Tivoli Access Manager for e-Business WebSEAL, Patch 6.1.1-TIV-AWS-FP0001

1.0 ABOUT THIS PATCH

--------------------
This patch package contains fixes for problems in the various components that
comprise the Tivoli Access Manager WebSEAL software.


1.1 Patch contents

This patch package contains:

- This README file
- Update patch packaging


1.2 Architectures

This patch package applies to the following architectures:

Platform Patch
------------ --------------------------------------------

Note: Tivoli Access Manager components for AIX are supported on
32-bit and 64-bit kernels in 32-bit compatibility mode.

AIX

5.2 - AIX Technology Level (TL) 5200-08 or above
- AIX Service Pack (SP) 5200-08-2 or above

5.3 - AIX Technology Level (TL) 5300-04 or above
- AIX Service Pack (SP) 5200-08-2 or above

6.1 - none
6.1 WPAR - none


HP-UX

The following patches are required for HP-UX.

11iv2 (B.11.23)
PA-RISC
- PHSS_33449
- PHSS_33450
- PHSS_33405

Integrity
- PHSS_34859
- PHSS_35978

11iv3 (B.11.31)
PA-RISC
- PHSS_33449
- PHSS_33450
- PHSS_33405

Integrity
- PHSS_34859
- PHSS_35978


Note: Tivoli Access Manager components for Solaris on x86-64 architecture are
supported on 64-bit AMD64 systems.

Solaris

Solaris 9

SunSparc - Recommended Patch Cluster of Dec 2007

Solaris 10

SunSparc
Global/Local Zones - Recommended Patch Cluster of Dec 2007

x86-64
Global/Local Zones - none


Note: Tivoli Access Manager components for Linux on x86-64 architecture are
supported on 64-bit AMD64/EM64T systems.


Red Hat Enterprise

Linux Server 4.0
x86 and x86-64 - Update 5

Linux Server 5.0
x86 and x86-64 - none

SUSE Linux

Enterprise Server 9
x86 and x86-64 - Service Pack 2

Enterprise Server 10
x86 and x86-64 - none


Note: Tivoli Access Manager components for Linux on zSeries are supported on
64-bit kernels in 31-bit compatibility mode.

Red Hat Enterprise

Linux Server 4.0
(zSeries) - Update 5 or above
compat-libstdc++-295-2.95.3-81.s390.rpm or higher version
compat-libstdc++-295-2.95.3-81.s390x.rpm or higher version
compat-libstdc++-33-3.2.3-47.3.s390.rpm or higher version
compat-libstdc++-33-3.2.3-47.3.s390x.rpm or higher version
Linux Server 5.0
(zSeries) - compat-libstdc++-295-2.95.3-81.s390.rpm or higher version
compat-libstdc++-295-2.95.3-81.s390x.rpm or higher version
compat-libstdc++-33-3.2.3-47.3.s390.rpm or higher version
compat-libstdc++-33-3.2.3-47.3.s390x.rpm or higher version

SUSE Linux
Enterprise Server 9
(zSeries) - Service Pack 3 or above
compat-2004.7.1-1.2.s390x.rpm or higher version
compat-32bit-9-200407011411.s390x.rpm or higher version

Enterprise Server 10
(zSeries) - compat-2006.1.25-11.2.s390x.rpm or higher version
compat-32bit-2006.1.25-11.2.s390x.rpm or higher version


Note: Tivoli Access Manager components for Windows Servers are supported
on AMD64/EM64T systems with 64-bit kernels in 32-bit compatibility mode.

