IBM United States
Software Announcement 201-010
January 23, 2001

Tivoli SecureWay Security Manager V3.7.1 Delivers Increased Functionality for UNIX Environments

ENUS201-010.PDF (46KB)

At a Glance

Replacing the security engine provides a number of enhancements for Tivoli SecureWay Security Manager:

Integrates with Tivoli SecureWay Policy Director, a strategic component of the Tivoli SecureWay product family
Enables you to implement new features based on Tivoli SecureWay Policy Director capabilities (such as access control list inheritance)
Eases the migration from SeOS as an engine to PDOS
Supports the resource types already found in Tivoli SecureWay Security Manager without altering the security profile
Includes all Tivoli SecureWay Policy Director components required to implement the PDOS engine — no additional purchases are required
Allows Tivoli SecureWay Policy Director to become the center for security data through expansion using Tivoli SecureWay Policy Director add-on products

Overview

New Security Engine

This release provides a major enhancement to management of UNIX^® security in the form of a new UNIX security engine. The new engine is being offered as a replacement technology to provide the Tivoli^® Access Control Facility (TACF) function. The prior security engine provided in Tivoli SecureWay^® Security Manager was based on an engine known as the Security Operating System (or SeOS) licensed from Memco Software, a Computer Associates company. The new engine is based around Tivoli SecureWay Policy Director.

Providing a security engine based on Tivoli SecureWay Policy Director allows Tivoli to make rapid future enhancements in the functions of the engine in the UNIX environment. In this release, the primary goal is to provide a functionally comparable alternative to SeOS. The new security engine provided in this release implements TACF using a component known as Policy Director for Operating Systems (PDOS).

Simplifies Migration to PDOS

Another major focus of this release is to minimize the effort required to migrate from the SeOS UNIX engine to the PDOS UNIX engine. The simplest form of migration will be the re-distribution of a security profile previously used for SeOS to a PDOS endpoint. Migration tools and additional assistance will be available for those that require them.

Planned Availability Date

February 9, 2001

Description

Tivoli SecureWay Security Manager provides a role-based, centralized mechanism for managing and implementing access control policy. Through the consistent configuration of access rights on operating systems from PC LANs to mainframes, Tivoli SecureWay Security Manager helps to ensure your own house is in order before exposing your applications to support e-business. Tivoli SecureWay Security Manager can:

Integrate with Tivoli SecureWay Policy Director for centralized management of Web access
Integrate with Tivoli SecureWay User Administration for integrated user account and user access management
Leverage the Tivoli Enterprise Console^® for centralized audit

The product user interface or the command line can be used to "teach" your policy to Tivoli SecureWay Security Manager. Various tools are included to speed up this process, such as a role-based population function which helps configure a role-based access control model based on the existing configuration of one or more users and/or groups. Tivoli SecureWay Security Manager provides a single, manageable interface to the variety of access control engines provided by different platforms, modifying native data, thus allowing local management tools to continue to operate.

For most platforms, Tivoli SecureWay Security Manager manipulates the native security system of the platform. For example we provide a single interface for managing Windows NT™ domain security, altering records in the OS/390^® Security Server (RACF^®) and so on. Native tools will show the results of modification made by Tivoli SecureWay Security Manager.

For UNIX, Tivoli SecureWay Security Manager provides a unique security engine. This engine allows us to treat all variations of UNIX in the same way. In addition, it resolves many security problems introduced by the user of a super user administrator such as root. This release provides a major enhancement to Tivoli's management of UNIX security in the form of a new UNIX security engine. The new engine is being offered as an alternative technology to provide the Tivoli Access Control Facility (TACF) function. The prior security engine provided in Tivoli SecureWay Security Manager was based on an engine known as the Security Operating System (or SeOS) licensed from Memco Software, a Computer Associates company. The new engine is based around Tivoli SecureWay Policy Director.

Another major focus of this release is to minimize the effort required to migrate from the SeOS UNIX engine to the PDOS UNIX engine. The simplest form of migration will be the redistribution of a security profile previously used for SeOS to a PDOS endpoint. Migration tools and additional assistance will be available for those that require them.

