IBM® Tivoli® Federated Identity Manager Business Gateway, Fix Pack 6.2.1-TIV-TFIMBG-FP0006 README

©Copyright International Business Machines Corporation 2008, 2013. All rights reserved. U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

NOTE: Before using this information and the product it supports, read the general information under Notices in this document.

Date: Tuesday, 26 November 2013

===========================================================================

Contents

  1. ABOUT THIS PATCH
    • Important notice
    • Contents and distribution
    • Architecture
    • Patches superseded
    • Structure
  2. APARS AND DEFECTS FIXED
    • Problems fixed by fix pack 6.2.1-TIV-TFIMBG-FP0006
    • Problems fixed by fix pack 6.2.1-TIV-TFIMBG-FP0004
    • Problems fixed by fix pack 6.2.1-TIV-TFIMBG-FP0002
    • Problems fixed by fix pack 6.2.1-TIV-TFIMBG-FP0001
  3. BEFORE INSTALLING THIS PATCH
  4. INSTALLING THIS PATCH
    • Downloading the fix pack
    • Setting the WebSphere security passwords
    • Deploying the fix pack runtime component
    • Restarting the ITFIMManagementService
    • Publishing the fix pack plug-ins to the runtime and reloading the configuration
  5. DOCUMENTATION UPDATES
    • SPECIFYING URLS THAT THE COMMON DOMAIN COOKIE READING AND WRITING SERVICE IN THE SAML 2.0 IDENTITY PROVIDER DISCOVERY PROFILE CAN REDIRECT TO (IV50639)
    • IRRELEVANT PARAMETERS IN SAML PARTNER RESPONSE FILE DOCUMENTATION (IV41598)
    • LDAP MIGRATION TOOL DOES NOT WORK FOR NON-DEFAULT USER IDENTIFIER ATTRIBUTE (IV25589)
    • INCORRECT ONLINE DOCUMENT FOR THE INSTALLATION NEEDS TO BE CHANGED (IV26816)
    • JAVASCRIPT MAPPING RULE VALIDATION
    • CUSTOM PROPERTIES FOR SAML 2.0 RELAY STATE (IV26763)
    • PROVIDE NONCE ON THE USC EMAIL NOTIFICATION AS SEPARATE TOKEN (APAR IV19945)
    • TRUST SERVICE CUSTOM PROPERTY (IV12418)
    • INCLUDE KEY AND REQUEST TYPE ON STS (IV15425)
    • TRUST SERVICE CUSTOM PROPERTY (IV14481)
    • RelayState in the authentication request sent by the SAML 2.0 Service Provider into the Identity Provider is not available as query string parameter in the redirect URL to the custom login page. (IV07933)
    • ADD ADDITONAL TRACES FOR FBTSPS061E ERROR (IZ98683)
    • Ability for IVCRED STS Module to return error (default) or map to special user account for unauthenticated user token. (IZ94653)
    • When importing JavaScript mapping rule using FIM Console, FIM might incorrectly reports that the mapping rule is syntatically incorrect if it contains throw exception statements (IV01646)
    • INACCURATE DOCUMENTATION ON THE SUPPORTED SSL VERSION (IV00560)
    • NO DOCUMENTATION ON HOW TO SET AUDIENCERESTRICTION IN SAML 2.0 ASSERTION (IV00324)
    • MISSING REQUIREMENT TO NOT MODIFY BUILT-IN SSO CHAINS (IV07723)
    • RELAYSTATE PARAMETER IN UNSOLICITED SAML2 AUTH RESPONSE (IZ86275)
    • NPE TRYING TO LOAD CONFIG INSTANCE IN TDI MAPPING RULE. (IZ91348)
    • Configurations to use Oracle database for the Tivoli Federated Identity Manager Alias service (IZ91351)
    • SAML1.1 ARTIFACT RESOLUTION FAILURE NEEDS ERROR INFO IN MSG. (IZ91349)
    • Missing InResponseTo attribute in samlp:Response error responses. (IZ91350)
    • DEFAULT NAMEID FORMAT NOT WORKING WHEN NO CLAIMS PASSED. (102832)
    • NULL POINTER EXCEPTION EDITING MAPPING RULE. (101623)
    • FEDERATION PARTNER UPDATE MODIFIES NON-ZERO ACS URL INDEX. (IZ91352)
    • XML PARSING OF INCOMING SAML MESSAGE FAILS WHEN MACHINE LOCALE IS NOT UTF8-COMPATIBLE AND UTF-8 EXTENDED CHARACTERS APPEAR IN MSG. (IZ91414)
    • STATE INFORMATION IN SOME FEDERATION PROTOCOLS INVALID. (IZ91343)
    • PROVIDER NAME NEEDS TO BE PART OF THE AUTHENTICATION REQUEST. (IZ91344)
    • NULL EXCEPTION OCCURS DURING CLAIMS PROCESSING. (IZ91347)
    • The Management Console fixpack installation appears to complete successfully but the console does not operate correctly. (IZ91258)
    • SAML 2.0 BEARER SUBJECT CONFIRMATION DATA PROCESSING NOT CONFORMANT. (IZ91415)
    • SAML STS MODULES CALCULATES WRONG VALIDITY PERIOD OF ASSERTION. (IZ91356)
    • Tivoli Federated Identity Manager SAML 2.0 metadata is not properly formatted when TFIM is running on the latest versions of the WebSphere Application Server. (IZ91416)
    • SAML 2.0 STS MODULE NOT READING THE DEFAULT NAMEID FORMAT PARAM. (IZ91419)
    • Some of TFIM Console portlet pages cannot be displayed when it is installed in WAS 7 FP 11. (IZ84999)
    • For a WS-Trust v1.3 request, FIM Security Token Service returns a response with multiple status codes, some of which contain WS-Trust v1.2 URI values. (IZ91418)
    • CLI throws a StringIndexOutOfBoundsException when adding a SAML 2.0 service provider partner to a SAML 2.0 federation. (102338)
    • Fixpack installer fails to automatically deploy the runtime on WebSphere Application Server Network Deployment cluster. (103544)
    • TFIM Configuration Guide does not describe the steps to enable certificate revocation list checking for certificates that are used for XML message signing, verification, encryption, and decryption. (IV07711)
  6. SOFTWARE LIMITATIONS
  7. KNOWN PROBLEMS AND WORKAROUNDS
  8. NOTICES
    • Trademarks

===========================================================================

About the fix pack

This cumulative fix pack corrects problems in IBM Tivoli Federated Identity Manager Business Gateway (Federated Identity Manager Business Gateway), Version 6.2.1. It requires that Federated Identity Manager Business Gateway, Version 6.2.1, be installed. After installing this fix pack, your Federated Identity Manager Business Gateway installation will be at level 6.2.1.6.


IMPORTANT NOTICE

Potential cross-site scripting vulnerabiltity via macros in event page template files

Some IBM Tivoli Federated Identity Manager page macros might be vulnerable to cross site scripting attacks when their values are not properly encoded. Contact IBM Support for the list of macros that might be subjected to this issue. To remediate this, add the macros provided by IBM Support to the list of comma-separated tokens in the runtime custom property SPS.PageFactory.HtmlEscapedTokens. Add these macro so that their values are HTML-escaped in the template files. For example, if the list of macros provided is:

  • @EXAMPLE_MACRO1@
  • @EXAMPLE_MACRO2@
  • @EXAMPLE_MACRO3@

the value of the runtime custom property SPS.PageFactory.HtmlEscapedTokens with the above macros added can be:

@REQ_ADDR@,@DETAIL@,@EXCEPTION_STACK@,@EXCEPTION_MSG@,@RESPONSE@,@TARGET@,@DETAIL@,@SAMLSTATUS@,@EXAMPLE_MACRO1@,@EXAMPLE_MACRO2@,@EXAMPLE_MACRO3@

NOTE: Other macros that are prone to cross site scripting vulnerability can also be added to SPS.PageFactory.HtmlEscapedTokens. The value of this runtime custom property will be revised periodically and update as needed. For more information regarding the runtime custom property, access http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.tivoli.fim.doc_6.2.1/reference/CustomPropsSPS.html.


Possible security exposure with IBM WebSphere Application Server with WS-Security enabled applications using LTPA tokens (CVE-2011-1377)

The security that the IBM WebSphere Application Server provides might be weaker than expected when using web services security (WS-Security). A user might randomly gain elevated privileges on the provider system. WS-Security might assign the identity of a previously processed LTPA token to a new inbound LTPA token after authentication. This impacts applications using either JAX-WS and JAX-RPC.

Versions affected:

  • IBM WebSphere Application Server, all platforms, Versions 8.0 through 8.0.0.2, 7.0 through 7.0.0.21, and 6.1 through 6.1.0.41, 6.0.2 through 6.0.2.43.
  • IBM WebSphere Application Server Feature Pack for Web Services Versions 6.1.0.9 through 6.1.0.39.

The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the fix, access http://www.ibm.com/support/docview.wss?uid=swg21587536

Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.

Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed fix installation instructions.


Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476)

This security alert addresses a serious security issue: CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability might cause the Java Runtime Environment to hang, go into an infinite loop, and/or crash resulting in a denial of service exposure. The JRE might hang if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program using the Double.parseDouble method is also at risk of this exposure including any customer written application or third party written application.

The following products contain affected versions of the Java Runtime Environment:

  • IBM WebSphere Application Server Versions 7.0 through 7.0.0.13 for Distributed, i5/OS and z/OS operating systems.
  • IBM WebSphere Application Server Versions 6.1 through 6.1.0.35 for Distributed, i5/OS and z/OS operating systems.
  • IBM WebSphere Application Server Versions 6.0 through 6.0.2.43 for Distributed, i5/OS and z/OS operating systems.

The same iFix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the iFix access http://www.ibm.com/support/docview.wss?uid=swg21462019

Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.

Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.


