©Copyright International Business Machines Corporation 2008. All rights reserved. U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
NOTE: Before using this information and the product it supports, read the general information under Notices in this document.
Date: Tuesday, 18 November 2008
This cumulative fix pack corrects problems in IBM Tivoli Federated Identity Manager Business Gateway (Federated Identity Manager Business Gateway), Version 6.2.0. It requires that Federated Identity Manager Business Gateway, Version 6.2.0, be installed. After installing this fix pack, your Federated Identity Manager Business Gateway installation will be at level 6.2.0.1.
This fix pack package contains:
This fix pack is distributed as an electronic download from the IBM Support Web Site.
This fix pack package supports the same operating system releases that are listed in the Hardware and software requirements topic for the Federated Identity Manager Business Gateway Version 6.2.0.
None.
Federated Identity Manager Business Gateway consists of the following components that can be installed separately:
This fix pack applies only to the administration console and management service and runtime components (first two components listed above). These two components must be at the same level. Therefore, if you install a fix pack for either the administration console component or the management service and runtime component, you must install the corresponding fix pack for the other of these two components. If the administration console and management service and runtime components are not at the same fix pack level, they are not guaranteed to interoperate with each other as designed.
The following problems are corrected by this fix pack. For more information about the APARs listed here, refer to the Federated Identity Manager Business Gateway support site.
Be aware of the following considerations before installing this fix pack:
Because Federated Identity Manager Business Gateway is a 32-bit application, its default path when installing on Windows Server 2008 changes from
C:\Program Files\IBM\FIM
to:
C:\Program Files (x86)\IBM\FIM
Note that this change to the installation path name also affects a 32-bit WebSphere Application Server on Windows Server 2008:
C:\Program Files\IBM\WebSphere
changes to:
C:\Program Files (x86)\IBM\WebSphere
C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance
for Windows or
/opt/IBM/WebSphere/UpdateInstaller/maintenance
for Unix/Linux
You must unzip the downloaded file before you attempt to apply the patch. The unzipped contents are one or more pak files. Each pak file corresponds to one or more product components. For example, a fix pack might contain two pak files: one for the administration console and management service and runtime components, and one for the WSSM component. The full list of product components is described in Fix pack structure. You use WebSphere Update Installer to apply the fixes of each pak file to the target component on the system that you are updating. Apply all of the pak files that are required by your installation to ensure that the software levels in your environment are identical for all of the components for which a pak file is supplied. The fixes are tested against all affected components; therefore, to minimize any possible issue that can arise from applying a partial fix, ensure that you apply the complete set of files. See
If this is the first time you are applying the fix pack to Federated Identity Manager Business Gateway, you must download and install the enablement fix for Tivoli Federated Identity Manager Business Gateway.
NOTE: Perform the following steps only if this is the first time you are applying a fix pack. You will not need to perform these steps for subsequent product updates.
jar -xvf to unzip the file, or download an unzip utility from the HPUX Connect site.
NOTE: If you are prompted to overwrite existing files, accept it so that the target files are overwritten.
NOTE: Before installing this fix pack, be sure that you have reviewed the prerequisites in Before installing the fix pack.
To obtain the fix pack:
If security is enabled on the WebSphere Application Server where Federated Identity Manager Business Gateway is installed, you must set the appropriate password values in the fim.appservers.properties file before you can apply the fix pack. If security is not enabled, you can skip this step.
NOTE: If you add passwords to the fim.appservers.properties file, as described below, you specify these passwords using plain text. However, at the end of the fix pack installation process these passwords are obfuscated and will no longer be available in plain text format.
To specify security passwords, use the following procedure:
FIM_INSTALL_DIR/etc/fim.appservers.properties
If the was.security.enabled property is present in the fim.appservers.properties file and is set to true, then you must add two password properties to the file:
was.admin.user.pwd property with a value of the administrator login password for the WebSphere Application Server where Federated Identity Manager Business Gateway is deployed
was.truststore.pwd property with a value of the password for the trust store used for client-side SSL authentication in that WebSphere Application Server
For example:
was.admin.user.pwd=was_admin_pw
was.truststore.pwd=truststore_pw
If the ewas.security.enabled property is present in the fim.appservers.properties file and is set to true, then you must add two password properties to the file:
ewas.admin.user.pwd property with a value of the administrator login password for the Embedded WebSphere Application Server where Federated Identity Manager Business Gateway is deployed
ewas.truststore.pwd property with a value of the password for the trust store used for client-side SSL authentication in that Embedded WebSphere Application Server
For example:
ewas.admin.user.pwd=ewas_admin_pw
ewas.truststore.pwd=truststore_pw
fim.appservers.properties file
C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance
for Windows, or
/opt/IBM/WebSphere/UpdateInstaller/maintenance
for Unix/Linux
C:\Program Files\IBM\WebSphere\UpdateInstaller on Windows systems, or in /opt/IBM/WebSphere/UpdateInstaller on UNIX-based systems).
C:\Program Files\IBM\FIM on Windows systems, or /opt/IBM/FIM on UNIX-based systems), then click Next.
FIM_INSTALL_DIR/etc/version.properties
file with a text editor. The following list describes how to interpret
the properties in the version.properties
file:
itfim.build.version.rte-mgmtsvcs=version
itfim.build.version.mgmtcon=version
itfim.build.version.wsprov=version
itfim.build.version.wssm=version
itfim.build.version.fimpi=version
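The version.properties keys listed above can be checked mechanically after the pak files are applied. The following is an added example, not code from the IBM README or from the product: it reads the file and confirms that the administration console and the management service and runtime components are at the same level, as this README requires, and that the level is 6.2.0.1. It assumes that itfim.build.version.mgmtcon records the administration console level and itfim.build.version.rte-mgmtsvcs the management service and runtime level; the README does not state that mapping. The other itfim.build.version.* keys are read but not checked, because this fix pack does not apply to those components.

```python
"""Post-install check of FIM_INSTALL_DIR/etc/version.properties.

Added example; it is not part of the IBM README or of the product. The README requires
the administration console and the management service and runtime components to be at
the same fix pack level, and says this fix pack brings them to 6.2.0.1. Assumption
(not stated in the README): itfim.build.version.mgmtcon records the administration
console level and itfim.build.version.rte-mgmtsvcs the management service and runtime
level; the other itfim.build.version.* keys are reported but not checked, because
this fix pack does not apply to those components.
"""
from typing import Dict, List

EXPECTED_LEVEL = "6.2.0.1"  # the level the README says the installation reaches

# Assumed mapping of property key to the component it records.
PAIRED_KEYS = {
    "itfim.build.version.mgmtcon": "administration console",
    "itfim.build.version.rte-mgmtsvcs": "management service and runtime",
}


def read_versions(text: str) -> Dict[str, str]:
    """Collect itfim.build.version.* keys from key=value lines (comments start with '#')."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs
            if k.strip().startswith("itfim.build.version.")}


def check_component_levels(text: str, expected: str = EXPECTED_LEVEL) -> List[str]:
    """Return the problems found; an empty list means the paired components are consistent."""
    versions = read_versions(text)
    problems: List[str] = []
    levels: Dict[str, str] = {}
    for key, component in PAIRED_KEYS.items():
        if key in versions:
            levels[component] = versions[key]
        else:
            problems.append(f"{key} ({component}) is missing from version.properties")
    # The two components this fix pack updates must be at the same level.
    if len(levels) == 2 and len(set(levels.values())) > 1:
        problems.append("components that must match are at different levels: "
                        + ", ".join(f"{c}={v}" for c, v in levels.items()))
    for component, level in levels.items():
        if level != expected:
            problems.append(f"{component} is at {level}, expected {expected}")
    return problems


# Constructed sample files, not copied from a real installation.
CONSISTENT = """\
itfim.build.version.rte-mgmtsvcs=6.2.0.1
itfim.build.version.mgmtcon=6.2.0.1
itfim.build.version.wsprov=6.2.0.0
itfim.build.version.wssm=6.2.0.0
itfim.build.version.fimpi=6.2.0.0
"""
MISMATCHED = """\
# only the runtime pak file was applied
itfim.build.version.rte-mgmtsvcs=6.2.0.1
itfim.build.version.mgmtcon=6.2.0.0
"""

if __name__ == "__main__":
    for label, sample in (("consistent", CONSISTENT), ("mismatched", MISMATCHED)):
        problems = check_component_levels(sample)
        print(label, "->", "OK" if not problems else "; ".join(problems))
```

Run it against the real file with `check_component_levels(open(path).read())`; a non-empty result means one of the two pak files has not been applied, which the README warns leaves the components not guaranteed to interoperate.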
The recommended order for applying fix packs to the product's components is:
Note: The WebSphere Update Installer allows you to select more than one pak file at a time for execution. Select only the pak files that correspond to the components that are installed on the system you are updating. If you accidentally install more pak files than are needed, you can separately uninstall any fix packs for components that are not installed on the target system.
The fix pack install automatically deploys the newly installed Federated Identity Manager Business Gateway runtime. However, you should verify that the current deployed version is 6.2.0.1.
Runtime Information
----------------------------------------------
Current deployed version 6.2.0.1 [080922a]
Note: The number within the brackets [080922a]
might be different from this example.
The product documentation for Federated Identity Manager Business Gateway, Version 6.2.0, can be found on the information center for IBM Tivoli Federated Identity Manager Business Gateway.
The TFIM 6.1.1 documentation lists the supported user registries in the "User Registry support" section of the "Hardware and Software Requirements" document.
This document lists support for Novell eDirectory 8.6.x and Novell eDirectory 8.7.x. This section does not list Novell eDirectory 8.8.x, because eDirectory 8.8 was not available at the time and the TAM Base product did not claim support for this level yet. However, TAM claimed support for Novell eDirectory 8.8 in the TAM Base 6.0.0 FP0009 README.
Based upon this information, it would seem that TFIM would support eDirectory 8.8.x as a user registry. Support for eDirectory 8.8.x was verified, but in the process it was found that additional configuration steps for eDirectory were required in order to be used by TFIM successfully. These configuration steps are not in the current documentation, so a Tech Note has been written and published that documents the required actions to configure the Novell eDirectory to be a supported TFIM user registry.
The TechNote entitled "Configuration of Novell eDirectory v8.8 required to be a supported TFIM v6.1.1 user registry" has been published and is publicly available on the TFIM support site.
This TechNote MUST be consulted and followed before attempting to use the Novell eDirectory as a TFIM user registry.
It is not possible to query the status of the FIM runtime from the eWAS console. The following wsadmin commands show how to query the FIM runtime's status as well as how to start and stop the FIM runtime from the command line. These commands assume the WAS server instance is named "server1".
wsadmin>$AdminApp list
wsadmin>$AdminControl queryNames type=Application,process=server1,name=ITFIMRuntime,*
wsadmin>set appManager [$AdminControl queryNames type=ApplicationManager,process=server1,*]
wsadmin>$AdminControl invoke $appManager stopApplication ITFIMRuntime
wsadmin>set appManager [$AdminControl queryNames type=ApplicationManager,process=server1,*]
wsadmin>$AdminControl invoke $appManager startApplication ITFIMRuntime
A limitation of the z/OS platform can cause TFIM actions to hang and fail. This has been observed with the deployment of the TFIM runtime, and can be diagnosed by examining the WAS log file and looking for a WARNING message such as the following:
Trace: 2008/02/20 15:30:48.909 01 t=9BE748 c=UNK key=P8 (13007002)
ThreadId: 00000044
FunctionName: com.ibm.ws.runtime.component.ThreadMonitorImpl
SourceId: com.ibm.ws.runtime.component.ThreadMonitorImpl
Category: WARNING
ExtendedMessage: BBOO0221W: WSVR0605W: Thread "WebSphere:ORB.thread.pool t=009c22b8"
(00000022) has been active for 181010 milliseconds and may be hung.
There is/are 1 thread(s) in total in the server that may be hung.
To resolve this problem, a WAS environment variable must be defined that increases an essential thread pool size.
To define the environment variable for a standalone application server from the WebSphere administration console, browse to: "Servers" -> "Application servers" -> server_name -> "Server Infrastructure" -> "Administration" -> "Custom properties".
Add the property private_bboo_internal_work_thread_pool_size with the value of 5.
To define the environment variable for a network deployment configuration from the WebSphere administration console, browse to: "System Administration" -> "Deployment manager" -> "Administration services" -> "Custom properties".
As in the standalone environment, add the property private_bboo_internal_work_thread_pool_size with the value of 5.
Restart the WAS server that has had the environment changed. To verify that the new value has taken effect, when the server starts look for this message in the output of the server:
BBOM0001I private_bboo_internal_work_thread_pool_size: 5.
These failures have currently only been reported on the deployment of the TFIM runtime, and the value of 5 has resolved the issue. However, if similar error messages are seen performing other TFIM activities, the pool size environment variable should be increased to resolve the problem.
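The diagnosis and the verification described above both come down to recognising two WebSphere log messages. The following is an added example, not code from the IBM README or the product: it finds WSVR0605W hung-thread warnings in a log (the message the README says identifies this z/OS problem) and, after the restart, checks for the BBOM0001I line confirming that private_bboo_internal_work_thread_pool_size took effect. The sample log lines are constructed from the message formats the README quotes.

```python
"""Detect the WSVR0605W hung-thread warning in a WebSphere log, and confirm afterwards
that the private_bboo_internal_work_thread_pool_size setting took effect.

Added example, not part of the IBM README or the product. The sample lines are
constructed from the message formats the README quotes; the property name and the
expected value 5 are the README's. A WebSphere log message may be wrapped across
lines, so the text is whitespace-normalised before matching.
"""
import re
from typing import Dict, List, Optional

HUNG_THREAD_RE = re.compile(
    r'WSVR0605W: Thread "(?P<thread>[^"]+)"\s*\((?P<tid>[0-9A-Fa-f]+)\) '
    r'has been active for (?P<ms>\d+) milliseconds and may be hung'
)
POOL_SIZE_RE = re.compile(
    r'BBOM0001I private_bboo_internal_work_thread_pool_size:\s*(?P<size>\d+)'
)


def find_hung_threads(log: str) -> List[Dict[str, object]]:
    """Return one record per WSVR0605W warning: thread name, thread id and active time."""
    flat = " ".join(log.split())  # rejoin wrapped lines before matching
    return [
        {"thread": m.group("thread"), "thread_id": m.group("tid"), "active_ms": int(m.group("ms"))}
        for m in HUNG_THREAD_RE.finditer(flat)
    ]


def configured_pool_size(log: str) -> Optional[int]:
    """The pool size WebSphere reported at start-up, or None if no BBOM0001I line is present."""
    m = POOL_SIZE_RE.search(log)
    return int(m.group("size")) if m else None


def pool_size_applied(log: str, minimum: int = 5) -> bool:
    """True once the start-up log confirms a pool size of at least the README's value of 5."""
    size = configured_pool_size(log)
    return size is not None and size >= minimum


# Constructed sample logs, built from the message formats quoted in the README.
BEFORE_FIX = """\
Trace: 2008/02/20 15:30:48.909 01 t=9BE748 c=UNK key=P8 (13007002)
ThreadId: 00000044
FunctionName: com.ibm.ws.runtime.component.ThreadMonitorImpl
SourceId: com.ibm.ws.runtime.component.ThreadMonitorImpl
Category: WARNING
ExtendedMessage: BBOO0221W: WSVR0605W: Thread "WebSphere:ORB.thread.pool t=009c22b8"
(00000022) has been active for 181010 milliseconds and may be hung.
There is/are 1 thread(s) in total in the server that may be hung.
"""
AFTER_RESTART = "BBOM0001I private_bboo_internal_work_thread_pool_size: 5.\n"

if __name__ == "__main__":
    for rec in find_hung_threads(BEFORE_FIX):
        print(f"possible hang: thread {rec['thread']!r} ({rec['thread_id']}) "
              f"active {rec['active_ms']} ms")
    print("pool size applied after restart:", pool_size_applied(AFTER_RESTART))
```

Feed the server's log file to find_hung_threads before the change and to pool_size_applied after the restart; if warnings keep appearing during other activities with the value 5 in place, the README's advice is to raise the pool size further.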
The default secure protocol for HTTPS connections created by Federated Identity Manager Business Gateway is SSL_TLS. To change (override) the default protocol, specify the following runtime custom property in the fim.appservers.properties file:
com.tivoli.am.fim.soap.client.ssl.protocol= PROTOCOL
where the value of PROTOCOL can be any of the following values: SSL_TLS, SSL, SSLv2, SSLv3, TLS or TLSv1
A timestamp is embedded within a passticket, but the time value interval is only granular to a full second. If two passtickets are generated for the same object (user, target app, secret-key) within one second, then the two passtickets will be identical; that is, the passtickets will look to the validator like a "replay attack." To manage this problem, RACF allows "disable replay detection," and this APAR enables Federated Identity Manager Business Gateway to support this functionality.
To disable replay, you can set either or both of the following custom runtime properties:
passticket.disable.replay.check.[chainid_uuid]=true
passticket.disable.replay.check=true
where chainid_uuid is the value of the Chain UUID. For example:
passticket.disable.replay.check.[uuideb42e428-011b-1ebc-a0cb-9e6c4b35c1c7]=true
To determine the value of Chain UUID, in the administration console select Trust Service Chains -> Select Action, then select Show Chain ID in column in table. This action selection causes a new column to appear in the table that displays the unique Chain ID.
http://www.ibm.com/websphere/appserver/tokentype/5.0.2#LTPA
http://www.ibm.com/websphere/appserver/tokentype#LTPAv2
ltpa.enable.compat.mode.[chainid_uuid]=true
ltpa.enable.compat.mode=true
where chainid_uuid is the value of the Chain UUID. For example:
ltpa.enable.compat.mode.[uuideb42e428-011b-1ebc-a0cb-9e6c4b35c1c7]=true
When authoring XSLT rules for identity mapping, there is no mechanism to log or trace statements for debugging purposes. This APAR adds an extension that enables you to generate debugging statements to XSLT rules.
To invoke debug statements for identity mapping, add entries in the XSLT rules using the following syntax:
<xsl:variable name="variablename" select="mapping-ext:traceString('debug string')"/>
This APAR fixes an XSLT identity mapping failure that occurred when using the alias server with JDBC. An XSLT identity mapping that links accounts from a JDBC configure-alias service would fail with the following exception:
com.tivoli.am.fim.identity.service.jdbc.IdServiceJdbc init javax.naming.NoInitialContextException: Need to specify class name in environment or system property, or as an applet parameter, or in an application resource file: java.naming.factory.initial
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:657)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:259)
        at javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:296)
        at javax.naming.InitialContext.lookup(InitialContext.java:363)
        at com.tivoli.am.fim.identity.service.jdbc.IdServiceJdbc.
        at com.tivoli.am.fim.identity.service.client.jdbc.IdServiceJdbcClient.
        at java.lang.Class.newInstanceImpl(Native Method)
        at java.lang.Class.newInstance(Class.java:1301)
        at org.eclipse.core.internal.registry.osgi.RegistryStrategyOSGI.createExecutableExtension(RegistryStrategyOSGI.java:170)
When creating a Federated Identity Manager domain (or a connection to a domain), if you specify inaccurate information in the security settings panel, WebSphere Application Server might have to be restarted.
If you enter correct data and the Federated Identity Manager console successfully connects to the management service (use Test Connection to test the connection), you do not need to reconnect to WebSphere Application Server. If the Federated Identity Manager console cannot connect to the Management Service, even if correct security information is supplied, then you need to restart WebSphere Application Server.
This APAR fixes an error exception that can occur when posting artifacts for a single sign-on operation in WebSphere Application Server version 6.1.0.17 or version 6.1.0.19. When using WebSphere Application Server version 6.1.0.17 or 6.1.0.19, the POST artifacts for single sign-on operation can sometimes fail with the following exception text:
[9/4/08 10:59:44:143 CDT] 0000002b MultibrokerDo E CWWDR0008E: Runtime exception occurred : Unable to locate Replication Domain.
[9/4/08 10:59:44:148 CDT] 0000002b CacheServiceI I DYNA1001I: WebSphere Dynamic Cache instance named itfim/distributedmaps/ssops_plugins initialized successfully.
[9/4/08 11:00:08:532 CDT] 0000002b SRTServletReq E SRVE0133E: An error occurred while parsing parameters. java.io.IOException: SRVE0216E: post body contains less bytes than specified by content-length
        at com.ibm.ws.webcontainer.servlet.RequestUtils.parsePostData(RequestUtils.java:301)
        at com.ibm.ws.webcontainer.srt.SRTServletRequest.parseParameters(SRTServletRequest.java:1623)
        at com.ibm.ws.webcontainer.srt.SRTServletRequest.getParameterMap(SRTServletRequest.java:2153)
        at com.tivoli.am.fim.fedmgr2.servlet.SSOPSServletBase.logRequest(SSOPSServletBase.java:203)
        at com.tivoli.am.fim.fedmgr2.servlet.SSOPSServletBase.doRequest(SSOPSServletBase.java:97)
It is not possible to query the status of the Federated Identity Manager Business Gateway runtime from the eWAS console. The following wsadmin commands show how to query the Federated Identity Manager Business Gateway runtime's status as well as how to start and stop the Federated Identity Manager Business Gateway runtime from the command line. These commands assume the WebSphere Application Server instance is named "server1".
wsadmin>$AdminApp list
wsadmin>$AdminControl queryNames type=Application,process=server1,name=ITFIMRuntime,*
wsadmin>set appManager [$AdminControl queryNames type=ApplicationManager,process=server1,*]
wsadmin>$AdminControl invoke $appManager stopApplication ITFIMRuntime
wsadmin>set appManager [$AdminControl queryNames type=ApplicationManager,process=server1,*]
wsadmin>$AdminControl invoke $appManager startApplication ITFIMRuntime
The fix pack installation of the Federated Identity Manager Business Gateway runtime must connect to a WebSphere Application Server SOAP port in order to deploy the runtime. The fix pack installer acquires its SOAP port value from the following line in the /<TFIM-installation-directory>/etc/fim.appservers.properties file of the Federated Identity Manager Business Gateway instance being patched:
was.soap.port=8880
OR
ewas.soap.port=8880
This value is set in the file when the Federated Identity Manager Business Gateway instance is installed.
For the connection to be successful, the WebSphere Application Server instance to which it is being deployed must still be using that SOAP port. If it is not, then the Federated Identity Manager Business Gateway fix pack installation fails in the WebSphere Application Server UPDI and the error is reported as:
Prerequisite checking has failed. Click Back to select a different package, or click Cancel to exit.
Associated failure messages are:
The WebSphere server does not seem to be listening in host localhost port 8881 as specified in /opt/IBM/FIM/etc/fim.appservers.properties. Make sure the server is running and that the specified port and host are correct.
If the specified port is different than the actual SOAP port used, then change the value in the fim.appservers.properties file to agree with the port being used by WebSphere Application Server and reapply the fix pack.
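Both of the fim.appservers.properties conditions this README describes, the password properties required when was.security.enabled or ewas.security.enabled is true (see the security passwords procedure earlier in this document) and the SOAP port that a WebSphere Application Server must still be listening on (above), can be checked before the Update Installer is started. The following is an added example, not code from the IBM README or the product. It reads the file, reports missing password properties, and tries a TCP connection to the configured SOAP port; it also warns when the optional com.tivoli.am.fim.soap.client.ssl.protocol override (described earlier) selects SSLv2 or SSLv3, which are deprecated protocol versions (RFC 6176 and RFC 7568); that caveat is the editor's, not the README's. It assumes the server host comes from a was.soap.host or ewas.soap.host key if one is present, a guessed key the README does not show, and defaults to localhost otherwise, matching the failure message quoted above.

```python
"""Pre-flight check of fim.appservers.properties before running the Update Installer.

Added example; it is not part of the IBM README or of the product. It covers the two
conditions the README describes: password properties that must be present when
was.security.enabled or ewas.security.enabled is true, and the SOAP port in
was.soap.port or ewas.soap.port, on which a WebSphere Application Server must be
listening or the fix pack's prerequisite check fails. It also warns when the optional
com.tivoli.am.fim.soap.client.ssl.protocol override selects SSLv2 or SSLv3, which are
deprecated (RFC 6176, RFC 7568); that caveat is the editor's, not the README's.
Assumption: the server host is taken from was.soap.host / ewas.soap.host if present
(a guessed key that the README does not show) and defaults to localhost otherwise.
"""
import socket
from typing import Callable, Dict, List


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines; '#' and '!' start comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP listener accepts a connection on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(text: str, connect: Callable[[str, int], bool] = tcp_connect) -> List[str]:
    """Return the blocking problems found; an empty list means the file is ready."""
    props = parse_properties(text)
    problems: List[str] = []
    for prefix in ("was", "ewas"):  # stand-alone WAS or the embedded WAS
        if props.get(f"{prefix}.security.enabled", "false").lower() == "true":
            for suffix in ("admin.user.pwd", "truststore.pwd"):
                key = f"{prefix}.{suffix}"
                if not props.get(key):
                    problems.append(f"{prefix}.security.enabled=true but {key} is not set")
        port_value = props.get(f"{prefix}.soap.port")
        if port_value is None:
            continue  # this server type is not configured in the file
        host = props.get(f"{prefix}.soap.host", "localhost")  # assumed key, see docstring
        try:
            port = int(port_value)
        except ValueError:
            problems.append(f"{prefix}.soap.port={port_value!r} is not a port number")
            continue
        if not connect(host, port):
            problems.append(
                f"nothing is listening on {host}:{port} ({prefix}.soap.port); "
                "correct the port or start the server, then reapply the fix pack"
            )
    return problems


DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3"}  # prohibited by RFC 6176 / RFC 7568


def advisories(text: str) -> List[str]:
    """Non-blocking warnings: currently only the SSL protocol override."""
    value = parse_properties(text).get("com.tivoli.am.fim.soap.client.ssl.protocol")
    if value in DEPRECATED_PROTOCOLS:
        return [f"com.tivoli.am.fim.soap.client.ssl.protocol={value} selects a deprecated "
                "protocol; prefer TLS"]
    return []


# Constructed sample files, not copied from a real installation.
READY = """\
was.security.enabled=true
was.admin.user.pwd=was_admin_pw
was.truststore.pwd=truststore_pw
was.soap.port=8880
"""
NOT_READY = """\
ewas.security.enabled=true
ewas.soap.port=8881
com.tivoli.am.fim.soap.client.ssl.protocol=SSLv3
"""

if __name__ == "__main__":
    for label, sample in (("READY", READY), ("NOT_READY", NOT_READY)):
        print(label)
        for line in preflight(sample) + advisories(sample):
            print("  -", line)
```

Run `preflight(open(path).read())` on the real file from the host where the Update Installer will run; the port check uses a live TCP connection, so it reproduces the "does not seem to be listening" failure before the installer does. Remember that any passwords you add remain in plain text until the fix pack installation obfuscates them, so restrict read access to the file in the meantime.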
None.
None.
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information that has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:
AIX
IBM
IBM logo
iSeries
pSeries
S/390
Tivoli
Tivoli logo
xSeries
zSeries
Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Other company, product, and service names may be trademarks or service marks of others.