Main Features of this Release

Version 3.7.1 of Tivoli SecureWay Security Manager:

Utilizes the same TACF interface we have always used. The resources supported through Tivoli SecureWay Security Manager (such as FILE, TCP, PROCESS, CONNECT etc.) are all supported in the same format under PDOS. A Security Manager security profile that was previously distributed to a SeOS target system can now be distributed to a PDOS system to secure that system in the same way. The profile will require few (if any) changes to achieve this.
Provides robust and innovative UNIX security management. PDOS relies on Tivoli SecureWay Policy Director for access control data management. This provides a robust and well-established platform. At the same time, the interface to the operating system where we intercept security-relevant system calls has been built from the ground up using a multi-threaded model to provide state-of-the-art control within a UNIX operating system.
Enables tight integration with Tivoli SecureWay Policy Director, a strategic component of the Tivoli SecureWay product family. This provides benefits such as data reuse and allows new features to be developed based around the Policy Director security model (such as access control list inheritance).
Eases migration from SeOS as an engine to PDOS. The new engine can be installed using standard Tivoli mechanisms and then the simplest data migration would be the re-distribution of an existing Tivoli SecureWay Security Manager security profile.
Supports the resource types already found in Tivoli SecureWay Security Manager without altering the security profile. The same UNIX records in a security profile are used for the PDOS security engine.
Includes all Tivoli SecureWay Policy Director components required to implement the PDOS engine — no additional purchases are required.
Allows Tivoli SecureWay Policy Director to become the center for security data through expansion using Tivoli SecureWay Policy Director add-on products.
Reuses the same Tivoli SecureWay Policy Director components and data for other Tivoli SecureWay Policy Director-protected resource types by adding the relevant Tivoli SecureWay Policy Director product.
Can exploit an existing Tivoli SecureWay Policy Director implementation and share existing user data. If you are already using Tivoli SecureWay Policy Director, that implementation can be exploited and extended to support your UNIX platforms.
Makes available the Authorization Application Programming Interface (aznAPI) for your own applications. The aznAPI provides a sophisticated interface to add authorization to your own applications.

Euro Currency

This program is not impacted by euro currency.

Statement of Direction

As a future enhancement to the national language support capability of PDOS, it is the intention of Tivoli Systems to translate PDOS in the next Tivoli SecureWay Security Manager release, currently targeted for June 2001.

Reference Information

Refer to:

Software Announcement 200-017 , dated February 15, 2000.
Software Announcement 200-100 , dated April 25, 2000.

Trademarks

: SecureWay, OS/390, and RACF are registered trademarks of International Business Machines Corporation in the United States or other countries or both.
: Windows NT is a trademark of Microsoft Corporation.
: UNIX is a registered trademark in the United States and other countries exclusively through X/Open Company Limited.
: Tivoli and Tivoli Enterprise Console are registered trademarks of International Business Machines Corporation or Tivoli Systems Inc. in the United States or other countries or both.
: Other company, product, and service names may be trademarks or service marks of others.

Education Support

Training is available for all Tivoli^® products, Education is offered through IBM Education and Training, and through Tivoli Systems. Worldwide information about education offerings is available on the IBM Education and Training home page on the Internet at:

http://www.training.ibm.com

For current information on Tivoli Systems education, call 512-436-8000 or visit the Tivoli Systems home page on the Internet at

http://www.tivoli.com/services/education

Offering Information

Product information will be available on day of announcement through Offering Information (OITOOL) at:

http://www.ibm.com/wwoi

Publications

The following publications can be ordered immediately after planned availability.

                                                       Order
Title                                                  Number
 
 
Tivoli SecureWay(R) Security Manager
 V3.7 User's Guide                                     GC32-0706
Tivoli SecureWay Security Manager
 V3.7 Release Notes(TM)                                GI11-0802
Tivoli SecureWay Security Manager
 V3.7 Supplement for MS Windows(TM)
 2000                                                  GC32-0474
Tivoli SecureWay Security Manager
 V3.7 Supplement for AS/400(R)                         GC32-0658
Tivoli SecureWay Security Manager
 Redbook                                               SG24-5101
Tivoli SecureWay Security Manager
 Supplement for Policy Director
 V3.7.1                                                GC32-0473
Tivoli SecureWay Security Manager
 for Policy Director Release Notes
 V3.7.1                                                GI11-0759

Technical Information

Specified Operating Environment

Hardware Requirements

Tivoli Management Region Server Platforms:

Tivoli SecureWay Security Manager requires a Tivoli Management Region (TMR) Server running Tivoli Management Framework Version 3.6.3. The standard requirements for a TMR server are:

Hardware Platforms:

RS/6000^®
Sun Sparc running Solaris
HP 9000/700 or 800 Series
Intel^® x86 or Pentium™
Approximately 40MB footprint required for UNIX^® platforms, 30MB for Intel.

