©Copyright International Business Machines Corporation 2008, 2011. All rights reserved. U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
NOTE: Before using this information and the product it supports, read the general information under Notices in this document.
Date: Friday, 22 July 2011
This cumulative fix pack corrects problems in IBM Tivoli Federated Identity Manager Business Gateway (Federated Identity Manager Business Gateway), Version 6.2.0. It requires that Federated Identity Manager Business Gateway, Version 6.2.0, be installed. After installing this fix pack, your Federated Identity Manager Business Gateway installation will be at level 6.2.0.9.
Potential cross-site scripting vulnerabiltity via macros in event page template files
Some IBM Tivoli Federated Identity Manager page macros might be vulnerable to cross site scripting attacks when their values are not properly encoded. Contact IBM Support for the list of macros that might be subjected to this issue. To remediate this, add the macros provided by IBM Support to the list of comma-separated tokens in the runtime custom property SPS.PageFactory.HtmlEscapedTokens. Add these macro so that their values are HTML-escaped in the template files. For example, if the list of macros provided is:
the value of the runtime custom property SPS.PageFactory.HtmlEscapedTokens with the above macros added can be:
@REQ_ADDR@,@DETAIL@,@EXCEPTION_STACK@,@EXCEPTION_MSG@,@RESPONSE@,@TARGET@,@DETAIL@,@SAMLSTATUS@,@EXAMPLE_MACRO1@,@EXAMPLE_MACRO2@,@EXAMPLE_MACRO3@
NOTE: Other macros that are prone to cross site scripting vulnerability can also be added to SPS.PageFactory.HtmlEscapedTokens. The value of this runtime custom property will be revised periodically and update as needed. For more information regarding the runtime custom property, access http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.tivoli.fim.doc_6.2.0%2Freference%2FCustomPropsSPS.html.
Possible security exposure with IBM WebSphere Application Server with WS-Security enabled applications using LTPA tokens (CVE-2011-1377)
The security that the IBM WebSphere Application Server provides might be weaker than expected when using web services security (WS-Security). A user might randomly gain elevated privileges on the provider system. WS-Security might assign the identity of a previously processed LTPA token to a new inbound LTPA token after authentication. This impacts applications using either JAX-WS and JAX-RPC.
Versions affected:
The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the fix, access http://www.ibm.com/support/docview.wss?uid=swg21587536
Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed fix installation instructions.
Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476)
This Security Alert addresses a serious security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability may cause the Java Runtime Environment to go into a hang, infinite loop, and/or crash resulting in a denial of service exposure. This same hang may occur if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program using the Double.parseDouble method is also at risk of this exposure including any customer written application or 3rd party written application.
The following products contain affected versions of the Java Runtime Environment:
The same iFix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the iFix access http://www-01.ibm.com/support/docview.wss?uid=swg21462019
You must use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI is not previously installed, download the WUI from http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer access here.
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.
JAVA.LANG.RUNTIMEEXCEPTION: SRV.8.2: REQUESTWRAPPER OBJECTS MUST EXTEND SERVLETREQUESTWRAPPER OR HTTPSERVLETREQUESTWRAPPER (PM10357)
This APAR PM10357 is reported for WebSphere Application Server (WAS) v6.1. As a result of this APAR, operations in the IBM Tivoli Federated Identity Manager Management Console can fail with the following exception observed in the log if the Management Console is deployed on an affected version of WAS v6.1:
java.lang.RuntimeException: SRV.8.2: RequestWrapper objects must extend ServletRequestWrapper or HttpServletRequestWrapper
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.
The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager.
The IBM WebSphere Update Installer (WUI) must be used to apply the fix. If the WUI has not previously installed, download the WUI from http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer access here.
This fix pack package contains:
This fix pack is distributed as an electronic download from the IBM Support Web Site.
This fix pack package supports the same operating system releases that are listed in the Hardware and software requirements topic for the Federated Identity Manager Business Gateway Version 6.2.0.
ATTENTION: In April 2009, FP0002 added support for WebSphere Application Server Release 7.0 Fix Pack 3 (release date March 27, 2009)
ATTENTION: In May 2009, FP0002 added support for Windows 2003 Server x86-64.
ATTENTION: In July 2009, FP0002 added support for Oracle 10g.
