This README contains information about the IBM(R) WebSphere(R) Everyplace(R)
Connection Manager Version 5.1.0.2 as well as any late-breaking information
that was not available for printed publications.

This product contains RSA encryption code.

This product is supported on:

  o IBM AIX(R) 5.1 Maintenance Level 4
  o IBM AIX 5.2 Maintenance Level 1
  o July 2003 C++ Runtime PTF (xlC.aix50.rte.6.0.0.7)
  o Solaris 8, Solaris 9, and Trusted Solaris 8
  o Linux: Red Hat Enterprise Linux 3.0 ES/AS, SuSE Linux Enterprise Server 8,
    SuSE 8.1, SuSE 8.2, or SuSE 9.0

To download AIX operating system fixes, see:
http://www.ibm.com/servers/eserver/support/pseries

_____________________________________________________________________________

Table of Contents

1.0 Product Description
2.0 Getting Help
3.0 Installing and Configuring
4.0 Late-breaking Information
5.0 Fixed Authorized Problem Analysis Reports (APARs)
6.0 Trademarks and Copyright

_____________________________________________________________________________

1.0 Product Description

The IBM WebSphere Everyplace Connection Manager consists of the following
components:

  o Connection Manager runtime environment.
  o Gatekeeper, a Java(TM) graphical user interface for managing and
    configuring the Connection Manager system and subsystems.
  o Access Manager, used to support Gatekeeper access to the runtime
    environment and persistent data store.
  o Mobility Client, an optional interface that provides an optimized and
    secure IP tunnel for communication with the Connection Manager using a
    variety of wireless and wireline networks.

_____________________________________________________________________________

2.0 Getting Help

Online help is available through the Gatekeeper and the Mobility Client.
Also see the web site at:
http://www.ibm.com/software/pervasive/ws_everyplace_connection_manager/support
for more information and the latest updates.
_____________________________________________________________________________

3.0 Installing and Configuring

3.1 See the IBM WebSphere Everyplace Connection Manager Administrator's Guide
    for information about installing for the first time or applying
    maintenance. The guide is in portable document format (PDF); you need
    Adobe Acrobat Reader Version 3.0 or later to display or print it. The
    guide is on installation CD 2 and is also located at
    http://publib.boulder.ibm.com/pvc/wecm/51/

_____________________________________________________________________________

4.0 Late-breaking Information

4.1 If you are using the Secure Hash Algorithm (SHA) to store passwords in
    LDAP (the default for Netscape Directory), login sessions that use the
    native PPP protocol with CHAP for authentication will fail. CHAP requires
    the server to know the cleartext password in order to recompute the
    client's challenge response, and a one-way SHA hash does not provide it.
    If this type of session is a requirement, use clear text for password
    storage.

4.2 New features for Version 5.1

  o Dynamic transport profiles, which recognize the network type that
    Mobility Clients use and automatically apply tuning characteristics to
    achieve optimal performance. This feature simplifies Mobility Client
    configuration and enhances seamless roaming by automatically switching
    network-specific performance settings when roaming occurs.
  o Improved ease of use in small environments on the Linux operating system
    for configuring mobile network interfaces (MNI) without the need for
    external routing updates and subnetwork assignments. By using dynamic
    host configuration protocol (DHCP) and proxy-ARP (address resolution
    protocol) technologies, after an address is reserved by the Connection
    Manager, ARP and route entries are automatically added to local system
    tables to give the address a presence on the network.
  o Improved ease of installation in smaller organizations, such as
    proof-of-concept environments.
    This feature includes an installation and configuration wizard that takes
    advantage of new configuration options for the mobile network interface.
    See the IBM WebSphere Everyplace Connection Manager Quick Start Guide for
    more information.
  o Improved ease of use in configuring access for Gatekeeper administrators,
    either as Super users or restricted to an access control list (ACL)
    profile. An ACL profile is a collection of ACLs that you assign to
    administrators to define their level of access to resources.
  o Enhanced wg_monitor command line utility, used to view the packet flow
    through the Connection Manager to aid in debugging and to gather real-time
    information on the active session table in memory of the wgated process.
  o Improved account troubleshooting: message logging can be restricted and
    filtered to display only an individual user ID or device.
  o Support for user administration portlets using WebSphere Portal Server
    version 5.0.2.1.
  o Changed installation paths for the Connection Manager.
  o The Connection Manager is enabled for use by IBM Tivoli License Manager.
  o Removed support for account lookup as a method of validating WAP clients.
  o Support for IBM Tivoli Directory Server version 5.2.
  o Support for IBM DB2 Universal Database Enterprise Edition version 8.1 with
    FixPak 2 or Oracle 9i.
  o New configuration properties for mobile access services include:
    - Whether or not a single user ID is permitted to sign on multiple times
      from separate devices simultaneously.
    - Whether the Connection Manager sends a message to Mobility Clients that
      their sessions are terminated before the Connection Manager shuts down.
  o A new network management trap message (120289) is available for when a
    mobile session has roamed to a new device.
  o The device adapter name is now stored as a session database field.
  o Removed support for Microsoft Windows 98, Windows Me, and Windows NT for
    Gatekeeper and Mobility Clients.
  o Removed support for Mobility Clients using Handheld Pocket PC.
  o Added support for Symbian OS Mobility Clients using Sony Ericsson P900
    devices.
  o Added support for Mobility Clients using Windows Mobile 2003 Second
    Edition.
  o The Mobility Client can be configured to check that certain programs are
    running, such as antivirus or personal firewall software, before allowing
    the connection to start. This feature is not available on Palm OS or on
    the Sony Ericsson P900 device.
  o The Mobility Client can be configured to automatically start one or more
    programs after the initial connection successfully completes. On Palm OS,
    only one program can be configured to automatically start. This feature is
    not available on the Sony Ericsson P900 device.
  o Mobility Client configuration files can be exported and imported, which
    gives an administrator the ability to set or change Mobility Client
    options, then distribute the new configuration to the client. The user
    imports the new configuration and accepts the changes. This feature is not
    available on the Sony Ericsson P900 device.
  o To aid in problem determination, Mobility Clients can automatically collect
    troubleshooting information during a connection attempt. This information
    aids in first failure data capture. This feature is not available on the
    Sony Ericsson P900 device.
  o The Mobility Client trace viewer is a free-standing window that displays
    trace messages and can be configured to close after the connection is
    successfully completed. This feature is not available on Palm OS or on the
    Sony Ericsson P900 device.
  o Enhancements that enable WebSphere Everyplace Access version 5.0 clients
    to seamlessly start connections to the Connection Manager during the
    synchronization process.

4.3 Connection Manager locale

    The Connection Manager requires the English UTF-8 locale: on AIX it is
    EN_US.UTF-8, on Solaris it is en_US.UTF-8, and on Linux it is en_US.utf8.
    On the AIX operating system, obtain the English UTF-8 locale from the AIX
    installation media.
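Section 4.1 above states that CHAP over native PPP fails against {SHA}-stored LDAP passwords. The following Python is an added example, not code from this README or from the Connection Manager product; it models both sides of the PPP CHAP exchange (RFC 1994, MD5 algorithm) and the two LDAP userPassword storage forms to show why: the server must recompute MD5(Identifier || secret || Challenge), and a one-way {SHA} digest of the secret does not let it. The secret, identifier and challenge values are constructed sample data, and the function names (chap_response, verify_chap, run_login, and so on) are this example's own.

```python
"""Why CHAP over PPP fails when LDAP stores passwords as {SHA}.

Added example; it is not part of the Connection Manager README or product.
It models both sides of the PPP CHAP exchange (RFC 1994, MD5 algorithm) and
the two LDAP userPassword storage forms named in section 4.1. The user
secret, CHAP Identifier and challenge bytes are constructed sample data.
"""
import base64
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def ldap_userpassword_sha(secret: bytes) -> str:
    """userPassword in {SHA} form: base64 of the one-way SHA-1 digest of the secret."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(secret).digest()).decode("ascii")


def ldap_userpassword_clear(secret: bytes) -> str:
    """userPassword stored in clear text (the workaround section 4.1 requires)."""
    return secret.decode("utf-8")


def verify_chap(stored_userpassword: str, identifier: int,
                challenge: bytes, response: bytes) -> bool:
    """Server side. The MD5 over the challenge can only be recomputed when the
    stored value yields the cleartext secret. Any {scheme}-prefixed value
    ({SHA}, {SSHA}, {crypt}, ...) is a one-way hash of the secret, so the
    expected response cannot be derived and the login is rejected."""
    if stored_userpassword.startswith("{"):
        return False
    expected = chap_response(identifier, stored_userpassword.encode("utf-8"), challenge)
    # constant-time comparison of the 16-byte MD5 responses
    return hmac.compare_digest(expected, response)


def run_login(secret: bytes, store_as_sha: bool, challenge: bytes = None) -> bool:
    """One full exchange: server issues a challenge, client answers, server checks."""
    identifier = 0x2A                                        # constructed CHAP Identifier
    challenge = challenge or os.urandom(16)                  # server-chosen random challenge
    response = chap_response(identifier, secret, challenge)  # client holds the cleartext
    stored = ldap_userpassword_sha(secret) if store_as_sha else ldap_userpassword_clear(secret)
    return verify_chap(stored, identifier, challenge, response)


if __name__ == "__main__":
    pw = b"sample-secret-1"   # constructed sample password
    print("clear text storage:", run_login(pw, store_as_sha=False))  # True
    print("{SHA} storage:     ", run_login(pw, store_as_sha=True))   # False
```

The trade-off this makes concrete: CHAP's challenge-response keeps the password off the wire only at the cost of reversible storage in the directory, which is why section 4.1 offers clear text as the sole workaround. Where native PPP/CHAP sessions are not a requirement, leaving the directory on {SHA} storage is the safer choice for every other consumer of those userPassword values.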
4.4 New DSS schema changes for Version 5.1 include:

    The objectclass wlUser has been changed to ibm-wlUser and the attributes
    renamed correspondingly:

    wlUser                   ibm-wlUser
    -------------------------------------------
    oldpasswords          -> passwordHistList
    trace                 -> ibm-wlIpTrace
    authreq               -> ibm-wlAuthRequired
    ipaddr                -> ipAddress
    lastfail              -> ibm-wlLastFailed
    lastchg               -> ibm-wlLastModified
    expire                -> ibm-wlUserExpires
    locked                -> isLocked
    admchg                -> ibm-wlForceChange
    failed                -> unsuccessfulLoginCount
    addresstype           -> ibm-wlAssignmentType
    addresspool           -> ibm-wlDhcpGroupRef
    devicepool            -> ibm-wlDeviceRef
    mncauth               -> ibm-wlMncRef
    ibm-deviceIdVerify    -> ibm-wlVerifyDeviceID

    The following attributes were removed from wlUser and added to
    ibm-wlWapUser, which is only attached if WAP is turned on and a
    non-default setting is needed:

    wlUser                   ibm-wlWapUser
    -------------------------------------------
    hproxyauth            -> ibm-wlproxyauth
    hproxyuserid          -> ibm-wlproxyuserid
    hproxypassword        -> ibm-wlproxypassword
    httpproxyport         -> ibm-wlproxyport
    httpproxyaddr         -> ibm-wlproxyaddr
    defwaphomepage        -> ibm-wldefwaphomepage

    The new objectclass ibm-wlTransProfile includes new attributes of:

    cn                       Common name
    ibm-wlOtherOu            Additional Organizational Units
    description              Description
    tcpopt                   TCP protocol optimization
    ibm-wlEnableCompr        Compress data
    ibm-wlReduceIpHdr        Reduce IP headers
    retransttl               TCP retransmit suppression timer
    ibm-wlBurstRate          Packet burst rate
    minwindowsize            Minimum TCP window size
    maxwindowsize            TCP receive window size
    ibm-wlMaxPktSize         Maximum TCP packet size
    ibm-wlMaxRetransmit      Maximum number of retransmits
    ibm-wlsarbalance         Balance size of PDU fragments
    fragttl                  Fragment time to live
    ibm-wltransmitdelay      Outbound transmission delay (ms)
    ibm-wlbuffersize         Maximum size of a multi-packet buffer
    ibm-wlminfree            Minimum free space required to load packets
    ibm-wlpTcpSrvRef         TCP-Lite service
    ibm-wlNegMTU             Maximum Transmission Unit
    ibm-wlTransmitMTU        Default MTU
    ibm-wlReceiveMTU         Client MTU
    ibm-wlSpeed              Data throughput rate
    ibm-wlFilterOther        Filter other ports (protocol/port)
    ibm-wlFilterKnown        Filter well-known ports
    ibm-wlLcpEcho            WLP-LCP keepalive timer
    ibm-wlClientMP           Enable client-side multi-packet buffering
    ibm-wlServerMP           Enable server-side multi-packet buffering
    ibm-wlIpStackMtu         Client IP stack MTU
    ibm-wlTcpInitialRTT      TCP SYN retransmit interval (sec)
    ibm-wlackdelay           TCP ACK delay (ms)
    ibm-wlIpForward          Allow IP forwarding
    keywords                 Key words and phrases to match on

    These objectclasses: wlCm, ibm-wlWapServer, ibm-wlHttpService,
    ibm-wlApplService, and ibm-wlPassthruService include new attributes of:

    ibm-wlSSLFIPSMode        Only use FIPS 140-2 approved
    ibm-wlSSLFIPSV3Ciphers   V3 Ciphers
    ibm-wlSSLFIPSTLSCiphers  TLS Ciphers
    ibm-wlSSLV2Ciphers       V2 Ciphers
    ibm-wlSSLV3TLSCiphers    V3 and TLS Ciphers

    A new objectclass named ibm-wlIpDataProfile, which is derived from
    ibm-wlDataProfile, includes new attributes of:

    cn                       Common name
    ibm-wlOtherOu            Additional Organizational Units
    description              Description
    version                  Version
    hdrreduction             Protocol header reduction
    keyrotation              Enable encryption key rotation
    allowpppneg              Allow generic PPP negotiation
    authenticationtype       Key exchange algorithm
    keyinterval              Key rotation interval (minutes)
    allowuseridneg           Client validation model
    encrypttype              Minimum level of encryption
    ibm-wlAuthRef            Authentication profile
    compresstype             Compression algorithm
    ibm-wlMaxThreads         Maximum number of processing threads
    ibm-wlSarDelay           Transmission delay between fragments
    ibm-wlTransProfileRef    Transport profile(s)
    ibm-wlDfltTransProfileRef Default transport profile

    The objectclass wlmni includes new attributes of:

    eTargetAdapter           Network interface adapter to bind
    ibm-wlNatAddresses       Number of NAT addresses to request

    The objectclass ePasswordPolicy includes new attributes of:

    ibm-wlConsecChar         Maximum consecutive characters
    ibm-wlMinCharGroup       Minimum characters from 2 of 3 groups (alpha,
                             numeric, other)

    The objectclass ibm-wlWlpServer includes new attributes of:

    ibm-wlMultiSignon        Allow multiple sessions
                             per user ID
    ibm-wlSendTermAck        Send terminate message on shutdown

4.5 AIX Version 5.2 ML 1

    If you are using AIX version 5.2 and are experiencing problems with only
    loopback-related transactions, either to the MNI or outside of Connection
    Manager completely, try installing AIX 5.2 maintenance level (ML) 1. Note
    that ML 1 may cancel the AIX 5.2 Common Criteria certification, which
    nullifies the Connection Manager FIPS 140-2 certification.

4.6 Maximum limit of MNIs for each mobile access services

    The maximum number of mobile network interfaces (MNIs) that you can add to
    mobile access services is 1024.

4.7 Reboot after installation on AIX

    The AIX kernel extension modifications that address potential message
    queue overflows and lockups require a system reboot when upgrading to the
    Connection Manager version 5.1. After you install the Connection Manager
    on an AIX system, be sure to reboot the machine before starting the
    Connection Manager.

4.8 Recreate all LDAP-bind authentication profiles

    Because of modifications made to the LDAP-bind authentication profile,
    recreate all LDAP-bind authentication profiles after upgrading to
    Connection Manager version 5.1 from a prior release.

4.9 New features in version 5.1.0.1

  o Added support for limiting the Mobility Clients that are permitted to log
    on to the Connection Manager by device class. This capability is a
    security feature of the connection profile that is assigned to the mobile
    network connection (MNC) to which the client logs in.

4.10 New features in version 5.1.0.2

  o Added support for the Mobility Clients on the CE .NET operating system
    using Psion 7535 devices.
  o Added support for DB2(R) Universal Database(TM) Express Edition.
    - Before completing the configuration of version 5.1.0.2, there is a
      setupDB script that requires changing.
      Edit the file:

        AIX                /usr/opt/wecm/bin/setupDB
        Linux or Solaris   /opt/IBM/wecm/bin/setupDB

      Inside the Make_V8_ResponseFile() function at line 233, add this line
      (setupDB is a shell script, so the response-file variable is expanded
      with braces; $(...) would be a command substitution):

        echo "PROD=UDB_EXPRESS_EDITION" >> ${DB2RSPFILE}

      Save the file, then begin the configuration.

_____________________________________________________________________________

5.0 Fixed Authorized Problem Analysis Reports (APARs)

5.2 APARs fixed in version 5.1.0.1

    IY57169 - Connection Manager database configuration fails with DB2 8.1
              Fixpak 7, DB
    IY63090 - "Duplicate CONFREQ" error received when more than 2 routes are
              defined in an MNI
    IY63361 - Timing error in TCP-OPT retransmit after roam may cause core
              dump. Stack trace shows FireRetransmitAll as offending function.
    IY63725 - HTTP codec for TCP-Lite inserting "Connection: close" when
              "Connection" token is not present for HTTP responses
    IY63813 - WECM core dump if Mobitex MTU is greater than 512.
    IY62737 - External User DSS mode requires root in order to see the User
              DSS tree in Gatekeeper.
    IY64173 - Add configuration attributes to support WES-AST in a non-WES
              environment. These attributes are available only from the
              command line.
    IY64509 - Allow dynamic update of trace flag for VPN users.
    IY64839 - LDAP schema error when adding Connection Profiles at install
              time
    IY64961 - Linux gateway cores on relogin of existing session.

5.3 APARs fixed in version 5.1.0.2

    IY64173 - Add 3 attributes to the Connection Manager resource to allow
              the configuration of an AST in a non-WES environment
    IY64961 - WGATED core dump on Linux
    IY65357 - Schema file for IDS (ibm-wecm.ldif) missing attributes:
              authreq, personalid, httpproxyaddr, devicepool, defwaphomepage
    IY65477 - GK may delete resource if update involves LDAP storage failure.
              If the DN is changed for the resource and the change is
              invalid, WECM may delete the original resource.
    IY66154 - MNI intermittently fails to initialize on Linux
    IY66415 - Unable to add users in User DSS mode.
              GK will not display the correct primary OU tree in the
              make/properties panels.
    IY66650 - LDAP-bind with single sign-on (SSO) using HTTP access services
              fails to create LDAP record and returns a 503 to the HTTP client
    IY66870 - Add configuration option to SMS-SMPP MNC to allow override of
              the "replace_if_present" flag.
    IY67255 - HTTP Access with LDAP-bind or RADIUS authentication fails to
              create shadow user account with LDAP schema error message.

_____________________________________________________________________________

6.0 Trademarks and Copyright

AIX, DB2, DB2 Universal Database, Everyplace, IBM, and WebSphere are
trademarks or registered trademarks of the IBM Corporation in the United
States, other countries, or both.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc.
in the United States, other countries, or both.

Linux is a trademark of Linus Torvalds in the United States, other countries,
or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks
of others.

Copyright International Business Machines and others, 1994, 2005. All rights
reserved.