Software Platforms:

AIX^® 4.2.1, 4.3, 4.3.1, 4.3.2, 4.3.3
Sun Solaris Version 2.6.x, 7, 8
HP-UX 10.20, 11.0
Windows NT™ 4.0 SP3, SP4, SP5, SP6

Tivoli Gateway Platforms:

Tivoli SecureWay Security Manager exploits the capabilities of a Tivoli Gateway. Depending on the configuration, the Gateway may be the same system as the TMR server or it can be a standalone system. The requirements for a Tivoli Gateway are the same as for a TMR Server, plus approximately 25 MB for gateway files.

Supported Targets (Tivoli Client Hardware/Software Platforms):

Client space requirements vary — see Release Notes for specific details.

IBM OS/390^® Security Server (RACF^®) (support available as a separate MLIC)
IBM OS/400^® V4R3, V4R4 running on IBM AS/400
Windows NT 4.0 SP3, SP4, SP5, SP6 running on Intel x86 or Pentium
Windows 2000 running on Intel x86 or Pentium
Novell NetWare 4.10, 4.11, 4.2, 5.0 running on Intel x86 or Pentium
Workspace on Demand R2 V3, R2 V4, R Win 32, Warp Server SMP V3, V4, OS/2^® Warp Server V3, V4, Warp Connect V3, V4, Warp Server for e-business, Warp Server for e-business SMP feature running on Intel x86 or Pentium

Tivoli SecureWay Policy Director V3.7

Tivoli SecureWay Security Manager V3.7.1 can manage components of Tivoli SecureWay Policy Director V3.7 (such as NetSEAL, WebSEAL and Policy Director for Operating Systems).

Tivoli SecureWay Security Manager requires the use of a Tivoli Managed Node as a proxy station for managing Tivoli SecureWay Policy Director. Depending on the configuration the Tivoli Managed Node may be the same system as the TMR Server or a Tivoli gateway, or it may be the Policy Director management server, or it may be a standalone system. If a standalone system is used it will have the same hardware and software requirements as a TMR Server.

Tivoli SecureWay Security Manager has no other specific requirements for managing Tivoli SecureWay Policy Director and can manage Policy Director running on IBM RS/6000 running AIX, Sun SPARC running Solaris, HP 9000/700 and 800 running HP-UX and Intel x86 or Pentium systems running Windows NT.

For detailed requirements for a Policy Director Management Server refer to Software Announcement 200-404 , dated November 14, 2000.

As of V3.7.1 of Tivoli SecureWay Security Manager, the management of UNIX targets is performed using a Tivoli SecureWay Policy Director extension called Policy Director for Operating Systems (PDOS).

PDOS requires a Tivoli SecureWay Policy Director Management Server (provided with Tivoli SecureWay Security Manager) which has the standard requirements of Tivoli SecureWay Policy Director (see above).

The UNIX platforms that can be managed by Tivoli SecureWay Security Manager v3.7.1 using PDOS are:

IBM RS/6000 running AIX 4.3.1, 4.3.2, or 4.3.3
Sun SPARC running Solaris Version 2.6 (with patch 105181-23), 7, or 8
HP 9000/700 and 800 series running HP-UX 11.0 at level 47 and above

Planning Information

Direct Customer Support: Direct customer support is provided by the Tivoli Support Center. This fee service enhances customers' productivity by providing voice and electronic access into the IBM support organization. The Tivoli Support Center will help answer questions pertaining to usage, and suspected software defects for eligible products.