ATTENTION: In September 2009, FP0002 added support for Suse Linux Enterprise Server 11 (SLES 11) x86, x86-64, zSeries, pSeries. Note: Defect 91189, Webseal not configuring on SLES 11
ATTENTION: In November 2009, FP0003 added support for Internet Explorer 8 (IE8
ATTENTION: In November 2009, FP0003 added support for Windows 2008 R2 Server (x86-64). Note: 90900: GUI not thrown on GUI install for WIN2K8 R2, Workaround: -console mode is required on Windows 2008 R2 (e.g., on linux ./install_linux_x86.bin -console)
ATTENTION: In December 2009, FP0003 added support for Mozilla FireFox 3.5.
ATTENTION: In March 2010, FP0002 added support for z/OS 1.11 System z.
ATTENTION: In December 2010, FP0008 added support for Red Hat Enterprise Linux (RHEL) 5.0 Advanced Platform x86, Red Hat Enterprise Linux (RHEL) 5.0 Advanced Platform x86-64, SUSE Linux Enterprise Server (SLES) 10.0 x86, SUSE Linux Enterprise Server (SLES) 10.0 x86-64, SUSE Linux Enterprise Server (SLES) 11.0 x86, SUSE Linux Enterprise Server (SLES) 11.0 x86-64, Windows Server 2008 Enterprise Edition x86, Windows Server 2008 Enterprise Edition x86-64, Windows Server 2008 Standard Edition x86, Windows Server 2008 Standard Edition x86-64 and Windows Server 2008 R2 Enterprise Edition x86-64 on VMware ESX 4.0.
ATTENTION: In December 2010, FP0008 added support for Red Hat Enterprise Linux (RHEL) 5.0 Advanced Platform x86, Red Hat Enterprise Linux (RHEL) 5.0 Advanced Platform x86-64, SUSE Linux Enterprise Server (SLES) 10.0 x86, SUSE Linux Enterprise Server (SLES) 10.0 x86-64, SUSE Linux Enterprise Server (SLES) 11.0 x86, SUSE Linux Enterprise Server (SLES) 11.0 x86-64, Windows Server 2008 Enterprise Edition x86, Windows Server 2008 Enterprise Edition x86-64, Windows Server 2008 Standard Edition x86, Windows Server 2008 Standard Edition x86-64 and Windows Server 2008 R2 Enterprise Edition x86-64 on Red Hat Enterprise Virtualization Hypervisor (RHEV-H) / KVM 5.4.
ATTENTION: In December 2010, FP0008 added support for AIX 6.1 on IBM Power7 PowerVM Hypervisor. Support for POWER 7 is dependent on the upgrade to ITDS 6.1 Fixpack 5.
ATTENTION: In December 2010, FP0008 added support for Red Hat Enterprise Linux (RHEL) 4.0 AS/ES System z, Red Hat Enterprise Linux (RHEL) 5.0 Advanced Platform System z, SUSE Linux Enterprise Server (SLES) 10.0 System z, SUSE Linux Enterprise Server (SLES) 11.0 System z, z/OS 1.10 and z/OS 1.11 on IBM z/VM Hypervisor 6.1.
ATTENTION: In December 2010, FP0008 added support for Red Hat Enterprise Linux (RHEL) 4.0 AS/ES System z, Red Hat Enterprise Linux (RHEL) 5.0 Advanced Platform System z, SUSE Linux Enterprise Server (SLES) 10.0 System z, SUSE Linux Enterprise Server (SLES) 11.0 System z, z/OS 1.10 and z/OS 1.11 on IBM PR/SM z10.
ATTENTION: In December 2010, FP0008 added support for IBM Tivoli Directory Server 6.2.
ATTENTION: In December 2010, FP0008 added support for Oracle Database 11g Enterprise Edition Release 1.
ATTENTION: In December 2010, FP0008 added support for Oracle Database 11g Enterprise Edition Release 2.
ATTENTION: In March 2011, FP0008 added support for LPAR AIX 7.1. Note: WPAR is not supported for any supported version of AIX.
6.2.0-TIV-TFIMBG-FP0001
6.2.0-TIV-TFIMBG-FP0002
6.2.0-TIV-TFIMBG-FP0003
6.2.0-TIV-TFIMBG-FP0008
Federated Identity Manager Business Gateway consists of the following components that can be installed separately:
This fix pack applies only to the administration console and management service and runtime components (first two components listed above). These two components must be at the same level. Therefore, if you install a fix pack for either the administration console component or the management service and runtime component, you must install the corresponding fix pack for the other of these two components. If the administration console and management service and runtime components are not at the same fix pack level, they are not guaranteed to interoperate with each other as designed.
