©Copyright International Business Machines Corporation 2008, 2015. All rights reserved. U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
NOTE: Before using this information and the product it supports, read the general information under Notices in this document.
Date: Monday, 29 June 2015
===========================================================================This cumulative fix pack corrects problems in IBM Tivoli Federated Identity Manager Business Gateway (Federated Identity Manager Business Gateway), Version 6.2.1. It requires that Federated Identity Manager Business Gateway, Version 6.2.1, be installed. After installing this fix pack, your Federated Identity Manager Business Gateway installation will be at level 6.2.1.9.
Potential cross-site scripting vulnerabiltity via macros in event page template files
Some IBM Tivoli Federated Identity Manager page macros might be vulnerable to cross site scripting attacks when their values are not properly encoded. Contact IBM Support for the list of macros that might be subjected to this issue. To remediate this, add the macros provided by IBM Support to the list of comma-separated tokens in the runtime custom property SPS.PageFactory.HtmlEscapedTokens
. Add these macro so that their values are HTML-escaped in the template files. For example, if the list of macros provided is:
the value of the runtime custom property SPS.PageFactory.HtmlEscapedTokens
with the above macros added can be:
@REQ_ADDR@,@DETAIL@,@EXCEPTION_STACK@,@EXCEPTION_MSG@,@RESPONSE@,@TARGET@,@DETAIL@,@SAMLSTATUS@,@EXAMPLE_MACRO1@,@EXAMPLE_MACRO2@,@EXAMPLE_MACRO3@
NOTE: Other macros that are prone to cross site scripting vulnerability can also be added to SPS.PageFactory.HtmlEscapedTokens
. The value of this runtime custom property will be revised periodically and update as needed. For more information regarding the runtime custom property, access http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.tivoli.fim.doc_6.2.1/reference/CustomPropsSPS.html.
Possible security exposure with IBM WebSphere Application Server with WS-Security enabled applications using LTPA tokens (CVE-2011-1377)
The security that the IBM WebSphere Application Server provides might be weaker than expected when using web services security (WS-Security). A user might randomly gain elevated privileges on the provider system. WS-Security might assign the identity of a previously processed LTPA token to a new inbound LTPA token after authentication. This impacts applications using either JAX-WS and JAX-RPC.
Versions affected:
The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the fix, access http://www.ibm.com/support/docview.wss?uid=swg21587536
Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed fix installation instructions.
Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476)
This security alert addresses a serious security issue: CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability might cause the Java Runtime Environment to hang, go into an infinite loop, and/or crash resulting in a denial of service exposure. The JRE might hang if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program using the Double.parseDouble method is also at risk of this exposure including any customer written application or third party written application.
The following products contain affected versions of the Java Runtime Environment:
The same iFix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the iFix access http://www.ibm.com/support/docview.wss?uid=swg21462019
Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.
JAVA.LANG.RUNTIMEEXCEPTION: SRV.8.2: REQUESTWRAPPER OBJECTS MUST EXTEND SERVLETREQUESTWRAPPER OR HTTPSERVLETREQUESTWRAPPER (PM10357)
This APAR PM10357 is reported for WebSphere Application Server (WAS) v6.1. As a result of this APAR, operations in the IBM Tivoli Federated Identity Manager Management Console can fail with the following exception observed in the log if the Management Console is deployed on an affected version of WAS v6.1:
java.lang.RuntimeException: SRV.8.2: RequestWrapper objects must extend ServletRequestWrapper or HttpServletRequestWrapper
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.
The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager.
The IBM WebSphere Update Installer (WUI) must be used to apply the fix. If the WUI has not previously installed, download the WUI from http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer access here.
IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway can be affected by vulnerabilities in the Websphere IBM Java Runtime Environment (CVE-2013-2407)
A unspecified vulnerability in the Websphere IBM Java Runtime Environment (JRE) component allows remote attackers to affect the confidentiality and availability of Tivoli Federated Identity Manager (TFIM) and IBM Tivoli Federated Identity Manager Business Gateway (TFIMBG) via unknown vectors related to Libraries.