Packaging: Tivoli SecureWay Security Manager is distributed with:

International Program License Agreement (Z125-3301)
License Information document (LC23-4474)
Nine CDs and seven publications

Security, Auditability, and Control

Tivoli SecureWay Security Manager uses the security and auditability features of the operating system software and Tivoli Management Framework.

The customer is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communication facilities.

Ordering Information

Basic License: Current licensees of Tivoli SecureWay Security Manager will be sent a program reorder form that can be returned directly to IBM Software Delivery and Fulfillment (SDF).

Reorder forms are scheduled to be mailed after planned availability. Reorder forms returned to SDF will be processed within 10 days of receipt. When V3.7.1 is available, V3.7.0 will no longer be available.

For program 5698-SEC, customers must ensure that they have previously ordered adequate Tivoli Management Points to add this product to the customer environment.

If additional Tivoli Management Points are required for this product, also specify the OTC feature number for Tivoli Management Points in the quantity desired.

New Licensees

Orders for new licenses will be accepted now.

Shipment will begin on the planned availability date.

New users should specify:

Program Number: 5698-SEC

Program Name: Tivoli SecureWay Security Manager

To order a basic license, specify the program number, feature number 9001 for asset registration, and the feature number of the desired distribution medium. Also, specify the one-time charge feature number from the table below in the quantity desired (maximum quantity of 250 per feature number).

The quantity of Tivoli Management Points is based on servers.

Use the following table to order the program products listed below.

                                      Tivoli Management Points
Product
Number       Product Name               Qty 1        Qty 250
 
5698-SEC     Tivoli SecureWay           0039         0040
              Security Manager

Tivoli Systems Support

Although the first year of support is included in the product price, a no-charge order must be placed using program number 5698-SPT specifying feature number 9001 for asset registration and the appropriate First Year Standard Support — No Charge feature number. This 5698-SPT order establishes entitlement records worldwide. If a 5698-SPT order is not placed, the customer will not be entitled to support even during the first year of a license.

Prior to the end of the first 12 months support period, customers will be notified of their support renewal options. Unless the customer notifies IBM/Tivoli to discontinue or alter the level of support currently being received, support will automatically be renewed for annual billing at the same level as selected in the first year. Once the subsequent year support feature numbers are in place, renewals are automatic and billed annually unless support is cancelled by the customer.

Tivoli Systems offers a variety of support options in response to diverse customer requirements. The table below summarize these offerings.

                                                 Standard
Support Categories                    Standard   24        Select
 
Support Coverage via                  Normal     7 x 24    7 x 24
 Web, Phone, Fax and e-mail           Bus Hrs
 
Web Support Tools (TIPS, FAQs,        Yes        Yes       Yes
 White papers, Tools, Patch
 downloads)
 
Maintenance and Upgrades              Yes        Yes       Yes
 
Support News                          Yes        Yes       Yes
 
Escalation Process                    Yes        Yes       Yes
 
Initial "Tivoli Select" Support       No         No        Yes
 Review (one customer location
 and one review per contract)
 
Heightened Responsiveness
 Severity 1  -- 1 hour                No         No        Yes
 Severity 2  -- 2 hour                No         No        Yes
 Severity 3  -- 4 hour                No         No        Yes
 Severity 4  -- 4 hour                No         No        Yes
 
Fast Path to "Tivoli Select"          No         No        Yes
 Level 2 Engineer
 
Heightened Resolution Priority        No         No        Yes
 
Proactive Tivoli Management           No         No        Yes
 Notification
 
Onsite when Required                  No         No        Yes
 (two trips per year not to exceed
 six days in total)
 
"Tivoli Select" Support review        No         No        Quarterly
 and recommendations
 (customer to identify single
 point of control site)
 
Minimum of 40,000 renewable Tivoli    No         No        Yes
 Management points required in
 aggregate

