IBM® Tivoli® Federated Identity Manager, Fix Pack 6.2.0-TIV-TFIM-FP0009 README

©Copyright International Business Machines Corporation 2008, 2011. All rights reserved. U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

NOTE: Before using this information and the product it supports, read the general information under Notices in this document.

Date: Friday, 22 July 2011


About the fix pack

This fix pack corrects problems in IBM Tivoli Federated Identity Manager (Federated Identity Manager), Version 6.2.0. It requires that the IBM Federated Identity Manager, Version 6.2.0, be installed. After installing this fix pack, your Federated Identity Manager installation will be at version 6.2.0.9.


IMPORTANT NOTICE

Potential cross-site scripting vulnerabiltity via macros in event page template files

Some IBM Tivoli Federated Identity Manager page macros might be vulnerable to cross site scripting attacks when their values are not properly encoded. Contact IBM Support for the list of macros that might be subjected to this issue. To remediate this, add the macros provided by IBM Support to the list of comma-separated tokens in the runtime custom property SPS.PageFactory.HtmlEscapedTokens. Add these macro so that their values are HTML-escaped in the template files. For example, if the list of macros provided is:

the value of the runtime custom property SPS.PageFactory.HtmlEscapedTokens with the above macros added can be:

@REQ_ADDR@,@DETAIL@,@EXCEPTION_STACK@,@EXCEPTION_MSG@,@RESPONSE@,@TARGET@,@DETAIL@,@SAMLSTATUS@,@EXAMPLE_MACRO1@,@EXAMPLE_MACRO2@,@EXAMPLE_MACRO3@

NOTE: Other macros that are prone to cross site scripting vulnerability can also be added to SPS.PageFactory.HtmlEscapedTokens. The value of this runtime custom property will be revised periodically and update as needed. For more information regarding the runtime custom property, access http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.tivoli.fim.doc_6.2.0%2Freference%2FCustomPropsSPS.html.


Possible security exposure with IBM WebSphere Application Server with WS-Security enabled applications using LTPA tokens (CVE-2011-1377)

The security that the IBM WebSphere Application Server provides might be weaker than expected when using web services security (WS-Security). A user might randomly gain elevated privileges on the provider system. WS-Security might assign the identity of a previously processed LTPA token to a new inbound LTPA token after authentication. This impacts applications using either JAX-WS and JAX-RPC.

Versions affected:

The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the fix, access http://www.ibm.com/support/docview.wss?uid=swg21587536

Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.

Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed fix installation instructions.


Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476)

This Security Alert addresses a serious security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability might cause the Java Runtime Environment to hang, be in infinite loop, and/or crash resulting in a denial of service exposure. This same hang might occur if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program using the Double.parseDouble method is also at risk of this exposure including any customer written application or third party written application.

The following products contain affected versions of the Java Runtime Environment:

The same iFix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the iFix access, see http://www-01.ibm.com/support/docview.wss?uid=swg21462019

The IBM WebSphere Update Installer (WUI) must be used to apply the fix. If the WUI has not previously installed, download the WUI from http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer access here.

Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.


JAVA.LANG.RUNTIMEEXCEPTION: SRV.8.2: REQUESTWRAPPER OBJECTS MUST EXTEND SERVLETREQUESTWRAPPER OR HTTPSERVLETREQUESTWRAPPER (PM10357)

This APAR PM10357 is reported for WebSphere Application Server (WAS) v6.1. As a result of this APAR, operations in the IBM Tivoli Federated Identity Manager Management Console can fail with the following exception observed in the log if the Management Console is deployed on an affected version of WAS v6.1:

java.lang.RuntimeException: SRV.8.2: RequestWrapper objects must extend ServletRequestWrapper or HttpServletRequestWrapper

Examples of operations that can fail include:

Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.

The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager.

The IBM WebSphere Update Installer (WUI) must be used to apply the fix. If the WUI has not previously installed, download the WUI from http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer access here.


Fix pack contents and distribution

This fix pack package contains:

This fix pack is distributed as an electronic download from the IBM Support Web Site.


Architectures

This fix pack package supports the same operating system releases that are listed in the Hardware and software requirements topic for Federated Identity Manager Version 6.2.0.

ATTENTION: In April 2009, FP0002 added support for WebSphere Application Server Release 7.0 Fix Pack 3 (release date March 27, 2009)

ATTENTION: In May 2009, FP0002 added support for Windows 2003 Server x86-64.

ATTENTION: In July 2009, FP0002 added support for Oracle 10g.

ATTENTION: In September 2009, FP0002 added support for Suse Linux Enterprise Server 11 (SLES 11) x86, x86-64, zSeries, pSeries. Note: Defect 91189, Webseal not configuring on SLES 11

ATTENTION: In November 2009, FP0003 added support for Internet Explorer 8 (IE8

ATTENTION: In November 2009, FP0003 added support for Windows 2008 R2 Server (x86-64). Note: 90900: GUI not thrown on GUI install for WIN2K8 R2, Workaround: -console mode is required on Windows 2008 R2 (e.g., on linux ./install_linux_x86.bin -console)

ATTENTION: In December 2009, FP0003 added support for Mozilla FireFox 3.5.

ATTENTION: In March 2010, FP0002 added support for z/OS 1.11 System z.

ATTENTION: In December 2010, FP0008 added support for Red Hat Enterprise Linux (RHEL) 5.0 Advanced Platform x86, Red Hat Enterprise Linux (RHEL) 5.0 Advanced Platform x86-64, SUSE Linux Enterprise Server (SLES) 10.0 x86, SUSE Linux Enterprise Server (SLES) 10.0 x86-64, SUSE Linux Enterprise Server (SLES) 11.0 x86, SUSE Linux Enterprise Server (SLES) 11.0 x86-64, Windows Server 2008 Enterprise Edition x86, Windows Server 2008 Enterprise Edition x86-64, Windows Server 2008 Standard Edition x86, Windows Server 2008 Standard Edition x86-64 and Windows Server 2008 R2 Enterprise Edition x86-64 on VMware ESX 4.0.

ATTENTION: In December 2010, FP0008 added support for Red Hat Enterprise Linux (RHEL) 5.0 Advanced Platform x86, Red Hat Enterprise Linux (RHEL) 5.0 Advanced Platform x86-64, SUSE Linux Enterprise Server (SLES) 10.0 x86, SUSE Linux Enterprise Server (SLES) 10.0 x86-64, SUSE Linux Enterprise Server (SLES) 11.0 x86, SUSE Linux Enterprise Server (SLES) 11.0 x86-64, Windows Server 2008 Enterprise Edition x86, Windows Server 2008 Enterprise Edition x86-64, Windows Server 2008 Standard Edition x86, Windows Server 2008 Standard Edition x86-64 and Windows Server 2008 R2 Enterprise Edition x86-64 on Red Hat Enterprise Virtualization Hypervisor (RHEV-H) / KVM 5.4.

ATTENTION: In December 2010, FP0008 added support for AIX 6.1 on IBM Power7 PowerVM Hypervisor. Support for POWER 7 is dependent on the upgrade to ITDS 6.1 Fixpack 5.

ATTENTION: In December 2010, FP0008 added support for Red Hat Enterprise Linux (RHEL) 4.0 AS/ES System z, Red Hat Enterprise Linux (RHEL) 5.0 Advanced Platform System z, SUSE Linux Enterprise Server (SLES) 10.0 System z, SUSE Linux Enterprise Server (SLES) 11.0 System z, z/OS 1.10 and z/OS 1.11 on IBM z/VM Hypervisor 6.1.

ATTENTION: In December 2010, FP0008 added support for Red Hat Enterprise Linux (RHEL) 4.0 AS/ES System z, Red Hat Enterprise Linux (RHEL) 5.0 Advanced Platform System z, SUSE Linux Enterprise Server (SLES) 10.0 System z, SUSE Linux Enterprise Server (SLES) 11.0 System z, z/OS 1.10 and z/OS 1.11 on IBM PR/SM z10.

ATTENTION: In December 2010, FP0008 added support for IBM Tivoli Directory Server 6.2.

ATTENTION: In December 2010, FP0008 added support for Oracle Database 11g Enterprise Edition Release 1.

ATTENTION: In December 2010, FP0008 added support for Oracle Database 11g Enterprise Edition Release 2.

ATTENTION: In March 2011, FP0008 added support for LPAR AIX 7.1. Note: WPAR is not supported for any supported version of AIX.

Fix packs superseded by this fix pack

6.2.0-TIV-TFIM-FP0001
6.2.0-TIV-TFIM-FP0002
6.2.0-TIV-TFIM-FP0003
6.2.0-TIV-TFIM-FP0008


Fix pack structure

Federated Identity Manager consists of the following components that can be installed separately:

This fix pack applies only to the administration console, management service and runtime component, and Web services security management (first three components listed above). These three components must be at the same level. For example, if you install a fix pack for the management service and runtime component, you must install the corresponding fix packs for the administration console and WSSM components. If all three components are not at the same fix pack level, they are not guaranteed to interoperate with each other as designed.


APARs and defects fixed

Problems fixed by fix pack 6.2.0-TIV-TFIM-FP0009

The following problems are corrected by this fix pack. For more information about the APARs listed here, refer to the Tivoli Federated Identity Manager support site.

APAR IV01293
SYMPTOM: ClassCastException is thrown when adding a SAML 2.0 Identity Provider as a partner. This problem happens when the metadata of the Identity Provider contains SAML attributes. See IV01293 for more information.

APAR IV01314
SYMPTOM: LTPA Token Module is not calculating the expiration date correctly. When a token is renewed, the expiration date is added to the userdata structure expiration array. The new expiration date is the last item added to the array. The IBM Tivoli Federated Identity Manager was incorrectly taking the first item on the array.

APAR IV01819
SYMPTOM: ClassCastException is thrown when configuring LDAP alias service using the IBM Tivoli Federated Identity Manager Command Line. This problem happens if at least one LDAP server exists in the system.

APAR IV01295
SYMPTOM: THE WEBSPHERE APPLICATION SERVER POC CREATE WAS SECURITY CONTEXT WITH INSUFFICIENT UNIQUE ID. See IV01295 for more information.

APAR IV01254
SYMPTOM: In some SAML error circumstances, the IBM Tivoli Federated Identity Manager would return a NullPointerException when attempting to display an error page or return a SAML error to an artifact retrieval request.

APAR IV01190
SYMPTOM: Empty-valued attributes in an STSUniversalUser XML document are not preserved by the Java implementation when converting from XML to Java and back to XML.

APAR IV01822
SYMPTOM: The value of the attribute "IsDefault" of all assertion consumer services of the SAML 2.0 Service Provider partner is changed to "true" after clicking the button "OK" or "Apply" in the Partner Properties page in the IBM Tivoli Federated Identity Manager Console.

APAR IV01319
SYMPTOM: SAML 2.0 STS Module fails to validate the subject confirmation method correctly when the assertion is received as part of the SAML 2.0 Single Sign On operation. The specification requires that an assertion that is generated as part of a Single Sign On flow should at least include one of the subject confirmation methods of value urn:oasis:names:tc:SAML:2.0:cm:bearer.

APAR IV01315
SYMPTOM: SAML 2.0 SPS Module is setting the Destination attribute on LogoutReponse message when the request is received through SOAP binding at the Identity Provider and there is more than one service provider session that was authenticated based on the Identity Provider session. The Destination field might have the url for the incorrect partner that is not the one that send the LogoutRequest.

APAR IV01318
SYMPTOM: The IBM Tivoli Federated Identity Manager LTPA STS module support code is not thread safe. The code uses an static instance of a JDK class that is not thread safe causing undetermined results while verifying or generating the ltpa token signature on environments with high volume of transaction.

APAR IV03231
SYMPTOM: KERBEROS STS MODULE TO ENFORCE TOKEN ONE TIME USE. See IV03231 for more information.

APAR IV03050
SYMPTOM: Security update for the IBM Tivoli Federated Identity Manager Management Console.

APAR IV01824
SYMPTOM: ClassCastException is thrown when adding and modifying LDAP host using the IBM Tivoli Federated Identity Manager Command Line. This problem happens if the parameter "hostPort" is not 389, or the parameter "minConnections" is not 2, or the parameter "maxConnections" is not 10.

APAR IZ03616
SYMPTOM: The SAML specification allows for the Identity Provider not to include an issuer value on the SAMLResponse as long as the assertion includes the value. The IBM Tivoli Federated Identity Manager SAML module was expecting for the issuer on the SAML Response to always be included. Such expectation was causing a Null Pointer Exception when the values was not included.

APAR IZ72928
SYMPTOM: Opening a Tivoli Federated Identity Manager page or portlet from the WebSphere Application Server ISC causes a JNDI exception of the type NameNotFoundException to be logged in the WAS server log.

APAR IZ91976
SYMPTOM: The IBM Tivoli Federated Identity Manager generates a NullPointerException when the SAMLResponse received from the Identity Provider does not include a Issuer value though the Issuer value is included in the assertion.

APAR IZ92245
SYMPTOM: Duplicate STS chain mappings are created when adding a SAML 2.0 Service Provider as a partner. This problem happens if the metadata of the Service Provider contains at least three distinct assertion consumer services with at least three distinct URLs.

APAR IZ94653
SYMPTOM: Ability for IVCRED STS Module to return error (default) or map to special user account for unauthenticated user token. See IZ94653 for more information.