Windows Server 2003
Standard & Enterprise Edition
x86 - Service Pack 2
x86-64 - Service Pack 2

Windows Server 2008
Standard & Enterprise Edition
x86 - none
x86-64 - none
_______________________________________________________________________

Virtualized Environments:

z/VM 6.1 on System z10 Processor TAM611 Fix Pack 01
Resource/Systems Manager

AIX 6.1 on POWER7 PowerVM TAM611 Fix Pack 01
for both POWER7 mode and
POWER6 compatibility mode
(Requires upgrade to ITDS 6.1
Fixpack 5 for POWER7 mode)

Red Hat Enterprise Linux Server TAM611 Fix Pack 01
5.0 Update 4 x86 on
Red Hat Enterprise Linux Server
5.0 Update 4 with
Kernel-Based Virtual Machine
(KVM) Hypervisor

Windows Server 2003 Service Pack 2 TAM611 Fix Pack 01
Standard & Enterprise Edition x86,
Windows Server 2008
Standard & Enterprise Edition x86,
Red Hat Enterprise Linux Server
4.0 Update 5 x86,
Red Hat Enterprise Linux Server
5.0 x86
on VMWare ESX and ESXi 4.0
________________________________________________________________________

1.3 Patches superseded

All patches are cumulative unless otherwise explicitly stated.

Patches superseded by this patch:
None.

1.4 Dependencies

IBM Tivoli Access Manager Base, Version 6.1.1 with patch 6.1.1-TIV-TAM-FP0001
IBM Tivoli Access Manager Web Security Runtime, Version 6.1.1
IBM Tivoli Access Manager WebSEAL, Version 6.1.1

NOTE: IBM Tivoli Access Manager Base, Version 6.1.1 patch 6.1.1-TIV-TAM-FP0001
needs to be installed on the same system where this patch will
be installed. Refer to the 6.1.1-TIV-TAM-FP0001.README for
information about how to install that patch.



2.0 APARS AND DEFECTS FIXED
---------------------------
Because patches are cumulative, this patch corrects all the problems
outlined in the following sections.

2.1 Problems fixed by patch 6.1.1-TIV-AWS-FP0001

APAR IZ90402
Symptom: If an application on a server junctioned behind WebSEAL uses
the Referer header passed to it to construct a link in a
page it returns, the link is filtered by WebSEAL to add the
junction path. If the Referer was from the same junction
server, then it is passed to the junctioned server with the
junction path already in it. Thus when WebSEAL filters the
contructed page link it adds the path for a second time which
causes an incorrect link to be returned in the page to the
browser.

APAR IZ90403
Symptom: Headers containg a content length value beginning with
leading zeros failed to load the entire document.

APAR IZ90408
Symptom: WebSEAL will not start correctly if the SMS tracing is enabled
using the trace routing file.

APAR IZ90134
Symptom: Inline java script strings which contain an embedded 'http'
string is always filtered.

APAR IZ90420
Symptom: When WebSEAL receives a quoted cookie value which contains the
semi-colon character (;), WebSEAL will incorrectly treat the
semi-colon as a terminator and truncate the cookie value.

APAR IZ86659
Symptom: The WebSEAL cookie jar does not replace cookies with the same
name. This means that if a particular cookie is received twice
the cookie jar will store this as two separate cookies.

APAR IZ91636
Symptom: WebSEAL's ability to limit threads on a per-session basis.

APAR IZ91635
Symptom: The template WebSEAL configuration file was missing information
on two new configuration items, both within the '[server]' stanza:
max-file-descriptors and disable-timeout-reduction.

APAR IZ91620
Symptom: WebSEAL security update.

IBM Global Security Toolkit (GSKit) version 7.0.4.28

Please refer to the full README available for download at the link below for complete installation instructions:

3.0 BEFORE INSTALLING THIS PATCH
--------------------------------
Before installing this patch, review the following prerequisites and
dependencies.


3.1 Back up Tivoli Access Manager data

Before applying any maintenance, be sure to back up your system. Use
the 'pdbackup' command provided with the Tivoli Access Manager product
to back up Tivoli Access Manager-specific data. Documentation for the
'pdbackup' command is located in the "IBM Tivoli Access Manager Command
Reference."




4.0 INSTALLING THIS PATCH
-------------------------

Before installing this patch, be sure that you have reviewed the
prerequisites and have completed the back up procedure in section 3.0,
"BEFORE INSTALLING THIS PATCH".

If the Tivoli Access Manager product is distributed over multiple machines,
this patch must be applied to all WebSEAL systems within a secure domain.

