Tivoli Access Manager for e-Business WebSEAL, Patch 6.0.0-TIV-AWS-FP0022
Abstract
This is a General Availability (GA) patch containing all the fixes since the release of the IBM Tivoli Access Manager for e-Business 6.0 (WebSEAL).
Download Description
*************************************************************************
* Error(s) have been reported against this maintenance vehicle that
* do not cause problems with existing function.
* Please see APAR(s) IZ49134, IZ51600, and IZ56166
* for details.
*************************************************************************
1.0 ABOUT THIS PATCH
--------------------
This patch package contains fixes for problems in the various components that
comprise the Tivoli Access Manager WebSEAL software.
1.1 Patch contents
This patch package contains:
- This README file
- Updated patch packaging
1.2 Architectures
This patch package applies to the following architectures:
Platform Patch
------------ -------
Note: Tivoli Access Manager components for AIX are supported on
32-bit and 64-bit kernels in 32-bit compatibility mode.
Note: Tivoli Access Manager components for HP-UX on Integrity are supported on
64-bit kernels in 32-bit compatibility mode.
HP-UX 11iv1 for PA-RISC
The following patches are required for HP-UX.
For some patches, the order is important, and some
patches will require a reboot of the system:
- Bundle 11i (B.11.11.0306.1)
- GOLDBASE11i quality pack December 2004
- GOLDAPPS11i quality pack December 2004
- GOLDQPK11i_11.11.depot
- PHNE_27796
- PHNE_28895
- Current Transport Optional Upgrade Release (TOUR)
package found on the HP Website.
1) For these four files, first install
GOLDQPK11i_11.11.depot.
2) Then use the script inside
PHNE_27796_28895.depot.tar
to create a depot for those two patches.
3) Finally, install the current TOUR package which will
rebuild the kernel and will reboot the system.
For the Java(TM) Runtime Environment (JRE):
- Patch PHCO_29109
- HP Runtime Environment for J2SE HP-UX 11i platform,
adapted by IBM for IBM Software,
Version 1.4.2 SR2 (hpux142hybrid-20050225-sdk.tar.Z
is the IBM Java Runtime package)
For Global Security Kit (GSKit):
- PHKL_30288
- PHKL_30542
- PHNE_29887
- PHCO_29960
- PHSS_30970 (for GSKit)
For the HP-UX mount command
- PHCO_25841
- PHKL_26269
- PHKL_32035
HP-UX 11iv3 TAM Fix Pack 7 or later
HP-UX 11i v2 for Integrity
The following patches are required for HP-UX on Integrity.
- Base Quality Pack Bundle for HP-UX 11i v2, September 2006
Red Hat Enterprise
Linux Server 5 TAM Fix Pack 09 or later, original GA CD-images will not install.
(x86) NOTE: Fix Packs on Linux platforms are a full install,
so it is not necessary to install the GA version prior
to installing TAM Fix Packs on Linux platforms.
(i.e. full installation using Fix Pack 6.0.0-TIV-TAM-FP0009,
or above can be completed on Red Hat 5 systems without having
to install GA images first.)
Red Hat Enterprise - Update1
Linux Server 5.0 TAM Fix Pack 13 or later, original GA CD-images will not install.
(x86-64 AMD64) NOTE: Fix Packs on Linux platforms are a full install,
so it is not necessary to install the GA version prior
to installing TAM Fix Packs on Linux platforms.
(i.e. full installation using Fix Pack 6.0.0-TIV-TAM-FP0013,
or above can be completed on Red Hat 5 systems without having
to install GA images first.)
SUSE Linux - Service Pack 1
Enterprise Server 9
(x86)
Note: Tivoli Access Manager components for Linux(R) on zSeries(R) are supported
on 64-bit kernels in 31-bit compatibility mode.
Red Hat Enterprise
Linux Server 3.0
(zSeries) - Update 4
Red Hat Enterprise
Linux Server 4.0
(zSeries) - Linux on zSeries requires Update 1 with the following
compat rpms installed:
1. compat-libstdc++-33-3.2.3-47.3.s390.rpm
2. compat-libstdc++-295-2.95.3-81.s390.rpm
Note: DB2(R) 8.1 Fix Pack 9 is required for Red Hat
Linux 4.0.
SUSE LINUX
Enterprise Server 8
(zSeries) - Service Pack 4
Note: SPNEGO requires GLIBC 2.3.
SUSE LINUX
Enterprise Server 9
(zSeries) - Service Pack 1 or Service Pack 2
NOTE: SUSE LINUX is one of four partner companies whose products are
based on UnitedLinux 1.0; other companies being the SCO Group,
Turbolinux, and Conectiva. When SUSE LINUX Enterprise Server (SLES)
is listed as supported, other partner companies' products based on
UnitedLinux 1.0 support is implied as well. For more information,
consult the UnitedLinux Web site.
WebSEAL, using GSKit for SSL communication and key management, provides
interface support for Cryptographic hardware.
The supported crypto cards are listed in "WebSEAL Administration Guide"
Chapter 5,
Section 1 "Cryptographic hardware for encryption and key storage"
In addition to these cards, Tivoli Access Manager for e-business WebSEAL
has certified the use of nCipher's netHSM cryptographic device for key storage
and acceleration.
Tivoli Access Manager for eBusiness (TAMeb) WebSEAL product documentation
currently lists the set of supported cryptographic hardware cards and their
associated configuration steps. Since the release of TAMeb 6.0, the product
has added support for a number of new devices, whilst not necessarily publicly
documenting that support. Hence, this support statement provides a means for
the customer to attain the dynamic up-to-date list of WebSEAL supported hardware
devices, whilst providing clarity around which WebSEAL cryptographic functions
make use of these cards.
WebSEAL's list of supported hardware devices can now be found at the following
location:
This list is maintained by the GSKit component development team. At any one point
in time, this URL will list those devices supported by GSKit. Tivoli product development
will now provide support for any of these devices when used with WebSEAL. WebSEAL can
utilize cryptographic cards to provide hardware acceleration and secure key storage for
specific operations within the WebSEAL product, but the product documentation does not
provide specific information about which operations (and in which connections) can be
off-loaded.
The following statement clarifies the capabilities:
WebSEAL can be configured to accept SSL connections from browsers and to create SSL
connections to back-end junctioned web/proxy servers. These SSL connections make use
of the functions enabled by configuring the following PKCS#11 settings within the WebSEAL
configuration file:
pkcs11-driver-path
pkcs11-token-label
pkcs11-symmetric-cipher-support
pkcs11-token-pwd: This password can be obfuscated using the "pdadmin> config modify"
command.
The WebSEAL server key(s) (for use with browsers via SSL) can be stored on the PKCS#11 device
as the webseal-cert-keyfile-label for the primary interface, and certificate-label for any
additional interfaces. Any keys used for Mutual Authentication (client keys) with SSL
connections to back-end junctioned/proxied servers can be stored in the PKCS#11 device.
The key label is specified on the pdadmin command when creating a junction.
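
The following check is an added example, not part of the original README or of the product: it audits a WebSEAL configuration file for the PKCS#11 keys named above, for a setup where the server key is meant to live on the token. The [ssl] stanza header, the sample values, and the treatment of any pkcs11-token-pwd value left in the file as clear text are assumptions.

```shell
# Added example: audit the PKCS#11 keys named in this README inside a
# WebSEAL configuration file. All sample values below are constructed.

# conf_value FILE KEY: print the value of "KEY = value" (last match wins),
# skipping comment lines that start with '#'.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            pos = index($0, "=")
            if (pos == 0) next
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# audit_pkcs11 FILE: one finding per line; returns 0 only when nothing is flagged.
audit_pkcs11() {
    conf=$1; findings=0
    for key in pkcs11-driver-path pkcs11-token-label webseal-cert-keyfile-label; do
        if [ -z "$(conf_value "$conf" "$key")" ]; then
            echo "MISSING $key"; findings=$((findings + 1))
        fi
    done
    # Assumption: a value still present in the file is stored in clear.
    if [ -n "$(conf_value "$conf" pkcs11-token-pwd)" ]; then
        echo "CLEARTEXT pkcs11-token-pwd: obfuscate with pdadmin config modify"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample configuration; paths, labels and password are placeholders.
sample_conf() {
    cat <<'EOF'
[ssl]
# hardware token settings
pkcs11-driver-path = /opt/example/lib/libpkcs11-example.so
pkcs11-token-label =
pkcs11-token-pwd = example-token-password
webseal-cert-keyfile-label = WebSEAL-Example-Cert
EOF
}

tmp=$(mktemp); sample_conf > "$tmp"
audit_pkcs11 "$tmp" || echo "findings above need review"
rm -f "$tmp"
```
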
The following product functions/features do not currently support cryptographic hardware
integration:
a) Symmetric key operations (including key storage) such as eCSSO, CDSSO, LTPA, as
well as any other SSL connections.
b) Any cryptographic operations (including certificate/key storage) performed when
using SSL between the TAMeb directory client and directory server.
c) Any cryptographic operations (including certificate/key storage) performed when
TAMeb components communicate as part of authorization database management
(pdadmin or database replication).
d) Any cryptographic operations (including certificate/key storage) performed when
using SSL between WebSEAL and the TAMeb session management server.
IBM Tivoli Access Manager Base, Version 6.0 with patch 6.0.0-TIV-TAM-FP0022
IBM Tivoli Access Manager Web Security Runtime, Version 6.0
IBM Tivoli Access Manager WebSEAL, Version 6.0
GSKit Version 7.0.4.20
NOTE: IBM Tivoli Access Manager Base, Version 6.0 patch 6.0.0-TIV-TAM-FP0022
needs to be installed on the same system where this patch will
be installed. Refer to the 6.0.0-TIV-TAM-FP0022.README for
information about how to install that patch.
2.0 APARS AND DEFECTS FIXED
---------------------------
Because patches are cumulative, this patch corrects all the problems
outlined in the following sections.
2.1 Problems fixed by patch 6.0.0-TIV-AWS-FP0022
APAR IZ21164
Symptom: WebSEAL stability fix.
APAR IZ30092
Symptom: redirect-using-relative option does not function as
expected for directory trailing slash redirects
APAR IZ31066
Symptom: If a junction server entry is created on a nonstandard
port, but with a virtual hostname which does not include it
(such as for use with a CSS switch), the Host header sent to
the junctioned server will not include the nonstandard port.
APAR IZ37098
Symptom: When using the query_contents.sh program from a command
prompt on a UNIX server, the script fails with return
code 101; code was not checking script parameters passed as
command line arguments
Please refer to the full README available for download at the link below for complete installation instructions:
3.0 BEFORE INSTALLING THIS PATCH
--------------------------------
Before installing this patch, review the following prerequisites and
dependencies.
3.1 Back up Tivoli Access Manager data
Before applying any maintenance, be sure to back up your system. Use
the pdbackup command provided with the Tivoli Access Manager product
to back up Tivoli Access Manager-specific data. Documentation for the
pdbackup command is located in the "IBM Tivoli Access Manager Command
Reference, Version 6.0."
3.2 Upgrade GSKit to Version 7.0.4.20
Upgrade the IBM Global Security Toolkit (GSKit) to version 7.0.4.20
BEFORE installing the Tivoli Access Manager packages in this patch.
The updated GSKit installation packages may be downloaded at the URL:
After downloading the updated GSKit installation packages, use the
instructions located in the 6.0.0-TIV-TAM-FP0022.README to install the upgraded
GSKit packages.
4.0 INSTALLING THIS PATCH
-------------------------
Before installing this patch, be sure that you have reviewed the
prerequisites and have completed the back up procedure in section 3.0,
"BEFORE INSTALLING THIS PATCH".
If the Tivoli Access Manager product is distributed over multiple machines,
this patch must be applied to all WebSEAL systems within a secure domain.
This README assumes that $PATCH (or %PATCH% for Windows) is the path to
your temporary directory.
4.1 Installing this patch on AIX systems
1. Log in to the system as root.
2. Extract the archive into a temporary directory. For the
purpose of this README, assume that the symbol $PATCH
points to this temporary directory.
3. Stop the Tivoli Access Manager processes:
/opt/pdweb/bin/pdweb_start stop
4. At the command prompt, enter the following command for each package
installed on the system:
installp -a -g -X -d $PATCH <package>
where <package> is one of the following:
PDWeb.RTE Specifies the Access Manager Web Security Runtime
PDWeb.ADK Specifies the Access Manager Web ADK package
PDWeb.Web Specifies the Access Manager WebSEAL Server
5. Restart the Tivoli Access Manager processes:
/opt/pdweb/bin/pdweb_start start
4.2 Installing this patch on HP-UX systems
1. Log in to the system as root.
2. Extract the archive into a temporary directory. For the
purpose of this README, assume that the symbol $PATCH
points to this temporary directory.
3. Stop the Tivoli Access Manager processes:
/opt/pdweb/bin/pdweb_start stop
4. At the command prompt, enter the following:
swinstall -s $PATCH/<package> <patch>
where <package> and <patch> are one of the pairs
from the following table:
Note:
If Tivoli Access Manager is already configured, you
might need to install with the --noscripts flag:
rpm -U --noscripts <patchname>
5. Restart the Tivoli Access Manager processes:
/opt/pdweb/bin/pdweb_start start
4.4 Installing this patch on Sun Solaris Operating Environment systems
1. Log in to the system as root.
2. Extract the archive into a temporary directory. For the
purpose of this README, assume that the symbol $PATCH
points to this temporary directory.
3. Stop the Tivoli Access Manager processes:
/opt/pdweb/bin/pdweb_start stop
4. At the command prompt, enter the following:
cd $PATCH
For Solaris 8 and 9:
patchadd <package>
For Solaris 10 and above:
patchadd -t <package>
where <package> is one of the following:
PDWEBRTE000600-22 Specifies the Access Manager Web Security Runtime
PDWEBADK000600-22 Specifies the Access Manager Web ADK package
PDWEB000600-22 Specifies the TAM WebSEAL Server
5. Restart the Tivoli Access Manager processes:
/opt/pdweb/bin/pdweb_start start
4.5 Installing this patch on Windows systems
1. Log in to the Windows system as the Administrator.
2. If running WebSEAL, shut down the Tivoli Access Manager WebSEAL
server:
a. From Control Panel -> Services click Access Manager
WebSEAL Server and then click Stop.
b. To confirm this action, click Yes.
3. Unpack the self-extracting archive into a temporary directory.
It will unpack under the sub-folder name 6.0.0-TIV-AWS-FP0022.
For the purpose of this README, assume that %PATCH% points to this
temporary directory including the 6.0.0-TIV-AWS-FP0022 sub-folder.
4. Change to the patch directory and run the install command:
cd %PATCH%
6.0.0-TIV-AWS-FP0022-WIN.exe
For each component to apply service to, run the following command:
<component directory>/Disk Images/Disk1/setup.exe
List of component directory names.
PDWebRTE Specifies the Access Manager Web Security Runtime
PDWebADK Specifies the Access Manager Web ADK package
PDWeb Specifies the TAM WebSEAL Server
Note: If, for any reason, you have to reboot your system to
complete this installation (for example, to overcome a
shared DLLs problem), you might subsequently encounter a
problem running the Web Portal Manager to access the console.
If this happens, confirm that the WebSphere service is
running. The WebSphere service is installed in manual startup
mode and might not be running after a reboot.
5. Restart the Tivoli Access Manager WebSEAL server (if applicable):
From the Windows Start menu, click:
a. Settings -> Control Panel -> Administrative Tools -> Services
b. Click Access Manager WebSEAL Server -> Start
c. Click IBM WS AdminServer -> Start
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.