APAR IV01175
SYMPTOM: The SAML 2.0 SPS module during a Single Logout operation on Service Provider side is invoking the alias service regardless if email name id format was used to single sign on the user. While the Single Logout Operation is successful, an error is included on the logs though the alias operation is not required.

APAR IZ96477
SYMPTOM: Mapping from single logout URL to protocol is deleted from the configuration file after clicking the button "OK" or "Apply" in the Federation Properties page in TFIM Console. This problem happens if the single logout bindings that are enabled are only HTTP-Redirect and SOAP. The missing mapping causes single logout operation to fail.

APAR IV01201
SYMPTOM: CommandException is thrown when exporting a key from a keystore using IBM Tivoli Federated Identity Manager Command Line. This problem happens if the parameter "exportPrivateKey" is specified with no value or with value "true".

APAR IV01202
SYMPTOM: ChainableRuntimeException is thrown when exporting a key from a keystore using the IBM Tivoli Federated Identity Manager Console. This problem happens if the IBM Tivoli Federated Identity Manager is deployed in certain WebSphere Application Server versions (e.g., WebSphere Application Server 7 Fix Pack 11).

APAR IV03048
SYMPTOM: Security update for the IBM Tivoli Federated Identity Manager Management Console.

APAR IV03074
SYMPTOM: Security update for the IBM Tivoli Federated Identity Manager Runtime.

Problems fixed by fix pack 6.2.0-TIV-TFIM-FP0008

APAR IZ84999
SYMPTOM: Some of the IBM Tivoli Federated Identity Manager Console portlet pages cannot be displayed when it is installed in WebSphere Application Server 7 FP 11.

APAR IZ74691
SYMPTOM: For a WS-Trust v1.3 request, FIM Security Token Service returns a response with multiple status codes, some of which contain WS-Trust v1.2 URI values.

APAR IZ50813
SYMPTOM: IBM Tivoli Federated Identity Manager CLI Commands are not registered properly on WebSphere Application Server 7.0.

APAR IZ74511
SYMPTOM: A valid WS-Trust 1.3 request fails if it includes an empty Issuer address value and the matching trust chain uses a wild card for Issuer value (e.g. with Issuer Address = *).

APAR IZ73144
SYMPTOM: NullPointerException when creating a new STS chain that is not on Validate mode.

APAR IZ68018
SYMPTOM: When reading the user header from WebSEAL or a generic point-of-contact, the username is URL decoded twice.

APAR IZ70082
SYMPTOM: Exception occurs when using only.alias key selection criteria and the same key appears under multiple aliases.

APAR IZ66147
SYMPTOM: The IBM Tivoli Federated Identity Manager artifact lookup routine can consume threads if the artifact received is not in the cache.

APAR IZ61855
SYMPTOM: Using IBM Tivoli Federated Identity Manager ISC console makes it possible to remove a default mapping rule after the federation has been created.

APAR IZ64190
SYMPTOM: The IBM Tivoli Federated Identity Manager SAML 2.0 SPS module throws a NullPointerException if an issuer value is not included on the SAML Response message.

APAR IZ42265
SYMPTOM: When starting IBM Tivoli Federated Identity Manager the runtime nodes report exceptions while connecting to the config repository.

APAR IZ39501
SYMPTOM: The fimivt application incorrectly relies on the provider id of the Service Provider to build the TARGET url for Single Sign On.

APAR IZ69868
SYMPTOM: The IBM Tivoli Federated Identity Manager 6.2.0 will always sign the outgoing SAML response and SAML assertion when the HTTP/SOAP binding is used.

APAR IZ69507
SYMPTOM: The IBM Tivoli Federated Identity Manager SAML 2.0 SPS Module does not create a session when the SAML AuthnRequest is received over the SOAP endpoint.

APAR IZ74720
SYMPTOM: The ITFIM console metadata support fails to validate that mandatory endpoints are included. The SPSSODescriptor requires at least one AssertionConsumerService endpoint and the IDPSSODescriptor requires at least one SingleSignOnService url.

APAR IZ74280
SYMPTOM: The ITFIM console partner properties page for a SAML 2.0 partner does not allow the user to modify the signature validation settings once set to typical or all signature settings.

APAR IZ72439
SYMPTOM: The ITFIM Alias Service fails to provide enough information to differentiate between a fatal error reading aliases and the typical alias not found return.

APAR IZ74795
SYMPTOM: ITFIM fails to send back a SOAP fault when a AuthnRequest with an invalid Issuer is received through the SOAP binding.

APAR IZ74793
SYMPTOM: The Tivoli Federated Identity Manager SAML SSO Module should add appropriate information on the SAMLResponse message to allow exploiters to debug the reasons for artifact resolution failures.

APAR IZ80240
SYMPTOM: STS service does not start when an illegal regular expression is provided for the "applies to", "issuer" or "token type" field of the STS chain mapping.

APAR IZ71991
SYMPTOM: Unable to validate SAML2.0 tokens generated through WSSM.

APAR IZ73880
SYMPTOM: LTPA XML security token issued by the STS has incorrect namespace.

APAR IZ82872
SYMPTOM: TAM authorization module does not work with federation scenario. The TAM authorization module should be able to consume TAM credential bytes from the STSUU or from the current STS response object in the case where an IVCred module has run in issue mode prior to the TAM Authorization module.

APAR IZ82855
SYMPTOM: Custom authorization tokens with attributes added by TAI are not processed by the IBM Tivoli Federated Identity Manager when creating a local token for TFIM with WebSphere point of contact.

APAR IZ82849
SYMPTOM: Chinese language page templates that contain RPT / eRPT macro blocks and any text within those blocks contains DBCS characters, the RPT block is not filled in correctly when the IBM Tivoli Federated Identity Manager returns the page template.

APAR IZ82851
SYMPTOM: If a service provider sends an SSO request containing the requested NameIDFormat of urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified the IDP implementation treats this as a persistent name identifier even if the DefaultNameIDFormat parameter for the partner or federation is set to a different name id format.

APAR IZ82866
SYMPTOM: Migration fails for federations containing custom modules.

APAR IZ82846
SYMPTOM: The LTPA token validate only looks on the current Element for a prefix definition.

APAR IZ82871
SYMPTOM: The IBM Tivoli Federated Identity Manager Liberty SPS Module fails to serialize objects on the distribute cache.

APAR IZ82869
SYMPTOM: The SAML 2.0 SPS module fails to apply the appropriate signature policy when the AuthnRequest is received using the artifact binding.

APAR IZ82864
SYMPTOM: Wrong Target URL received at the Service Provider when doing an Identity Provider initiated Single Sign On using the Artifact Binding.

APAR IZ82865
SYMPTOM: The identity provider behind a WebSphere point of contact throws an NullPointerException upon receiving an Single Logout Request request from service provider behind WebSEAL.

APAR IZ82856
SYMPTOM: The IBM Tivoli Federated Identity Manager generated nonce value might have invalid characters in some situations.

APAR IZ74793
SYMPTOM: The IBM Tivoli Federated Identity Manager SAML 2.0 SSO Module does not include enough error information on the response message to allow exploiters to debug the reasons for artifact resolution failures.

APAR IZ67423
SYMPTOM: The ITFIM Authorization STS module connection pool deadlocks if connections are mark for removal. See IZ67423 for more information.

APAR IZ66397
SYMPTOM: Key alias not used to select key for XML signature and validation. See IZ66397 for more information.

APAR IZ82868
SYMPTOM: The ITFIM SAML 2.0 STS module is not honoring the default name id format parameter setting. See IZ82868 for more information.

APAR IZ82867
SYMPTOM: The ITFIM SAML 2.0 SPS module requires assertion signature even when the enclosing document is signed. See IZ82867 for more information.

APAR IZ82870
SYMPTOM: The SAML 2.0 SPS module signs the assertion in instances where the signature policy indicates that the assertion should not be signed. See IZ82870 for more information.

APAR IZ82852
SYMPTOM: The ITFIM SAML 2.0 STS module fails to validate a SAML 2.0 Assertion containing the NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. See IZ82852 for more information.

APAR IZ82874
SYMPTOM: Recipient checking is not performed correctly by the SAML browser post support. See IZ82874 for more information.

APAR IZ82853
SYMPTOM: Invalid URL encoding of the RelayState parameter being performed by the SAML 2.0 SPS module. See IZ82853 for more information.

APAR IZ83544
SYMPTOM: The LTPA STS module sends an incorrect message when the token being validated is expired. The inserts on the message are on reverse order so the expiration date is displayed where the current date field should be.

APAR IZ83543
SYMPTOM: Signed XML strings may be incorrectly encoded if the default file encoding for the operating system platform is not UTF-8 (e.g. Windows or AIX).

Problems fixed by fix pack 6.2.0-TIV-TFIM-FP0003

APAR IZ66695
SYMPTOM: JDBC alias service is case sensitive for username.

APAR IZ40010
SYMPTOM: The IBM Tivoli Federated Identity Manager IDP displays blank page when initiating solicited SSO for a second time.

APAR IZ41865
SYMPTOM: The solution was to pass the relay state to the url so the customers can use the capability to override the target url using the credential attribute we already support.

APAR IZ44890
SYMPTOM: When sending a Kerberos token to the Security Token Service the following error gets returned.

APAR IZ46723
SYMPTOM: When upgrading an expired validation and encryption certificate that the keystore "view keys" shows the certificate as expired.

APAR IZ46765
SYMPTOM: The Where Are You From (WAYF) Cookie lifetime needs to be configurable through the gui.

APAR IZ47454
SYMPTOM: Passticket module incorrect logging verbosity.

APAR IZ47952
SYMPTOM: When using samlsso and adding a target url with query string the parameters are lost and do not make it to the Service Provider.

APAR IZ50906
SYMPTOM: SOAP faults are returned for WS-Trust validates request types.

APAR IZ51243
SYMPTOM: The init url for unsolicited AuthnResponse has a Target query string parameter that is allowing for requester to inject javascript that will be executed when the request is sent to the service provider.

APAR IZ51457
SYMPTOM: When a runtime node is not configured a NullPointerException will be displayed in the browser when a sign-on transaction is attempted.

APAR IZ51459
SYMPTOM: An incorrect ByteArrayOutputStream class was used that is not supported on all platforms.

APAR IZ52979
SYMPTOM: The IBM Tivoli Federated Identity Manager fails to enforce signature policy properly for assertion.

APAR IZ53517
SYMPTOM: When calling the artifact service and passing in an assertion to get back an artifact, if a custom module encounters an error and generates an exception stack trace that includes some special characters the Artifact service fails to include the exception on the SOAP Fault.

APAR IZ54678
SYMPTOM: SAML 2.0 Configuration objects did not implement the Serializable interface.

APAR IZ55551
SYMPTOM: The Management Console fixpack installation appears to complete successfully but the console doesn't operate correctly.

APAR IZ56179
SYMPTOM: UPDATING THE PARTNER THROUGH PROPERTIES PAGE CORRUPTS THE CONFIG.

APAR IZ56265
SYMPTOM: IBM Tivoli Federated Identity Manager fails to split url properly if "sps" is in the hostname.

APAR IZ56459
SYMPTOM: After unlinking account, under some circumstances the Alias entry will not be removed.

APAR IZ56548
SYMPTOM: IBM Tivoli Federated Identity Manager supported Oracle database for the TFIM alias service and that attempts to Use Oracle displayed errors.

APAR IZ60816
SYMPTOM: Federation stops at https://hostname/fim/sps/wssoi screen.

APAR IZ62620
SYMPTOM: Authorization decision query returning invalid decision query.

APAR IZ62955
SYMPTOM: SAML 1.X module does not validate recipient value on response.

APAR IZ63597
SYMPTOM: WS-TRUST 1.2 RequestSecurityTokenResponse message is different than the IBM Tivoli Federated Identity Manager 6.0.0 response message.

APAR IZ63967
SYMPTOM: When THE IBM Tivoli Federated Identity Manager returns HTTP Cookies to the browser none of the secure bits are set.

APAR IZ47754
SYMPTOM: ManageNameID defederate to an Service Provider where the alias does not exist.

APAR IZ48248
SYMPTOM: SAML 2.0 IDP incorrectly process unspecified nameid format and always treats unspecified as a persistent id.

APAR IZ49157
SYMPTOM: OpenID Caches are not per-federation.

APAR IZ48258
SYMPTOM: OpenID relying-party association cache indexing error.

APAR IZ48262
SYMPTOM: SOAP Client fails to initialize if using trust store with password.

APAR IZ66903
SYMPTOM: HMAC-SHA256 ASSOC TYPE FAILS WITH NO-ENCRYPTION SESSION TYPE.

APAR IZ66905
SYMPTOM: INCORRECT HANDLING OF LOST ASSOCIATION.

APAR IZ66908
SYMPTOM: POST MESSAGE TO RETURN_TO URL SHOULD USE QUERY STRING IF POSSIBLE.

APAR IZ66770
SYMPTOM: Form Post parameters should always be HTML encoded.

APAR IZ66769
SYMPTOM: INTERNAL APAR FOR STS CONFORMANCE UPDATES.

APAR IZ66771
SYMPTOM: INTERNAL APAR FOR TFIM 620 BUILD UPDATES.

APAR IZ66772
SYMPTOM: INTERNAL APAR FOR TFIM 620 POINT OF CONTACT UPDATES.

