IBM® Tivoli® Federated Identity Manager, Fix Pack 6.2.2-TIV-TFIM-FP0002 README

©Copyright International Business Machines Corporation 2008, 2012. All rights reserved. U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

NOTE: Before using this information and the product it supports, read the general information under the Notices section of this document.

Date: Tuesday, 03 July 2012


About the fix pack

This fix pack corrects problems in IBM Tivoli Federated Identity Manager (Federated Identity Manager) and IBM Tivoli Federated Identity Manager Business Gateway (Federated Identity Manager Business Gateway), Version 6.2.2. It requires that Federated Identity Manager or Federated Identity Manager Business Gateway, Version 6.2.2, be installed. After installing this fix pack, your Federated Identity Manager or Federated Identity Manager Business Gateway installation will be at level 6.2.2.2.


IMPORTANT NOTICE

Possible security exposure with IBM WebSphere Application Server with WS-Security enabled applications using LTPA tokens (CVE-2011-1377)

The security that the IBM WebSphere Application Server provides might be weaker than expected when using web services security (WS-Security). A user might randomly gain elevated privileges on the provider system. WS-Security might assign the identity of a previously processed LTPA token to a new inbound LTPA token after authentication. This impacts applications using either JAX-WS or JAX-RPC.

Versions affected:

  • IBM WebSphere Application Server, all platforms, Versions 8.0 through 8.0.0.2, 7.0 through 7.0.0.21, and 6.1 through 6.1.0.41, 6.0.2 through 6.0.2.43.
  • IBM WebSphere Application Server Feature Pack for Web Services Versions 6.1.0.9 through 6.1.0.39.

The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the fix, access http://www.ibm.com/support/docview.wss?uid=swg21587536

Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.

Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed fix installation instructions.


Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476)

This security alert addresses a serious security issue: CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability might cause the Java Runtime Environment to hang, go into an infinite loop, and/or crash resulting in a denial of service exposure. The JRE might hang if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program using the Double.parseDouble method is also at risk of this exposure including any customer written application or third party written application.

The following products contain affected versions of the Java Runtime Environment:

  • IBM WebSphere Application Server Versions 7.0 through 7.0.0.13 for Distributed, i5/OS and z/OS operating systems.
  • IBM WebSphere Application Server Versions 6.1 through 6.1.0.35 for Distributed, i5/OS and z/OS operating systems.
  • IBM WebSphere Application Server Versions 6.0 through 6.0.2.43 for Distributed, i5/OS and z/OS operating systems.

The same iFix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the iFix access http://www.ibm.com/support/docview.wss?uid=swg21462019

Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.

Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.


JAVA.LANG.RUNTIMEEXCEPTION: SRV.8.2: REQUESTWRAPPER OBJECTS MUST EXTEND SERVLETREQUESTWRAPPER OR HTTPSERVLETREQUESTWRAPPER (PM10357)

APAR PM10357 is reported against WebSphere Application Server (WAS) v6.1. As a result of this APAR, operations in the IBM Tivoli Federated Identity Manager Management Console can fail with the following exception observed in the log if the Management Console is deployed on an affected version of WAS v6.1:

java.lang.RuntimeException: SRV.8.2: RequestWrapper objects must extend ServletRequestWrapper or HttpServletRequestWrapper

Examples of operations that can fail include:
  • Importing a keystore file
  • Loading a mapping rule

Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.

The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager.

The IBM WebSphere Update Installer (WUI) must be used to apply the fix. If the WUI has not previously been installed, download the WUI from http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.


Fix pack contents and distribution

This fix pack package contains:

  • The fix pack zip file.
  • This README.

This fix pack is distributed as an electronic download from the IBM Support Web Site.


Architecture

This fix pack package supports the same operating system releases that are listed in the Hardware and software requirements topic for Federated Identity Manager Version 6.2.2.


Fix pack structure

Federated Identity Manager consists of the following components that can be installed separately:

  • Administration console
  • Management service and runtime component
  • Web services security management (WSSM)
  • WS-provisioning runtime
  • Internet information services (IIS) Web plug-in
  • Apache/IBM HTTP Server Web plug-in
  • IBM Support Assistant plugin

This fix pack applies only to the administration console, management service and runtime component, and Web Services Security Management (first three components listed above) and the Web plug-in (Internet information services, Apache/IBM HTTP Server Web plug-in) components. These components must be at the same level. For example, if you install a fix pack for the management service and runtime component, you must install the corresponding fix packs for the administration console and WSSM components. If all three components are not at the same fix pack level, they are not guaranteed to interoperate with each other as designed.


APARs and defects fixed

Problems fixed by fix pack 6.2.2-TIV-TFIM-FP0002

The following problems are corrected by this fix pack. For more information about the APARs listed here, see the Tivoli Federated Identity Manager support site.

IV23423
SYMPTOM: Improve SAML signature conformance

IV23435
SYMPTOM: Improve signature conformance

IV23451
SYMPTOM: Improve OpenID signature conformance

IV21908
SYMPTOM: TFIM invalidates the AuthnRequest message when the Assertion Consumer Service URL doesn't exactly match the configured URL. (See the documentation updates for APAR IV21908)

IV21963
SYMPTOM: The STSUUSER principal does not match the incoming subject name id of the assertion. (See the documentation updates for APAR IV21963)

IV21960
SYMPTOM: The 'Federate this account link' is incorrectly generated as null?RelayState= in the ivtapp's federations.jsp page of the identity provider.

IV19945
SYMPTOM: The TFIM USC feature generates a validation email message that contains a link to complete the enrollment flow. That link is passed as a macro to the email template when generating the email. If the customizer wants to modify the flow by changing the link location, the email template file must be edited to point somewhere else, and the nonce must be added to the query string of that link. With the current macros this is difficult to achieve because the nonce is not provided as a separate macro. (See the documentation updates for APAR IV19945.)

IV17419
SYMPTOM: The TFIM SPS is missing HTTP methods that are required for certain protocols to work. For example, REST protocols need at a minimum GET, POST, PUT, and DELETE. This fix corrects the issue and also ensures that if existing delegates are called using previously unsupported methods, the returned status code is 405, the same as before the change.

IV19827
SYMPTOM: The TFIM Single Sign On protocol service (SPS) SAML 2.0 protocol implementation allows a customer to use the 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' name identifier for single sign on. By default TFIM treats a 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' name identifier as a 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' name identifier unless the default name identifier is set to another type such as emailAddress. The Single Logout operation incorrectly queries the alias service if the unspecified name identifier is used and the default name identifier is set to email. (See the documentation updates for APAR IV19827.)

IV19593
SYMPTOM: Unable to initialize CARS audit event handler plugin when the CARS webservice URL is an HTTPS endpoint.

IV19846
SYMPTOM: In the IBM Tivoli Federated Identity Manager Web Service Security Management Configuration Guide, a method is provided on how to associate the shared library with a server. This method cannot be used if FSSO is configured in the same WebSphere Application Server. A new method that associates the shared library with the web service provider or requester is documented. This new method does not have the same limitation. (See the documentation updates for APAR IV19846.)

IV19850
SYMPTOM: A command cited in the installation documentation contains a typographical error. (See the documentation updates for APAR IV19850.)

IV16979
SYMPTOM: The BASE64 encoded token generated by the IVCred STS module is split into multiple lines. This is not desirable in some cases. (See the documentation updates for APAR IV16979.)

IV18104
SYMPTOM: No error message is reported when importing SAML 2.0 IDP or SP whose metadata contains Organization element with no OrganizationURL element.

IV16948
SYMPTOM: SLO fails when two SPs are authenticated using the same session index and both SP federations are on the same TFIM domain.

IV18112
SYMPTOM: The STS obtains the base security token for execution from either the base element on the RequestSecurityToken message or from the WS-Security tokens included on the soap headers. Tivoli Federated Identity Manager will take the first WS-Security token found on the soap header. After this modification the SAML STS modules will look for the appropriate token type included on the WS-Security headers when the change is enabled. (See the documentation updates for APAR IV18112.)

IV16977
SYMPTOM: Certain points of contact that use the external authentication interface do not recognize the identity of the user that is set by Tivoli Federated Identity Manager in the response HTTP header (typically, "am-fim-eai-user-id"), since these points of contact are not aware that TFIM URL-encodes this identity. In such cases, TFIM should not URL-encode this identity.

IV16994
SYMPTOM: Requests to Tivoli Federated Identity Manager's WS-Trust 1.3 endpoint URL using the ?WSDL parameter to get the WSDL document cause subsequent SOAP services to fail.

IV17595
SYMPTOM: NullPointerException is thrown when sending SAML 2.0 messages (e.g., Logout Request) with invalid IssueInstant attribute.

IV17871
SYMPTOM: The Tivoli Federated Identity Manager STS does not support the RequestType and KeyType elements on the RequestSecurityTokenResponse message. The RequestType value should be set to the value received on the request, and the KeyType should be set to one of the values supported by WS-Trust based on an attribute in the STS universal structure. (See the documentation updates for APAR IV17871.)

IV17875
SYMPTOM: Tivoli Federated Identity Manager is incorrectly processing SAML aliases with certain directory servers.

IV17870
SYMPTOM: Unable to customize the error page for error FBTSPS061E as there is no event mapping associated with this event.

IV17609
SYMPTOM:
  1. When creating an identity provider federation, the OAuth 1.0 and OAuth 2.0 options are erroneously displayed.
  2. OAuth 1.0 and OAuth 2.0 federations do not provide identity information to the STS for use in mapping rules.
  3. Macro replacement is not available on OAuth 1.0 or OAuth 2.0 pages.
  4. POST is not supported at OAuth authorize endpoints.
  5. Tivoli Access Manager config utility (tfimcfg.jar) does not set '-b ignore' flag for OAuth 2.0 federations.
  6. Updating OAuth 2.0 endpoints in the federations configuration panel can lead to UndeterminableProtocolException at runtime.
  7. When an OAuth 1.0 client requests a temporary token without specifying a realm, uses that temporary token to obtain an access token, and then uses that access token and specifies a realm, Tivoli Federated Identity Manager throws a realm validation exception.
(See the documentation updates for APAR IV17609.)

IV17409
SYMPTOM: The AuthenticatingAuthority sub-element in the SAML AuthnContext is not available in Tivoli Federated Identity Manager. (See the documentation updates for APAR IV17409.)

IV17413
SYMPTOM: RelayState URL encoding and decoding in SAML 2.0 unsolicited SSO can only be configured at the global level. Support for federation and partner level configuration is required. (See the documentation updates for APAR IV17413.)

IV17403
SYMPTOM: The sample TDI mapping rule is missing the AuthenticatingAuthority attribute.

IV17412
SYMPTOM: Tivoli Access Manager WebSEAL failover cookies do not work when Tivoli Federated Identity Manager is configured to generate IV credential tokens without using PDAcld. (See the documentation updates for APAR IV17412.)

IV17180
SYMPTOM: The manageItfimPointOfContact CLI does not update the runtime custom properties when deploying Tivoli Federated Identity Manager runtime without providing the point of contact settings override response file.

IV17411
SYMPTOM:
  1. When defining a text field in GUIXML, and setting its default value to a string containing a quotation mark, Tivoli Federated Identity Manager throws an exception when loading the GUIXML page saying that the XML is invalid.
  2. In an STS module which has an 'init' page widget which has a multi-valued TextField, only the first value of the multiple values is displayed when viewing the module instance properties.

IV17485
SYMPTOM: The Tivoli Federated Identity Manager Single Sign On protocol service (SPS) collects the HTTP request information to route the single sign on flow. That information is used to send the request to the appropriate delegate protocol, to generate the response in the appropriate locale, to authenticate the user, and so on. The HTTP request information is successfully consumed by the SPS but is never made available to the Security Token Service (STS). (See the documentation updates for APAR IV17485.)

IV17421
SYMPTOM: The Tivoli Federated Identity Manager HTTP server Web Plugins do not support the latest versions of IIS or Apache/IHS on new operating systems. (See the documentation updates for APAR IV17421.)

IV17422
SYMPTOM: After migrating to Tivoli Federated Identity Manager 6.2.2 from a previous version, OAuth event mappings are not shown in the Event pages. Hence, customization of the template pages is not available. (See the documentation updates for APAR IV17422.)

IV15372
SYMPTOM: The Tivoli Federated Identity Manager Kerberos Delegation STS module does not support running in 64bit JVMs on 64bit versions of Windows. (See the documentation updates for APAR IV15372.)

Before installing the fix pack

Be aware of the following considerations before installing this fix pack:

Installation path specification for the Windows Server 2008 platform
This preinstallation item applies only to installations on a 64-bit Windows platform like Windows Server 2008.

Tivoli Federated Identity Manager is a 32-bit application. Therefore, its default path when installing on Windows Server 2008 changes from

C:\Program Files\IBM\FIM

to:

C:\Program Files (x86)\IBM\FIM

NOTE: Changing the installation path name affects a 32-bit WebSphere Application Server on Windows Server 2008.

C:\Program Files\IBM\WebSphere

changes to:

C:\Program Files (x86)\IBM\WebSphere

Prerequisites
You must have the following software installed to install this fix pack:

  • Federated Identity Manager 6.2.2 and its prerequisites
  • IBM WebSphere Update Installer version 7.0.0.17 (see Update Installer below.)

Runtime and management service

The runtime and management service component requires WebSphere® Application Server to be installed. The following list provides descriptions for various versions of WebSphere Application Server that are compatible with Tivoli® Federated Identity Manager, version 6.2.2.

Install one of the following versions of WebSphere Application Server:

  • Embedded WebSphere Application Server Version 6.1. No preconfiguration is required.
  • WebSphere Application Server Network Deployment Version 6.1 with a minimum level of fix pack 23.
    NOTE: If you use WebSphere Application Server fix pack 29 or fix pack 31, you must also apply the fix for the WebSphere Application Server APAR PM10357.
  • WebSphere Application Server Network Deployment Version 7.0 with fix pack 17.
  • WebSphere Application Server Network Deployment Version 8.0 with fix pack 1.

Update Installer
This fix pack requires the use of the IBM WebSphere Update Installer version 7.0.0.17 or later. Ensure that you have installed the correct version of the IBM WebSphere Update Installer on each computer where you will install the fix pack. You can download the IBM WebSphere Update Installer version 7.0.0.17 from the WebSphere Application Server Update Installer Web site. Installation instructions are on the download page.

Fix pack packaging
This Tivoli Federated Identity Manager 6.2.2-TIV-TFIM-FP0002 patch package is provided on the Tivoli Support website as a single downloadable zip file for each supported platform. After you select the appropriate package for the target platform, download the package and unzip the contents into a target directory. Typically, the default IBM WebSphere Update Installer directory is either of the following:

C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance

for Windows or

/opt/IBM/WebSphere/UpdateInstaller/maintenance

for Unix/Linux

Unzip the downloaded file before you apply the patch. The unzipped contents consist of one or more pak files. Each pak file corresponds to one or more product components. For example, a fix pack might contain two pak files: one for the administration console and management service and runtime components, and one for the WSSM component. The list of product components is included in Fix pack structure.

Use the IBM WebSphere Update Installer to apply the fixes of each pak file to the target component on the system that you are updating. Apply all of the pak files that your installation requires to ensure that the software levels in your environment are identical for all of the components for which a pak file is supplied. The fixes are tested against all affected components. To minimize any possible issue that can arise from applying a partial fix, ensure that you apply the complete set of files. See Installing the fix pack for specific instructions on using Update Installer to apply the fixes.

Automatic creation of a backup directory
The Update Installer saves backup copies of the files that it replaces during the installation. You do not need to manually back up the Federated Identity Manager files.

Installing the fix pack

NOTE: Before installing this fix pack, ensure that you have reviewed the prerequisites in Before installing the fix pack.


Downloading the fix pack

To obtain the fix pack:

  1. Go to the IBM Tivoli Federated Identity Manager Support Web site.
  2. Click Download. The fix pack (6.2.2-TIV-TFIM-FP0002) should be listed under Latest by date. If you do not see this fix pack listed, enter "6.2.2-TIV-TFIM-FP0002" in the Search field to access the link to the download window.
  3. In the fix pack download window, scroll to the bottom of the window to view a listing of the download packages by platform.
  4. Select the platform that corresponds to the target platform where you must apply the fixes. To ensure a secure download, you can select the DD (Download Director) option. If you have not used Download Director before, configure your browser to use Java security. Click What is DD? for configuration instructions.

Setting the WebSphere Application Server security passwords

NOTE: The information provided below is only required for instances where the WebSphere Application Server administrator credentials have been changed since Tivoli Federated Identity Manager was installed. The WebSphere Application Server administrator credentials are retained by the installer so that Federation First Steps works immediately after installation.

If security is enabled on the WebSphere Application Server where Federated Identity Manager is installed, set the appropriate password values in the fim.appservers.properties file before you can apply the fix pack.

If security is not enabled, you can skip this step.

NOTE: If you add passwords to the fim.appservers.properties file, as described below, specify the passwords using plain text. However, at the end of the fix pack installation process the passwords are obfuscated and are no longer available in plain text format.

To specify security passwords, use the following procedure:

  1. Using a text editor, open the file FIM_INSTALL_DIR/etc/fim.appservers.properties.
  2. If the was.security.enabled property is present in the fim.appservers.properties file and is set to true then you must add two password properties to the file:
    • the was.admin.user.pwd property with a value of the administrator login password for the WebSphere Application Server where Federated Identity Management is deployed
    • the was.truststore.pwd property with a value of the password for the trust store used for client-side SSL authentication in that WebSphere Application Server
    For example,
    • was.admin.user.pwd=was_admin_pw
    • was.truststore.pwd=truststore_pw
  3. If the ewas.security.enabled property is present in the fim.appservers.properties file and is set to true then you must add two password properties to the file:
    • the ewas.admin.user.pwd property with a value of the administrator login password for the Embedded WebSphere Application Server where Federated Identity Management is deployed
    • the ewas.truststore.pwd property with a value of the password for the trust store used for client-side SSL authentication in that Embedded WebSphere Application Server
    For example,
    • ewas.admin.user.pwd=ewas_admin_pw
    • ewas.truststore.pwd=truststore_pw
  4. Save and close the fim.appservers.properties file

Applying the fix pack

  1. Unzip the file you downloaded in Downloading the fix pack, preferably into the default IBM WebSphere Update Installer's maintenance directory,
    C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance

    for Windows, or

    /opt/IBM/WebSphere/UpdateInstaller/maintenance

    for Unix/Linux.

  2. Ensure that the WebSphere Application Server that hosts the Federated Identity Manager runtime and management service component is running.
  3. Ensure that the WebSphere Application Server that hosts the Federated Identity Manager console component is running.
  4. Start the appropriate IBM WebSphere Update Installer (typically located in C:\Program Files\IBM\WebSphere\UpdateInstaller on Windows systems, or in /opt/IBM/WebSphere/UpdateInstaller on UNIX-based systems).
  5. In the Welcome window click Next. Federated Identity Manager is not listed, but is supported.
  6. Specify the path to the installation directory for Federated Identity Manager (typically C:\Program Files\IBM\FIM on Windows systems, or /opt/IBM/FIM on UNIX-based systems), then click Next.
  7. Select Install maintenance in the dialog.
  8. Specify the path where the fix pack (.pak) files were unzipped. The Update Installer automatically detects, enables, and displays the FIM fixes (pak files).
  9. Determine which product components are installed on the system that you are updating. You should install only the pak files that correspond to the components on the target system. To determine the names and version levels of the product components installed on the target system, view the contents of the FIM_INSTALL_DIR/etc/version.properties file with a text editor. The following list describes how to interpret the properties in the version.properties file:

    itfim.build.version.rte-mgmtsvcs=version
    Specifies that the management service and runtime component is installed at the level specified by version.
    itfim.build.version.mgmtcon=version
    Specifies that the administration console component is installed at the level specified by version.
    itfim.build.version.wsprov=version
    Specifies that the WS-provisioning runtime component is installed at the level specified by version.
    itfim.build.version.wssm=version
    Specifies that the Web services security management (WSSM) component is installed at the level specified by version.
    itfim.build.version.fimpi=version
    Specifies that the Web plug-in (either the Internet information services (IIS) Web plug-in or the Apache/IBM HTTP Server Web plug-in) is installed at the level specified by version.

    Apply the fix packs to the product's components in the following order:

    1. Management service and runtime and administration console
    2. Other components

    NOTE: If a domain is not created before application of Tivoli Federated Identity Manager fix pack, the fix pack installation completes successfully with a "Partially Successful" message.

  10. Compare the list of installed components to the list of pak files in the IBM WebSphere Update Installer and select the pak files that correspond to the installed components, then click Next.

    NOTE: The IBM WebSphere Update Installer allows you to select more than one pak file at a time for execution. Select only the pak files that correspond to the components that are installed on the system you are updating. If you accidentally install more pak files than are needed, you can separately uninstall any fix packs for components that are not installed on the target system.

  11. If needed (for example, if you need to install multiple pak files on the target system, and you only installed one pak file), repeat the previous step to install any additional pak files on the target system.
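Added example, not part of the fix pack or of IBM's tooling: a small pre-flight script for the two property files the procedures above read, fim.appservers.properties (the password properties required when was.security.enabled or ewas.security.enabled is true) and FIM_INSTALL_DIR/etc/version.properties (step 9, which components are installed and at what level). It assumes a plain key=value layout and uses only the property names cited in this README; the file contents embedded below are constructed samples.

```python
"""Pre-flight checks for fim.appservers.properties and version.properties.

Added example; not part of the IBM fix pack. Assumes Java-style key=value
properties (the layout shown in the README) and the property names the
README cites. Sample file contents are constructed for illustration.
"""
from __future__ import annotations

TARGET_LEVEL = "6.2.2.2"  # level every updated component should report

# Keys from the README's description of version.properties -> component name.
COMPONENTS = {
    "itfim.build.version.rte-mgmtsvcs": "Management service and runtime",
    "itfim.build.version.mgmtcon": "Administration console",
    "itfim.build.version.wsprov": "WS-provisioning runtime",
    "itfim.build.version.wssm": "Web services security management (WSSM)",
    "itfim.build.version.fimpi": "Web plug-in (IIS or Apache/IBM HTTP Server)",
}

# For each security flag, the two password properties the README requires.
PASSWORD_KEYS = {
    "was.security.enabled": ("was.admin.user.pwd", "was.truststore.pwd"),
    "ewas.security.enabled": ("ewas.admin.user.pwd", "ewas.truststore.pwd"),
}


def parse_properties(text: str) -> dict[str, str]:
    """Minimal .properties reader: key=value or key:value, '#'/'!' comments.
    Line continuations and escapes are not handled; these files do not use them."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # First '=' or ':' separates key from value (values may contain ':' in URLs).
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            continue
        sep = min(seps)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def missing_password_properties(props: dict[str, str]) -> list[str]:
    """Password keys the README requires that are absent or empty, based on
    which *.security.enabled flags are set to true."""
    missing: list[str] = []
    for flag, keys in PASSWORD_KEYS.items():
        if props.get(flag, "").lower() == "true":
            missing.extend(k for k in keys if not props.get(k))
    return missing


def installed_components(props: dict[str, str]) -> dict[str, str]:
    """Component name -> installed version, for each component key present.
    These are the components whose pak files should be selected in step 10."""
    return {name: props[key] for key, name in COMPONENTS.items() if key in props}


def components_not_at_level(props: dict[str, str], level: str = TARGET_LEVEL) -> list[str]:
    """Installed components whose version differs from the expected level; after the
    fix pack all of them should report 6.2.2.2, since mixed levels are unsupported."""
    return [name for name, ver in installed_components(props).items() if ver != level]


# Constructed sample: WAS security enabled, trust store password not yet added.
SAMPLE_APPSERVERS = """\
# fim.appservers.properties (constructed sample)
was.security.enabled=true
was.admin.user.pwd=was_admin_pw
ewas.security.enabled=false
"""

# Constructed sample: console already updated, runtime and WSSM still at 6.2.2.0.
SAMPLE_VERSION = """\
itfim.build.version.rte-mgmtsvcs=6.2.2.0
itfim.build.version.mgmtcon=6.2.2.2
itfim.build.version.wssm=6.2.2.0
"""

if __name__ == "__main__":
    app = parse_properties(SAMPLE_APPSERVERS)
    for key in missing_password_properties(app):
        print(f"fim.appservers.properties: required property {key} is missing")
    ver = parse_properties(SAMPLE_VERSION)
    for name, level in installed_components(ver).items():
        print(f"installed: {name} at {level}")
    for name in components_not_at_level(ver):
        print(f"not at {TARGET_LEVEL}: {name}")
```

Run it against the real files by replacing the constructed samples with the file contents; the functions do not write to either file.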

NOTE: If you are using the Kerberos Delegation STS module, you need to do the following to ensure the Kerberos Delegation DLL is not loaded in the Java Virtual Machine when it is replaced during runtime component deployment:

  1. Restart all the runtime nodes.
  2. Do not make any requests to the STS chain that invokes the Kerberos Delegation STS module.
  3. Deploy the runtime component. See Deploying the fix pack runtime component for details.

Deploying the fix pack runtime component

After you install the fix pack, redeploy the Tivoli Federated Identity Manager runtime. This task is identical to the deployment task you completed after the initial installation of the management service and runtime components. In a WebSphere cluster environment, you must ensure that the new runtime component is deployed to each WebSphere node.

The initial deployment steps are described in Creating and deploying a new domain in the Configuring Guide. The specific instructions for deploying the runtime begin in step 16.

NOTES:

  • You do not have to re-configure the runtime into Tivoli Access Manager. The Tivoli Access Manager configuration is retained when the fix pack is applied.
  • During redeployment of the runtime in a cluster environment, you might receive errors, such as, "ClassNotFoundException" in the WebSphere SystemOut.log files. Any such errors should stop after you restart the cluster.

Use the following procedure to deploy the updated Federated Identity Manager runtime:

  1. Log in to the administration console.
  2. Select Domain Management-> Runtime Node Management.
  3. Ensure that the new runtime (version 6.2.2.2) is displayed as available, then click Deploy Runtime.
  4. Wait for the deployment to finish by selecting Click to refresh runtime deployment status and check for completion...
  5. If the domain was not created before application of Tivoli Federated Identity Manager fix pack, click Publish Plug-ins.
  6. Verify that the currently deployed version is now 6.2.2.2 as follows:
    1. Navigate to the Runtime Node Management window.
    2. Look in the Runtime Management section of the Runtime Nodes portlet in the right panel and review the runtime information.
    3. Example:

      Runtime Information
      ----------------------------------------------
      Current deployed version 6.2.2.2 [120529a]

      NOTE: The number within the brackets [120529a] might be different from this example.

  7. Repeat the previous step for each node in a WebSphere cluster environment.

Restarting the ITFIMManagementService

  1. Log in to the Integrated Solutions Console.
  2. Select Applications -> WebSphere enterprise applications.
  3. Select ITFIMManagementService from the Enterprise Applications list.
  4. Click Stop.
  5. Select ITFIMManagementService in the Enterprise Applications list.
  6. Click Start.


Publish the fix pack plug-ins to the runtime and reload the configuration

After you install the fix pack and redeploy the Tivoli Federated Identity Manager runtime you must re-publish the plug-ins to the runtime and reload the configuration.

Use the following procedure to re-publish the plug-ins:

  1. Log in to the administration console.
  2. Select Domain Management -> Runtime Node Management.
  3. Click Publish Plugins.
  4. After the plug-ins are published, reload the runtime configuration.

Uninstalling the fix pack

If you want to return your installation to the state it was in before installing the fix pack, you can uninstall the fix pack.

  1. Ensure that the WebSphere Application Server that hosts the Federated Identity Manager runtime and management service component is running.
  2. Ensure that the WebSphere Application Server that hosts the Federated Identity Manager console component is running.
  3. Start the appropriate IBM WebSphere Update Installer (typically located in C:\Program Files\IBM\WebSphere\UpdateInstaller on Windows systems, or in the equivalent directory on UNIX-based systems)
  4. In the Welcome window, click Next. Tivoli Federated Identity Manager is not listed, but is supported.
  5. Specify the path to the installation directory for Tivoli Federated Identity Manager (typically C:\Program FIles\IBM\FIM on Windows systems, or the equivalent directory for UNIX-based systems), then click Next.
  6. Select Uninstall maintenance in the dialog.
  7. The Update Installer automatically removes the fix pack and restores the previously installed version of Federated Identity Manager.
  8. Verify the successful uninstallation of the fix pack:
    1. Log in to the administration console.
    2. In the Welcome window, verify that the version number is not 6.2.2.2 and corresponds to the software level on which you installed fix pack 2.

      For example, if you installed fix pack 2 onto a Federated Identity Manager 6.2.2.0 system, then after uninstalling fix pack 2 you would see the following:

      Suite Name Version
      ----------------------------------------------------------
      Tivoli Federated Identity Manager 6.2.2.0 [111110a]

  9. NOTE: If you are using the Kerberos Delegation STS module, you need to do the following to ensure the Kerberos Delegation DLL is not loaded in the Java Virtual Machine when it is replaced during runtime component deployment:

    1. Restart all the runtime nodes.
    2. Do not make any requests to the STS chain that invokes the Kerberos Delegation STS module.
    3. Deploy the runtime component. See Deploying the fix pack runtime component for details.
  10. Publish the plug-ins to the runtime and reload the configuration:
    1. Log in to the administration console.
    2. Select Domain Management -> Runtime Node Management.
    3. Click Publish Plugins.
    4. After the plug-ins are published, reload the runtime configuration.
  11. Redeploy the runtime for each domain:
    1. Log in to the administration console.
    2. Select Domain Management -> Runtime Node Management.
    3. Click Deploy Runtime.
    4. Wait for the deployment to finish by selecting Click to refresh runtime deployment status and check for completion...
  12. Verify that the currently deployed version is the version you had before installing the fix pack:
    1. In the administration console, navigate to the Runtime Node Management window.
    2. Look in the Runtime Management section of the Runtime Nodes portlet in the right panel. Review the Runtime Information.

      For example:

      Runtime Information
      ----------------------------------------------
      Current deployed version 6.2.2.0 [111110a]

  13. Repeat the previous step for each node in a WebSphere cluster environment.

Documentation updates

The product documentation for Federated Identity Manager, Version 6.2.2, can be found in the information center for IBM Tivoli Federated Identity Manager.


IBM TIVOLI FEDERATED IDENTITY MANAGER WEB PLUGIN UPDATES (IV17421)

Tivoli® Federated Identity Manager provides Web plug-ins for various HTTP web servers. The primary function of the plug-in is to extract the user identity information from the LTPA cookie in a web request. The plug-in also makes the identity information available to the target application hosted by the web server. The plug-in uses either HTTP headers or server variables, if supported by the web server.

This section covers the following topics:

  • About the Tivoli Federated Identity Manager Web plugin updates
  • Contents
  • Prerequisites and requirements
  • Known issue with workaround
  • Known limitation
  • Installing the IBM Tivoli Federated Identity Manager, 6.2.2, WebPI on specific platforms
  • Other Setup and Configuration
  • Uninstalling the IBM Tivoli Federated Identity Manager, 6.2.2, WebPI on specific platforms

About Tivoli Federated Identity Manager Web plugin updates

The IBM® Tivoli Federated Identity Manager 6.2.2 fix pack 2 ships with updated Tivoli Federated Identity Manager plug-ins which were tested with current versions of the HTTP servers and operating systems.

Contents

This technote details the following information about the updated Tivoli Federated Identity Manager plug-ins:
  • Support for new platforms
  • Support for new HTTP server versions
  • Workaround for installing IBM Tivoli Federated Identity Manager 6.2.2 fix pack 2 on Windows Server 2008
  • Instructions for installing the IBM Tivoli Federated Identity Manager, 6.2.2, WebPI fix pack
  • Instructions for configuring the IBM Tivoli Federated Identity Manager Web plug-in Custom LTPA Cookie Name
  • Instructions for uninstalling the IBM Tivoli Federated Identity Manager, 6.2.2, WebPI fix pack

Prerequisites and requirements

Install the following prerequisites before you use the updated IBM Tivoli Federated Identity Manager plug-ins:
  • For Windows: Microsoft Visual C++ version 10.0 Redistributable package
The updated IBM Tivoli Federated Identity Manager plug-ins were tested with the following operating systems and software combinations:
  • IIS 6.0 on Windows Server 2003 (32 bit)
  • IIS 7.0 on Windows Server 2008 (32 bit and 64 bit)
  • IIS 7.5 on Windows Server 2008 R2 (32 bit* and 64 bit)
  • Apache 2.0 on Linux (32 bit)
  • Apache 2.2 on Linux (32 bit and 64 bit)
  • IBM HTTP Server 6.1 on Linux (32 bit)
  • IBM HTTP Server 7.0 on Linux (32 bit)
  • IBM HTTP Server 8.0 on Linux (32 bit and 64 bit)
NOTE: * Denotes compatibility mode.

Known issue with workaround

Issue: The IBM Tivoli Federated Identity Manager 6.2.2 GA installer cannot install the IIS plug-in on Windows Server 2008.

Description: In the IBM Tivoli Federated Identity Manager 6.2.2 GA version, the IIS plug-in can be installed only on Windows Server 2003, and cannot be installed on Windows Server 2008. This is an issue when trying to install the Web plug-ins for Windows Server 2008 because the GA installer cannot install the Web plug-ins. An IBM Tivoli Federated Identity Manager component must be installed before installing any fix pack package.

Workaround: Install a lightweight IBM Tivoli Federated Identity Manager component such as Web Services Security Management. Then, use the Update Installer to install the web plug-in fix pack package.

Known limitation

LTPA Cookie name

Tivoli Federated Identity Manager 6.2.2 fix pack 2 introduced the ability to modify the name of the LTPA cookie that the Web plug-ins can process.

The LTPA Cookie Name cannot be modified from the Tivoli Federated Identity Manager console.

It can be modified only in the itfimwebpi.xml file.

Installing the IBM Tivoli Federated Identity Manager, 6.2.2, WebPI fix pack on specific platforms

For x86 Linux
NOTE: All the instances of $FIMInstallLocation in this section refer to the standard location of the Tivoli Federated Identity Manager 6.2.2 files in your directory.
  1. Back up the existing $FIMInstallLocation/webpi directory.
  2. Remove any files in the $FIMInstallLocation/webpi directory.
  3. Install the WebSphere® Application Server Update Installer utility for x86 Linux.
  4. Run the Update Installer.
  5. Select 6.2.2-TIV-TFIM-FP0002-WebPlugin.pak.
  6. Install GSKit. In the command line, type:
    rpm -ivh /opt/IBM/FIM/webpi/x86_linux_2/gskit-installer/gsk7bas-7.0-4.38.i386.rpm
  7. Migrate the itfimwebpi.xml configuration from the $FIMInstallLocation/webpi directory that you backed up, to the $FIMInstallLocation/webpi/x86_linux_2/etc/ directory.
  8. Copy the ltpa.keys file to the $FIMInstallLocation/webpi/x86_linux_2/etc directory.
  9. Reconfigure the HTTP Server to use the new plug-in binary. Add or modify the following line for the appropriate HTTP servers:
    apache20: LoadModule fimwebpi_module /opt/IBM/FIM/webpi/x86_linux_2/lib/libitfimwebpi-apache20.so
    apache22: LoadModule fimwebpi_module /opt/IBM/FIM/webpi/x86_linux_2/lib/libitfimwebpi-apache22.so
    IHS 6.0: LoadModule fimwebpi_module /opt/IBM/FIM/webpi/x86_linux_2/lib/libitfimwebpi-apache20.so
    IHS 7.0: LoadModule fimwebpi_module /opt/IBM/FIM/webpi/x86_linux_2/lib/libitfimwebpi-apache22.so
    IHS 8.0: LoadModule fimwebpi_module /opt/IBM/FIM/webpi/x86_linux_2/lib/libitfimwebpi-apache22.so
  10. Add the following environment variables permanently to the shell environment of the current user.
    export LD_LIBRARY_PATH=/opt/IBM/FIM/webpi/x86_linux_2/lib
    export ITFIMWEBPI=/opt/IBM/FIM/webpi/x86_linux_2
  11. Restart the web server.

For x86 Windows
NOTE: All the instances of $FIMInstallLocation in this section refer to the standard location of the Tivoli Federated Identity Manager 6.2.2 files in your directory.
  1. Back up the existing $FIMInstallLocation\webpi directory.
  2. Remove any files in the $FIMInstallLocation\webpi directory.
  3. Install the WebSphere Application Server Update Installer utility for x86 Windows.
    NOTE: For Windows Server 2008, install a Tivoli Federated Identity Manager component in the $FIMInstallLocation directory so that the Update Installer can allow the fix pack installation.
  4. Run the Update Installer utility.
  5. Select 6.2.2-TIV-TFIM-FP0002-WebPlugin.pak.
  6. Install GSKit. In the command line, type:
    C:\Program Files\IBM\FIM\webpi\x86_nt_4\gskit-installer>setup.exe setup.iss
  7. Migrate the itfimwebpi.xml configuration from the $FIMInstallLocation directory that you backed up to the $FIMInstallLocation\webpi\x86_nt_4\etc directory.
  8. Copy the ltpa.keys file to the $FIMInstallLocation\webpi\x86_nt_4\etc directory.
  9. Configure IIS to use the Tivoli Federated Identity Manager Web plug-ins ISAPI filter.
    • For IIS 6, run the following commands. The first command lists the web server IDs to be used in the configuration script:
      C:\Program Files\IBM\FIM\webpi\x86_nt_4\bin>cscript.exe /nologo fimpiiiscfg.vbs -action list-webservers
      C:\Program Files\IBM\FIM\webpi\x86_nt_4\bin>cscript.exe /nologo fimpiiiscfg.vbs -action config -path "c:\Program Files\IBM\FIM\webpi\x86_nt_4" -webserver <web-server-id>
    • For IIS 7.x, run the following command:
      C:\Windows\System32\inetsrv>appcmd.exe set config "Default Web Site" -section:system.webServer/isapiFilters /+"[name='ITFIMWEBPI',path='C:\Program Files\IBM\FIM\webpi\x86_nt_4\bin\itfimwebpi-iis.dll',enabled='True',enableCache='True']" /commit:apphost
  10. Install any additional prerequisites.
    In this case, install the following Microsoft Visual C++ Redistributable packages:
    • Microsoft Visual C++ 2010 Redistributable Package (x86): http://www.microsoft.com/download/en/details.aspx?id=5555
  11. Set the environment variable for the Operating System. Select My Computer > Properties > Environment Variables.
    ITFIMWEBPI=c:\Program Files\IBM\FIM\webpi\x86_nt_4
  12. Add C:\Program Files\IBM\gsk7\lib to the path.
  13. Restart the system and the web server.

For x64 Linux
NOTE: All the instances of $FIMInstallLocation in this section refer to the standard location of the Tivoli Federated Identity Manager 6.2.2 files in your directory.
  1. Back up the existing $FIMInstallLocation/webpi directory.
  2. Remove any files in the $FIMInstallLocation/webpi directory.
  3. Install WebSphere Application Server Update Installer utility for x64 Linux.
  4. Run the Update Installer.
  5. Select 6.2.2-TIV-TFIM-FP0002-WebPlugin.pak.
  6. Install GSKit. On the command line, type:
    rpm -ivh /opt/IBM/FIM/webpi/amd64_linux_2/gskit-installer/gsk7bas64-7.0-4.38.x86_64.rpm
  7. Migrate the itfimwebpi.xml configuration from the $FIMInstallLocation/webpi directory that you backed up, to the $FIMInstallLocation/webpi/x64_linux_2/etc/ directory.
  8. Copy the ltpa.keys file to the $FIMInstallLocation/webpi/x64_linux_2/etc directory.
  9. Reconfigure the HTTP Server to use the new plug-in binary. Add or modify the following line for the appropriate HTTP servers:
    apache22: LoadModule fimwebpi_module /opt/IBM/FIM/webpi/amd64_linux_2/lib/libitfimwebpi-apache22.so
    IHS 7.0: LoadModule fimwebpi_module /opt/IBM/FIM/webpi/amd64_linux_2/lib/libitfimwebpi-apache22.so
    IHS 8.0: LoadModule fimwebpi_module /opt/IBM/FIM/webpi/amd64_linux_2/lib/libitfimwebpi-apache22.so
  10. Add the following environment variables permanently to the shell environment of the current user:
    export LD_LIBRARY_PATH=/opt/IBM/FIM/webpi/amd64_linux_2/lib
    export ITFIMWEBPI=/opt/IBM/FIM/webpi/amd64_linux_2
  11. Restart the web server.

For x64 Windows
NOTE: All the instances of $FIMInstallLocation in this section refer to the standard location of the Tivoli Federated Identity Manager 6.2.2 files in your directory.
  1. Back up the existing $FIMInstallLocation\webpi directory.
  2. Remove any files in the $FIMInstallLocation\webpi directory.
  3. Install WebSphere Application Server Update Installer utility for x64 Windows.
    NOTE: For Windows Server 2008, install a Tivoli Federated Identity Manager component in the $FIMInstallLocation directory so that the Update Installer can allow the fix pack installation.
  4. Run the Update Installer.
  5. Select 6.2.2-TIV-TFIM-FP0002-WebPlugin.pak.
  6. Install GSKit. Execute the following command:
    C:\Program Files (x86)\IBM\FIM\webpi\x86_64_nt_4\gskit-installer>GSK7BAS_64.msi
  7. Migrate the itfimwebpi.xml configuration from the $FIMInstallLocation directory that you backed up to the $FIMInstallLocation\webpi\x86_64_nt_4\etc directory.
  8. Copy the ltpa.keys file to the $FIMInstallLocation\webpi\x86_64_nt_4\etc directory.
  9. Configure IIS to use the Tivoli Federated Identity Manager Web plug-ins ISAPI filter. Run the following commands:
    C:\Windows\System32\inetsrv>appcmd.exe set config -section:system.webServer/isapiFilters /+"[name='ITFIMWEBPI',path='C:\Program Files (x86)\IBM\FIM\webpi\x86_64_nt_4\bin\itfimwebpi-iis.dll',enabled='True',enableCache='True']" /commit:apphost
  10. Install any additional prerequisites.
    In this case, install the following Microsoft Visual C++ Redistributable packages:
    • Microsoft Visual C++ 2010 Redistributable Package (x64): http://www.microsoft.com/download/en/details.aspx?id=14632
  11. Set the environment variable for the Operating System. Select My Computer > Properties > Environment Variables.
    ITFIMWEBPI=C:\Program Files (x86)\IBM\FIM\webpi\x86_64_nt_4
  12. Add C:\Program Files\IBM\GSK7_64\lib64 to the path.
  13. Restart the system and the web server.

Other Setup and Configuration

Tivoli Federated Identity Manager Web plug-ins Custom LTPA Cookie Name

Configure the name of the cookie containing the LTPA token in FIM WebPI. The WebPI uses the default value LtpaToken2 when a custom name is not provided.
  1. Update the itfimwebpi.xml.template file with a new attribute in the LTPAConfiguration element called ltpaCookieName. For example:
    <pi:LTPAConfiguration id="uuid-6cd36543-3404-42fg-8314-0800200c9a66" ltpaPassword="@@LTPA_PASSWORD@@" ltpaCookieName="LtpaToken2"/>
  2. Modify the custom LTPA cookie name in a text editor.

Uninstalling the IBM Tivoli Federated Identity Manager, 6.2.2, WebPI fix pack on specific platforms

NOTE: All the instances of $FIMInstallLocation in this section refer to the standard location of the Tivoli Federated Identity Manager 6.2.2 files in your directory.
For x86 Linux
  1. Stop the web server.
  2. Use the IBM WebSphere Update Installer to uninstall the Web plug-ins.

    The Web plug-in files are removed from the $FIMInstallLocation directory.

  3. Modify the web server configuration files. Find and remove any of the following instances:
    • For Apache22 based server: LoadModule fimwebpi_module $FIMInstallLocation/$CONTEXT/lib/libitfimwebpi-apache22.so
    • For Apache20 based server: LoadModule fimwebpi_module $FIMInstallLocation/$CONTEXT/lib/libitfimwebpi-apache20.so
  4. Unset or modify the LD_LIBRARY_PATH so that it does not contain the path where the Tivoli Federated Identity Manager 6.2.2 fix pack 2 Web plug-ins were installed.
  5. Unset the ITFIMWEBPI environment variable.

For x86 Windows

Before running the update installer to uninstall the Web plug-in fix pack, do the following steps to remove the Web plug-in fix pack configurations.
  1. Run the unconfigure script or command:
    • For IIS 6.0
      cd "C:\Program Files\IBM\FIM\webpi\x86_nt_4\bin"
      cscript.exe /nologo "C:\Program Files\IBM\FIM\webpi\x86_nt_4\bin\fimpiiiscfg.vbs" -action unconfig
    • For IIS 7.x
      C:\Windows\System32\inetsrv>appcmd.exe set config "Default Web Site" -section:system.webServer/isapiFilters /-"[name='ITFIMWEBPI',path='C:\Program Files\IBM\FIM\webpi\x86_nt_4\bin\itfimwebpi-iis.dll',enabled='True',enableCache='True']" /commit:apphost
  2. Uninstall the Microsoft Visual C++ redistributable.
  3. Delete the ITFIMWEBPI environment variable.
  4. Delete the GSKit library path from the path env variable.
For x64 Linux
NOTE: All the instances of $FIMInstallLocation in this section refer to the standard location of the Tivoli Federated Identity Manager 6.2.2 files in your directory.
  1. Stop the web server.
  2. Use the IBM WebSphere Update Installer to uninstall the Web plug-ins.

    The Web plug-in files are removed from the $FIMInstallLocation directory.

  3. Modify the web server configuration files. Find and remove any of the following instances:
    • For Apache22 based server: LoadModule fimwebpi_module $FIMInstallLocation/$CONTEXT/lib/libitfimwebpi-apache22.so
    • For Apache20 based server: LoadModule fimwebpi_module $FIMInstallLocation/$CONTEXT/lib/libitfimwebpi-apache20.so
  4. Unset or modify the LD_LIBRARY_PATH so that it does not contain the path where the Tivoli Federated Identity Manager 6.2.2 fix pack 2 Web plug-ins were installed.
  5. Unset the ITFIMWEBPI environment variable.
For x64 Windows
  1. Run the unconfigure command:
    C:\Windows\System32\inetsrv>appcmd.exe set config "Default Web Site" -section:system.webServer/isapiFilters /-"[name='ITFIMWEBPI',path='C:\Program Files (x86)\IBM\FIM\webpi\x86_64_nt_4\bin\itfimwebpi-iis.dll',enabled='True',enableCache='True']" /commit:apphost
  2. Uninstall the Microsoft Visual C++ redistributable.
  3. Delete the ITFIMWEBPI environment variable.
  4. Delete the GSKit library path from the path env variable.

JAVASCRIPT MAPPING RULE VALIDATION

Problem

When you use the Tivoli® Federated Identity Manager console or command line to import a JavaScript mapping rule, an empty Security Token Service Universal User (STSUU) is used as an input to validate the JavaScript.

Symptom

Validating the JavaScript using an empty STSUU input can cause problems. Problems occur when the JavaScript rule throws exceptions in cases that never arise in the real federation runtime flow, but do arise when the empty STSUU is passed to the rule during validation.

Cause

If the JavaScript mapping rule throws an exception during validation, the Tivoli Federated Identity Manager console rejects it as bad syntax and does not load it.

Diagnosing the problem

When you use the Tivoli Federated Identity Manager console or command line to import a JavaScript mapping rule, the software runs basic JavaScript validation. The JavaScript validation process prevents the upload of a mapping rule with an invalid syntax.

Tivoli Federated Identity Manager validates the JavaScript mapping rule with the JavaScript engine, which executes the mapping rule. JavaScript mapping rules have three context variables which can be accessed by name. The names correspond to Java objects, which are elements of a WS-Trust request. The names are also available in the STSModule interface seen by pure Java mapping rule developers. The three context variables, which come from the invoke method of the STSModule interface, are:
  • stsuu – The Java STSUniversalUser object returned from STSResponse.getSTSUniversalUser().
  • stsrequest – The Java STSRequest object from the invoke method.
  • stsresponse – The STSResponse object from the invoke method.
When you run the JavaScript mapping rule at run time, the context variables are populated with real data based on the following factors:
  • The request made to the Security Token Service (STS).
  • Any other STS modules that were executed in the chain before your mapping module.

When the Tivoli Federated Identity Manager console or command line validates the mapping rule, no real request exists. The variables are then populated with empty objects.

Your mapping rule might use conditional statements. The conditional statements make sense during real runtime operations, but do not work properly when empty objects are passed to it during validation.

The following sample JavaScript mapping rule illustrates the problem:
importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);

// Throw an STS exception if the STSUU does not contain an attribute I am expecting.
// During console or command-line validation the STSUU is empty, so this branch
// always runs and the rule is rejected as bad syntax.
var attrvalue = stsuu.getAttributeValueByName("myattr");
if (attrvalue == null) {
    IDMappingExtUtils.throwSTSException('missing attribute');
}

Resolving the problem

As a workaround, create an empty-object-aware JavaScript rule to prevent it from throwing exceptions when it detects the empty STSUU.

Build into the rule itself a mechanism that detects the validation sequence and does not terminate with an exception when the rule is operating on empty objects.

The detection code varies depending on the assumptions you can make about request objects in your runtime flow. For example, an STSUU typically contains one or more attributes in the Principal, AttributeList, or ContextAttributes sections of the STSUU.

If it does not contain any attributes, it is an empty STSUU.

To skip further rule execution using the workaround, author your JavaScript mapping rule using the following pattern:
importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);

// An STSUU with no Principal, AttributeList or ContextAttributes entries is the
// empty object the console passes during validation, not a real request.
var isEmptySTSUU = (
    (stsuu.getPrincipalAttributeContainer().getNumberOfAttributes() == 0) &&
    (stsuu.getAttributeContainer().getNumberOfAttributes() == 0) &&
    (stsuu.getContextAttributesAttributeContainer().getNumberOfAttributes() == 0));
if (!isEmptySTSUU) {
    // rest of your normal runtime mapping rule logic goes here
    .......
}
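The following is an added, stand-alone illustration of the workaround above; it is not code from the fix pack README and does not use the real Tivoli Federated Identity Manager runtime. The stsuu object and IDMappingExtUtils are constructed stand-ins (plain Node.js objects) that expose only the method names the page uses, so the same control flow can be exercised against an empty validation-time STSUU and against populated runtime STSUUs. Section names, the myattr attribute and the 'missing attribute' message are taken from the page; the sample principal and attribute values are constructed.

```javascript
'use strict';

// Constructed stand-in for an STSUU attribute container. The real objects are
// Java; only the two methods the page's mapping rules call are modelled.
function attributeContainer(attrs) {
  const map = new Map(Object.entries(attrs || {}));
  return {
    getNumberOfAttributes: () => map.size,
    // Returns null when the attribute is absent, matching the page's null check.
    getAttributeValueByName: (name) => (map.has(name) ? map.get(name) : null),
  };
}

// Constructed stand-in for STSUniversalUser with the three sections the page
// names: Principal, AttributeList and ContextAttributes.
function makeSTSUU({ principal = {}, attributes = {}, context = {} } = {}) {
  const principalC = attributeContainer(principal);
  const attrC = attributeContainer(attributes);
  const ctxC = attributeContainer(context);
  return {
    getPrincipalAttributeContainer: () => principalC,
    getAttributeContainer: () => attrC,
    getContextAttributesAttributeContainer: () => ctxC,
    // Used by the page's first sample rule; looks in the AttributeList section.
    getAttributeValueByName: (name) => attrC.getAttributeValueByName(name),
  };
}

// Stand-in for IDMappingExtUtils.throwSTSException: the console treats an
// exception raised during validation as bad syntax and rejects the rule.
class STSException extends Error {}
const IDMappingExtUtils = {
  throwSTSException(msg) { throw new STSException(msg); },
};

// The page's detection predicate: all three sections empty means the rule is
// being exercised by console/command-line validation, not by a real request.
function isEmptySTSUU(stsuu) {
  return stsuu.getPrincipalAttributeContainer().getNumberOfAttributes() === 0 &&
         stsuu.getAttributeContainer().getNumberOfAttributes() === 0 &&
         stsuu.getContextAttributesAttributeContainer().getNumberOfAttributes() === 0;
}

// Empty-object-aware version of the page's "missing attribute" rule. It returns
// a small result object so the outcome of each run can be inspected.
function mappingRule(stsuu) {
  if (isEmptySTSUU(stsuu)) {
    // Validation pass: nothing to map, and nothing to reject.
    return { validated: true, mapped: false };
  }
  // Real runtime flow: the strict attribute requirement still applies.
  const attrvalue = stsuu.getAttributeValueByName('myattr');
  if (attrvalue === null) {
    IDMappingExtUtils.throwSTSException('missing attribute');
  }
  return { validated: false, mapped: true, myattr: attrvalue };
}

// Exercise the rule the way the console (empty STSUU) and the STS runtime
// (populated STSUU) would. All STSUU contents below are constructed samples.
function scenarios() {
  const results = {};
  results.validation = mappingRule(makeSTSUU());
  results.runtimeOk = mappingRule(makeSTSUU({
    principal: { name: 'alice' },
    attributes: { myattr: 'gold' },
  }));
  try {
    mappingRule(makeSTSUU({ principal: { name: 'bob' } })); // myattr absent
    results.runtimeMissing = 'no exception';
  } catch (e) {
    results.runtimeMissing = e instanceof STSException ? e.message : 'other error';
  }
  return results;
}

console.log(scenarios());
```

The point of the split is that the validation guard only suppresses the exception for the all-empty object; a runtime request that is merely missing the expected attribute still fails with the STS exception, so the workaround does not weaken the rule's checks.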

FIXES FOR OAUTH (IV17609)

OAuth authentication macros are now available in IBM Tivoli Federated Identity Manager, version 6.2.2, fix pack 2.

IBM® Tivoli® Federated Identity Manager supplies contextual authentication parameters in customizing login forms.

When using WebSEAL as the point of contact server, these are query-string parameters to the login page.

For WebSphere Application Server, they are in the WASReqURL cookie when the login page is loaded. The parameters are macros in the configuration of the authentication callback for the point of contact server profile.

NOTE: When you use the WebSphere point of contact, the value of the query string parameter needs to be URL decoded twice.

The OAuth 1.0 and 2.0 authorization endpoints in IBM® Tivoli® Federated Identity Manager, version 6.2.2, fix pack 2, now support OAuth parameters in the HTTP POST body.

NOTE: The Tivoli Access Manager configuration utility was modified to attach an unauthenticated ACL to the authorization endpoints instead of an authenticated ACL.

If you have existing OAuth federations that use Tivoli Access Manager WebSEAL as their point of contact that were created with an earlier version (before IBM Tivoli® Federated Identity Manager 6.2.2 fix pack 2), rerun the Tivoli Access Manager configuration utility after updating to IBM Tivoli® Federated Identity Manager 6.2.2 fix pack 2.

OAuth protocol supported macros for customizing an authentication login form

The following table, which indicates how an OAuth federation populates the authentication macros, is added to the Supported macros for customizing an authentication login form section of the Configuration Guide.

Macro          Query-String Parameter Name   Description and value
-------------  ----------------------------  ------------------------------------------------------------------------------------------------------
%FEDID%        FedId                         A unique identifier (UUID) used internally by Tivoli Federated Identity Manager to identify the federation.
%FEDNAME%      FedName                       The user-assigned name of the federation.
%PARTNERID%    PartnerId                     The OAuth unique client identifier.
%TARGET%       Target                        The OAuth client redirection URI.
%SSOREQUEST%   SSORequest                    A base-64 encoded string representing the query and body parameters from the OAuth request.

FIM FSSO AND WSSM CANNOT BE INSTALLED ON THE SAME WAS (IV19846)

Use the following documentation updates for the corresponding IBM® Tivoli® Federated Identity Manager versions:

  • Updates in the IBM Tivoli Federated Identity Manager version 6.2.0 documentation
  • Updates in the IBM Tivoli Federated Identity Manager version 6.2.1 and 6.2.2 documentation

Updates in the IBM Tivoli Federated Identity Manager version 6.2.0 documentation

In the IBM Tivoli Federated Identity Manager Web Service Security Management Configuration Guide, under the Configuring WebSphere Application Server section, add a subsection that describes methods to associate the shared library with web service applications after the Configuring for a Cluster Environment section. See the following instructions:

Associating a shared library

Associate the shared library with web service provider and requester applications before the shared library can be used by these applications. Use any of the following methods:
  • Associating a shared library with an application.
  • Associating a shared library with a server.

Associating a shared library with an application

This method associates the shared library with a specified application. All the applications that use the shared library must follow this procedure:
NOTE: You must use the administrative console associated with the application server where the Web services security management component is installed.
  1. Select Applications > Enterprise Applications > application_name > Shared library references in the console navigation to access the Shared library references page.
  2. In the Shared library references page, select an application or module that you want to associate with the shared library.
  3. Select Reference shared libraries.
  4. In the Shared Library Mapping page, select the ITFIM_WSSM shared library from the Available list.
  5. Click >> to add the ITFIM_WSSM shared library to the selected list.
  6. Click OK.
  7. In the Shared library references page, click OK.
  8. Save the configuration changes.

Associating a shared library with a server

NOTE: In the IBM Tivoli Federated Identity Manager Web Service Security Management Configuration Guide, under the section Configuring WebSphere Application Server, move the Configuring the Class Loader subsection under the Associating Shared Library subsection as the second subsection.

See the following content changes:

Associate the shared library with a specified server. The shared library is associated with all the applications in the server.

NOTE: Do not use this method if Federated Single Sign On is configured in the same WebSphere Application Server.
  1. Start the WebSphere Application Server administrative console.
  2. Log in, if necessary.
    NOTE: You must use the administrative console associated with the application server where the Web Services Security Management component is installed.
  3. Select Servers > Application Servers.
  4. Select the server associated with your application. For example, server1.
  5. In the Server Infrastructure pane, expand Java and Process Management option.
  6. Click Class loader.
  7. Click New.
  8. Do not change any options.
  9. Click Apply.
  10. In the Additional Properties pane, select Shared Library references.
  11. Click Add to specify a shared library.
  12. In the Library name field, select the ITFIM_WSSM shared library previously defined.
  13. Click OK.
  14. In the Messages pane at the top of the Application Servers window, click Save to commit your changes.

Updates in the IBM Tivoli Federated Identity Manager version 6.2.1 and 6.2.2 documentation

In the IBM Tivoli Federated Identity Manager Web Service Security Management Configuration Guide, under the section Configuring WebSphere Application Server, the fifth step to configure WebSphere Application Server is changed into: You must associate the shared library with web service provider and requester applications before the shared library can be used by these applications.

About this task

In the IBM Tivoli Federated Identity Manager Web Service Security Management Configuration Guide, under the section Configuring WebSphere Application Server, a subsection that describes methods to associate the shared library with web service applications is added right after the section Configuring for a Cluster Environment. See the following instructions:

Associating a shared library

You must associate the shared library with web service provider and requester applications before the shared library can be used by these applications. Use any of the following methods:
  • Associating a shared library with an application.
  • Associating a shared library with a server.
NOTE: Add a subsection that describes the method to associate the shared library with a web service application. See the following section for details:

Associating a shared library with an application

This method associates the shared library with a specified application. All the applications that use the shared library must follow this procedure:
  1. Start the WebSphere Application Server administrative console.
  2. Log in, if necessary.
    NOTE: You must use the administrative console associated with the application server where the Web Services Security Management component is installed.
  3. Select Applications > Enterprise Applications > application_name > Shared library references from the console navigation tree to access the Shared library references page.
  4. In the Shared library references page, select an application or module that you want to associate with the shared library.
  5. Select Reference shared libraries.
  6. In the Shared Library Mapping page, select the ITFIM_WSSM shared library from the Available list.
  7. Click >> to add them to the selected list.
  8. Click OK.
  9. In the Shared library references page, click OK.
  10. Save the configuration changes.

Associating a shared library with a server

NOTE: In the IBM Tivoli Federated Identity Manager Web Service Security Management Configuration Guide, under the section Configuring WebSphere Application Server, move the Configuring the Class Loader subsection under the Associating shared library with an application section as the second subsection. See the following instructions for details:

Associate the shared library with a specified server. The shared library is associated with all the applications in the server.

NOTE: Do not use this method if Federated Single Sign On is configured in the same WebSphere Application Server.
  1. Start the WebSphere Application Server administrative console.
  2. Log in, if necessary.
    NOTE: You must use the administrative console associated with the application server where the Web Services Security Management component is installed.
  3. Select Servers > Application Servers.
  4. Select the server associated with your application. For example, server1.
  5. In the Server Infrastructure pane, expand the Java and Process Management option.
  6. Click Class loader.
  7. Click New.
  8. Do not change any of the options.
  9. Click Apply.
  10. In the Additional Properties pane, select Shared Library references.
  11. Click Add to specify a shared library.
  12. In the Library name field, select the ITFIM_WSSM shared library previously defined.
  13. Click OK.
  14. In the Messages pane at the top of the Application Servers window, click Save to commit your changes.

INCORRECT ONLINE DOCUMENT FOR THE INSTALLATION NEEDS TO BE CHANGED (IV19850)

There was an error in the command value used for installing the Tivoli Federated Identity Manager, version 6.2.2 Web Services Security Management feature.

Replace the installation command note in the following sections of the Tivoli Federated Identity Manager, version 6.2.2 Installation Guide:

  • Installing federated single sign-on or token exchange > Installing the federated single sign-on feature > Installing federated single sign-on on an existing WebSphere Application Server
  • Installing Web services security management > Installing the Web services security management feature
  • Installing federated provisioning > Installing WS-Provisioning runtime
  • Installing the management console > Installing the management console
  • Installing the IBM Support Assistant

with the following:

    NOTE: The installation is designed so that the WebSphere® Application Server deployment can listen on localhost. If it does not listen on localhost, use the parameter websphereProperties.adminClientConnectorHost on the installation command to specify the host name. For example, on Linux:

    ./install_linux_x86.bin -W websphereProperties.adminClientConnectorHost=<hostname>

    ENABLING THE AUTHENTICATING AUTHORITY ATTRIBUTE (IV17409)

    The AuthenticatingAuthority attribute is a unique identifier that determines the authenticating authority involved in the authentication of the principal.

    An example of an authenticating authority is WebSEAL. For scenarios where you might have multiple authenticating authorities, this feature helps in identifying the specific authentication authority that authenticated the principal. Service providers can then use this information to carry out different actions.

    To enable this capability, you must add the following STSUUSER attribute:

    • Name: AuthenticatingAuthority
    • Type:urn:oasis:names:tc:SAML:2.0:assertion
    You must add this attribute in the mapping module of the Identity Provider. You can use one of the supported mapping rules such as XSL, Tivoli Directory Integrator (TDI), JavaScript, and custom map module.

    Insert the AuthenticatingAuthority attribute in the mapping rule as shown in the examples.

    JavaScript example:

    importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);

    ...

    // Example of adding the AuthenticatingAuthority for SAML 2.0.
    // Attribute(name, type, value): the value identifies the authority (for
    // example a WebSEAL instance) that authenticated the principal and is
    // emitted as the AuthenticatingAuthority subelement of AuthnContext.
    var authenticatingAuthorityAttr = new Attribute("AuthenticatingAuthority",
        "urn:oasis:names:tc:SAML:2.0:assertion", "https://idp.example.com");
    stsuu.addAttribute(authenticatingAuthorityAttr);

    XSL example:
    <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
        xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser"
        xmlns:mapping-ext="com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils"
        extension-element-prefixes="mapping-ext" version="1.0">
    <xsl:strip-space elements="*"/>
    <xsl:output method="xml" version="1.0" encoding="utf-8" indent="yes"/>
    ...
    <xsl:template match="//stsuuser:AttributeList">
      <stsuuser:AttributeList>
        <!-- Example of adding the authenticating authority attribute -->
        <stsuuser:Attribute name="AuthenticatingAuthority"
            type="urn:oasis:names:tc:SAML:2.0:assertion">
          <stsuuser:Value>https://idp.example.com</stsuuser:Value>
        </stsuuser:Attribute>
      </stsuuser:AttributeList>
    </xsl:template>
    ...
    </xsl:stylesheet>

    When the AuthenticatingAuthority subelement is available in the AuthnContext element of the SAML 2.0 assertion, the following STSUUSER attribute is available at the Service Provider:

    <stsuuser:Attribute name="AuthenticatingAuthority"
        type="urn:oasis:names:tc:SAML:2.0:assertion">
      <stsuuser:Value>https://idp.example.com</stsuuser:Value>
    </stsuuser:Attribute>

    After obtaining information from this attribute, service providers can then perform any required actions.
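    How the attribute is surfaced at the Service Provider, as an added example that is not TFIM code: it reads the AuthenticatingAuthority subelements from a constructed SAML 2.0 assertion, builds the STSUUSER attribute shown above, and checks the authority against a list the SP trusts. The stsuuser namespace URI, the trusted list and the assertion are assumptions of the example.

```python
"""Surface AuthenticatingAuthority at the Service Provider: read it from the
assertion's AuthnContext and build the STSUUSER attribute described above.
Added illustration of the documented behaviour, not TFIM code."""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
STSUU = "urn:ibm:names:ITFIM:1.0:stsuuser"   # STSUUSER namespace (assumed here)

# Constructed assertion fragment (unsigned, illustration only): one
# AuthnStatement whose AuthnContext names the authority that authenticated
# the user. Use this attribute only after the signature has been validated.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2}" ID="_constructed-id"
    Version="2.0" IssueInstant="2012-07-03T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2012-07-03T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      <saml:AuthenticatingAuthority>https://webseal-a.example.com</saml:AuthenticatingAuthority>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def authenticating_authorities(assertion_xml):
    """Return every AuthenticatingAuthority value in document order.
    SAML 2.0 allows zero or more per AuthnContext, so this is a list."""
    root = ET.fromstring(assertion_xml)
    path = (f"{{{SAML2}}}AuthnStatement/{{{SAML2}}}AuthnContext/"
            f"{{{SAML2}}}AuthenticatingAuthority")
    return [(e.text or "").strip() for e in root.findall(path)]


def stsuu_attribute(authorities):
    """Build the stsuuser:Attribute the SP mapping rule sees (one stsuuser:Value
    per authority); None when the assertion carries no AuthenticatingAuthority,
    so a caller cannot mistake 'absent' for 'empty string'."""
    if not authorities:
        return None
    attr = ET.Element(f"{{{STSUU}}}Attribute",
                      {"name": "AuthenticatingAuthority", "type": SAML2})
    for authority in authorities:
        ET.SubElement(attr, f"{{{STSUU}}}Value").text = authority
    return attr


def authority_trusted(authorities, trusted):
    """SP-side decision on the attribute: accept only when the assertion names at
    least one authority and every one of them is on the SP's trusted list
    (an assumed policy; the page leaves the action up to the service provider)."""
    return bool(authorities) and all(a in trusted for a in authorities)


if __name__ == "__main__":
    found = authenticating_authorities(SAMPLE_ASSERTION)
    print(ET.tostring(stsuu_attribute(found), encoding="unicode"))
    print("trusted:", authority_trusted(found, {"https://webseal-a.example.com"}))
```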

    CUSTOM PROPERTIES FOR SAML 2.0 RELAY STATE (IV17413)

    SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding
    When specified as true, the RelayState in an unsolicited authentication response is URL encoded by the identity provider before it is sent to the service provider. This configuration applies to a response that is sent using HTTP POST binding and HTTP ARTIFACT binding with the HTTP POST artifact delivery method.
    The URL encoding can be controlled in three levels:
    Global level
    Controls the URL encoding for all federations and partners.

    Configuration example: SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding = true

    Federation level
    Controls the URL encoding for a specific federation and all its partners.

    Configuration example: SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding_<FEDERATIONID> = true

    Example for a federation with the ID https://idp/sps/fed/saml20:

    SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding_https://idp/sps/fed/saml20 = true

    Partner level
    Controls the URL encoding for a specific federation and a specific partner.

    Configuration example: SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding_<FEDERATIONID>_<PARTNERID>= true

    Example for a federation with the ID https://idp/sps/fed/saml20 and its partner with the ID https://sp/sps/fed/saml20

    SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding_https://idp/sps/fed/saml20_https://sp/sps/fed/saml20 = true

    Default value: True

    • Value type: Boolean
    • Example value: False

    <FEDERATIONID> represents the Provider ID of the federation and <PARTNERID> represents the Provider ID of the partner. You can obtain the Provider ID of the federation from the Federation Properties page in the console while the Provider ID of the partner can be obtained from the Partner Properties page in the console.

    You can use the three levels of control concurrently. Tivoli Federated Identity Manager implements concurrent use by checking the RelayState settings to decide what action to take in the following order:
    1. Partner level setting
    2. Federation level setting
    3. Global level setting

    When at least one of the settings is false, add the macro @TOKEN:RelayState@ to the comma-separated list of tokens in the runtime custom property SPS.PageFactory.HtmlEscapedTokens, so that the RelayState is HTML-escaped in the authentication response.

    SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding
    When specified as true, the RelayState in an unsolicited authentication response is URL decoded by the service provider after it is received from the identity provider.
    The URL encoding can be controlled in three levels:
    Global level
    Controls the URL encoding for all federations and partners.

    Configuration example:

    SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding = true

    Federation level
    Controls the URL encoding for a specific federation and all its partners.

    Configuration example: SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding_<FEDERATIONID> = true

    Example for a federation with the ID https://sp/sps/fed/saml20:

    SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding_https://sp/sps/fed/saml20 = true

    Partner level
    Controls the URL encoding for a specific federation and a specific partner.

    Configuration example: SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding_<FEDERATIONID>_<PARTNERID>= true

    Example for a federation with the ID https://sp/sps/fed/saml20 and its partner with the ID https://idp/sps/fed/saml20:

    SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding_https://sp/sps/fed/saml20_https://idp/sps/fed/saml20 = true

    Default value: True

    • Value type: Boolean
    • Example value: False

    <FEDERATIONID> represents the Provider ID of the federation and <PARTNERID> represents the Provider ID of the partner. You can obtain the Provider ID of the federation from the Federation Properties page in the console while the Provider ID of the partner can be obtained from the Partner Properties page in the console.

    You can use the three levels of control concurrently. Tivoli Federated Identity Manager implements concurrent use by checking the RelayState settings to decide what action to take in the following order:
    1. Partner level setting
    2. Federation level setting
    3. Global level setting
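    The three-level lookup and the encoding it controls, as an added example that is not TFIM code: it resolves the effective setting for a federation/partner pair from a constructed property set and shows what the IdP writes into the hidden RelayState field when URL encoding is on, off, and off with @TOKEN:RelayState@ HTML-escaped. Property values are assumed to be the strings true/false.

```python
"""Resolve the effective RelayState URL-encoding setting for an unsolicited
SAML 2.0 response and show what reaches the POST form as a result.
Added illustration of the documented behaviour, not TFIM code."""
from html import escape
from urllib.parse import quote, unquote

IDP_PROP = "SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding"
SP_PROP = "SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding"
RELAYSTATE_MACRO = "@TOKEN:RelayState@"


def _as_bool(raw):
    """Runtime custom property values are strings; accept true/false in any case."""
    value = raw.strip().lower()
    if value in ("true", "false"):
        return value == "true"
    raise ValueError(f"not a Boolean property value: {raw!r}")


def effective_setting(props, prop, federation_id, partner_id):
    """Most specific key wins: <prop>_<FEDERATIONID>_<PARTNERID>, then
    <prop>_<FEDERATIONID>, then <prop>; the documented default is True."""
    for key in (f"{prop}_{federation_id}_{partner_id}",
                f"{prop}_{federation_id}",
                prop):
        if key in props:
            return _as_bool(props[key])
    return True


def needs_html_escape_macro(props, prop=IDP_PROP):
    """The page's rule: if any level of the property is false, @TOKEN:RelayState@
    must be listed in SPS.PageFactory.HtmlEscapedTokens."""
    return any(not _as_bool(v) for k, v in props.items()
               if k == prop or k.startswith(prop + "_"))


def idp_relay_state_field(relay_state, url_encode, html_escaped_tokens):
    """Value the IdP writes into the hidden RelayState field of the POST form.
    URL-encoded, only unreserved characters survive, so the value cannot break
    out of the attribute; unencoded, it must be HTML-escaped instead."""
    value = quote(relay_state, safe="") if url_encode else relay_state
    if RELAYSTATE_MACRO in html_escaped_tokens:
        value = escape(value, quote=True)
    return value


def sp_relay_state(received, url_decode):
    """Value the SP hands to the application; it URL-decodes only when its own
    SAML20.SP... setting is true, so both sides must agree."""
    return unquote(received) if url_decode else received


def breaks_out_of_attribute(field_value):
    """Rough check: could the field value terminate value="..." or open a tag?"""
    return '"' in field_value or "<" in field_value


# Constructed property set: URL encoding on globally, switched off for one partner.
SAMPLE_PROPS = {
    IDP_PROP: "true",
    f"{IDP_PROP}_https://idp/sps/fed/saml20_https://sp/sps/fed/saml20": "false",
}

if __name__ == "__main__":
    fed, sp = "https://idp/sps/fed/saml20", "https://sp/sps/fed/saml20"
    enc = effective_setting(SAMPLE_PROPS, IDP_PROP, fed, sp)
    print("URL encoding for this partner:", enc)
    print("escape macro needed:", needs_html_escape_macro(SAMPLE_PROPS))
    print(idp_relay_state_field('https://sp/app?x=1&y="2"', enc, [RELAYSTATE_MACRO]))
```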

    TRUST SERVICE CUSTOM PROPERTY (IV16979)

    For the Tivoli Federated Identity Manager 6.2.2 release, the following Trust Service custom property is added.

    ivcred.insert.CRLF76
    When set to true, the base64 encoded IVCred generated by the Security Token Service module STSTokenIVCred is split into multiple lines. If this custom property is set to false, the base64 encoded IVCred generated by the Security Token Service module STSTokenIVCred is not split into multiple lines.

    Default value: True

    • Value type: Boolean
    • Example value: False

    TRUST SERVICE CUSTOM PROPERTY (IV18112)

    The SAML STS modules validate that the token provided on the STS request is of the correct type. The STS obtains the input token either from the Base element of the RequestSecurityToken message or from the WS-Security headers included on the SOAP envelope.

    If multiple security headers are included on the SOAP envelope, Tivoli Federated Identity Manager selects the very first one that it finds, regardless of whether the STS module configured to consume the token can handle the token type retrieved.

    To enable the SAML STS modules to notify the STS of the expected token type, so that the correct token is retrieved from the SOAP envelope headers, enable the following custom property:

    sts.multiple.tokens.security.header.enabled=true

    PROVIDE HTTP REQUEST INFORMATION TO THE STS (IV17485)

    SPS.http.request.claims.enabled
    When set to true, this parameter enables the Secure Protocol Service (SPS) to include a WS-Trust claims element. The WS-Trust claims element is included on the WS-Trust request to the Security Token Service. The claims element contains all the HTTP request information received at the SPS that causes the call to the Security Token Service. To avoid XML parsing problems, the values from the request are XML encoded before they are included as values to the claims element structure. The following HTTP request information is included in the claims element:
    • Cookies
    • HTTP headers
    • HTTP request attributes
    • HTTP request parameters
    You can configure the runtime custom property in three levels with the following order of significance:
    Partner level
    Controls the retrieval of claims for a specific federation and specific partner. The partner level configuration custom property varies depending on the type of protocol you use.
    SAML 1.X, SAML 2.0, WS-Federation, and Info Card partner level custom property:

    SPS.http.request.claims.enabled%SELF_PROVIDER_ID%PARTNER_PROVIDER_ID=true

    Where:
    SELF_PROVIDER_ID
    Refers to the federation provider ID.
    PARTNER_PROVIDER_ID
    Refers to the partner provider ID.

    SAML 2.0 example:

    SPS.http.request.claims.enabled%https://saml20sp:444/FIM/sps/saml20sp/saml20%https://saml20ip/FIM/sps/saml20ip/saml20=true
    OpenID partner level custom property:
    The format of the partner level custom property for OpenID varies depending on whether you have an Identity Provider or a Service Provider federation.
    OpenID partner level custom property at the Identity Provider:
    SPS.http.request.claims.enabled%SELF_PROVIDER_ID%ADVERTISED_TRUST_ROOT=true
    OpenID partner level custom property at the Service Provider:
    SPS.http.request.claims.enabled%SELF_PROVIDER_ID%OPENID_SERVER_ENDPOINT=true
    Where:
    SELF_PROVIDER_ID
    Refers to the federation provider ID.
    ADVERTISED_TRUST_ROOT
    Refers to the advertised trust root key value from the request.
    OPENID_SERVER_ENDPOINT
    Refers to the server endpoint included on the request.

    OpenID Identity Provider example:

    SPS.http.request.claims.enabled%https://fimabcip:9443/sps/openidip/openid%https://fimxyzsp:9443/=true

    OpenID Service Provider example:

    SPS.http.request.claims.enabled%https://fimxyzsp:9443/sps/openidsp/openid%https://fimabcip:9443/sps/openidip/openid/sso=true
    OAuth partner level custom property:
    SPS.http.request.claims.enabled%SELF_PROVIDER_ID%CLIENT_ID=true
    Where:
    SELF_PROVIDER_ID
    Refers to the federation provider ID.
    CLIENT_ID
    Refers to the client ID value.

    OAuth example:

    SPS.http.request.claims.enabled%https://fimabc:9443/sps/oauth20fed1/oauth20%Adxfwregw5mL8oP90gZz=true
    Federation level
    Controls the retrieval of claims for a specific federation and all its partners.

    Federation level custom property:

    SPS.http.request.claims.enabled%SELF_PROVIDER_ID=true

    Example:

    SPS.http.request.claims.enabled%https://saml20sp:444/FIM/sps/saml20sp/saml20=true
    Where:
    SELF_PROVIDER_ID
    Refers to the federation provider ID.
    Global level
    Controls the retrieval of claims for all federations and partners.

    Configuration example:

    SPS.http.request.claims.enabled=true

    Default value: False

    • Value type: Boolean
    • Example value: True

    The request cookies, headers, and parameters in an HTTP request might be numerous and result in a large claims element. You can filter the request cookies, headers, and parameters by using a custom property. Use the custom property to avoid including information that cannot be processed by the Security Token Service.

    Use the following custom property to specify the request cookies, headers, and parameters to include in the claims element.

    The custom property name is: SPS.http.request.claims.filter.spec

    For each data type, you can choose to add all values or filter the values based on the item name.

    The default filter is: cookies=*:headers=*

    The default filter causes all cookies and headers to be included and excludes all parameters.

    The format for the filter specification syntax is:

    cookies=[*|cookieName1,cookieName2]:headers=[*|header1,header2]:parameters=[*|param1,param2]

    NOTES:
    • To filter for a specific element, define the custom property with the specific element on the data type to which it belongs. For example, if you want to receive a cookie called MyCookie, specify the filter as:
      cookies=MyCookie
      To retrieve all cookies in the request but exclude all parameters and headers, set the custom property to:
      SPS.http.request.claims.filter.spec = cookies=*
    • Headers, cookies, and parameters can be multi-valued.

    • The cookie value includes the actual cookie value, the path, and the domain, separated by "; ". For example, a cookie named MyCookie with a value of MyValue, a path of /, and a domain of my.domain is formatted in the XML document as follows:
      <Cookie Name="MyCookie" Type="urn:ibm:names:ITFIM:httprequest:cookies">
          <Value>MyValue; %2F; my.domain</Value>
      </Cookie>

    An example of using the custom property to enable all the cookies, headers, and parameters is:

    SPS.http.request.claims.filter.spec = cookies=*:headers=*:parameters=*

    The resulting HTTPRequestClaims element is:

    <HTTPRequestClaims xmlns="urn:ibm:names:ITFIM:httprequest">
      <Attributes>
        <Attribute Name="remoteAddress" Type="urn:ibm:names:ITFIM:httprequest:remoteAddress">
          <Value>127.0.0.1</Value>
        </Attribute>
        <Attribute Name="remoteHost" Type="urn:ibm:names:ITFIM:httprequest:remoteHost">
          <Value>fim620</Value>
        </Attribute>
        <Attribute Name="protocol" Type="urn:ibm:names:ITFIM:httprequest:protocol">
          <Value>HTTP</Value>
        </Attribute>
        <Attribute Name="method" Type="urn:ibm:names:ITFIM:httprequest:method">
          <Value>POST</Value>
        </Attribute>
        <Attribute Name="pathInfo" Type="urn:ibm:names:ITFIM:httprequest:pathInfo">
          <Value>/saml20sp/saml20/login</Value>
        </Attribute>
        <Attribute Name="queryString" Type="urn:ibm:names:ITFIM:httprequest:queryString">
          <Value>Test=value</Value>
        </Attribute>
        <Attribute Name="requestURI" Type="urn:ibm:names:ITFIM:httprequest:requestURI">
          <Value>/sps/saml20sp/saml20/login</Value>
        </Attribute>
        <Locales>
          <Locale Name="locales" Type="urn:ibm:names:ITFIM:httprequest:locales">
            <Value>en_US</Value>
            <Value>en</Value>
          </Locale>
        </Locales>
      </Attributes>
      <Headers>
        <Header Name="iv-creds" Type="urn:ibm:names:ITFIM:httprequest:headers">
          <Value>Version=1, BAKs3DCCBO0MADCCBOcwggT....WgQA</Value>
        </Header>
        <Header Name="keep-alive" Type="urn:ibm:names:ITFIM:httprequest:headers">
          <Value>115</Value>
        </Header>
        <Header Name="accept-charset" Type="urn:ibm:names:ITFIM:httprequest:headers">
          <Value>ISO-8859-1,utf-8;q=0.7,*;q=0.7</Value>
        </Header>
        <Header Name="accept" Type="urn:ibm:names:ITFIM:httprequest:headers">
          <Value>text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</Value>
        </Header>
        <Header Name="host" Type="urn:ibm:names:ITFIM:httprequest:headers">
          <Value>fim620:9081</Value>
        </Header>
        <Header Name="iv-user" Type="urn:ibm:names:ITFIM:httprequest:headers">
          <Value>elain</Value>
        </Header>
        <Header Name="referer" Type="urn:ibm:names:ITFIM:httprequest:headers">
          <Value>https://saml20ip/FIM/sps/saml20ip/saml20/login?SAMLRequest=nVNdT8IwFP0rS....d%2FmV928%3D</Value>
        </Header>
        <Header Name="via" Type="urn:ibm:names:ITFIM:httprequest:headers">
          <Value>HTTP/1.1 fim620:444</Value>
        </Header>
        <Header Name="content-type" Type="urn:ibm:names:ITFIM:httprequest:headers">
          <Value>application/x-www-form-urlencoded</Value>
        </Header>
        <Header Name="iv-groups" Type="urn:ibm:names:ITFIM:httprequest:headers">
          <Value />
        </Header>
        <Header Name="iv_server_name" Type="urn:ibm:names:ITFIM:httprequest:headers">
          <Value>webseald-sp-webseald-localhost</Value>
        </Header>
        <Header Name="user_session_id" Type="urn:ibm:names:ITFIM:httprequest:headers">
          <Value>bG9jYWxob3N0LXdlYnNlYWxkLXNwAA==_9ZlLTwIAAAAwAAAAgB1uCTNsc1Y3Mk5Nc2N4WnpZQThTVGFIUFNleVJwcC1hRTgrU1JsNjJadkhRT3RXYTZIVQ==:default</Value>
        </Header>
        <Header Name="content-length" Type="urn:ibm:names:ITFIM:httprequest:headers">
          <Value>6245</Value>
        </Header>
        <Header Name="accept-language" Type="urn:ibm:names:ITFIM:httprequest:headers">
          <Value>en-us,en;q=0.5</Value>
        </Header>
        <Header Name="connection" Type="urn:ibm:names:ITFIM:httprequest:headers">
          <Value>close</Value>
        </Header>
      </Headers>
      <Cookies>
        <Cookie Name="fim_ivtapp_target" Type="urn:ibm:names:ITFIM:httprequest:cookies">
          <Value>https%3A%2F%2Fsaml20sp%3A444%2FFIM%2Ffimivt%2Fprotected%2Fivtlanding.jsp</Value>
        </Cookie>
        <Cookie Name="https%3a%2f%2fsaml20sp%3a444%2ffim%2fsps%2fsaml20sp%2fsaml20fimsaml20"
            Type="urn:ibm:names:ITFIM:httprequest:cookies">
          <Value>uuidbf50ca56-0135-1d3f-89fa-883ae744b81b</Value>
        </Cookie>
        <Cookie Name="jsessionid" Type="urn:ibm:names:ITFIM:httprequest:cookies">
          <Value>0000ZOelYEj9RH1aQVymcofXoKc:-1</Value>
        </Cookie>
        <Cookie Name="iv_jct" Type="urn:ibm:names:ITFIM:httprequest:cookies">
          <Value>%2FFIM</Value>
        </Cookie>
      </Cookies>
      <Parameters>
        <Parameter Name="Test" Type="urn:ibm:names:ITFIM:httprequest:query:param">
          <Value>value</Value>
        </Parameter>
        <Parameter Name="RelayState" Type="urn:ibm:names:ITFIM:httprequest:body:param">
          <Value>uuidbf50ca56-0135-1d3f-89fa-883ae744b81b</Value>
        </Parameter>
        <Parameter Name="SAMLResponse" Type="urn:ibm:names:ITFIM:httprequest:body:param">
          <Value>nVNdT8IwFP0rS....d%2FmV928%3D</Value>
        </Parameter>
      </Parameters>
    </HTTPRequestClaims>

    NOTE: The parameter attribute type value indicates whether the parameter was received using the query string or as part of the request body. For query string parameters, the type is set to urn:ibm:names:ITFIM:httprequest:query:param. For parameters received as part of the request body, the value is set to urn:ibm:names:ITFIM:httprequest:body:param.

    In the example, the cookies, headers, and parameters are filtered according to the specified values.

    This example filters the jsessionid cookie, host header, and RelayState parameter:

    SPS.http.request.claims.filter.spec = cookies=jsessionid:headers=host:parameters=RelayState

    NOTE: The values specified for parameters are case-sensitive. The values for cookies and headers are not case-sensitive.

    The resulting HTTPRequestClaims element is:

    <HTTPRequestClaims xmlns="urn:ibm:names:ITFIM:httprequest">
      <Attributes>
        <Attribute Name="remoteAddress" Type="urn:ibm:names:ITFIM:httprequest:remoteAddress">
          <Value>127.0.0.1</Value>
        </Attribute>
        <Attribute Name="remoteHost" Type="urn:ibm:names:ITFIM:httprequest:remoteHost">
          <Value>fim620</Value>
        </Attribute>
        <Attribute Name="protocol" Type="urn:ibm:names:ITFIM:httprequest:protocol">
          <Value>HTTP</Value>
        </Attribute>
        <Attribute Name="method" Type="urn:ibm:names:ITFIM:httprequest:method">
          <Value>POST</Value>
        </Attribute>
        <Attribute Name="pathInfo" Type="urn:ibm:names:ITFIM:httprequest:pathInfo">
          <Value>/saml20sp/saml20/login</Value>
        </Attribute>
        <Attribute Name="queryString" Type="urn:ibm:names:ITFIM:httprequest:queryString">
          <Value>Test=value</Value>
        </Attribute>
        <Attribute Name="requestURI" Type="urn:ibm:names:ITFIM:httprequest:requestURI">
          <Value>/sps/saml20sp/saml20/login</Value>
        </Attribute>
        <Locales>
          <Locale Name="locales" Type="urn:ibm:names:ITFIM:httprequest:locales">
            <Value>en_US</Value>
            <Value>en</Value>
          </Locale>
        </Locales>
      </Attributes>
      <Headers>
        <Header Name="host" Type="urn:ibm:names:ITFIM:httprequest:headers">
          <Value>fim620:9081</Value>
        </Header>
      </Headers>
      <Cookies>
        <Cookie Name="jsessionid" Type="urn:ibm:names:ITFIM:httprequest:cookies">
          <Value>0000sOnmzkbGcYdIcevoYRuxq0m:-1</Value>
        </Cookie>
      </Cookies>
      <Parameters>
        <Parameter Name="RelayState" Type="urn:ibm:names:ITFIM:httprequest:body:param">
          <Value>uuidbfd7cb00-0135-177e-9c06-fa9b2fb1485f</Value>
        </Parameter>
      </Parameters>
    </HTTPRequestClaims>
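    The filter syntax and the element it produces, as an added example that is not TFIM code: a parser for SPS.http.request.claims.filter.spec applied to a constructed request, producing an HTTPRequestClaims element with the cookie value format, parameter type values and case rules described above. The request dictionary shape is an assumption of the example.

```python
"""Apply an SPS.http.request.claims.filter.spec filter to an HTTP request and
build the HTTPRequestClaims element the SPS would add to the WS-Trust request.
Added illustration of the documented format, not TFIM code."""
import xml.etree.ElementTree as ET
from urllib.parse import quote

NS = "urn:ibm:names:ITFIM:httprequest"
DEFAULT_FILTER = "cookies=*:headers=*"        # documented default: no parameters
CASE_INSENSITIVE = ("cookies", "headers")     # parameter names are case-sensitive


def parse_filter_spec(spec=DEFAULT_FILTER):
    """Parse 'cookies=[*|c1,c2]:headers=[*|h1,h2]:parameters=[*|p1,p2]'.
    Maps each kind to None (include all) or a set of names; a kind absent from
    the spec maps to an empty set, so nothing of that kind is included."""
    allowed = {"cookies": set(), "headers": set(), "parameters": set()}
    for part in (p.strip() for p in spec.split(":") if p.strip()):
        kind, sep, names = part.partition("=")
        kind = kind.strip().lower()
        if not sep or kind not in allowed:
            raise ValueError(f"unrecognised filter component: {part!r}")
        if names.strip() == "*":
            allowed[kind] = None
        else:
            picked = {n.strip() for n in names.split(",") if n.strip()}
            allowed[kind] = {n.lower() for n in picked} if kind in CASE_INSENSITIVE else picked
    return allowed


def is_valid_filter_spec(spec):
    """True if the spec parses; lets a deployer check a value before setting it."""
    try:
        parse_filter_spec(spec)
        return True
    except ValueError:
        return False


def _wanted(allowed, kind, name):
    names = allowed[kind]
    if names is None:
        return True
    return (name.lower() if kind in CASE_INSENSITIVE else name) in names


def _add(parent, tag, name, type_, values):
    """One <Header>/<Cookie>/<Parameter>, multi-valued. ElementTree XML-escapes
    the text, which is the 'XML encoded before inclusion' step in the text."""
    el = ET.SubElement(parent, tag, {"Name": name, "Type": type_})
    for value in values:
        ET.SubElement(el, "Value").text = value
    return el


def build_claims(request, spec=DEFAULT_FILTER):
    """request (assumed shape): {"headers": {name: [values]},
    "cookies": [(name, value, path, domain)], "query": {name: [values]},
    "body": {name: [values]}}. Returns the HTTPRequestClaims element."""
    allowed = parse_filter_spec(spec)
    root = ET.Element("HTTPRequestClaims", {"xmlns": NS})  # default namespace as in the samples
    headers = ET.SubElement(root, "Headers")
    for name, values in request.get("headers", {}).items():
        if _wanted(allowed, "headers", name):
            _add(headers, "Header", name.lower(), f"{NS}:headers", values)
    cookies = ET.SubElement(root, "Cookies")
    for name, value, path, domain in request.get("cookies", ()):
        if _wanted(allowed, "cookies", name):
            # value, URL-encoded path and domain joined by "; ", e.g. "MyValue; %2F; my.domain"
            joined = f"{value}; {quote(path, safe='')}; {domain}"
            _add(cookies, "Cookie", name.lower(), f"{NS}:cookies", [joined])
    params = ET.SubElement(root, "Parameters")
    for source, type_ in (("query", f"{NS}:query:param"), ("body", f"{NS}:body:param")):
        for name, values in request.get(source, {}).items():
            if _wanted(allowed, "parameters", name):
                _add(params, "Parameter", name, type_, values)
    return root


def claim_names(root, section):
    """Names listed under <Headers>, <Cookies> or <Parameters>."""
    sec = root.find(section)
    return [el.get("Name") for el in sec] if sec is not None else []


def cookie_value(root, name):
    """Formatted value of the named cookie, or None if it was filtered out."""
    for el in root.find("Cookies"):
        if el.get("Name") == name.lower():
            return el.find("Value").text
    return None


# Constructed request, reusing values from the sample output above.
SAMPLE_REQUEST = {
    "headers": {"Host": ["fim620:9081"], "Iv-User": ["elain"],
                "Content-Type": ["application/x-www-form-urlencoded"]},
    "cookies": [("JSESSIONID", "0000ZOelYEj9RH1aQVymcofXoKc:-1", "/", "fim620"),
                ("MyCookie", "MyValue", "/", "my.domain")],
    "query": {"Test": ["value"]},
    "body": {"RelayState": ["uuidbf50ca56-0135-1d3f-89fa-883ae744b81b"],
             "relaystate": ["wrong-case-decoy"],
             "SAMLResponse": ["nVNdT8IwFP0rS....d%2FmV928%3D"]},
}

if __name__ == "__main__":
    claims = build_claims(SAMPLE_REQUEST, "cookies=jsessionid:headers=host:parameters=RelayState")
    print(ET.tostring(claims, encoding="unicode"))
```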

    An example HTTPRequestClaims as shown in the STSUUSER during the execution of the trust chain is:

    <stsuuser:RequestSecurityToken>
    .......
        <stsuuser:Attribute name="Claims" type="com:tivoli:am:fim:sts:RST">
            <stsuuser:Value>
                <wst:Claims Dialect="urn:ibm:names:ITFIM:saml"
                    xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
                    <fimc:Saml20Claims
                        AssertionConsumerServiceURL="https://saml20sp:444/FIM/sps/saml20sp/saml20/login"
                        DefaultNameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                        InResponseTo="FIMREQ_ed579ffa-0134-1f44-a1f3-886448eada7e"
                        ProtocolProfile="urn:oasis:names:tc:SAML:2:0:profiles:SSO"
                        RelayState="uuided51083a-0134-1634-825f-f3cdd64676bd"
                        SignatureValidated="true"
                        Target="https://saml11sp:444/FIM/fimivt/protected/ivtlanding.jsp"
                        xmlns:fimc="urn:ibm:names:ITFIM:saml">
                        <fimc:PrincipalName>elain</fimc:PrincipalName>
                    </fimc:Saml20Claims>
                </wst:Claims>
            </stsuuser:Value>
            <stsuuser:Value>
                <wst:Claims Dialect="urn:ibm:names:ITFIM:httprequest"
                    xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
                    <HTTPRequestClaims xmlns="urn:ibm:names:ITFIM:httprequest">
                        ........
                    </HTTPRequestClaims>
                </wst:Claims>
            </stsuuser:Value>
        </stsuuser:Attribute>
    .......
    </stsuuser:RequestSecurityToken>

    MISSING OAUTH IDENTIFIER ENTRIES FROM EVENTS PAGE PANEL (IV17422)

    APAR Symptom
    OAuth event identifier entries are missing from the Event Pages panel after upgrading to IBM® Tivoli® Federated Identity Manager 6.2.2 or after importing existing configuration archive.
    Error description
    Notice that the OAuth event identifier entries are not shown in the Event Pages panel in the Integrated Solutions Console after you upgrade to Tivoli Federated Identity Manager 6.2.2 or after you import an existing configuration archive.

    Local fix

    About this task

    After Tivoli Federated Identity Manager 6.2.2 Fix Pack 2 is installed, follow the steps below.

    Procedure

    1. From the Integrated Solutions Console navigate to Tivoli Federated Identity Manager > Domain Management > Runtime Node Management.
    2. Click Runtime Custom Properties.
    3. Set a new runtime custom property TFIM.UpgradeConfig to true.
    4. Click OK.
    5. Click Load the configuration changes to the Tivoli Federated Identity Manager runtime.
    6. Restart WebSphere® Application Server where the Tivoli Federated Identity Manager management service is installed.

    Results

    The OAuth event identifier entries are displayed in the Event Pages panel.

    Problem summary

    Since the OAuth event identifiers are not available, the template pages cannot be customized.

    Temporary Fix

    Procedure

    1. Modify the sps.xml configuration file.
      ATTENTION: The sps.xml file is a critical configuration file. Editing errors are likely to prevent IBM Tivoli Federated Identity Manager from running. Always maintain a backup copy if you plan to edit it and test your changes. WebSphere Application Server must be restarted after changing this file so that the changes are recognized by IBM Tivoli Federated Identity Manager.
    2. Stop the WebSphere Application Server.
    3. Open the sps.xml file in an XML editor. The file is located in the following default locations:

      AIX, Linux, Solaris

      /opt/IBM/WebSphere/AppServer/profiles/dmgr/config/itfim/<domain>/etc/sps.xml

      Windows

      C:\Program Files\IBM\WebSphere\AppServer\profiles\<DMGR_PROFILE>\config\itfim\<domain>\etc\sps.xml
    4. Review the content of the PageConfiguration section of the sps.xml file to determine what parameters you want to change.
    5. Add the following entries for the event pages under the <sps:PageIdentifierMappings> tag.
      <sps:PageIdentifierMapping location="/oauth/user_consent.html" name="/oauth/user_consent.html"/>
      <sps:PageIdentifierMapping location="/oauth/clients_manager.html" name="/oauth/clients_manager.html"/>
      <sps:PageIdentifierMapping location="/oauth/user_error.html" name="/oauth/user_error.html"/>
      <sps:PageIdentifierMapping location="/oauth/user_response.html" name="/oauth/user_response.html"/>
      <sps:PageIdentifierMapping location="/oauth/user_consent_denied.html" name="/oauth/user_consent_denied.html"/>
      
      <sps:PageIdentifierMapping location="/oauth20/user_consent.html" name="/oauth20/user_consent.html"/>
      <sps:PageIdentifierMapping location="/oauth20/clients_manager.html" name="/oauth20/clients_manager.html"/>
      <sps:PageIdentifierMapping location="/oauth20/user_error.html" name="/oauth20/user_error.html"/>
      <sps:PageIdentifierMapping location="/oauth20/user_response.html" name="/oauth20/user_response.html"/>
    6. Restart the Deployment Manager where the Tivoli Federated Identity Manager management service is installed.
    7. Synchronize all the nodes.
    8. From Integrated Solutions Console, navigate to Domain Management > Runtime Node Management.
    9. Click Reload Configurations.

    Results

    The OAuth event identifier entries are displayed in the Event Pages panel.

    THE TFIM KERBEROS DELEGATION STS MODULE DOES NOT SUPPORT RUNNING IN 64-BIT JVMs ON 64-BIT VERSIONS OF WINDOWS (IV15372)

    IBM® Tivoli® Federated Identity Manager version 6.2.2, fix pack 2 supports Kerberos authentication using 64-bit DLL.

    Prerequisite:

    Install Microsoft Visual C++ 2010 Redistributable Package on your computer.

    Reference:

    For instructions on how to configure a typical environment for Kerberos authentication, see the IBM Tivoli Access Manager: WebSEAL Kerberos Junctions article in the developerWorks® wiki (http://www.ibm.com/developerworks/tivoli/library/t-tamwkj/).

    See the related formal IBM document available at: http://www-01.ibm.com/support/search.wss?q=6.1.0-TIV-ITAMEBI-1.0.03-AmMsIISAdapter.

    NOTE: For details on using IBM Tivoli Access Manager and IBM Tivoli Federated Identity Manager to issue Kerberos authentication to Microsoft Exchange 2010 and Microsoft SharePoint 2010, see Using Kerberos for Microsoft Windows Authentication Foundation Guide (https://www-304.ibm.com/support/entdocview.wss?uid=swg24029517).

    INCORRECT ALIAS LOOKUP DURING SLO WITH UNSPECIFIED NAME ID FORMAT (APAR IV19827)

    You can configure the Tivoli Federated Identity Manager Single Sign-on Protocol Service (SPS) SAML 2.0 implementation to use the urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified name identifier format. You can choose to use this name identifier format when issuing a SAML assertion in a single sign-on flow.

    By default, Tivoli Federated Identity Manager treats a urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified name identifier as a urn:oasis:names:tc:SAML:2.0:nameid-format:persistent name identifier. This means that the SAML 2.0 implementation invokes the alias service to determine the user identity.

    The SAML 2.0 implementation calls the alias service to obtain a user alias by default when:
    • The single sign-on was done using a urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified name identifier.
    • A single logout flow is invoked.

    To avoid the call to the alias service, set the DefaultNameIDFormat configuration property to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

    See the "Handling an unspecified name identifier" topic in the Tivoli Federated Identity Manager Information center for more information about:
    • How Tivoli Federated Identity Manager handles unspecified name identifiers.
    • How to configure DefaultNameIDFormat.

    WEBSEAL FAIL OVER COOKIES WITHOUT PDACLD (APAR IV17412)

    APAR Symptom
    Tivoli Access Manager WebSEAL failover cookies do not work when Tivoli Federated Identity Manager is configured to generate IV credential tokens without using PDAcld.

    About this task

    After the Tivoli Federated Identity Manager 6.2.2 Fixpack 2 is installed, follow the procedure below.

    Procedure

    Modify the mapping rule of your federation and add the following attribute on the attribute list section of the STSUU.

        <stsuuser:Attribute name="AZN_CRED_AUTH_METHOD" type="urn:ibm:names:ITFIM:5.1:accessmanager">
           <stsuuser:Value>password</stsuuser:Value>
        </stsuuser:Attribute>
      

    PROVIDE NONCE ON THE USC EMAIL NOTIFICATION AS SEPARATE TOKEN (APAR IV19945)

    The Tivoli Federated Identity Manager User Self Care (USC) feature sends a user enrollment validation email to complete the user enrollment process.

    A link is included in the email that users need to access to complete the enrollment process. The USC code indexes the outstanding user enrollment in the cache using a nonce value. The nonce value is added to the validation URL as a query string parameter.

    Before this fix, USC exposed the nonce only as part of the validation URL.

    In some scenarios, you might need access to the nonce value without it being part of the validation URL.

    To provide this flexibility, the USC email validation code now supports two macros that can be used when generating the email content:

    • @USC_VALIDATION_NONCE_NOENC@ - Nonce without URL encoding.
    • @USC_VALIDATION_NONCE@ - Nonce with URL encoding. Use this form wherever the nonce is placed in a query string.
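    The following Python example is added here and is not the User Self Care code. It renders an email template that uses both macros, then follows the validation link back to the cache of outstanding enrollments, and shows why the encoded form is the one to put in the URL: a web container decodes a bare '+' in a query string as a space, so a nonce containing '+' that was inserted unencoded can no longer be found. The template, the validation endpoint and the in-memory cache are constructed for this example.

```python
# Added example, not the User Self Care code. The template, the validation URL
# and the in-memory enrollment cache are constructed for illustration.
import base64
import secrets
from urllib.parse import quote, urlsplit, parse_qs

VALIDATION_URL = "https://usc.example.com/sps/usc/validate"   # assumed endpoint

# Constructed cache of outstanding enrollments, indexed by nonce.
PENDING_ENROLLMENTS = {}

EMAIL_TEMPLATE = (
    "Hello,\n"
    "Confirm your enrollment: " + VALIDATION_URL + "?nonce=@USC_VALIDATION_NONCE@\n"
    "Or enter this code on the confirmation page: @USC_VALIDATION_NONCE_NOENC@\n"
)


def new_nonce():
    """Random nonce in standard base64, which can contain '+', '/' and '='."""
    return base64.b64encode(secrets.token_bytes(18)).decode("ascii")


def render_email(template, nonce):
    """Expand the two macros: NOENC is the raw value; the other is percent-encoded
    with nothing left unescaped, so it survives inside a query string."""
    return (template
            .replace("@USC_VALIDATION_NONCE_NOENC@", nonce)
            .replace("@USC_VALIDATION_NONCE@", quote(nonce, safe="")))


def start_enrollment(user, nonce=None):
    """Register an outstanding enrollment and return the nonce and the email body."""
    nonce = nonce or new_nonce()
    PENDING_ENROLLMENTS[nonce] = user
    return nonce, render_email(EMAIL_TEMPLATE, nonce)


def nonce_from_link(url):
    """Recover the nonce the way a web container does: parse_qs percent-decodes the
    value and, like any form decoder, turns a bare '+' into a space."""
    values = parse_qs(urlsplit(url).query).get("nonce")
    return values[0] if values else None


def complete_enrollment(url):
    """Pop the matching enrollment from the cache; None means nothing matched."""
    return PENDING_ENROLLMENTS.pop(nonce_from_link(url), None)


def demo():
    nonce = "ab+cd/ef=="                   # fixed value so the encoding difference shows
    _, email = start_enrollment("alice", nonce)
    good_link = VALIDATION_URL + "?nonce=" + quote(nonce, safe="")
    result_good = complete_enrollment(good_link)       # "alice"
    start_enrollment("bob", nonce)
    bad_link = VALIDATION_URL + "?nonce=" + nonce      # raw nonce pasted into a URL
    result_bad = complete_enrollment(bad_link)         # None: '+' was decoded as a space
    return email, result_good, result_bad


if __name__ == "__main__":
    email, good, bad = demo()
    print(email)
    print("encoded link resolved to:", good)
    print("unencoded link resolved to:", bad)
```

    The unencoded macro is for places where the nonce is not a URL component, such as a code the user types in. Anything that lands in a query string should use @USC_VALIDATION_NONCE@.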

    INCLUDE KEY AND REQUEST TYPE ON STS (APAR IV17871)

    Before this fix, the Tivoli Federated Identity Manager Security Token Service (STS) chain did not support the RequestType and KeyType elements on the RequestSecurityTokenResponse message.

    With this fix, the RequestType value is set to the value received in the request. The KeyType is set from an attribute on the STSUU structure and must be one of the values defined by WS-Trust.

    To set the KeyType from a mapping rule, use the following sample XSL fragment:

        <xsl:template match="//stsuuser:ContextAttributes">
            <stsuuser:ContextAttributes>

                <!-- Keep the context attributes that earlier modules in the chain already
                     placed on the STSUU; without this copy the template replaces them
                     with the single attribute below -->
                <xsl:copy-of select="stsuuser:Attribute"/>

                <!-- Add the key type to the Request Security Token Response generated by the SAML module -->
                <stsuuser:Attribute 
                    name="RequestSecurityTokenResponse.KeyType" 
                    type="urn:ibm:names:ITFIM:5.1:accessmanager">
                        <stsuuser:Value>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</stsuuser:Value>
                </stsuuser:Attribute>

            </stsuuser:ContextAttributes>
        </xsl:template>

    The new property RequestSecurityTokenResponse.KeyType allows the administrator to set the KeyType on the RequestSecurityTokenResponse.

    In this scenario, the KeyType is set to: http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey.

    For more information about other valid values, see the WS-Trust specification from the OASIS Website.
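    The following Python example is added here and is not the Security Token Service code. It reads the RequestType from a constructed RequestSecurityToken, reads RequestSecurityTokenResponse.KeyType from a constructed STSUU, rejects any KeyType that is not one of the three values WS-Trust 1.3 defines, and emits the two elements on a RequestSecurityTokenResponse skeleton. The STSUU document shape and the stsuuser namespace URI are assumptions; only the context attribute name and type come from the fragment above.

```python
# Added example, not the Security Token Service code. The RST and STSUU documents
# are constructed; the stsuuser namespace URI is an assumption.
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"       # WS-Trust 1.3
STSUU = "urn:ibm:names:ITFIM:1.0:stsuuser"                      # assumed STSUU namespace
NS = {"wst": WST, "stsuuser": STSUU}
KEY_TYPE_ATTR = "RequestSecurityTokenResponse.KeyType"

# The three KeyType values defined by WS-Trust 1.3.
VALID_KEY_TYPES = {WST + "/PublicKey", WST + "/SymmetricKey", WST + "/Bearer"}

RST_XML = f"""<wst:RequestSecurityToken xmlns:wst="{WST}">
  <wst:RequestType>{WST}/Issue</wst:RequestType>
  <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</wst:TokenType>
</wst:RequestSecurityToken>"""

STSUU_XML = f"""<stsuuser:STSUniversalUser xmlns:stsuuser="{STSUU}">
  <stsuuser:Principal>
    <stsuuser:Attribute name="name"><stsuuser:Value>alice</stsuuser:Value></stsuuser:Attribute>
  </stsuuser:Principal>
  <stsuuser:ContextAttributes>
    <stsuuser:Attribute name="{KEY_TYPE_ATTR}" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>{WST}/PublicKey</stsuuser:Value>
    </stsuuser:Attribute>
  </stsuuser:ContextAttributes>
</stsuuser:STSUniversalUser>"""


def context_attribute(stsuu, name):
    """Value of the named STSUU context attribute, or None when it is absent."""
    for attr in stsuu.findall("stsuuser:ContextAttributes/stsuuser:Attribute", NS):
        if attr.get("name") == name:
            value = attr.find("stsuuser:Value", NS)
            return value.text.strip() if value is not None and value.text else None
    return None


def key_type_is_valid(key_type):
    """Only the WS-Trust 1.3 KeyType URIs are accepted."""
    return key_type in VALID_KEY_TYPES


def build_rstr(rst_xml, stsuu_xml):
    """RSTR skeleton: RequestType echoed from the RST, KeyType taken from the STSUU
    and rejected unless it is one of the WS-Trust values."""
    rst = ET.fromstring(rst_xml)
    stsuu = ET.fromstring(stsuu_xml)

    request_type = rst.findtext("wst:RequestType", namespaces=NS)
    if not request_type:
        raise ValueError("RequestSecurityToken carries no RequestType")

    key_type = context_attribute(stsuu, KEY_TYPE_ATTR)
    if key_type is not None and not key_type_is_valid(key_type):
        raise ValueError(f"unsupported KeyType in STSUU: {key_type}")

    rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse")
    ET.SubElement(rstr, f"{{{WST}}}RequestType").text = request_type
    if key_type is not None:
        ET.SubElement(rstr, f"{{{WST}}}KeyType").text = key_type
    return rstr


def rstr_fields(rstr):
    """(RequestType, KeyType) of a response element, for inspection."""
    return (rstr.findtext("wst:RequestType", namespaces=NS),
            rstr.findtext("wst:KeyType", namespaces=NS))


if __name__ == "__main__":
    ET.register_namespace("wst", WST)
    print(ET.tostring(build_rstr(RST_XML, STSUU_XML), encoding="unicode"))
```

    Rejecting an unknown KeyType at this point is deliberate: a relying party that receives a KeyType it does not understand may fall back to treating the token as a bearer token, so a typo in the mapping rule should fail loudly rather than be passed through.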

    SUPPORT DYNAMIC ACS URL IN SAML 2.0 AUTHNREQUEST (IV21908)

    Symptom
    Tivoli® Federated Identity Manager invalidates the AuthnRequest message when the Assertion Consumer Service URL does not exactly match the configured URL.
    Cause
    By default, the Tivoli Federated Identity Manager checks the Assertion Consumer Service URL of the authentication request with the configured URL by exact string comparison. Tivoli Federated Identity Manager cannot validate the authentication requests that do not have an exact string match with the configured URL.
    Resolving the problem
    Use a custom runtime property that contains a regular expression pattern for the Assertion Consumer Service URL validation of a specific federation, partner, and binding. Keep the pattern as narrow as the partner needs: the Identity Provider sends the assertion to the Assertion Consumer Service URL named in the AuthnRequest, so every URL the pattern accepts becomes a valid destination for a user's assertion.
    There are two custom runtime properties you can use. Depending on which custom runtime property you use, Tivoli Federated Identity Manager performs the corresponding validation.

    • SAML20.IDP.ACSUrlPattern_<fedId>_<partnerId> = <regex>
      Example value:
      SAML20.IDP.ACSUrlPattern_https://ip.example.com/sps/saml20ip/saml20_https://sp.example.com/sps/saml20sp/saml20 = https://sp.example.com/sps/saml20sp/saml20(\\?(\\S+?)=(\\S+?))?
    • SAML20.IDP.ACSUrlPattern_<fedId>_<partnerId>_<binding> = <regex>
      Example value:
      SAML20.IDP.ACSUrlPattern_https://ip.example.com/sps/saml20ip/saml20_https://sp.example.com/sps/saml20sp/saml20_urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST = https://sp.example.com/sps/saml20sp/saml20(\\?(\\S+?)=(\\S+?))?

    The fedId value is the provider ID in the federation properties page.

    The partnerId value is the provider ID in the partner properties page.

    The values for the binding are:
    • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
    • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    The custom runtime property SAML20.IDP.ACSUrlPattern_<fedId>_<partnerId>_<binding> takes precedence over SAML20.IDP.ACSUrlPattern_<fedId>_<partnerId>.

    If both custom runtime properties are set, Tivoli Federated Identity Manager first looks for the pattern whose <binding> value matches the binding of the incoming authentication request, and uses the partner-level pattern only when no such binding-specific pattern exists.
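    The following Python model is an added example and is not Tivoli Federated Identity Manager code. It shows the lookup order of the two properties, the exact-match fallback when neither is set, and why the pattern must pin the whole URL. The property values, the URLs, the use of re.fullmatch and the look-alike attacker host are assumptions for illustration; the dots in the patterns are escaped, which the example values above do not do.

```python
# Added example, not TFIM code: a model of the ACSUrlPattern lookup order and of the
# check a tight pattern provides. Properties, URLs and re.fullmatch are assumptions.
import re

HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

FED_ID = "https://ip.example.com/sps/saml20ip/saml20"          # provider ID of the federation
PARTNER_ID = "https://sp.example.com/sps/saml20sp/saml20"      # provider ID of the partner
CONFIGURED_ACS = "https://sp.example.com/sps/saml20sp/saml20"  # ACS URL in the partner properties


def property_key(fed_id, partner_id, binding=None):
    """Custom runtime property name, with or without the binding suffix."""
    key = f"SAML20.IDP.ACSUrlPattern_{fed_id}_{partner_id}"
    return key if binding is None else f"{key}_{binding}"


# Constructed custom runtime properties. The doubled backslashes in the README values
# are Java-properties escaping; the regex the runtime compiles is the raw string here.
RUNTIME_PROPERTIES = {
    property_key(FED_ID, PARTNER_ID, HTTP_POST):
        r"https://sp\.example\.com/sps/saml20sp/saml20(\?(\S+?)=(\S+?))?",
    property_key(FED_ID, PARTNER_ID):
        r"https://sp\.example\.com/sps/saml20sp/saml20",
}


def select_pattern(props, fed_id, partner_id, binding):
    """Binding-specific property first, then the partner-level one; None if neither is set."""
    for key in (property_key(fed_id, partner_id, binding), property_key(fed_id, partner_id)):
        if key in props:
            return props[key]
    return None


def acs_url_is_valid(acs_url, props, fed_id, partner_id, binding, configured_acs=CONFIGURED_ACS):
    """True if the AuthnRequest's Assertion Consumer Service URL may receive the assertion."""
    pattern = select_pattern(props, fed_id, partner_id, binding)
    if pattern is None:
        return acs_url == configured_acs            # default: exact string comparison
    # Assumption: the whole URL must match. With re.search instead of re.fullmatch a
    # prefix-only pattern would be satisfied by any URL that merely contains it.
    return re.fullmatch(pattern, acs_url) is not None


def demo():
    with_relay = CONFIGURED_ACS + "?RelayState=abc123"
    return {
        # POST binding: binding-specific pattern applies and allows one query parameter
        "post_with_query": acs_url_is_valid(with_relay, RUNTIME_PROPERTIES,
                                            FED_ID, PARTNER_ID, HTTP_POST),
        # Artifact binding: falls back to the partner-level pattern, which allows no query
        "artifact_with_query": acs_url_is_valid(with_relay, RUNTIME_PROPERTIES,
                                                FED_ID, PARTNER_ID, HTTP_ARTIFACT),
        # No property at all: exact comparison, so a query string fails
        "exact_with_query": acs_url_is_valid(with_relay, {}, FED_ID, PARTNER_ID, HTTP_POST),
        "exact_plain": acs_url_is_valid(CONFIGURED_ACS, {}, FED_ID, PARTNER_ID, HTTP_POST),
        # A look-alike host never matches the tight patterns
        "other_host": acs_url_is_valid("https://sp.example.com.attacker.test/sps/saml20sp/saml20",
                                       RUNTIME_PROPERTIES, FED_ID, PARTNER_ID, HTTP_POST),
    }


def loose_pattern_accepts_foreign_host():
    """Why the pattern must pin the full URL: a host prefix followed by '.*' accepts a
    look-alike host, and the IdP would then post the user's assertion there."""
    loose = {property_key(FED_ID, PARTNER_ID, HTTP_POST): r"https://sp\.example\.com.*"}
    return acs_url_is_valid("https://sp.example.com.attacker.test/acs",
                            loose, FED_ID, PARTNER_ID, HTTP_POST)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
    print("loose pattern accepts foreign host:", loose_pattern_accepts_foreign_host())
```

    The last function is the failure mode to test for before deploying a pattern: if it returns True for a host you do not own, the property is too loose.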

    STSUUSER PRINCIPAL DOES NOT MATCH INCOMING ASSERTION NAMEID (IV21963)

    Symptom
    The STSUUSER principal name does not match the incoming Subject NameID of the assertion.
    Cause
    When a user signs on while an authenticated session already exists, and the user name in the Subject NameID of the incoming SAML 2.0 assertion differs from the user of the existing session, the token created by the single sign-on is still bound to the existing user session.
    NOTE: This issue applies only to single sign-on sessions that use the email NameID format.
    Resolving the problem
    The fix changes the token issuance. The default behavior is now to use the incoming Subject NameID of the assertion as the principal name whenever the existing session user name does not match it.
    To keep the existing session principal name instead of the incoming Subject NameID of the assertion, set the SAML20.SP.IV20677.Enabled custom runtime property to false.
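    The following Python model is an added example and is not Tivoli Federated Identity Manager code. It covers the two service-provider decisions described in this README: how a name identifier is resolved to a local principal, with an unspecified format routed to the alias service unless DefaultNameIDFormat is set to emailAddress (APAR IV19827), and which principal a token receives when an email-format assertion arrives in a session that belongs to another user (IV21963). The alias store, the configuration dictionaries and the user names are constructed.

```python
# Added example, not TFIM code: a model of the NameID handling described for APAR
# IV19827 and IV21963. Alias store, configuration dicts and user names are constructed.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

IDP = "https://ip.example.com/sps/saml20ip/saml20"

# Constructed alias store: (partner, opaque alias) -> local user
ALIAS_STORE = {(IDP, "a1b2c3d4"): "alice"}


class AliasService:
    """Stand-in for the alias service; counts calls so the effect of
    DefaultNameIDFormat on the single logout path is visible."""

    def __init__(self):
        self.calls = 0

    def lookup(self, partner, alias):
        self.calls += 1
        return ALIAS_STORE.get((partner, alias))


def effective_format(name_id_format, config):
    """An unspecified format is handled as persistent unless DefaultNameIDFormat says otherwise."""
    if name_id_format == UNSPECIFIED:
        return config.get("DefaultNameIDFormat", PERSISTENT)
    return name_id_format


def resolve_principal(name_id, name_id_format, partner, config, alias_service):
    """Map a NameID to the local principal, calling the alias service only for persistent."""
    fmt = effective_format(name_id_format, config)
    if fmt == PERSISTENT:
        user = alias_service.lookup(partner, name_id)
        if user is None:
            raise LookupError(f"no alias mapping for {name_id!r} from {partner}")
        return user
    if fmt == EMAIL:
        return name_id                      # the email address itself is the principal name
    raise ValueError(f"name identifier format not handled here: {fmt}")


def principal_for_session(session_user, assertion_name_id, name_id_format, config):
    """Which principal the new token is bound to. The README describes this only for the
    email format, so other formats are rejected here rather than guessed."""
    if name_id_format != EMAIL:
        raise ValueError("IV21963 rule covers the emailAddress format only")
    if session_user is None or session_user == assertion_name_id:
        return assertion_name_id
    # Fixed behaviour (property absent or "true"): the assertion's NameID wins.
    # SAML20.SP.IV20677.Enabled=false restores binding the token to the session user.
    if config.get("SAML20.SP.IV20677.Enabled", "true").lower() == "true":
        return assertion_name_id
    return session_user


def demo():
    svc = AliasService()
    slo_default = resolve_principal("a1b2c3d4", UNSPECIFIED, IDP, {}, svc)
    calls_default = svc.calls
    svc = AliasService()
    slo_email = resolve_principal("alice@example.com", UNSPECIFIED, IDP,
                                  {"DefaultNameIDFormat": EMAIL}, svc)
    return {
        "unspecified_default": (slo_default, calls_default),     # ("alice", 1)
        "unspecified_as_email": (slo_email, svc.calls),          # ("alice@example.com", 0)
        "fixed": principal_for_session("alice@example.com", "bob@example.com", EMAIL, {}),
        "legacy": principal_for_session("alice@example.com", "bob@example.com", EMAIL,
                                        {"SAML20.SP.IV20677.Enabled": "false"}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    The "legacy" entry is the pre-fix outcome: a token issued for bob's assertion ends up bound to alice's session. Leave SAML20.SP.IV20677.Enabled at its default unless an application has been shown to depend on the old binding.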

    Software limitations

    None.


    Known issues and workarounds

    Incorrect version shows in the Tivoli Federated Identity Manager Runtime Node Management panel

    Issue:

    After uninstalling the fix pack, the user can deploy the base version of Tivoli® Federated Identity Manager from the Runtime Node Management panel.

    After deploying the runtime, the Runtime Management panel shows the correct version of Tivoli Federated Identity Manager.

    However, the Runtime Nodes panel shows an incorrect Runtime version.

    Workaround:

    1. Select Tivoli Federated Identity Manager > Domains > Domain Properties > Domain Information.
    2. Click Refresh Management Service.
    3. Select Tivoli Federated Identity Manager > Domain Management > Runtime Node Management.
    4. Click Publish Plug-ins.
    5. Click Load configuration changes to Tivoli Federated Identity Manager runtime from the Integrated Solutions Console.
    6. Log off from the Integrated Solutions Console.
    7. Log on again.
    8. Select Tivoli Federated Identity Manager > Domain Management > Runtime Node Management.

      The correct Tivoli Federated Identity Manager runtime version now shows in the Runtime Management and Runtime Nodes panels.


    Notices

    This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

    IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

    IBM Director of Licensing
    IBM Corporation
    North Castle Drive
    Armonk, NY 10504-1785
    U.S.A.

    For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

    Intellectual Property Licensing
    Legal and Intellectual Property Law
    IBM Japan, Ltd.
    1623-14, Shimotsuruma, Yamato-shi
    Kanagawa 242-8502 Japan

    The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

    INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

    Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

    This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

    Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

    IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

    Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information that has been exchanged, should contact:

    IBM Corporation
    2Z4A/101
    11400 Burnet Road
    Austin, TX 78758
    U.S.A.

    Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

    The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

    Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

    Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

    All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

    This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.


    Trademarks

    IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.

    Adobe®, Acrobat, PostScript® and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

    IT Infrastructure Library® is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

    Intel®, Intel logo, Intel Inside®, Intel Inside logo, Intel Centrino®, Intel Centrino logo, Celeron®, Intel Xeon®, Intel SpeedStep®, Itanium®, and Pentium® are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

    Linux® is a trademark of Linus Torvalds in the United States, other countries, or both.

    Microsoft, Windows, Windows NT®, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

    ITIL® is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

    UNIX® is a registered trademark of The Open Group in the United States and other countries.

    Cell Broadband Engine™ and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.

    Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

    Other company, product, and service names may be trademarks or service marks of others.

    End of the IBM® Tivoli® Federated Identity Manager 6.2.2-TIV-TFIM-FP0002.README file.