IBM® Tivoli® Security Information and Event Manager,
fix pack 2.0.0-ISS-TSIEM-FP007 README
©Copyright International Business Machines Corporation 2011. All rights
reserved. U.S. Government Users Restricted Rights -- Use, duplication or
disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
NOTE: Before using this information and the product it supports,
read the general information under Notices in this document.
Date: 2012 June 14
About the fix pack
This fix pack corrects problems with IBM Tivoli Security Information and Event Manager
version 2.0.0.0 through 2.0.0.6. After installing
this fix pack, your Tivoli Security Information and Event Manager installation will be at version level 2.0.0.7.
Do NOT use fixpack's Uninstallation and Resume functions under any circumstances!
If the fix pack installation fails do NOT use the resume function. It will break the installation. In case of fix pack installation failure please restore the previously backed up and working TSIEM version and try to install the fix pack again.
Do NOT use the fixpack's uninstallation feature, as it will uninstall the whole TSIEM installation, not only the latest fix pack. If you wish to move back to the previous TSIEM version please restore it from the backup using the exact steps from the restore procedure.
Make a backup of your Tivoli Security Information and Event Manager installation before installing the fix pack. See the backup procedure for details on performing a backup. If the installation of the fix pack fails, you might need to restore the system using your backup copy.
If your TSIEM installation is at the level TSIEM 2.0.0.0 through 2.0.0.3 GA,
then you must reinstall any compliance management modules that you have on your system after installing fix pack 7.
In this situation, after installing fix pack 7, use the updated installation media provided with the
2.0.0.4 Manufacturing refresh to reinstall the compliance management modules.
The 2.0.0.4 Manufacturing Refresh provides support for additional server platforms (Microsoft Windows Server 2008 R2, SUSE Linux Enterprise Server 11, and Red Hat Enterprise Linux version 5.5).
Installing fix pack 4, or installing with the 2.0.0.4 Manufacturing Refresh, allows you to upgrade your environment to DB2® version 9.7 for better performance of the sliding window feature (the feature that always keeps N days of data in a Reporting database by removing the events from the oldest day before the newest day's event data is loaded). See Upgrading to DB2 version 9.7 in the information center for additional information. The DB2 9.7 installation media can be obtained as part of the 2.0.0.4 Manufacturing Refresh package in IBM Passport Advantage.
Important notice! The DB2 upgrade instructions mentioned above use the "Upgrading a Windows system" procedure as a reference. One additional step is needed after step 7a (Use the GUI-based setup.exe command): after running the setup.exe utility you may have the option to change the DB2 edition. If so, make sure that you choose the "Work with existing" option in the "DB2 Enterprise Server Edition" section.
If your environment uses DB2® 9.7 please make sure to upgrade it to at least version 9.7.4 (DB2 FP004) before proceeding with TSIEM fix pack 5, TSIEM fix pack 6 or TSIEM fix pack 7 installation.
Fix pack 5/fix pack 6/fix pack 7 installation fails on systems with DB2 9.7 version lower than 9.7.400.501.
Guidelines for installing DB2 9.7 FP004 can be found in the following technote: Updating DB2 9.7.0 to 9.7.4.
Patch contents and distribution
This fix pack package contains:
- 2.0.0-ISS-TSIEM-SRV-Multi-FP007.zip (for Windows/Linux/AIX® server systems)
- 2.0.0-ISS-TSIEM-ACT-Win32-FP007.zip (for Windows agent systems)
- 2.0.0-ISS-TSIEM-ACT-HPUXPARISC-FP007.tar.gz (for HP-UX agent systems)
- 2.0.0-ISS-TSIEM-ACT-AIXPPC-FP007.tar.gz (for AIX agent systems)
- 2.0.0-ISS-TSIEM-ACT-SolarisSparc-FP007.tar.gz (for SPARC SOLARIS agent systems)
- 2.0.0-ISS-TSIEM-Multi-FP007.README.html (this file)
- ibm.tsiem.actuator.pax.Z (for z/OS agent systems)
- cifmigrate.zip (fixed version of a migration tool - see Documentation updates in this document for more details.)
This fix pack is distributed as an electronic download from the IBM
Support website.
Architectures
This fix pack package supports the same operating system releases as the Tivoli Security Information and Event Manager release. A list of the supported operating systems can be found in the Hardware and software requirements document in the information center.
Fix pack structure
Tivoli Security Information and Event Manager (TSIEM) supports multiple operating system platforms. A separate package must be installed on
each platform that requires updates. The package contains the updates for all components installed on that platform.
Note: Even though the fix pack contains updated agent software for Windows, AIX, HP-UX, and Solaris systems,
you do not need to upgrade your agent systems unless there is a specific need to install the fix pack on the agent side. The agent
software installed using a previous version of TSIEM is compatible with this fix pack and can continue to be used.
APARs and defects fixed by fix pack 2.0.0-ISS-TSIEM-FP007
The following problems are corrected by this fix pack. For more
information about the specific APARs listed, see the
Tivoli Security Information and Event Manager support website.
Problems fixed by fix pack 2.0.0-ISS-TSIEM-FP007
- APAR: IV02836
- SYMPTOM: ES: Windows Agent fails to start actuator.exe process due to TCP port in use
- APAR: IV00838
- SYMPTOM: Javascript error when adding/removing who/onwhat groups from the iView Dashboard Settings window
- APAR: IV11118
- SYMPTOM: ES: TSIEM agents abruptly shutdown when the TSIEM server becomes unreachable for several hours
- APAR: IV16038
- SYMPTOM: Indexing W7log CSV event source: specifying "*" in the indexer search string does not return all events
- APAR: IV16266
- SYMPTOM: TSIEM is showing modify auditpolicy failure for opening a file using NT mapping
- APAR: IV11017
- SYMPTOM: TSIEM agent on AIX configured with respawn restarts continuously and consumes high CPU
- APAR: IV16302
- SYMPTOM: TSIEM Limitation - not possible to schedule more than 3 collects in the same time
- APAR: IV17989
- SYMPTOM: ES: Cannot parse Guardium ES data due to the missing "Count" column data in chunk
- APAR: IV10559
- SYMPTOM: ES: AIX Agent installation failing because it cannot bind to IPv4 socket
Additional fixes in fix pack 2.0.0-ISS-TSIEM-FP007
- TSIEM00020985: ES: "Unavailable" is shown in Who for iSeries TYR events
- SYMPTOM: If the event-specific 'Office User' record field is empty then "Unavailable" is displayed in the Who field.
- TSIEM00021007: ES: Solaris syslog: WhereFrom is not mapped (Did not receive identification string from )
- SYMPTOM: Solaris Syslog does not show in WhereFrom field the identification string source.
- TSIEM00021020: ES: Pix-Syslog: Incorrect mapping of 106023 event
- SYMPTOM: Pix-syslog 106023 event is not correctly mapped when there is "access-group" instead of "access_group" in the log entry.
- TSIEM00021352: ES: Syslog from syslog host event source collects successfully even if the log directory is not accessible
- SYMPTOM: "Syslog from syslog host" event source does not fail when the log directory and file does not exist.
- TSIEM00022699: '*' in onWhat objectname for Windows ES
- SYMPTOM: In Windows ES data, events may be grouped by the OnWhat field where they should be displayed separately.
- TSIEM00022527: "on Server CIFDB" message in the Compliance Dashboard is misleading and should be removed
- SYMPTOM: In some reports there may be the "on server CIFDB" information which may be misleading.
- TSIEM00022690: Cannot map Win 2008 R2 events with nanosecond audit timestamp precision
- SYMPTOM: Win 2008 R2 events are not mapped with millisecond precision.
- TSIEM00022757: GSL Update for z/OS Event Source
- TSIEM00022773: GEMs which contain zOS chunks take between 2 and 4 hours to execute the load fill summaries step
- SYMPTOM: The main "fill - summaries stage" of the mapping process takes much time to complete.
- TSIEM00022808: The date.exe parameter string is using m both for minutes and months - It should be M for minutes and m for months
- SYMPTOM: Win 2008 ES timestamp created during collect may not be correct due to the typo in the collect script.
- TSIEM00022854: Post Load Performance Improvement - FillCounts, FillChunks
- SYMPTOM: Post Load processing may be slow when the scoping is enabled.
- TSIEM00022519: ES: Windows 2008 collect fails due to error in timestamp parsing of lastevent.xml
- SYMPTOM: Windows 2008 collect may fail due to the error in the timestamp parsing of lastevent.xml.
- TSIEM00022756: compress.sh script contains errors
- SYMPTOM: On RHEL the compress.sh script may return syntax errors.
- TSIEM00022767: ES: Microsoft windows agentless does not collect all the events
- SYMPTOM: While collecting the Windows Event Log data some of the events may be omitted.
- TSIEM00022861: Improvement, Bugfixes - fillOwner, fillEventMDCTable
- SYMPTOM: Postprocessing may be slow when scoping is enabled.
- TSIEM00022898: fillSummaryMetatimestamp
- SYMPTOM: Postprocessing may be slow when scoping is enabled.
Problems fixed by fix pack 2.0.0-TIV-TSIEM-FP006
- APAR: IV02880
- SYMPTOM: ES: Update the Informix AIX scripts with an option to delete already collected files
- APAR: IV07878
- SYMPTOM: ES: Solaris SSH Logon events logged at WTMP are not being mapped correctly
- APAR: IZ92502
- SYMPTOM: Japanese characters not being displayed properly on dashboard
- APAR: IZ92930
- SYMPTOM: iView shows garbage characters for events from TSIEM Server event source
- APAR: IZ97977
- SYMPTOM: ES: Windows NT-2003 mapping problem for multiple 628 id events within 5 seconds
- APAR: IZ97879
- SYMPTOM: Custom reports condition string with group names / W7 field names with spaces are not migrated correctly
- APAR: IZ98686
- SYMPTOM: ES: Not all Windows events with 566 id are getting mapped
- APAR: IV00128
- SYMPTOM: ES: Lotus Notes Collect/Mapping missing Login and Logout events
- APAR: IV00837
- SYMPTOM: Custom Threshold reports do not show events matching the threshold report filter
- APAR: IV03197
- SYMPTOM: TIP error message at the status bar when using Internet Explorer
- APAR: IV02113
- SYMPTOM: Current time is proposed as a load schedule timing when adding a new event source
- APAR: IV02293
- SYMPTOM: Poor performance to login into Log Manager
- APAR: IV02459
- SYMPTOM: TSIEM susceptible to Cross Site Vulnerability (XSS)
- APAR: IV02697
- SYMPTOM: Audit Data Export Task exports a committed policy, which is still in use by the customer
- APAR: IV02837
- SYMPTOM: ES: Authenticate User Failure (event id 675) does not show the correct SID (originator) for the W7 logonname
- APAR: IV03314
- SYMPTOM: ES: SAP Netweaver missing index information in Investigation Report of Log Manager
- APAR: IV07509
- SYMPTOM: ES: Windows 2003 EventID 540 source IP address should be mapped since the Workstation name is not resolved
- APAR: IV02862
- SYMPTOM: Policy Explorer shows CIFPE0502W even when the group being added is present at the same platform of the policy that is being modified
- APAR: IV02880
- SYMPTOM: ES: IBM Informix Dynamic Server Event Source is not collecting.
- APAR: IV03654
- SYMPTOM: ES: IBM TSIEM Server Event source stops collecting
- APAR: IV07046
- SYMPTOM: ES: Cleanup script fails to connect, event collection fails
- APAR: IV05818
- SYMPTOM: The mapper does not stop processing chunks resulting in endless map cycle - causing the "bulk load + postprocessing" to never end
- APAR: IV06193
- SYMPTOM: TSIEM Server and Agent are unable to recover from a failed collect
- APAR: IV06879
- SYMPTOM: ES: Windows 2008 event source does not map correctly the events with id 4656
- APAR: IV06890
- SYMPTOM: ES: Windows 2008 event source does not show the path of the object that's been modified for events with id 4674
- APAR: IV07353
- SYMPTOM: Aggregation is not working properly when executed through the command line in TSIEM 2.0.0.4
- APAR: IV07447
- SYMPTOM: Depot investigation tool returns to page no. 1 every time customer selects any other option, i.e. Dashboard
- APAR: IV08557
- SYMPTOM: Opening "This is a policy exception" details page causes the "Array index out of range: 0" exception
- APAR: IV08546
- SYMPTOM: Builtin Users report shows User Information not owned by the TSIEM Scoped user
- APAR: IV08969
- SYMPTOM: Mapper fails to process "locked" .bcp.mapping files, but yet signals the GEM load as "success"
- APAR: IV08663
- SYMPTOM: Path changes when shifting from the Compliance dashboard to the Reporting view
- APAR: IV09271
- SYMPTOM: Warning Message displayed at the IE status bar when opening the TSIEM SIM Dashboard
Additional fixes in fix pack 2.0.0-TIV-TSIEM-FP006
- TSIEM00022618: ES/DOC: TSIEM 2.0.1 AIX log collection fails with Error 253, caused due to an empty "working" file
- SYMPTOM: Fixing issue described in TSIEM 2.0 AIX Remote Collect fails with Error 253 due to empty working file.
- TSIEM00022564: ES: z/OS agent: It should be possible to suppress the active SMF datasets for ES collect strategy LIVE
- SYMPTOM: With strategy LIVE, the active MAN datasets are always read. It should be possible to prevent reading the MAN datasets.
- TSIEM00021167: Long labels are not properly displayed by iView in custom report charts
- SYMPTOM: Bar and pie charts long labels are not properly displayed, hence hard to distinguish.
- TSIEM00022463: Wrong owner of splitter
- SYMPTOM: Splitter process on Linux/AIX TSIEM servers is not able to open port 514 UDP.
- TSIEM00022468: Incorrect warnings during scheduling load of DB
- SYMPTOM:
- There is an error message shown when setting daily - working days db load schedule, when the assigned ES collect schedule is set to daily - everyday.
- There is no error message shown for setting daily - everyday db load schedule, when the assigned ES collect schedule is set to daily - workingdays.
- TSIEM00022472: Lack of symbolic link to libidsmsg.a on AIX
- SYMPTOM: Export/Import functionality is not working on AIX TSIEM servers due to the missing library sim/server/bin/libidsmsg.a.
- TSIEM00022540: XSS in Report distribution task when adding new task
- SYMPTOM: Report Title, Body, Section and Help Text text fields are vulnerable to XSS attack.
- TSIEM00022650: Fdodbc: ODBC error from: insert into Object values - State: 23505 error: -803
- SYMPTOM: Wrong ChunkIX in insert statement is causing the collect to fail forever and data to remain on the remote agent.
- TSIEM00022582: Log wrapping feature
- SYMPTOM: TSIEM agent is unable to detect overwriting of security event logs of Win NT platform.
- TSIEM00022657: Missing FP6 COI steps
- SYMPTOM: JRE update fails in some cases while installing FP5.
- TSIEM00022151: Microsoft SQL Server 2008 (Server Audit) Event Source to support Microsoft SQL Server 2008 server audit trail
- New event source.
- TSIEM00021980 : Microsoft Exchange Server 2007 - 2010 Event Source to support MS Exchange 2007 and 2010
- New event source.
- TSIEM00022576: HP-UX 11i V3 System Event Source to support HP-UX 11iv3 system audit trail
- New event source.
- TSIEM00022149: IBM Tivoli Key Lifecycle Manager (TKLM) Event Source is updated to support TKLM v2.0
- Event source update.
- TSIEM00022148: IBM Tivoli Federated Identity Manager (TFIM) Event Source is updated to support TFIM v6.2.1
- Event source update.
- TSIEM00022156: Cisco ASA Event Source is updated to support full event mapping
- Event source update.
- TSIEM00022157: Linux Auditing Framework (LAF) Event Source is updated to support SUSE Linux Enterprise Server (SLES) Edition v10 and v11
- Event source update.
- TSIEM00022535: Following Oracle event sources are updated to support Linux as a hosting operating system
- Oracle Database Audit Trail, Oracle Fine-Grained Audit, Oracle Operating System Audit Trail event sources update.
- TSIEM00022419: Syslog for Syslog Host event sources are updated to support AIX and Solaris as syslog host system
- Event source update.
Problems fixed by fix pack 2.0.0-TIV-TSIEM-FP005
- APAR: IV02800
- SYMPTOM: ES: IBM TDS Self Audit Event Source collects duplicate data for 2 sublogs (ibmslapd.log, ibmdiradm.log)
- APAR: IV03095
- SYMPTOM: Agent causing high CPU usage on zOS
- APAR: IZ96557
- SYMPTOM: C2EAUDIT looping with TCPGrowSendBuffer message
- APAR: IZ85736
- SYMPTOM: Add GEM Database in TIP times out after 10 minutes, leaving an inconsistent GEM
- APAR: IZ90415
- SYMPTOM: Sort for any column does not work for customized reports
- APAR: IZ90615
- SYMPTOM: The Iview section of the Portal does not display the date format according to the operating system locale.
- APAR: IZ78383
- SYMPTOM: ES: Solaris SU logs contain text values from different locales
- APAR: IZ77982
- SYMPTOM: Impossible to set database load schedule frequency equal to the highest collection frequency among the attached ESes
- APAR: IZ89713
- SYMPTOM: ES: Informix. Iview shows 5 events, but the original chunk contains only 3.
- APAR: IZ98903
- SYMPTOM: Incorrect Username Parsing
- APAR: IZ89538
- SYMPTOM: ORA-22835: Buffer too small for CLOB error when collecting Oracle DAT
- APAR: IZ88894
- SYMPTOM: ES: Windows W2K8 collect failed when more than one machine is scheduled to collect at the same minute.
- APAR: IZ94829
- SYMPTOM: TSIEM cannot map DB2 9.5 events: GRANT_DBAUTH and REVOKE_DBAUTH
- APAR: IZ91386
- SYMPTOM: Oracle DAT ES: handle ORA-* errors during collection and log them logfile of ES
- APAR: IZ91354
- SYMPTOM: ES: Cannot distinguish identical OU and Group names in two different domains
- APAR: IZ97562
- SYMPTOM: Fixing Export CSV report
- APAR: IZ91388
- SYMPTOM: Update zOS ES mapper files for not displaying LOGSTR field in iView reports for SMF 80-2
- APAR: IZ98651
- SYMPTOM: ES: Local collect of Windows 2008 fails
- APAR: IV01148
- SYMPTOM: Custom report distribution adds "_" to the report
- APAR: IZ84311
- SYMPTOM: IPValidator fails to accept valid IP addresses in the create new audited machine wizard
Additional fixes in fix pack 2.0.0-TIV-TSIEM-FP005
- TSIEM00018094 : TSSL: Scoped user having auditor permission can see all events, when he should see only a subset of events
- SYMPTOM: Scoped user having auditor permission can see all events, when he should see only a subset of events.
- TSIEM00021859 : Fixing Java parseDouble sec. vulnerability
- SYMPTOM: Fixing issue shown in Security Alert for CVE-2010-4476
- TSIEM00021863 : Scoped users can see all W7 groups even if that user does not own the groups
- This fix addresses the following issues of the TSIEM 2.0 Scoping engine functionality:
- Scoped users can use the Compliance Dashboard (iView) "Group" button to see all W7 groups that match any event in a GEM database, even if that user does not "own" those groups. This can be a problem if the W7 group names have strings in them that identify the different scoped institutions.
- There is a path in the Compliance Dashboard GUI that a scoped user can go down, where he views data by drilling down on a W7 group name, and he can see data from events that he is not supposed to see. The example here is a scoped user may own the OU1 WHO group, and he should only be able to see events where the WHO dimension has an OU1 user. He can navigate to a screen that shows a group called "CriticalObjects", which is not owned by any scoped users, then drill down on that link, and see the OU2 objects that have been accessed.
- The customer's reported problem is related to the case where admins perform changes on an OU identity. In this scenario, the WHO group corresponds to the admins, and the onWhat corresponds to the OU identity. When the OU user runs a report to see all actions performed by admins on their OU, the Admin group is not shown as the OU user does not own this group.
- In the event detail the Where, Where From, Where To fields of the event are hidden. All of the 3 Where fields have XXXXXX as a value even if the user used for showing the report has the Auditor flag set.
- The "Filter by user checkbox" should be enabled regardless of the "Hide User Name flag" value. The business justification for this request is as follows:
- The customer is required to show to auditors what actions a user did to an OU, but without revealing the identity of the user. Enabling the Filter by user investigate checkbox helps the customer in achieving this, but at the same time it does not reveal (or compromise) the identity of the "hidden" WHO W7 user.
- In addition, it helps the customer in demonstrating to auditors that the same / single user (identity is still hidden in all cases) performed a specific set of authorized administrative actions in a particular order.
- When TSIEM scoping is enabled the timeframe editor is visible only for the cifowner user.
- In the current TSIEM implementation the W7 WHO groups are associated with the logonname. By design, the list of WHO groups is currently shown in descending order of group significance. The requirement is to show the W7 Groups in the descending order of significance, and then to sort all groups with the same significance in ascending alphabetical order. The "preview" in the event detail must show the top 2 (default number) group names in the W7 group list computed using rules above.
- TSIEM00021868 : Error in Mapping table for ITIM (Change Password action)
- SYMPTOM : Error in Mapping table for ITIM (Change Password action) should be (Synchronize Password)
- TSIEM00021955 : TSSL: iViewBase.java missing method in FP4
- SYMPTOM : New audited machine with ip address containing 255 not being added
- TSIEM00022053 : TSSL:Exporting TSIEM CSV reports in different encoding than UTF-8
- SYMPTOM: Adding byte-order mark depending on the customer local setting.
- TSIEM00021876: TSSL:Data Segregation - TSIEM SCOPING - Hide all username + Indicator
- The enhancement of scoping functionality is to include a new user bound flag Hide all user names.
If the user has the Hide all user names flag set, he will not see any user names in W7 reports.
If the user does not have the Hide all user names flag set, the current scoping behavior applies:
If the user has the Auditor flag set, he is able to see all user names.
If the user does not have the Auditor flag set, he will only see the names of users belonging to a Who group he owns.
The scoping of the OnWhat and Where columns as well as record selection will not be affected by the Hide all user names flag.
- TSIEM00022101 : TSSL:Severe performance problems with regard to iView report query and navigation
- Severe performance problems with regard to iView report query and navigation.
- TSIEM00021956: TSSL: ES Windows 2003 Archived Event Logs Support
- SYMPTOM: Add Ability to collect online and archived Microsoft Windows Security Event Log and Directory.
- TSIEM00021533 : Log and Save excerpt upon detectable distribution failure
- SYMPTOM: log and save excerpt upon detectable distribution failure.
- TSIEM00021967 : FP4 : Fix COI step UpdateMapperStartStop
- SYMPTOM: TSIEM FP004 fails to install at step UpdateMapperStartStop: Reason: User ID or Password invalid.
Problems fixed by fix pack 2.0.0-TIV-TSIEM-FP004
- APAR: IZ75884
- SYMPTOM: TSIEM 2.0 install can't make the user/groups
- APAR: IZ90656
- SYMPTOM: Apache Web Server 2.x syslog from syslog Event source is not available in the event source list
- APAR: IZ91007
- SYMPTOM: AD UIS doesn't collect "Deleted Objects" group if specify "ExcludeUsers" and "IncludeDeletedUsers" options in Data filter
- APAR: IZ76941
- SYMPTOM: Tsiem 2.0 paxfile for z/OS is unpacked into the home directory of the user who runs the unpack
- APAR: IZ83575
- SYMPTOM: Wrong selection of orphan chunks
- APAR: IZ76681
- SYMPTOM: TIP 1036 - After TIP's timeout user needs to log in to TIP two times to be logged in
- APAR: IZ87434
- SYMPTOM: alert.mib missed in the 2.0 GA installation
- APAR: IZ84905
- SYMPTOM: z/OS ES ignores the user defined encoding.
- APAR: IZ90606
- SYMPTOM: Group mapping error when line feed character (\n) is present in the group name of 'IN SRC_GROUP' rule
- APAR: IZ84639
- SYMPTOM: Update to WAS ES\UIS to support data collection from WAS 6.1, 7.0 with recent WAS fixpacks
- APAR: IZ82844
- SYMPTOM: TAMOS Sudo events show no resource information
- APAR: IZ77689
- SYMPTOM: getnewrecs crashes for TSIEM Server selfaudit collection
- APAR: IZ76231
- SYMPTOM: Scoped user having auditor permission can see all events, when only a subset of events should be visible
- APAR: IZ83584
- SYMPTOM: It should be documented the 32-bit version of DSN Administrator tool should be used to configure ODBC based ES
- APAR: IZ78315
- SYMPTOM: Custom Reports with more than 7 aspect fields defined do not work
- APAR: IZ74107
- SYMPTOM: Collect history tab determines highlighted log continuity tab
- APAR: IZ76588
- SYMPTOM: Hyphen ("-") not allowed in service account name when installing TSIEM 2.0 Windows PoP using GUI install
- APAR: IZ77681
- SYMPTOM: Collect process fails to retrieve data from IIS
- APAR: IZ77092
- SYMPTOM: Control characters in TSIEM install path causes TCR update step to fail
- APAR: IZ73488
- SYMPTOM: Fields specified in documentation do not match the fields in the event source for BMC Control SA
- APAR: IZ83586
- SYMPTOM: Import of event sources with non-english name fails on non-english locale.
- APAR: IZ80767
- SYMPTOM: Custom reports using non-existing or incorrect aspect keys duplicate events
- APAR: IZ78126
- SYMPTOM: Migration tool crash with large number of files in the depot
- APAR: IZ80926
- SYMPTOM: TSIEM 2.0 64bit : NON IBM Java environment create problem with platformplugger
- APAR: IZ74077
- SYMPTOM: Time stamp is incorrect for some ITDS events
- APAR: IZ77548
- SYMPTOM: PDF report of the compliance dashboard doesn't contain the expected appearance it used to have
- APAR: IZ77930
- SYMPTOM: TAMeB ES - Positive Timezones "+" are reflected as if they were added nine more hours
- APAR: IZ80769
- SYMPTOM: Events by Type report switch information of columns Policy Exception and Special Attention events
- APAR: IZ86024
- SYMPTOM: Incorrect display of Group Name when modifying its significance
- APAR: IZ80768
- SYMPTOM: No manual steps to clean up Windows system manually after failed TSIEM installation
- APAR: IZ78414
- SYMPTOM: Policy Editor must not round the time values when creating/ updating WHEN requirements
- APAR: IZ86004
- SYMPTOM: Who aspect in eventlist should contain logonname and if logonname is different than realname, not the latter {2}
- APAR: IZ86004
- SYMPTOM: TSIEM 2.0 Admin Guide uses incorrect file name of alert.mib
- APAR: IZ85345
- SYMPTOM: It is not possible to add aspect key column with underscore character to a custom report
- APAR: IZ86720
- SYMPTOM: Splitter tool must produce event record timestamp according to English location format
Additional fixes in fix pack 2.0.0-TIV-TSIEM-FP004
- Windows Server 2008 R2, SUSE Linux Enterprise Server 11, and Red Hat Enterprise Linux 5.5 are now supported for TSIEM servers.
- The associated event sources have been updated to support these new operating system
platforms.
- TSIEM00020910
- Added support to collect logs from DB2 version 9.7.
- Following event sources have been renamed:
- "IBM DB2 9.5" to "IBM DB2 9.5 - 9.X"
- "IBM DB2 9.5 through SSH" to "IBM DB2 9.5 - 9.X through SSH"
- "Grouping IBM DB2 9.5" to "Grouping IBM DB2 9.5 - 9.X"
- "Grouping IBM DB2 9.5 through SSH" to "Grouping IBM DB2 9.5 - 9.X through SSH"
- TSIEM00020910
- The Red Hat Enterprise Linux event source has been deprecated and replaced by the Linux Auditing Framework event source.
- TSIEM00020910
- New event source added: Linux Auditing Framework and relevant user information source.
- Supported versions are:
- Red Hat Enterprise Linux versions 5.0, 5.1, 5.2, 5.3, 5.4, and 5.5
- SUSE Linux Enterprise Server version 11
- Event Source (ES) name: "Linux Auditing Framework"
- User Information Source (UIS) name: "Grouping Linux Auditing Framework"
- TSIEM00020910
- Introduction of support for Tivoli Identity Manager version 5.1
- TSIEM00020533
- Update for "Microsoft Windows Server 2000-2008 Active Directory user information source". New "Data Filter File" property added.
Problems fixed by interim fix 2.0.0-TIV-TSIEM-IF001
- APAR IZ74981
- SYMPTOM: Searcher performance is worse than in TCIM8.5
- APAR IZ75009
- SYMPTOM: TCR Database Activity Summary Report cannot see any events from: Microsoft SQL Server 2000-2008 and db2 8.1-9.3 SP3
- APAR IZ74999
- SYMPTOM: Japanese ciflogs\agent.log gets partially garbled
- APAR IZ75000
- SYMPTOM: DB2 audit trail collection failure for Japanese DB2 9.5 on AIX 6.1
- APAR IZ74982
- SYMPTOM: Hourly load with map-at-collecttime potentially missing chunks
- APAR IZ75005
- SYMPTOM: Re-attach of audited machine does not work
Consider the following before installing the fix pack:
- Tivoli Security Information and Event Manager version 2.0.0.0 - 2.0.0.6 must already be installed on the system.
- Make a backup of your Tivoli Security Information and Event Manager installation before installing the fix pack. See the backup procedure for details on performing a backup. If the installation of the fix pack fails, you might need to restore the system using your backup copy.
- Do NOT use fixpack's Uninstallation and Resume functions under any circumstances!
If the fix pack installation fails do NOT use the resume function. It will break the installation. In case of fix pack installation failure please restore the previously backed up and working TSIEM version and try to install the fix pack again.
Do NOT use the fixpack's uninstallation feature, as it will uninstall the whole TSIEM installation, not only the latest fix pack. If you wish to move back to the previous TSIEM version please restore it from the backup using the exact steps from the restore procedure.
- Compliance management module compatibility with previous versions
If your TSIEM installation is at the level TSIEM 2.0.0.0 through 2.0.0.3 GA,
then you must reinstall any compliance management modules that you have on your system after installing fix pack 7.
In this situation, after installing fix pack 7, use the updated installation media provided with the
2.0.0.4 Manufacturing refresh to reinstall the compliance management modules.
The updated installation media can be obtained from Passport Advantage. Refer to the download document for details.
If, during PCI installation, you encounter a report that the Normalization Component was not installed, please ignore it.
- In a cluster environment, the fix pack must be applied to the Security Server first, and then on the
remaining systems in the cluster. Only one system can be upgraded at a time.
All systems in a Tivoli Security Information and Event Manager cluster must have fix pack 7 installed. The
Security Server system must be upgraded first. After the Security Server has been upgraded, you can update
the other systems in the cluster. During the upgrade process, no TSIEM activity can be occurring in the cluster.
- Fix pack installation must not interfere with the daily maintenance restart task.
Keep in mind that if the daily maintenance restart task is triggered while the fix pack is being installed, it may damage the TSIEM installation and the system may stop working as a result. Schedule the fix pack installation so that it does not interfere with the daily maintenance restart task. You can also change the schedule of the daily maintenance restart task to avoid the conflict.
- Please make sure that there are no reporting database loads scheduled for the period when the fix pack will be installed.
Before installing this fix pack on a Tivoli Security Information and Event Manager server, you must
do the following:
Servers running on Microsoft Windows systems
Using the Services console on the Windows server:
- Stop all TSIEM services:
  - All services starting with 'IBM Tivoli Security Information and Event Manager - Event Mapper'
  - IBM TSIEM - SIM Auth Daemon
  - IBM TSIEM - SIM Server
  - All services starting with 'IBM TSIEM - Indexer'
  - Tivoli Integrated Portal – TIPProfile_Port_16310
- Remove all files and directories from TSIEM_HOME\tip\profiles\TIPProfile\wstemp
- Stop all TSIEM DB2 services:
  - DB2 - CIFCOPY - CIFINST-0
- Restart all TSIEM DB2 services.
- Start the TIP service:
  - Tivoli Integrated Portal – TIPProfile_Port_16310
- Ensure services with names similar to the following are started:
  - IBM Tivoli Directory Admin Server V6.2 – idsinst
  - IBM Tivoli Directory Server Instance V6.2 – idsinst
  - DB2 – IDSCOPY – IDSINST
  - DB2 – CIFCOPY – CIFINST-0
  - Tivoli Integrated Portal – TIPProfile_Port_16310
Servers running on AIX or Linux systems
Run the following scripts, located in the /etc/init.d directory on Linux systems or the /etc/rc.d/init.d directory on
AIX systems, as root:
- Stop all TSIEM Services:
  - ./tsiem_sim_service.sh stop
  - ./tsiem_tip_service.sh stop
- Remove all files and directories from ${TSIEM_HOME}/tip/profiles/TIPProfile/wstemp
- Stop all TSIEM DB2 services:
  - ./tsiem_db2_service.sh stop
- Start all TSIEM DB2 services:
  - ./tsiem_db2_service.sh start
- Start the TIP Service:
  - ./tsiem_tip_service.sh start
- Ensure that TSIEM services are running:
  - ./tsiem_ldap_service.sh status
  - ./tsiem_tip_service.sh status
  To verify that DB2 started successfully on a TSIEM system, look in the ${TSIEM_HOME}/sim/server/log/DB2_StartOutput.log file.
  To verify that TIP started successfully on a TSIEM system, look in the ${TSIEM_HOME}/tip/profiles/TIPProfile/logs/server1/startServer.log file.
- Ensure that TSIEM services are not running:
  - ./tsiem_sim_service.sh status
Tivoli Security Information and Event Manager clusters
If you have multiple servers running Tivoli Security Information and Event Manager in a cluster, for example, one Enterprise
Server and three Standard Servers, you must perform the above procedure on all systems in the cluster before proceeding.
After you have completed these steps on all servers, you can begin to install the fix pack. Start with the Security Server.
After you have installed the fix pack on the Security Server, you can install the fix pack on one of the other
servers in the cluster. Continue installing the fix pack on each of the other servers until all servers have been upgraded to
fix pack 7.
Installing the server fix pack on a Microsoft Windows system
To install the fix pack on a Microsoft Windows server system:
- Extract the files from the 2.0.0-ISS-TSIEM-SRV-Multi-FP007.zip file to a temporary directory on the Windows system.
It is advised to use the console mode connection when using remote desktop to connect to the server, e.g. mstsc /console
- Install the fix pack by running the Launcher.bat file.
The fix pack installation program determines which Tivoli Security Information and Event Manager components are
installed on the system and applies the necessary updates to those components.
To uninstall the fix pack:
- Go to the <TSIEM_HOME>\_uninst\FP007 directory
- Run uninstall.exe
Installing the server fix pack on an AIX or Linux system
To install the fix pack on an AIX or Linux server system:
- Extract the files from the 2.0.0-ISS-TSIEM-SRV-Multi-FP007.zip file to a temporary directory on the system.
- Modify the permission attributes of all extracted files in the temporary directory by issuing the following command: chmod -R 755 <temp_dir>
- Install the fix pack by running the Launcher.sh script.
The fix pack installation program determines which Tivoli Security Information and Event Manager components are
installed on the system and applies the necessary updates to those components.
To uninstall the fix pack:
- Go to the <TSIEM_HOME>/_uninst/FP007 directory.
- Run uninstall
Installing the agent fix pack on a Microsoft Windows system
To apply the agent fix pack to a Microsoft Windows system:
- Make a backup copy of the existing agent installation folder.
Note: You cannot uninstall the agent fix pack after it has been applied. Use your backup to restore the system, if necessary.
- Extract the files from the 2.0.0-ISS-TSIEM-ACT-Win32-FP007.zip file to a temporary directory on the Windows system.
It is advised to use the console mode connection when using remote desktop to connect to the server, e.g. mstsc /console
- Install the fix pack by running the apply.bat file.
Installing the agent fix pack on an AIX system
To apply the agent fix pack to an AIX system:
- Make a backup copy of the existing agent installation folder, /opt/IBM/tsiem/actuator.
Note: You cannot uninstall the agent fix pack after it has been applied. Use your backup to restore the system, if necessary.
- Transfer the 2.0.0-ISS-TSIEM-ACT-AIX-FP007.tar.gz file to a temporary directory on the AIX system by using FTP in binary mode.
- Extract the files from the upgrade package:
# gzip -dc 2.0.0-ISS-TSIEM-ACT-AIX-FP007.tar.gz | tar xvfp -
- Apply the fix pack package. (The default installation directory is assumed.)
# sh apply.sh /opt/IBM/tsiem/actuator
- Verify that the agent has started by inspecting the list of active processes:
# ps -ef | grep agent
- An additional action may be needed regarding the agent respawn option. To avoid high CPU and disk space usage by the agent, review the technote "TSIEM Agent on AIX respawns rapidly - high CPU usage and /var/adm/wtmp grows large in size".
Installing the agent fix pack on an HP-UX system
To apply the agent fix pack to an HP-UX system:
- Make a backup copy of the existing agent installation folder, /opt/IBM/tsiem/actuator.
Note: You cannot uninstall the agent fix pack after it has been applied. Use your backup to restore the system, if necessary.
- Transfer the 2.0.0-ISS-TSIEM-ACT-HPUX-FP007.tar.gz file to a temporary directory on the HP-UX system, via FTP in binary mode.
- Extract the files from the upgrade package:
# gzip -dc 2.0.0-ISS-TSIEM-ACT-HPUX-FP007.tar.gz | tar xvfp -
- Apply the fix pack package. (The default installation directory is assumed.)
# ./apply.sh /opt/IBM/tsiem/actuator
- Verify that the agent has started by inspecting the list of active processes:
# ps -ef | grep agent
Installing the agent fix pack on a Solaris system
To apply the agent fix pack to a Solaris system:
- Make a backup copy of the existing agent installation folder, /opt/IBM/tsiem/actuator.
Note: You cannot uninstall the agent fix pack after it has been applied. Use your backup to restore the system, if necessary.
- Transfer the 2.0.0-ISS-TSIEM-ACT-SolarisSparc-FP007.tar.gz to a temporary directory on the Solaris system by using FTP in binary mode.
- Decompress the upgrade package:
# gzip -dc 2.0.0-ISS-TSIEM-ACT-SolarisSparc-FP007.tar.gz | tar xvfp -
- Apply the fix pack package. (The default installation directory is assumed.)
# sh apply.sh /opt/IBM/tsiem/actuator
- Verify that the Actuator agent has started by inspecting the list of active processes:
# ps -ef | grep agent
Installing the agent fix pack on a z/OS system
To install the agent on a z/OS system, follow the guidelines in the
Security zSecure Suite: CARLa-Driven Components "Installation and Deployment Guide"
in the IBM Security zSecure information center.
Reorganized TIP portlets after installing the fix pack.
After the fix pack has been installed, it is possible that the Tivoli Integrated Portal (TIP) might
reorganize the portlets on its sidebar. If this reorganization occurs, the TIP menu items might not appear
where expected. You can fix this situation by using a tool provided with TSIEM. Log in to TIP using the TIPADMIN
account, and then go to the Settings->Page Management menu item to use the tool.
Compliance management module compatibility with previous versions
If your TSIEM installation is at the level TSIEM 2.0.0.0 through 2.0.0.3 GA,
then you must reinstall any compliance management modules that you have on your system after installing fix pack 7.
In this situation, after installing fix pack 7, use the updated installation media provided with the
2.0.0.4 Manufacturing Refresh to reinstall the compliance management modules.
The updated installation media can be obtained from
Passport Advantage. Refer to the
download document for details.
If the PCI installation reports that the Normalization Component was not installed, ignore the message.
Changing the SSL port number used by the Tivoli Integrated Portal (TIP)
The default port number for SSL communications in the Tivoli Integrated Portal (TIP) was changed in the 2.0.0.4
Manufacturing Refresh to be 16316. Prior to the 2.0.0.4 Manufacturing Refresh, TIP used the standard SSL port number of 443
on Windows servers.
Installing fix pack 7 on an existing Tivoli Security Information and Event Manager system does not change
the port number.
If you wish to change the port number on an existing Windows-based TSIEM server to be 16316, do the following:
- Ensure that the TIP service, Tivoli Integrated Portal – TIPProfile_Port_<number>, is running. If it
is not running, start it.
- Open a command window and change to the <TSIEM_HOME>\tip\profiles\TIPProfile\bin directory.
- Run the following command:
wsadmin.bat -lang jython -username <tipadmin_user_name> -password <tipadmin_password> -f ./updatePortsTIP.py
- Stop TIP
- Start TIP
- Open a web browser and enter this URL to log in using the new port number:
https://<host_name>:16316/ibm/console
Management portlets do not work on Linux/Unix platforms after fix pack installation
If the Management portlets do not work on Linux/Unix platforms after the fix pack installation, check the "Management portlets could not work on Linux/Unix platforms" section
in the Known problems and workarounds section.
Fix pack 7 documentation updates
TSIEM00022859: DOC/ES: Problem with collecting ES SAP ABAP at Solaris OS
To successfully collect from the SAP Netweaver Application Server ABAP 6.10-7.0 through SSH ES on Solaris, the correct versions of both the fold and tr commands must be available.
You may need to install textutils 1.22:
1) Download the package from ftp://ftp.sunfreeware.com/pub/freeware/sparc/2.6/textutils-1.22-sol26-sparc-local.gz
2) Gunzip the downloaded package
3) Install the gunzipped content using pkgadd -d textutils-1.22-sol26-sparc-local
4) In /usr/bin, make a backup of the fold and tr files (for example, rename them to fold.old and tr.old)
5) Link fold and tr from /usr/local/bin into the /usr/bin directory by running the following from /usr/bin:
ln -s /usr/local/bin/fold fold
ln -s /usr/local/bin/tr tr
6) In the TSIEM console edit the SAP Netweaver Application Server ABAP 6.10-7.0 through SSH ES properties and set UTF-16BE encoding for both "Text encoding for collect" and "Text encoding for audit trial" options.
Fix pack 6 documentation updates
TSIEM00022526: DOC: Pie Chart does not have labels and the Bar Chart labels are cut
The Pie Chart element count is limited to 17 elements. A higher number of elements makes the chart unreadable: the percentage values either overlap with the color legend or are hidden below the layout of the picture.
TSIEM00022618: ES/DOC: TSIEM 2.0.1 AIX log collection fails with Error 253, caused due to an empty "working" file
Please review the technote "TSIEM 2.0 AIX Remote Collect fails with Error 253 due to empty working file" for a description of the problem cause, diagnosis and resolution instructions.
Note: The new version of the collect script is included in the FP6 as well.
TSIEM00022722: DOC: Enabling and disabling of respawn functionality for TSIEM agent on AIX
A HANGUP signal sent to the TSIEM agent's startup script may cause a continuous cycle of start and exit of /etc/ibm.tsiem.actuator (and therefore of the TSIEM agent). This leads to high CPU and disk space usage.
Please review the technote "TSIEM Agent on AIX respawns rapidly - high CPU usage and /var/adm/wtmp grows large in size" for a description of the problem cause, diagnosis and resolution instructions.
TSIEM00022758: DOC: Export audit data documentation should precise policy export
The fix for the IV02697 APAR (Audit Data Export Task exports a committed policy, which is still in use by the customer) changes the behaviour of the Export Audit Data feature.
Now, if a committed policy belongs to the time period that is being exported, it will be copied to the export folder.
Note: The fix for the IV02697 APAR is included in the FP6 as well.
TSIEM00022615: DOC: Adding TSIEM user to correct group to allow collect IDS logs
When the Informix Dynamic Server is installed on a Unix system, add the TSIEM user to the "informix" group to allow log collection.
When the Informix Dynamic Server is installed on a Windows system, add the TSIEM user to the "Informix-Admin" group to allow log collection.
TSIEM00022751: DOC : TSIEM Migration from TCIM85 to TSIEM2004 MR failed
When migrating from TCIM 8.5 to TSIEM, migrate to the 2.0.0.0 GA version first and then install the desired fix pack level.
Migration from TCIM 8.5 directly to TSIEM 2.0.0.4 MR fails.
Fix pack 5 documentation updates
APAR: IV05046
SYMPTOM: DOC: Instructions for moving the DB2 instance of TSIEM 2.0 are not correct.
The instructions given in the link "Moving Db2 instance" for moving the DB2 instance of TSIEM 2.0 are not correct.
According to the link, the reloc.cfg file is supposed to contain the following, which is not correct:
DB_NAME=CIFDB
DB_PATH=C:,F:
INSTANCE=CIFINST
STORAGE_PATH=C:,F:
reloc.cfg should actually contain the following:
DB_NAME=CIFDB
DB_PATH=C:\,F:\
INSTANCE=CIFINST
STORAGE_PATH=C:\,F:\
LOCAL FIX:
Change the following lines in the reloc.cfg file as shown:
DB_PATH=C:,F:
STORAGE_PATH=C:,F:
TO
DB_PATH=C:\,F:\
STORAGE_PATH=C:\,F:\
APAR: IZ97253
SYMPTOM: TSIEM 2.0 Documentation change request in Admin Guide -Backing up DB2 database: executing db2stop and db2start commands- within Windows 2008; UAC enabled.
Customers usually have Windows 2008 UAC turned on, which makes db2stop and db2start end with error SQL1092N.
LOCAL FIX:
- From the \ibm\tsiem\db2\bin directory, right-click the db2start file and select Properties.
- Select the Compatibility tab.
- Click the -Show settings for all users- button.
- In the Privilege level section, enable -Run this program as an administrator-.
- Repeat the above steps for the db2stop file.
After enabling the privilege, you can run the db2stop and db2start commands.
TSIEM00022466: DOC: The password for cifdbadm longer than 8 characters causes installation failure.
In a TSIEM cluster deployment, take the password length for the DB2 admin user into account.
If the TSIEM Security Server is going to be installed on a Windows platform and there is a TSIEM Grouped Server
on AIX, the DB2 admin password should not exceed 8 characters.
TSIEM00021623: DOC: For ESs using cyclic buffer as a log records storage, TSIEM won't discover some records are overridden
SYMPTOM: DOC: For ESs using cyclic buffer as a log records storage, TSIEM won't discover some records are overridden
For ESs using a cyclic buffer as log record storage, TCIM won't discover that some records are overridden.
The log continuity report won't report this either.
Japanese ciflogs\agent.log gets partially garbled
TSIEM logs have to be viewed in UTF-8 encoding.
Some native Windows tools, such as notepad.exe and wordpad.exe, detect the correct encoding of the files they view. Although some ciflog files are correctly recognized, the encoding deduction algorithm does not work correctly in all cases. Use UTF-8 enabled viewers to display the ciflog files.
Installing a component after installing the fix pack
If you install a Tivoli Security Information and Event Manager component
to the system after the fix pack has been applied, you must use the updated
installation media from the 2.0.0.4 Manufacturing Refresh and you must
reinstall the fix pack on that system. This sequence ensures that all installed
components are at the same service level.
To install a Tivoli Security Information and Event Manager component to the system after
fix pack 7 has been applied, use the updated installation media from the 2.0.0.4 Manufacturing Refresh. The
components on the updated installation media are at the 2.0.0.4 version level.
Installing FP7 on Russian-language operating systems
When FP7 is installed with the Russian language selected, the installation fails at the last installation step, even if the installation was actually successful.
To prevent this issue, perform the FP7 installation using the English language.
Windows domain installation considerations
To install a TSIEM server on a system that is part of a Microsoft Windows domain,
you must perform the following steps before starting the installation program.
- Create a domain group called CIFUsers.
- Create a domain group called CIFUsersGlobal.
This domain group must be a member of both the CIFUsers and Administrators domain groups.
- Create a user ID called cifadmin.
The cifadmin user must be a member of the CIFUsersGlobal domain group, and a member of the domain users group.
- Run the installation program from a user ID that is a member of the domain Administrators group.
Stopping actuator.exe processes
In rare situations, the SIM service on Windows servers might not kill the actuator.exe processes when the service is stopped.
If these processes are not stopped, the fix pack installation might fail. You can kill the processes
manually using the Task Manager. After the processes have been killed, restart the installation of the
fix pack.
z/OS pax file
The 2.0.0.0 and MR 2.0.0.3 versions of the z/OS pax file were built incorrectly (see APAR IZ76941). With the
introduction of the 2.0.0.4 Manufacturing Refresh, this problem has been fixed. Fix pack 2.0.0-ISS-TSIEM-FP007
provides a new version of the z/OS agent.
To install the agent on a z/OS system, follow the guidelines in the
Security zSecure Suite: CARLa-Driven Components "Installation and Deployment Guide"
in the IBM Security zSecure information center.
SSL Handshake Failure in TIP eWAS after reregistering Grouped Standard Server to Security Enterprise Server
After reregistering a Grouped Standard Server to the Security Enterprise Server with the same hostname, a "No trusted certificate found" in NodeDefaultSSLSettings error may be written to the SystemOut.log file on the TIP Server.
In this case, additional steps are required. They are described in the technote "SSL Handshake Failure in TIP eWAS SystemOut.log".
Management portlets could not work on Linux/Unix platforms
After fix pack installation or a machine reboot, the Management portlets might not work on Linux/Unix. In that case, verify that all TSIEM services are in the running state.
In some rare cases the command
# tsiem_sim_service.sh status
can return inaccurate results and indicate that all SIM components are running when they are not.
To verify this, check the usage of the server's agent port with the following command:
# netstat -an | grep 5992
If the above command produces no output, perform the following actions.
On Linux:
/etc/init.d/tsiem_sim_service.sh stop
On AIX:
/etc/rc.d/init.d/tsiem_sim_service.sh stop
If the above command returns Error 5 or 6 on the standard output, repeat the step once more.
After a clean shutdown, start the SIM module again using the following command:
On Linux:
/etc/init.d/tsiem_sim_service.sh start
On AIX:
/etc/rc.d/init.d/tsiem_sim_service.sh start
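The port check and restart sequence above as a script, added here as an example and not part of the IBM fix pack. It parses netstat -an output so that only a TCP listener on exactly port 5992 counts, and repeats the stop once on Error 5 or 6. The function names and sample netstat lines are constructed, and matching the literal text "Error 5" / "Error 6" is an assumption about the script's output.

```shell
#!/bin/sh
# Added example, not IBM code. Port 5992 and the init-script paths are taken
# from the README; function names and sample netstat lines are constructed.

AGENT_PORT=5992

# Reads `netstat -an` output on stdin and succeeds only if a TCP socket in
# LISTEN state is bound to exactly port $1. A bare `grep 5992` would also
# match foreign addresses, other states, and ports such as 59920.
port_is_listening() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, parts, "[.:]")   # Linux addr:port, AIX addr.port
            if (parts[n] == port) found = 1
        }
        END { exit !found }'
}

# Runs the stop command given as arguments. If its standard output mentions
# Error 5 or Error 6, runs it once more, as the README instructs.
# Assumption: the script prints the literal text "Error 5" or "Error 6".
# Returns 1 if the error is still reported after the retry.
stop_with_retry() {
    out=$("$@") || true
    case $out in
        *"Error 5"*|*"Error 6"*) out=$("$@") || true ;;
    esac
    printf '%s\n' "$out"
    case $out in
        *"Error 5"*|*"Error 6"*) return 1 ;;
    esac
    return 0
}

# Init-script location per platform, as listed in the README.
sim_script_path() {
    case $(uname -s) in
        AIX) echo /etc/rc.d/init.d/tsiem_sim_service.sh ;;
        *)   echo /etc/init.d/tsiem_sim_service.sh ;;
    esac
}

# Restarts SIM only when nothing listens on the agent port, and starts it
# again only after a clean stop.
recover_sim() {
    if netstat -an | port_is_listening "$AGENT_PORT"; then
        echo "agent port $AGENT_PORT is listening; no action taken"
        return 0
    fi
    script=$(sim_script_path)
    stop_with_retry "$script" stop || return 1
    "$script" start
}

# Constructed sample: Linux host where `grep 5992` matches but no listener exists.
sample_linux_down() { cat <<'EOF'
tcp        0      0 0.0.0.0:59920      0.0.0.0:*          LISTEN
tcp        0      0 10.0.0.5:48112     10.0.0.9:5992      ESTABLISHED
EOF
}

# Constructed sample: AIX host with a real listener on the agent port.
sample_aix_up() { cat <<'EOF'
tcp4       0      0  *.5992             *.*                LISTEN
EOF
}

sample_linux_down | port_is_listening "$AGENT_PORT" || echo "Linux sample: restart needed"
sample_aix_up | port_is_listening "$AGENT_PORT" && echo "AIX sample: listening"
# On a TSIEM server, run as root: recover_sim
```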
Troubleshooting
All of the workarounds described in the
TSIEM 2.0.0.4 Troubleshooting Guide are applicable for fix pack 7 troubleshooting.
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this
document in other countries. Consult your local IBM representative for
information on the products and services currently available in your area. Any
reference to an IBM product, program, or service is not intended to state or
imply that only that IBM product, program, or service may be used. Any
functionally equivalent product, program, or service that does not infringe
any IBM intellectual property right may be used instead. However, it is the
user's responsibility to evaluate and verify the operation of any non-IBM
product, program, or service. IBM may have patents or pending patent
applications covering subject matter described in this document. The
furnishing of this document does not give you any license to these patents.
You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the
IBM Intellectual Property Department in your country or send inquiries, in
writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law: INTERNATIONAL
BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT
WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR
A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions; therefore, this statement may not
apply to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this
IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the
purpose of enabling: (i) the exchange of information between independently
created programs and other programs (including this one) and (ii) the mutual
use of the information that has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and
conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer
Agreement, IBM International Program License Agreement or any equivalent
agreement between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments
may vary significantly. Some measurements may have been made on
development-level systems and there is no guarantee that these measurements
will be the same on generally available systems. Furthermore, some measurements
may have been estimated through extrapolation. Actual results may vary. Users
of this document should verify the applicable data for their specific
environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available
sources. IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
All statements regarding IBM's future direction or intent are subject to
change or withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include
the names of individuals, companies, brands, and products. All of these names
are fictitious and any similarity to the names and addresses used by an actual
business enterprise is entirely coincidental.
The following terms are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both:
AIX
IBM
IBM logo
iSeries
pSeries
OS/390
Tivoli
Tivoli logo
xSeries
zSeries
z/OS
Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either
registered trademarks or trademarks of Adobe Systems Incorporated in the
United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks of
Sun Microsystems, Inc. in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and
other countries.
Other company, product, and service names may be trademarks or service marks
of others.