APAR IZ66773
SYMPTOM: Internal apar for SAML conformance updates.

APAR IZ52557
SYMPTOM: The Event Handler extension point does not have access to event trail id.

APAR IZ52563
SYMPTOM: tfimcfg tool doesn't work correctly in a multi-TAM domain.

APAR IZ48249
SYMPTOM: SAML 2.0 Service Provider cannot validate SSL certificate on a list of trusted signers.

Problems fixed by fix pack 6.2.0-TIV-TFIM-FP0002

APAR IZ41018
SYMPTOM: When triggering MNIDS operation, user does not have an alias stored in LDAP alias repository causes WebSEAL to return a server error.

APAR IZ35877
SYMPTOM: A NullPointerException occurs when the SAML 2.0 Response does not contain an issuer.

APAR IZ47906
SYMPTOM: The IBM Tivoli Federated Identity Manager complains "invalid_message_timestamp" when it receives an AuthnRequest with a SAML 2.0 IssueInstant with the date time format of "2008-07-01T13:30:50.830773Z"

APAR IZ44577
SYMPTOM: STSMessageLogger does not work with multiple custom extensions. If two different chains utilize the STSMessageLogger, each with its own custom extension, only one of the extensions is used, and it is used by both chains.

APAR IZ44576
SYMPTOM: STSMessageLogger does not work with Information Card IDP trust chain. When the STSMessageLogger is used as the first element in a trust chain for an Information Card IDP federation, and a card is used at a RP, the retrieval of a security token from the IDP fails. The IDP's WebSphere log shows the exception com.ibm.ws.webservices.engine.InternalException java.lang.IllegalArgumentException.

APAR IZ44575
SYMPTOM: STSMessageLogger leaves open files locked on every IBM Tivoli Federated Identity Manager single-sign-on. When the STSMessageLogger is used in a trust chain for federated single sign-on, a new message logger file is created on every request. This rapidly results in file handle starvation.

APAR IZ44573
SYMPTOM: When using the STSMessageLogger in a trust chain, a new file is created each time the "Reload Configurations" operation is performed (i.e. an OSGi runtime restart). These file handles are left open until WebSphere is restarted.

APAR IZ44572
SYMPTOM: STSMessageLogger does not work when using WS-Trust 1.3 requests to the Tivoli Federated Identity Manager(TFIM) Security Token Service.

APAR IZ44571
SYMPTOM: If an OP returns an OP-Identifier as the claimed identifier then the Relying-Party does not reject the login and allows authentication to succeed. The Replying-Party should reject the login. This issue affects only OpenID relying-party configurations during OP-identifier login.

APAR IZ44569
SYMPTOM: OpenID Identity Provider hangs for long time when the relying-party sends an empty association handle. This results in a 30-second login time from this type of relying-party.

APAR IZ44567
SYMPTOM: Some OpenID relying-party logins fail if an empty OpenID invalidate_handle value is sent in the login response. This problem is discovered when testing with WebSphere sMash.

APAR IZ44562
SYMPTOM: If any page template that contains repeatable replacements is called with a replacement string that contains a single backslash or a dollar sign ($) then the replacement will not function correctly and will cause an IllegalArgumentException.

APAR IZ44560
SYMPTOM: When tracing is turned on for the class com.tivoli.am.fim.infocard.delegates.InfoCardSTSDelegate and username/password information card is presented at the IDP to exchange for a SAML assertion, the user's password is exposed in clear text in trace.

APAR IZ44570
SYMPTOM: OpenID Identity Provider SREG Namespace handling is broken. This problem is discovered when testing with WebSphere sMash. The OpenID identity provider should return the same SREG namespace as it received.

APAR IZ44555
SYMPTOM: If a user trusts an OpenID relying party site, then deletes the trust from the site manager, and re-accesses the site, the consent-to-authenticate page is not being displayed when it should. This affects OpenID identity provider installations.

APAR IZ44557
SYMPTOM: The OpenID 2.0 flows are non-conformant with the specification regarding a claimed identifier of identifier_select. See IZ44557 for more information.

APAR IZ44559
SYMPTOM: The closing macro delimiter, @OPTIONAL_ATTRIBUTE@, is missing from the consent.html template file for the label for optional SREG attributes. This only applies to OpenID identity provider federations. See IZ44559 for more information.

APAR IZ44563
SYMPTOM: OpenID RP in white-list scenario has severely slow performance. See IZ44563 for more information.

APAR IZ35057
SYMPTOM: The SAML Assertion token generator was not issuing Assertions correctly with SubjectConfirmation methods of holder-of-key and sender-vouches. See IZ35057 for more information.

APAR IZ47911
SYMPTOM: The publish plugins MBean action requires a domain to be passed in which causes a problem on systems where an IBM Tivoli Federated Identity Manager fix pack is applied before TFIM is configured.

APAR IZ47912
SYMPTOM: Calls to IDMappingExtUtils.AddAliasForUser (which is typically made from a mapping rule) appear to succeed for non-existent users when they actually do not succeed. No alias is added. This problem is only applicable on systems with the IBM Tivoli Federated Identity Manager Alias service set to LDAP using TAM.

APAR IZ35742
SYMPTOM: IDP source validation can not be done because the SAML 1.x browser-artifact doesn't contain the IDP source. Relying-parties must be able to check in the mapping rule that the Issuer contained in an assertion comes from the expected IDP partner. Without this capability rouge IDP's can spoof other IDP's assertion issuers. See IZ35742 for more information.

APAR IZ47913
SYMPTOM: When making STS requests to the WS-T 1.3 endpoint and authentication is enabled the requestor is not challenged to authenticate. This is because the WS-T 1.3 endpoint is missing the security constraint definition.

APAR IZ47917
SYMPTOM: When uninstalling a fixpack, the process might fail at the very end. The UPDI log shows that the backup pak file for the fixpack could not be removed from the system. The problem affects only Windows platform.

APAR IZ47918
SYMPTOM: The authentication data used during authentication callback is not made available when WebSeal is the PoC. The authentication mechanism being used for WebSeal PoC will not work because the authentication information such as the federation name, federation id, etc is not available.

APAR IZ47919
SYMPTOM: When running the IBM Tivoli Federated Identity Manager using WebSphere Application Server as the Point of Contact at the Service Provider and WebSEAL at the IDP you will get a null pointer exception when logout is invoked from the Service Provider after successfully SSO.

APAR IZ48040
SYMPTOM: The mapping rule example file ip_saml_20_email_nameid.xml is missing the namespace definition.

APAR IZ48041
SYMPTOM: Routine build maintenance.

Problems fixed by fix pack 6.2.0-TIV-TFIM-FP0001

APAR IZ32487
SYMPTOM: SAML 2.0 sessions expire immediately if the Amount of time the assertion is valid property is set to 4294080 seconds or greater (49.7 days or greater).

APAR IZ31416
SYMPTOM: The WSSM trust client inserts erroneously a wsse namespace declaration into the wst:Base element when building requests to the trust service.

APAR IZ25784
SYMPTOM: When running in a WebSphere 6.0.2.x environment, an error could occur when importing or upgrading a Federated Identity Manager 6.1.1.x domain, if custom token modules were developed for it.

APAR IZ29211
SYMPTOM: A failure could occur while performing a SAML 2.0 single logout with the Service Provider, if the assistant name identifier was configured for the federation. The reported error was FBTSML219E.

APAR IZ29167
SYMPTOM: The underlying secure protocol of an HTTPS connection created by Tivoli Federated Identity Manager is hard-coded to be SSL. See IZ29167 for more information.

APAR IZ30074
SYMPTOM: A timestamp is embedded within a passticket, but the time value interval is only granular to a full second. See IZ30074 for more information.

APAR IZ30083
SYMPTOM: An error could occur when attempting to run the tfimcfg tool in a Sun Solaris(TM) environment. The error was seen after the WebSEAL hostname was provided. The reported error stated that HTTPS is not a recognized protocol.

APAR IZ30053
SYMPTOM: A performance degradation problem could occur when a federated single sign-on is attempted using LDAP registries containing millions of federated users. Depending on system and network conditions, a single sign-on operation could fail due to timeouts. The associated error reported a bad subtree search in LDAP.

APAR IZ30060
SYMPTOM: A potential problem could occur with the use of the OpenId Provider local identifier. When using OpenID 2.0, the Relying Party should differentiate between Claimed Identifiers and OP-Local Identifiers. The Federated Identity Manager implementation used the OP-Local identifier, if present, for both values. This APAR fixes this problem by ensuring compliance with the OpenID 2.0 specification.

APAR IZ30061
SYMPTOM: The OpenID Claimed Identifier was incorrectly normalized during HTML discovery. While performing an OpenID HTML discovery, the default action in the OpenID Relying Party was to follow redirections automatically which prevented the proper canonicalization of the final Claimed Identifier (claimed_id) URL.

APAR IZ30076
SYMPTOM: LTPA v2 issued tokens that were rejected by WebSphere Application Server versions 6.0.2 and 6.1. See IZ30076 for more information.

APAR IZ30078
SYMPTOM: Logging and tracing could not be set for identity mapping from within an XSLT rule. See IZ30078 for more information.

APAR IZ30080
SYMPTOM: An XSLT identity mapping failure occurred when using the alias server with JDBC. See IZ30080 for more information.

APAR IZ34569
SYMPTOM: When an RST is sent to the STS with an empty textnode for either the AppliesTo, PortType or OperationName a null pointer exception is thrown.

APAR IZ34571
SYMPTOM: The Higgins Client Jars directory adks/client/sts is missing some dependency JARs and includes unnecessary server JARs.

APAR IZ34573
SYMPTOM: In an OpenID exchange the RP cannot display an appropriate login identifier on the screen to end users if the OP-identifier was used to login. See IZ34573 for more information about the fix.

Before installing the fix pack

Be aware of the following considerations before installing this fix pack:

Installation path specification for the Windows Server 2008 platform
This preinstallation item applies only to installations on a 64-bit Windows platform like Windows Server 2008.

Because Federated Identity Manager is a 32-bit application its default path when installing on Windows Server 2008 changes from

C:\Program Files\IBM\FIM

to:

C:\Program Files (x86)\IBM\FIM

Note that this change to the installation path name also affects a 32-bit WebSphere Application Server on Windows Server 2008:

C:\Program Files\IBM\WebSphere

changes to:

C:\Program Files (x86)\IBM\WebSphere

Prerequisites
You must have the following software installed in order to install this fix pack:

Update Installer
This fix pack requires the use of the WebSphere Update Installer version 7.0.0.0. Ensure that you have installed the correct version of the WebSphere Update Installer on each computer where you will install the fix pack. You can download the WebSphere Update Installer version 7.0.0.0 from the WebSphere Application Server Update Installer Web site. Installation instructions are on the download page.

Fix pack packaging
This Tivoli Federated Identity Manager 6.2.0-TIV-TFIM-FP0009 patch package is provided on the Tivoli Support Web site as a single downloadable zip file for each supported platform. After you select the package that is appropriate for the target platform, download the package and unzip the contents into a target directory, typically the default WebSphere Update Installer directory, either

C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance

for Windows or

/opt/IBM/WebSphere/UpdateInstaller/maintenance

for Unix/Linux

You must unzip the downloaded file before you attempt to apply the patch. The unzipped contents are one or more pak files. Each pak file corresponds to one or more product components. For example, a fix pack might contain two pak files: one for the administration console and management service and runtime components, and one for the WSSM component. The full list of product components is described in Fix pack structure.

Use the WebSphere Update Installer to apply the fixes of each pak file to the target component on the system that you are updating. Apply all of the pak files that are required by your installation to ensure that the software levels in your environment are identical for all of the components for which a pak file is supplied. The fixes are tested against all affected components; therefore, to minimize any possible issue that can arise from applying a partial fix, ensure the you apply the complete set of files. See Installing the fix pack for specific instructions on using Update installer to apply the fixes.

Automatic creation of a backup directory
The Update Installer saves backup copies of the files that it replaces during the installation. You do not need to manually backup the Federated Identity Manager files.

Preinstallation enablement requirement for installing the fix pack for the first time

If this is the first time you are applying the fix pack to Federated Identity Manager, you must download and install the enablement fix for Tivoli Federated Identity Manager.

NOTE: Perform the following steps only if this is the first time you are applying a fix pack. You will not need to perform these steps for subsequent product updates.

  1. Download the enablement fix into the Federated Identity Manager installation directory (typically C:\Program Files\IBM\FIM on a Windows system or /opt/IBM/FIM on a UNIX-based system) by clicking here.
  2. Use the unzip option of the zip program for your operating system to unzip the file. On HP-UX, either use jar -xvf to unzip the file or download an unzip utility from the HPUX Connect site.

    NOTE: If you are prompted to overwrite an existing file, accept it so that the target file is overwritten.


Installing the fix pack

NOTE: Before installing this fix pack, ensure that you have reviewed the prerequisites in Before installing the fix pack.


Downloading the fix pack

To obtain the fix pack:

  1. Go to the IBM Tivoli Federated Identity Manager Support Web site.
  2. Click Download. The fix pack (6.2.0-TIV-TFIM-FP0009) should be listed under Latest by date. If you do not see this fix pack listed, enter "6.2.0-TIV-TFIM-FP0009" in the Search field to access the link to the download window.
  3. In the fix pack download window, scroll to the bottom of the window to view a listing of the download packages by platform.
  4. Select the platform that corresponds to the target platform where you will apply the fixes. To ensure a secure download, you can select the DD (Download Director) option. If you have not used Download Director before, you will need to configure your browser to use Java security. Click What is DD? for configuration instructions.