Tivoli Standard Support
This offering provides:
- Technical support via Web, telephone, fax, and e-mail during normal IBM/Tivoli business hours Monday through Friday, except local holidays
- Corrections (PTFs) or patches that fix substantial deviations of unmodified Tivoli products from the then-current code, publications, and/or informal documentation (that is, release notes and memos)
- Software product updates that are improvements, extensions, or other changes which IBM/Tivoli, at its discretion, deems to be reasonable
- Customer Self-Help Options available via Web 24x7 including:
  - Support Procedures — Maintenance renewal information and registration for access to support
  - Product-Specific Support Pages
  - Technical Documentation — including FAQs, Quick Solution Hints and Tips, Product Certification Information, Release Notes, Installation Guides, Redbooks, White Papers, and Fix READMEs
  - Knowledge Base — Search engine providing answers to many technical questions; databases include APARs, FAQs and Fix READMEs
  - Education and Training
  - Support Services — Databases allowing customers to download code fixes and report or update problems
  - Links to Support Contacts — providing the Tivoli Support phone number nearest the customer
Tivoli Standard-24 Support
This offering provides:
- All components offered in Tivoli Standard Support
- In addition, Tivoli Standard-24 Support provides enhanced features including
  - Technical support via Web, telephone, fax, and e-mail, 7x24 including holidays
  - Off-shift and holiday support provided on Severity 1 issues only
Tivoli Select Support
This offering provides:
- All components offered in Tivoli Standard-24 Support
- In addition, Tivoli Select provides enhanced features including:
  - Initial Tivoli Select support review
  - Heightened responsiveness
- Fast path to Tivoli Select Level-2 Engineers
- Heightened Resolution Priority
- Proactive Tivoli Management Notification
- Customer Initiated On-Site Support available up to twice per contract period
- Tivoli Select Support review and recommendations
- Support provided in English only
A minimum purchase/installation of 40,000 renewable points of Tivoli products in aggregate is required to acquire this support option.

Support Upgrade

During the first year of a license, the customer may upgrade to the Tivoli Standard-24 or Tivoli Select Support option by ordering the applicable one-time charge (OTC) feature number from the table below. The OTC feature numbers may be specified on the initial order or later via an MES during the first year only. Ordering this OTC feature will not result in an extension of the no-charge support period.

In subsequent years, if a customer wants to upgrade to the Tivoli Standard-24 or Tivoli Select Support option, an MES order must be entered to discontinue the existing support option feature number and to add the feature number for the desired options After an MES order is entered, the support will be renewed and billed annually at that support level unless support is cancelled by the customer.

5698-SPT — First-Year Support Options

Use the following table to order support (5698-SPT) for the program products listed below.

           Upgrade
                                                   Upgrade   from
                                        Upgrade    from      1st Year
                                        from       1st Year  Std-24
                                        1st Year   to        to
                              1st Year  to Std-24  Select    Select
                              Support   Support    Support   Support
Support                       No        One-Time   One-Time  One-Time
for                           Charge    Charge     Charge    Charge
Program    Support for        Feature   Feature    Feature   Feature
Number     Program Name       Number    Number     Number    Number
 
5698-SEC   Tivoli SecureWay
           Security Manager
           Qty of 1           0629      0617       0618      0619
           Qty of 250         0630      0620       0621      0622

5698-SPT — Subsequent Year Options

Use the following table to order support (5698-SPT) for the program products listed below.

 
                                  Standard      Std-24       Select
                                  Support       Support      Support
Support                           Annual        Annual       Annual
for                               Charge        Charge       Charge
Program    Support for            Feature       Feature      Feature
Number     Program Name           Number        Number       Number
 
5698-SEC   Tivoli SecureWay
           Security Manager
            Qty of 1              0623          0624         0625
            Qty of 250            0626          0627         0628

The Standard Support option, Standard-24 Support option and Select Support option are not transferable among the Tivoli Enterprise products. If support is desired, support option feature numbers must be ordered for each licensed product. The quantity of the billable feature numbers for support must be equal to the quantity of Tivoli Management Points for a licensed product.

Customers with support contracts may access the latest product information(including migration tool updates) at:

http://www.tivoli.com/support/Prodman/html/AB.html#Security

(This site requires a support login ID)

End of Support: Tivoli support for V3.7.0 will be discontinued 12 months after the general availability of V3.7.1.