The following problems are corrected by this fix pack. For more information about the APARs listed here, refer to the Federated Identity Manager Business Gateway support site.
- when calling the artifact service and passing in an assertion to get back an artifact, and
- if a custom module encounters an error and generates an exception stack trace that includes some special characters.
Be aware of the following considerations before installing this fix pack:
Because Federated Identity Manager Business Gateway is a 32-bit application its default path when installing on Windows Server 2008 changes from
C:\Program Files\IBM\FIM
to:
C:\Program Files (x86)\IBM\FIM
NOTE: The installation path name change also affects a 32-bit WebSphere Application Server on Windows Server 2008:
C:\Program Files\IBM\WebSphere
changes to:
C:\Program Files (x86)\IBM\WebSphere
C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance
for Windows or
/opt/IBM/WebSphere/UpdateInstaller/maintenance
for Unix/Linux
You must unzip the downloaded file before you attempt to apply the patch. The unzipped contents are one or more pak files. Each pak file corresponds to one or more product components. For example, a fix pack might contain two pak files: one for the administration console and management service and runtime components, and one for the WSSM component. The full list of product components is described in Fix pack structure.
You use WebSphere Update Installer to apply the fixes of each pak file to the target component on the system
that you are updating.
Apply all of the pak files that are required by your installation to ensure that the software levels in
your environment are identical for all of the components for which a pak file is supplied.
The fixes are tested against all affected components; therefore, to minimize any possible issue that can
arise from applying a partial fix, ensure the you apply the complete set of files.
See
If this is the first time you are applying the fix pack to Federated Identity Manager Business Gateway, you must download and install the enablement fix for Tivoli Federated Identity Manager Business Gateway.
NOTE: Perform the following steps only if this is the first time you are applying a fix pack. You will not need to perform these steps for subsequent product updates.
jar
-xvf to unzip the file or download
an unzip utility from the HPUX Connect site.
NOTE: If you are prompted to overwrite existing files, accept it so that the target files are overwritten.
NOTE: Before installing this fix pack, be sure that you have reviewed the prerequisites in Before installing the fix pack.
To obtain the fix pack:
If security is enabled on the WebSphere Application Server
where Federated Identity Manager Business Gateway is installed, you must set
the appropriate password values in the fim.appservers.properties file before you can
apply the fix pack.
If security is not enabled, you can skip this step.
NOTE: If you add passwords to the fim.appservers.properties file, as described below,
you specify these passwords using plain text. However, at the end of the fix pack
installation process these passwords are obfuscated and will no longer be available in
plain text format.
To specify security passwords, use the following procedure:
FIM_INSTALL_DIR/etc/fim.appservers.properties.was.security.enabled property is present in the
fim.appservers.properties file and is set to true then
you must add two password properties to the file:
was.admin.user.pwd property with a value of the administrator
login password for the WebSphere Application Server
where Federated Identity Management Business Gateway is deployedwas.truststore.pwd property with a value of the password for
the trust store used for client-side SSL authentication in that
WebSphere Application Serverwas.admin.user.pwd=was_admin_pwwas.truststore.pwd=truststore_pwewas.security.enabled property is present in the
fim.appservers.properties file and is set to true then
you must add two password properties to the file:
ewas.admin.user.pwd property with a value of the administrator
login password for the Embedded WebSphere Application Server
where Federated Identity Management Business Gateway is deployedewas.truststore.pwd property with a value of the password for
the trust store used for client-side SSL authentication in that Embedded
WebSphere Application Serverewas.admin.user.pwd=ewas_admin_pwewas.truststore.pwd=truststore_pwfim.appservers.properties fileC:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance
for Windows.or
/opt/IBM/WebSphere/UpdateInstaller/maintenance
for Unix/Linux
C:\Program Files\IBM\WebSphere\UpdateInstaller on
Windows systems, or in /opt/IBM/WebSphere/UpdateInstaller on UNIX-based systems).C:\Program Files\IBM\FIM on Windows systems, or
/opt/IBM/FIM on UNIX-based systems), then click Next.FIM_INSTALL_DIR/etc/version.propeties file with a text editor.
The following list describes how to interpret the properties in the version.properties file:
itfim.build.version.rte-mgmtsvcs=versionitfim.build.version.mgmtcon=versionitfim.build.version.wsprov=versionitfim.build.version.wssm=versionitfim.build.version.fimpi=versionApply the fix packs to the product components in the following order:
Note: The WebSphere Update Installer allows you to select more than one pak file at a time for execution. Select only the pak files that correspond to the components that are installed on the system you are updating. If you accidentally install more pak files than are needed, you can separately uninstall any fix packs for components that are not installed on the target system.