Setting the WebSphere security passwords

If security is enabled on the WebSphere Application Server where Federated Identity Manager is installed, you must set the appropriate password values in the fim.appservers.properties file before you can apply the fix pack.

If security is not enabled, you can skip this step.

NOTE: If you add passwords to the fim.appservers.properties file, as described below, you specify these passwords using plain text. However, at the end of the fix pack installation process these passwords are obfuscated and will no longer be available in plain text format.

To specify security passwords, use the following procedure:

  1. Using a text editor, open the file FIM_INSTALL_DIR/etc/fim.appservers.properties.
  2. If the was.security.enabled property is present in the fim.appservers.properties file and is set to true then you must add two password properties to the file: For example,
  3. If the ewas.security.enabled property is present in the fim.appservers.properties file and is set to true then you must add two password properties to the file: For example,
  4. Save and close the fim.appservers.properties file

Applying the fix pack

  1. Unzip the file you downloaded in Downloading the fix pack, preferably into the default WebSphere Update Installer's maintenence directory,
    C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance

    for Windows.or

    /opt/IBM/WebSphere/UpdateInstaller/maintenance

    for Unix/Linux

  2. Ensure that the WebSphere Application Server that hosts the Federated Identity Manager runtime and management service component is running.
  3. Ensure that the WebSphere Application Server that hosts the Federated Identity Manager console component is running.
  4. Start the appropriate WebSphere Update Installer (typically located in C:\Program Files\IBM\WebSphere\UpdateInstaller on Windows systems, or in /opt/IBM/WebSphere/UpdateInstaller on UNIX-based systems).
  5. In the Welcome window click Next. Federated Identity Manager will not be listed, but is supported.
  6. Specify the path to the installation directory for Federated Identity Manager (typically C:\Program Files\IBM\FIM on Windows systems, or /opt/IBM/FIM on UNIX-based systems), then click Next.
  7. Select Install maintenance in the dialog.
  8. Specify the path where the fix pack (.pak) files were unzipped. The Update Installer automatically detects, enables, and displays the FIM fixes (pak files).
  9. Determine which product components are installed on the system that you are updating. You should install only the pak files that correspond to the components on the target system. To determine the names and version levels of the product components installed on the target system, view the contents of the FIM_INSTALL_DIR/etc/version.propeties file with a text editor. The following list describes how to interpret the properties in the version.properties file:

    itfim.build.version.rte-mgmtsvcs=version
    Specifies that the management service and runtime component is installed at the level specified by version.
    itfim.build.version.mgmtcon=version
    Specifies that the administration console component is installed at the level specified by version.
    itfim.build.version.wsprov=version
    Specifies that the WS-provisioning runtime component is installed at the level specified by version.
    itfim.build.version.wssm=version
    Specifies that the Web services security management (WSSM) component is installed at the level specified by version.
    itfim.build.version.fimpi=version
    Specifies that the Web plug-in (either the Internet information services (IIS) Web plug-in or the Apache/IBM HTTP Server Web plug-in) is installed at the level specified by version.

    Apply the fix packs to the product's components in the following order:

    1. Management service and runtime and administration console>
    2. Other components

    Note: If a domain is not created before application of the IBM Tivoli Federated Identity Manager fix pack, the fix pack installation completes successfully with a "Partially Successful" message.

  10. Compare the list of installed components to the list of pak files in the WebSphere Update Installer and select the pak files that correspond to the installed components, then click Next.

    Note: The WebSphere Update Installer allows you to select more than one pak file at a time for execution. Select only the pak files that correspond to the components that are installed on the system you are updating. If you accidentally install more pak files than are needed, you can separately uninstall any fix packs for components that are not installed on the target system.

  11. If needed (for example, if you need to install multiple pak files on the target system, and you only installed one pak file), repeat the previous step to install any additional pak files on the target system.

Deploying the fix pack runtime component

After you install the fix pack, you need to redeploy the Tivoli Federated Identity Manager runtime. This task is identical to the deployment task you completed after the initial installation of the management service and runtime components. In a WebSphere cluster environment, you must ensure that the new runtime component is deployed to each WebSphere node.

The initial deployment steps are described in Creating and deploying a new domain in the Installation and Configuration Guide. The specific instructions for deploying the runtime begin in step 16.

NOTES:

Use the following procedure to deploy the updated Federated Identity Manager runtime:

  1. Log in to the administration console.
  2. Select Domain Management-> Runtime Node Management.
  3. Ensure that the new runtime (version 6.2.0.9) is displayed as available, then click Deploy Runtime.
  4. Wait for the deployment to finish by selecting Click to refresh runtime deployment status and check for completion...
  5. If the domain was not created before application of the IBM Tivoli Federated Identity Manager fix pack, click Publish Plug-ins.
  6. Verify that the currently deployed version is now 6.2.0.9 as follows:
    1. Navigate to the Runtime Node Management window.
    2. Look in the Runtime Management section of the Runtime Nodes portlet in the right panel and review the runtime information.
    3. Example:

      Runtime Information
      ----------------------------------------------
      Current deployed version 6.2.0.9 [080922a]

      Note: The number within the brackets [080922a] might be different from this example.

  7. Repeat the previous step for each node in a WebSphere cluster environment.

Uninstalling the fix pack

If you want to return your installation to the state it was in prior to installing the fix pack, you can uninstall the fix pack.

  1. Ensure that the WebSphere Application Server that hosts the Federated Identity Manager runtime and management service components are running.
  2. Ensure that the WebSphere Application Server that hosts the Federated Identity Manager console component is running.
  3. Start the appropriate WebSphere Update Installer (typically located in C:\Program Files\IBM\WebSphere\UpdateInstaller on Windows systems, or in the equivalent directory on UNIX-based systems)
  4. In the Welcome window click Next. Tivoli Federated Identity Manager will not be listed but is supported.
  5. Specify the path to the installation directory for Tivoli Federated Identity Manager (typically C:\Program FIles\IBM\FIM on Windows systems, or the equivalent directory for UNIX-based systems), then click Next.
  6. Select Uninstall maintenance in the dialog.
  7. The Update Installer will automatically remove the fix pack and restore the previously installed version of Federated Identity Manager.
  8. Verify successful uninstallation of the fix pack:
    1. Log in to the administration console.
    2. In the Welcome window, verify that the version number is not 6.2.0.9 and corresponds to the software level on which you installed fix pack 9.

      For example, if you installed fix pack 9 onto a Federated Identity Manager 6.2.0.0 system, then after uninstalling fix pack 9 you would see the following:

      Suite Name Version
      ----------------------------------------------------------
      Tivoli Federated Identity Manager 6.2.0.0 [080612a]

  9. Publish the plug-ins to the runtime and reload the configuration:
    1. Log in to the administration console.
    2. Select Domain Management -> Runtime Node Management.
    3. Click Publish Plugins.
    4. After the plug-ins are published, reload the runtime configuration.
  10. Redeploy the runtime for each domain:
    1. Log in to the administration console.
    2. Select Domain Management -> Runtime Node Management.
    3. Click Deploy Runtime.
    4. Wait for the deployment to finish by selecting Click to refresh runtime deployment status and check for completion....
  11. Verify that the currently deployed version is the version you had prior to installing the fix pack:
    1. In the administration console, navigate to the Runtime Node Management window.
    2. Look in the Runtime Management section of the Runtime Nodes portlet in the right panel. Review the Runtime Information.

      For example:

      Runtime Information
      ----------------------------------------------
      Current deployed version 6.2.0.0 [080612a]

  12. Repeat the previous step for each node in a WebSphere cluster environment.

Documentation updates

The product documentation for Federated Identity Manager, Version 6.2.0, can be found on the information center for IBM Tivoli Federated Identity Manager.


KERBEROS STS MODULE TO ENFORCE TOKEN ONE TIME USE (IV03231)

The kerberos STS module can enforce one time use of Kerberos tokens. The functionality is disabled by default and is only available to standalone WebSphere environments. No cluster support is provided at this time.

To enable this support set the following custom property:

kerberos.one.time.use.enabled = true

Once enabled, the TFIM Kerberos STS Module enforces a one time use of Kerberos tokens during validation. Once validated, any subsequent validation call for the same Kerberos token will fail.


Ability for IVCRED STS Module to return error (default) or map to special user account for unauthenticated user token. (IZ94653)

The IvCred STS Module has been enabled to consume and validate ivcred tokens that corresponds to an unauthenticated user. The modification done as part of this fix will allow for two modes of operation.

For behavior #1 (Default), the sts module will generate an error if a token received corresponds to an unauthenticated user. The error is the following:

 FBTSTS015E The IV-Cred binary token is invalid or not present.?

For Behavior #2 the IvCred STS Module can be configure to map the unauthenticated user token to an special user account that can be configured. The user account selected should be considered as a low entitlements or guest account.

The IVCRED STS module add a unauthenticated user name to the universal user structure.

To enable behavior #2 add the following custom property:

 ivcred.unauthenticated.user.name=myusername

where myusername is the user name value to use for mapping.

The following additional properties can also be provided to describe the user account to map to when using behavior #2:

 ivcred.unauthenticated.user.registry.id
 ivcred.unauthenticated.user.uuid

ivcred.unauthenticated.user.registry.id is used to include the registry id of the account and ivcred.unauthenticated.user.uuid to indicate the unique id for the user account.


ClassCastException is thrown when adding an Identity provider as a SAML 2.0 federation partner when the metadata of the partner contains SAML attributes. (IV01293)

This fix ensures that Identity Provider with a metadata that contains SAML attributes can be added as a SAML 2.0 federation partner. However, these attributes are ignored, since they are currently not supported by FIM 620.


WEBSPHERE APPLICATION SERVER POC CREATE WAS SECURITY CONTEXT WITH INSUFFICIENT UNIQUE ID (IV01295)

In some IBM Tivoli Federated Identity Manager SSO service provider scenarios with WebSphere as point of contact and when the application relies on extended attributes added to the SSO token it is possible that a user may be authenticated using the wrong WebSphere credential from the credential cache. This fix will ensure that a unique WebSphere credential is created for every Tivoli Federated Identity Manager SSO as a service provider with WebSphere point of contact.


NO DOCUMENTATION ON HOW TO SET AUDIENCERESTRICTION IN SAML 2.0 ASSERTION (IV00324)

In the IBM Tivoli Federated Identity Manager Installation and Configuration Guide, under the topic Sample identity mapping rules for SAML federations->Mapping a local identity to a SAML 2.0 token using an alias, the following entry is added to Table 40. STSUUSER entries used to generate a SAML token (using an alias):
[STSUU Element] Attribute: AudienceRestriction
[SAML Token Information] The audience of the audience restriction condition.
[Required] Optional

Under the same topic, it states:
3. Populating the attribute statement of the assertion with the attributes in the AttributeList in the In-STSUU. This information becomes custom information in the token. There can be custom attributes that are required by applications that will make use of information that is to be transmitted between federation partners.

It should state:
3. Setting the audience of the audience restriction condition to the value of the STSUU element "AudienceRestriction". If this STSUU element is not present, the audience is set to the Provider ID of the federation partner.

4. Populating the attribute statement of the assertion with the attributes in the AttributeList in the In-STSUU. This information becomes custom information in the token. There can be custom attributes that are required by applications that will make use of information that is to be transmitted between federation partners


Missing requirement to not modify built-in SSO chains (IZ79192)

In the IBM Tivoli Federated Manager Version Administration Guide, under the topic Managing Modules->Modifying trust service chain properties, the following note is added:
Note: Do not modify the built-in SSO trust chains. To know why this is not an architecturally good approach, see the article on Complex Federation Identity and Attribute Mapping for Tivoli Federated Idenity Manager from the IBM community blogs.

In the IBM Tivoli Federated Manager Version Administration Guide, under the topic Managing Modules->Modifying chain module properties, the following note is added:
Note: Do not modify the built-in SSO trust chains. To know why this is not an architecturally good approach, see the article on Complex Federation Identity and Attribute Mapping for Tivoli Federated Idenity Manager from the IBM community blogs.

Some of Tivoli Federated Identity Manager Management Console portlet pages cannot be displayed when the Management Console is installed in WebSphere Application Server 7 Fix Pack 11. (IZ84999)

This workaround ensures that, in this environment, these portlet pages can be displayed.

For a WS-Trust v1.3 request, FIM Security Token Service returns a response with multiple status codes, some of which contain WS-Trust v1.2 URI values. (IZ74691)

The response generated by a STS chain with a TAMAuthorizationSTSModule, TAMAuthenticationSTSModule or AuthorizationSTSModule module for a WS-Trust v1.3 request includes more than 1 status code. In addition, some of the status codes contains a URI value that belongs to the WS-Trust v1.2 specification.

This fix ensures that the WS-Trust v1.3 response returned for a STS chain with a TAMAuthorizationSTSModule, TAMAuthenticationSTSModule or AuthorizationSTSModule has only 1 status code that will contain a URI value belonging to the WS-Trust v1.3 specification.

