This README contains information about the IBM(R) WebSphere(R) Everyplace(R) Connection Manager Version 5.0.1.4 as well as any late-breaking information that was not available for printed publications. This product contains RSA encryption code. This product is supported on: o IBM AIX(R) 5.1 and 5.2 o Solaris 7, Solaris 8, Solaris 9, and Trusted Solaris 8 o Linux Red Hat 7.3, Red Hat 8.0, Red Hat Enterprise Linux ES, SuSE 7.3, SuSE 8.0, SuSE 8.1, or SuSE 8.2 To download AIX operating system fixes, see: http://www.ibm.com/servers/eserver/support/pseries _____________________________________________________________________________ Table of Contents 1.0 Product Description 2.0 Getting Help 3.0 Installing and Configuring 4.0 Late-breaking Information 5.0 Fixed Authorized Problem Analysis Reports (APARs) 6.0 Trademarks and Copyright _____________________________________________________________________________ 1.0 Product Description The IBM WebSphere Everyplace Connection Manager consists of the following components: o Connection Manager runtime environment. o Gatekeeper, a Java(TM) graphical user interface for managing and configuring the Connection Manager system and subsystems. o Access Manager used to support Gatekeeper access to the runtime environment and persistent data store. o Mobility Client, an optional interface that provides an optimized and secure IP tunnel for communication with the Connection Manager using a variety of wireless and wireline networks. _____________________________________________________________________________ 2.0 Getting Help Online help is available through the Gatekeeper and the Mobility Client. Also see the web site at: http://www.ibm.com/software/pervasive/ws_everyplace_connection_manager/support for more information and the latest updates. _____________________________________________________________________________ 3.0 Installing and Configuring 3.1 See the IBM WebSphere Everyplace Connection Manager Administrator's Guide for information about installing for the first time or applying maintenance. The guide is in portable document format (PDF) and you will need Adobe Acrobat Reader Version 3.0 or greater to display or print it. This guide is on the installation CD and is also located at http://publib.boulder.ibm.com/pvc/wecm/501/ _____________________________________________________________________________ 4.0 Late-breaking Information 4.1 If you are using Netscape Directory Server with the Connection Manager, you must configure it to store passwords as clear text to enable support for the Mobility Client for Palm OS. 4.2 If you run a Connection Manager subordinate node on Solaris 8, and if this node is part of a cluster with a principal node that is running on AIX 4.3.3, the "in use" license count is not incremented when the subordinate node requests licenses. Therefore, license use counts for the cluster will not be accurate. 4.3 If you are using Secure Hashing Algorithm (SHA) to store passwords in LDAP (the default for Netscape Directory), login sessions using the native PPP protocol and CHAP for authentication will fail. If this type of session is a requirement, use clear text for password storage. 4.4 New features for Version 5.0 o The IBM Everyplace Wireless Gateway has been enhanced, repackaged, and renamed to the IBM WebSphere Everyplace Connection Manager. o Support for the Connection Manager on Linux distributions o Connections between Mobility Client on Windows or Windows CE connecting to a Connection Manager on the AIX version 5.2 or Trusted Solaris 8 operating systems are approved for FIPS 140-2 certification. FIPS 140-2 specifies requirements for cryptographic modules to ensure protection of sensitive information in computer systems. o Windows 95 support withdrawn for the Mobility Client and Gatekeeper o Enhancement to the accounting and billing schema to generate SQL queries which return only records that match selection criteria. o Enhancements for the Mobility Client on the Windows operating systems that includes seamless cross-network roaming. o A new MNC, wireless communications transfer protocol (WCTP). o Enhancements for using other directory service servers (DSS) to store user account records. o Linux Mobility Client dial support for point-to-point protocol connections o Support for lightweight third party authentication (LTPA) and single sign-on for RADIUS and LDAP-bind authentication profiles. o Enhancements to HTTP access services that includes LTPA or Connection Manager session cookies to be added to the data stream. o Mobility Client information is documented in separate Client Guides, one for each supported platform: Linux, Palm OS, and Windows. 4.5 New features for Version 5.0.0.2 o Pocket PC 2000 support withdrawn for the Mobility Client o Mobility Client support added for Windows Mobile 2003-based Pocket PC 4.6 New features for Version 5.0.1 o Support for Solaris 9 o Support for IBM Directory version 5.1 o Support for IBM DB2(R) Universal Database(TM) Enterprise Edition version 8.1 with FixPak 2 o Lightweight third-party authentication (LTPA) support for the WAP proxy o Mobility Client for Windows Pocket PC 2002 and Windows Mobile 2003 support for Microsoft Connection Manager o You can set the maximum size of the Connection Manager message log file and you can also specify the allowable number of backup files that are saved. 