IBM United States
Software Announcement 202-088
April 9, 2002

IBM Tivoli Access Manager for Operating Systems V3.8 — Manages and Extends Access Control to UNIX and Linux Systems



At a Glance

IBM Tivoli Access Manager for Operating Systems V3.8 delivers:

  • Access controls for a variety of security-sensitive resources (such as file systems, IP services, and the switching between IDs) and for every user in the system, including the UNIX "super user" (root)
  • Tracking of sensitive files and programs with access restriction for unauthorized users
  • Auditing capabilities which include forwarding audit events to the IBM Tivoli Enterprise™ Console and/or to IBM Tivoli Risk Manager
  • Integration capability with IBM Tivoli Identity Director that provides role-based administration and centralized systems management of Tivoli Access Manager for Operating Systems V3.8
  • Integration with IBM Tivoli Access Manager for e-business that allows re-use of user credential data
  • Consistent policy definition across AIX, Solaris, HP-UX, and Red Hat Linux operating systems

For ordering, contact:

Your IBM representative, an IBM Business Partner, or IBM Americas Call Centers at 800-IBM-CALL (Reference: YE001).

Overview

Tivoli® Access Manager for Operating Systems, previously a component of Tivoli Security Manager, is now available as a separate product. Version 3 Release 8 (V3.8) of IBM Tivoli Access Manager for Operating Systems includes enhanced security, helps save administrative time, and lets access management be delegated to suitable administrators.

IBM Tivoli Access Manager for Operating Systems V3.8 provides:

  • Resource access control enforcement on UNIX® (including Red Hat Linux) operating systems
  • Significant access control enhancements over native UNIX and Red Hat Linux security
  • Integration capability with IBM Tivoli Access Manager for e-business, and IBM's latest provisioning solution, IBM Tivoli Identity Director
  • Controls that apply to all users, including root, to partition roles and rights
  • Secure auditing
  • Delegated administration through a Web interface
  • A stand-alone program — no prerequisite on other IBM products
  • Consistent policy definition across AIX®, Solaris, HP-UX, and Red Hat Linux operating systems

Key Prerequisites

There are no prerequisites for Tivoli Access Manager for Operating Systems V3.8.

Planned Availability Date

April 26, 2002

Description

Tivoli Access Manager for Operating Systems V3.8 provides a security server engine for UNIX and Red Hat Linux systems. This engine provides security services to one or more users of a UNIX or Red Hat Linux system.

UNIX and Red Hat Linux operating systems often form the base of major applications, both internal and Web-based. Controlling access to these operating systems can be essential for ensuring high availability to these applications. However, conventional UNIX operating-system design requires a super user ID (usually a single predefined ID, also called a root user, with a unique level of privilege that allows bypass of standard UNIX security checks) for most administrative operations. This can open the UNIX platform to vulnerabilities as a super user gains access capabilities with few, if any, restrictions. Also, with the complexity of managing access to the UNIX operating system from multiple vendors, UNIX security can become as expensive as it is risk-laden. Tivoli Access Manager for Operating Systems V3.8 offers a policy-based solution with integration into the wider security and management portfolio offered by IBM.

Tivoli Access Manager for Operating Systems V3.8 is an access enforcement engine that extends standard UNIX security to add major access control capability for every user in the operating system. It intercepts system calls and uses the accessor information to make a policy decision on whether the access should proceed. This is achieved through standard hooks into the operating system that avoid the need for kernel re-compiles or complicated install mechanisms. Once installed, Tivoli Access Manager for Operating Systems V3.8 can be switched on or off by an authorized user through a single command; or it can be operated in a warning mode where it does not enforce any policy, but tracks significant resources and logs all related access requests. Secure logging helps ensure a reliable audit trail and the watchdog capability can provide extra protection for critical files and executables by restricting access if a change is made in an unauthorized manner.

UNIX and Red Hat Linux system access control is made difficult by the super user (root) administration model. A UNIX system requires a user to operate as a root user to perform privileged functions, but then provides no distinction between the kinds of privileged functions that a root user can perform. Many vulnerabilities in a UNIX system stem from attacks that result in a user gaining root access. IBM Tivoli Access Manager for Operating Systems V3.8 protects against this in two major ways:

  • All access control capabilities can apply to the root user as well as to any other user
  • Access control checks are performed based on the original ID with which a user or application gained entry to the system regardless of whether or not they have used the UNIX switch user command (su) to change to another ID
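The decision rule described above, modeled as an added illustration; this is not IBM's code and not the product's policy format. The class names, the sample path and users, the simplified native check, and the assumption that unprotected resources fall back to the native check alone are all hypothetical.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Accessor:
    login_user: str      # ID the session originally entered the system with
    effective_user: str  # ID in effect now, e.g. after su


@dataclass(frozen=True)
class FileResource:
    path: str
    owner: str


def native_unix_allows(accessor, resource):
    """Simplified native check: effective root bypasses, otherwise owner only."""
    return accessor.effective_user in ("root", resource.owner)


@dataclass
class PolicyEngine:
    policy: dict             # path -> {action: set of permitted login users}
    mode: str = "enforce"    # "off", "warning" or "enforce"
    audit: list = field(default_factory=list)

    def __post_init__(self):
        if self.mode not in ("off", "warning", "enforce"):
            raise ValueError(f"unknown mode: {self.mode}")

    def policy_permits(self, accessor, resource, action):
        rules = self.policy.get(resource.path)
        if rules is None:
            return True  # assumption: unprotected resources are not restricted
        # The decision keys on the login ID, so su to root changes nothing here.
        return accessor.login_user in rules.get(action, set())

    def access_proceeds(self, accessor, resource, action):
        native = native_unix_allows(accessor, resource)
        if self.mode == "off":
            return native
        permitted = self.policy_permits(accessor, resource, action)
        if resource.path in self.policy:
            # Requests against tracked resources are logged in both modes.
            self.audit.append((self.mode, accessor.login_user,
                               accessor.effective_user, action, resource.path,
                               "permit" if permitted else "deny"))
        if self.mode == "warning":
            return native  # policy evaluated and logged, not enforced
        return native and permitted


# Constructed sample data, not taken from the announcement.
ORDERS = FileResource("/db/data/orders.dbf", owner="dbadmin")
POLICY = {ORDERS.path: {"read": {"dbadmin", "alice"}, "write": {"dbadmin"}}}
ALICE_AS_ROOT = Accessor(login_user="alice", effective_user="root")
DBADMIN = Accessor(login_user="dbadmin", effective_user="dbadmin")
ROOT_LOGIN = Accessor(login_user="root", effective_user="root")


def demo():
    """Run the same three write requests under each mode."""
    results = {}
    for mode in ("off", "warning", "enforce"):
        engine = PolicyEngine(POLICY, mode)
        results[mode] = {
            "alice_su_root": engine.access_proceeds(ALICE_AS_ROOT, ORDERS, "write"),
            "dbadmin": engine.access_proceeds(DBADMIN, ORDERS, "write"),
            "root_login": engine.access_proceeds(ROOT_LOGIN, ORDERS, "write"),
            "audit_records": len(engine.audit),
        }
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

In warning mode every request still proceeds as the native check dictates, but the audit list shows which ones the policy would have denied, which is how a policy can be tuned before enforcement is switched on.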

Applications provide their own level of access control. For example, a database application may provide table-level access controls. The ability to determine table-level access in a database is a commendable security measure, but it is ineffective if a root user can simply delete the file system on which the database resides. An unrestricted root user can also modify or destroy audit and other records that would otherwise show what had happened. Tivoli Access Manager for Operating Systems V3.8 can help prevent this kind of damage, whether malicious or accidental.

Tivoli Access Manager for Operating Systems V3.8 is based on IBM Tivoli Policy Director technology and provides a centralized administration server (known as the Access Manager management server). The access control and user account repositories for Tivoli Access Manager for Operating Systems V3.8 are maintained in this secure Access Manager management server with data cached locally in a secure manner to help ensure optimum performance and reliability. Tivoli Access Manager for Operating Systems V3.8 is supported for use with a V3.9 management server. It updates the Access Manager management server to V3.9.

Tivoli Access Manager for Operating Systems V3.8 can provide significant performance improvements over previous IBM Tivoli UNIX solutions through a multi-threaded design. It can also utilize integration capability with IBM Tivoli Identity Director to manage UNIX system access control in a role-based environment alongside other operating systems and applications. UNIX operating system resources that can be protected are defined by resource types such as File, NetOutgoing, NetIncoming, Login, Surrogate, and TCB.

A policy can also be set to enhance the security of the login process. For example, Tivoli Access Manager for Operating Systems V3.8 can lock out a user after multiple login failures due to a bad password.

The IBM Tivoli Policy Director management server represents the core technology for IBM Tivoli security products. This sophisticated and versatile security server provides access control implementations for many environments. Examples include Web traffic, IBM MQSeries® messaging, and securing custom applications through the publication of an industry-standard Application Programming Interface (API). All components of the management server and the Web GUI required to manage IBM Tivoli Access Manager for Operating Systems V3.8 are included in Tivoli Access Manager for Operating Systems V3.8.

Migration

If you are licensed for Tivoli Security Manager and your IBM Tivoli Support or Passport Advantage Software Maintenance contract is current, you are entitled to migrate to Tivoli Access Manager for Operating Systems V3.8, at no charge. The migration must be completed by September 30, 2002, and it is for the environment that is currently licensed only. Once you migrate to Tivoli Access Manager for Operating Systems V3.8, Software Maintenance must remain in effect for entitlement to updates for Tivoli Access Manager for Operating Systems V3.8. If there is a lapse in Software Maintenance, you must order Software Maintenance after license to again be entitled to updates.

If you have IBM Tivoli Support or Passport Advantage Software Maintenance in effect, and have not yet migrated to Tivoli Access Manager for Operating Systems V3.8, you are entitled to updated code for IBM Tivoli Access Manager for Operating Systems V3.8 as it becomes available. You are entitled to use all components of Tivoli Access Manager for Operating Systems V3.8 to the extent covered in your current licensing.

For example, if you have acquired Tivoli Management Points for Tivoli Security Manager and you are current on your Tivoli Support or Passport Advantage Software Maintenance, you are entitled to use all components of Tivoli Access Manager for Operating Systems V3.8 under the existing IBM Tivoli terms and conditions of your Tivoli Security Manager licensing.

If you are licensed for Tivoli Security Manager but do not have a current IBM Tivoli Support or Passport Advantage Software Maintenance contract in effect at the time of withdrawal of IBM Tivoli Support and Passport Advantage Software Maintenance for Tivoli Security Manager, you will have to acquire a license for Tivoli Access Manager for Operating Systems to be entitled to updates.

Note: Tivoli Security Manager will be withdrawn from ordering effective May 9, 2002, and related Tivoli Support feature numbers and Passport Advantage Software Maintenance part numbers for these products will be withdrawn from ordering effective September 30, 2002. Refer to Withdrawal Announcement 902-083, dated April 9, 2002.

Euro Currency

This program is not impacted by euro currency.

Reference Information

Refer to:

  • Software Announcement 201-272, dated September 25, 2001
  • Software Announcement 202-088, dated April 9, 2002

Trademarks

 
Tivoli is a registered trademark of International Business Machines Corporation or Tivoli Systems Inc. in the United States or other countries or both.
 
UNIX is a registered trademark of the Open Company in the United States and other countries.
 
Tivoli Enterprise is a trademark of International Business Machines Corporation or Tivoli Systems Inc. in the United States or other countries or both.
 
AIX and MQSeries are registered trademarks of International Business Machines Corporation in the United States or other countries or both.
 
Other company, product, and service names may be trademarks or service marks of others.

Education Support

Training is available for many IBM Tivoli® products. Education is offered through IBM Education and Training, and through IBM Tivoli Systems. Worldwide information about education offerings is available on the IBM Education and Training home page at:

For current information on IBM Tivoli Systems education, call 512-436-8000, or visit the IBM Tivoli Systems home page at:

Offering Information

Product information will be available on day of announcement through Offering Information (OITOOL) at:

and through the Passport Advantage Web site at:

Publications

One copy of the following publication will be supplied with the basic machine-readable material in English and translated languages:

                                             Order
Title                                        Number
 
Tivoli Policy Director for Operating         GI11-0896
Systems V3.8 README First

The following publications are included in English and translated languages in displayable softcopy form on a CD-ROM shipped with the product on the planned availability date.

  • Tivoli Policy Director for Operating Systems V3.8 Administration Guide
  • Tivoli Policy Director for Operating Systems V3.8 Installation Guide
  • Tivoli Policy Director for Operating Systems V3.8 Release Notes

Note: IBM Tivoli Access Manager for Operating Systems V3.8 includes the IBM Tivoli Access Manager for e-business management server and the IBM Tivoli Access Manager for e-business Web portal manager. The documentation for the management server and for the Web portal manager is also included, in U.S. English, on the product CD-ROMs and can be downloaded in other languages from the Web site shown below.

The publications listed below can be downloaded in English in softcopy from the following Web site on the planned availability date:

                                   Order
Title                              Number         Language
 
Tivoli Policy Director for         GC32-0795      English
 Operating Systems V3.8
 Administration Guide
Tivoli Policy Director for         GC32-0796      English
 Operating Systems V3.8
 Installation Guide
Tivoli Policy Director for         GI11-0885      English
 Operating Systems V3.8
 Release Notes

Technical Information

Specified Operating Environment

Hardware Requirements

Hardware platforms supporting the operating systems at the software levels stated in the Software Requirements section.

Software Requirements

IBM Tivoli Access Manager for Operating Systems V3.8 runs on the following operating systems:

  • AIX® 4.3.1, 4.3.2, 4.3.3, or 5.1
  • HP-UX 11.0 or 11i
  • Solaris 2.6, 2.7, or 2.8
  • Red Hat Linux uniprocessor or multiprocessor 6.2 (2.2.14-5.0 or 2.2.19-6.2.7 kernel) or 7.1 (2.4.2-2 kernel)

Note: IBM Tivoli Access Manager for Operating Systems V3.8 includes the IBM Tivoli Access Manager for e-business management server. At least one management server is required in an IBM Tivoli Access Manager for Operating Systems V3.8 implementation. The IBM Tivoli Access Manager for e-business management server runs on the following operating systems:

  • AIX 4.3.3
  • Solaris 2.7 or 2.8
  • HP-UX 11
  • Windows NT® 4.0
  • Windows® 2000 Advanced Server with Service Pack 1

The Web portal manager (which provides a Web management interface) is a Web server-based application that runs on the following Web servers:

  • Windows NT 4.0
  • Windows 2000 Advanced Server with Service Pack 1

Planning Information

Packaging: IBM Tivoli Access Manager for Operating Systems V3.8 is distributed with:

  • International Program License Agreement (Z125-3301)
  • License Information document (GC23-4479)
  • CD-ROMs
  • Publications (refer to the Publications section)

Security, Auditability, and Control

IBM Tivoli Access Manager for Operating Systems V3.8 relies on the security and auditability features of the operating system software.

The customer is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communication facilities.

Ordering Information

Passport Advantage Customer: Media Pack Entitlement Details

Customers with active maintenance or subscription for Tivoli SecureWay® Security Manager are entitled to receive the following media pack.

                                             Part
Media Pack Description                       Number
 
IBM Tivoli Access Manager for                BJ03DML
 Operating Systems V3.8
 Media Pack -- Multi-lingual

New Licensees

Orders for new licenses will be accepted now.

Shipment will begin on the planned availability date.

Basic License

Ordering Information for Passport Advantage: Passport Advantage allows you to have a common anniversary date for Software Maintenance renewals, which can simplify management and budgeting for eligible new versions and releases (and for related technical support) for your covered products. The anniversary date, established at the start of your Passport Advantage Agreement, recurs on an annual basis while your Passport Advantage Agreement remains in effect. However, regardless of when Software Maintenance is acquired, the coverage period for Software Maintenance is always up to the anniversary date specified in the acquisition.

Refer to the IBM International Passport Advantage Agreement and to the IBM Software Maintenance Handbook for specific terms relating to, and a more complete description of, technical support provided through Software Maintenance.

The quantity to be specified for the Passport Advantage part numbers in the following table is per processor. To order for Passport Advantage, specify the desired part number and quantity.

                                             Part
Description                                  Number
 
IBM Tivoli Access Manager for                D512TLL
 Operating Systems License
 and Software Maintenance
 1st Anniversary
IBM Tivoli Access Manager for                D512ULL
 Operating Systems License
 and Software Maintenance
 2nd Anniversary
IBM Tivoli Access Manager for                E009QLL
 Operating Systems Software
 Maintenance Renewal to
 Anniversary Date
IBM Tivoli Access Manager for                D512VLL
 Operating Systems Software
 Maintenance after License to
 Anniversary Date

To order a media pack for Passport Advantage, specify the part number in the desired quantity from the following table:

                                             Part
Description                                  Number
 
IBM Tivoli Access Manager for                BJ03DML
 Operating Systems V3.8
 Media Pack -- Multi-lingual

In addition, IBM Tivoli Access Manager for Operating Systems V3.8 is available for download from Passport Advantage on April 26, 2002.

Ordering Information for 5698-PDO: To order a basic license, specify the program number and the feature number of the desired distribution medium. Also, specify the one-time charge feature number in the quantity desired (maximum quantity of 250).

The quantity to be specified for the features in the following table is per processor.

Use the following table to order the program products listed below:

Product    Product                           Processors
Number     Name                           Qty 1     Qty 250
 
5698-PDO   IBM Tivoli Access Manager      2803      2804
           for Operating Systems V3.8

This software license includes Software Maintenance, previously referred to as Software Subscription and Technical Support.

Extending coverage for a total of three years from date of acquisition may be elected. Order the program number, feature number, and quantity to extend coverage for your software licenses. If maintenance has expired, specify the after license feature number.

IBM Tivoli Access Manager for Operating Systems V3.8

Maintenance IASP PID 1 Year: 5698-DO1

                                                 Feature    Feature
                                                 Number     Number
Description                                      Qty 1      Qty 250
 
Use authorizations (to be ordered in quantity):
 Software Maintenance No Charge Registration     2845       2846
 Software Maintenance 1 Year Renewal             2795       2796
 Software Maintenance 1 Year After License       2797       2798

Maintenance IASP PID 3 Year: 5698-DO3

                                                 Feature    Feature
                                                 Number     Number
Description                                      Qty 1      Qty 250
 
Use authorizations (to be ordered in quantity):
 Software Maintenance 3 Year Registration        2789       2790
 Software Maintenance 3 Year Renewal             2791       2792
 Software Maintenance 3 Year After License       2793       2794

Software Maintenance

Software Maintenance is included with each product authorization acquired. Software Maintenance provides an easy and effective way by which you have access, during the coverage period, to eligible new versions and releases and to remote technical support for your covered products.

The technical support included in Software Maintenance provides remote support during normal business hours in your country or location as well as access to escalation management 24 hours a day, 7 days a week, for mission-critical (severity 1) problems.

With Software Maintenance, you receive the following technical support benefits:

  • Telephone access and/or electronic access via the Web to an IBM Customer Support Center.
  • Support for routine, short duration installation and usage (how-to) questions and code-related problems.
  • Support during normal country business hours; namely, prime shift hours, Monday through Friday, excluding national or statutory holidays.
  • Support for mission-critical (severity 1) problems during non-prime shift hours; namely, all hours outside normal country business hours including national and/or statutory holidays.
  • Two hour response time objective during prime shift for voice and electronic submission. The response objective for critical/emergency problems during offshift is also two hours.
  • Access to hints, tips, and frequently asked questions.
  • Access to escalation management 24 hours a day, 7 days a week.
  • Open Authorized Technical Caller list to submit problems to IBM Support Centers on your behalf. Open to any number of technical specialists within your IS organization. Each caller must be registered through the IBM problem submission Web site in order to submit problems. Problem submission is handled by the Site Technical Contact as listed on the Passport Advantage enrollment form.
  • eCare for Software is an initiative designed to enhance your electronic support experience by providing the following advantages:
    • Single view of IBM distributed software that includes easy/integrated access to the following information and functions:
      • Comprehensive electronic (via the Web) self-help capabilities available 24 hours a day, 7 days a week
      • Advanced search capabilities
      • A single interface to the IBM problem submission/management system for IBM distributed software

Software Maintenance renewals offer you favorable pricing to continue your coverage without interruption.

Basic Machine-Readable Material: The distribution media features in the following table apply to program numbers 5698-PDO, 5698-DO1, and 5698-DO3. To order, select the distribution medium feature for the desired program number.

                         Feature             Distribution
Language                 Number              Medium
 
English                  5809                CD-ROM

Terms and Conditions

Agreement: For orders under 5698-PDO: IBM International Program License Agreement (IPLA), IBM International Agreement for Acquisition of Programs and Support (IIAAPS) and the IBM Attachment for Support, IBM Agreement for Acquisition of Support (IAAS), IBM Addendum for Support (Software Maintenance) for Selected Programs (Z125-6495), and an Order Form.

For orders under Passport Advantage: IBM International Program License Agreement (IPLA), IBM International Passport Advantage Agreement (PAA), and an IBM International Passport Advantage Agreement Enrollment Form.

Transferable: Yes, except for programs acquired at a discount or allowance

Limited Warranty Applies: Yes

Guarantee: 30 day money-back guarantee

Usage Restriction: Yes. Usage is limited to the quantity of processors licensed.

Volume Offering (IVO): No

Upgrade Protection Applies: Covered as long as Software Maintenance is in effect

Educational Allowance Available: Yes, 15% to qualified education institution customers.

Licensed Program Materials Availability:

  • Restricted Materials of IBM: None
  • Non-Restricted Source Materials: None
  • Object Code Only (OCO): All

Maintenance Applies:

  • Software Maintenance under Passport Advantage: Yes
  • Software Maintenance for IBM Tivoli products: Yes

Complimentary Introductory Support: Not available

Program Services and End of Support: Program services for an IBM Tivoli program are one year from the date IBM or your Business Partner makes the program available to you. The program services duration period shall be less than one year for programs acquired after the announcement of a program's end-of-support (EOS) date.

EOS for programs or versions/releases of programs will be announced 12 months prior to the effective date.

Software Maintenance for IBM Tivoli Products and Passport Advantage

Support Center applies: Yes. Access is available through the IBM Support Center, 800-237-5511.

Support Web Site for Problem Reporting:

Availability of Software Maintenance:

  • The first year of Software Maintenance is included with the license at no additional charge. The first year starts when the product is shipped to the customer. For a fee, Software Maintenance can be extended until 3 years from the date of license acquisition.
  • Software Maintenance is available for a 1 year and 3 year renewal for a fee as part of the IAAS, IIAAPS, or any equivalent agreement.

Availability of Passport Advantage Software Maintenance:

  • Passport Advantage Software Maintenance is provided at no additional charge for each eligible program acquired until the first anniversary date. For an additional fee, a license can be acquired with maintenance to the second anniversary date.
  • Passport Advantage Software Maintenance is provided for renewal for a fee at each anniversary date. Customers who do not renew their Software Maintenance will have to purchase the Maintenance after License option to renew their maintenance agreement when they require a new level of software code or remote technical support.

Software Maintenance and Passport Advantage Software Maintenance are available until: Twelve months after announcement of product discontinuance (that is, end of life (EOL))

Software Maintenance and Passport Advantage Software Maintenance are applicable to:

  • The current release
  • The immediate previous release for twelve months after the general availability of the current release

APAR Mailing Address:

    Tivoli Systems Inc.
    11400 Burnet Road
    Austin, TX 78758
    Attention: Product Development

IBM Operational Support Services — Support Line: No

Product Web Site: A complete list of products, terminology definitions, and licensing documents are available at the following Web site:

Prices

Contact your IBM representative for charges information for this announcement.

Order Now

 Use Priority/Reference Code: YE001
 
 Phone:     800-IBM-CALL
 Fax:       800-2IBM-FAX
 Internet:  ibm_direct@vnet.ibm.com
 Mail:      IBM Atlanta Sales Center
            Dept. YE001
            P.O. Box 2690
            Atlanta, GA  30301-2690

You can also contact your local IBM Business Partner or IBM representative. To identify them, call 800-IBM-4YOU.

Note: Shipments will begin after the planned availability date.

Trademarks

 
Tivoli is a registered trademark of International Business Machines Corporation or Tivoli Systems Inc. in the United States or other countries or both.
 
AIX and SecureWay are registered trademarks of International Business Machines Corporation in the United States or other countries or both.
 
Windows NT and Windows are registered trademarks of Microsoft Corporation.
 
Other company, product, and service names may be trademarks or service marks of others.