IBM United States
Software Announcement 202-088
April 9, 2002
IBM Tivoli Access Manager for Operating Systems V3.8 Manages and Extends Access Control to UNIX and Linux Systems
At a Glance
IBM Tivoli Access Manager for Operating Systems V3.8 delivers:
For ordering, contact:
Your IBM representative, an IBM Business Partner, or IBM Americas Call Centers at 800-IBM-CALL (Reference: YE001).
Tivoli® Access Manager for Operating Systems, previously a component of Tivoli Security Manager, is now available as a separate product. Version 3 Release 8 (V3.8) of IBM Tivoli Access Manager for Operating Systems includes enhanced security, helps save administrative time, and lets access management be delegated to suitable administrators.
IBM Tivoli Access Manager for Operating Systems V3.8 provides:
Tivoli Access Manager for Operating Systems V3.8 provides a security server engine for UNIX and Red Hat Linux systems. This engine provides security services to one or more users of a UNIX or Red Hat Linux system.
UNIX and Red Hat Linux operating systems often form the base of major applications, both internal and Web-based. Controlling access to these operating systems can be essential for ensuring high availability of these applications. However, conventional UNIX operating-system design requires a super user ID (usually a single predefined ID, also called a root user, with a unique level of privilege that allows bypass of standard UNIX security checks) for most administrative operations. This can open the UNIX platform to vulnerabilities, because a super user gains access capabilities with few, if any, restrictions. Also, with the complexity of managing access to UNIX operating systems from multiple vendors, UNIX security can become as expensive as it is risk-laden. Tivoli Access Manager for Operating Systems V3.8 offers a policy-based solution with integration into the wider security and management portfolio offered by IBM.
Tivoli Access Manager for Operating Systems V3.8 is an access enforcement engine that extends standard UNIX security to add major access control capability for every user in the operating system. It intercepts system calls and uses the accessor information to make a policy decision on whether the access should proceed. This is achieved through standard hooks into the operating system that avoid the need for kernel re-compiles or complicated install mechanisms. Once installed, Tivoli Access Manager for Operating Systems V3.8 can be switched on or off by an authorized user through a single command; or it can be operated in a warning mode where it does not enforce any policy, but tracks significant resources and logs all related access requests. Secure logging helps ensure a reliable audit trail and the watchdog capability can provide extra protection for critical files and executables by restricting access if a change is made in an unauthorized manner.
UNIX and Red Hat Linux system access control is made difficult by the super user (root) administration model. A UNIX system requires a user to operate as a root user to perform privileged functions, but then provides no distinction between the kinds of privileged functions that a root user can perform. Many vulnerabilities in a UNIX system stem from attacks that result in a user gaining root access. IBM Tivoli Access Manager for Operating Systems V3.8 protects against this in two major ways:
Applications provide their own level of access control. For example, a database application may provide table-level access controls. The ability to determine table-level access in a database is a commendable security measure, but it is ineffective if a root user can simply delete the file system on which the database resides. An unrestricted root user can also modify or destroy audit and other records that would otherwise show what had happened. Tivoli Access Manager for Operating Systems V3.8 can help prevent this kind of damage, whether malicious or accidental.
Tivoli Access Manager for Operating Systems V3.8 is based on IBM Tivoli Policy Director technology and provides a centralized administration server (known as the Access Manager management server). The access control and user account repositories for Tivoli Access Manager for Operating Systems V3.8 are maintained in this secure Access Manager management server with data cached locally in a secure manner to help ensure optimum performance and reliability. Tivoli Access Manager for Operating Systems V3.8 is supported to interact with a V3.9 management server. It updates the Access Manager management server to V3.9.
Tivoli Access Manager for Operating Systems V3.8 can provide significant performance improvements over previous IBM Tivoli UNIX solutions through a multi-threaded design. It can also utilize integration capability with IBM Tivoli Identity Director to manage UNIX system access control in a role-based environment alongside other operating systems and applications. UNIX operating system resources that can be protected are defined by resource types such as File, NetOutgoing, NetIncoming, Login, Surrogate, and TCB.
A policy can also be set to enhance the security of the login process. For example, Tivoli Access Manager for Operating Systems V3.8 can lock out a user after multiple login failures due to a bad password.
The IBM Tivoli Policy Director management server represents the core technology for IBM Tivoli security products. This sophisticated and versatile security server provides access control implementations for many environments. Examples include Web traffic, IBM MQSeries® messaging, and securing custom applications through the publication of an industry-standard Application Programming Interface (API). All components of the management server and the Web GUI required to manage IBM Tivoli Access Manager for Operating Systems V3.8 are included in Tivoli Access Manager for Operating Systems V3.8.