4.7 Connection Manager locale The Connection Manager runs in EN_US.UTF-8 locale if it is available. This locale exists by default or the install creates it on Linux and Solaris. On AIX, the installation will default to en_US, if EN_US.UTF-8 is not available. 4.8 New DSS schema changes for Version 5.0.1 include: The objectclass ibm-wlAuthMethod includes new attributes of: ibm-wlAuthRef - Specifies another authentication profile that can be used when the primary authentication profile cannot. For example, if the directory service server (DSS) for the primary authentication profile is not available, the backup authentication profiles are used. authtimeout - Specifies the maximum amount of time, in seconds, that the Connection Manager will wait for a response from an external authentication server before trying backup servers or the maximum amount of time, in seconds, that the Connection Manager will wait for a response from an LDAP-bind operation before ending the session. Ltpa Port - Specifies the directory service server (DSS) port number to include in the lightweight third-party authentication (LTPA) token. Default realm - Specifies the domain suffix that is appended to user IDs when no realm is specified. The domain suffix can be replaced up to the first dot after the at (@) sign. For example, if you specify a default realm of fr.mycompany.com and user klaus logs in using only the word klaus, the user ID becomes klaus@fr.mycompany.com. If the user logs in using klaus@us, the domain is extended so that the user ID becomes klaus@us.mycompany.com. The objectclass ibm-wlAuthLdap includes a new attribute of: Ldap search criteria - Specifies a text string to use in LDAP search filters as defined in "RFC 2254, A String Representation of LDAP Search Filters". This field is used in addition to the User key field. The objectclass wlCfg includes a new attribute of: maxidle - Specifies the time in seconds to maintain the external connection to the DSS or relational database (RDB) for performance reasons. 4.9 AIX Version 5.2 ML 1 If you are using AIX version 5.2 and are experiencing problems with only loopback-related transactions either to the MNI or outside of Connection Manager completely, try installing AIX 5.2 maintenance level (ML) 1. Note that ML 1 may cancel AIX 5.2 common criteria certification, which nullifies the Connection Manager FIPS 140-2 certification. 4.10 New features for Version 5.0.1.1 o Support for Red Hat Enterprise Linux ES o Support for Java runtime environment (JRE) version 1.3.1-6.0 which is required to use the IBM Key Management (gskit) software. To obtain a version of this JRE, download the version 5.0.1.1 Gatekeeper for Linux. 4.11 New features for Version 5.0.1.4 o Support for specifying a distinguished name (DN) and password to which a connection is bound when searching LDAP for a client's authentication credentials. On the LDAP tab of LDAP-bind authentication profiles, specify the DN and password when your directory service server (DSS) does not have anonymous search capability. As a result of this change, the objectclass ibm-wlAuthLdap includes new attributes of: userid - Specifies the distinguished name (DN) to which the connection is bound when searching LDAP for a client's authentication credentials. ibm-ldapPassword - Specifies the password for the distinguished name (DN) to which the connection is bound when searching LDAP for a client's authentication credentials. _____________________________________________________________________________ 5.0 Fixed Authorized Problem Analysis Reports (APARs) 5.1 APARs fixed in version 5.0.0.2 19830 - LTPA token built with wrong LDAP server address when using LDAP-bind secondary authentication 20351 - WAP header overflow for header length > 1024 bytes IY43817 - DNS host name lookups fail with 2.1.1.13 EWC for win32 IY45035 - Discrepancies between ACCTDATAINFO and ACCTDISCINFO byte counts IY46754 - Messaging gateway should fail push messages larger than the MTU IY46796 - WAP code doesn't understand a type of "images/*" IY46997 - wgated hang IY47684 - HTTPAS login form is returned out of sequence by T-Mobile. IY47105 - Gateway should reset crypto after successive failures. This APAR is prevalent in HA environments when moving back and forth between HA nodes. IY47776 - A Mobile Access Service object cannot be create when logged into Gatekeeper with an administrator ID IY48183 - wg.log configured for non-default location writes to default. IY48520 - WECM READ or DELETE ops to DB may fail if connection does not exist IY48925 - INSTALL_WG script sets the DB2FILESET variable to wrong value IY49047 - Byte ordering problems on Linux Gateway with rnc3000 MNC IY49088 - LTPA support broken when WAS and WECM LDAPs are different IY49223 - WAP proxy fails to deliver data when Content-Length token is not present IY49337 - RADIUS: WECM sending auth request to both primary and secondary radius servers IY49338 - RADIUS: Non-existent user gets logged in when configured for RADIUS authentication while primary radius server is down and secondary server rejects the request 5.2 APARs fixed in version 5.0.0.3 IY49964 - Unable to see and create resources in Gatekeeper after migration IY49966 - Can't start/stop gateway from gatekeeper IY50145 - DSS & database connections to WECM not persisted properly IY50165 - Gray out TCP transmit time to live if MNC uses Connection Profile IY50166 - Remove "Sequenced packet time to live" on MNC General tab IY50631 - Date format for wg.log is not using English when Use Message Cat is set to false IY50701 - Gateway should not send TERM_USER_OVERRIDE unless the override user DN matches the new session user DN IY50792 - WECM install fails if Oracle runtime client is not present IY63637 - WECM connection manager intermittently core dumps while processing wctp traffic. 