The following products contain affected versions of the Java Runtime Environment:
The same iFix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the iFix access http://www-01.ibm.com/support/docview.wss?uid=swg21644157
Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.
This fix pack package contains:
This fix pack is distributed as an electronic download from the IBM Support Web Site.
Software requirements for IBM Tivoli Federated Identity Manager Business Gateway version 6.2.1 can be found here.
6.2.1-TIV-TFIMBG-FP0006
6.2.1-TIV-TFIMBG-FP0004
6.2.1-TIV-TFIMBG-FP0002
6.2.1-TIV-TFIMBG-FP0001
Federated Identity Manager Business Gateway consists of the following components that can be installed separately:
This fix pack applies only to the administration console and management service and runtime components (first two components listed above). These two components must be at the same level. Therefore, if you install a fix pack for either the administration console component or the management service and runtime component, you must install the corresponding fix pack for the other of these two components.
If the administration console and management service and runtime components are not at the same fix pack level, they are not guaranteed to interoperate with each other as designed.
The following problems are corrected by this fix pack. For more information about the APARs listed here, see the IBM Tivoli Federated Identity Manager Business Gateway support site for details.
Organization
element with no OrganizationURL
element.urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
name identifier for single sign on. By default, Tivoli Federated Identity Manager will treat a urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
name identifier as urn:oasis:names:tc:SAML:2.0:nameidformat:persistent
name identifier unless the default name identifier is set to another type like emailAddress
. The Single Logout operation incorrectly queries the alias service if the urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
name identifier is used and the default name identifier is set to emailAddress
.javax.management.JMRuntimeException: ADMN0022E: Access is denied for the getPlatformVersion operation on Server MBean because of insufficient or empty credentials.
Be aware of the following considerations before installing this fix pack:
Because Federated Identity Manager Business Gateway is a 32-bit application its default path when installing on Windows Server 2008 changes from
C:\Program Files\IBM\FIM
to:
C:\Program Files (x86)\IBM\FIM
NOTE: This change to the installation path name also affects a 32-bit WebSphere Application Server on Windows Server 2008:
C:\Program Files\IBM\WebSphere
changes to:
C:\Program Files (x86)\IBM\WebSphere
You can download the WebSphere Update Installer version 7.0.0.0 from the WebSphere Application Server Update Installer Web site. Installation instructions are on the download page.
Select the package that is appropriate for the target platform, then download the package and unzip the contents into a
target directory, typically the default WebSphere Update Installer directory, either
C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance
for Windows or
/opt/IBM/WebSphere/UpdateInstaller/maintenance
for Unix/Linux
Unzip the downloaded file before you attempt to apply the patch. The unzipped contents are one or more pak files. Each pak file corresponds to one or more product components. For example, a fix pack might contain two pak files: one for the administration console and management service and runtime components, and one for the WSSM component.The full list of product components is described in Fix pack structure.
Use WebSphere Update Installer to apply the fixes of each pak file to the target component on the system that you are updating. Apply all of the pak files that are required by your installation to ensure that the software levels in your environment are identical for all of the components for which a pak file is supplied.
The fixes are tested against all affected components; therefore, to minimize any possible issue that can
arise from applying a partial fix, ensure the you apply the complete set of files.
See
NOTE: Before installing this fix pack, ensure that you have reviewed the prerequisites in Before installing the fix pack.
To obtain the fix pack:
NOTE: For z/OS platform, please contact IBM Support to obtain the fix pack.
If security is enabled on the WebSphere Application Server
where Federated Identity Manager Business Gateway is installed, you must set
the appropriate password values in the fim.appservers.properties
file before you can
apply the fix pack.
If security is not enabled, you can skip this step.
NOTE: If you add passwords to the fim.appservers.properties
file, as described below,
specify the passwords using plain text. However, at the end of the fix pack
installation process these passwords are obfuscated and are no longer be available in
plain text format.