JAVA.LANG.RUNTIMEEXCEPTION: SRV.8.2: REQUESTWRAPPER OBJECTS MUST EXTEND SERVLETREQUESTWRAPPER OR HTTPSERVLETREQUESTWRAPPER (PM10357)

This APAR PM10357 is reported for WebSphere Application Server (WAS) v6.1. As a result of this APAR, operations in the IBM Tivoli Federated Identity Manager Management Console can fail with the following exception observed in the log if the Management Console is deployed on an affected version of WAS v6.1:

java.lang.RuntimeException: SRV.8.2: RequestWrapper objects must extend ServletRequestWrapper or HttpServletRequestWrapper

Examples of operations that can fail include:
  • Importing a keystore file
  • Loading a mapping rule

Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.

The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager.

The IBM WebSphere Update Installer (WUI) must be used to apply the fix. If the WUI has not previously installed, download the WUI from http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer access here.


IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway can be affected by vulnerabilities in the Websphere IBM Java Runtime Environment (CVE-2013-2407)

A unspecified vulnerability in the Websphere IBM Java Runtime Environment (JRE) component allows remote attackers to affect the confidentiality and availability of Tivoli Federated Identity Manager (TFIM) and IBM Tivoli Federated Identity Manager Business Gateway (TFIMBG) via unknown vectors related to Libraries.

The following products contain affected versions of the Java Runtime Environment:

  • IBM WebSphere Application Server Versions 7.0 through 7.0.0.29 for Distributed, i5/OS and z/OS operating systems.
  • IBM WebSphere Application Server Versions 6.1 through 6.1.0.45 for Distributed, i5/OS and z/OS operating systems.

The same iFix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the iFix access http://www-01.ibm.com/support/docview.wss?uid=swg21644157

Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.

Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.


Fix pack contents and distribution

This fix pack package contains:

  • The fix pack zip file
  • This README.

This fix pack is distributed as an electronic download from the IBM Support Web Site.


Architecture

Software requirements for IBM Tivoli Federated Identity Manager Business Gateway version 6.2.1 can be found here.


Fix packs superseded by this fix pack

6.2.1-TIV-TFIMBG-FP0004

6.2.1-TIV-TFIMBG-FP0002

6.2.1-TIV-TFIMBG-FP0001


Fix pack structure

Federated Identity Manager Business Gateway consists of the following components that can be installed separately:

  • Administration console
  • Management service and runtime component
  • Internet information services (IIS) Web plug-in
  • Apache/IBM HTTP Server Web plug-in
  • IBM Support Assistant plugin

This fix pack applies only to the administration console and management service and runtime components (first two components listed above). These two components must be at the same level. Therefore, if you install a fix pack for either the administration console component or the management service and runtime component, you must install the corresponding fix pack for the other of these two components.

If the administration console and management service and runtime components are not at the same fix pack level, they are not guaranteed to interoperate with each other as designed.


APARs and defects fixed

Problems fixed by fix pack 6.2.1-TIV-TFIMBG-FP0006

The following problems are corrected by this fix pack. For more information about the APARs listed here, see the IBM Tivoli Federated Identity Manager Business Gateway support site for details.

APAR IV50639
SYMPTOM: Specifying URLs that the common domain cookie reading and writing service in the SAML 2.0 Identity Provider Discovery Profile can redirect to. See IV50639 for more information.

APAR IV47147
SYMPTOM: Publish plugins fails in a cluster with the following exception observed in the trace log: com.tivoli.am.fim.osgi.EclipseControllerException: Caught exception while trying to get this WebSphere Application Server's internal class acess mode.

APAR IV43779
SYMPTOM: When an alias with no certificate is present in the keystore, listing of keys fails.

APAR IV43116
SYMPTOM: Wrong X509SKI value in digital signature.

APAR IV16479
SYMPTOM: Blank page is shown when the session cannot be found.

APAR IV25246
SYMPTOM: Corrupted URLs are found in the feds.xml and sps.xml when a non-sps URL is provided for Single Sign-On Service, Single Logout Service, Soap Endpoint, Artifact Resolution Service, Assertion Consumer Service or Name ID Management Service URLs in the SAML 2.0 IP/SP Federation properties page via Management Console. Fix for this defect will include validation of the above URLs. The URL provided will be checked to ensure that it is a properly formatted URL and that it is a sps URL. If not, the same error message "The value entered for X contains an improperly formatted URL" will be shown when saving federation properties.

APAR IV25589
SYMPTOM: The default value of the attribute that the alias service uses to denote the user identifier is "uid". The LDAP Migration Tool supports only the default value and does not work for any value other than the default value. See IV25589 for more information.

APAR IV29471
SYMPTOM: SubjectConfirmationData is missing when generating a SAML 2.0 assertion with Bearer subject confirmation method and no claims is supplied in the RST.

APAR IV31308
SYMPTOM: Null pointer exception thrown when no matching protocol endpoint is found.

APAR IV51973
SYMPTOM: When using the manageItfimStsChainMapping CLI command to create a response file, the values of AppliesTo service name and namespace are provided in the wrong attributes appliesToPortTypeName and appliesToPortTypeNamespace.

APAR IV26033
SYMPTOM: The RelayState query string parameter provided to the IP-initiated SSO initial URL is used to populate the RelayState macro in the authentication response when the target query string parameter is empty or not provided. It should be ignored.

Problems fixed by fix pack 6.2.1-TIV-TFIM-FP0004

APAR IV08525
SYMPTOM: SLO fails when 2 Service Providers are authenticated using the same session index and both Service Provider federations are in the same Tivoli Federated Identity Manager domain.

APAR IV16022
SYMPTOM: Unable to customise the error page for FBTSPS061E error. When this event occurs, there is no event mapping associated with it.

APAR IV19139
SYMPTOM: Federate this account link is generated as null?RelayState= in the federations.jsp (ivtapp) of the SAML 2.0 Identity Provider.

APAR IV20677
SYMPTOM: The STSUUSER principal does not match the incoming subject name id of the assertion when there is an existing WebSEAL session.

APAR IV15299
SYMPTOM: Requests to Tivoli Federated Identity Manager's WSTrust 1.3 endpoint URL using the ?WSDL parameter to get the WSDL document results in subsequent SOAP services to fail.

APAR IV13427
SYMPTOM: Certain point of contacts that use external authentication interface do not recognize the identity of the user that is set by Tivoli Federated Identity Manager in the response HTTP header (typically, "am-fim-eai-user-id"), since these point of contacts are not aware that Tivoli Federated Identity Manager URL encodes this identity. Tivoli Federated Identity Manager should not URL encode this identity.

APAR IV14481
SYMPTOM: The BASE64 encoded token generated by the IVCred STS module is split into multiple lines. This is not desirable in some cases. See IV14481 for more information.

APAR IV17522
SYMPTOM: No error message is reported when importing SAML 2.0 IDP or SP whose metadata contains Organization element with no OrganizationURL element.

APAR IV15425
SYMPTOM: The Tivoli Federated Identity Manager STS does not support the RequestType and KeyType elements on the RequestSecurityTokenResponse message. The RequestType value should be set to the value received on the request and the KeyType should be set on one of the values supported by WS-Trust based on an attribute in the STS universal structure. See IV15425 for more information.

APAR IV12418
SYMPTOM: The STS obtains the base security token for execution from either the base element on the RequestSecurityToken message or from the WS-Security tokens included on the soap headers. Tivoli Federated Identity Manager will take the first WS-Security token found on the soap header. After this modification the SAML STS modules will look for the appropriate token type included on the WS-Security headers when the change is enabled. See IV12418 for more information.

APAR IV26604
SYMPTOM: The Tivoli Federated Identity Manager Single Sign On protocol service (SPS) SAML 2.0 protocol implementation allows a customer to use the urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified name identifier for single sign on. By default, Tivoli Federated Identity Manager will treat a urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified name identifier as urn:oasis:names:tc:SAML:2.0:nameidformat:persistent name identifier unless the default name identifier is set to another type like emailAddress. The Single Logout operation incorrectly queries the alias service if the urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified name identifier is used and the default name identifier is set to emailAddress.

APAR IV26770
SYMPTOM: In the federation properties page in the Tivoli Federated Identity Manager Management Console, updating the default artifact resolution service unexpectedly updates the SOAP Endpoint URL value.

APAR IV26961
SYMPTOM: FIM is incorrectly processing SAML aliases with certain directory servers.

APAR IV26775
SYMPTOM: If an invalid clusterId is used when creating a domain using the Tivoli Federated Identity Manager CLI, the command succeeds but no runtime can be deployed.

APAR IV26777
SYMPTOM: In the scenario where an identity provider federation is created with Attribute Query enabled, if Attribute Query is disabled afterwards, adding a service provider partner still creates an Attribute Query chain.

APAR IV26804
SYMPTOM: The partner entity is not cleaned from feds.xml after removing a custom STS chain through console.

APAR IV26815
SYMPTOM: Multiple SAML 2.0 Attribute Query fixes.

APAR IV26817
SYMPTOM: Single Sign-On fails when feds.xml (partner section) contains empty value for the delegationmodule_active_delegate_id.

APAR IV26818
SYMPTOM: The activate operation in manageItfimPointOfContact CLI for WebSphere as Point of Contact does not behave correctly.

APAR IV26761
SYMPTOM: Unable to modify the encryption key transport algorithm for SAML 2.0 protocol.

APAR IV26960
SYMPTOM: The SAML 1.1 STS Token Module fails to populate the STSUU's Principal correctly when the inbound SAML Assertion contains an AuthenticationStatement with a type attribute that is set to something other than "saml:AuthenticationStatement".

APAR IV26819
SYMPTOM: The macro "@TOKEN:SPDisplayName@" in pages/C/saml20/consent_to_federate.html is incorrectly replaced with the macro "@TOKEN:SPProviderID@".

APAR IV17313
SYMPTOM: If Tivoli Federated Identity Manager is configured to generate IV Credential tokens without using pdacld and WebSEAL is configured to support failover, failover cookies do not work.