If you are licensed for Tivoli Security Manager and your IBM Tivoli Support or Passport Advantage Software Maintenance contract is current, you are entitled to migrate to Tivoli Access Manager for Operating Systems V3.8, at no charge. The migration must be completed by September 30, 2002, and it is for the environment that is currently licensed only. Once you migrate to Tivoli Access Manager for Operating Systems V3.8, Software Maintenance must remain in effect for entitlement to updates for Tivoli Access Manager for Operating Systems V3.8. If there is a lapse in Software Maintenance, you must order Software Maintenance after license to again be entitled to updates.
If you have IBM Tivoli Support or Passport Advantage Software Maintenance in effect, and have not yet migrated to Tivoli Access Manager for Operating Systems V3.8, you are entitled to updated code for IBM Tivoli Access Manager for Operating Systems V3.8 as it becomes available. You are entitled to use all components of Tivoli Access Manager for Operating Systems V3.8 to the extent covered in your current licensing.
For example, if you have acquired Tivoli Management Points for Tivoli Security Manager and you are current on your Tivoli Support or Passport Advantage Software Maintenance, you are entitled to use all components of Tivoli Access Manager for Operating Systems V3.8 under the existing IBM Tivoli terms and conditions of your Tivoli Security Manager licensing.
If you are licensed for Tivoli Security Manager but do not have a current IBM Tivoli Support or Passport Advantage Software Maintenance contract in effect at the time of withdrawal of IBM Tivoli Support and Passport Advantage Software Maintenance for Tivoli Security Manager, you will have to acquire a license for Tivoli Access Manager for Operating Systems to be entitled to updates.
Tivoli Security Manager will be withdrawn from ordering effective May 9, 2002, and related Tivoli Support feature numbers and Passport Advantage Software Maintenance part numbers for these products will be withdrawn from ordering effective September 30, 2002.
Refer to Withdrawal Announcement
, dated April 9, 2002.
This program is not impacted by euro currency.
Training is available for many IBM Tivoli® products. Education is offered through IBM Education and Training, and through IBM Tivoli Systems. Worldwide information about education offerings is available on the IBM Education and Training home page at:
For current information on IBM Tivoli Systems education, call 512-436-8000, or visit the IBM Tivoli Systems home page at:
Product information will be available on day of announcement through Offering Information (OITOOL) at:
One copy of the following publication will be supplied with the basic machine-readable material in English and translated languages:
Title                                                Order Number
Tivoli Policy Director for Operating Systems V3.8    GI11-0896
  README First
The following publications are included in English and translated languages in displayable softcopy form on a CD-ROM shipped with the product on the planned availability date.
Note: IBM Tivoli Access Manager for Operating Systems V3.8 includes the IBM Tivoli Access Manager for e-business management server and the IBM Tivoli Access Manager for e-business Web portal manager. The documentation for the management server and for the Web portal manager is also included, in U.S. English, on the product CD-ROMs and can be downloaded in other languages from the Web site shown below.
The publications listed below can be downloaded in English in softcopy from the following Web site on the planned availability date:
Title                                                Order Number    Language
Tivoli Policy Director for Operating Systems V3.8    GC32-0795       English
  Administration Guide
Tivoli Policy Director for Operating Systems V3.8    GC32-0796       English
  Installation Guide
Tivoli Policy Director for Operating Systems V3.8    GI11-0885       English
  Release Notes
Specified Operating Environment
Hardware platforms supporting the operating systems at the software
levels stated in the
IBM Tivoli Access Manager for Operating Systems V3.8 runs on the following operating systems:
Note: IBM Tivoli Access Manager for Operating Systems V3.8 includes the IBM Tivoli Access Manager for e-business management server. At least one management server is required in an IBM Tivoli Access Manager for Operating Systems V3.8 implementation. The IBM Tivoli Access Manager for e-business management server runs on the following operating systems:
The Web portal manager (which provides a Web management interface) is a Web server-based application that runs on the following Web servers:
Security, Auditability, and Control
IBM Tivoli Access Manager for Operating Systems V3.8 relies on the security and auditability features of the operating system software.
The customer is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communication facilities.
Passport Advantage Customer: Media Pack Entitlement Details
Customers with active maintenance or subscription for Tivoli SecureWay® Security Manager are entitled to receive the following media pack.
Media Pack Description                               Part Number
IBM Tivoli Access Manager for Operating Systems      BJ03DML
  V3.8 Media Pack -- Multi-lingual
Orders for new licenses will be accepted now.
Shipment will begin on the planned availability date.
Ordering Information for Passport Advantage: Passport Advantage allows you to have a common anniversary date for Software Maintenance renewals, which can simplify management and budgeting for eligible new versions and releases (and for related technical support) for your covered products. The anniversary date, established at the start of your Passport Advantage Agreement, recurs on an annual basis while your Passport Advantage Agreement remains in effect. However, regardless of when Software Maintenance is acquired, the coverage period for Software Maintenance is always up to the anniversary date specified in the acquisition.