To specify security passwords, use the following procedure:
FIM_INSTALL_DIR/etc/fim.appservers.properties
.was.security.enabled
property is present in the
fim.appservers.properties
file and is set to true
, then
you must add two password properties to the file:
was.admin.user.pwd
property with a value of the administrator
login password for the WebSphere Application Server
where Federated Identity Management Business Gateway is deployedwas.truststore.pwd
property with a value of the password for
the trust store used for client-side SSL authentication in that
WebSphere Application Serverwas.admin.user.pwd=was_admin_pw
was.truststore.pwd=truststore_pw
ewas.security.enabled
property is present in the
fim.appservers.properties
file and is set to true
, then
you must add two password properties to the file:
ewas.admin.user.pwd
property with a value of the administrator
login password for the Embedded WebSphere Application Server
where Federated Identity Management Business Gateway is deployedewas.truststore.pwd
property with a value of the password for
the trust store used for client-side SSL authentication in that Embedded
WebSphere Application Serverewas.admin.user.pwd=ewas_admin_pw
ewas.truststore.pwd=truststore_pw
fim.appservers.properties
fileC:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance
for Windows or
/opt/IBM/WebSphere/UpdateInstaller/maintenance
for Unix/Linux
C:\Program Files\IBM\WebSphere\UpdateInstaller
on
Windows systems, or in /opt/IBM/WebSphere/UpdateInstaller
on UNIX-based systems).C:\Program Files\IBM\FIM
on Windows systems, or
/opt/IBM/FIM
on UNIX-based systems), then click Next.FIM_INSTALL_DIR/etc/version.propeties
file with a text editor.
The following list describes how to interpret the properties in the version.properties
file:
itfim.build.version.rte-mgmtsvcs=version
itfim.build.version.mgmtcon=version
itfim.build.version.wsprov=version
itfim.build.version.wssm=version
itfim.build.version.fimpi=version
Apply the fix packs to the product's components in the following order:
NOTE: The WebSphere Update Installer allows you to select more than one pak file at a time for execution. Select only the pak files that correspond to the components that are installed on the system you are updating. If you accidentally install more pak files than are needed, you can separately uninstall any fix packs for components that are not installed on the target system.
The fix pack install automatically deploys the newly installed Federated Identity Manager Business Gateway runtime. However, you must verify that the current deployed version is 6.2.1.9 by performing the following steps
Runtime Information ---------------------------------------------- Current deployed version 6.2.1.9 [131017a]
NOTE: The number in the brackets [131017a]
might be different from this example.
If the automatic deployment fails (see Internal defect 103544), the runtime can be deployed manually using the console by performing the following steps
Then, restart the ITFIMManagementService.
After you install the fix pack and redeploy the Tivoli Federated Identity Manager runtime you must re-publish the plug-ins to the runtime and reload the configuration.
Use the following procedure to re-publish the plug-ins:
The product documentation for the IBM Tivoli Federated Identity Manager, version 6.2.1, can be found in the information center for IBM Tivoli Federated Identity Manager Business Gateway.
In the IBM Tivoli Federated Identity Manager Configuration Guide, under the section Customizing Runtime Properties > Custom Properties Reference, a new custom property is added. This property is:
redirecturl.validation.enabled
A string value true or false, based on which the URL validation in APAR IV64501 and IV64506 will be enabled or disabled.
Default value: false
Value type: boolean
Example value: false
Specifying allowed URLs to SAML 1.1 and SAML 2.0 at partner level
Specifying allowed URLs to SAML 1.1 and SAML 2.0 at federation level
Specifying allowed URLs to OpenID federation level
In the IBM Tivoli Federated Identity Manager Configuration Guide, under the section Customizing Runtime Properties > Custom Properties Reference > Custom Properties for SAML 2.0, a new custom property is added. This property is:
SAML20.CDC.RelayStateAllowedURLs_<FEDERATIONID>
A comma-separated list of regular expressions. SAML 2.0 Identity Provider Discovery Profile common domain cookie reading and writing service of <FEDERATIONID> can redirect to a URL that matches any of the regular expressions.