APAR IV26763
SYMPTOM: RelayState URL encoding and decoding in SAML 2.0 unsolicited SSO can only be configured at the global level. Support for federation and partner level configuration is required. See IV26763 for more information.

APAR IV26820
SYMPTOM: Installation of the Tivoli Federated Identity Manager fails with the following error message: javax.management.JMRuntimeException: ADMN0022E: Access is denied for the getPlatformVersion operation on Server MBean because of insufficient or empty credentials.

APAR IV26821
SYMPTOM: When connecting to an existing domain, the Point of Contact profile is reset to WebSEAL.

APAR IV24202
SYMPTOM: Tivoli Federated Identity Manager does not provide 2048 bit option as key size when generating certificate request or self-signed certificate through Management Console.

APAR IV26765
SYMPTOM:
  1. When defining a text field in GUIXML, and setting its default value to a string containing a quotation mark, Tivoli Federated Identity Manager throws an exception when loading the GUIXML page saying that the XML is invalid.
  2. In an STS module which has an 'init' page widget which has a multi-valued TextField, only the first value of the multiple values is displayed when viewing the module instance properties.

APAR IV26822
SYMPTOM: Update log traces in FSSO and STS.

APAR IV26825
SYMPTOM: Update deployment descriptor for the Tivoli Federated Identity Manager Management Console servlets.

APAR IV10813
SYMPTOM: Improve SAML Signature Conformance

APAR IV23430
SYMPTOM: Improve SAML signature conformance

APAR IV23442
SYMPTOM: Improve signature conformance

APAR OA38176
SYMPTOM: NullPointerException is thrown when sending SAML 2.0 messages (e.g. Logout Request) with invalid IssueInstant attribute.

APAR IV24378
SYMPTOM: Improve XML Signature Conformance

Problems fixed by fix pack 6.2.1-TIV-TFIM-FP0002

APAR IV10793
SYMPTOM: Improve SAML Signature Conformance

APAR IV09511
SYMPTOM: IBM Tivoli Federated Identity Manager SAML 2.0 SSO plugin will generate an "invalid_message_timestamp" error when it receives an AuthnRequest message with a IssueInstant where the second fractions are higher than 999. The following is an example of a timestamp that generates the issue: "2011-07-01T13:30:50.830773Z".

APAR IV09216
SYMPTOM: Enabling and disabling RelayState URL encoding and decoding in SAML 2.0 unsolicited authentication response.

APAR IV07933
SYMPTOM: RelayState in the authentication request sent by the SAML 2.0 Service Provider into the Identity Provider is not available as query string parameter in the redirect URL to the custom login page. See IV07933 for more information.

APAR IV07716
SYMPTOM: Security update for TFIM Runtime.

APAR IV06369
SYMPTOM: Configuration information related to keystore is removed from kessjks.xml when SAML 1.1 or SAML 2.0 partner is added through CLI, no metadata file is specified in the response file or metadata file specified does not contain signing and encryption key, and keystore password provided is wrong.

APAR IV07706
SYMPTOM: The STSUniversalUser java class does not preserve attributes with empty values.

APAR IV01254
SYMPTOM: In cases where a SAML validation error occurs and there is no message detail, the error page handler throws a NullPointerException.

APAR IZ96105
SYMPTOM: The TFIM SPS fails to return the appropriate page template when a HTTP GET request does not specify the content encoding. Most browsers do not send the Content-Type: header with the charset value defined for GET requests.

APAR IZ94653
SYMPTOM: Ability for IVCRED STS Module to return error (default) or map to special user account for unauthenticated user token. See IZ94653 for more information.

APAR IZ98683
SYMPTOM: ADD ADDITONAL TRACES FOR FBTSPS061E ERROR. See IZ98683 for more information.

APAR IZ98685
SYMPTOM: When no Format attribute for the NameIDPolicy element is found in the SAML 2.0 AuthnRequest message, the Identity Provider will treat the Format as "urn:oasis:names:tc:SAML:2.0:nameidformat:persistent". The Identity Provider should instead refer to the "DefaultNameIDFormat" parameter configured for the Federation/Partner, which is what it does when the Format for the NameIdPolicy element in AuthnRequest message is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".

APAR IZ92853
SYMPTOM: The Audit Event Handler of an Audit Client Profile cannot be changed into CARSAuditClientEventHandler using IBM Tivoli Federated Identity Manager Management Console. This causes the CARSAuditClientEventHandler setting to be not displayed in the Event Handler Setting tab in the Audit Client Profile Properties page. This also causes the Audit Client Profile Properties page to be reloaded when clicking the OK button in that page, but without saving the Audit Client Profile.

APAR IZ97199
SYMPTOM: ClassCastException is thrown when exporting a key from a keystore using IBM Tivoli Federated Identity Manager Command Line. This problem happens when the parameter "exportPrivateKey" is not specified, or is specified with value "false". CommandException is thrown when exporting a key from a keystore using IBM Tivoli Federated Identity Manager Command Line. This problem happens when the parameter "exportPrivateKey" is specified with no value, or is speficied with value "true". ClassCastException is thrown when importing a keystore using IBM Tivoli Federated Identity Manager Command Line. This problem happens when the parameter "trustedKeystore" is not specified, or is specified with value "false".

APAR IZ97766
SYMPTOM: ChainableRuntimeException is thrown when exporting a key from a keystore using the IBM Tivoli Federated Identity Manager Management Console. This problem happens if the IBM Tivoli Federated Identity Manager is deployed in certain WebSphere Application Server versions (for example, WebSphere Application Server 7 Fix Pack 11).

APAR IV00810
SYMPTOM: String "???????? Web ??????!" is returned when accessing the URL http://hostname:9080/Info/InfoService using web browser. This problem might happen when the language of the browser is different from the language of the operating system where IBM Tivoli Federated Identity Manager Runtime is installed.

APAR IV01646
SYMPTOM: Error message FBTCON366E is displayed when importing JavaScript mapping rule using IBM Tivoli Federated Identity Manager Management Console. This problem happens when the mapping rule contains statements that throw exception. See IV01646 for more information.

APAR IV03152
SYMPTOM: Security update for IBM Tivoli Federated Identity Manager Runtime.

APAR IV07710
SYMPTOM: The IBM Tivoli Federated Identity Manager LTPA STS module support code is not thread safe. The code uses an static instance of a JDK class that is not thread safe causing undetermined results while verifying or generating the ltpa token signature on environments with high volume of transaction.

APAR IV07684
SYMPTOM: The CBEXMLAuditEvent audit profile event handler is not setting the sequence number and global instance id on the audit records.

APAR IV07712
SYMPTOM: The IBM Tivoli Federated Identity Manager generates a NullPointerException when the SAMLResponse received from the Identity Provider does not include a Issuer value though the Issuer value is included in the assertion.

APAR IV07708
SYMPTOM: SAML 2.0 SPS Module is setting the Destination attribute on LogoutReponse message when the request is received through SOAP binding at the Identity Provider and there is more than one service provider session that was authenticated based on the Identity Provider session. The Destination field might have the url for the incorrect partner that is not the one that send the LogoutRequest.

APAR IV07694
SYMPTOM: SAML 2.0 STS Module fails to validate the subject confirmation method correctly when the assertion is received as part of the SAML 2.0 Single Sign On operation. The specification requires that an assertion that is generated as part of a Single Sign On flow should at least include one of the subject confirmation methods of value urn:oasis:names:tc:SAML:2.0:cm:bearer.

APAR IV07713
SYMPTOM: The SAML 2.0 SPS module, during a Single Logout operation on Service Provider side, invokes the alias service even if the email name id format was used to single sign on the user. While the Single Logout Operation is successful, an error is included on the logs though the alias operation is not required.

APAR IV07689
SYMPTOM: LDAP ALIASES NOT DELETED FOR SAML 20 DEFEDERATE OPERATION

APAR IZ95850
SYMPTOM: TFIM Management Service and Runtime fail to start on WAS 6.0.2. The following is observed in the logs: javax.management.MBeanException: null nested exception is javax.management.ServiceNotFoundException: Cannot find ModelMBeanOperationInfo for operation getInternalClassAccessMode

APAR IV07705
SYMPTOM: The STSMapDefault module in the sts.modules package allows the following global variables to be available to Javascript mapping rules: - stsuu (The STSUniversalUser), - stsrequest (the entire STSRequest object), and - stsresponse (the entire STSResponse object). The validation of the javascript fails if the javascript mapping rule references stsrequest and/or stsresponse.

APAR IV07701
SYMPTOM: When the Format attribute for the NameID element in the SAML 2.0 Assertion is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", the Service Provider treats the Format as "urn:oasis:names:tc:SAML:2.0:nameidformat:persistent". The Service Provider must instead refer to the "DefaultNameIDFormat" parameter configured for the Federation/Partner.

APAR IV03083
SYMPTOM: Provider ID and assertion consumer service URL of an existing partner of a SAML2 federation are not updated after changing the partner using a response file through the command modifyItfimPartner with the operation 'modify'.

APAR IV07681
SYMPTOM: When adding a SAML2.0 Identity Provider federation as a partner to a Service Provider federation through CLI, although signing key identifier is specified, a "FBTADM072E A key with alias 'null' was not found in the keystore ''" appears and prevents the user from adding the partner.

APAR IV06765
SYMPTOM: Property doIntrospection of STS chain mapping is set to false after updating the STS chain mapping by using the CLI.

APAR IV07683
SYMPTOM: The value of the attribute "IsDefault" of all assertion consumer services of the SAML 2.0 Service Provider partner is changed to "true" after clicking the OK or Apply button in the Partner Properties page in the IBM Tivoli Federated Identity Manager Management Console.

APAR IV03048
SYMPTOM: Security update for the IBM Tivoli Federated Identity Manager Management Console.

APAR IV03050
SYMPTOM: Security update for the IBM Tivoli Federated Identity Manager Management Console.

APAR IV03038
SYMPTOM: Security update for the IBM Tivoli Federated Identity Manager Runtime.