Basic Machine-Readable Material

                                   Feature          Distribution
Language                           Number           Medium
 
English                            5809             CD-ROM
French                             5819             CD-ROM
Brazilian Portuguese               5839             CD-ROM
German                             5849             CD-ROM
Spanish                            5859             CD-ROM
Italian                            5869             CD-ROM
Japanese                           5829             CD-ROM
Simplified Chinese                 5879             CD-ROM
Traditional Chinese                5899             CD-ROM
Korean                             5889             CD-ROM

Customization Options: Select the appropriate feature numbers to customize your order with delivery options desired. These features can be specified on the initial or MES orders.

Example: If publications are not desired for the initial order, specify feature number 3470 to ship media only. For future updates, specify feature number 3480 to ship media updates only. If, in the future, publication updates are required, order an MES to remove feature number 3480; then, the publications will ship with the next release of the program.

                                                    Feature
Description                                         Number
 
Initial Shipments
 
Serial Number Only (suppresses shipment             3444
 of media and documentation)
 
Ship Media Only (suppresses initial                 3470
 shipment of documentation)
 
Ship Documentation Only (suppresses                 3471
 initial shipment of media)
 
Update Shipments
 
Ship Media Updates Only (suppresses                 3480
 update shipment of documentation)
 
Ship Documentation Only (suppresses                 3481
 update shipment of media)
 
Suppress Updates (suppresses update                 3482
 shipment of media and documentation)
 
                                                    Feature
Description                                         Number
 
Expedite Shipments
 
Local IBM Office Expedite                           3445
 (for IBM use only)
 
Customer Expedite Process Charge                    3446
 ($30 charge for each product)

Expedite shipments will be processed to receive 72-hour delivery from the time SDF receives the order. SDF will then ship the order via overnight air transportation.

Terms and Conditions

Agreement: IBM International Program License Agreement (IPLA), IBM International Agreement for Acquisition of Programs and Support (IIAAPS), IBM Agreement for Acquisition of Support (IAAS), with the Attachment for Support and its Addendum for Tivoli Systems, and an Order Form

Transferable: Applies except when Support is in effect

Limited Warranty Applies: Yes

Guarantee: Two months

Getting Started Period: Not applicable

Usage Restriction: Yes. Usage is limited to the quantity of Tivoli Management Points acquired for a one-time charge.

Educational Allowance Available: Yes, to qualified educational institutional customers

Percentage: 15%

Volume Orders: Not applicable

Upgrade Protection Applies: Covered as long as Support remains in effect

Licensed Program Materials Availability: Object Code only

Entitled Upgrade for Current Upgrade Protection Licensees: As announced for each program

Tivoli Support:

Support Center applies: Yes
                        Access is available through the
                        Tivoli Support Center,
                        800-TIVOLI8 (848-6548)
 
 
Availability:           The first year of Tivoli Support is available
                         at no additional charge.  The first year
                         starts when the product is shipped to the
                         customer.  Subsequent years of Tivoli
                         Support are available for a fee as the
                         IAAS, IIAAPS, or any equivalent agreement
 
Available until
 the product is
 discontinued:          Twelve months after written notice of product
                         discontinuance (that is, end-of-life (EOL))
 
Applicable for:         The current release
                        The immediate previous release level for
                         twelve months after the general
                         availability of the current release
 
APAR Mailing Address:   Tivoli Systems Inc.
                        9442 Capital of Texas Highway
                        Austin, TX 78759
                        USA
                        Attention: Product Development

Support Line: No

Product Web Site: A complete list of products, terminology definitions, and licensing documents are available at the following Web site:

http://www.tivoli.com/products/licensing/

Prices

The prices provided in this announcement are suggested retail prices for the U.S. only and are provided for your information only. Dealer prices may vary, and prices may also vary by country. Prices are subject to change without notice. For additional information and current prices, contact your local IBM representative.

Customer Financing: IBM Global Financing offers attractive financing to credit-qualified commercial and government customers and Business Partners in more than 40 countries around the world. IBM Global Financing is provided by the IBM Credit Corporation in the United States. Offerings, rates, terms, and availability may vary by country. Contact your local IBM Global Financing organization. Country organizations are listed on the Web at:

http://www.financing.ibm.com

Prices are based on Tivoli Management points. The prices per Tivoli Management point are unaffected by this announcement.

Refer to the following announcements for pricing information:

Software Announcement 200-017 , dated February 15, 2000
Software Announcement 200-100 , dated April 25, 2000