The fix pack install automatically deploys the newly installed Federated Identity Manager Business Gateway runtime. However, you should verify that the current deployed version is 6.2.0.9.
Runtime Information
----------------------------------------------
Current deployed version 6.2.0.9 [080922a]
Note: The number within the brackets [080922a] might be different
from this example.
The product documentation for Federated Identity Manager Business Gateway, Version 6.2.0, can be found on the information center for IBM Tivoli Federated Identity Manager Business Gateway.
The kerberos STS module can enforce one time use of Kerberos tokens. The functionality is disabled by default and is only available to standalone WebSphere environments. No cluster support is provided at this time.
To enable this support set the following custom property:
kerberos.one.time.use.enabled = true
Once enabled, the TFIM Kerberos STS Module enforces a one time use of Kerberos tokens during validation. Once validated, any subsequent validation call for the same Kerberos token will fail.
The IvCred STS Module has been enabled to consume and validate ivcred tokens that corresponds to an unauthenticated user. The modification done as part of this fix will allow for two modes of operation.
For behavior #1 (Default), the sts module will generate an error if a token received corresponds to an unauthenticated user. The error is the following:
FBTSTS015E The IV-Cred binary token is invalid or not present.?
For Behavior #2 the IvCred STS Module can be configure to map the unauthenticated user token to a special user account that can be configured. The user account selected should be considered as a low entitlements or guest account.
The IVCRED STS module add an unauthenticated user name to the universal user structure.
To enable behavior #2 add the following custom property:
ivcred.unauthenticated.user.name=myusername
where myusername is the user name value to use for mapping.
The following additional properties can also be provided to describe the user account to map to when using behavior #2:
ivcred.unauthenticated.user.registry.id
ivcred.unauthenticated.user.uuid
ivcred.unauthenticated.user.registry.id is used to include the registry id of the account and ivcred.unauthenticated.user.uuid to indicate the unique id for the user account.
This fix ensures that Identity Provider with a metadata that contains SAML attributes can be added as a SAML 2.0 federation partner. However, these attributes are ignored, since they are currently not supported by FIM 620.
In some Tivoli Federated Identity Manager SSO Service Provider scenarios with WebSphere as point of contact and when the application relies on extended attributes added to the SSO token, a user might be authenticated using the wrong WebSphere credential from the credential cache. This fix will ensure that a unique WebSphere credential is created for every TFIM SSO as a service provider with WebSphere point of contact.
In the IBM Tivoli Federated Identity Manager Installation and Configuration Guide, under the topic Sample identity mapping rules for SAML
federations->Mapping a local identity to a SAML 2.0 token using an alias, the following entry is added to Table 40. STSUUSER entries used to generate a SAML token (using an alias):
[STSUU Element] Attribute: AudienceRestriction
[SAML Token Information] The audience of the audience restriction condition.
[Required] Optional
Under the same topic, it states:
3. Populating the attribute statement of the assertion with the attributes in the AttributeList in the In-STSUU. This information becomes custom information in the token. There can be custom attributes that are required by applications that will make use of information that is to be transmitted between federation partners.
It should state:
3. Setting the audience of the audience restriction condition to the value of the STSUU element "AudienceRestriction". If this STSUU element is not present, the audience is set to the Provider ID of the federation partner.
4. Populating the attribute statement of the assertion with the attributes in the AttributeList in the In-STSUU. This information becomes custom information in the token. There can be custom attributes that are required by applications that will make use of information that is to be transmitted between federation partners
In the IBM Tivoli Federated Manager Version Administration Guide, under the topic Managing Modules->Modifying trust service chain properties, the following note is added:
NOTE: Do not modify the built-in SSO trust chains. To know why this is not an architecturally good approach, see the article on Complex Federation Identity and Attribute Mapping for Tivoli Federated Idenity Manager from the IBM community blogs.
In the IBM Tivoli Federated Manager Version Administration Guide, under the topic Managing Modules->Modifying chain module properties, the following note is added:
NOTE: Do not modify the built-in SSO trust chains. To know why this is not an architecturally good approach, see the article on Complex Federation Identity and Attribute Mapping for Tivoli Federated Idenity Manager from the IBM community blogs.