APAR IV05549
SYMPTOM: An HTML page, instead of a SOAP Fault, is returned as a response when sending Request Security Token SOAP request to SAML 1.1 Artifact Service endpoint. This problem happens when the request has invalid "Issuer" or "AppliesTo".

APAR IV07725
SYMPTOM: Duplicate STS chain mappings are created when adding a SAML 2.0 Service Provider as a partner. This problem happens if the metadata of the Service Provider contains at least three distinct assertion consumer services with at least three distinct URLs.

APAR IV07714
SYMPTOM: Mapping from single logout URL to protocol is deleted from the configuration file after clicking the OK or Apply button in the Federation Properties page in Tivoli Federated Identity Manager Management Console. This problem happens if the single logout bindings that are enabled are only HTTP-Redirect and SOAP. The missing mapping causes single logout operation to fail.

APAR IV07700
SYMPTOM: ClassCastException is thrown when adding or modifying LDAP host using the IBM Tivoli Federated Identity Manager Command Line. This problem happens if the parameter "hostPort" is 389, or the parameter "minConnections" is 2, or the parameter "maxConnections" is 10, or the parameter "hostOrder" is -1.

Problems fixed by fix pack 6.2.1-TIV-TFIMBG-FP0001

APAR IZ91383
SYMPTOM: SECURENONCEGENERATOR NOT READING THE RIGHT AMOUNT OF TIME BYTES

APAR IZ91348
SYMPTOM: NPE TRYING TO LOAD CONFIG INSTANCE IN TDI MAPPING RULE. See IZ91348 for more information.

APAR IZ91413
SYMPTOM: CONSOLE WILL NOT SHOW LIST OF KEYS ON WEBSPHERE 7.0.0.11.

APAR IZ91349
SYMPTOM: SAML1.1 ARTIFACT RESOLUTION FAILURE NEEDS ERROR INFO IN MSG. See IZ91349 for more information.

Internal defect 100956
SYMPTOM: NPE MODIFYING XSLT MAP MODULE IN CUSTOM TRUST CHAIN

APAR IZ91350
SYMPTOM: Missing InResponseTo attribute in samlp:Response error responses. See IZ91350 for more information.

Internal defect 102832
SYMPTOM: DEFAULT NAMEID FORMAT NOT WORKING WHEN NO CLAIMS PASSED. See 102832 for more information.

Internal defect 101623
SYMPTOM: NPE in console editing mapping rule. See 101623 for more information.

APAR IZ91352
SYMPTOM: FEDERATION PARTNER UPDATE MODIFIES NON-ZERO ACS URL INDEX. See IZ91352 for more information.

APAR IZ91414
SYMPTOM: XML PARSING OF INCOMING SAML MESSAGE FAILS WHEN MACHINE LOCALE IS NOT UTF8-COMPATIBLE AND UTF-8 EXTENDED CHARACTERS APPEAR IN MSG. See IZ91414 for more information.

APAR IZ91343
SYMPTOM: STATE INFORMATION IN SOME FEDERATION PROTOCOLS ARE INVALID. See IZ91343 for more information.

APAR IZ91344
SYMPTOM: PROVIDER NAME NEEDS TO BE PART OF THE AUTHENTICATION REQUEST. See IZ91344 for more information.

APAR IZ91347
SYMPTOM: NULL EXCEPTION OCCURS DURING CLAIMS PROCESSING. See IZ91347 for more information.

APAR IZ91258
SYMPTOM: The Management Console fixpack installation appears to complete successfully but the console does not operate correctly. See IZ91258 for more information.

APAR IZ91415
SYMPTOM: SAML 2.0 BEARER SUBJECT CONFIRMATION DATA PROCESSING ARE NOT CONFORMANT. See IZ91415 for more information.

APAR IZ91355
SYMPTOM: TDI STS MAP MODULE FAILS TO CACHE THE CONFIGURATION INFORMATION CORRECTLY

Internal defect 102057
SYMPTOM: STS LTPA TOKEN MODULE READS THE EXPIRATION DATE INCORRECTLY

APAR IZ91356
SYMPTOM: SAML STS MODULES CALCULATES WRONG VALIDITY PERIOD OF ASSERTION. See IZ91356 for more information.

APAR IZ91357
SYMPTOM: UNABLE TO MODIFY SIGNATURE POLICY SETTINGS FOR SAML 2.0 PARTNER

APAR IZ91358
SYMPTOM: SAML20 SSO FAILS TO DETECT FATAL ERRORS WHILE READING ALIAS

APAR IZ91359
SYMPTOM: NON XML RESPONSE FOR BAD SAML 2.0 AUTHNREQUEST

APAR IZ81005
SYMPTOM: FIM CONSOLE FAILS TO DISPLAY SAML2 PROPS PAGE IF NO ARTIFACT IS FOUND

Internal defect 102887
SYMPTOM: Attribute Query request messages are not reporting timestamp validation errors.

APAR IZ91416
SYMPTOM: Tivoli Federated Identity Manager SAML 2.0 metadata is not properly formatted when TFIM is running on the latest versions of the WebSphere Application Server. See IZ91416 for more information.

APAR IZ91419
SYMPTOM: SAML 2.0 STS MODULE NOT READING THE DEFAULT NAMEID FORMAT PARAMETER. See IZ91419 for more information.

APAR IZ91417
SYMPTOM: TFIM FAILS TO LOAD SAML METADATA WITH ENTITIES DESCRIPTOR

APAR IZ84999
SYMPTOM: Some of Tivoli Federated Identity Manager Console portlet pages cannot be displayed when it is installed in WAS 7 FP 11. See IZ84999 for more information.

APAR IZ91360
SYMPTOM: FIM CONSOLE INSTALL SHOULD SET JACL LANGUAGE WHEN CALLING WSADMIN

APAR IZ91418
SYMPTOM: For a WS-Trust v1.3 request, FIM Security Token Service returns a response with multiple status codes, some of which contain WS-Trust v1.2 URI values. See IZ91418 for more information.

Internal defect 100723
SYMPTOM: New domain created in 6.2.1 does not have all custom properties. The ADMIN.validateFederationName and STS.showUSCChains properties are missing.

Internal defect 102338
SYMPTOM: CLI throws a StringIndexOutOfBoundsException when adding a SAML 2.0 service provider partner to a SAML 2.0 federation. See 102338 for more information.

Internal defect 102339
SYMPTOM: ClassCastException is thrown when configuring LDAP alias service using Tivoli Federated Identity Manager Command Line. This problem happens if at least one LDAP server exists in the system.

APAR IZ91351
SYMPTOM: Attempts to use Oracle for Tivoli Federated Identity Manager alias service displayed errors. See IZ91351 for more information.

APAR IV07711
SYMPTOM: Tivoli Federated Identity Manager Configuration Guide does not describe the steps to enable certificate revocation list checking for certificates that are used for XML message signing, verification, encryption, and decryption. See IV07711 for more information.

Before installing the fix pack

Be aware of the following considerations before installing this fix pack:

Installation path specification for the Windows Server 2008 platform
This preinstallation item applies only to installations on a 64-bit Windows platform like Windows Server 2008.

Because Federated Identity Manager Business Gateway is a 32-bit application its default path when installing on Windows Server 2008 changes from

C:\Program Files\IBM\FIM

to:

C:\Program Files (x86)\IBM\FIM

NOTE: This change to the installation path name also affects a 32-bit WebSphere Application Server on Windows Server 2008:

C:\Program Files\IBM\WebSphere

changes to:

C:\Program Files (x86)\IBM\WebSphere

Prerequisites
You must have the following software installed to install this fix pack:

  • Federated Identity Management Business Gateway 6.2.1 and its prerequisites
  • WebSphere Update Installer version 7.0.0.0 (see Update Installer below.)

Update Installer
This fix pack requires the use of the WebSphere Update Installer version 7.0.0.0. Ensure that you have installed the correct version of the WebSphere Update Installer on each computer where you will install the fix pack.

You can download the WebSphere Update Installer version 7.0.0.0 from the WebSphere Application Server Update Installer Web site. Installation instructions are on the download page.

Fix pack packaging
The IBM Tivoli Federated Identity Manager Business Gateway 6.2.1-TIV-TFIMBG-FP0006 patch package is provided on the Tivoli Support Web site as a single downloadable zip file for each supported platform.

Select the package that is appropriate for the target platform, then download the package and unzip the contents into a target directory, typically the default WebSphere Update Installer directory, either

C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance

for Windows or

/opt/IBM/WebSphere/UpdateInstaller/maintenance

for Unix/Linux

Unzip the downloaded file before you attempt to apply the patch. The unzipped contents are one or more pak files. Each pak file corresponds to one or more product components. For example, a fix pack might contain two pak files: one for the administration console and management service and runtime components, and one for the WSSM component.

The full list of product components is described in Fix pack structure.

Use WebSphere Update Installer to apply the fixes of each pak file to the target component on the system that you are updating. Apply all of the pak files that are required by your installation to ensure that the software levels in your environment are identical for all of the components for which a pak file is supplied.

The fixes are tested against all affected components; therefore, to minimize any possible issue that can arise from applying a partial fix, ensure the you apply the complete set of files. See Installing the fix pack for specific instructions on using Update installer to apply the fixes.

Automatic creation of a backup directory
The Update Installer saves backup copies of the files that it replaces during the installation. You do not need to manually backup the Federated Identity Manager Business Gateway files.


Installing the fix pack

NOTE: Before installing this fix pack, ensure that you have reviewed the prerequisites in Before installing the fix pack.


Downloading the fix pack

To obtain the fix pack:

  1. Go to the IBM Tivoli Federated Identity Manager Business Gateway Support Web site.
  2. Click Download. The fix pack (6.2.1-TIV-TFIMBG-FP0006) must be listed under Latest by date. If you do not see this fix pack listed, enter "6.2.1-TIV-TFIMBG-FP0006" in the Search field to access the link to the download window.
  3. In the fix pack download window, scroll to the bottom of the window to view a listing of the download packages by platform.
  4. Select the platform that corresponds to the target platform where you will apply the fixes. To ensure a secure download, you can select the DD (Download Director) option. If you have not used Download Director before, you must configure your browser to use Java security. Click What is DD? for configuration instructions.

