IBM Security Verify Directory Integrator Version 10.0.0 Fix Pack 2 README
Abstract
Readme documentation for IBM® Security Verify Directory Integrator Version 10.0.0 Fix Pack 2 includes installation-related instructions, prerequisites and corequisites, and a list of fixes.
Readme file for: IBM® Security Directory Integrator
Product/Component Release: 10.0.0
Update Name: Fix Pack 2
Fix ID: ibm-svdi-10.0.0.2
Publication date: June 2024
Contents
Download location
Prerequisites and corequisites
Known issues
Installation information
Steps to install fixpack for all Platforms
Performing the necessary tasks after fix pack installation
Steps for rolling back the latest Security Directory Integrator version 10.0.0 fixpack
List of fixes
Copyright and trademark information
Document change history
Download location
Download IBM Security Directory Integrator Version 10.0.0 Fix Pack 2 from
http://www.ibm.com/support/fixcentral/
or access the fix from the table below.
Security Directory Integrator Documentation
IBM Security Learning Academy
- ISVDI courses from the IBM Security Learning Academy can be accessed at the Directory Integrator Courses.
- This link may also be accessed from the Help menu in the Configuration Editor.
Prerequisites and corequisites
- ISVDI 10.0.0 GA or ISVDI 10.0.0 GA with any previous fix pack. Each FixPack is cumulative and includes all of the changes and improvements of all prior FixPacks.
It is necessary only to install the most recent Fixpack to bring your ISVDI installation fully up to date.
- IBM JVM 17 is required for applying the fix pack.
Installation Information
Files Included in package: ibm-svdi-10.0.0.2-Windows.zip and ibm-svdi-10.0.0.2-Unix.tar.gz
FileName | Purpose | Size (bytes) | md5 checksum
ibm-svdi-10.0.0.2-win32-x86_64.zip | The file contains the fix pack install script along with fix files. | 186,029,798 | bd37b0b784e73e91ef81308c75923753
ibm-svdi-10.0.0.2-Unix.tar | The file contains the fix pack install script along with fix files. | 188,128,778 | 9881dac1ec9110133d393a592bd79beb
Steps to install fixpack for all Platforms.
- Shut down ISVDI.
- ISVDI Fix Pack 1 onward restricts the Java JMX agent to localhost only. This prevents a remote attacker from connecting to the JMX agent to monitor and manage the Java application.
This restriction is applied through the following settings in the ibmdisrv script. It is recommended to back up the ibmdisrv file within <SDI_install_dir> if you have any custom settings in it.
- -Dcom.sun.management.jmxremote=false
- -Dcom.sun.management.jmxremote.local.only=true
- -Dcom.sun.management.jmxremote.host=localhost
- It is recommended to back up any file(s) within <ISVDI_install_dir> if you have any custom settings in them, for example the global.properties file within the etc folder.
- Download the file and extract the contents in any preferred folder.
On Windows:
- Download the ibm-svdi-10.0.0.2-Windows.zip
- Execute the following command: <Fix pack extracted folder>\applyUpdates.vbs <ISVDI 10.0.0.x install folder>
On Unix:
- Download the ibm-svdi-10.0.0.2-Unix.tar.gz
- Execute the following command: <Fix pack extracted folder>/applyUpdates.sh <ISVDI 10.0.0.x install folder>
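A post-install check for the three JMX settings listed in the steps above, useful after restoring a customized ibmdisrv from backup. This is an added example, not part of the IBM fix pack; the sample launcher line and its JMX_OPTS variable name are constructed, and only the Unix shell form of the script is handled.

```shell
# Added example: audit a launcher script for the three JMX flags in this README.

# Expected settings, copied from the README (one key=value per line).
JMX_EXPECTED='com.sun.management.jmxremote=false
com.sun.management.jmxremote.local.only=true
com.sun.management.jmxremote.host=localhost'

# jmx_flags FILE: print each jmxremote -D setting found on a non-comment
# line as "key=value", one per line.
jmx_flags() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -oE -e '-Dcom\.sun\.management\.jmxremote[A-Za-z.]*=[^[:space:]"]*' |
        sed 's/^-D//'
}

# audit_jmx FILE: return 0 only if every expected key is present and no
# occurrence of it carries a different value.
audit_jmx() {
    file=$1; rc=0
    found=$(jmx_flags "$file")
    for want in $JMX_EXPECTED; do
        key=${want%%=*}
        # Exact key comparison: "jmxremote" must not match "jmxremote.host".
        hits=$(printf '%s\n' "$found" | awk -F= -v k="$key" '$1 == k' | sort -u)
        if [ -z "$hits" ]; then
            echo "MISSING  -D$want"; rc=1
        elif [ "$hits" != "$want" ]; then
            echo "MISMATCH -D$key (found: $(echo $hits))"; rc=1
        else
            echo "OK       -D$want"
        fi
    done
    return $rc
}

if [ $# -gt 0 ]; then
    audit_jmx "$1"
else
    # Constructed sample, not the real ibmdisrv: one flag changed, one commented out.
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
# -Dcom.sun.management.jmxremote.host=localhost   (commented out: ignored)
JMX_OPTS="-Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.local.only=true"
EOF
    audit_jmx "$sample" || echo "sample launcher does not match the README settings"
    rm -f "$sample"
fi
```

Pass the path of the installed ibmdisrv script as the first argument to audit a real installation; a non-zero exit status means at least one setting is missing or differs.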
Performing the necessary tasks after fix pack installation
Verify Installation
- To verify the Security Directory Integrator fix pack version installed on your system, run the following command, which reports the latest fix applied to Security Directory Integrator:
- Unix/Linux: <SDI_install_dir>/bin/applyUpdates.sh -queryreg
- Windows: <SDI_install_dir>\bin\applyUpdates.bat -queryreg
- Post Install steps for Federated Directory Server (FDS).
Note: These steps are not required for standard ISVDI Installations.
- Back up the files in the <ISVDI_solution_dir>\configs folder, the <ISVDI_solution_dir>\SCIM folder, and the <ISVDI_solution_dir>\LDAPSync folder to a temporary location.
- When <ISVDI_install_dir> = <ISVDI_solution_dir>.
Copy the new LDAPSync.xml from <ISVDI_install_dir>\LDAPSync directory to <ISVDI_solution_dir>\configs directory.
- When <ISVDI_install_dir> AND <ISVDI_solution_dir> are different.
Copy the new LDAPSync.xml from <ISVDI_install_dir>\LDAPSync directory to <ISVDI_solution_dir>\configs directory.
Copy the following files from <ISVDI_install_dir>\LDAPSync to <ISVDI_solution_dir>\LDAPSync directory.
LDAPSync.xml
FDS_ISAM_Plugin.xml
FDS_ISAM_Plugin.map
container.map
QRadar.map
SNMP.map
customScript.js
IBM-FDS-MIB.txt
Copy the following files from the <ISVDI_install_dir>\SCIM to <ISVDI_solution_dir>\SCIM directory.
SCIM.xml
SCIM.properties.reference
ReadMe.txt
- To use SCIM target plugin in FDS:
Copy the FDS_Target_SCIM.xml from <ISVDI_install_dir>\LDAPSync directory to <ISVDI_solution_dir>\configs directory.
- New properties for the SCIM service are listed in the SCIM.properties.reference file. This file must be used for updating the existing SCIM.properties.
Refer to <ISVDI_install_dir>\SCIM\ReadMe.txt for details about each property.
Steps for rolling back the latest IBM Security Verify Directory Integrator version 10.0.0 fixpack
- The ISVDI fix pack does not include a built-in rollback option. However, you can manually perform a rollback by following these steps:
- When you install a fix pack, the installation script (applyUpdates.sh/.vbs) automatically backs up the previously installed files in the 'maintenance\BACKUP\<version>' folder.
- To initiate a rollback, copy the backed-up files from the 'maintenance\BACKUP\<version>' folder back into the original ISVDI directory.
Notes about updates made in ISVDI Fix Pack 1
- Added support of Windows Server 2019 Datacenter operating system.
- RXA 2.3 jars shipped in ISVDI have been updated to the RXA fix pack version 2.3.0.16.
- If the Configuration Editor is updated, the updated ISVDI CE version is shown under the Help menu. If CE is not updated in the fix pack, the previously updated ISVDI CE version is displayed under the Help menu.
Notes about updates made in ISVDI Fix Pack 2
- The JNDI Connector shipped in ISVDI has been fixed.
- By default, ActiveMQ is restricted to localhost only for security reasons. You need to modify the setting in activemq.xml to use it remotely.
- The Configuration Editor will display the updated ISVDI CE version under the Help menu.
- Third-party components ActiveMQ and Apache Derby are upgraded to versions 5.16.7 and 10.16.1000002.1917736 respectively.
TADDM Connector and log4j
- The TADDM Connector depends on TADDM SDK.
- The TADDM API JAR files are not shipped with IBM Security Verify Directory Integrator and must be installed separately.
- The TADDM API jar files depend on log4j v1. This may not interoperate with ISVDI, which is using log4j v2.
Properties
- Setting the property com.ibm.di.suppressSchema=true prevents schema items from being saved in the configuration file.
- The schema items are mainly used for building the solution. When an ISVDI configuration file with a large number of schema items is transferred over RMI, a stack overflow error may be thrown.
- This could happen, for example, between the Configuration Editor and the server.
- See http://www.ibm.com/support/docview.wss?uid=swg21623396 for a description.
## ----------------------------------
## Suppress Schema
## ----------------------------------
com.ibm.di.suppressSchema=true
The properties com.ibm.di.SSLProtocols and com.ibm.di.SSLServerProtocols enable only the protocols listed as their values.
- Setting these properties to TLSv1.2, TLSv1.3 ensures that the TLS protocol cannot be negotiated down to SSL. These properties should be added to the existing solution.properties.
- For maximum security, only TLSv1.3 should be used, if possible.
## ----------------------------------
## Protocols to use for SSL
## ----------------------------------
com.ibm.di.SSLProtocols=TLSv1.2, TLSv1.3
com.ibm.di.SSLServerProtocols=TLSv1.2, TLSv1.3
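One way to check an existing solution.properties against the protocol list above. This is an added example, not IBM code; the sample file contents are constructed, and only the key=value and key:value forms of the properties format are parsed.

```shell
# Added example: audit solution.properties for the two SSL protocol properties.

# prop_list FILE KEY: print KEY's comma-separated value, one item per line.
# Comment lines (# or !) are skipped and the last definition wins, which is
# how java.util.Properties loads a file.
prop_list() {
    awk -v k="$2" '
        /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t\r]+$/, "", line)
            if (index(line, k) != 1) next
            rest = substr(line, length(k) + 1)
            if (rest !~ /^[ \t]*[=:]/) next   # a longer key sharing the prefix
            sub(/^[ \t]*[=:][ \t]*/, "", rest)
            val = rest
        }
        END { n = split(val, item, /[ \t]*,[ \t]*/)
              for (i = 1; i <= n; i++) if (item[i] != "") print item[i] }' "$1"
}

# audit_tls FILE: return 0 only if both properties are set and list nothing
# other than TLSv1.2 and TLSv1.3 (the values this README recommends).
audit_tls() {
    file=$1; rc=0
    for key in com.ibm.di.SSLProtocols com.ibm.di.SSLServerProtocols; do
        protos=$(prop_list "$file" "$key")
        [ -n "$protos" ] || { echo "UNSET  $key"; rc=1; continue; }
        for p in $protos; do
            case $p in
                TLSv1.2|TLSv1.3) echo "OK     $key: $p" ;;
                *) echo "REVIEW $key: $p is outside TLSv1.2/TLSv1.3"; rc=1 ;;
            esac
        done
    done
    return $rc
}

if [ $# -gt 0 ]; then
    audit_tls "$1"
else
    # Constructed sample file contents, not taken from a real installation.
    sample=$(mktemp)
    printf '%s\n' 'com.ibm.di.SSLProtocols=TLSv1, TLSv1.2, TLSv1.3' > "$sample"
    audit_tls "$sample" || echo "sample does not match the README recommendation"
    rm -f "$sample"
fi
```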
The property com.ibm.di.logging.close is a boolean; its value can be true or false. The following describes when to use it.
- If there are no logging-related issues, it is unnecessary to add the property com.ibm.di.logging.close to the etc/global.properties file found in Fix pack 11 onwards. The default value for this property is false.
- In a scenario where a single logger is consistently used by a single assembly line (AL) running under the ISVDI server instance at any given time, and the AL explicitly closes this logger before adding a new one, including the line com.ibm.di.logging.close=true in the etc/global.properties file causes ISVDI to shut down the currently opened single logger.
## ----------------------------------
## Logging close property
## ----------------------------------
com.ibm.di.logging.close=true
## ----------------------------------
- If there are multiple loggers used by either multiple or single AL(s) running under the ISVDI server instance, it is advisable to append the line com.ibm.di.logging.close=false to the etc/global.properties file. With this property set, ISVDI ensures the logger(s) are shut down during the JVM shutdown process.
## ----------------------------------
## Logging close property
## ----------------------------------
com.ibm.di.logging.close=false
## ----------------------------------
List of fixes
APAR fixes included in Fix Pack 1
APAR No. | Sev. | Abstract
Security Fixes | High | Fixed FEDERATED DIRECTORY SERVER
DT247588 | High | Logging was not working properly
Security Fixes | Medium | Enhanced existing password encryption method in the password synchronization plugin
DT240782 | Medium | {solution_directory}/etc/log4j2.xml is not recognized
DT237908 | Medium | ISVDI can't establish a connection to Maximo 7.6.1.3
JVM README | Medium | Derby fails to start
DT237747 | Medium | Delta store has naming issues when invalid characters in the delta store name
DT272034 | Medium | Error while connecting to Maximo using TPAE IF connector
DT271991 | Medium | Fixed HTTPParser
APAR fixes included in Fix Pack 2
APAR No. | Sev. | Abstract
Security Fixes | High | Fixed FEDERATED DIRECTORY SERVER
Security Fixes | High | Modified ActiveMQ setting
DT260035 | Medium | The JNDIConnector fails to initialize
DT240791 | Medium | ibmdiservice.exe prints wrong OS version in log
DT390107 | Medium | Set 'com.ibm.di.logging.close=false' as default
DT379155 | Medium | Problems with log4j2 configuration in AIX system
DT379992 | Medium | Modifications pertaining to file TDI0701.SYS2
DT380558 | Medium | Items mistakenly removed from 'Components Installed' list
DT390130 | Medium | Address Vulnerabilities in Apache ActiveMQ and Apache Derby
Copyright and trademark information
http://www.ibm.com/legal/copytrade.shtml
Notices
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Microsoft, Windows, and Windows Server are trademarks of Microsoft Corporation in the United States, other countries, or both.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Other company, product, or service names may be trademarks or service marks of others.
THIRD-PARTY LICENSE TERMS AND CONDITIONS, NOTICES AND INFORMATION
The license agreement for this product refers you to this file for details concerning terms and conditions applicable to third party software code included in this product, and for certain notices and other information IBM must provide to you under its license to certain software code. The relevant terms and conditions, notices and other information are provided or referenced below. Please note that any non-English version of the licenses below is unofficial and is provided to you for your convenience only. The English version of the licenses below, provided as part of the English version of this file, is the official version.
Notwithstanding the terms and conditions of any other agreement you may have with IBM or any of its related or affiliated entities (collectively "IBM"), the third party software code identified below are "Excluded Components" and are subject to the following terms and conditions:
- the Excluded Components are provided on an "AS IS" basis
- IBM DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES AND CONDITIONS WITH RESPECT TO THE EXCLUDED COMPONENTS, INCLUDING, BUT NOT LIMITED TO, THE WARRANTY OF NON-INFRINGEMENT OR INTERFERENCE AND THE IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- IBM will not be liable to you or indemnify you for any claims related to the Excluded Components
- IBM will not be liable for any direct, indirect, incidental, special, exemplary, punitive or consequential damages with respect to the Excluded Components.
Document change history
Change Date | Reason | Modified by
June 2024 | Create initial ibm-svdi-10.0.0.2 | ISVDI L3
End of Document