The response generated by an STS chain with a TAMAuthorizationSTSModule, TAMAuthenticationSTSModule or AuthorizationSTSModule module for a WS-Trust v1.3 request includes more than 1 status code. In addition, some of the status codes contains a URI value that belongs to the WS-Trust v1.2 specification.
This fix ensures that the WS-Trust v1.3 response returned for a STS chain with a TAMAuthorizationSTSModule, TAMAuthenticationSTSModule or AuthorizationSTSModule has only 1 status code that will contain a URI value belonging to the WS-Trust v1.3 specification.
The RelayState parameter is used to share state information between the sender and the receiver of a SAML 2.0 message. The receiver of a RelayState is expected to return the value without any modification. ITFIM SAML 2.0 SPS module used to URL encode the RelayState causing changes on the value in some instances. This fix modifies the code so it only URL encodes the RelayState during unsolicited (Identity Provider initiated) Single Sign On operations where the Target URL is the value sent in the RelayState.
If a SAML 1.x service provider needs to accept a samlp:Response that does not contain a Recipient attribute, use the followning runtime custom property:
SAML.AllowNoRecipient=true
Typically the Recipient is a required attribute so there should be no need to set this runtime custom property. It is only offered for uncommon backwards compatibility use cases.
When configuration a custom STS chain that includes a SAML 2.0 STS module a new configuration parameter has been added to configure the default name id format. This parameter will control the treatment to be given to the unspecified name id format value.
The new parameter is called:
com.tivoli.am.fim.sts.saml.2.0.assertion.default.nameidformat
The value should be the complete NameID Format that you wish to use for processing the NameID. Most commonly this will be:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
This will cause the NameID included in the assertion to be treated as a string literal and no alias service lookup will be used.
The SAML 2.0 SPS module allows the customer to specify if signatures are required for the SAML Artifact Resolution Response, SAML Response and SAML Assertion XML documents. The requirement for SAML assertion signature requirement can be fulfilled if the enclosing document is signed. For example a signed SAML Response. The SAML 2.0 SPS module will no longer issue a signature validation error if the assertion is not signed if either the SAML Response or SAML Artifact Resolution Response is signed.
The assertion signature is controlled by the WantAssertionsSigned property on the federation and partner configuration. The federation property will override the setting on the partner. That is different for most of the properties on the ITFIM federation configuration.
The WantAssertionsSigned for the federation configuration will be set to true when typical message signature settings is chosen and false when all or none message signature is selected on the federation signature configuration.
Even if WantAssertionSigned is set to false on the federation configuration the Identity Provider might still sign the assertion in two situations:
The Tivoli Federated Identity Manager SAML 2.0 SPS module allows the customer to specify a default name id format to use when the name id format has not been specified. At the Service Provider that value is use to determine the type of treatment that will be given to an unspecified name id format that is received on a SAML assertion. By default TFIM will treat unspecified name id format as persistent name id. The SAML 2.0 STS module will process the assertion name identifier with an unspecified name id format according to the value configured on the default name id format configuration selection. For steps on how to set the default name id format configuration parameter using the command line interface see the ITFIM 6.2 Administration Guide.
By default Tivoli Federated Identity Manager out-of-the-box allows an administrator to specify a key to use for signing or validation by having them select an alias from a key store. The alias is not actually used at runtime to select the key, the alias is only used to determine the X.509 Distinguished Name (DN). Once the DN is determined a list of all keys from all key stores is built based on the exact same DN and the oldest still valid X.509 (or Private Key) is used for the specific runtime operation first.
This fix provides two additional options for key selection criteria. The supported key selection criteria are:
Key: key.selection.criteria
Possible Values (only one can be set):
only.alias - only the alias will be used for select the key. No key list is created.
longest.lifetime - a list of keys built sorted by longest lifetime.
shortest.lifetime - a list of keys built sorted by shortest lifetime.
In Tivoli Federated Identity Manager Service Provider(SP) deployments of SAML 1.x when signatures are not used in assertions, it is often required to definitively identify to an application from which Identity Provider (IdP) source a credential has come. To satisfy this requirement, this fix inserts new attirbutes into the Claims element for SAML 1.x service provider federations that use browser artifact profile. The new attributes are called ArtifactSourceID and ArtifactResolutionServiceEndpoint. The new Claims element attributes will be included in the RequestSecurityToken message that is sent to the Service Provider trust service during single sign-on.
Mapping rules on the Service Provider can use these values to map to an expected Issuer URL and perform that check in the mapping rule and throw an exception if a bad Issuer is detected.