NOTE: For z/OS platform, please contact IBM Support to obtain the fix pack.


Setting the WebSphere security passwords

If security is enabled on the WebSphere Application Server where Federated Identity Manager Business Gateway is installed, you must set the appropriate password values in the fim.appservers.properties file before you can apply the fix pack.

If security is not enabled, you can skip this step.

NOTE: If you add passwords to the fim.appservers.properties file, as described below, specify the passwords using plain text. However, at the end of the fix pack installation process these passwords are obfuscated and are no longer be available in plain text format.

To specify security passwords, use the following procedure:

  1. Using a text editor, open the file FIM_INSTALL_DIR/etc/fim.appservers.properties.
  2. If the was.security.enabled property is present in the fim.appservers.properties file and is set to true, then you must add two password properties to the file:
    • the was.admin.user.pwd property with a value of the administrator login password for the WebSphere Application Server where Federated Identity Management Business Gateway is deployed
    • the was.truststore.pwd property with a value of the password for the trust store used for client-side SSL authentication in that WebSphere Application Server
    For example,
    • was.admin.user.pwd=was_admin_pw
    • was.truststore.pwd=truststore_pw
  3. If the ewas.security.enabled property is present in the fim.appservers.properties file and is set to true, then you must add two password properties to the file:
    • the ewas.admin.user.pwd property with a value of the administrator login password for the Embedded WebSphere Application Server where Federated Identity Management Business Gateway is deployed
    • the ewas.truststore.pwd property with a value of the password for the trust store used for client-side SSL authentication in that Embedded WebSphere Application Server
    For example,
    • ewas.admin.user.pwd=ewas_admin_pw
    • ewas.truststore.pwd=truststore_pw
  4. Save and close the fim.appservers.properties file

Applying the fix pack

  1. Unzip the file you downloaded in Downloading the fix pack, preferably into the default WebSphere Update Installer's maintenence directory,
    C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance

    for Windows or

    /opt/IBM/WebSphere/UpdateInstaller/maintenance

    for Unix/Linux

  2. Ensure that the WebSphere Application Server that hosts the Federated Identity Management Business Gateway runtime and management service component is running.
  3. Ensure that the WebSphere Application Server that hosts the Federated Identity Management Business Gateway console component is running.
  4. Start the appropriate WebSphere Update Installer (typically located in C:\Program Files\IBM\WebSphere\UpdateInstaller on Windows systems, or in /opt/IBM/WebSphere/UpdateInstaller on UNIX-based systems).
  5. In the Welcome window, click Next. Federated Identity Management Business Gateway is not listed, but is supported.
  6. Specify the path to the installation directory for Federated Identity Management Business Gateway (typically C:\Program Files\IBM\FIM on Windows systems, or /opt/IBM/FIM on UNIX-based systems), then click Next.
  7. Select Install maintenance in the dialog.
  8. Specify the path where the fix pack (.pak) files were unzipped. The Update Installer automatically detects, enables, and displays the FIM fixes (pak files).
  9. Determine which product components are installed on the system that you are updating. Install only the pak files that correspond to the components on the target system. To determine the names and version levels of the product components installed on the target system, view the contents of the FIM_INSTALL_DIR/etc/version.propeties file with a text editor. The following list describes how to interpret the properties in the version.properties file:

    itfim.build.version.rte-mgmtsvcs=version
    Specifies that the management service and runtime component is installed at the level specified by version.
    itfim.build.version.mgmtcon=version
    Specifies that the administration console component is installed at the level specified by version.
    itfim.build.version.wsprov=version
    Specifies that the WS-provisioning runtime component is installed at the level specified by version.
    itfim.build.version.wssm=version
    Specifies that the Web services security management (WSSM) component is installed at the level specified by version.
    itfim.build.version.fimpi=version
    Specifies that the Web plug-in (either the Internet information services (IIS) Web plug-in or the Apache/IBM HTTP Server Web plug-in) is installed at the level specified by version.

    Apply the fix packs to the product's components in the following order:

    1. Management service and runtime and administration console
    2. Other components

  10. Compare the list of installed components to the list of pak files in the WebSphere Update Installer, and select the pak files that correspond to the installed components. Then, click Next.

    NOTE: The WebSphere Update Installer allows you to select more than one pak file at a time for execution. Select only the pak files that correspond to the components that are installed on the system you are updating. If you accidentally install more pak files than are needed, you can separately uninstall any fix packs for components that are not installed on the target system.

  11. If needed (for example, if you must install multiple pak files on the target system, and you only installed one pak file), repeat the previous step to install any additional pak files on the target system.

Deploying the fix pack runtime component

The fix pack install automatically deploys the newly installed Federated Identity Manager Business Gateway runtime. However, you must verify that the current deployed version is 6.2.1.6 by performing the following steps

  1. Log in to the console, and click Tivoli Federated Identity Manager -> Manage Configuration -> Domain Properties. The details of the components installed in the domain are listed.
  2. Review the Runtime Information. For example: 
        Runtime Information
    ----------------------------------------------
    Current deployed version       6.2.1.6 [131017a]

    NOTE: The number in the brackets [131017a] might be different from this example.

If the automatic deployment fails (see Internal defect 103544), the runtime can be deployed manually using the console by performing the following steps

  1. Log in to the console, and click Tivoli Federated Identity Manager -> Manage Configuration -> Runtime Node Management. The Runtime Node Management panel is displayed.
  2. To deploy the runtime node, click the Deploy Runtime button. If the button is inactive, the runtime node is already deployed.

Then, restart the ITFIMManagementService.


Restarting the ITFIMManagementService

  1. Log in to the Integrated Solutions Console.
  2. Select Applications -> WebSphere enterprise applications.
  3. Select ITFIMManagementService from the Enterprise Applications list.
  4. Click Stop.
  5. Select ITFIMManagementService in the Enterprise Applications list.
  6. Click Start.


Publish the fix pack plug-ins to the runtime and reload the configuration

After you install the fix pack and redeploy the Tivoli Federated Identity Manager runtime you must re-publish the plug-ins to the runtime and reload the configuration.

Use the following procedure to re-publish the plug-ins:

  1. Log in to the administration console.
  2. Select Domain Management -> Runtime Node Management.
  3. Click Publish Plugins.
  4. After the plug-ins are published, reload the runtime configuration.

Back to Contents




Documentation updates

The product documentation for the IBM Tivoli Federated Identity Manager, version 6.2.1, can be found in the information center for IBM Tivoli Federated Identity Manager Business Gateway.



SPECIFYING URLS THAT THE COMMON DOMAIN COOKIE READING AND WRITING SERVICE IN THE SAML 2.0 IDENTITY PROVIDER DISCOVERY PROFILE CAN REDIRECT TO (IV50639)

In the IBM Tivoli Federated Identity Manager Configuration Guide, under the section Customizing Runtime Properties > Custom Properties Reference > Custom Properties for SAML 2.0, a new custom property is added. This property is:

SAML20.CDC.RelayStateAllowedURLs_<FEDERATIONID>

A comma-separated list of regular expressions. SAML 2.0 Identity Provider Discovery Profile common domain cookie reading and writing service of <FEDERATIONID> can redirect to a URL that matches any of the regular expressions.

  • Default value: SPS URL of the common domain cookie reading or writing service endpoint e.g. https://examplehost/FIM/sps/.*
  • Value type: string
  • Example value: https://examplehost/JCT/protectedresource/.*,https://examplehost2/JCT2/protectedresource2/.*

IRRELEVANT PARAMETERS IN SAML PARTNER RESPONSE FILE DOCUMENTATION (IV41598)

The following parameters are documented in the Command reference > manageItfimPartner > SAML partner response file reference section of the Tivoli Federated Identity Manager Administration Guide v6.2.2 and earlier:

  • IncludeCertData
  • IncludeIssuerDetails
  • IncludePublicKey
  • IncludeSubjectKeyId
  • IncludeSubjectName
  • IncludeX509CertData or IncludeX509CertificateData
  • IncludeX509IssuerDetails
  • IncludeX509SubjectKeyIdentifier
  • IncludeX509SubjectName

These parameters are not relevant to the SAML partner response file and must be removed from this section.

The following parameters are relevant to the SAML federation response file and are documented in the Command reference > manageItfimFederation > SAML federation response file reference section:

  • IncludeCertData
  • IncludeIssuerDetails
  • IncludePublicKey
  • IncludeSubjectKeyId
  • IncludeSubjectName

Back to Contents



LDAP MIGRATION TOOL DOES NOT WORK FOR NON-DEFAULT USER IDENTIFIER ATTRIBUTE (IV25589)

In the IBM Tivoli Federated Manager 6.2.1 Installation Guide, under the topic Appendix A. Upgrading to version 6.2.1->Upgrading LDAP, it states:

Other parameters are available to pass to this tool:

  • -reverse performs a reverse migration.
  • -deleteAbandonedEntries deletes any entries that refer to a DN that no longer exists. This process occurs before the migration step.
  • -Z enables the SSL connection to the LDAP server.

For the -reverse parameter, it should state:

  • -reverse performs a reverse migration. This does not delete entries added during migration. It ensures that the entries are compatible with versions of Tivoli Federated Identity Manager Version before 6.2.1.

2 new parameters are now available to pass to this tool:

  • -userAttr specifies the attribute that the alias service uses to denote the user identifier.
  • -force performs migration for all entries including those that have previously been migrated.

Back to Contents



INCORRECT ONLINE DOCUMENT FOR THE INSTALLATION NEEDS TO BE CHANGED (IV26816)

There was an error in the command value used for installing the Tivoli Federated Identity Manager Business, version 6.2.1 IBM Support Assistant feature.