This README assumes that $PATCH (or %PATCH% for Windows) is the path to
your temporary directory.


4.1 Installing this patch on AIX systems

1. Log in to the system as root.

2. Extract the archive into a temporary directory. For the
purpose of this README, assume that the symbol $PATCH
points to this temporary directory.

3. Stop the Tivoli Access Manager processes:

/opt/pdweb/bin/pdweb_start stop

4. At the command prompt, enter the following:

installp -a -g -X -d $PATCH <package>

where <package> is:

PDWeb.RTE
5. Restart the Tivoli Access Manager processes:

/opt/pdweb/bin/pdweb_start start


4.2 Installing this patch on HP-UX systems


1. Log in to the system as root.

2. Extract the archive into a temporary directory. For the
purpose of this README, assume that the symbol $PATCH
points to this temporary directory.

3. Stop the Tivoli Access Manager processes:

/opt/pdweb/bin/pdweb_start stop

4. At the command prompt, enter the following:

swinstall -s $PATCH/<package> <patch>

where <package> and <patch> are:

<package> <patch>
------------------------------ -------------
PDWEB000611-@FIXLEVEL2@.depot PDWeb

5. Restart the Tivoli Access Manager processes:

/opt/pdweb/bin/pdweb_start start


4.3 Installing this patch on Linux systems


1. Log in to the system as root.

2. Extract the archive into a temporary directory. For the
purpose of this README, assume that the symbol $PATCH
points to this temporary directory.

3. Stop the Tivoli Access Manager processes.

/opt/pdweb/bin/pdweb_start stop

4. At the command prompt, enter the following:

rpm -U <patchname>

where <patchname> is one of the following:

Linux on xSeries(R)

PDWeb-PD-6.1.1-@FIXLEVEL@.i386.rpm

Linux on zSeries

PDWeb-PD-6.1.1-@FIXLEVEL@.s390.rpm

Linux on pSeries(R) and iSeries(TM)

PDWeb-PD-6.1.1-@FIXLEVEL@.ppc.rpm

Note:
If Tivoli Access Manager is already configured, you
might need to install with the --noscripts flag:

rpm -U --noscripts <patchname>

5. Restart the Tivoli Access Manager processes:

/opt/pdweb/bin/pdweb_start start




4.4 Installing this patch on Sun Solaris Operating Environment systems

1. Log in to the system as root.

2. Extract the archive into a temporary directory. For the
purpose of this README, assume that the symbol $PATCH
points to this temporary directory.

3. Stop the Tivoli Access Manager processes:

/opt/pdweb/bin/pdweb_start stop

4. At the command prompt, enter the following:

cd $PATCH

Solaris 9:
patchadd <package>

Solaris 10 and above:
patchadd -t <package>

where <package> is:


PDWEB000611-@FIXLEVEL2@


5. Restart the Tivoli Access Manager processes:

/opt/pdweb/bin/pdweb_start start




4.5 Installing this patch on Windows systems

1. Log in to the Windows system as the Administrator.

2. Shut down the Tivoli Access Manager WebSEAL server:
a. Click 'Control Panel' > 'Services'
b. Click 'Access Manager WebSEAL Server' > 'Stop'.
c. To confirm this action, click 'Yes'.

3. Unpack the self-extracting archive into a temporary
directory. For the purpose of this README, assume that
%PATCH% points to this temporary directory.

4. Change to the patch directory and run the install command:

cd %PATCH%
@PATCHID@-WIN.exe

Note: If for any reason, you have to reboot your system to
complete this installation (for example, to overcome a
shared DLLs problem), you might subsequently encounter a
problem running the Web Portal Manager to access the console.
If this happens, confirm that the WebSphere service is
running. The WebSphere service is installed in manual startup
mode and might not be running after a reboot.

5. Restart the Tivoli Access Manager WebSEAL server:

From the Windows Start menu, click:

a. 'Settings' > 'Control Panel' > 'Administrative Tools' > 'Service'.
b. Click 'Access Manager WebSEAL Server' > 'Start'.
c. Click 'IBM WS AdminServer' > 'Start'.

N/A