5.3 APARs fixed in version 5.0.1 are cumulative of all APARs fixed in 5.0.0.x 5.4 APARs fixed in version 5.0.1.1 IY50379 - Locality and State OUs are not added to CSR when using wg_cert tool IY51450 - DataDirect ODBC library not loading on Linux IY51851 - WECM does not support Organization objectclass IY51854 - Configuring SUN ONE LDAP Server instructions are inaccurate when indicating the ldapmodify command to issue IY52051 - Memory leak in Connection Manager IY52110 - Connection Manager core dumps when message logging is returned to default level IY52192 - Connection Manager log will not reset on SuSE Linux 8.2 IY52453 - Network address translation mapping is not persisted across a gateway crash IY52544 - Verisign root certificates have expired, preventing HTTP access services from establishing SSL connections IY52548 - WECM does not allow for redundant enterprise LDAP definitions IY52578 - SMS UCP is broken the WebSphere Everyplace Connection Manager IY52700 - Cannot configure SSL connection for Gatekeeper IY52780 - Cannot initialize kernel interface when in 64-bits IY53081 - Gatekeeper showing connected state of 255 or 233 for logged in users. Incorrect state shown on Connection Manager IY53156 - Mobility Client is being terminated by the Connection Manager during login attempt 5.5 APARs fixed in version 5.0.1.2 IY51880 - WAP push of SYNCHML notification and bootstrap messages is failing IY53565 - WECM Messaging service fails when attempting to deliver SMTP push messages IY53579 - WECM not resolving user accounts when configured for user DSS mode IY53633 - Messaging Services not shown as menu item for AIX and Linux IY53648 - Connection Manager status (stopped/running) not reported correctly when an error occurs during startup whil connecting to the active session database IY53685 - Connection Manager not binding to correct Application Service in a clustered environment when 2 or more Connection Managers share an LDAP directory and each has an Application Service defined with the same port. IY53792 - Add user wizard not showing organizational unit structure which allows selection of user's location in the LDAP tree IY53864 - WECM users unable to authenticate after Connection Manager deadlock while processing the active session table which results in a core dump IY53913 - Gatekeeper and wg_monitor showing different values for users. Connection Manager is not cleaning up sessions properly and eventually exhausts the pool of WECM DHCP addresses. IY54091 - Creating a NAT resource defined across a range of IP addresses causes an invalid argument exception IY54193 - NAT does not function properly if a client logs out and then logs back in IY54209 - Cannot do an overwrite install on SuSE Linux with the install_wg script IY54520 - Running the wluser50.ksh migration script may result in an "objectclass violation" error when migrating to WECM version 5 IY54606 - Connection Manager still creating accounting records when Accounting & Billing is disabled IY54689 - TCP optimization timing hole in Connection Manager IY55022 - Use of TCP-Lite may lead to dead-lock condition in lossy networks when the TCP-Lite session is activated prior to completion of the login exchange IY55023 - Use of TCP-Lite may lead to dead-lock when logging in with a user ID that is already active in the system IY55039 - Gatekeeper cannot display wg.trace if it is not in /var/adm, the default location IY55191 - WECM is unable to communicate with Outlook Web Access (OWA) via a reverse proxy server 5.6 APARs fixed in version 5.0.1.3 IY56116 - Buffer overflow in TPKDP exchange causes heap corruption and chance for random process cores. 5.7 APARs fixed in version 5.0.1.4 IY49455 - Connection Manager on Linux does not enforce user expiration IY55119 - WECM Connection Manager "Failed to add top level" if using DC= type suffix IY55614 - WECM writing to enterprise DSS when it should not be IY55618 - Mobitex MNC not being connected when running on Linux IY55623 - WECM Connection Manager exception in PacketMapper when Mobile Access is configured without an MNI IY55817 - Gatekeeper gateway log retrieval function only gets a partial Connection Manager log IY55977 - HTTP 502 from WebSphere Everyplace Connection Manager WAP proxy IY56175 - WAP gateway will core dump if the location field in an HTTP header is larger than 512 bytes IY56220 - Connection Manager on Linux fails to initialize MNI at startup due to a timing hole in the IPStack handling code IY56360 - Connection Manager can only perform an anonymous LDAP-bind IY56368 - Mobility Client connect fails if multiple cert authentication based connect attempts occur within short time period IY56552 - Cannot set SMPP optional parameters such as "callback_num" IY56743 - The character "@" is translated to 0x00 by WECM prohibiting use of WEA SIA via SMS IY56772 - Deadlock (hang) condition in Connection Manager when using TCP-Lite function IY56799 - Connection Manager is sending data packets which are too large for the DataTAC network IY56951 - Introduce a configuration option to the Connection Manager to turn off the termination acknowledgments to clients IY57136 - Memory leak in AES encryption routines may lead to a deadlock in the Connection Manager IY57169 - Connection Manager database configuration fails with DB2 8.1 Fixpak 7, DB2 8.2 IY57374 - WECM HTTP Access Services (HTTPAS) session fails if initial HTTP POST is larger than 64K IY57395 - Delayed SMS messages not received at SMSC; gateway cores IY57395f_1 Delayed SMS messages not received at SMSC; gateway cores IY57428 - After upgrading, clients are unable to login IY57455 - WECM core dump handling roam for anonymous account when session has been idled and no active session entry exists IY57589 - Connection Manager on Linux does not properly respond when a password fails to meet established policies IY57884 - WECM does not allow Device Client validation model when Key Exchange set to None IY57952 - WGATTACHD process not killing all Gateway (WGATED) processes IY58061 - Motorola VRM devices are unable to gain access to network IY58198 - WECM is not displaying the system container in Gatekeeper IY58203 - Memory leak when WECM acts as an SMS gateway IY58300 - WAP and device resolver are not writing device information to active session table for WES environment IY58302 - Connection Manager certificate authentication fails with key lengths other than 1024 bits IY58669 - WECM Connection Manager on Linux will hang up or freeze when using SSHA passwords IY58720 - NON ICMP TRAFFIC STOPS FLOWING THROUGH THE CONNECTION MANAGER IY58753 - WECM Connection Manager MNI filter update ends client connections IY58757 - Connection Manager is not properly matching RADIUS authentication requests and responses IY58949 - The /var directory is replaced with wg.log renamed to /var IY59020 - SMS messages not delivered over SMS-OIS (TCP/IP) mobile IY59126 - Connection Manager unable to complete SSL connection to OpenLDAP IY59234 - Connection Manager needs to allow disablement of auto enrollment for externally authenticated users IY59417 - Authentication failed message on first login attempt followed by successful login to WebSphere Everyplace Connection Manager IY59435 - Deadlock on Gateway due to multiple ACKs from SMS-C IY60026 - ACKs from retransmitted SMS messages cause exception IY60284 - WECM not responding to Mobitex IAS originated keepalive IY60293 - Incorrect user ID over dial up causes Gateway to disconnect IY60610 - Error in unsolicited traffic using messaging application services layer not accounting for port extension IY60611 - Password policy changes to support consecutive character restrictions and alpha, digit, and other grouping IY60788 - WGATED not cleaning congestion timers on logout. May cause core for networks that support congestion handling such and Motorola PMR. IY60792 - Connection Manager no handling User DSS lookups when key field is changed IY61003 - Connection Manager receives database errors creating index and preparing statements when under a heavy load IY61066 - If more than ten MNIs are created within a Connection Manager, the wgated process will crash IY61536 - SMS messages will be resent if wgated is restarted prior to receiving confirmations for these messages IY62053 - WECM gateway is not properly closing the WGATED.CONF file after reading it on startup IY62445 - Memory leak in WGATED - SMS messaging IY62679 - Connection Manager accounting is recording MNI address rather than the destination address for inbound packets IY62737 - External User DSS mode requires root in order to see the User DSS tree in Gatekeeper IY62770 - WGATED uses 100% of CPU time IY63090 - "Duplicate CONFREQ" error received when more than 2 routes are defined in an MNI IY63361 - Timing error in TCP-OPT retransmit after roam may cause core dump. Stack trace shows FireRetransmitAll as offending function. IY63637 - WECM Connection Manager intermittently core dumps while processing WCTP traffic IY63725 - HTTP Codec for TCP-Lite inserting "Connection: close" when "Connection" token is not present for http responses. IY63813 - WECM core dump if Mobitex MTU is greater than 512. IY64169 - Statically link in LDAP 5.1 libraries to enable advanced LDAP client function. 5.0.1.3+ failed to work with IDS 3.2.1. IY64173 - Enable WES-AST configuration in a non-WES environment IY64509 - Dynamic update for "trace" flag on user records. IY64961 - Linux gateway cores on relogin of existing session. IY65477 - GK may delete resource if update involves ldap storage failure. If the DN is changed for the resource and the change is invalid, WECM may delete the original resource. _____________________________________________________________________________ 6.0 Trademarks and Copyright AIX, DB2, DB2 Universal Database, Everyplace, IBM, and WebSphere are trademarks or registered trademarks of the IBM Corporation in the United States or other countries or both. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Linux is a trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, and service names may be trademarks or service marks of others. Copyright International Business Machines and others, 1994, 2004. All rights reserved.