Replace the installation command note in the following sections of the Tivoli Federated Identity Manager Business Gateway, version 6.2.1 Installation Guide:

  • Installing the IBM Support Assistant

    • with the following:

    NOTE: The installation is designed so that the WebSphere® Application Server deployment can listen on localhost. If it does not listen on localhost, use the parameter websphereProperties.adminClientConnectorHost on the installation command to specify the host name. For example, on Linux:

    ./install_linux_x86.bin -W websphereProperties.adminClientConnectorHost=<hostname>

    Back to Contents



    JAVASCRIPT MAPPING RULE VALIDATION

    Problem

    When you use the Tivoli® Federated Identity Manager console or command line to import a JavaScript mapping rule, an empty Security Token Service Universal User (STSUU) is used as an input to validate the JavaScript.

    Symptom

    Validating the JavaScript using an empty STUU input can cause problems. Problems occur when the JavaScript rule throws exceptions on cases that do not occur in their real federation runtime flow, but occurs when the empty STSUU is passed to the rule during validation.

    Cause

    If the JavaScript mapping rule throws an exception during validation, the Tivoli Federated Identity Manager console rejects it as bad syntax and does not load it.

    Diagnosing the problem

    When you use the Tivoli Federated Identity Manager console or command line to import a JavaScript mapping rule, the software runs basic JavaScript validation. The JavaScript validation process prevents the upload of a mapping rule with an invalid syntax.

    Tivoli Federated Identity Manager validates the JavaScript mapping rule with the JavaScript engine, which executes the mapping rule. JavaScript mapping rules have three context variables which can be accessed by name. The names correspond to Java objects, which are elements of a WS-Trust request. The names are also available in the STSModule interface seen by pure Java mapping rule developers. The three context variables, which come from the invoke method of the STSModule interface, are:
    • stsuu – The Java STSUniversalUser object returned from STSResponse.getSTSUniversalUser().
    • stsrequest – The Java STSRequest object from the invoke method.
    • stsresponse – The STSResponse object from the invoke method.
    When you run the JavaScript mapping rule at run time, the context variables are populated with real data based on the following factors:
    • The request made to the Security Token Service (STS).
    • Any other STS modules that were executed in the chain before your mapping module.

    When the Tivoli Federated Identity Manager console or command line validates the mapping rule, no real request exists. The variables are then populated with empty objects.

    Your mapping rule might use conditional statements. The conditional statements make sense during real runtime operations, but do not work properly when empty objects are passed to it during validation.

    The following sample JavaScript mapping rule illustrates the problem:
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);

// Throw an STS exception if the STSUU does not contain an attribute I am expecting
var attrvalue = stsuu.getAttributeValueByName("myattr");
if (attrvalue == null) {
          IDMappingExtUtils.throwSTSException('missing attribute');

    Resolving the problem

    As a workaround, create an empty-object-aware JavaScript rule to prevent it from throwing exceptions when it detects the empty STSUU.

    Build a mechanism to detect the validation sequence into the rule itself and to not terminate with an exception if the rule is operating on empty objects.

    The detection code varies depending on the assumptions you can make about request objects in your runtime flow. For example, an STSUU typically contains one or more attributes in the Principal, AttributeList , or ContextAttributes sections of the STSUU.

    If it does not contain any attributes, it is an empty STSUU.

    To skip further rule execution using the workaround, author your JavaScript mapping rule using the following pattern:
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);

var isEmptySTSUU = (
  (stsuu.getPrincipalAttributeContainer().getNumberOfAttributes() == 0) &&
        (stsuu.getAttributeContainer().getNumberOfAttributes() == 0) &&
        (stsuu.getContextAttributesAttributeContainer().getNumberOfAttributes() == 0));
if (!isEmptySTSUU) {
    // rest of your normal runtime mapping rule logic goes here
    .......
}

    Back to Contents



    CUSTOM PROPERTIES FOR SAML 2.0 RELAY STATE (IV26763)

    SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding
    When specified as true, the RelayState in an unsolicited authentication response is URL encoded by the identity provider before it is sent to the service provider. This configuration applies to a response that is sent using HTTP POST binding and HTTP ARTIFACT binding with the HTTP POST artifact delivery method.
    The URL encoding can be controlled in three levels:
    Global level
    Controls the URL encoding for all federations and partners.

    Configuration example: SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding = true

    Federation level
    Controls the URL encoding for a specific federation and all its partners.

    Configuration example: SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding_<FEDERATIONID> = true

    Example for a federation with the ID https://idp/sps/fed/saml20:

    SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding_https://idp/sps/fed/saml20 = true

    Partner level
    Controls the URL encoding for a specific federation and a specific partner.

    Configuration example: SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding_<FEDERATIONID>_<PARTNERID>= true

    Example for a federation with the ID https://idp/sps/fed/saml20 and its partner with the ID https://sp/sps/fed/saml20

    SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding_https://idp/sps/fed/saml20_https://sp/sps/fed/saml20 = true

    Default value: True

    • Value type: Boolean
    • Example value: False

    <FEDERATIONID> represents the Provider ID of the federation and <PARTNERID> represents the Provider ID of the partner. You can obtain the Provider ID of the federation from the Federation Properties page in the console while the Provider ID of the partner can be obtained from the Partner Properties page in the console.

    You can use the three levels of control concurrently. Tivoli Federated Identity Manager implements concurrent use by checking the RelayState settings to decide what action to take in the following order:
    1. Partner level setting
    2. Federation level setting
    3. Global level setting

    When at least one of the settings is false, add the macro @TOKEN:RelayState@ to the list of comma-separated list of tokens in the runtime custom property SPS.PageFactory.HtmlEscapedTokens. Add the macro so that the RelayState is HTML-escaped in the authentication response.

    SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding
    When specified as true, the RelayState in an unsolicited authentication response is URL decoded by the service provider after it is received from the identity provider.
    The URL encoding can be controlled in three levels:
    Global level
    Controls the URL encoding for all federations and partners.

    Configuration example:

    SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding = true

    Federation level
    Controls the URL encoding for a specific federation and all its partners.

    Configuration example: SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding_<FEDERATIONID> = true

    Example for a federation with the ID https://sp/sps/fed/saml20:

    SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding_https://sp/sps/fed/saml20 = true

    Partner level
    Controls the URL encoding for a specific federation and a specific partner.

    Configuration example: SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding_<FEDERATIONID>_<PARTNERID>= true

    Example for a federation with the ID https://sp/sps/fed/saml20 and its partner with the ID https://idp/sps/fed/saml20:

    SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding_https://sp/sps/fed/saml20_https://idp/sps/fed/saml20 = true

    Default value: True

    • Value type: Boolean
    • Example value: False

    <FEDERATIONID> represents the Provider ID of the federation and <PARTNERID> represents the Provider ID of the partner. You can obtain the Provider ID of the federation from the Federation Properties page in the console while the Provider ID of the partner can be obtained from the Partner Properties page in the console.

    You can use the three levels of control concurrently. Tivoli Federated Identity Manager implements concurrent use by checking the RelayState settings to decide what action to take in the following order:
    1. Partner level setting
    2. Federation level setting
    3. Global level setting

    Back to Contents




    TRUST SERVICE CUSTOM PROPERTY (IV12418)

    The SAML STS Modules validates that the token provided on the STS request is the correct type. The STS obtains the input token from either the Base element of the RequestSecurityToken message or from the WS-Security headers included on the SOAP envelope.

    If multiple security headers are included on the SOAP envelop, Tivoli Federated Identity Manager selects the very first one that it finds even if the STS module configured to consume the token can handle the token type retrieved.

    To enable the SAML STS modules to notify the STS of the expected token type so that the correct token is retrieved from the SOAP envelop headers, enable the following custom property:

    sts.multiple.tokens.security.header.enabled=true

    Back to Contents




    INCLUDE KEY AND REQUEST TYPE ON STS (IV15425)

    The Tivoli Federated Identity Manager Security Trust Service (STS) chain does not support the RequestType and KeyType elements on the RequestSecurityTokenResponse message.

    The RequestType value must be set to the value received on the request. The KeyType must be set to one of the values supported by WS-Trust based on an attribute on the STSUU structure.

    To enable the ability to set the KeyType use the following sample xsl fragment:

        <xsl:template match="//stsuuser:ContextAttributes">
        <stsuuser:ContextAttributes>

            <!-- Add the key type to the Request Security Token Response generated by the SAML module -->
            <stsuuser:Attribute 
                name="RequestSecurityTokenResponse.KeyType" 
                type="urn:ibm:names:ITFIM:5.1:accessmanager">
                    <stsuuser:Value>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</stsuuser:Value>
            </stsuuser:Attribute>
        
        </stsuuser:ContextAttributes>
    </xsl:template>
    The new property RequestSecurityTokenResponse.KeyType allows the administrator to set the KeyType on theRequestSecurityTokenResponse.

    In this scenario, the KeyType is set to: http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey.

    For more information about other valid values, see the WS-Trust specification from the OASIS Website.

    Back to Contents




    TRUST SERVICE CUSTOM PROPERTY (IV14481)

    The Trust Service custom property must add the new custom property.

    ivcred.insert.CRLF76
    When set to true, the base64 encoded IVCred generated by the Security Token Service module STSTokenIVCred is split into multiple lines. If this custom property is set to false, the base64 encoded IVCred generated by the Security Token Service module STSTokenIVCred is not split into multiple lines.

    Default value: True

    • Value type: Boolean
    • Example value: False

    Back to Contents




    RelayState in the authentication request sent by the SAML 2.0 Service Provider into the Identity Provider is not available as query string parameter in the redirect URL to the custom login page. (IV07933)

    In the IBM Tivoli Federated Identity Manager Configuration Guide, under the section Customizing an Authentication Login Form for Single Sign On, under the sub-section Supported Macros for Customizing an Authentication Login Form, the following new row is added into Table 2 (Supported SAML Protocol Macros) as the third row:

    Macro Query String Parameter Name Description
    %SPRELAYSTATE% SPRelayState Supported for SAML 2.0 only

    Represents RelayState data accompanying the SSO request, if applicable.