Invalid URL encoding of the RelayState parameter being performed by the SAML 2.0 SPS module. (IZ82853)

The RelayState parameter is used to share state information between the sender and the receiver of a SAML 2.0 message. The receiver of a RelayState is expected to return the value without any modification. ITFIM SAML 2.0 SPS module used to URL encode the RelayState causing changes on the value in some instances. This fix will modifies the code so it only URL encodes the RelayState during unsolicited (Identity Provider initiated) Single Sign On operations where the Target URL is the value sent in the RelayState.

Recipient checking is not performed correctly by the SAML browser post support. (IZ82874)

If a SAML 1.x service provider needs to accept a samlp:Response that doesn't contain a Recipient attribute, this runtime custom property can be used:

 SAML.AllowNoRecipient=true

Typically the Recipient is a required attribute so there should be no need to set this runtime custom property. It is only offered for uncommon backwards compatibility use cases.

The ITFIM SAML 2.0 STS module fails to validate a SAML 2.0 Assertion containing the NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. (IZ82852)

When configuration a custom STS chain that includes a SAML 2.0 STS module a new configuration parameter has been added to configure the default name id format. This parameter will control the treatment to be given to the unspecified name id format value.

The new parameter is called:

 com.tivoli.am.fim.sts.saml.2.0.assertion.default.nameidformat

The value should be the complete NameID Format that you wish to use for processing the NameID. Most commonly this will be:

 urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

This will cause the NameID included in the assertion to be treated as a string literal and no alias service lookup will be used.

The ITFIM SAML 2.0 STS module is not honoring the default name id format parameter setting (IZ82867)

The SAML 2.0 SPS module allows the customer to specify if signatures are required for the SAML Artifact Resolution Response, SAML Response and SAML Assertion XML documents. The requirement for SAML assertion signature requirement can be fulfilled if the enclosing document is signed. For example a signed SAML Response. The SAML 2.0 SPS module will no longer issue a signature validation error if the assertion is not signed if either the SAML Response or SAML Artifact Resolution Response is signed.

The SAML 2.0 SPS module signs the assertion in instances where the signature policy indicates that the assertion should not be signed. (IZ82870)

The assertion signature is controlled by the WantAssertionsSigned property on the federation and partner configuration. The federation property will override the setting on the partner. That is different for most of the properties on the ITFIM federation configuration.

The WantAssertionsSigned for the federation configuration will be set to true when typical message signature settings is chosen and false when all or none message signature is selected on the federation signature configuration.

Even if WantAssertionSigned is set to false on the federation configuration the Identity Provider might still sign the assertion in two situations:

  1. The WantAssertionsSigned property is set to true on the partner configuration. That property is set during metadata import of the Service Provider partner. The wantAssertionsSigned attribute on the metadata schema for SPDescriptor is used to populate the partner property.
  2. When POST binding is used to deliver the assertion and the AuthnResponse is not signed. In that case the SAML 2.0 specification dictates that the assertion needs to be signed.
  3. If the no message signatures setting is selected and POST binding is used there will be an error if there is no key available to sign the message.

The ITFIM SAML 2.0 STS module is not honoring the default name id format parameter setting (IZ82868)

The IBM Tivoli Federated Identity Manager SAML 2.0 SPS module allows the customer to specify a default name id format to use when the name id format has not been specified. At the Service Provider that value is use to determine the type of treatment that will be given to an unspecified name id format that is received on a SAML assertion. By default, IBM Tivoli Federated Identity Manager will treat unspecified name id format as persistent name id. The SAML 2.0 STS module will process the assertion name identifier with a unspecified name id format according to the value configured on the default name id format configuration selection. For steps on how to set the default name id format configuration parameter using the command line interface see the ITFIM 6.2 Administration Guide.

The ITFIM Authorization STS module connection pool deadlocks if connections are mark for removal (IZ67423)

The ITFIM AuthorizationSTSModule connects to Tivoli Access Manager to make authorization decisions. To perform better it maintains a pool of connections. When an error happens the connection used is mark for removal from the pool. The connection removal code had an issue that caused the STS module to run out of connections and subsequent threads looking for connections would hang. The change provide on this APAR provides two new custom properties to control the amount of connections created and maintained by the pool.

authorizationsts.initial.num.context - Allows customer to specify the initial amount of context objects to be created at startup.
authorizationsts.max.num.context - Allows the customer to specify the maximum amount of context objects to be created throughout.

Key alias not used to select key for XML signature and validation (IZ66397)

By default TFIM out-of-the-box allows an administrator to specify a key to use for signing or validation by having them select an alias from a key store. The alias is not actually used at runtime to select the key, the alias is only used to determine the X.509 Distinguished Name (DN). Once the DN is determined a list of all keys from all key stores is built based on the exact same DN and the oldest still valid X.509 (or Private Key) is used for the specific runtime operation first.

This fix provides two additional options for key selection criteria. The supported key selection criteria are:

  1. Build the list of keys sorted by shortest lifetime first. (default and previous behavior)
  2. Build the list of keys sorted by longest lifetime first.
  3. Use only the key alias.
To configure the above listed key selection criteria the following custom runtime property needs to be set:

Key:  key.selection.criteria

Possible Values (only one can be set):

only.alias - only the alias will be used for select the key. No key list is created.
longest.lifetime - a list of keys built sorted by longest lifetime.
shortest.lifetime - a list of keys built sorted by shortest lifetime.

Enabling OP-identifier authentication to a configured IBM Tivoli Federated Identity Manager OpenID identity provider configuration (IZ44557)

Attempts to pass identifier_select as the claimed identifier to the IBM Tivoli Federated Identity Manager OpenID IDP fail. Despite the fact that TFIM doesn't support XRDS publication directly, it should handle the processing of OP identifier authentications. To maintain the consistency behavior, this APAR adds the support for OP-identifier authentication with a configuration option to enable or disable it. By default it's disabled. To enable this fix, a manual change must be made to the <was_config_root>/itfim/<tfim_domain>/etc/feds.xml on the identity provider to add this parameter:

<fc:EntityProperty name="OPENID.IPSupportOPIdentifier">
 <fim:Value>true</fim:Value>
</fc:EntityProperty>

If the value is missing, the default is false.

If OPENID.IPSupportOPIdentifier is true, then this additional parameter MUST also be included:

<fc:EntityProperty name="OPENID.IPGeneratedClaimedIDPattern">
 <fim:Value>see_below</fim:Value>
</fc:EntityProperty>

The value should be a string template which contains the @ID@ pattern which will be replaced with the user's username. Note this is very similar to the existing Identity Pattern parameter that is used to verify regular claimed identifier logins (not OP-identifier logins), EXCEPT that the OPENID.IPGeneratedClaimedIDPattern parameter is NOT a regular expression it is just a template which must include the replacement macro @ID@.

For example the value could be: https://myidp.com/@ID@

Missing the closing marco delimiter "@" from the consent.html template (IZ44559)

The closing macro delimiter, @OPTIONAL_ATTRIBUTE@, is missing from the consent.html template causing the label field for the optional attributes not to render correctly. To work around this problem, go to the page template <fim_install_root>/pages/<lang>/openid/consent.html and make the following change:

Look for:

<label for="chk_@OPTIONAL_ATTRIBUTE">@OPTIONAL_ATTRIBUTE@</label><br/>

and change to:

<label for="chk_@OPTIONAL_ATTRIBUTE@">@OPTIONAL_ATTRIBUTE@</label><br/>

After making the change, use the console to "Publish Pages", and "Reload Configurations" for the change to take effect.

Configuring performance improvement for the OpenID RP in white-list scenario (IZ44563)

There is a 4x performance hit on single sign-on in scenarios where a relying-party white lists an OpenID identity provider that should be avoided. This APAR provides two configuration parameters to control the performance issues, and they are disabled by default.

The first parameter, "OPENID.DiscoveredInformationExpirationSeconds", has a value which is the number of seconds for which discovered information for any OpenID user-supplied identifier should be cached. If this value is less than or equal to zero, the data is not cached at all (default). controls a cache for discovered information, and should only be used when the same OP identifier login is frequently being used by a majority of the end-users of the system (such as might be done in an intranet deployment).

The second parameter, "OPENID.SkipClaimedIdDiscovery", has a true/false value with the default being false. It controls whether or not verification will be done on claimed identifiers when an OP-identifier login is performed. This should ONLY ever be set to true in an environment where the OP's that may be used with the relying party are trusted, otherwise a security exposure exists. Again, this is typical in an intranet environment.

To configure the performance improvement, manually edit the <was_config_root>/itfim/<tfim_domain>/etc/feds.xml file and add these two configuration parameters to the "Self" configuration parameters for the OpenID relying party federation. To add these parameters, insert them with text similar to:

 <fc:EntityProperty name="OPENID.DiscoveredInformationExpirationSeconds">
  <fim:Value>604800</fim:Value>
 </fc:EntityProperty>
 <fc:EntityProperty name="OPENID.SkipClaimedIdDiscovery">
  <fim:Value>true</fim:Value>
 </fc:EntityProperty>

A good reference for the location to add them is to search for the existing parameter "OPENID.AuthenticationMode" and add them adjacent to that.

Missing the KeyInfo for the holder-of-key type from the SubjectComfirmationMethod (IZ35057)

For the SubjectConfirmationMethod (SCM) to be issued correctly the client when sending the RequestSecurityToken (RST) will need to sign the RST request and include a KeyInfo that can be used for the SCM. To exploit the holder-of-key capability, the XSLT mapping rules must be updated.

The STSUU attribute in the example below is not new but is included for completeness. The example below is for SAML 1.0 and 1.1 Assertions.

<stsuuser:AttributeList>
 <stsuuser:Attribute name="SamlSubjectConfirmationMethod"
       type="urn:oasis:names:tc:SAML:1.0:assertion">
  <stsuuser:Value>
    urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
  </stsuuser:Value>
 </stsuuser:Attribute>
</stsuuser:AttributeList>

For SAML 2.0 Assertions change the values:

urn:oasis:names:tc:SAML:1.0:assertion
urn:oasis:names:tc:SAML:1.0:cm:holder-of-key

to:

urn:oasis:names:tc:SAML:2.0:assertion
urn:oasis:names:tc:SAML:2.0:cm:holder-of-key

Another way to exploit the holder-of-key capability is to pass it as a claim in the RST. The example below is for SAML 1.x:

<wst:Claims Dialect="urn:ibm:names:ITFIM:saml" 
xmlns:fimsaml="urn:ibm:names:ITFIM:saml"
xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" >
 <fimsaml:SAMLClaims>
 <fimsaml:ConfirmationMethod>
  urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
 </fimsaml:ConfirmationMethod>
 </fimsaml:SAMLClaims>
</wst:Claims>

And the example below is for SAML 2.0:

<wst:Claims Dialect="urn:ibm:names:ITFIM:saml"   
xmlns:fimsaml="urn:ibm:names:ITFIM:saml"
xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
 <fimsaml:Saml20Claims> 
 <fimsaml:ConfirmationMethod>
  urn:oasis:names:tc:SAML:2.0:cm:holder-of-key
 </fimsaml:ConfirmationMethod>
 </fimsaml:Saml20Claims>
</wst:Claims>

Availability of new claims attributes for SAML 1.x service provider federations that use browser artifact profile (IZ35742)

In the IBM Tivoli Federated Identity Manager Service Provider (SP) deployments of SAML 1.x when signatures are not used in assertions, it is often required to definitively identify to an application from which identity provider (IdP) source a credential has come. To satisfy this requirement, this fix inserts new attirbutes into the Claims element for SAML 1.x service provider federations that use browser artifact profile. The new attributes are called ArtifactSourceID and ArtifactResolutionServiceEndpoint. The new Claims element attributes will be included in the RequestSecurityToken message that is sent to the Service Provider trust service during single sign-on.

Mapping rules on the Service Provider can use these values to map to an expected Issuer URL and perform that check in the mapping rule and throw an exception if a bad Issuer is detected.

To check for the new attributes ArtifactSourceID and ArtifactResolutionServiceEndpoint of the new SAML claims, you can do the following:

  1. Assuming that your IBM Tivoli Federated Identity Manager environment is already configured with TFIM single sign-on with SAML 1.0 using browser artifact profile and mapping rules.
  2. On the Service Provider machine, turn on the following trace string: com.tivoli.am.fim.trustserver.sts.modules.STSMapDefault=all
  3. Perform single sign-on.
  4. Inspect the SP trace and verify that the STSUU contains SAMLClaims which includes the attributes ArtifactSourceID and ArtifactResolutionServiceEndpoint.

An example STSUU is as follows:

<stsuuser:Attribute name="Claims" type="http://schemas.xmlsoap.org/ws/2005/02/trust"> 
  <stsuuser:Value>
     <wst:Claims xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
        Dialect="urn:ibm:names:ITFIM:saml">
           <fimsaml:SAMLClaims xmlns:fimsaml="urn:ibm:names:ITFIM:saml"
              ProtocolProfile="" TokenUsername=""
              ArtifactSourceID="KmoOP8TQR6rMbUFZwpcy6rtxWzE="          
              ArtifactResolutionServiceEndpoint="http://soap_endpoint">
          </fimsaml:SAMLClaims>
     </wst:Claims>
  </stsuuser:Value>
</stsuuser:Attribute>

Configuration of Novell eDiretory for use as an IBM Tivoli Federated Identity Manager User Registry (IZ34547)

The IBM Tivoli Federated Identity Manager 6.1.1 documentation lists the supported user registries in the "User Registry support" section of the "Hardware and Software Requirements" document.