Refer to the IBM International Passport Advantage Agreement and to the IBM Software Maintenance Handbook for specific terms relating to, and a more complete description of, technical support provided through Software Maintenance.
The quantity to be specified for the Passport Advantage part numbers in the following table is per processor. To order for Passport Advantage, specify the desired part number and quantity.
Description                                          Part Number
IBM Tivoli Access Manager for Operating Systems      D512TLL
  License and Software Maintenance 1st Anniversary
IBM Tivoli Access Manager for Operating Systems      D512ULL
  License and Software Maintenance 2nd Anniversary
IBM Tivoli Access Manager for Operating Systems      E009QLL
  Software Maintenance Renewal to Anniversary Date
IBM Tivoli Access Manager for Operating Systems      D512VLL
  Software Maintenance after License to
  Anniversary Date
To order a media pack for Passport Advantage, specify the part number in the desired quantity from the following table:
Description                                          Part Number
IBM Tivoli Access Manager for Operating Systems      BJ03DML
  V3.8 Media Pack -- Multi-lingual
In addition, IBM Tivoli Access Manager for Operating Systems V3.8 is available for download from Passport Advantage on April 26, 2002.
Ordering Information for 5698-PDO: To order a basic license, specify the program number and the feature number of the desired distribution medium. Also, specify the one-time charge feature number in the quantity desired (maximum quantity of 250).
The quantity to be specified for the features in the following table is per processor.
Use the following table to order the program products listed below:
Product     Product Name                             Processors
Number                                               Qty 1     Qty 250
5698-PDO    IBM Tivoli Access Manager for            2803      2804
            Operating Systems V3.8
This software license includes Software Maintenance, previously referred to as Software Subscription and Technical Support.
Extending coverage for a total of three years from date of acquisition may be elected. Order the program number, feature number, and quantity to extend coverage for your software licenses. If maintenance has expired, specify the after license feature number.
IBM Tivoli Access Manager for Operating Systems V3.8
Maintenance IASP PID 1 Year: 5698-DO1
Description                                          Feature Number
                                                     Qty 1     Qty 250
Use authorizations (to be ordered in quantity):
Software Maintenance No Charge Registration          2845      2846
Software Maintenance 1 Year Renewal                  2795      2796
Software Maintenance 1 Year After License            2797      2798
Maintenance IASP PID 3 Year: 5698-DO3
Description                                          Feature Number
                                                     Qty 1     Qty 250
Use authorizations (to be ordered in quantity):
Software Maintenance 3 Year Registration             2789      2790
Software Maintenance 3 Year Renewal                  2791      2792
Software Maintenance 3 Year After License            2793      2794
Software Maintenance is included with each product authorization acquired. Software Maintenance provides an easy and effective way by which you have access, during the coverage period, to eligible new versions and releases and to remote technical support for your covered products.
The technical support included in Software Maintenance provides remote support during normal business hours in your country or location as well as access to escalation management 24 hours a day, 7 days a week, for mission-critical (severity 1) problems.
With Software Maintenance, you receive the following technical support benefits:
Software Maintenance renewals offer you favorable pricing to continue your coverage without interruption.
Basic Machine-Readable Material: The distribution media features in the following table apply to program numbers 5698-PDO, 5698-DO1, and 5698-DO3. To order, select the distribution medium feature for the desired program number.
Language    Feature Number    Distribution Medium
English     5809              CD-ROM
Terms and Conditions
Agreement: For orders under 5698-PDO: IBM International Program License Agreement (IPLA), IBM International Agreement for Acquisition of Programs and Support (IIAAPS) and the IBM Attachment for Support, IBM Agreement for Acquisition of Support (IAAS), IBM Addendum for Support (Software Maintenance) for Selected Programs (Z125-6495), and an Order Form.
For orders under Passport Advantage: IBM International Program License Agreement (IPLA), IBM International Passport Advantage Agreement (PAA), and an IBM International Passport Advantage Agreement Enrollment Form.
Program Services and End of Support: Program services for an IBM Tivoli program are one year from the date IBM or your Business Partner makes the program available to you. The program services duration period shall be less than one year for programs acquired after the announcement of a program's end-of-support (EOS) date.
EOS for programs or versions/releases of programs will be announced 12 months prior to the effective date.
Software Maintenance for IBM Tivoli Products and Passport Advantage
11400 Burnet Road
Austin, TX 78758
Attention: Product Development
Use Priority/Reference Code: YE001
Phone: 800-IBM-CALL
Fax: 800-2IBM-FAX
Internet: email@example.com
Mail: IBM Atlanta Sales Center
      Dept. YE001
      P.O. Box 2690
      Atlanta, GA 30301-2690
You can also contact your local IBM Business Partner or IBM representative. To identify them, call 800-IBM-4YOU.
Note: Shipments will begin after the planned availability date.