Default value: SPS URL of the common domain cookie reading or writing service endpoint e.g. https://examplehost/FIM/sps/.*
Value type: string
Example value: https://examplehost/JCT/protectedresource/.*,https://examplehost2/JCT2/protectedresource2/.*
The following parameters are documented in the Command reference > manageItfimPartner > SAML partner response file reference section of the Tivoli Federated Identity Manager Administration Guide v6.2.2 and earlier:
These parameters are not relevant to the SAML partner response file and must be removed from this section.
The following parameters are relevant to the SAML federation response file and are documented in the Command reference > manageItfimFederation > SAML federation response file reference section:
In the IBM Tivoli Federated Manager 6.2.1 Installation Guide, under the topic Appendix A. Upgrading to version 6.2.1->Upgrading LDAP, it states:
Other parameters are available to pass to this tool:
-reverse
performs a reverse migration.-deleteAbandonedEntries
deletes any entries that refer to a DN that no longer exists. This process occurs before the migration step.-Z
enables the SSL connection to the LDAP server.For the -reverse
parameter, it should state:
-reverse
performs a reverse migration. This does not delete entries added during migration. It ensures that the entries are compatible with versions of Tivoli Federated Identity Manager Version before 6.2.1.2 new parameters are now available to pass to this tool:
-userAttr
specifies the attribute that the alias service uses to denote the user identifier.-force
performs migration for all entries including those that have previously been migrated.There was an error in the command value used for installing the Tivoli Federated Identity Manager Business, version 6.2.1 IBM Support Assistant feature.
Replace the installation command note in the following sections of the Tivoli Federated Identity Manager Business Gateway, version 6.2.1 Installation Guide:
with the following:
NOTE: The installation is designed so that the WebSphere® Application Server deployment can listen on localhost. If it does not listen on localhost, use the parameter websphereProperties.adminClientConnectorHost on the installation command to specify the host name. For example, on Linux:
./install_linux_x86.bin -W
websphereProperties.adminClientConnectorHost=<hostname>
Back to Contents
When you use the Tivoli® Federated Identity Manager console or command line to import a JavaScript mapping rule, an empty Security Token Service Universal User (STSUU) is used as an input to validate the JavaScript.
Validating the JavaScript using an empty STUU input can cause problems. Problems occur when the JavaScript rule throws exceptions on cases that do not occur in their real federation runtime flow, but occurs when the empty STSUU is passed to the rule during validation.
If the JavaScript mapping rule throws an exception during validation, the Tivoli Federated Identity Manager console rejects it as bad syntax and does not load it.
When you use the Tivoli Federated Identity Manager console or command line to import a JavaScript mapping rule, the software runs basic JavaScript validation. The JavaScript validation process prevents the upload of a mapping rule with an invalid syntax.
When the Tivoli Federated Identity Manager console or command line validates the mapping rule, no real request exists. The variables are then populated with empty objects.
Your mapping rule might use conditional statements. The conditional statements make sense during real runtime operations, but do not work properly when empty objects are passed to it during validation.
importPackage(Packages.com.tivoli.am.fim.trustserver.sts); importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser); importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities); // Throw an STS exception if the STSUU does not contain an attribute I am expecting var attrvalue = stsuu.getAttributeValueByName("myattr"); if (attrvalue == null) { IDMappingExtUtils.throwSTSException('missing attribute');
As a workaround, create an empty-object-aware JavaScript rule to prevent it from throwing exceptions when it detects the empty STSUU.
Build a mechanism to detect the validation sequence into the rule itself and to not terminate with an exception if the rule is operating on empty objects.
The detection code varies depending on the assumptions you can make about request objects in your runtime flow. For example, an STSUU typically contains one or more attributes in the Principal, AttributeList , or ContextAttributes sections of the STSUU.