This document lists support for Novell eDirectory 8.6.x and Novell eDirectory 8.7.x. This section does not list Novell eDirectory 8.8.x, because eDirectory 8.8 was not available at the time and the TAM Base product did not claim support for this level yet. However, TAM claimed support for Novell eDirectory 8.8 in the TAM Base 6.0.0 FP0009 README.

Based upon this information, it would seem that the IBM Tivoli Federated Identity Manager would support eDirectory 8.8.x as a user registry. Support for eDirectory 8.8.x was verified, but in the process it was found that additional configuration steps for eDirectory were required in order to be used by TFIM successfully. These configuration steps are not in the current documentation, so a Tech Note has been written and published that documents the required actions to configure the Novell eDirectory to be a supported TFIM user registry.

The TechNote entitled "Configuration of Novell eDirectory v8.8 required to be a supported IBM Tivoli Federated Identity Manager v6.1.1 user registry" has been published and is publicly available on the TFIM support site.

You must read and follow techNote before attempting to use the Novell eDirectory as an IBM Tivoli Federated Identity Manager user registry.


Documentation for using TAM Login Module in an STS Module Chain (IZ34558)

Configuring the TAM Login Module

The following steps should be performed in order to use the TAM Login Module, shipped with the IBM Tivoli Federated Identity Manager product, with the test application shipped with TFIM, the echoapplication program.

  1. In the WebSphere Application Server (WAS) with the echoapplication installed and running, create a JAAS configuration. In the WAS administration console, browse to "Security" -> "Secure administration, applications and infrastructure".

    Under the "Authentication" section on the right side of the panel expand the "Java Authentication and Authorization" section, and select the "System logins" link.

    Add a new entry for itfim.wssm.tam, then select the new module and specify the "JAAS login modules" with the "Module class name":

    com.tivoli.am.fim.wssm.loginmodules.TAMLoginModule

  2. Import the echoapplication.ear into Rational Application Developer or WebSphere Application Server Toolkit. Then modify:
    1. Extension

      For EchoServiceUsername port component binding, edit the caller part and set:

      URI: <nothing>
      Local name: http://ibm.com/2004/01/itfim/ivcred
    2. Binding

      In the EchoServiceUsername port component binding, change the "Token consumer" jaas.config name to:
      system.itfim.wssm.tam

      Save the new application for later installation into WAS.

  3. In <wssm_install_root>/wssm.properties, add :

    pdjrte.configuration=<path-to-TAM-config-file>

    For example, this can be the same file as used for the IBM Tivoli Federated Identity Manager runtime configuration, i.e.:

    /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/itfim/dp-autotest-server1/nodes/dp-autotestNode01Cell/dp-autotestNode01/server1/amconfig.conf

    This setting is used by the TAM login module.

  4. In the IBM Tivoli Federated Identity Manager trust service, set the application trust chain to issue TAM credentials using the TAM credential module. If an application trust chain was previously created, for example a chain was already created issuing SAML 2.0 credentials, then change the application trust chain to issue TAM credentials rather than SAML 2.0 credentials, for example by editing the application chain and changing the last module from SAML 2.0 to TAM credential module.

  5. Install the new version of the application into WebSphere Application Server and restart WAS.

  6. Using the echoclientapplication, select UsernameToken, and press "WhoAmI". You should see that the JAAS subject has a private WSSMCredential containing the BinarySecurityToken representing the TAM credential. It is a simple matter to read this in and create a TAM PDPrincipal from that (for more information, see the DeveloperWorks tutorial).

    Here's the text from a "WhoAmI" on the browser :

    The web service JAAS subject contains:
    
    Principals:
    Principal: dp-autotest.dp.gc.au.ibm.com:389/wssm-testuser
    
    Public Credentials:
    Public credential type:
    com.ibm.ws.security.auth.WSCredentialImpl
    Public credential value:
    com.ibm.ws.security.auth.WSCredentialImpl@577c577c
    
    Private Credentials:
    Private credential type:
    com.tivoli.am.fim.wssm.credentials.WSSMCredential
    Private credential value: 
    BAKs3DCCAooMADCCAoQwggKAAgIGADBgMC8wHgIEI7pnEAIDANjWAgIR2wICAK8CAUUEBgAMKV90
    NQwNd3NzbS10ZXN0dXNlcjAtMCswHgIEI4/bfAIDANlIAgIR2wICAK8CAUYEBgAMKV90NQwJRWNo
    b1VzZXJzAgEBMIICEzCCAg8wLAwSQVpOX0NSRURfQVVUSFpOX0lEMBYwFAIBBAwNd3NzbS10ZXN0
    dXNlcgQAMCUMD0FaTl9DUkVEX0dST1VQUzASMBACAQQMCUVjaG9Vc2VycwQAMDkMG0FaTl9DUkVE
    X0dST1VQX1JFR0lTVFJZX0lEUzAaMBgCAQQMEWNuPUVjaG9Vc2VycyxjPXVzBAAwRQwUQVpOX0NS
    RURfR1JPVVBfVVVJRFMwLTArAgEEDCQyMzhmZGI3Yy1kOTQ4LTExZGItYWY0Ni0wMDBjMjk1Zjc0
    MzUEADApDBBBWk5fQ1JFRF9NRUNIX0lEMBUwEwIBBAwMSVZfTERBUF9WMy4wBAAwLQwZQVpOX0NS
    RURfUFJJTkNJUEFMX0RPTUFJTjAQMA4CAQQMB0RlZmF1bHQEADAxDBdBWk5fQ1JFRF9QUklOQ0lQ
    QUxfTkFNRTAWMBQCAQQMDXdzc20tdGVzdHVzZXIEADBIDBdBWk5fQ1JFRF9QUklOQ0lQQUxfVVVJ
    RDAtMCsCAQQMJDIzYmE2NzEwLWQ4ZDYtMTFkYi1hZjQ1LTAwMGMyOTVmNzQzNQQAMDYMFEFaTl9D
    UkVEX1JFR0lTVFJZX0lEMB4wHAIBBAwVY249d3NzbS10ZXN0dXNlcixjPXVzBAAwJwwQQVpOX0NS
    RURfVkVSU0lPTjATMBECAQQMCjB4MDAwMDA2MDAEAA==
    
    Private credential type:
    com.tivoli.am.fim.wssm.securitytokens.TAMSecurityToken
    Private credential value:
    com.tivoli.am.fim.wssm.securitytokens.TAMSecurityToken@34c034c
    Private credential type:
    com.ibm.ws.security.token.SingleSignonTokenImpl
    Private credential value:
    com.ibm.ws.security.token.SingleSignonTokenImpl@432e432e
    Private credential type:
    com.ibm.ws.security.token.AuthenticationTokenImpl
    Private credential value:
    com.ibm.ws.security.token.AuthenticationTokenImpl@56165616
    Private credential type:
    com.ibm.ws.security.token.AuthorizationTokenImpl
    Private credential value:
    com.ibm.ws.security.token.AuthorizationTokenImpl@42264226
    

  7. IBM Tivoli Federated Identity Manager Runtime Deployment on z/OS can hang and fail (IZ34559)

    A limitation of the z/OS platform can cause the IBM Tivoli Federated Identity Manager actions to hang and fail. This has been observed with the deployment of the TFIM runtime, and can be diagnosed by examining the WebSphere Application Server log file and looking for a WARNING message such as the following:

     Trace: 2008/02/20 15:30:48.909 01 t=9BE748 c=UNK key=P8 (13007002)
       ThreadId: 00000044
       FunctionName: com.ibm.ws.runtime.component.ThreadMonitorImpl
       SourceId: com.ibm.ws.runtime.component.ThreadMonitorImpl
       Category: WARNING
       ExtendedMessage: BBOO0221W: WSVR0605W: Thread "WebSphere:ORB.thread.pool t=009c22b8"
            (00000022) has been active for 181010 milliseconds and may be hung.
            There is/are 1 thread(s) in total in the server that may be hung.
    

    To resolve this problem, a WebSphere Application Server environment variable that increases an essential thread pool size must be defined.

    To define the environment variable for a standalone application server from the WebSphere administration console, select Servers -> "Application servers -> server_name -> Server Infrastructure -> Administration -> Custom properties.

    Add the property private_bboo_internal_work_thread_pool_size with the value of 5.

    To define the environment variable for a network deployment configuration from the WebSphere administration console, select System Administration -> Deployment manager -> Administration services -> Custom properties.

    As in the standalone environment, add the property private_bboo_internal_work_thread_pool_size with the value of 5.

    Restart the WebSphere Application Server that has had the environment changed. To verify that the new value has taken effect, look for the following message in the output of the server when the server starts:

    BBOM0001I private_bboo_internal_work_thread_pool_size: 5.
    

    These failures have currently only been reported on the deployment of the IBM Tivoli Federated Identity Manager runtime, and the value of 5 has resolved the issue. However, if similar error messages are seen performing other TFIM activities, the pool size environment variable should be increased to resolve the problem.


    Console installation can fail if wsadmin.properties files are out of sync (IZ34562)

    Because this failure is caused by a WebSphere Application Server administration error, it cannot be fixed in a fix pack. Consequently it is a permanent restriction in IBM Tivoli Federated Identity Manager 6.1.1. The same code is used by the fix pack installer so the same restriction applies to fix pack installations.

    Tech Note #1315672 discusses the work-around for this permanent restriction in more detail.


    The FIM Installer fails if a '$' is used in a WebSphere Application Server JKS or P12 file's password (IZ34565)

    Because this is a defect in the installer, it cannot be fixed in a fix pack. Consequently it is a permanent restriction in the IBM Tivoli Federated Identity Manager 6.1.1. The same code is used by the fix pack installer so the same restriction applies to fix pack installations.

    TechNote #1307656 entitled "A $ symbol in a truststore or key store password prevents installation" documents work-arounds for this restriction and is publicly available on the TFIM support site.


    Specifying the transport security protocol for HTTPS connections (IZ29167)

    The default secure protocol for HTTPS connections created by Tivoli Federated Identity Manager is SSL_TLS. To change (override) the default protocol, specify the following runtime custom property in the fim.appservers.properties file:

    com.tivoli.am.fim.soap.client.ssl.protocol= PROTOCOL

    where the value of PROTOCOL can be any of the following values: SSL_TLS, SSL, SSLv2, SSLv3, TLS or TLSv1


    Disabling replay validation detection in a passticket (IZ30074)

    A timestamp is embedded within a passticket, but the time value interval is only granular to a full second. If two passtickets are generated for the same object (user, target app, secret-key) within one second, then the two passtickets will be identical, that is, the passtickets will look to the validator like a "replay attack." To manage this problem, RACF allows "disable replay detection," and this APAR enables Federated Identity Manager to support this functionality.

    To disable replay, you can set either or both of the following custom runtime properties:

    passticket.disable.replay.check.[chainid_uuid]=true
    passticket.disable.replay.check=true

    where chainid_uuid is the value of the chain UUID. For example:

    passticket.disable.replay.check.[uuideb42e428-011b-1ebc-a0cb-9e6c4b35c1c7]=true

    To determine the value of Chain UUID, in the administration console select Trust Service Chains-> Select Action, then select Show Chain ID in column in table. This action selection causes a new column to appear in the table that displays the unique Chain ID.


    Specifying custom Federated Identity Manager runtime properties that force compatible QName generation (IZ30076)

    WebSphere Application Server versions 6.0.2 and 6.1 do not distinguish between LTPA v1 and LTPA v2 tokens in Web Services. Only one BinarySecurityToken ValueType is supported for LTPA tokens, and the QName of the value type is:

    http://www.ibm.com/websphere/appserver/tokentype/5.0.2#LTPA

    When the Federated Identity Manager STS issues an LTPA v2 token, the token is created with the following QName. This QName is correct, but it is not supported by WebSphere Application Server versions 6.0.2 and 6.1:

    http://www.ibm.com/websphere/appserver/tokentype#LTPAv2

    This APAR provides custom Federated Identity Manager runtime properties that force compatible QName generation if needed. To enable compatibility mode, set either or both of the following custom runtime properties:

    ltpa.enable.compat.mode.[chainid_uuid]=true ltpa.enable.compat.mode=true

    where chainid_uuid is the value of the Chain UUID. For example:

    ltpa.enable.compat.mode.[uuideb42e428-011b-1ebc-a0cb-9e6c4b35c1c7]=true

    To determine the value of Chain UUID, in the administration console select Trust Service Chains-> Select Action, then select Show Chain ID in column in table. This action selection causes a new column to appear in the table that displays the unique Chain ID.


    Generating debug statements for identity mapping in XSLT rules (IZ30078)

    When authoring XSLT rules for identity mapping, there is no mechanism to log or trace statements for debugging purposes. This APAR adds an extension that enables you to generate debugging statements to XSLT rules.

