+-----------------------------------------------------+ Interim Fix 7.1.1-TIV-TDI-LA0036 README Tivoli Directory Integrator 7.1.1 ( Also applicable to Security Directory Integrator 7.2.0 and Tivoli Directory Integrator 7.1.0 ) LA Interim Fix 36 (All platforms) JRE Level: Java 7 Service Refresh 10 Fix pack 10 Date: Nov 2017 +-----------------------------------------------------+ COPYRIGHT STATEMENT ==================== Nov 2017 References in this publication to IBM products, programs, or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM program product in this publication is not intended to state or imply that only IBM's program product may be used. Any functionally equivalent program may be used instead. IBM is a trademark of the International Business Machines Corporation. Copyright International Business Machines Corporation 2017. All rights Reserved. Fix For ======== APAR - NA PMR - NA General Description: ==================== Upgrading to Java 7 Service Refresh 10 Fix pack 10 because of multiple Java vulnerabilities. Details: ======== This Limited Availability Interim Fix contains JRE fix for multiple vulnerabilities. Refer link for details :- http://www-01.ibm.com/support/docview.wss?uid=swg22009492 Prerequisites: ============== Security Directory Integrator v7.2.0 with or without any fix pack must be installed. Tivoli Directory Integrator v7.1.1 with or without any fix pack must be installed. Tivoli Directory Integrator v7.1.0 with or without any fix pack must be installed. Platforms: ========== All supported Platforms Downloading the Fix: ==================== - Under the Download options section, Click on the "Change Download options" link. - Set the "Include prerequisites and co-requisite fixes (you can select the ones you need later)" checkbox to true. Applying the Fix: ================= - Shutdown TDI. - Unzip the fix package to a temporary directory. The LA contains platform specific JRE's, copy the .zip or the .tar.gz to respective platforms. - Extract the .zip /.tar.gz files into temp directory. - Backup/rename the existing \\jre directory and content as a sub-directory to the \jvm directory. - Apply command 'chmod -R 755 jre' for non windows platform. Changes to the Java policy file for Derby server to start ================================================ - Derby server does not start as the new JVM does not grant permissions by default. - Resolve by using either option: * To give all permissions to all files in the TDI install dir, add the following in the \jvm\jre\lib\security\java.policy grant codeBase "file://-" { permission java.security.AllPermission; }; Note : The ending minus, "-", in the path. It means that all files in all folders, recursively, under the TDI install dir will be given this permission. * To give permission to derby port to listen, add the following line in the \jvm\jre\lib\security\java.policy , under the default permissions granted to all domains section. permission java.net.SocketPermission "localhost:-", "listen"; For example : permission java.net.SocketPermission "localhost:1527-", "listen"; Note: 1527 is the derby port in this example. Refer the adjacent link for additional information. http://www-01.ibm.com/support/docview.wss?uid=swg21450475 Confirming the Fix has been applied successfully: ================================================= JAVA vulnerability will be resolved.