To check for the new attributes ArtifactSourceID and ArtifactResolutionServiceEndpoint of the new SAML claims, you can do the following:
An example STSUU is as follows:
<stsuuser:Attribute name="Claims" type="http://schemas.xmlsoap.org/ws/2005/02/trust">
<stsuuser:Value>
<wst:Claims xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
Dialect="urn:ibm:names:ITFIM:saml">
<fimsaml:SAMLClaims xmlns:fimsaml="urn:ibm:names:ITFIM:saml"
ProtocolProfile="" TokenUsername=""
ArtifactSourceID="KmoOP8TQR6rMbUFZwpcy6rtxWzE="
ArtifactResolutionServiceEndpoint="http://soap_endpoint">
</fimsaml:SAMLClaims>
</wst:Claims>
</stsuuser:Value>
</stsuuser:Attribute>
The Tivoli Federated Identity Manager 6.1.1 documentation lists the supported user registries in the "User Registry support" section of the "Hardware and Software Requirements" document.
This document lists support for Novell eDirectory 8.6.x and Novell eDirectory 8.7.x. This section does not list Novell eDirectory 8.8.x, because eDirectory 8.8 was not available at the time and the TAM Base product did not claim support for this level yet. However, TAM claimed support for Novell eDirectory 8.8 in the TAM Base 6.0.0 FP0009 README.
Based upon this information, it would seem that Tivoli Federated Identity Manager would support eDirectory 8.8.x as a user registry. Support for eDirectory 8.8.x was verified, but in the process it was found that additional configuration steps for eDirectory were required in order to be used by TFIM successfully. These configuration steps are not in the current documentation, so a Tech Note has been written and published that documents the required actions to configure the Novell eDirectory to be a supported TFIM user registry.
The TechNote entitled "Configuration of Novell eDirectory v8.8 required to be a supported Tivoli Federated Identity Manager v6.1.1 user registry" has been published and is publicly available on the TFIM support site.
Read and follow this TechNote before attempting to use the Novell eDirectory as a Tivoli Federated Identity Manager user registry.
It is not possible to query the status of the FIM runtime
from the eWAS console. The following wsadmin commands
show how
to query the FIM runtime's
status as well as how to start and stop the FIM runtime from the
command line.
These commands assume the WebSphere Application Server server instance is named "server1".
wsadmin>$AdminApp listwsadmin>$AdminControl queryNames
type=Application,process=server1,name=ITFIMRuntime,*wsadmin>set appManager [$AdminControl queryNames
type=ApplicationManager,process=server1,*]wsadmin>$AdminControl invoke $appManager
stopApplication ITFIMRuntimewsadmin>set appManager [$AdminControl queryNames
type=ApplicationManager,process=server1,*]wsadmin>$AdminControl invoke $appManager
startApplication ITFIMRuntimeA limitation of the z/OS platform can cause Tivoli Federated Identity Manager actions to hang and fail. This has been observed with the deployment of the TFIM runtime, and can be diagnosed by examining the WebSphere Application Server log file and looking for a WARNING message such as the following:
Trace: 2008/02/20 15:30:48.909 01 t=9BE748 c=UNK key=P8 (13007002)
ThreadId: 00000044
FunctionName: com.ibm.ws.runtime.component.ThreadMonitorImpl
SourceId: com.ibm.ws.runtime.component.ThreadMonitorImpl
Category: WARNING
ExtendedMessage: BBOO0221W: WSVR0605W: Thread "WebSphere:ORB.thread.pool t=009c22b8"
(00000022) has been active for 181010 milliseconds and may be hung.
There is/are 1 thread(s) in total in the server that may be hung.
To resolve this problem, a WebSphere Application Server environment variable must be defined that increases an essential thread pool size.
To define the environment variable for a standalone application server from the WebSphere administration console, browse to: Servers -> Application servers -> server_name -> Server Infrastructure -> Administration -> Custom properties.
Add the property private_bboo_internal_work_thread_pool_size
with the value of 5.
To define the environment variable for a network deployment configuration from the WebSphere administration console, browse to: System Administration -> Deployment manager -> Administration services -> Custom properties.
As in the standalone environment, add the property
private_bboo_internal_work_thread_pool_size
with the value of 5.
Restart the WebSphere Application Server server that has had the environment changed. To verify that the new value has taken effect, look for the following message in the output of the server when the server starts:
BBOM0001I private_bboo_internal_work_thread_pool_size: 5.