If it does not contain any attributes, it is an empty STSUU.
importPackage(Packages.com.tivoli.am.fim.trustserver.sts); importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser); importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities); var isEmptySTSUU = ( (stsuu.getPrincipalAttributeContainer().getNumberOfAttributes() == 0) && (stsuu.getAttributeContainer().getNumberOfAttributes() == 0) && (stsuu.getContextAttributesAttributeContainer().getNumberOfAttributes() == 0)); if (!isEmptySTSUU) { // rest of your normal runtime mapping rule logic goes here ....... }
Configuration example: SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding = true
Configuration example: SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding_<FEDERATIONID> = true
Example for a federation with the ID https://idp/sps/fed/saml20:
SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding_https://idp/sps/fed/saml20 = true
Configuration example: SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding_<FEDERATIONID>_<PARTNERID>= true
Example for a federation with the ID https://idp/sps/fed/saml20 and its partner with the ID https://sp/sps/fed/saml20
SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding_https://idp/sps/fed/saml20_https://sp/sps/fed/saml20 = true
Default value: True
<FEDERATIONID> represents the Provider ID of the federation and <PARTNERID> represents the Provider ID of the partner. You can obtain the Provider ID of the federation from the Federation Properties page in the console while the Provider ID of the partner can be obtained from the Partner Properties page in the console.
When at least one of the settings is false, add the macro @TOKEN:RelayState@ to the list of comma-separated list of tokens in the runtime custom property SPS.PageFactory.HtmlEscapedTokens. Add the macro so that the RelayState is HTML-escaped in the authentication response.
Configuration example:
SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding = true
Configuration example: SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding_<FEDERATIONID> = true
Example for a federation with the ID https://sp/sps/fed/saml20:
SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding_https://sp/sps/fed/saml20 = true
Configuration example: SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding_<FEDERATIONID>_<PARTNERID>= true
Example for a federation with the ID https://sp/sps/fed/saml20 and its partner with the ID https://idp/sps/fed/saml20:
SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding_https://sp/sps/fed/saml20_https://idp/sps/fed/saml20 = true
Default value: True
<FEDERATIONID> represents the Provider ID of the federation and <PARTNERID> represents the Provider ID of the partner. You can obtain the Provider ID of the federation from the Federation Properties page in the console while the Provider ID of the partner can be obtained from the Partner Properties page in the console.
The SAML STS Modules validates that the token provided on the STS request is the correct type. The STS obtains the input token from either the Base element of the RequestSecurityToken message or from the WS-Security headers included on the SOAP envelope.
If multiple security headers are included on the SOAP envelop, Tivoli Federated Identity Manager selects the very first one that it finds even if the STS module configured to consume the token can handle the token type retrieved.
To enable the SAML STS modules to notify the STS of the expected token type so that the correct token is retrieved from the SOAP envelop headers, enable the following custom property:
sts.multiple.tokens.security.header.enabled=true
Back to Contents
The Tivoli Federated Identity Manager Security Trust Service (STS) chain does not support the RequestType and KeyType elements on the RequestSecurityTokenResponse message.
The RequestType value must be set to the value received on the request. The KeyType must be set to one of the values supported by WS-Trust based on an attribute on the STSUU structure.
To enable the ability to set the KeyType use the following sample xsl fragment:
<xsl:template match="//stsuuser:ContextAttributes"> <stsuuser:ContextAttributes> <!-- Add the key type to the Request Security Token Response generated by the SAML module --> <stsuuser:Attribute name="RequestSecurityTokenResponse.KeyType" type="urn:ibm:names:ITFIM:5.1:accessmanager"> <stsuuser:Value>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</stsuuser:Value> </stsuuser:Attribute> </stsuuser:ContextAttributes> </xsl:template>The new property RequestSecurityTokenResponse.KeyType allows the administrator to set the KeyType on theRequestSecurityTokenResponse.
In this scenario, the KeyType is set to: http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey.
For more information about other valid values, see the WS-Trust specification from the OASIS Website.
Back to ContentsThe Trust Service custom property must add the new custom property.