    SAML value: The RelayState data that accompanies the SAML AuthnRequest.

    Back to Contents




    ADD ADDITONAL TRACES FOR FBTSPS061E ERROR. (IZ98683)

    The Point of Contact implementations shipped by Tivoli Federated Identity Manager rely on some state information populated on the HTTP session object.

    In some instances, the customers improperly setup their Tivoli Federated Identity Manager environments where the HTTP session information is not accessible by the TFIM code. This is primarily caused by:

    1. The point of contact implementation, for example, WebSEAL is filtering the JSESSIONID cookie set by the application server.
    2. The HTTP Server is not maintaining proper affinity to the back end WAS node or
    3. If affinity is not desired, the HTTP session information is not properly replicated through the cluster.

    When the HTTP session information is not accessible, the error FBTSPS061E occurs when the browser is redirected to /wssoi for authentication during a single sign-on flow.

    The fix for this APAR is to add traces that includes some of the above debug pointers to help troubleshooters identity the cause of the issue.

    Back to Contents




    Ability for IVCRED STS Module to return error (default) or map to special user account for unauthenticated user token. (IZ94653)

    The IvCred STS Module has been enabled to consume and validate ivcred tokens that corresponds to an unauthenticated user. The modification done as part of this fix will allow for two modes of operation.

    For behavior #1 (Default), the STS module generates an error if a token received corresponds to an unauthenticated user. The error is the following:

     FBTSTS015E The IV-Cred binary token is invalid or not present.

    For Behavior #2 the IvCred STS Module can be configured to map the unauthenticated user token to a special user account that can be configured. The user account selected must be considered as a low entitlements or guest account.

    The IVCRED STS module adds an unauthenticated user name to the universal user structure.

    To enable behavior #2 add the following custom property:

     ivcred.unauthenticated.user.name=myusername

    where myusername is the user name value to use for mapping.

    The following additional properties can also be provided to describe the user account to map to when using behavior #2:

     ivcred.unauthenticated.user.registry.id
     ivcred.unauthenticated.user.uuid

    ivcred.unauthenticated.user.registry.id is used to include the registry id of the account and ivcred.unauthenticated.user.uuid to indicate the unique id for the user account.

    Back to Contents




    When importing JavaScript mapping rule using FIM Console, FIM might incorrectly reports that the mapping rule is syntatically incorrect if it contains throw exception statements (IV01646)

    In the IBM Tivoli Federated Identity Manager Configuration Guide, under the section Customizing Runtime Properties, the sub-section Custom Properties Reference, and the sub-sub-section Custom Property for the Trust Service, the following new custom property is added:

    STS.validateMappingRules

    Specifies whether the mapping rule is validated when it is imported using the console or the command line interface. If the STS.validateMappingRules parameter is specified, and the value is equal to the string "false", ignoring the case, then the mapping rule is not validated. Otherwise, the mapping rule is validated.

    • Value type: boolean
    • Example value: false

    Back to Contents




    INACCURATE DOCUMENTATION ON THE SUPPORTED SSL VERSION (IV00560)

    In the IBM Tivoli Federated Identity Manager Configuration Guide, under the section Customizing Runtime Properties, the sub-section Custom Properties Reference, and the sub-sub-section Custom Property for Transport Security Protocol, the list of supported protocols is updated. The following sentence:

    where the value of PROTOCOL can be any of the following values: SSL_TLS, SSL, SSLv2, SSLv3, TLS or TLSv1.

    is updated into:

    where PROTOCOL refers to one of the protocols supported by the Java Secure Socket Extension used by the underlying WebSphere Application Server. Examples: SSL, TLS, and SSL_TLS. NOTE: The protocol examples might not necessarily be supported.

    Back to Contents




    NO DOCUMENTATION ON HOW TO SET AUDIENCERESTRICTION IN SAML 2.0 ASSERTION (IV00324)

    In the IBM Tivoli Federated Identity Manager Configuration Guide, under the topic Sample identity mapping rules for SAML federations > Mapping a local identity to a SAML 2.0 token using an alias, the following entry is added to Table 21. STSUUSER entries used to generate a SAML token (using an alias):
    [STSUU Element] Attribute: AudienceRestriction
    [SAML Token Information] The audience of the audience restriction condition.
    [Required] Optional

    Under the same topic, it states:
    3. Populating the attribute statement of the assertion with the attributes in the AttributeList in the In-STSUU. This information becomes custom information in the token. There can be custom attributes that are required by applications that will make use of information that is to be transmitted between federation partners.

    It must state:
    3. Setting the audience of the audience restriction condition to the value of the STSUU element "AudienceRestriction". If this STSUU element is not present, the audience is set to the Provider ID of the federation partner.

    4. Populating the attribute statement of the assertion with the attributes in the AttributeList in the In-STSUU. This information becomes custom information in the token. There can be custom attributes that are required by applications that makes use of information that is to be transmitted between federation partners

    Back to Contents




    MISSING REQUIREMENT TO NOT MODIFY BUILT-IN SSO CHAINS (IV07723)

    In the IBM Tivoli Federated Manager Administration Guide, under the topic Managing Modules > Modifying trust service chain properties > About this task, the following note is added:
    NOTE: Do not modify the built-in SSO trust chains. To know why this is not an architecturally good approach, see the article on Complex Federation Identity and Attribute Mapping for Tivoli Federated Idenity Manager from the IBM community blogs.

    In the IBM Tivoli Federated Manager Administration Guide, under the topic Managing Modules > Modifying chain module properties > About this task, the following note is added:
    NOTE: Do not modify the built-in SSO trust chains. To know why this is not an architecturally good approach, see the article on Complex Federation Identity and Attribute Mapping for Tivoli Federated Idenity Manager from the IBM community blogs.

    Back to Contents




    RELAYSTATE PARAMETER IN UNSOLICITED SAML2 AUTH RESPONSE (IZ86275)

    In the IBM Tivoli Federated Manager Configuration Guide, under the topic SAML 2.0 > Profiles > Web browser single sign-on > Message initiation, it states:
    The message flow can be initiated from the identity provider or the service provider.

    It must state:
    The message flow can be initiated from the identity provider or the service provider. When the message flow is initiated from the identity provider, a RelayState parameter can be provided in the unsolicited response delivered by the identity provider to the service provider. This parameter will contain the URL encoded value of the Target element provided in the single sign-on service initial URL (identity provider).

    In the IBM Tivoli Federated Manager Configuration Guide, under the topic URLs for initiating SAML single sign-on actions > SAML 2.0 profile initial URLs > Single sign-on service initial URL (identity provider) > Syntax for initiating single sign-on at the identity provider states:
    https://provider_hostname:port_number/sps/federation_name/saml20/logininitial?RequestBinding=RequestBindingType&&PartnerId=target_partner_provider_ID&NameIdFormat=NameIDFormatType&AllowCreate=[true|false]

    It must state:
    https://provider_hostname:port_number/sps/federation_name/saml20/logininitial?RequestBinding=RequestBindingType&PartnerId=target_partner_provider_ID&NameIdFormat=NameIDFormatType&AllowCreate=[true|false]&Target=target_application_location

    Another element will also be added to Elements in the same topic
    Target: This will be URL encoded and set as the value of the RelayState parameter provided in the unsolicited response delivered by the identity provider to the service provider. A Tivoli Federated Identity Manager Service Provider interprets this value as the URL of the application that a user can log in to using single sign-on.

    Back to Contents




    NPE TRYING TO LOAD CONFIG INSTANCE IN TDI MAPPING RULE. (IZ91348)

    If a TDI configuration instance could not be loaded by the TDI mapping module (for any reason), a NullPointerException exception was thrown. This APAR causes failures to be reported gracefully and adds more tracing capability to help determine the root cause of configuration instance loading issues.

    Back to Contents




    Configurations to use Oracle database for the Tivoli Federated Identity Manager Alias service (IZ91351)

    Attempts to use Oracle database for TFIM alias service displayed errors like: 

    com.ibm.ws.ejbpersistence.utilpm.PersistenceManagerException:
PMGR1012E: The current backend id DB2UDBNT_V8_1, does not match
           the datasource connected to.

    To fix this, you must perform additional steps after installing the Fix Pack (assume on UNIX-based system):
    1. Configure FIM for use of Oracle as the Alias service:
      1. Create a backup of the itfim.ear file using the following commands:
        1. cd FIM_INSTALL_DIR/pkg/release
        2. cp itfim.ear itfim-orig.ear
      2. Modify the EAR to be Oracle-aware for deployment, using the following commands:
        1. mkdir /tmp/work
        2. rm FIM_INSTALL_DIR/pkg/release/itfim.ear
        3. WEBSPHERE_INSTALL_DIR/AppServer/bin/ejbdeploy.sh FIM_INSTALL_DIR/pkg/release/itfim-orig.ear /tmp/work FIM_INSTALL_DIR/pkg/release/itfim-oracle.ear -dbschema FIMAliasesSchema -dbname FIMAliases -dbvendor ORACLE_V10G -trace
        4. cp FIM_INSTALL_DIR/pkg/release/itfim-oracle.ear FIM_INSTALL_DIR/pkg/release/itfim.ear
        5. rm -rf /tmp/work
      3. A new FIM_INSTALL_DIR/pkg/release/itfim.ear becomes available for deployment to work with Oracle. Use a text editor to update the file FIM_INSTALL_DIR/pkg/software.properties to change the property com.tivoli.am.fim.rte.software.serialId to a different value (for example, increment).
      4. Use the Tivoli Federated Identity Manager console to navigate to Tivoli Federated Identity Manager -> Domain Management -> Runtime Node Management. There must be a message indicating that a new runtime is available for deployment. Use the console to deploy the new runtime.
      5. After deployment, completely restart the WebSphere process(es) on which the runtime is deployed.
    2. For more details including setting up Oracle database and configuring WAS to use JDBC, see the technote entitled "After installing FP3 for FIM 6.2, Oracle db still can not be used for FIM Alias Service." , which has been published and is publicly available on the TFIM support site.