    To invoke debug statements for identity mapping, add entries in the XSLT rules using the following syntax:

      <xsl:variable name="variablename" select="mapping-ext:traceString('debug string')">
    

    XSLT identity mapping failed when using the alias server with JDBC (IZ30080)

    This APAR fixes an XSLT identity mapping failure that occurred when using the alias server with JDBC. An XSLT identity mapping that links accounts from a JDBC configure-alias service would fail with the following exception:

    com.tivoli.am.fim.identity.service.jdbc.IdServiceJdbc
    init javax.naming.NoInitialContextException: Need to specify class name in environment or system property,
    or as an applet parameter, or in an application resource file: java.naming.factory.initial
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:657)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:259)
    at javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:296)
    at javax.naming.InitialContext.lookup(InitialContext.java:363)
    at com.tivoli.am.fim.identity.service.jdbc.IdServiceJdbc.(IdServiceJdbc.java:54)
    at com.tivoli.am.fim.identity.service.client.jdbc.IdServiceJdbcClient.(IdServiceJdbcClient.java:66)
    at java.lang.Class.newInstanceImpl(Native Method)
    at java.lang.Class.newInstance(Class.java:1301)
    at org.eclipse.core.internal.registry.osgi.RegistryStrategyOSGI.createExecutableExtension(RegistryStrategyOSGI.java:170)


    Creating a Federated Identity Manager domain might require a WebSphere Application Server restart (IZ33723)

    You might need to restart the WebSphere Application Server if you specified inaccurate information in the security settings panel when creating a Federated Identity Manager domain (or a connection to a domain).

    If you enter correct data and the Federated Identity Manager console successfully connects to the management service (use Test Connection to test the connection), you do not need to reconnect to WebSphere Application Server. If the Federated Identity Manager console cannot connect to the Management Service, even if correct security information is supplied, then you need to restart WebSphere Application Server.


    Profiles using POST artifacts for single sign-on might not work when using WebSphere Application Server 6.1.0.17 or 6.1.0.19 (IZ36892)

    See Tech Note #1326460, "IBM Tivoli Federated Identity Manager 6.1.1 and 6.2 POST profile SSO can fail with a SRVE0216E error". for a description of how to address this problem.


    Use of the Federated Identity Manager configuration tool tfimcfg.jar (IZ34546)

    Run the command (java -jar tfimcfg.jar) to view a list of options associated with the tool.

    A white paper has been added to the Federated Identity Manager support site that explains the use of the tfimcfg.jar tool. The tfimcfg.jar tool is used to configure Tivoli Access Manager WebSEAL as a contact point for a federation. This white paper supplements the information in Configuration of a single sign-on federation in the Installation and Configuration Guide.

    The tfimcfg.jar white paper is listed as "TFIM Configuration Tool V1.pdf" in the Tivoli support Web site.


    Management of keys and keystores by the Federated Identity Manager key service (IZ34554)

    The Federated Identity Manager key service manages keystores (for Signing/Encryption keys and for CA Certificates) and the keys and certificates in these keystores. However, the logical organization of the keys and certificates in keystores and the specification of keys and certificates using KeystoreName_AliasName as part of partner/federation configuration does not accurately represent how the Federated Identity Manager key service actually manages the keys and certificates.

    When the WebSphere Application Server instance where the Federated Identity Manager runtime is installed is started, the Federated Identity Manager runtime will read in all keystore data as part of the initialization of the Federated Identity Manager key service. When a new key/certificate for DN X is added using the Federated Identity Manager console, it is stored in the specified keystore on the disk. The Federated Identity Manager runtime configuration needs to be reloaded to read these keystores and build its maps of DNs and their keys/certs, making them available for use by the Federated Identity Manager key service.

    To reload the Federated Identity Manager runtime configuration so that configuration changes are recognized:

    1. Log in to the console and select Tivoli Federated Identity Manager-> Domain Management-> Runtime Node Management. The Runtime Node Management window is displayed.
    2. Click Reload Configurations.

    When initializing the Federated Identity Manager key service, each of the managed keystores is processed (in an unspecified order), reading in each key/cert in the keystore. Each new key/cert for a DN X is added to the DN-to-key/cert map as follows:

    1. If there is already a different key/cert stored for DN X, then the new key/cert is added to the list of X's keys/certs in order of expiration date.
    2. If there is already an identical key/cert stored for DN X then the new key/cert is discarded.
    3. If the new cert's signing key is already stored, then the cert is discarded.
    4. If the new key is a signing key for an already stored cert for X, then the cert is discarded, the key is added to the map, and X's key/cert mapping is changed to point to this new key.

    The keys/certificates are managed in this fashion to allow for "key rollover," which is the process that allows both a soon-to-expire key/cert and a new key/cert to reside in the keystores. Communications can occur using both keys/certificates while the new certificate is being disseminated to services that must use the certificate.

    Consider the following example:

    keystore1(Signing/EncryptionKeys)keyA1DN:CN=A,O=Comp,C=USexpires:Dec31,2010serial=1234keyB1DN:CN=B,O=Comp,
    C=USexpires:Dec31,2010serial=2345certstore1(CACertificates)certA1DN:CN=A,O=Comp,
    C=USexpires:Dec31,2010serial=1234certC1DN:CN=C,O=Comp,C=USexpires:May31,2007serial=4567certC2DN:CN=C,O=Comp,
    C=USexpires:Dec31,2007serial=5678keystore2(Signing/EncryptionKeys)keyB2DN:CN=B,O=Comp,
    C=USexpires:Dec31,2010serial=2345certstore2(CACertificates)certC3DN:CN=C,O=Comp,C=US expires:Dec 31,2007 serial=5678

    Keystores are processed in the order (first to last):

    certstore1
    keystore1
    certstore2
    keystore2
    

    After the Federated Identity Manager key service processes all of the keystores, the reference for the DN's in the example will be:

    1. CN=A,O=Comp,C=US will map to the keystore1_keyA1 key alias, since the private/public key pair takes precedence over the public certificate of certstore1_certA1.
    2. CN=B,O=Comp,C=US will map to the keystore1_keyB1 key alias since it was the first key found, and duplicate keystore2_keyB2 is discarded/ignored.
    3. CN=C,0=Comp,C=US will map to a chain with the certs certstore1_certC1 and certstore1_certC2. The duplicate cert certstore2_certC3 is discarded/ ignored.

    There are limitations with certain versions of the javax.net.ssl shipped with Java Secure Socket Extension (JSSE) that do not allow the specification of a CA certificate stored as a public/private key pair in a keystore that is for Signing/Encryption keys. A certificate used to validate a server for an SSL connection cannot be stored as part of a public/private key pair in a keystore.

    NOTE: This issue will only occur with WebSphere Application Server version 6.0.2.x.

    Referring to the example scenario above, this would occur if the specification for a CA certificate was keystore1_key1 OR certstore1_certA1, because the keystore1_key1 key would take precedence. (This could be considered an improper configuration since a public certificate should only be stored as a public signer certificate in a trusted keystore with CA certificates, and secure communications should not have a server, signing with a key, and a client, validating with a certificate, using the same DN.)

    This limitation will result in an "unknown certificate" exception occurring when the Federated Identity Manager runtime attempts to establish an SSL connection as part of an SSO protocol operation. The exception would be similar to the following:

      [4/19/07 16:26:42:233 GMT] 00000048 HttpClientImp I com.tivoli.am.fim.soap.client.HttpClientImpl doRequest
      javax.net.ssl.SSLHandshakeException: unknown certificate
    	at com.ibm.jsse.bv.a(bv.java:67)
    	at com.ibm.jsse.bv.startHandshake(bv.java:163)
    	at com.ibm.net.ssl.www2.protocol.https.b.o(b.java:136)
    	at com.ibm.net.ssl.www2.protocol.https.i.connect(i.java:28)
    	at com.ibm.net.ssl.www2.protocol.http.bc.getOutputStream(bc.java:44)
    	at com.ibm.net.ssl.www2.protocol.https.l.getOutputStream(l.java:23)
    	at com.tivoli.am.fim.soap.client.HttpClientImpl.sendRequest(Unknown Source)
    	at com.tivoli.am.fim.soap.client.HttpClientImpl.doRequest(Unknown Source)
    	at com.tivoli.am.fim.soap.client.SOAPClientImpl.send(Unknown Source)
    	at com.tivoli.am.fim.saml.protocol.soap.SAMLSOAPClient.send(Unknown Source)
    	at com.tivoli.am.fim.saml.protocol.soap.SAMLSOAPClient.send(Unknown Source)
    	at com.tivoli.am.fim.saml20.types.SAML20HTTPSOAPResponseWriterImpl.sendSoapRequestMessage(Unknown Source)
    	at com.tivoli.am.fim.saml20.types.SAML20HTTPSOAPResponseWriterImpl.writeResponse(Unknown Source)
    	at com.tivoli.am.fim.saml20.protocol.actions.SAML20SendMessageAction.runProtocol(Unknown Source)
    	at com.tivoli.am.fim.fedmgr2.protocol.ProtocolActionChainImpl.runProtocol(Unknown Source)
    	at com.tivoli.am.fim.fedmgr2.proper.FederationManager.doChainAndResponseOnDelegate(Unknown Source)
    	at com.tivoli.am.fim.fedmgr2.proper.FederationManager.finishProcessingWithDelegateId(Unknown Source)
    	at com.tivoli.am.fim.fedmgr2.proper.FederationManager.processRequest(Unknown Source)
    	at com.tivoli.am.fim.fedmgr2.servlet.SSOPSServletBase.doRequest(Unknown Source)
    	at com.tivoli.am.fim.fedmgr2.servlet.SSOPSServlet.doGet(Unknown Source)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    	at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1282)
    	at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:673)
    	at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:2965)
    	at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:221)
    	at com.ibm.ws.webcontainer.VirtualHost.handleRequest(VirtualHost.java:210)
    	at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1931)
    	at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:84)
    	at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:472)
    	at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:411)
    	at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:288)
    	at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminaters(NewConnectionInitialReadCallback.java:207)
    	at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:109)
    	at com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java:566)
    	at com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java:619)
    	at com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java:952)
    	at com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java:1039)
    	at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1470)
    

    To eliminate this problem, configure the Federated Identity Manager runtime to use IBMJSSE2 which will support the extraction of a public certificate from a private/public key pair. A runtime custom property value can be set for the runtime node that experiences the error. This is done in the Federated Identity Manager administration console by selecting Domain Management-> Runtime Node Management-> Runtime Custom Properties. Create a property with a name of "com.tivoli.am.fim.soap.client.jsse.provider" and a value of "IBMJSSE2" then restart WebSphere Application Server.

    The Federated Identity Manager runtime will use the IBMJSSE2 provider as the default. The runtime custom property com.tivoli.am.fim.soap.client.jsse.provider can be used to specify IBMJSSE as the provider if desired.


    Querying the Federated Identity Manager runtime status (IZ34555)

    It is impossible to query the Federated Identity Manager runtime status from the eWAS console. The following wsadmin commands show how to query the Federated Identity Manager runtime's status and how to start and stop the Federated Identity Manager runtime from the command line. These commands assume the WebSphere Application Server instance is named "server1."


    Fix pack installation script fails due to SOAP port mismatch (IZ37076)

    The fix pack installation of the Federated Identity Manager runtime must connect to a WebSphere Application Server SOAP port in order to deploy the runtime. The fix pack installer acquires its SOAP port value from the following line in the /<-installation-directory>/etc/fim.appservers.properties file of the Federated Identity Manager instance being patched:

    was.soap.port=8880

    OR

    ewas.soap.port=8880

    This value is set in the file when the Federated Identity Manager instance is installed.

    For the connection to be successful, the WebSphere Application Server instance to which it is being deployed must still be using that SOAP port. If it is not, then the Federated Identity Manager fix pack installation fails in the WebSphere Application Server UPDI and the error is reported as:

    Prerequisite checking has failed. Click Back to select a different package, or click Cancel to exit.

    Associated failure messages are:

    The WebSphere server does not seem to be listening in host localhost port 8881 as specified in /opt/IBM/FIM/etc/fim.appservers.properties. Make sure the server is running and that the specified port and host are correct.

    If the specified port is different than the actual SOAP port used, then change the value in the fim.appservers.properties file to agree with the port being used by WebSphere Application Server and reapply the fix pack.


    Documentation for using the Tivoli Access Manager Login Module in an STS module chain (IZ34558)

    Configuring the Tivoli Access Manager Login Module

    The following steps should be performed in order to use the Tivoli Access Manager Login Module, shipped with the Federated Identity Manager product, with the test application shipped with Federated Identity Manager, the echoapplication program.

    1. In the WebSphere Application Server instance with the echoapplication installed and running, create a JAAS configuration. In the WebSphere Application Server administration console, browse to Security->Secure administration, applications and infrastructure.

      Under the Authentication section on the right side of the panel, expand the Java Authentication and Authorization section, and select the System logins link.

      Add a new entry for itfim.wssm.tam, then select the new module and specify the "JAAS login modules" with the "Module class name":

      com.tivoli.am.fim.wssm.loginmodules.TAMLoginModule

    2. Import the echoapplication.ear into Rational Application Developer or WebSphere Application Server Toolkit. Then modify:
      1. Extension

        For EchoServiceUsername port component binding, edit the caller part and set:

        URI: <nothing>

        Local name: http://ibm.com/2004/01/itfim/ivcred

      2. Binding

        In the EchoServiceUsername port component binding, change the "Token consumer" jaas.config name to:

        system.itfim.wssm.tam

        Save the new application for later installation into WebSphere Application Server.

    3. In <wssm_install_root>/wssm.properties, add:

      pdjrte.configuration=<path-to-TAM-config-file>

      For example, this can be the same file as used for the Federated Identity Manager runtime configuration, i.e.:

      /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/itfim/dp-autotest-server1/
      nodes/dp-autotestNode01Cell/dp-autotestNode01/server1/amconfig.conf

      This setting is used by the Tivoli Access Manager login module.