Default value: True
In the IBM Tivoli Federated Identity Manager Configuration Guide, under the section Customizing an Authentication Login Form for Single Sign On, under the sub-section Supported Macros for Customizing an Authentication Login Form, the following new row is added into Table 2 (Supported SAML Protocol Macros) as the third row:
Macro |
Query String Parameter Name |
Description |
---|---|---|
%SPRELAYSTATE% |
SPRelayState |
Supported for SAML 2.0 only |
The Point of Contact implementations shipped by Tivoli Federated Identity Manager rely on some state information populated on the HTTP session object.
In some instances, the customers improperly setup their Tivoli Federated Identity Manager environments where the HTTP session information is not accessible by the TFIM code. This is primarily caused by:
When the HTTP session information is not accessible, the error FBTSPS061E occurs when the browser is redirected to /wssoi for authentication during a single sign-on flow.
The fix for this APAR is to add traces that includes some of the above debug pointers to help troubleshooters identity the cause of the issue.
Back to ContentsThe IvCred STS Module has been enabled to consume and validate ivcred tokens that corresponds to an unauthenticated user. The modification done as part of this fix will allow for two modes of operation.
For behavior #1 (Default), the STS module generates an error if a token received corresponds to an unauthenticated user. The error is the following:
FBTSTS015E The IV-Cred binary token is invalid or not present.
For Behavior #2 the IvCred STS Module can be configured to map the unauthenticated user token to a special user account that can be configured. The user account selected must be considered as a low entitlements or guest account.
The IVCRED STS module adds an unauthenticated user name to the universal user structure.
To enable behavior #2 add the following custom property:
ivcred.unauthenticated.user.name=myusername
where myusername
is the user name value to use for mapping.
The following additional properties can also be provided to describe the user account to map to when using behavior #2:
ivcred.unauthenticated.user.registry.id
ivcred.unauthenticated.user.uuid
ivcred.unauthenticated.user.registry.id
is used to include the registry id of the account and ivcred.unauthenticated.user.uuid
to indicate the unique id for the user account.
In the IBM Tivoli Federated Identity Manager Configuration Guide, under the section Customizing Runtime Properties, the sub-section Custom Properties Reference, and the sub-sub-section Custom Property for the Trust Service, the following new custom property is added:
STS.validateMappingRules
Specifies whether the mapping rule is validated when it is imported using the console or the command line interface. If the STS.validateMappingRules parameter is specified, and the value is equal to the string "false", ignoring the case, then the mapping rule is not validated. Otherwise, the mapping rule is validated.
Value type: boolean
Example value: false
In the IBM Tivoli Federated Identity Manager Configuration Guide, under the section Customizing Runtime Properties, the sub-section Custom Properties Reference, and the sub-sub-section Custom Property for Transport Security Protocol, the list of supported protocols is updated. The following sentence:
where the value of PROTOCOL can be any of the following values: SSL_TLS, SSL, SSLv2, SSLv3, TLS or TLSv1.
is updated into:
where PROTOCOL refers to one of the protocols supported by the Java Secure Socket Extension used by the underlying WebSphere Application Server. Examples: SSL, TLS, and SSL_TLS. NOTE: The protocol examples might not necessarily be supported.
In the IBM Tivoli Federated Identity Manager Configuration Guide, under the topic Sample identity mapping rules for SAML
federations > Mapping a local identity to a SAML 2.0 token using an alias, the following entry is added to Table 21. STSUUSER entries used to generate a SAML token (using an alias):
[STSUU Element] Attribute: AudienceRestriction
[SAML Token Information] The audience of the audience restriction condition.
[Required] Optional
Under the same topic, it states:
3. Populating the attribute statement of the assertion with the attributes in the AttributeList in the In-STSUU. This information becomes custom information in the token. There can be custom attributes that are required by applications that will make use of information that is to be transmitted between federation partners.
It must state:
3. Setting the audience of the audience restriction condition to the value of the STSUU element "AudienceRestriction". If this STSUU element is not present, the audience is set to the Provider ID of the federation partner.
