Name: PK38585
=============

Summary:
Cumulative WebSphere Member Manager (WMM) Fix including all previous WMM 5.1 released fixes.

This fix supersedes:
PK02062 PK04173 PK05259 PK06255 PK08018 PK09847 PK11193 PK12731 PK14914 PK18481 PK23132 PK27672 PK31590 PK34283

Problem Description:
The following new problems are fixed by this interim fix package:
- Support WMMUR return unique DN as securityName
- Fix WAS variable resolving problem
- UUID are not unique in some sample files

Problem Solution:
Code changes required to correct these problems.

Failing Module(s): WMM

Affected Users: All

Version Information:

Portal Version(s): 5.1.0.4
Pre-Requisite(s): ---
Co-Requisite(s): ---

Portal Version(s): 5.1.0.3
Pre-Requisite(s): ---
Co-Requisite(s): ---

Portal Version(s): 5.1.0.2
Pre-Requisite(s): ---
Co-Requisite(s): ---

Portal Version(s): 5.1.0.1
Pre-Requisite(s): ---
Co-Requisite(s): ---

Portal Version(s): 5.1.0
Pre-Requisite(s): ---
Co-Requisite(s): ---

Platform Specific:
This fix applies to all platforms.

Installation:
NOTE: YOU MUST FIRST DOWNLOAD THE UPDATE INSTALLER TOOL IN ORDER TO INSTALL A FIX.
The Portal Update Installer can be downloaded from the following link:
http://www.ibm.com/software/genservers/portal/support

1. Create a temporary "fix" directory to store the jar file.
2. Copy the jar file to this directory.
3. Shut down WebSphere Portal.
4. Follow the fix installation instructions that are packaged with the Portal Update Installer on how to install the fix.
5. Restart WebSphere Portal.
6. The temporary directory may be removed.

Un-Installation:
NOTE: FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED. DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED. YOU MAY REAPPLY ANY REMOVED FIX.

1. Shut down WebSphere Portal.
2. Follow the instructions that are packaged with the Portal Update Installer on how to uninstall the fix.
3. Restart WebSphere Portal.
======================================================================================
Trademarks

The following terms are trademarks of the International Business Machines Corporation in the United States, or other countries, or both:
AIX
DATABASE 2
DB2
DB2 Universal Database
EIP
IBM
WebSphere
CM
IBM CM

Microsoft, Windows, Windows NT, and the Windows logo are registered trademarks of Microsoft Corporation.

UNIX is a registered trademark in the United States and other countries licensed exclusively through X/Open Company Limited.

Sun, Sun Microsystems, the Sun logo, Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.

THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IBM DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE AND MERCHANTABILITY WITH RESPECT TO THE INFORMATION IN THIS DOCUMENT. BY FURNISHING THIS DOCUMENT, IBM GRANTS NO LICENSES TO ANY PATENTS OR COPYRIGHTS.

(C) Copyright IBM Corporation 2003-2005. All rights reserved.
======================================================================================

All Fixed Problems

- The search on wmmDB String attribute is always case sensitive.
  Steps to change attribute(s) to case insensitive:
  1. Go to the /config/work/wmm/bin directory and open the WMMAttributeModification.bat or WMMAttributeModification.sh file, depending on your platform.
  2. Replace the following parameters with the corresponding values:
     @WAS_HOME@: your WAS install root.
     @DB_DRIVER_LOCATION@: Database JDBC driver location. See the comments chart in the file.
     @DB_DRIVER@: JDBC driver class.
     @DB_JDBC_URL@: database JDBC URL.
     @DB_USER@: database user ID.
     @DB_PASSWORD@: database password.
  3. Add proper values to the following parameters:
     CS_HOME: Cloudscape database home if you use a Cloudscape database.
     ATTR_NAMES: The attribute name(s) you want to change to case insensitive, separated by semicolons.
     REPOS_TYPE: db or la. db for wmmDB. la for lookaside.
  4. Save the changes.
  5. Open a command window and run WMMAttributeModification.bat/sh.
  6. Restart the server if it is running.
- wrong constant value for "dbMemberRetrievalLimit" parameter.
- Allow caller to retrieve groupMember if it is requested.
- UR-returned groups were filtered out
- wmm_LDAP_LA.xml specifies SSL=true by default
- no need to access lookaside if no la attr required
- Incorrect locking in WMM connection pool
- Unexpected WMM exception log in SystemErr
- add "transient attribute" concept for the CMR decorator pattern
- ByteArray datatype caused problem when returnedAttribute is set
- If the user chooses ibm-appUUId as extid, WMM automatically sets wmmGenerateExtId to true and adds ibm-appUUIAux to the object classes of all member types.
- Only return ancestors up to the node level
- Fix null toString problem in trace
- Fix memory leak in DirContextPool
- NullPointerException during initialization due to invalid member type setting
- Cross repositories unassign member from group fails
- Update Member got NullPointerException due to update null value attribute
- Ignore group outside of group search bases
- Initialization of wmmdb failed on Turkish system
- WMM couldn't start properly if using a non-default JNDI datasource name
- Wrong i character reading on Turkish machine
- WMM Lookaside adapter cannot update ByteArray attribute problem
- Do not return group member attribute when requested attribute names is null
- Use case insensitive match to filter out the groups not under WMM scope
- getGroupMembers throws NullPointerException when extId is null
- using WMMUR directLDAP on zOS nodeAgent failed to get userSecurityName
- WMMUR failed to authenticate user with root DN
- Need to escape special chars in getGroupsForMember filter
- Custom Registry exception not passed through WMM CUR
- Remove ex.printStackTrace() to avoid printout in system.err
- Lookaside didn't return OBJECT attribute value
- Add support for using WAS SSL Socket Factory (See Configuration details in Section 5.0)

*SSL Configuration Parameters

The following parameters are used for configuring SSL in the WMM LDAP Repository.

sslEnabled:
This parameter needs to be set to true to enable SSL. If this parameter is set to false or is not present, SSL is not enabled. If this parameter is true, the JNDI environment property java.naming.security.protocol=ssl is added to the environment properties which WMM uses for creating the LDAP connection. This has the same effect as adding java.naming.security.protocol="ssl" in the ldapRepository tag in WMM5.0.x. The old way of enabling SSL (java.naming.security.protocol="ssl") continues to work.

ldapPort:
Parameter ldapPort may need to change to the SSL port (for example 636).
sslLocalScope:
If this parameter is set to false or is not specified, WMM will use JSSE system properties to set the location of the stores and their passwords:
  javax.net.ssl.trustStore
  javax.net.ssl.trustStorePassword
  javax.net.ssl.keyStore
  javax.net.ssl.keyStorePassword
*Important: JSSE system properties are applied to the whole JVM. They may affect other applications which also use JSSE system properties. To avoid conflicting settings, setting sslLocalScope to true is recommended.
If this parameter is set to true, WMM will use the WAS LdapSSLSocketFactory to set the location of the stores and their passwords. These settings are only applied to WMM itself and will not affect other applications.

sslTrustStore:
Specifies the location (absolute path) and the name of the truststore used for storing the LDAP server certificate in server authentication. If an absolute path is specified, WMM will use the specified absolute path. If only a file name is specified, WMM will look for the trust store file under the \AppServer\etc directory. For example, if sslTrustStore is set to:
  sslTrustStore="DummyServerTrustFile.jks"
WMM will look up the trust store from location:
  C:\WebSphere\AppServer\etc\DummyServerTrustFile.jks

sslTrustStorePassword:
Specifies the password of the truststore specified in sslTrustStore. The value of sslTrustStorePassword is used to check the integrity of the data in the truststore before opening it. This parameter is mandatory if sslLocalScope is set to true and sslTrustStore is specified. Although a clear text password is accepted, it is highly recommended that the password be encrypted for security reasons. To encrypt the key, you can use the wmm_encrypt.bat utility located under the wmm\bin directory:
  wmm_encrypt.bat

sslKeyStore:
Specifies the location (absolute path) and the name of the keystore. A keystore is needed if you want to enable client authentication. If an absolute path is specified, WMM will use the specified absolute path. If only a file name is specified, WMM will look for the trust store file under the \AppServer\etc directory. For example, if sslKeyStore is set to:
  sslKeyStore="DummyServerKeyFile.jks"
WMM will look up the key store from location:
  C:\WebSphere\AppServer\etc\DummyServerKeyFile.jks

sslKeyStorePassword:
Specifies the password of the sslTrustStore. This parameter is mandatory if sslLocalScope is set to true and sslKeyStore is specified. Although a clear text password is accepted, it is highly recommended that the password be encrypted for security reasons. To encrypt the key, you can use the wmm_encrypt.bat utility located under the wmm\bin directory:
  wmm_encrypt.bat

*Default Trust Store and Key Store

If both trust store and key store are not specified, WMM will use the default trust store and key store: if the file /appserver/java/jre/lib/security/jssecacerts exists, that file is used. Otherwise, the file /appserver/java/jre/lib/security/cacerts is used.

*Configuration Samples

Using default trust store and key store
In this setting, SSL is enabled but there is no trust store or key store defined. WMM will look up the certificate of the LDAP server in either /appserver/java/jre/lib/security/jssecacerts or /appserver/java/jre/lib/security/cacerts.

Specifying stores at JVM scope
  sslTrustStore="D:\WSAD512\runtimes\base_v51\etc\DummyServerTrustFile.jks">
Since sslLocalScope is not defined, WMM will use JVM-wide JSSE system properties to set the location of the store. Also, if the password is the default password, there is no need to specify the password. Note that sslTrustStore can also be set to sslTrustStore="DummyServerTrustFile.jks"

Specifying stores at local scope (recommended)
Since sslLocalScope is set to true, the settings of stores and passwords are only applied to WMM. Note that the passwords of the stores are mandatory if sslLocalScope is set to true.

- Avoid duplicate dyna member attributes.
- WMMUR direct access DB mode getUniqueGroupId not working
- Decode DN if it is LDAP referral
- Dynamic group is not added to Group Cache
- Clear text password is printed out in the trace
- French password in UTF-8 setting failed to logon
- Update jpegPhoto attribute failed in wmmDB repository
- Using WAS ParserFactory instead of directly calling Xerces Parser
- Domino LDAP jpegPhoto can not be returned
- Honor the case info of search bases in wmm.xml
- Turkish I/i problem when reading wmmLDAPServerAttribute.xml
- getGroupMemberIds does not return nested members with space
- getMembersRecursively should return top member once
- Object attribute does not work in SQLServer
- Lookaside adapter needs to handle extId=DistinguishedName case
- WasVariableResolver supports the behavior changes in WAS
- FileRegistry caching capability in cluster environment
- Scope of member attribute map is not read correctly
- Format LDAP DN retrieved from memberof or member attribute
- support 30 languages
- solve groupcache timeout issue
- solve WMM version can't be determined problem
- Implement getUniqueGroupId for WAS
- Get nested dynamic groups a member belongs to
- List all members of a group which is both static and dynamic
- consider wildcard '_' in SQL
- groupMemberURL mapping is not set in wmmLDAPAttributes.xml
- Fix problem about whitespace existing in attribute name
- WMM MemberService does hide the information about the root Excep
- WMM UR does write trace info to system.out on zOS
- WMMUR does not support SSL on localmode LDAP
- WMM dbclean.sql for db2 on zOS should add ? in front of the Drop
- DN treated inconsistently by WMM
- Fix performance problem of getGroupsForMember()
- To support MemberIdentifier datatype on LA
- Failed to retrieve memberidentifier from LA
- Make WMMUR use bindDN instead of serverId to bind LDAP
- Support WMMUR return unique DN as securityName
- Fix WAS variable resolving problem
- UUID are not unique in some sample files
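
The rules stated under "SSL Configuration Parameters" above can be checked mechanically before a restart. The following is an added example, not part of the IBM readme or of WMM: a Python check over ldapRepository elements. The attribute names are the readme's; the <wmm> wrapper element, the name attribute, the finding codes and all sample values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Attribute names are the readme's; the <wmm> wrapper,
# the "name" attribute and every value are assumptions for illustration.
SAMPLE = """<wmm>
 <ldapRepository name="plain" ldapPort="389"/>
 <ldapRepository name="legacy" ldapPort="389" java.naming.security.protocol="ssl"/>
 <ldapRepository name="jvmScope" ldapPort="636" sslEnabled="true"
    sslTrustStore="DummyServerTrustFile.jks"/>
 <ldapRepository name="localNoPw" ldapPort="636" sslEnabled="true"
    sslLocalScope="true" sslTrustStore="DummyServerTrustFile.jks"
    sslKeyStore="DummyServerKeyFile.jks" sslKeyStorePassword="PLACEHOLDER"/>
 <ldapRepository name="local" ldapPort="636" sslEnabled="true" sslLocalScope="true"
    sslTrustStore="DummyServerTrustFile.jks" sslTrustStorePassword="PLACEHOLDER"/>
</wmm>"""

MESSAGES = {
    "ssl-off": "sslEnabled is false or absent, so SSL is not enabled",
    "port-389": "SSL is on but ldapPort is 389, the usual non-SSL LDAP port",
    "jvm-scope": "sslLocalScope is not true: stores are set JVM-wide via JSSE",
    "no-trust-pw": "sslTrustStorePassword is mandatory here but missing",
    "no-key-pw": "sslKeyStorePassword is mandatory here but missing",
}

def is_true(repo, attr):
    return repo.get(attr, "false").strip().lower() == "true"

def audit_repository(repo):
    # The old java.naming.security.protocol="ssl" setting still enables SSL.
    legacy = repo.get("java.naming.security.protocol", "").lower() == "ssl"
    if not (is_true(repo, "sslEnabled") or legacy):
        return ["ssl-off"]
    codes = []
    if repo.get("ldapPort") == "389":
        codes.append("port-389")
    if not is_true(repo, "sslLocalScope"):
        codes.append("jvm-scope")
    else:  # local scope: each specified store needs its password
        pairs = (("sslTrustStore", "sslTrustStorePassword", "no-trust-pw"),
                 ("sslKeyStore", "sslKeyStorePassword", "no-key-pw"))
        codes += [c for store, pw, c in pairs if repo.get(store) and not repo.get(pw)]
    return codes

def audit(xml_text):
    root = ET.fromstring(xml_text)
    return {r.get("name"): audit_repository(r) for r in root.iter("ldapRepository")}

if __name__ == "__main__":
    for name, codes in audit(SAMPLE).items():
        print(name, "->", [MESSAGES[c] for c in codes] or "ok")
```

The check reads only attribute presence and values; it cannot tell whether a password value was produced by wmm_encrypt.bat or is clear text.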