    If you receive subsequent fixpacks, or anything that alters the deployed itfim.ear, you must do step 1 again.

    Back to Contents




    SAML1.1 ARTIFACT RESOLUTION FAILURE NEEDS ERROR INFO IN MSG. (IZ91349)

    A new English-only message has been added to include more request information in the error log when a SAML artifact resolution failure occurs. This message will only be enabled if the following runtime custom property is set:

    SAML.AllowDebugMessages=true

    If this runtime custom property is set and a SAML artifact resolution failure occurs, the SystemOut.log and SystemErr.log will contain an informational message with extra debug information about the request which contained the failed artifact and why.

    Back to Contents




    Missing InResponseTo attribute in samlp:Response error responses. (IZ91350)

    SAML 1.x artifact resolution error responses will now include the InResponseTo attribute if a correctly formatted request that is received contains a request ID.

    Back to Contents




    DEFAULT NAMEID FORMAT NOT WORKING WHEN NO CLAIMS ARE PASSED. (102832)

    This fix addresses a problem with validating SAML assertions that do not contain a NameID Format attribute.

    Back to Contents




    NULL POINTER EXCEPTION EDITING MAPPING RULE. (101623)

    This fix addresses a NullPointerException that can occur in the Tivoli Federated Identity Manager console if the XSLT mapping module is selected for a federation but no mapping rule is specified.

    Back to Contents




    FEDERATION PARTNER UPDATE MODIFIES NON-ZERO ACS URL INDEX. (IZ91352)

    If the SAML metadata of your partner contains service URLs that begin with a non-zero index, Tivoli Federated Identity Manager will now preserve the index that was used for the URL as contained in the original partner's metadata.

    Back to Contents




    XML PARSING OF INCOMING SAML MESSAGE FAILS WHEN MACHINE LOCALE IS NOT UTF8-COMPATIBLE AND UTF-8 EXTENDED CHARACTERS APPEAR IN MESSAGE. (IZ91414)

    This fix allows Tivoli Federated Identity Manager to receive SAML browser-POST messages for either SAML 1.x or SAML 2.0 even if the locale of the locale machine is not a UTF-8 compatible character set.

    Back to Contents




    STATE INFORMATION IN SOME FEDERATION PROTOCOLS ARE INVALID. (IZ91343)

    This fix corrects erroneous behaviour caused by invalid object caching in user session or distributed maps.

    Back to Contents




    PROVIDER NAME NEEDS TO BE PART OF THE AUTHENTICATION REQUEST. (IZ91344)

    For SAML 2.0 service providers setups to enable the ProviderName on the AuthnRequest, set the following custom property:

    SAML20.authn.request.provider.name.enabled = true

    The ProviderName will be populated with the Company Name collected as part of the federation wizard.

    Back to Contents




    NULL EXCEPTION OCCURS DURING CLAIMS PROCESSING. (IZ91347)

    Tivoli Federated Identity Manager generates a NullPointerException when the SAMLResponse received from the identity provider contains a SAML Assertion that does not include a Issuer value.

    Back to Contents




    The Management Console fixpack installation appears to complete successfully but the console does not operate correctly. (IZ91258)

    After the installation of the Tivoli Federated Identity Manager Management Console the fixpack install seems to complete but the console does not function correctly. This problem is not common but has occurred on some systems. Some of the symptoms are:

    1. ClassNotFoundException logged in SystemOut.log and SystemErr.log.
    2. The 'Tivoli Federated Identity Manager' root task does appear correctly in the console's task bar.
    3. Portlet loading errors returned to user through the browser.

    Back to Contents




    SAML 2.0 BEARER SUBJECT CONFIRMATION DATA PROCESSING NOT CONFORMANT. (IZ91415)

    For SAML 2.0 identity provider scenarios, or other STS scenarios which issue SAML 2.0 assertions you can now override the Recipient attribute in SubjectConfirmationData for bearer subject confirmation method by setting an Attribute in the ContextAttributes section of the STSUniversalUser in your mapping rule. An example of this attribute will look like:

    https://example.com

    Additionally when validating SAML 2.0 assertions, the Recipient attribute will only be validated for bearer subject confirmation methods when the assertion is being validated as part of a single sign-on flow. One exception to this is if you set a runtime custom property:

    SAML2.AlwaysValidateBearerSubjectConfirmationData = true

    Back to Contents




    SAML STS MODULES CALCULATES WRONG VALIDITY PERIOD OF ASSERTION. (IZ91356)

    The Tivoli Federated Identity Manager, by default, adds a clock skew of 60 seconds when validating the SAML assertion timestamps. To disable the 60 seconds by default, add the following custom property:

    saml.use.legacy.clockskew.default = false

    Back to Contents




    Tivoli Federated Identity Manager SAML 2.0 metadata is not properly formatted when TFIM is running on the latest versions of the WebSphere Application Server. (IZ91416)

    The Tivoli Federated Identity Manager running on some of the latest version of the WebSphere Application Server might produce metadata that is not properly formatted for the SAML 2.0 single sign on profile. The EncryptionMethod element on the metadata will define a namespace prefix that has been already defined on the document.

    Back to Contents




    SAML 2.0 STS MODULE NOT READING THE DEFAULT NAMEID FORMAT PARAMETER. (IZ91419)

    The Tivoli Federated Identity Manager SAML 2.0 SPS Module allows the customer to specify a default name id format to use when one is not specified. At the Service Provider that value is use to determine the type of treatment that will be done to a unspecified name id format that is received on a SAML assertion.

    By default, TFIM treats an unspecified name id format as persistent name id. The SAML 2.0 STS module processes the assertion name identifier with a unspecified name id format according to the value configured on the default name id format configuration selection.

    Back to Contents




    Some of TFIM Console portlet pages cannot be displayed when it is installed in WAS 7 FP 11. (IZ84999)

    This workaround ensures that Tivoli Federated Identity Manager Management Console portlet pages can be displayed when the Management Console is installed in WebSphere Application Server 7 Fix Pack 11.

    Back to Contents




    For a WS-Trust v1.3 request, FIM Security Token Service returns a response with multiple status codes, some of which contain WS-Trust v1.2 URI values. (IZ91418)

    This fix ensures that the WS-Trust v1.3 response returned for a STS chain with a TAMAuthorizationSTSModule, TAMAuthenticationSTSModule or AuthorizationSTSModule has only 1 status code that contains a URI value belonging to the WS-Trust v1.3 specification.

    Back to Contents




    CLI throws a StringIndexOutOfBoundsException when adding a SAML 2.0 service provider partner to a SAML 2.0 federation. (102338)

    StringIndexOutOfBoundException error is handled when invalid ValidationKeyIdentifier or EncryptionKeyIdentifier is specified in the create partner response file.

    Back to Contents




    Fixpack installer fails to automatically deploy the runtime on WebSphere Application Server Network Deployment cluster. (103544)

    Automatic deployment of runtime during fixpack installation is only applicable on WAS Standalone, and fails on WAS ND Cluster, causing the fixpack installation to report partial success. Manually deploy runtime on WAS ND Cluster after applying the fixpack.

    Back to Contents




    TFIM Configuration Guide does not describe the steps to enable certificate revocation list checking for certificates that are used for XML message signing, verification, encryption, and decryption. (IV07711)

    From the updated Tivoli Federated Identity Manager Configuration Guide, the steps are:

    1. Login to the Console, and click Tivoli Federated Identity Manager > Domain Management > Runtime Node Management. The Runtime Node Management panel is displayed.
    2. Click Runtime Custom Properties. The Runtime Custom Property panel is displayed.
    3. Click Create. A list item is added to the list of properties with the name of new key and a value of new value.
    4. Select the newly created placeholder property.
    5. Type kessjksservice.revocation.enabled in the Name field.
    6. Type true in the Value field.
    7. Click OK to apply the changes that you have made and exit from the panel.

    Back to Contents




    Software limitations

    None.


    Known problems and workarounds

    Patch installation fails when Federal Information Processing Standard (FIPS) is enabled for WebSphere Application Server

    Issue:

    Patch installation fails when FIPS is enabled for WebSphere Application Server where Tivoli Federated Identity Management Business Gateway is deployed.

    Workaround:

    Before installing the patch, disable FIPS for WebSphere Application Server where Tivoli Federated Identity Management Business Gateway is deployed.


    Notices

    This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

    IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

    IBM Director of Licensing
    IBM Corporation
    North Castle Drive
    Armonk, NY 10504-1785
    U.S.A.

    For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

    Intellectual Property Licensing
    Legal and Intellectual Property Law
    IBM Japan, Ltd.
    1623-14, Shimotsuruma, Yamato-shi
    Kanagawa 242-8502 Japan

    The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

    INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

    Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

    This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

    Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

    IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

    Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information that has been exchanged, should contact:

    IBM Corporation
    2Z4A/101
    11400 Burnet Road
    Austin, TX 78758
    U.S.A.

    Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

    The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

    Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

    Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

    All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

    This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.


    Trademarks

    IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.

    Adobe®, Acrobat, PostScript® and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

    IT Infrastructure Library® is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

    Intel®, Intel logo, Intel Inside®, Intel Inside logo, Intel Centrino®, Intel Centrino logo, Celeron®, Intel Xeon®, Intel SpeedStep®, Itanium®, and Pentium® are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

    Linux® is a trademark of Linus Torvalds in the United States, other countries, or both.

    Microsoft, Windows, Windows NT®, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

    ITIL® is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

    UNIX® is a registered trademark of The Open Group in the United States and other countries.

    Cell Broadband Engine™ and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.

    Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

    Other company, product, and service names may be trademarks or service marks of others.

      End of the IBM® Tivoli® Federated Identity Manager Business Gateway 6.2.1-TIV-TFIMBG-FP0006.README file.