4. Populating the attribute statement of the assertion with the attributes in the AttributeList in the In-STSUU. This information becomes custom information in the token. There can be custom attributes that are required by applications that makes use of information that is to be transmitted between federation partners
In the IBM Tivoli Federated Manager Administration Guide, under the topic Managing Modules > Modifying trust service chain properties > About this task, the following note is added:
NOTE: Do not modify the built-in SSO trust chains. To know why this is not an architecturally good approach, see the article on Complex Federation Identity and Attribute Mapping for Tivoli Federated Idenity Manager from the IBM community blogs.
In the IBM Tivoli Federated Manager Administration Guide, under the topic Managing Modules > Modifying chain module properties > About this task, the following note is added:
NOTE: Do not modify the built-in SSO trust chains. To know why this is not an architecturally good approach, see the article on Complex Federation Identity and Attribute Mapping for Tivoli Federated Idenity Manager from the IBM community blogs.
In the IBM Tivoli Federated Manager Configuration Guide, under the topic SAML 2.0 > Profiles > Web browser single sign-on > Message initiation, it states:
The message flow can be initiated from the identity provider or the service provider.
It must state:
The message flow can be initiated from the identity provider or the service provider. When the message flow is initiated from the identity provider, a RelayState parameter can be provided in the unsolicited response delivered by the identity provider to the service provider. This parameter will contain the URL encoded value of the Target element provided in the single sign-on service initial URL (identity provider).
In the IBM Tivoli Federated Manager Configuration Guide, under the topic URLs for initiating SAML single sign-on actions > SAML 2.0 profile initial URLs > Single sign-on service initial URL (identity provider) >
Syntax for initiating single sign-on at the identity provider states:
https://provider_hostname:port_number/sps/federation_name/saml20/logininitial?RequestBinding=RequestBindingType&&PartnerId=target_partner_provider_ID&NameIdFormat=NameIDFormatType&AllowCreate=[true|false]
It must state:
https://provider_hostname:port_number/sps/federation_name/saml20/logininitial?RequestBinding=RequestBindingType&PartnerId=target_partner_provider_ID&NameIdFormat=NameIDFormatType&AllowCreate=[true|false]&Target=target_application_location
Another element will also be added to Elements in the same topic
Target: This will be URL encoded and set as the value of the RelayState parameter provided in the unsolicited response delivered by the identity provider to the service provider. A Tivoli Federated Identity Manager Service Provider interprets this value as the URL of the application that a user can log in to using single sign-on.
Back to Contents
If a TDI configuration instance could not be loaded by the TDI mapping module (for any reason), a NullPointerException exception was thrown. This APAR causes failures to be reported gracefully and adds more tracing capability to help determine the root cause of configuration instance loading issues.
Back to Contents
Attempts to use Oracle database for TFIM alias service displayed errors like:
com.ibm.ws.ejbpersistence.utilpm.PersistenceManagerException: PMGR1012E: The current backend id DB2UDBNT_V8_1, does not match the datasource connected to.To fix this, you must perform additional steps after installing the Fix Pack (assume on UNIX-based system):
If you receive subsequent fixpacks, or anything that alters the deployed itfim.ear, you must do step 1 again.
Back to ContentsA new English-only message has been added to include more request information in the error log when a SAML artifact resolution failure occurs. This message will only be enabled if the following runtime custom property is set:
SAML.AllowDebugMessages=true
SAML 1.x artifact resolution error responses will now include the InResponseTo attribute if a correctly formatted request that is received contains a request ID.
Back to ContentsThis fix addresses a problem with validating SAML assertions that do not contain a NameID Format attribute.
Back to ContentsThis fix addresses a NullPointerException that can occur in the Tivoli Federated Identity Manager console if the XSLT mapping module is selected for a federation but no mapping rule is specified.
Back to ContentsIf the SAML metadata of your partner contains service URLs that begin with a non-zero index, Tivoli Federated Identity Manager will now preserve the index that was used for the URL as contained in the original partner's metadata.
Back to ContentsThis fix allows Tivoli Federated Identity Manager to receive SAML browser-POST messages for either SAML 1.x or SAML 2.0 even if the locale of the locale machine is not a UTF-8 compatible character set.