These failures have currently only been reported on the deployment of the Tivoli Federated Identity Manager runtime, and the value of 5 has resolved the issue. However, if similar error messages are seen performing other TFIM activities, the pool size environment variable should be increased to resolve the problem.
The default secure protocol for HTTPS connections created by Federated
Identity Manager Business Gateway is SSL_TLS. To change (override) the default protocol, specify the
following runtime custom property in the fim.appservers.properties file:
com.tivoli.am.fim.soap.client.ssl.protocol= PROTOCOL
where the value of PROTOCOL can be any of the following values: SSL_TLS, SSL, SSLv2, SSLv3, TLS or TLSv1
A timestamp is embedded within a passticket, but the time value interval is only granular to a full second. If two passtickets are generated for the same object (user, target app, secret-key) within one second, then the two passtickets will be identical; that is, the passtickets will look to the validator like a "replay attack." To manage this problem, RACF allows "disable replay detection," and this APAR enables Federated Identity Manager Business Gateway to support this functionality.
To disable replay, you can set either or both of the following custom runtime properties:
passticket.disable.replay.check.[chainid_uuid]=true
passticket.disable.replay.check=true
where chainid_uuid is the value of the Chain UUID. For example:
passticket.disable.replay.check.[uuideb42e428-011b-1ebc-a0cb-9e6c4b35c1c7]=true
To determine the value of Chain UUID, in the administration console select Trust Service Chains-> Select Action, then select Show Chain ID in column in table. This action selection causes a new column to appear in the table that displays the unique Chain ID.
WebSphere Application Server versions 6.0.2 and 6.1 do not distinguish between LTPA v1 and LTPA v2 tokens in Web Services. Only one BinarySecurityToken ValueType is supported for LTPA tokens, and the QName of the value type is:
http://www.ibm.com/websphere/appserver/tokentype/5.0.2#LTPA
When the Federated Identity Manager Business Gateway STS issues an LTPA v2 token, the token is created with the following QName. This QName is correct, but it is not supported by WebSphere Application Server versions 6.0.2 and 6.1:
http://www.ibm.com/websphere/appserver/tokentype#LTPAv2
This APAR provides custom Federated Identity Manager Business Gateway runtime properties that force compatible QName generation if needed. To enable compatibility mode, set either or both of the following custom runtime properties:
ltpa.enable.compat.mode.[chainid_uuid]=true
ltpa.enable.compat.mode=true
where chainid_uuid is the value of the Chain UUID. For example:
ltpa.enable.compat.mode.[uuideb42e428-011b-1ebc-a0cb-9e6c4b35c1c7]=true
To determine the value of Chain UUID, in the administration console select Trust Service Chains-> Select Action, then select Show Chain ID in column in table. This action selection causes a new column to appear in the table that displays the unique Chain ID.
When authoring XSLT rules for identity mapping, there is no mechanism to log or trace statements for debugging purposes. This APAR adds an extension that enables you to generate debugging statements to XSLT rules.
To invoke debug statements for identity mapping, add entries in the XSLT rules using the
following syntax:
<xsl:variable name="variablename" select="mapping-ext:traceString('debug string')">
This APAR fixes an XSLT identity mapping failure that occurred when using the alias server with JDBC. An XSLT identity mapping that links accounts from a JDBC configure-alias service would fail with the following exception:
com.tivoli.am.fim.identity.service.jdbc.IdServiceJdbc
init javax.naming.NoInitialContextException: Need to specify class name in environment or system property,
or as an applet parameter, or in an application resource file: java.naming.factory.initial
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:657)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:259)
at javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:296)
at javax.naming.InitialContext.lookup(InitialContext.java:363)
at com.tivoli.am.fim.identity.service.jdbc.IdServiceJdbc.
at com.tivoli.am.fim.identity.service.client.jdbc.IdServiceJdbcClient.
at java.lang.Class.newInstanceImpl(Native Method)
at java.lang.Class.newInstance(Class.java:1301)
at org.eclipse.core.internal.registry.osgi.RegistryStrategyOSGI.createExecutableExtension(RegistryStrategyOSGI.java:170)
You might need to restart the WebSphere Application Server if you specify inaccurate information in the security settings panel when creating a Federated Identity Manager domain (or a connection to a domain).
If you enter correct data and the Federated Identity Manager console successfully connects to the management service (use Test Connection to test the connection), you do not need to reconnect to WebSphere Application Server. If the Federated Identity Manager console cannot connect to the Management Service, even if correct security information is supplied, then you need to restart WebSphere Application Server.