    4. In the Federated Identity Manager trust service, set the application trust chain to issue Tivoli Access Manager credentials using the Tivoli Access Manager credential module. If an application trust chain was previously created, for example a chain was already created issuing SAML 2.0 credentials, then change the application trust chain to issue Tivoli Access Manager credentials rather than SAML 2.0 credentials, for example by editing the application chain and changing the last module from SAML 2.0 to Tivoli Access Manager credential module.
    5. Install the new version of the application into the WebSphere Application Server (WAS) and restart WAS.
    6. Using the echoclientapplication, select UsernameToken, and press "WhoAmI". You should see that the JAAS subject has a private WSSMCredential containing the BinarySecurityToken representing the Tivoli Access Manager credential. It is a simple matter to read this in and create a Tivoli Access Manager PDPrincipal from that (for more information, see the DeveloperWorks tutorial).

      Here's the text from a "WhoAmI" on the browser:

      The web service JAAS subject contains:
      
      Principals:
      Principal: dp-autotest.dp.gc.au.ibm.com:389/wssm-testuser
      
      Public Credentials:
      Public credential type:
      com.ibm.ws.security.auth.WSCredentialImpl
      Public credential value:
      com.ibm.ws.security.auth.WSCredentialImpl@577c577c
      
      Private Credentials:
      Private credential type:
      com.tivoli.am.fim.wssm.credentials.WSSMCredential
      Private credential value: <wss:binarysecuritytoken
      
      
      
      
      wsu:id="uuiddd1a9699-0113-1259-beb9-e017c8c721d4" valuetype=
      
      
      
      
         "http://ibm.com/2004/01/itfim/ivcred"
      
      
      
      
      encodingtype="http://ibm.com/2004/01/itfim/base64encode"
      xmlns:wss= "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsu= "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:itam="urn:ibm:names:ITFIM:5.1:accessmanager">
      BAKs3DCCAooMADCCAoQwggKAAgIGADBgMC8wHgIEI7pnEAIDANjWAgIR2wICAK8CAUUEBgAMKV90
      NQwNd3NzbS10ZXN0dXNlcjAtMCswHgIEI4/bfAIDANlIAgIR2wICAK8CAUYEBgAMKV90NQwJRWNo
      b1VzZXJzAgEBMIICEzCCAg8wLAwSQVpOX0NSRURfQVVUSFpOX0lEMBYwFAIBBAwNd3NzbS10ZXN0
      dXNlcgQAMCUMD0FaTl9DUkVEX0dST1VQUzASMBACAQQMCUVjaG9Vc2VycwQAMDkMG0FaTl9DUkVE
      X0dST1VQX1JFR0lTVFJZX0lEUzAaMBgCAQQMEWNuPUVjaG9Vc2VycyxjPXVzBAAwRQwUQVpOX0NS
      RURfR1JPVVBfVVVJRFMwLTArAgEEDCQyMzhmZGI3Yy1kOTQ4LTExZGItYWY0Ni0wMDBjMjk1Zjc0
      MzUEADApDBBBWk5fQ1JFRF9NRUNIX0lEMBUwEwIBBAwMSVZfTERBUF9WMy4wBAAwLQwZQVpOX0NS
      RURfUFJJTkNJUEFMX0RPTUFJTjAQMA4CAQQMB0RlZmF1bHQEADAxDBdBWk5fQ1JFRF9QUklOQ0lQ
      QUxfTkFNRTAWMBQCAQQMDXdzc20tdGVzdHVzZXIEADBIDBdBWk5fQ1JFRF9QUklOQ0lQQUxfVVVJ
      RDAtMCsCAQQMJDIzYmE2NzEwLWQ4ZDYtMTFkYi1hZjQ1LTAwMGMyOTVmNzQzNQQAMDYMFEFaTl9D
      UkVEX1JFR0lTVFJZX0lEMB4wHAIBBAwVY249d3NzbS10ZXN0dXNlcixjPXVzBAAwJwwQQVpOX0NS
      RURfVkVSU0lPTjATMBECAQQMCjB4MDAwMDA2MDAEAA==
      
      
      
      
      </wss:binarysecuritytoken>
      Private credential type:
      com.tivoli.am.fim.wssm.securitytokens.TAMSecurityToken
      Private credential value:
      com.tivoli.am.fim.wssm.securitytokens.TAMSecurityToken@34c034c
      Private credential type:
      com.ibm.ws.security.token.SingleSignonTokenImpl
      Private credential value:
      com.ibm.ws.security.token.SingleSignonTokenImpl@432e432e
      Private credential type:
      com.ibm.ws.security.token.AuthenticationTokenImpl
      Private credential value:
      com.ibm.ws.security.token.AuthenticationTokenImpl@56165616
      Private credential type:
      com.ibm.ws.security.token.AuthorizationTokenImpl
      Private credential value:
      com.ibm.ws.security.token.AuthorizationTokenImpl@42264226
        


    Federated Identity Manager runtime deployment on z/OS might hang and fail (IZ34559)

    A limitation of the z/OS platform can cause Federated Identity Manager actions to hang and fail. This has been observed with the deployment of the Federated Identity Manager runtime, and can be diagnosed by examining the WebSphere Application Server log file and looking for a WARNING message such as the following:

     Trace: 2008/02/20 15:30:48.909 01 t=9BE748 c=UNK key=P8 (13007002)
       ThreadId: 00000044
       FunctionName: com.ibm.ws.runtime.component.ThreadMonitorImpl
       SourceId: com.ibm.ws.runtime.component.ThreadMonitorImpl
       Category: WARNING
       ExtendedMessage: BBOO0221W: WSVR0605W: Thread "WebSphere:ORB.thread.pool t=009c22b8"
            (00000022) has been active for 181010 milliseconds and may be hung.
            There is/are 1 thread(s) in total in the server that may be hung.
    

    To resolve this problem, define the WebSphere Application Server environment variable to increase an essential thread pool size.

    To define the environment variable for a standalone application server from the WebSphere administration console, browse to: Servers-> Application servers-> server_name-> Server Infrastructure-> Administration-> Custom properties.

    Add the property private_bboo_internal_work_thread_pool_size with the value of 5.

    To define the environment variable for a network deployment configuration from the WebSphere administration console, browse to: System Administration-> Deployment manager-> Administration services-> Custom properties.

    As in the standalone environment, add the property private_bboo_internal_work_thread_pool_size with the value of 5.

    Restart the WebSphere Application Server instance that has had the environment changed. To verify that the new value has taken effect, when the server starts look for this message in the output of the server:

    BBOM0001I private_bboo_internal_work_thread_pool_size: 5.

    These failures have currently only been reported on the deployment of the Federated Identity Manager runtime, and the value of 5 has resolved the issue. However, if similar error messages are seen performing other Federated Identity Manager activities, the pool size environment variable should be increased to resolve the problem.


    An RP cannot always display an appropriate login identifier (IZ34573)

    With the capability to perform OP-identifier based login, the RP needs to differentiate this use case so that an appropriate login identifier can be displayed on the screen to end users. It does not make sense to display the user-supplied identifier (which is the "normal" choice) if an OP-identifier like yahoo.com was used for login.

    The fix for this defect introduces a new OpenID claims attribute to the call between the IBM Tivoli Federated Identity Manager SPS and the STS. The claims attribute has been added to both IDP and RP implementations, though at the time of writing the IDP doesn't support OP-Identifier login, so should always be false. For the RP (which does support entering OP Identifiers like yahoo.com), the value will be true if OpenID 2 login is being used and the login occurred using the claimed identifier of http://specs.openid.net/auth/2.0/identifier_select.

    The following is an example of the claims when an OP Identifier is used at the RP:

    <wst:Claims xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" Dialect="urn:ibm:names:ITFIM:openid">
      <fimopenid:OpenIDClaims xmlns:fimopenid="urn:ibm:names:ITFIM:openid"
        ClaimedId="https://sbweeden.myopenid.com/"
        IdentityURL="https://www.myopenid.com"
        IsOPIdentifierLogin="true"
        NormalizedIdentityURL="https://sbweeden.myopenid.com/"
        OPLocalId="https://sbweeden.myopenid.com/"
        OpenIDServerURL="https://www.myopenid.com/server"
        ReturnTo="https://ibmaus27.lnk.telstra.net/FIM/sps/openidfedsp/openid/loginreturn?nonce=uuid8cf114bc-011c-1594-a9ec-b42cb8676ee1"
        Signed="openid.assoc_handle,openid.claimed_id,openid.identity,openid.mode,openid.ns,openid.ns.sreg,openid.op_endpoint,openid.response_nonce,openid.return_to,openid.signed,openid.sreg.email,openid.sreg.fullname,openid.sreg.nickname"
        Target="https://ibmaus27.lnk.telstra.net:443/FIM/demo/protected/sp/textlanding.jsp"
        Version="http://specs.openid.net/auth/2.0" />
      </wst:Claims>
    

    In this case, the IdentityURL contains the user-supplied identifier https://www.myopenid.com, and the IsOPIdentifierLogin is set to true.


    Configurations to use Oracle database for the IBM Tivoli Federated Identity Manager Alias service (IZ56548)

    Attempts to use Oracle database for TFIM alias service displayed errors like:

    com.ibm.ws.ejbpersistence.utilpm.PersistenceManagerException:
    PMGR1012E: The current backend id DB2UDBNT_V8_1, does not match
               the datasource connected to.

    To fix this error, follow these additional steps after installing the Fix Pack (assume on UNIX-based system):
    1. Configure FIM for use of Oracle as the Alias service:
      1. Create a backup of the itfim.ear file using the following commands:
        1. cd FIM_INSTALL_DIR/pkg/release
        2. cp itfim.ear itfim-orig.ear
      2. Modify the EAR to be Oracle-aware for deployment, using the following commands:
        1. mkdir /tmp/work
        2. rm FIM_INSTALL_DIR/pkg/release/itfim.ear
        3. WEBSPHERE_INSTALL_DIR/AppServer/bin/ejbdeploy.sh FIM_INSTALL_DIR/pkg/release/itfim-orig.ear /tmp/work FIM_INSTALL_DIR/pkg/release/itfim-oracle.ear -dbschema FIMAliasesSchema -dbname FIMAliases -dbvendor ORACLE_V10G -trace

          NOTE: Set the value of the input parameter "dbvendor" to "ORACLE_V11G" for Oracle Database 11g.

        4. cp FIM_INSTALL_DIR/pkg/release/itfim-oracle.ear FIM_INSTALL_DIR/pkg/release/itfim.ear
        5. rm -rf /tmp/work
      3. A new FIM_INSTALL_DIR/pkg/release/itfim.ear should now be available for deployment to work with Oracle. Use a text editor to update the file FIM_INSTALL_DIR/pkg/software.properties to change the property com.tivoli.am.fim.rte.software.serialId to a different value (e.g. increment).
      4. Use the TFIM console to navigate to Tivoli Federated Identity Manager -> Domain Management -> Runtime Node Management. There should be a message indicating that a new runtime is available for deployment. Use the console to deploy the new runtime.
      5. After deployment, restart the WebSphere process(es) on which the runtime is deployed.
    2. For more details including setting up Oracle database and configuring the WebSphere Application Server to use JDBC, see technote entitled "After installing FP3 for FIM 6.2, Oracle db still can not be used for FIM Alias Service." , which has been published and is publicly available on the TFIM support site.

    If you receive subsequent fixpacks, or anything that alters the deployed itfim.ear, step 1 above needs to be re-performed.


    The IBM Tivoli Federated Identity Manager Configuration Guide does not describe the steps to enable certificate revocation list checking for certificates that are used for XML message signing, verification, encryption, and decryption. (102791)

    From the updated TFIM Configuration Guide, the steps are:

    1. Login to the Console, and click Tivoli Federated Identity Manager -> Domain Management -> Runtime Node Management. The Runtime Node Management panel is displayed.
    2. Click Runtime Custom Properties. The Runtime Custom Property panel is displayed.
    3. Click Create. A list item is added to the list of properties with the name of new key and a value of new value.
    4. Select the newly created placeholder property.
    5. Type kessjksservice.revocation.enabled in the Name field.
    6. Type true in the Value field.
    7. Click OK to apply the changes that you have made and exit from the panel.


    Software limitations

    None.


    Known problems and workarounds

    None.


    Notices

    This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

    IBM Director of Licensing
    IBM Corporation
    North Castle Drive
    Armonk, NY 10504-1785
    U.S.A.

    For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

    Intellectual Property Licensing
    Legal and Intellectual Property Law
    IBM Japan, Ltd.
    1623-14, Shimotsuruma, Yamato-shi Kanagawa 242-8502 Japan

    The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

    INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

    This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

    Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

    IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

    Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information that has been exchanged, should contact:

    IBM Corporation
    2Z4A/101
    11400 Burnet Road
    Austin, TX 78758
    U.S.A.

    Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

    The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

    Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

    Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

    All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

    This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.


    Trademarks

    IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at &odq;Copyright and trademark information&cdqg; at www.ibm.com/legal/copytrade.shtml.

    The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

    AIX
    IBM
    IBM logo
    iSeries
    pSeries
    S/390
    Tivoli
    Tivoli logo
    xSeries
    zSeries

    Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

    IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

    Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

    Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

    Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

    ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

    UNIX is a registered trademark of The Open Group in the United States and other countries.

    Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

    Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

    Other company, product, and service names may be trademarks or service marks of others.