Back to ContentsThis fix corrects erroneous behaviour caused by invalid object caching in user session or distributed maps.
Back to ContentsFor SAML 2.0 service providers setups to enable the ProviderName on the AuthnRequest, set the following custom property:
SAML20.authn.request.provider.name.enabled = true
Tivoli Federated Identity Manager generates a NullPointerException when the SAMLResponse received from the identity provider contains a SAML Assertion that does not include a Issuer value.
Back to ContentsAfter the installation of the Tivoli Federated Identity Manager Management Console the fixpack install seems to complete but the console does not function correctly. This problem is not common but has occurred on some systems. Some of the symptoms are:
For SAML 2.0 identity provider scenarios, or other STS scenarios which issue SAML 2.0 assertions you can now override the Recipient attribute in SubjectConfirmationData for bearer subject confirmation method by setting an Attribute in the ContextAttributes section of the STSUniversalUser in your mapping rule. An example of this attribute will look like:
SAML2.AlwaysValidateBearerSubjectConfirmationData = true
The Tivoli Federated Identity Manager, by default, adds a clock skew of 60 seconds when validating the SAML assertion timestamps. To disable the 60 seconds by default, add the following custom property:
saml.use.legacy.clockskew.default = false
The Tivoli Federated Identity Manager running on some of the latest version of the WebSphere Application Server might produce metadata that is not properly formatted for the SAML 2.0 single sign on profile. The EncryptionMethod element on the metadata will define a namespace prefix that has been already defined on the document.
Back to ContentsThe Tivoli Federated Identity Manager SAML 2.0 SPS Module allows the customer to specify a default name id format to use when one is not specified. At the Service Provider that value is use to determine the type of treatment that will be done to a unspecified name id format that is received on a SAML assertion.
By default, TFIM treats an unspecified name id format as persistent name id. The SAML 2.0 STS module processes the assertion name identifier with a unspecified name id format according to the value configured on the default name id format configuration selection.
Back to ContentsThis workaround ensures that Tivoli Federated Identity Manager Management Console portlet pages can be displayed when the Management Console is installed in WebSphere Application Server 7 Fix Pack 11.
Back to ContentsThis fix ensures that the WS-Trust v1.3 response returned for a STS chain with a TAMAuthorizationSTSModule, TAMAuthenticationSTSModule or AuthorizationSTSModule has only 1 status code that contains a URI value belonging to the WS-Trust v1.3 specification.
Back to ContentsStringIndexOutOfBoundException error is handled when invalid ValidationKeyIdentifier or EncryptionKeyIdentifier is specified in the create partner response file.
Back to ContentsAutomatic deployment of runtime during fixpack installation is only applicable on WAS Standalone, and fails on WAS ND Cluster, causing the fixpack installation to report partial success. Manually deploy runtime on WAS ND Cluster after applying the fixpack.
Back to ContentsFrom the updated Tivoli Federated Identity Manager Configuration Guide, the steps are:
None.
Issue:
Patch installation fails when FIPS is enabled for WebSphere Application Server where Tivoli Federated Identity Management Business Gateway is deployed.Workaround:
Before installing the patch, disable FIPS for WebSphere Application Server where Tivoli Federated Identity Management Business Gateway is deployed.This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information that has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Adobe®, Acrobat, PostScript® and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
IT Infrastructure Library® is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.
Intel®, Intel logo, Intel Inside®, Intel Inside logo, Intel Centrino®, Intel Centrino logo, Celeron®, Intel Xeon®, Intel SpeedStep®, Itanium®, and Pentium® are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Linux® is a trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT®, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
ITIL® is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
UNIX® is a registered trademark of The Open Group in the United States and other countries.
Cell Broadband Engine™ and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Other company, product, and service names may be trademarks or service marks of others.
End of the IBM® Tivoli® Federated Identity Manager Business Gateway 6.2.1-TIV-TFIMBG-FP0009.README file.