This APAR fixes an error exception that can occur when posting artifacts for a single sign-on operation in WebSphere Application Server version 6.1.0.17 or version 6.1.0.19. When using WebSphere Application Server version 6.1.0.17 or 6.1.0.19, the POST artifacts for single sign-on operation can sometimes fail with the following exception text:
[9/4/08 10:59:44:143 CDT] 0000002b MultibrokerDo E CWWDR0008E: Runtime exception occurred :
Unable to locate Replication Domain.
[9/4/08 10:59:44:148 CDT] 0000002b CacheServiceI I DYNA1001I: WebSphere Dynamic Cache
instance named itfim/distributedmaps/ssops_plugins initialized successfully.
[9/4/08 11:00:08:532 CDT] 0000002b SRTServletReq E SRVE0133E: An error occurred while parsing
parameters. java.io.IOException: SRVE0216E: post body contains less bytes than specified by content-length
at com.ibm.ws.webcontainer.servlet.RequestUtils.parsePostData(RequestUtils.java:301)
at com.ibm.ws.webcontainer.srt.SRTServletRequest.parseParameters(SRTServletRequest.java:1623)
at com.ibm.ws.webcontainer.srt.SRTServletRequest.getParameterMap(SRTServletRequest.java:2153)
at com.tivoli.am.fim.fedmgr2.servlet.SSOPSServletBase.logRequest(SSOPSServletBase.java:203)
at com.tivoli.am.fim.fedmgr2.servlet.SSOPSServletBase.doRequest(SSOPSServletBase.java:97)
It is not possible to query the status of the Federated Identity Manager Business Gateway runtime
from the eWAS console. The following wsadmin commands show how
to query the Federated Identity Manager Business Gateway runtime's
status as well as how to start and stop the Federated Identity Manager Business Gateway runtime from the command line.
These commands assume the WebSphere Application Server instance is named "server1".
wsadmin>$AdminApp list
wsadmin>$AdminControlqueryNamestype=Application,process=server1,name=ITFIMRuntime,*
wsadmin>setappManager[$AdminControlqueryNamestype=ApplicationManager,process=server1,*]
wsadmin>$AdminControl invoke $appManager stopApplication ITFIMRuntime
wsadmin>setappManager[$AdminControlqueryNamestype=ApplicationManager,process=server1,*]
wsadmin>$AdminControl invoke $appManager startApplication ITFIMRuntime
The fix pack installation of the Federated Identity Manager Business Gateway runtime must
connect to a WebSphere Application Server SOAP port in order to deploy
the runtime. The fix pack installer acquires its SOAP port value from the following line
in the
/<TFIM-installation-directory>/etc/fim.appservers.properties file
of the Federated Identity Manager Business Gateway instance being patched:
was.soap.port=8880
OR
ewas.soap.port=8880
This value is set in the file when the Federated Identity Manager Business Gateway instance is installed.
For the connection to be successful, the WebSphere Application Server instance to which it is being deployed must still be using that SOAP port. If it is not, then the Federated Identity Manager Business Gateway fix pack installation fails in the WebSphere Application Server UPDI and the error is reported as:
Prerequisite checking has failed. Click Back to select a different package, or click Cancel to exit.
Associated failure messages are:
The WebSphere server does not seem to be listening in host localhost port 8881 as specified
in
/opt/IBM/FIM/etc/fim.appservers.properties. Make sure the server is running and that the specified
port and host are correct.
If the specified port is different than the actual SOAP port used, then change the value in the
fim.appservers.properties file to agree with the port being used by WebSphere Application Server and
reapply the fix pack.
Attempts to use Oracle database for Tivoli Federated Identity Manager alias service displayed errors like:
com.ibm.ws.ejbpersistence.utilpm.PersistenceManagerException:
PMGR1012E: The current backend id DB2UDBNT_V8_1, does not match
the datasource connected to.
To fix this error, follow these additional steps after installing the Fix Pack (assume on UNIX-based system):
If you receive subsequent fixpacks, or anything that alters the deployed itfim.ear, repeat step 1.
From the updated Tivoli Federated Identity Manager Configuration Guide, the steps are:
None.
None.
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information that has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at &odq;Copyright and trademark information&cdqg; at www.ibm.com/legal/copytrade.shtml.
The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:
AIX IBM IBM logo iSeries pSeries S/390 Tivoli Tivoli logo xSeries zSeries
Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Other company, product, and service names may be trademarks or service marks of others.