windows:
      • Server
      • Consolidation Server
      • Enterprise Server
      • Management Console
      • Web Applications
      • TCIM Diagnostics
      • Actuator installed on a Microsoft Windows platform
    4. Stop the following ITDS services from the Windows Services Panel:
      • IBM Tivoli Directory Admin Daemon V6.1 - idsinst
      • IBM Tivoli Directory Server Instance V6.1 - idsinst, where, idsinst refers to the ITDS instance name.
    5. Navigate to the %ProgramFiles%\IBM\ldap\V6.1\sbin folder
    6. Run the following idsidrop command to drop the ITDS instance. The command must be run from the folder chosen in the previous step. In this example we assume the default ITDS instance name - "idsinst". 
      MSDOS> idsidrop.cmd -I idsinst
      Choose option 1 : (1) - Continue and delete the directory server instance
      Subsequently, choose option 2: (2) Completely erase the database instance (and all databases).
      Subsequently, choose option 1: (1) Continue with the above actions.
      The above actions will drop the ITDS instance.
    7. Uninstall ITDS using the use the Add/Remove Programs option in Windows. This action may prompt a restart of the machine. Please choose not to perform a restart immediately, and continue with the next steps below.
    8. Uninstall ITDS DB2 instance using the use the Add/Remove Programs option in Windows.
    9. Uninstall CIF DB2 instance , using the use the Add/Remove Programs option in Windows.
    10. The following folders or files need to be removed manually after completing the above steps. (Note: E: drive was chosen as target drive for installation, idsinst refers to the ITDS instance name, CIFINST refers to the TCIM DB2 instance and IDSINST refers to the ITDS DB2 instance name):
      • Delete the [Install drive]:\idsslapd-idsinst folder
      • Delete the [Install drive]:\cifinst folder
      • Delete the [Install drive]:\idsinst folder
      • Delete the %ProgramFiles%\IBM\tdsdb2 folder
      • Delete the %ProgramFiles%\IBM\ldap folder
      • Delete the [Install drive]:\idsinstinfo folder
      • Delete the %ProgramFiles%\SolutionFiles folder
      • Delete the %ProgramFiles%\IBM\SQLLIB folder
    11. Delete the OS users cifdb2admin, db2adminitds, idsinst 
         MSDOS>net user /delete cifdb2admin
   MSDOS>net user /delete db2adminitds
   MSDOS>net user /delete idsinst
    12. Delete the following directories
      • C:\ibm\TCIM (When TCIM is the only subdirectory of c:\ibm, c:\ibm may also be deleted)
      • %ALLUSERSPROFILE%\Start Menu\Programs\IBM Tivoli Compliance Insight Manager
    13. Reboot the machine

    APAR IZ23954: RSA Authentication Manager Configuration

    When configuring RSA, ensure that only RSA authentication logfiles will be found in the Eventsource Properties RSA Log directory because all files in this directory will be processed and deleted, even when these are not logfiles.

    APAR IZ20407: New event source property

    For the following Event Sources we added an additional property 'Collect Directory':

    This property could be used to specify a path to the directory where the TCIM Actuator stores its temporary files; these temporary files contain audit data created during collect before it is transferred to the log depot. The default value points to the directory /tmp. This value can be changed. Ensure that the directory exists; otherwise, collect will not start.

    Note: For SSH version of the event sources, represented above, the 'Collect Directory' property is not used. The TCIM Actuator stores its temporary files in the run directory in the SSH user's home directory.

    APAR IZ14806: Depot investigation tool usage

    This document contains some additional information which is missing in the IBM Tivoli Compliance Insight Manager (TCIM) version 8.0 and 8.5 user manuals.

    The depot investigation tool works in 2 steps:

    1. In the first step, the "Search summary" will list all the blocks of events (maximum 10000 events) which contain the search value, regardless of the specified search field.
    2. The second step will list in the "Search results" only those events which contain the search value in the specified search field.

