©Copyright International Business Machines Corporation 2007. All rights reserved. U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
NOTE: Before using this information and the product it supports, read the general information under Notices in this document.
Date: Friday, 14 September 2007
This fix pack corrects problems in IBM Tivoli Federated Identity Manager, Version 6.1.1. It requires that IBM Tivoli Federated Identity Manager, Version 6.1.1, be installed. After installing this fix pack, your Tivoli Federated Identity Manager installation will be at level 6.1.1.3.
This fix pack package contains:
This fix pack is distributed as an electronic download from the IBM Support Web Site.
This fix pack package supports the same operating system releases as the Tivoli Federated Identity Manager 6.1.1 release that are listed in the Hardware and software requirements document.
ATTENTION: In March 2007, the following versions of HP-UX Integrity on Itanium® were added to the list of supported operating systems:
If you installed Tivoli Federated Identity Manager on either of these versions, the administration console will display the version number "6.1.1.1." However, TFIMUI and a real fix pack must be installed to create the DE database, register TFIM 6.1.1 in the DE database as a deployed application, and register the fix pack as the installed level. Fix pack 1 bundles TFIMUI with it. If starting with a subsequent fix pack then TFIMUI must be downloaded from its download page and installed separately.
6.1.1-TIV-TFIM-FP0001
Tivoli Federated Identity Manager consists of three components that can be installed separately:
All components must be at the same level. Therefore, if you install a fix pack for one of the components, you must install that fix pack for the rest of the components. Components at one release level are not guaranteed to interoperate with components at a different release or fix pack level.
The following problems are corrected by this fix pack. For more information about the APARs listed here, refer to the Tivoli Federated Identity Manager support site.
Be aware of the following considerations before installing this fix pack:
NOTE: Before installing this fix pack, be sure that you have reviewed the prerequisites in Before installing the fix pack.
After you have downloaded the fix pack, you need to perform a few steps before you can run the installation program.
jar -xvf to unzip the file or download an unzip utility from the HPUX Connect site.
chmod +x *.sh in the /script directory.
variables file
If security is enabled on the WebSphere Application Server where Tivoli Federated Identity Manager is installed, you must provide the appropriate passwords in the fix pack variables file. If security is not enabled, you can skip this step.
If the TFIM runtime is installed on the system, then the three TFIMRuntime passwords must be specified. If the TFIM console is installed on this system then the three TFIMConsole passwords must be specified. If both the runtime and the console are anywhere on this system then both sets of passwords must be given.
The variables file contains the following passwords:
TFIMRuntimeWASPassword=
TFIMRuntimeTrustedJksPassword=
TFIMRuntimeJksPassword=
TFIMConsoleWASPassword=
TFIMConsoleTrustedJksPassword=
TFIMConsoleJksPassword=
To provide the appropriate passwords:
variables in the fix pack /script directory.
ATTENTION: If you added passwords to the variables file, as described here, the passwords are in plain text in this file. Be sure to remove the passwords from this file to prevent a security breach.
acsi is running, as follows:
ps -ef|grep acsi
/usr/ibm/common/acsi/bin/acsisrv.sh -start
Then ensure the service is running.
/script subdirectory of the directory where you unzipped the fix pack zip file.
install.bat on Windows systems
./install.sh for AIX, Solaris, Linux, or HP-UX
ATTENTION: If you added passwords to the variables file, as described in Preparing the variables file, the passwords are in plain text in this file. Be sure to remove the passwords from this file to prevent a security breach.
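The cleanup that the ATTENTION notes ask for, as an added example (not part of the fix pack or of IBM's scripts): a shell helper that blanks the six password values in the variables file once install.sh or uninstall.sh has finished and reports any key that still holds a value. It assumes the file uses plain key=value lines as listed above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: remove plain-text passwords from the fix pack "variables" file.
# Assumption: the file consists of key=value lines, as listed in this README.

# The six password keys named in this README.
TFIM_PW_KEYS='TFIMRuntimeWASPassword TFIMRuntimeTrustedJksPassword TFIMRuntimeJksPassword TFIMConsoleWASPassword TFIMConsoleTrustedJksPassword TFIMConsoleJksPassword'

# leftover_passwords FILE
# Print every password key that still has a non-empty value.
leftover_passwords() {
    file=$1
    for key in $TFIM_PW_KEYS; do
        # "Non-empty" means a non-blank character follows the '='.
        if grep -q "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*[^[:space:]]" "$file"; then
            echo "$key"
        fi
    done
}

# scrub_variables FILE
# Rewrite FILE with the six password values emptied; every other line is kept.
# Returns 0 only if no password value is left afterwards.
scrub_variables() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # Work on a private temporary copy next to the original.
    tmp=$(mktemp "${file}.XXXXXX") || return 2
    chmod 600 "$tmp"
    awk -v keys="$TFIM_PW_KEYS" '
        BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        {
            eq = index($0, "=")
            if (eq > 0) {
                name = substr($0, 1, eq - 1)
                gsub(/^[ \t]+|[ \t]+$/, "", name)
                if (name in want) { print name "="; next }
            }
            print
        }' "$file" > "$tmp" || { rm -f "$tmp"; return 2; }
    mv "$tmp" "$file" || return 2
    # Verify the result instead of trusting the rewrite.
    [ -z "$(leftover_passwords "$file")" ]
}
```

Editor backup copies of the variables file hold the same passwords and are not touched by this helper.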
After you have successfully installed the fix pack, you will need to redeploy the Tivoli Federated Identity Manager runtime.
This task is identical to the deployment task you completed after initial installation of the management service and runtime component. For example, in a WebSphere cluster environment you must ensure that the new runtime component is deployed to each WebSphere node.
See the Runtime node management chapter of the Tivoli Federated Identity Manager Configuration Guide. Complete the topic "Deploying the runtime as a WebSphere Application Server application."
NOTES
Runtime Information
----------------------------------------------
Current deployed version 6.1.1.3 [070406a]
Note: The number within the brackets [070406a] might be different from this example.
If you want to return your installation to the state it was in prior to installing the fix pack, you can uninstall the fix pack.
ATTENTION -- When you remove the management service and runtime component fix pack, you will lose any configuration (domains, federations, and so on) that you added after the fix pack was installed.
acsi is running, as follows:
ps -ef|grep acsi
/usr/ibm/common/acsi/bin/acsisrv.sh -start
Then ensure the service is running.
variables file that was used when the fix pack was installed, edit the file and add the appropriate passwords. Then save and close the file.
/script directory and then type the uninstall command:
uninstall.bat on Windows systems
./uninstall.sh for AIX, Solaris, Linux, or HP-UX
The uninstall process will remove the fix pack and revert to the previous versions of files that were changed by the fix pack.
For example, if you had installed fix pack 3 onto a Tivoli Federated Identity Manager 6.1.1.0 system, then after uninstalling fix pack 3 you would see the following:
Suite Name Version
----------------------------------------------------------
Tivoli Federated Identity Manager 6.1.1.0 [050428a]
Note: If you uninstalled the fix pack on an Itanium Tivoli Federated Identity Manager 6.1.1.0 system, the version number displayed will be 6.1.1.1 even after you uninstall the fix pack.
Runtime Information
----------------------------------------------
Current deployed version 6.1.1.0 [061110a]
Note: The number within the brackets [061110a] might be different from this example.
Note: If you uninstalled the fix pack on an Itanium Tivoli Federated Identity Manager 6.1.1.0 system, the version number displayed will be 6.1.1.1 even after you uninstall the fix pack.
The product documentation for Tivoli Federated Identity Manager, Version 6.1.1, can be found at this location.
Updates to the documentation follow:
To locate the white paper:
The TFIM Key Service manages keystores (for Signing/Encryption keys and for CA Certificates) and the keys and certificates in these keystores. However, the logical organization of the keys and certificates in keystores and the specification of keys and certificates using KeystoreName_AliasName as part of partner/federation configuration does not accurately represent how the TFIM Key Service actually manages the keys and certificates.
When the WebSphere Application Server (WAS) where the TFIM Runtime is installed is started, the TFIM Runtime will read in all keystore data as part of the initialization of the TFIM Key Service. When a new key/certificate for DN X is added via TFIM's console it is stored in the specified keystore on the disk. A WAS restart is needed for TFIM to read these keystores and build its maps of DNs and their keys/certs, making them available for use by TFIM's Key Service. The restart requirement is indicated by the message displayed, stating that a restart of the application server is necessary for the configuration changes to take effect.
When initializing the TFIM Key Service, each of the managed keystores is processed (in an unspecified order), reading in each key/cert in the keystore. Each new key/cert for a DN X is added to the DN-to-key/cert map as follows:
The keys/certificates are managed in this fashion to allow for "key rollover", which is the process that allows both a soon-to-expire key/cert and a new key/cert to reside in the keystores. Communications can occur using both keys/certificates while the new certificate is being disseminated to services that must use the certificate.
Consider the following scenario:
keystore1 (Signing/Encryption Keys)
keyA1 DN:CN=A,O=Comp,C=US expires:Dec 31,2010 serial=1234
keyB1 DN:CN=B,O=Comp,C=US expires:Dec 31,2010 serial=2345
certstore1 (CA Certificates)
certA1 DN:CN=A,O=Comp,C=US expires:Dec 31,2010 serial=1234
certC1 DN:CN=C,O=Comp,C=US expires:May 31,2007 serial=4567
certC2 DN:CN=C,O=Comp,C=US expires:Dec 31,2007 serial=5678
keystore2 (Signing/Encryption Keys)
keyB2 DN:CN=B,O=Comp,C=US expires:Dec 31,2010 serial=2345
certstore2 (CA Certificates)
certC3 DN:CN=C,O=Comp,C=US expires:Dec 31,2007 serial=5678
Keystores are processed in the order (first to last):
certstore1
keystore1
certstore2
keystore2
After the TFIM Key Service processes all of the keystores, the references for the DNs in the example will be:
CN=A,O=Comp,C=US will map to the keystore1_keyA1 key alias, since the private/public key pair takes precedence over the public certificate of certstore1_certA1.
CN=B,O=Comp,C=US will map to the keystore1_keyB1 key alias since it was the first key found, and duplicate keystore2_keyB2 is discarded/ignored.
CN=C,O=Comp,C=US will map to a chain with the certs certstore1_certC1 and certstore1_certC2. The duplicate cert certstore2_certC3 is discarded/ignored.
There are limitations with certain versions of the javax.net.ssl shipped with Java Secure Socket Extension (JSSE) that do not allow the specification of a CA certificate stored as a public/private key pair in a keystore that is for Signing/Encryption keys. In other words, a certificate that is to be used for validation of a server for an SSL connection cannot be stored as part of a public/private key pair in a keystore.
NOTE: This issue will only occur with the WAS 6.0.2.x version.
Referring to the example scenario above, this would occur if the specification for a CA certificate was keystore1_key1 OR certstore1_certA1, since the keystore1_key1 key would take precedence. (This could be considered an improper configuration since a public certificate should only be stored as a public signer certificate in a trusted keystore with CA certificates, and secure communications should not have a server, signing with a key, and a client, validating with a certificate, using the same DN.)
This limitation will result in an "unknown certificate" exception occurring when the TFIM runtime attempts to establish an SSL connection as part of an SSO protocol operation. The exception would be similar to the following:
[4/19/07 16:26:42:233 GMT] 00000048 HttpClientImp I com.tivoli.am.fim.soap.client.HttpClientImpl doRequest javax.net.ssl.SSLHandshakeException: unknown certificate
at com.ibm.jsse.bv.a(bv.java:67)
at com.ibm.jsse.bv.startHandshake(bv.java:163)
at com.ibm.net.ssl.www2.protocol.https.b.o(b.java:136)
at com.ibm.net.ssl.www2.protocol.https.i.connect(i.java:28)
at com.ibm.net.ssl.www2.protocol.http.bc.getOutputStream(bc.java:44)
at com.ibm.net.ssl.www2.protocol.https.l.getOutputStream(l.java:23)
at com.tivoli.am.fim.soap.client.HttpClientImpl.sendRequest(Unknown Source)
at com.tivoli.am.fim.soap.client.HttpClientImpl.doRequest(Unknown Source)
at com.tivoli.am.fim.soap.client.SOAPClientImpl.send(Unknown Source)
at com.tivoli.am.fim.saml.protocol.soap.SAMLSOAPClient.send(Unknown Source)
at com.tivoli.am.fim.saml.protocol.soap.SAMLSOAPClient.send(Unknown Source)
at com.tivoli.am.fim.saml20.types.SAML20HTTPSOAPResponseWriterImpl.sendSoapRequestMessage(Unknown Source)
at com.tivoli.am.fim.saml20.types.SAML20HTTPSOAPResponseWriterImpl.writeResponse(Unknown Source)
at com.tivoli.am.fim.saml20.protocol.actions.SAML20SendMessageAction.runProtocol(Unknown Source)
at com.tivoli.am.fim.fedmgr2.protocol.ProtocolActionChainImpl.runProtocol(Unknown Source)
at com.tivoli.am.fim.fedmgr2.proper.FederationManager.doChainAndResponseOnDelegate(Unknown Source)
at com.tivoli.am.fim.fedmgr2.proper.FederationManager.finishProcessingWithDelegateId(Unknown Source)
at com.tivoli.am.fim.fedmgr2.proper.FederationManager.processRequest(Unknown Source)
at com.tivoli.am.fim.fedmgr2.servlet.SSOPSServletBase.doRequest(Unknown Source)
at com.tivoli.am.fim.fedmgr2.servlet.SSOPSServlet.doGet(Unknown Source)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1282)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:673)
at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:2965)
at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:221)
at com.ibm.ws.webcontainer.VirtualHost.handleRequest(VirtualHost.java:210)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1931)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:84)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:472)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:411)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:288)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminaters(NewConnectionInitialReadCallback.java:207)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:109)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java:566)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java:619)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java:952)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java:1039)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1470)
To eliminate this problem, the TFIM runtime should be configured to use IBMJSSE2, which will support the extraction of a public certificate from a private/public key pair. A runtime custom property value can be set for the runtime node that experiences the error. This is done in the TFIM administration console by selecting "Domain Management"->"Runtime Node Management", selecting the "Runtime Custom Properties" button, creating a property with a name of "com.tivoli.am.fim.soap.client.jsse.provider" and a value of "IBMJSSE2", and restarting the WAS server.
As of Patch 2, the TFIM runtime will use the IBMJSSE2 provider as the default. The runtime custom property com.tivoli.am.fim.soap.client.jsse.provider can be used to specify IBMJSSE as the provider if desired.
The documentation for the TFIM staging tools that ship with the TFIM 6.1 and later releases has limited information about the valid properties that can be specified in the properties files that are passed as parameters to the staging utilities. To address this issue, the TFIM Staging Utilities Reference white paper has been written to document the valid properties that can be specified in a properties file used with the TFIM staging utilities. It can also be found under White Papers on the Tivoli Federated Identity Manager support site.
It is not possible to query the status of the FIM runtime from the eWAS console. The following wsadmin commands show how to query the FIM runtime's status as well as how to start and stop the FIM runtime from the command line. These commands assume the WAS server instance is named "server1".
wsadmin>$AdminApp list
wsadmin>$AdminControl queryNames type=Application,process=server1,name=ITFIMRuntime,*
wsadmin>set appManager [$AdminControl queryNames type=ApplicationManager,process=server1,*]
wsadmin>$AdminControl invoke $appManager stopApplication ITFIMRuntime
wsadmin>set appManager [$AdminControl queryNames type=ApplicationManager,process=server1,*]
wsadmin>$AdminControl invoke $appManager startApplication ITFIMRuntime
lppchk -v error on AIX (IY99366)
The ISMP version used for fix pack 1 has a defect that can cause AIX's lppchk -v command to report the following kind of error:
# lppchk -v
lppchk: The following filesets need to be installed or corrected to bring
the system to a consistent state:
FIMLic 6.1.1.1 (COMMITTED)
This error reports an inconsistent update of the ODM database by ISMP. It does not affect the functioning of TFIM at all. As of fix pack 2, a new version of ISMP is used that no longer causes this error. However, the error left by earlier installs will remain.
The following script will eliminate the lppchk -v error by removing the offending fileset from the ODM database. It takes a single argument, the fileset name that lppchk -v complained about, e.g., FIMLic in the example above.
#!/bin/ksh
# Removes the fileset named in $1 (for example FIMLic) and its ODM entries.
# Uncomment the block below to be asked for confirmation first.
#echo "Removing LPP $1: Are you sure?" 1>&2
#read foo
#
#case "$foo" in
#yes|y)
# ;;
#*)
# exit 1
#esac
#
# Require the fileset name argument.
if [ -z "$1" ]; then
  echo "usage: $0 fileset-name" 1>&2
  exit 1
fi
# Look up the lpp_id used by the inventory, history and vendor object classes.
LPPID=`ODMDIR=/usr/lib/objrepos odmget -q "name = $1" lpp | grep lpp_id | awk '{print $3}'`
echo
echo "Removing files of LPP $1..."
# -F: sets the field separator before the first record is read; field 3 is the file path.
lslpp -fcq "$1" | awk -F: '{print "rm -f",$3}' | sh -x 2>&1
echo
echo "Removing $1 from ODM (inventory,product,history,lpp,vendor)"
ODMDIR=/usr/lib/objrepos odmdelete -o inventory -q "lpp_id = $LPPID"
ODMDIR=/usr/lib/objrepos odmdelete -o product -q "lpp_name = $1"
ODMDIR=/usr/lib/objrepos odmdelete -o history -q "lpp_id = $LPPID"
ODMDIR=/usr/lib/objrepos odmdelete -o lpp -q "name = $1"
ODMDIR=/usr/lib/objrepos odmdelete -o vendor -q "lpp_id = $LPPID"
ODMDIR=/etc/objrepos odmdelete -o inventory -q "lpp_id = $LPPID"
ODMDIR=/etc/objrepos odmdelete -o product -q "lpp_name = $1"
ODMDIR=/etc/objrepos odmdelete -o history -q "lpp_id = $LPPID"
ODMDIR=/etc/objrepos odmdelete -o lpp -q "name = $1"
ODMDIR=/etc/objrepos odmdelete -o vendor -q "lpp_id = $LPPID"
ODMDIR=/usr/share/lib/objrepos odmdelete -o inventory -q "lpp_id = $LPPID"
ODMDIR=/usr/share/lib/objrepos odmdelete -o product -q "lpp_name = $1"
ODMDIR=/usr/share/lib/objrepos odmdelete -o history -q "lpp_id = $LPPID"
ODMDIR=/usr/share/lib/objrepos odmdelete -o lpp -q "name = $1"
ODMDIR=/usr/share/lib/objrepos odmdelete -o vendor -q "lpp_id = $LPPID"
The behavior demonstrated when a session has timed out during an SSO operation has been modified. Previously, a blank page was returned when the session had expired. Changes made under the APAR IY97194 have changed this behavior so that an error page, generated from the HTML template page protocol_error.html, will be returned that will display an exception indicating that a session timeout has occurred.
The default error page would be displayed as shown here:
An error occurred fulfulling the current request to
http://www.myidp.com:9080/sps/saml20Fed/saml20/auth.
This error was caused by an internal/unexpected error on the invoked
protocol module leading to the exception displayed below.
com.tivoli.am.fim.fedmgr2.exception.DelegateRuntimeExceptionWrapperException: +SessionTimeoutException
com.tivoli.am.fim.fedmgr2.exception.FMProcessingException: com.tivoli.am.fim.fedmgr2.exception.DelegateRuntimeExceptionWrapperException: +SessionTimeoutException
at com.tivoli.am.fim.fedmgr2.proper.FederationManager.finishProcessingWithDelegateId(FederationManager.java:353)
at com.tivoli.am.fim.fedmgr2.proper.FederationManager.processRequest(FederationManager.java:265)
at com.tivoli.am.fim.fedmgr2.servlet.SSOPSServletBase.doRequest(SSOPSServletBase.java:111)
at com.tivoli.am.fim.fedmgr2.servlet.SSOPSServlet.doGet(SSOPSServlet.java:130)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:989)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:501)
at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:464)
at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3168)
at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:254)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:811)
at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1433)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:96)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:465)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:394)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:274)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:152)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:213)
at com.ibm.io.async.AbstractAsyncFuture.fireCompletionActions(AbstractAsyncFuture.java:195)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:136)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:194)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:741)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:863)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1469)
Caused by: com.tivoli.am.fim.fedmgr2.exception.DelegateRuntimeExceptionWrapperException: +SessionTimeoutException
at com.tivoli.am.fim.fedmgr2.proper.FederationManager.finishProcessingWithDelegateId(FederationManager.java:351)
... 26 more
Caused by: java.lang.RuntimeException: SessionTimeoutException
at com.tivoli.am.fim.fedmgr2.proper.FederationManager.finishProcessingWithDelegateId(FederationManager.java:338)
... 26 more
The SAML claims should be part of the STS Universal User so that they can be referenced from the XSLT mapping modules but are not. The fix to this defect corrects this oversight. The claims are made available by defining the TFIM custom runtime property sts.add.saml.claims.
This is done in the TFIM administration console by selecting "Domain Management"->"Runtime Node Management", selecting the "Runtime Custom Properties" button, creating a property with a name of "sts.add.saml.claims" and a value of "true", and restarting the WAS server.
Due to interactions between assumptions made by the fix pack installer and the operation of the Deployment Engine component embedded in it, the standard instructions for applying a fix pack do not work when patching the 2nd-Nth TFIM 6.1.1 or TFIM 6.1.0 instance on a system. To simplify the wording, the following work-around describes patching just the 2nd instance of TFIM 6.1.1, but the instructions apply equally well to patching the 2nd-Nth instances of either TFIM 6.1.1 or TFIM 6.1.0. Also, the following two italicized words are used below as abbreviations for the following two directory paths:
TFIMUI-dir
2nd-TFIM-dir
The following steps must be executed in order to apply a fixpack to the 2nd TFIM 6.1.1 instance on a system. Steps (7) and (12) apply to a Unix/Linux installation where the 2nd TFIM instance's WAS application server did not use localhost but used a separate, unique IP address instead.
Note that if the WAS application server of the first TFIM instance to be patched did not use localhost but used a separate, unique IP address instead then the manipulation of localhost described by step (7) must be performed before running the update installer and step (12) must be performed after running the update installer.
On Windows, replace the .sh file extension in these steps with .bat.
(1) Find the file TFIMUI-dir/DE/test/selectedfeatures.
(2) Add/remove selectedFeature lines in this file until there's one for each feature in the 2nd TFIM. Check the 2nd-TFIM-dir/etc/version.properties file for a definitive list of the 2nd TFIM's features.
Each feature line in the 2nd-TFIM-dir/etc/version.properties file is of the form
itfim.build.version.featurename=6.1.1.n
where featurename is one of the choices in the first column of the table below and n is the installed fix pack number.
Each feature line in the TFIMUI-dir/DE/test/selectedfeatures file is of the form
selectedFeature\#RootIUTypeID[cc05dc31804627bba6e6661c48bf1a81,6.1.1.0]1\featurename=true
where featurename is one of the choices in the second column of the table below.
The mappings from the 2nd-TFIM-dir/etc/version.properties feature names to the TFIMUI-dir/DE/test/selectedfeatures feature names are as follows:
| 2nd-TFIM-dir/etc/version.properties feature name | TFIMUI-dir/DE/test/selectedfeatures feature name |
|---|---|
| ewas | #FIMEwasFeat |
| fimpi | #FIMIISPlugFeat |
| mgmtcon | #FIMConsoleFeat |
| rte-mgmtsvcs | #RunTimeAndManagementFeat |
| wsprov | #WSProvisioningFeat |
| wssm | #FIMWssmFeat |
(3) Fix up the last line in the TFIMUI-dir/DE/test/selectedfeatures file. This line looks like
Variable\#RootIUTypeID[cc05dc31804627bba6e6661c48bf1a81,6.1.1.0]\#InstallLocation=some-TFIM-dir
Replace the existing some-TFIM-dir with the installation directory path of the 2nd TFIM instance.
(4) Change the -r option in the last line of the TFIMUI-dir/DE/test/install.sh file from whatever TFIM installation directory is there (/opt/IBM/FIM initially) to the installation directory path of the 2nd TFIM instance.
(5) On Unix/Linux, execute the following command: chmod a+x TFIMUI-dir/DE/test/*.sh
(6) Execute TFIMUI-dir/DE/test/install.sh to register the 2nd TFIM in the DE database.
(7) If the WebSphere application server hosting the TFIM component is not listening on localhost, then
/etc/hosts file, moving localhost to the line that defines the IP address used by the 2nd TFIM's WAS application server (or create such a line).
acsi service.
(8) Go to the unzipped fix pack's files, find the script/ directory.
(9) Change the -r option in the last line of the script/install.sh file from whatever TFIM installation directory is there (/opt/IBM/FIM initially) to the installation directory path of the 2nd TFIM instance.
(10) Fix up the passwords in the script/variables file to be those of the 2nd TFIM.
(11) Execute the script/install.sh file to apply the fix pack to the 2nd TFIM.
(12) If the WebSphere application server hosting the TFIM component is not listening on localhost, then
/etc/hosts file made in step (7).
acsi service.
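For the selectedfeatures step of the procedure above, an added example (not part of the fix pack or the update installer): a shell helper that derives the selectedFeature lines the 2nd instance needs from its version.properties, using the mapping table and line format given above, and lists what to add to or remove from the existing selectedfeatures file. The function names are hypothetical, and both file paths are passed in as arguments.

```shell
#!/bin/sh
# Added example: compare TFIMUI-dir/DE/test/selectedfeatures with the features
# recorded in 2nd-TFIM-dir/etc/version.properties.

# Root IU identifier exactly as it appears in the README's selectedFeature line.
ROOT_IU='RootIUTypeID[cc05dc31804627bba6e6661c48bf1a81,6.1.1.0]'

# expected_selected_features VERSION_PROPERTIES
# Print one selectedFeature line per "itfim.build.version.<feature>=" entry.
expected_selected_features() {
    awk -v root="$ROOT_IU" '
        BEGIN {
            # Mapping table from this README.
            map["ewas"]         = "#FIMEwasFeat"
            map["fimpi"]        = "#FIMIISPlugFeat"
            map["mgmtcon"]      = "#FIMConsoleFeat"
            map["rte-mgmtsvcs"] = "#RunTimeAndManagementFeat"
            map["wsprov"]       = "#WSProvisioningFeat"
            map["wssm"]         = "#FIMWssmFeat"
            prefix = "itfim.build.version."
        }
        index($0, prefix) == 1 {
            rest = substr($0, length(prefix) + 1)
            eq = index(rest, "=")
            if (eq == 0) next
            feat = substr(rest, 1, eq - 1)
            if (feat in map)
                printf "selectedFeature\\#%s1\\%s=true\n", root, map[feat]
            else
                printf "not in mapping table, skipped: %s\n", feat > "/dev/stderr"
        }' "$1"
}

# selected_features_delta VERSION_PROPERTIES SELECTEDFEATURES
# Print "+ line" for each line to add and "- line" for each line to remove.
# Only selectedFeature lines are compared; the Variable line is left alone.
selected_features_delta() {
    want=$(expected_selected_features "$1" | LC_ALL=C sort -u)
    have=$(grep '^selectedFeature' "$2" | LC_ALL=C sort -u)
    printf '%s\n' "$want" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s\n' "$have" | grep -Fxq -- "$line" || printf '%s %s\n' '+' "$line"
    done
    printf '%s\n' "$have" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s\n' "$want" | grep -Fxq -- "$line" || printf '%s %s\n' '-' "$line"
    done
}
```

No output from selected_features_delta means the file already has exactly one selectedFeature line per installed feature.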
The installer sets the wrong com.tivoli.am.fim.was.home value when the product is installed on Windows. Here is an example of an incorrect entry in the software.properties file (the file is installed in the directory /<TFIM installation directory>/pkg):
com.tivoli.am.fim.was.home=C:\Program FilesIBMWebSphereAppServer
The value should be:
com.tivoli.am.fim.was.home=C:/Program Files/IBM/WebSphere/AppServer
The TFIM runtime can be successfully deployed, but users are never able to select the runtime to configure it from the runtime node management panel of the TFIM administration console. The software.properties file must be manually edited to fix the incorrect entry so that it has the correct slashes ('/') in the path value.
If you install a Tivoli Federated Identity Manager component to the system after the fix pack has been applied, you must reinstall the fix pack on that system, so that all components are at the same level.
To re-apply the fixpack:
<TFIM UPDATE INSTALLER>/DE/test/
<TFIM UPDATE INSTALLER> is the directory where the update installer was installed.
./addconsolefeat.sh on AIX, Linux, Solaris, or HP-UX
addconsolefeat.bat on Windows
./addmgmtfeat.sh on AIX, Linux, Solaris, or HP-UX
addmgmtfeat.bat on Windows
./addwssmfeat.sh on AIX, Linux, Solaris, or HP-UX
addwssmfeat.bat on Windows
./addwspfeat.sh on AIX, Linux, Solaris, or HP-UX
addwspfeat.bat on Windows
None.
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information that has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:
AIX
IBM
IBM logo
iSeries
pSeries
S/390
Tivoli
Tivoli logo
xSeries
zSeries
Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Other company, product, and service names may be trademarks or service marks of others.