    Therefore it is possible that the "Search summary" will list some block of events while the "Search results" doesn't contain any results.

    This is illustrated by the following example:

    This is explained by the fact that "Cleve400" is contained in the block of events, but NOT in the field "result".

    Precedence of logical operators

    The search query isn't case sensitive regarding the logical operators (for example "or" is the same "OR").

    The query parser starts evaluating the search query from the right to the left and works by creating a (binary) tree of nodes.

    Attention: This is not in line with some other logical parsers where the AND operator takes precedence over the OR operator.

    Therefore it is recommended always to use parentheses in the search query in case of using more than a single logical operator.

    The tree contains compound nodes (OR nodes and AND nodes) and single nodes that signify simple expressions.

    For example the search query:
    a OR b AND C

    gets interpreted in the query parser as
    OR[a, AND [b,c]]

    Some additional examples :
    Search queryEquivalent toInterpreted by parser
    aaa
    Aaa
    (a)aa
    a or ba OR bOR[a, b]
    a OR b OR ca OR (b OR c)OR[a, OR[b, c]]
    a AND ba AND bAND[a, b]
    a OR b AND ca OR (b AND c)OR[a, AND[b, c]]
    (a OR b) AND c(a OR b) AND cOR[a, AND[b, c]]
    (a OR b) AND (c OR d)(a OR b) AND (c OR d)AND[OR[a, b], OR[c, d]]
    (a OR b) AND (c OR d OR e)(a OR b) AND (c OR (d OR e))AND[OR[a, b], OR[c, OR[d, e]]]
    a OR b AND c OR d OR ea OR (b AND (c OR (d OR e)))OR[a, AND[b, OR[c, [OR[d, e]]]]]

    Special characters and wildcards in search query

    The Depot Investigation Tools handles also special characters like "@_&#$%/\:" in the search query.

    Please note that using special characters doesn't work in combination with wildcard characters "*".

    Software limitations

    Installing a component after installing the fix pack

    If you install a Tivoli Compliance Insight Manager component on the system after the fix pack has been applied, you must install the fix pack on that system again to ensure that all components are running at the same software service level.

    Known problems and workarounds

    It is not possible to create TCIM user if it's name is defined in upper case

    WORKAROUND: do not use uppercase characters in usernames.

    Problems with access to Chunk Continuity Report Generation

    After cifowner's and other user's password changes both cifowner and user having access to Portal with necessary roles might not be able to launch Chunk Continuity Report Generation.
    WORKAROUND: Restart TCIM Tomcat service.

    Password synchronization

    Password synchronization issue might be encountered on TCIM installations with multiple servers authorizing against one security server. The problem may occur when the same TCIM user is logged in from more than one server and the password is changed in one of the sessions.
    WORKAROUND: Restart server service on affected machines. If that does not work change password back to the old one and retry.

    Problems with handling empty trace files in "MS SQL 2000-2005 (deprecated)" event source

    There might be a problem with traces collection when initially collected file is empty. The problem disappears, when non-empty file is collected - subsequent empty and non-empty files are collected successfully.

    Notices

    This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

    IBM Director of Licensing
    IBM Corporation
    North Castle Drive
    Armonk, NY 10504-1785
    U.S.A.

    For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

    IBM World Trade Asia Corporation
    Licensing
    2-31 Roppongi 3-chome, Minato-ku
    Tokyo 106, Japan

    The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

    This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

    Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

    IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

    Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information that has been exchanged, should contact:

    IBM Corporation
    2Z4A/101
    11400 Burnet Road
    Austin, TX 78758
    U.S.A.

    Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

    The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

    Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

    Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

    All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

    This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.


    Trademarks

    IBM and Tivoli are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both.

    Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

    Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

    Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

    UNIX is a registered trademark of The Open Group in the United States and other countries.

    Other company, product, and service names may be trademarks or service marks of others.