IBM Support

Tivoli Federated Identity Manager 6.2.1 Fixpack 4 (6.2.1-TIV-TFIM-FP0004)

Download


Abstract

This is a cumulative Fix Pack (FP) patch for a variety of problems in the
components that compose the TFIM 6.2.1 product. It upgrades a TFIM 6.2.1
installation to TFIM 6.2.1.4.

Download Description

This cumulative fix pack corrects problems in IBM Tivoli Federated Identity Manager (Federated Identity Manager), Version 6.2.1. It requires that Federated Identity Manager, Version 6.2.1, be installed. After installing this fix pack, your Federated Identity Manager installation will be at level 6.2.1.4.


IMPORTANT NOTICE

Potential cross-site scripting vulnerability via macros in event page template files

Some IBM Tivoli Federated Identity Manager page macros might be vulnerable to cross-site scripting attacks when their values are not properly encoded. Contact IBM Support for the list of macros that might be subject to this issue. To remediate this, add the macros provided by IBM Support to the list of comma-separated tokens in the runtime custom property SPS.PageFactory.HtmlEscapedTokens. Add these macros so that their values are HTML-escaped in the template files. For example, if the list of macros provided is:

  • @EXAMPLE_MACRO1@
  • @EXAMPLE_MACRO2@
  • @EXAMPLE_MACRO3@

the value of the runtime custom property SPS.PageFactory.HtmlEscapedTokens with the above macros added can be:

@REQ_ADDR@,@DETAIL@,@EXCEPTION_STACK@,@EXCEPTION_MSG@,@RESPONSE@,@TARGET@,@DETAIL@,@SAMLSTATUS@,@EXAMPLE_MACRO1@,@EXAMPLE_MACRO2@,@EXAMPLE_MACRO3@

NOTE: Other macros that are prone to cross-site scripting vulnerability can also be added to SPS.PageFactory.HtmlEscapedTokens. The value of this runtime custom property will be revised periodically and updated as needed. For more information regarding the runtime custom property, access http://www-01.ibm.com/support/knowledgecenter/SSZSXU_6.2.1/com.ibm.tivoli.fim.doc_6.2.1/reference/CustomPropsSPS.html.
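The following is an added illustration, not code from the fix pack or from Tivoli Federated Identity Manager itself, of why the property above matters: a template renderer that substitutes @NAME@ macros and HTML-escapes only those tokens listed in SPS.PageFactory.HtmlEscapedTokens, plus a small audit helper that reports macros a template uses but the property does not cover. It assumes the property value is a plain comma-separated list of tokens, as the notice shows; the @EXAMPLE_MACRO1@ style names are the notice's own placeholders, and the template fragment and macro values are constructed sample input.

```python
import html
import re

# Constructed value of the SPS.PageFactory.HtmlEscapedTokens runtime custom
# property, built from the list shown in the notice above. The @EXAMPLE_MACRO*@
# names are the placeholders used by the notice, not real TFIM macro names.
HTML_ESCAPED_TOKENS = (
    "@REQ_ADDR@,@DETAIL@,@EXCEPTION_STACK@,@EXCEPTION_MSG@,@RESPONSE@,"
    "@TARGET@,@DETAIL@,@SAMLSTATUS@,@EXAMPLE_MACRO1@,@EXAMPLE_MACRO2@,"
    "@EXAMPLE_MACRO3@"
)

# Matches macro tokens of the form @NAME@ (or @TOKEN:Name@) in a template.
MACRO_RE = re.compile(r"@[A-Za-z0-9_:]+@")


def parse_escaped_tokens(value: str) -> set[str]:
    """Split the comma-separated property value into a set of macro tokens.

    Duplicates (the notice's value lists @DETAIL@ twice) collapse naturally.
    """
    return {token.strip() for token in value.split(",") if token.strip()}


def render_template(template: str, values: dict[str, str], escaped: set[str]) -> str:
    """Substitute macros into a template, HTML-escaping only the listed tokens.

    A macro whose token is not in the escaped set is written into the page
    verbatim, which is the exposure the notice describes when the value is
    attacker-influenced (for example, an echoed request parameter).
    """
    def substitute(match: re.Match) -> str:
        token = match.group(0)
        if token not in values:
            return token  # unknown macro is left untouched, as a template would show it
        raw = values[token]
        return html.escape(raw, quote=True) if token in escaped else raw

    return MACRO_RE.sub(substitute, template)


def unescaped_macros(template: str, escaped: set[str]) -> list[str]:
    """Audit helper: macros used in a template that the property does not escape."""
    found: list[str] = []
    for token in MACRO_RE.findall(template):
        if token not in escaped and token not in found:
            found.append(token)
    return found


if __name__ == "__main__":
    # Constructed template fragment and untrusted values containing harmless markup.
    template = (
        "<p>Status: @SAMLSTATUS@</p>"
        "<p>Detail: @DETAIL@</p>"
        "<p>Extra: @EXAMPLE_MACRO4@</p>"
    )
    values = {
        "@SAMLSTATUS@": "<i>Responder</i>",
        "@DETAIL@": "<i>denied</i>",
        "@EXAMPLE_MACRO4@": "<i>unlisted</i>",
    }
    escaped = parse_escaped_tokens(HTML_ESCAPED_TOKENS)
    print(render_template(template, values, escaped))
    print("Macros not covered by the property:", unescaped_macros(template, escaped))
```

Running the audit helper over each template under the pages directory before and after editing the property gives a quick check that every macro that carries request-derived data is in the list; the renderer shows the difference directly, since only the listed tokens come out as `&lt;i&gt;...&lt;/i&gt;` while an unlisted one is emitted as raw markup.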

Possible security exposure with IBM WebSphere Application Server with WS-Security enabled applications using LTPA tokens (CVE-2011-1377)

The security that the IBM WebSphere Application Server provides might be weaker than expected when using web services security (WS-Security). A user might randomly gain elevated privileges on the provider system. WS-Security might assign the identity of a previously processed LTPA token to a new inbound LTPA token after authentication. This impacts applications using either JAX-WS or JAX-RPC.

Versions affected:

  • IBM WebSphere Application Server, all platforms, Versions 8.0 through 8.0.0.2, 7.0 through 7.0.0.21, and 6.1 through 6.1.0.41, 6.0.2 through 6.0.2.43.
  • IBM WebSphere Application Server Feature Pack for Web Services Versions 6.1.0.9 through 6.1.0.39.

The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the fix, access http://www.ibm.com/support/docview.wss?uid=swg21587536

Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.

Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed fix installation instructions.

Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476)

This security alert addresses a serious security issue: CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability might cause the Java Runtime Environment to hang, go into an infinite loop, and/or crash resulting in a denial of service exposure. The JRE might hang if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program using the Double.parseDouble method is also at risk of this exposure including any customer written application or third party written application.

The following products contain affected versions of the Java Runtime Environment:

  • IBM WebSphere Application Server Versions 7.0 through 7.0.0.13 for Distributed, i5/OS and z/OS operating systems.
  • IBM WebSphere Application Server Versions 6.1 through 6.1.0.35 for Distributed, i5/OS and z/OS operating systems.
  • IBM WebSphere Application Server Versions 6.0 through 6.0.2.43 for Distributed, i5/OS and z/OS operating systems.

The same iFix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the iFix access http://www.ibm.com/support/docview.wss?uid=swg21462019

Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.

Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.

JAVA.LANG.RUNTIMEEXCEPTION: SRV.8.2: REQUESTWRAPPER OBJECTS MUST EXTEND SERVLETREQUESTWRAPPER OR HTTPSERVLETREQUESTWRAPPER (PM10357)

This APAR PM10357 is reported for WebSphere Application Server (WAS) v6.1. As a result of this APAR, operations in the IBM Tivoli Federated Identity Manager Management Console can fail with the following exception observed in the log if the Management Console is deployed on an affected version of WAS v6.1:

java.lang.RuntimeException: SRV.8.2: RequestWrapper objects must extend ServletRequestWrapper or HttpServletRequestWrapper

Examples of operations that can fail include:

  • Importing a keystore file
  • Loading a mapping rule

Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.

The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager.

The IBM WebSphere Update Installer (WUI) must be used to apply the fix. If the WUI has not been previously installed, download the WUI from http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.


Fix pack contents and distribution

This fix pack package contains:

  • The fix pack zip file
  • This README.

This fix pack is distributed as an electronic download from the IBM Support Web Site.


Architecture

Software requirements for IBM Tivoli Federated Identity Manager version 6.2.1 can be found here.


Fix packs superseded by this fix pack

6.2.1-TIV-TFIM-FP0002

6.2.1-TIV-TFIM-FP0001


Fix pack structure

Federated Identity Manager consists of the following components that can be installed separately:

  • Administration console
  • Management service and runtime component
  • Web services security management (WSSM)
  • WS-provisioning runtime
  • Internet information services (IIS) Web plug-in
  • Apache/IBM HTTP Server Web plug-in
  • IBM Support Assistant plugin

This fix pack applies only to the administration console, management service and runtime component, and Web services security management (first three components listed above). These three components must be at the same level. For example, if you install a fix pack for the management service and runtime component, you must install the corresponding fix packs for the administration console and WSSM components.

If all three components are not at the same fix pack level, they are not guaranteed to interoperate with each other as designed.


APARs and defects fixed
Problems fixed by fix pack 6.2.1-TIV-TFIM-FP0004

The following problems are corrected by this fix pack. For more information about the APARs listed here, see the Tivoli Federated Identity Manager support site.

APAR IV08525


SYMPTOM: SLO fails when 2 Service Providers are authenticated using the same session index and both Service Provider federations are in the same Tivoli Federated Identity Manager domain.

APAR IV16022


SYMPTOM: Unable to customize the error page for the FBTSPS061E error. When this event occurs, there is no event mapping associated with it.

APAR IV19139


SYMPTOM: Federate this account link is generated as null?RelayState= in the federations.jsp (ivtapp) of the SAML 2.0 Identity Provider.

APAR IV20677


SYMPTOM: The STSUUSER principal does not match the incoming subject name id of the assertion when there is an existing WebSEAL session.

APAR IV26723


SYMPTOM: Unable to initialize Tivoli Common Auditing and Reporting Service (CARS) audit event handler plugin when the CARS webservice URL is a HTTPS endpoint. Tivoli Federated Identity Manager shows the error CBACE0800E The required initialization property "com.ibm.cars.events.emitter.ICARSEmitterProperties.trustStore" is missing. in the trace log.

APAR IV15299


SYMPTOM: Requests to Tivoli Federated Identity Manager's WSTrust 1.3 endpoint URL using the ?WSDL parameter to get the WSDL document results in subsequent SOAP services to fail.

APAR IV13427


SYMPTOM: Certain points of contact that use the external authentication interface do not recognize the identity of the user that is set by Tivoli Federated Identity Manager in the response HTTP header (typically, "am-fim-eai-user-id"), since these points of contact are not aware that Tivoli Federated Identity Manager URL-encodes this identity. Tivoli Federated Identity Manager should not URL-encode this identity.

APAR IV14481


SYMPTOM: The BASE64 encoded token generated by the IVCred STS module is split into multiple lines. This is not desirable in some cases.

APAR IV17522


SYMPTOM: No error message is reported when importing SAML 2.0 IDP or SP whose metadata contains Organization element with no OrganizationURL element.

APAR OA40188


SYMPTOM: The Tivoli Federated Identity Manager STS Kerberos STS module generates an ABEND when using the replay detection feature provided by the Kerberos Token Profile code embedded by Tivoli Federated Identity Manager.

APAR IV15425


SYMPTOM: The Tivoli Federated Identity Manager STS does not support the RequestType and KeyType elements on the RequestSecurityTokenResponse message. The RequestType value should be set to the value received on the request and the KeyType should be set on one of the values supported by WS-Trust based on an attribute in the STS universal structure.

APAR IV12418


SYMPTOM: The STS obtains the base security token for execution from either the base element on the RequestSecurityToken message or from the WS-Security tokens included on the soap headers. Tivoli Federated Identity Manager will take the first WS-Security token found on the soap header. After this modification the SAML STS modules will look for the appropriate token type included on the WS-Security headers when the change is enabled.

APAR IV26604


SYMPTOM: The Tivoli Federated Identity Manager Single Sign On protocol service (SPS) SAML 2.0 protocol implementation allows a customer to use the urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified name identifier for single sign on. By default, Tivoli Federated Identity Manager will treat a urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified name identifier as a urn:oasis:names:tc:SAML:2.0:nameid-format:persistent name identifier unless the default name identifier is set to another type like emailAddress. The Single Logout operation incorrectly queries the alias service if the urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified name identifier is used and the default name identifier is set to emailAddress.

APAR IV26606


SYMPTOM: The Tivoli Federated Identity Manager USC feature generates a validation email message that contains a link to complete the enrollment flow. That link is passed as a macro to the email template when generating the email. If customers want to modify the flow by changing the link location, they must edit the email template file to point elsewhere and must also add the nonce to the query string of that link. This is difficult to achieve because the nonce is not provided as a separate macro.

APAR IV26770


SYMPTOM: In the federation properties page in the Tivoli Federated Identity Manager Management Console, updating the default artifact resolution service unexpectedly updates the SOAP Endpoint URL value.

APAR IV26961


SYMPTOM: FIM is incorrectly processing SAML aliases with certain directory servers.

APAR IV26775


SYMPTOM: If an invalid clusterId is used when creating a domain using the Tivoli Federated Identity Manager CLI, the command succeeds but no runtime can be deployed.

APAR IV26776


SYMPTOM: All OpenID IP federations share the same Trusted Clients Manager instance.

APAR IV26777


SYMPTOM: In the scenario where an identity provider federation is created with Attribute Query enabled, if Attribute Query is disabled afterwards, adding a service provider partner still creates an Attribute Query chain.

APAR IV26804


SYMPTOM: The partner entity is not cleaned from feds.xml after removing a custom STS chain through console.

APAR IV26815


SYMPTOM: Multiple SAML 2.0 Attribute Query fixes.

APAR IV26817


SYMPTOM: Single Sign-On fails when feds.xml (partner section) contains empty value for the delegationmodule_active_delegate_id.

APAR IV26818


SYMPTOM: The activate operation in manageItfimPointOfContact CLI for WebSphere as Point of Contact does not behave correctly.

APAR IV26761


SYMPTOM: Unable to modify the encryption key transport algorithm for SAML 2.0 protocol.

APAR IV26960


SYMPTOM: The SAML 1.1 STS Token Module fails to populate the STSUU's Principal correctly when the inbound SAML Assertion contains an AuthenticationStatement with a type attribute that is set to something other than "saml:AuthenticationStatement".

APAR IV26819


SYMPTOM: The macro "@TOKEN:SPDisplayName@" in pages/C/saml20/consent_to_federate.html is incorrectly replaced with the macro "@TOKEN:SPProviderID@".

APAR IV17313


SYMPTOM: If Tivoli Federated Identity Manager is configured to generate IV Credential tokens without using pdacld and WebSEAL is configured to support failover, failover cookies do not work.

APAR IV26763


SYMPTOM: RelayState URL encoding and decoding in SAML 2.0 unsolicited SSO can only be configured at the global level. Support for federation and partner level configuration is required.

APAR IV26820


SYMPTOM: Installation of the Tivoli Federated Identity Manager fails with the following error message: javax.management.JMRuntimeException: ADMN0022E: Access is denied for the getPlatformVersion operation on Server MBean because of insufficient or empty credentials.

APAR IV26821


SYMPTOM: When connecting to an existing domain, the Point of Contact profile is reset to WebSEAL.

APAR IV24202


SYMPTOM: Tivoli Federated Identity Manager does not provide 2048 bit option as key size when generating certificate request or self-signed certificate through Management Console.

APAR IV26765


SYMPTOM:
1. When defining a text field in GUIXML, and setting its default value to a string containing a quotation mark, Tivoli Federated Identity Manager throws an exception when loading the GUIXML page saying that the XML is invalid.
2. In an STS module which has an 'init' page widget which has a multi-valued TextField, only the first value of the multiple values is displayed when viewing the module instance properties.

APAR IV26822


SYMPTOM: Update log traces in FSSO and STS.

APAR IV26825


SYMPTOM: Update deployment descriptor for the Tivoli Federated Identity Manager Management Console servlets.

APAR IV10813


SYMPTOM: Improve SAML Signature Conformance

APAR IV23430


SYMPTOM: Improve SAML signature conformance

APAR IV23442


SYMPTOM: Improve signature conformance

APAR IV23452


SYMPTOM: Improve OpenID signature conformance

APAR OA38176


SYMPTOM: NullPointerException is thrown when sending SAML 2.0 messages (e.g. Logout Request) with invalid IssueInstant attribute.

APAR IV24378


SYMPTOM: Improve XML Signature Conformance

Problems fixed by fix pack 6.2.1-TIV-TFIM-FP0002


APAR IV10793


SYMPTOM: Improve SAML Signature Conformance

APAR IV09511
SYMPTOM: The IBM Tivoli Federated Identity Manager SAML 2.0 SSO plugin will generate an "invalid_message_timestamp" error when it receives an AuthnRequest message with an IssueInstant whose fractional seconds part has more than three digits (a value higher than 999). The following is an example of a timestamp that generates the issue: "2011-07-01T13:30:50.830773Z".

APAR IV09216


SYMPTOM: Enabling and disabling RelayState URL encoding and decoding in SAML 2.0 unsolicited authentication response.

APAR IV07933


SYMPTOM: RelayState in the authentication request sent by the SAML 2.0 Service Provider into the Identity Provider is not available as query string parameter in the redirect URL to the custom login page.

APAR IV07716


SYMPTOM: Security update for TFIM Runtime.

APAR IV06369


SYMPTOM: Configuration information related to keystore is removed from kessjks.xml when SAML 1.1 or SAML 2.0 partner is added through CLI, no metadata file is specified in the response file or metadata file specified does not contain signing and encryption key, and keystore password provided is wrong.

APAR IV07706


SYMPTOM: The STSUniversalUser java class does not preserve attributes with empty values.

APAR IV01254


SYMPTOM: In cases where a SAML validation error occurs and there is no message detail, the error page handler throws a NullPointerException.

APAR IZ96105


SYMPTOM: The TFIM SPS fails to return the appropriate page template when an HTTP GET request does not specify the content encoding. Most browsers do not send the Content-Type: header with the charset value defined for GET requests.

APAR IZ94653


SYMPTOM: Ability for IVCRED STS Module to return error (default) or map to special user account for unauthenticated user token.

APAR IZ98683


SYMPTOM: ADD ADDITIONAL TRACES FOR FBTSPS061E ERROR.

APAR IZ98685


SYMPTOM: When no Format attribute for the NameIDPolicy element is found in the SAML 2.0 AuthnRequest message, the Identity Provider will treat the Format as "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent". The Identity Provider should instead refer to the "DefaultNameIDFormat" parameter configured for the Federation/Partner, which is what it does when the Format for the NameIDPolicy element in the AuthnRequest message is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".

APAR IZ92518


SYMPTOM: Error message FBT0ID0029E is returned by the OpenID Provider when the Relying Party sends an authentication request with Return To URL that matches the Realm URL. This problem happens when the Return To URL has path, and the Realm URL has no path.

APAR IZ92853


SYMPTOM: The Audit Event Handler of an Audit Client Profile cannot be changed into CARSAuditClientEventHandler using IBM Tivoli Federated Identity Manager Management Console. This causes the CARSAuditClientEventHandler setting to be not displayed in the Event Handler Setting tab in the Audit Client Profile Properties page. This also causes the Audit Client Profile Properties page to be reloaded when clicking the OK button in that page, but without saving the Audit Client Profile.

APAR IZ97199


SYMPTOM: ClassCastException is thrown when exporting a key from a keystore using the IBM Tivoli Federated Identity Manager Command Line. This problem happens when the parameter "exportPrivateKey" is not specified, or is specified with value "false". CommandException is thrown when exporting a key from a keystore using the IBM Tivoli Federated Identity Manager Command Line. This problem happens when the parameter "exportPrivateKey" is specified with no value, or is specified with value "true". ClassCastException is thrown when importing a keystore using the IBM Tivoli Federated Identity Manager Command Line. This problem happens when the parameter "trustedKeystore" is not specified, or is specified with value "false".

APAR IZ97766


SYMPTOM: ChainableRuntimeException is thrown when exporting a key from a keystore using the IBM Tivoli Federated Identity Manager Management Console. This problem happens if the IBM Tivoli Federated Identity Manager is deployed in certain WebSphere Application Server versions (e.g., WebSphere Application Server 7 Fix Pack 11).

APAR IV00810


SYMPTOM: String "???????? Web ??????!" is returned when accessing the URL http://hostname:9080/Info/InfoService using web browser. This problem might happen when the language of the browser is different from the language of the operating system where IBM Tivoli Federated Identity Manager Runtime is installed.

APAR IV01646


SYMPTOM: Error message FBTCON366E is displayed when importing JavaScript mapping rule using IBM Tivoli Federated Identity Manager Management Console. This problem happens when the mapping rule contains statements that throw exception.

APAR IV03152


SYMPTOM: Security update for IBM Tivoli Federated Identity Manager Runtime.

APAR IV07710


SYMPTOM: The IBM Tivoli Federated Identity Manager LTPA STS module support code is not thread safe. The code uses a static instance of a JDK class that is not thread safe, causing undetermined results while verifying or generating the LTPA token signature in environments with a high volume of transactions.

APAR IV07696


SYMPTOM: KERBEROS STS MODULE TO ENFORCE TOKEN ONE TIME USE.

APAR IV07684


SYMPTOM: The CBEXMLAuditEvent audit profile event handler is not setting the sequence number and global instance id on the audit records.

APAR IV07712


SYMPTOM: The IBM Tivoli Federated Identity Manager generates a NullPointerException when the SAMLResponse received from the Identity Provider does not include a Issuer value though the Issuer value is included in the assertion.

APAR IV07708


SYMPTOM: The SAML 2.0 SPS Module is setting the Destination attribute on the LogoutResponse message when the request is received through the SOAP binding at the Identity Provider and there is more than one service provider session that was authenticated based on the Identity Provider session. The Destination field might have the URL of an incorrect partner that is not the one that sent the LogoutRequest.

APAR IV07694


SYMPTOM: SAML 2.0 STS Module fails to validate the subject confirmation method correctly when the assertion is received as part of the SAML 2.0 Single Sign On operation. The specification requires that an assertion that is generated as part of a Single Sign On flow should at least include one of the subject confirmation methods of value urn:oasis:names:tc:SAML:2.0:cm:bearer.

APAR IV07713


SYMPTOM: The SAML 2.0 SPS module, during a Single Logout operation on Service Provider side, invokes the alias service even if the email name id format was used to single sign on the user. While the Single Logout Operation is successful, an error is included on the logs though the alias operation is not required.

APAR IV07704


SYMPTOM: In the 'Configure Key Service' -> 'Hardware Cryptographic Device' panel in the TFIM Management Console, the checkbox for 'Use hardware cryptographic device' does not remain selected 2-3 seconds after it is selected.

APAR IV07689


SYMPTOM: LDAP ALIASES NOT DELETED FOR SAML 20 DEFEDERATE OPERATION

APAR IZ95850


SYMPTOM: TFIM Management Service and Runtime fail to start on WAS 6.0.2. The following is observed in the logs: javax.management.MBeanException: null nested exception is javax.management.ServiceNotFoundException: Cannot find ModelMBeanOperationInfo for operation getInternalClassAccessMode

APAR IV07705


SYMPTOM: The STSMapDefault module in the sts.modules package allows the following global variables to be available to Javascript mapping rules: - stsuu (The STSUniversalUser), - stsrequest (the entire STSRequest object), and - stsresponse (the entire STSResponse object). The validation of the javascript fails if the javascript mapping rule references stsrequest and/or stsresponse.

APAR IV07701


SYMPTOM: When the Format attribute for the NameID element in the SAML 2.0 Assertion is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", the Service Provider treats the Format as "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent". The Service Provider must instead refer to the "DefaultNameIDFormat" parameter configured for the Federation/Partner.

APAR IV03083


SYMPTOM: Provider ID and assertion consumer service URL of an existing partner of a SAML2 federation are not updated after changing the partner using a response file through the command modifyItfimPartner with the operation 'modify'.

APAR IV00695


SYMPTOM: When TFIM is deployed on eWAS, and USC (User Self Care) is configured, USC operations enrollment, forgotten ID and forgotten password fail with the exception that an object cache instance (e.g. itfim/distributedmaps/usc_accountcreate) cannot be fetched.

APAR IV07690


SYMPTOM: WS-Federation 1.1 Passive profile SignOut operation fails when Identity Provider is using WebSEAL as POC.

APAR IV07681


SYMPTOM: When adding a SAML2.0 Identity Provider federation as a partner to a Service Provider federation through CLI, although signing key identifier is specified, a "FBTADM072E A key with alias 'null' was not found in the keystore ''" appears and prevents the user from adding the partner.

APAR IV06765


SYMPTOM: Property doIntrospection of STS chain mapping is set to false after updating the STS chain mapping by using the CLI.

APAR IV07683


SYMPTOM: The value of the attribute "IsDefault" of all assertion consumer services of the SAML 2.0 Service Provider partner is changed to "true" after clicking the OK or Apply button in the Partner Properties page in the IBM Tivoli Federated Identity Manager Management Console.

APAR IV03048


SYMPTOM: Security update for the IBM Tivoli Federated Identity Manager Management Console.

APAR IV03050


SYMPTOM: Security update for the IBM Tivoli Federated Identity Manager Management Console.

APAR IV03038


SYMPTOM: Security update for the IBM Tivoli Federated Identity Manager Runtime.

APAR IV05549


SYMPTOM: An HTML page, instead of a SOAP Fault, is returned as a response when sending Request Security Token SOAP request to SAML 1.1 Artifact Service endpoint. This problem happens when the request has invalid "Issuer" or "AppliesTo".

APAR IV07725


SYMPTOM: Duplicate STS chain mappings are created when adding a SAML 2.0 Service Provider as a partner. This problem happens if the metadata of the Service Provider contains at least three distinct assertion consumer services with at least three distinct URLs.

APAR IV07714


SYMPTOM: Mapping from single logout URL to protocol is deleted from the configuration file after clicking the OK or Apply button in the Federation Properties page in Tivoli Federated Identity Manager Management Console. This problem happens if the single logout bindings that are enabled are only HTTP-Redirect and SOAP. The missing mapping causes single logout operation to fail.

APAR IV07700


SYMPTOM: ClassCastException is thrown when adding or modifying LDAP host using the IBM Tivoli Federated Identity Manager Command Line. This problem happens if the parameter "hostPort" is 389, or the parameter "minConnections" is 2, or the parameter "maxConnections" is 10, or the parameter "hostOrder" is -1.

APAR IV07715


SYMPTOM: Security update for IBM Tivoli Federated Identity Manager Runtime.


Problems fixed by fix pack 6.2.1-TIV-TFIM-FP0001

APAR IZ91383


SYMPTOM: SECURENONCEGENERATOR NOT READING THE RIGHT AMOUNT OF TIME BYTES

APAR IZ91412


SYMPTOM: PASSWORDS NOT OBSCURED IN TRACE

APAR IZ86962


SYMPTOM: TFIMCFG TOOL FAILS WHEN FIPS IS ENABLED.

Internal defect 101608


SYMPTOM: Several USC operations are very slow. These include: user ID existence check, enrollment and password recovery.

APAR IZ91342


SYMPTOM: TAM AUTHORIZATION MODULE DOES NOT WORK WITH FEDERATION SCENARIO

APAR IZ91348


SYMPTOM: NPE TRYING TO LOAD CONFIG INSTANCE IN TDI MAPPING RULE.

APAR IZ91413


SYMPTOM: CONSOLE WILL NOT SHOW LIST OF KEYS ON WEBSPHERE 7.0.0.11.

APAR IZ91349


SYMPTOM: SAML1.1 ARTIFACT RESOLUTION FAILURE NEEDS ERROR INFO IN MSG.

Internal defect 100956


SYMPTOM: NPE MODIFYING XSLT MAP MODULE IN CUSTOM TRUST CHAIN

APAR IZ91350


SYMPTOM: Missing InResponseTo attribute in samlp:Response error responses.

Internal defect 102832


SYMPTOM: DEFAULT NAMEID FORMAT NOT WORKING WHEN NO CLAIMS PASSED.

Internal defect 102551


SYMPTOM: OPENID AUTHENTICATION WITH HTML DISCOVERY FAILS.

Internal defect 101623


SYMPTOM: NPE in console editing mapping rule.

APAR IZ91352


SYMPTOM: FEDERATION PARTNER UPDATE MODIFIES NON-ZERO ACS URL INDEX.

Internal defect 100942


SYMPTOM: Reverse migration fails if the user's TAM LDAP DN is more than one search level below the LDAP suffix where they reside.

APAR IZ91414


SYMPTOM: XML PARSING OF INCOMING SAML MESSAGE FAILS WHEN MACHINE LOCALE IS NOT UTF8-COMPATIBLE AND UTF-8 EXTENDED CHARACTERS APPEAR IN MSG.

APAR IZ91343


SYMPTOM: STATE INFORMATION IN SOME FEDERATION PROTOCOLS INVALID.

APAR IZ91344


SYMPTOM: PROVIDER NAME NEEDS TO BE PART OF THE AUTHENTICATION REQUEST.

APAR IZ91347


SYMPTOM: NULL EXCEPTION OCCURS DURING CLAIMS PROCESSING.

APAR IZ91258


SYMPTOM: The Management Console fixpack installation appears to complete successfully but the console does not operate correctly.

APAR IZ91415


SYMPTOM: SAML 2.0 BEARER SUBJECT CONFIRMATION DATA PROCESSING NOT CONFORMANT.

Internal defect 102886


SYMPTOM: TFIMCFG TOOL FAILS WHEN FIPS IS ENABLED.

APAR IZ91355


SYMPTOM: TDI STS MAP MODULE FAILS TO CACHE CORRECTLY CONFIG INFO

Internal defect 102057


SYMPTOM: STS LTPA TOKEN MODULE READING THE EXPIRATION DATE INCORRECTLY

APAR IZ91356


SYMPTOM: SAML STS MODULES CALCULATES WRONG VALIDITY PERIOD OF ASSERTION.

APAR IZ91357


SYMPTOM: UNABLE TO MODIFY SIGNATURE POLICY SETTINGS FOR SAML 2.0 PARTNER

APAR IZ91358


SYMPTOM: SAML20 SSO FAILS TO DETECT FATAL ERRORS WHILE READING ALIAS

APAR IZ91359


SYMPTOM: NON XML RESPONSE FOR BAD SAML 2.0 AUTHNREQUEST

APAR IZ81005


SYMPTOM: FIM CONSOLE FAILS TO DISPLAY SAML2 PROPS PAGE IF NO ARTIFACT

Internal defect 102887


SYMPTOM: Attribute Query request messages are not reporting timestamp validation errors.

APAR IZ91416


SYMPTOM: Tivoli Federated Identity Manager SAML 2.0 metadata is not properly formatted when TFIM is running on the latest versions of the WebSphere Application Server.

APAR IZ91419


SYMPTOM: SAML 2.0 STS MODULE NOT READING THE DEFAULT NAMEID FORMAT PARAM.

APAR IZ91417


SYMPTOM: TFIM FAILS TO LOAD SAML METADATA WITH ENTITIES DESCRIPTOR

APAR IZ84999


SYMPTOM: Some of Tivoli Federated Identity Manager Console portlet pages cannot be displayed when it is installed in WAS 7 FP 11.

APAR IZ91360


SYMPTOM: FIM CONSOLE INSTALL SHOULD SET JACL LANG WHEN CALLING WSADMIN

APAR IZ91418


SYMPTOM: For a WS-Trust v1.3 request, FIM Security Token Service returns a response with multiple status codes, some of which contain WS-Trust v1.2 URI values.

Internal defect 100723


SYMPTOM: New domain created in 6.2.1 does not have all custom properties. Namely ADMIN.validateFederationName and STS.showUSCChains are missing.

Internal defect 102338


SYMPTOM: CLI throws a StringIndexOutOfBoundsException when adding a SAML 2.0 service provider partner to a SAML 2.0 federation.

Internal defect 102339


SYMPTOM: ClassCastException is thrown when configuring LDAP alias service using Tivoli Federated Identity Manager Command Line. This problem happens if at least one LDAP server exists in the system.

APAR IZ91351


SYMPTOM: Tivoli Federated Identity Manager documentation listed Oracle Database as a supported store for the Tivoli Federated Identity Manager alias service, but attempts to use Oracle displayed errors.

Internal defect IV07711


SYMPTOM: Tivoli Federated Identity Manager Configuration Guide does not describe the steps to enable certificate revocation list checking for certificates that are used for XML message signing, verification, encryption, and decryption.

Prerequisites

You must have the following software installed in order to install this fix pack:

  • Federated Identity Manager 6.2.1 and its prerequisites
  • WebSphere Update Installer version 7.0.0.0 (see Update Installer below.)

Installation Instructions

Be aware of the following considerations before installing this fix pack:

Installation path specification for the Windows Server 2008 platform


This preinstallation item applies only to installations on a 64-bit Windows platform like Windows Server 2008.

Since Federated Identity Manager is a 32-bit application, its default path when installing on Windows Server 2008 changes from

C:\Program Files\IBM\FIM

to:

C:\Program Files (x86)\IBM\FIM

NOTE: This change to the installation path name also affects a 32-bit WebSphere Application Server on Windows Server 2008:

C:\Program Files\IBM\WebSphere

changes to:

C:\Program Files (x86)\IBM\WebSphere

Update Installer


This fix pack requires the use of the WebSphere Update Installer version 7.0.0.0. Ensure that you have installed the correct version of the WebSphere Update Installer on each computer where you will install the fix pack. You can download the WebSphere Update Installer version 7.0.0.0 from the WebSphere Application Server Update Installer Web site. Installation instructions are on the download page.

Fix pack packaging


This Tivoli Federated Identity Manager 6.2.1-TIV-TFIM-FP0004 patch package is provided on the Tivoli Support Web site as a single downloadable zip file for each supported platform. After you select the package that is appropriate for the target platform, download the package and unzip the contents into a target directory, typically the default WebSphere Update Installer directory, either

C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance

for Windows or

/opt/IBM/WebSphere/UpdateInstaller/maintenance

for Unix/Linux

You must unzip the downloaded file before you attempt to apply the patch. The unzipped contents are one or more pak files. Each pak file corresponds to one or more product components. For example, a fix pack might contain two pak files: one for the administration console and management service and runtime components, and one for the WSSM component. The full list of product components is described in Fix pack structure.

Use WebSphere Update Installer to apply the fixes of each pak file to the target component on the system that you are updating. Apply all of the pak files that are required by your installation to ensure that the software levels in your environment are identical for all of the components for which a pak file is supplied. The fixes are tested against all affected components together; therefore, to minimize any issue that can arise from applying a partial fix, ensure that you apply the complete set of files. See Installing the fix pack for specific instructions on using Update Installer to apply the fixes.

Automatic creation of a backup directory


The Update Installer saves backup copies of the files that it replaces during the installation. You do not need to manually backup the Federated Identity Manager files.

Installing the fix pack

NOTE: Before installing this fix pack, ensure that you have reviewed the Prerequisites and the considerations listed under Installation Instructions above.



Downloading the fix pack

To obtain the fix pack:


1. Go to the IBM Tivoli Federated Identity Manager Support Web site.
2. Click Download. The fix pack (6.2.1-TIV-TFIM-FP0004) should be listed under Latest by date. If you do not see this fix pack listed, enter "6.2.1-TIV-TFIM-FP0004" in the Search field to access the link to the download window.
3. In the fix pack download window, scroll to the bottom of the window to view a listing of the download packages by platform.
4. Select the platform that corresponds to the target platform where you will apply the fixes. To ensure a secure download, you can select the DD (Download Director) option. If you have not used Download Director before, you must configure your browser to use Java security. Click What is DD? for configuration instructions.

NOTE: For z/OS platform, please contact IBM Support to obtain the fix pack.

Setting the WebSphere security passwords

If security is enabled on the WebSphere Application Server where Federated Identity Manager is installed, you must set the appropriate password values in the fim.appservers.properties file before you can apply the fix pack.

If security is not enabled, you can skip this step.

NOTE: When you add passwords to the fim.appservers.properties file, as described below, specify them in plain text. At the end of the fix pack installation process these passwords are obfuscated and are no longer available in plain text. Obfuscation is not encryption, so restrict read access to fim.appservers.properties to the user that runs the installation (for example, mode 600 on UNIX) both while the file holds plain-text passwords and after they are obfuscated.

To specify security passwords, use the following procedure:


1. Using a text editor, open the file FIM_INSTALL_DIR/etc/fim.appservers.properties.
2. If the was.security.enabled property is present in the fim.appservers.properties file and is set to true, you must add two password properties to the file:
  • the was.admin.user.pwd property, with the administrator login password for the WebSphere Application Server where Federated Identity Manager is deployed
  • the was.truststore.pwd property, with the password for the trust store used for client-side SSL authentication in that WebSphere Application Server
For example:
  • was.admin.user.pwd=was_admin_pw
  • was.truststore.pwd=truststore_pw
3. If the ewas.security.enabled property is present in the fim.appservers.properties file and is set to true, you must add two password properties to the file:
  • the ewas.admin.user.pwd property, with the administrator login password for the Embedded WebSphere Application Server where Federated Identity Manager is deployed
  • the ewas.truststore.pwd property, with the password for the trust store used for client-side SSL authentication in that Embedded WebSphere Application Server
For example:
  • ewas.admin.user.pwd=ewas_admin_pw
  • ewas.truststore.pwd=truststore_pw
4. Save and close the fim.appservers.properties file.

Applying the fix pack
1. Unzip the file you downloaded in Downloading the fix pack, preferably into the default WebSphere Update Installer maintenance directory:

C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance

for Windows, or

/opt/IBM/WebSphere/UpdateInstaller/maintenance

for Unix/Linux.


2. Ensure that the WebSphere Application Server that hosts the Federated Identity Manager runtime and management service component is running.
3. Ensure that the WebSphere Application Server that hosts the Federated Identity Manager console component is running.
4. Start the appropriate WebSphere Update Installer (typically located in C:\Program Files\IBM\WebSphere\UpdateInstaller on Windows systems, or in /opt/IBM/WebSphere/UpdateInstaller on UNIX-based systems).
5. In the Welcome window click Next. Federated Identity Manager will not be listed, but is supported.
6. Specify the path to the installation directory for Federated Identity Manager (typically C:\Program Files\IBM\FIM on Windows systems, or /opt/IBM/FIM on UNIX-based systems), then click Next.
7. Select Install maintenance in the dialog.
8. Specify the path where the fix pack (.pak) files were unzipped. The Update Installer automatically detects, enables, and displays the FIM fixes (pak files).
9. Determine which product components are installed on the system that you are updating. Install only the pak files that correspond to the components on the target system. To determine the names and version levels of the installed product components, view the contents of the FIM_INSTALL_DIR/etc/version.properties file with a text editor. The following list describes how to interpret the properties in the version.properties file:

itfim.build.version.rte-mgmtsvcs=version
Specifies that the management service and runtime component is installed at the level specified by version.
itfim.build.version.mgmtcon=version
Specifies that the administration console component is installed at the level specified by version.
itfim.build.version.wsprov=version
Specifies that the WS-provisioning runtime component is installed at the level specified by version.
itfim.build.version.wssm=version
Specifies that the Web services security management (WSSM) component is installed at the level specified by version.
itfim.build.version.fimpi=version
Specifies that the Web plug-in (either the Internet Information Services (IIS) Web plug-in or the Apache/IBM HTTP Server Web plug-in) is installed at the level specified by version.

Apply the fix packs to the product's components in the following order:


1. Management service and runtime, and administration console
2. Other components

NOTE: If a domain is not created before application of Tivoli Federated Identity Manager fix pack, the fix pack installation completes successfully with a "Partially Successful" message.


10. Compare the list of installed components to the list of pak files in the WebSphere Update Installer and select the pak files that correspond to the installed components, then click Next.

NOTE: The WebSphere Update Installer allows you to select more than one pak file at a time for execution. Select only the pak files that correspond to the components that are installed on the system you are updating. If you accidentally install more pak files than are needed, you can separately uninstall any fix packs for components that are not installed on the target system.


11. If needed (for example, if you must install multiple pak files on the target system, and you only installed one pak file), repeat the previous step to install any additional pak files on the target system.
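The following shell script is an added pre-flight check for the Setting the WebSphere security passwords procedure and for step 9 above; it is example code written for this page, not part of the fix pack or of IBM's tooling. It reads FIM_INSTALL_DIR/etc/version.properties to list which components are installed (and therefore which pak files to select), and verifies that FIM_INSTALL_DIR/etc/fim.appservers.properties carries the two password properties for each server whose security.enabled flag is true, warning when that file is readable by other users while it holds plain-text passwords. It assumes FIM_INSTALL_DIR is passed as the first argument; without an argument it runs against constructed sample files, not a real installation.

```shell
#!/bin/sh
# Added pre-flight check for the fix pack procedure above (example code, not IBM tooling).
# Assumptions: the two files read are FIM_INSTALL_DIR/etc/version.properties and
# FIM_INSTALL_DIR/etc/fim.appservers.properties, both using '=' as separator;
# FIM_INSTALL_DIR may be passed as $1, otherwise constructed sample files are used.

# prop_value FILE KEY: print the value of KEY from a Java .properties file (empty if absent).
prop_value() {
  awk -v k="$2" '
    /^[ \t]*[#!]/ { next }                       # skip comment lines
    { i = index($0, "=") }
    i > 0 {
      key = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
      if (key == k) {
        val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        print val; exit
      }
    }' "$1"
}

# component_name KEY: describe a version.properties key as in the README list (step 9).
component_name() {
  case $1 in
    rte-mgmtsvcs) echo "management service and runtime" ;;
    mgmtcon)      echo "administration console" ;;
    wsprov)       echo "WS-provisioning runtime" ;;
    wssm)         echo "Web services security management (WSSM)" ;;
    fimpi)        echo "Web plug-in (IIS or Apache/IBM HTTP Server)" ;;
    *)            echo "unknown component" ;;
  esac
}

# installed_components VERSION_FILE: one line per installed component, "KEY VERSION DESCRIPTION".
# Only the pak files for the keys printed here should be selected in Update Installer.
installed_components() {
  for key in rte-mgmtsvcs mgmtcon wsprov wssm fimpi; do
    v=$(prop_value "$1" "itfim.build.version.$key")
    [ -n "$v" ] && echo "$key $v $(component_name "$key")"
  done
  return 0
}

# check_security_passwords APPSERVERS_FILE: for each server prefix (was, ewas) with
# <prefix>.security.enabled=true, require <prefix>.admin.user.pwd and <prefix>.truststore.pwd.
# Prints each missing property; returns 0 only when nothing is missing.
check_security_passwords() {
  missing=0
  for prefix in was ewas; do
    [ "$(prop_value "$1" "$prefix.security.enabled")" = "true" ] || continue
    for p in admin.user.pwd truststore.pwd; do
      if [ -z "$(prop_value "$1" "$prefix.$p")" ]; then
        echo "missing: $prefix.$p"
        missing=$((missing + 1))
      fi
    done
  done
  [ "$missing" -eq 0 ]
}

# world_readable FILE: returns 0 if "other" has read permission. While fim.appservers.properties
# holds plain-text passwords it should be readable only by the installing user (chmod 600).
world_readable() {
  [ -n "$(find "$1" -perm -004 2>/dev/null)" ]
}

# Demonstration: a real FIM_INSTALL_DIR as $1, otherwise constructed sample files (not real data).
if [ -n "${1:-}" ]; then
  etc_dir=$1/etc; cleanup=
else
  etc_dir=$(mktemp -d); cleanup=$etc_dir
  printf '%s\n' 'itfim.build.version.rte-mgmtsvcs=6.2.1.3' 'itfim.build.version.mgmtcon=6.2.1.3' \
    > "$etc_dir/version.properties"
  printf '%s\n' 'was.security.enabled=true' 'was.admin.user.pwd=was_admin_pw' \
    'ewas.security.enabled=false' > "$etc_dir/fim.appservers.properties"
fi
echo "Installed components (select only these pak files):"
installed_components "$etc_dir/version.properties"
if check_security_passwords "$etc_dir/fim.appservers.properties"; then
  echo "fim.appservers.properties: required password properties present"
else
  echo "fim.appservers.properties: add the properties above before running Update Installer"
fi
if world_readable "$etc_dir/fim.appservers.properties"; then
  echo "warning: fim.appservers.properties is world-readable; chmod 600 it"
fi
if [ -n "$cleanup" ]; then rm -rf "$cleanup"; fi
```

Run it as `sh fim-preflight.sh /opt/IBM/FIM` (the script name is arbitrary) on each node before starting Update Installer; with the constructed sample it reports the two installed components and flags was.truststore.pwd as missing.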

Deploying the fix pack runtime component

After you install the fix pack, you must redeploy the Tivoli Federated Identity Manager runtime. This task is identical to the deployment task you completed after the initial installation of the management service and runtime components. In a WebSphere cluster environment, you must ensure that the new runtime component is deployed to each WebSphere node.

The initial deployment steps are described in Creating and deploying a new domain in the Installation and Configuration Guide. The specific instructions for deploying the runtime begin in step 16.

NOTES:

  • You do not have to re-configure the runtime into Tivoli Access Manager. The Tivoli Access Manager configuration is retained when the fix pack is applied.
  • During redeployment of the runtime in a cluster environment, you might receive errors, such as, "ClassNotFoundException" in the WebSphere SystemOut.log files. Any such errors should stop after you restart the cluster.

Use the following procedure to deploy the updated Federated Identity Manager runtime:
1. Log in to the administration console.
2. Select Domain Management -> Runtime Node Management.
3. Ensure that the new runtime (version 6.2.1.4) is displayed as available, then click Deploy Runtime.
4. Wait for the deployment to finish by selecting Click to refresh runtime deployment status and check for completion...
5. If the domain was not created before application of Tivoli Federated Identity Manager fix pack, click Publish Plug-ins.
6. Verify that the currently deployed version is now 6.2.1.4 as follows:
1. Navigate to the Runtime Node Management window.
2. Look in the Runtime Management section of the Runtime Nodes portlet in the right panel and review the runtime information.

Example:

Runtime Information
----------------------------------------------
Current deployed version 6.2.1.4 [101018a]

NOTE: The number in the brackets [101018a] might be different from this example.


7. Repeat the previous step for each node in a WebSphere cluster environment.

Then, restart the ITFIMManagementService.


Restarting the ITFIMManagementService
1. Log in to the Integrated Solutions Console.
2. Select Applications -> WebSphere enterprise applications.
3. Select ITFIMManagementService from the Enterprise Applications list.
4. Click Stop.
5. Select ITFIMManagementService in the Enterprise Applications list.
6. Click Start.

Publishing the fix pack plug-ins to the runtime and reloading the configuration

After you install the fix pack and redeploy the Tivoli Federated Identity Manager runtime you must re-publish the plug-ins to the runtime and reload the configuration.

Use the following procedure to re-publish the plug-ins:


1. Log in to the administration console.
2. Select Domain Management -> Runtime Node Management.
3. Click Publish Plug-ins.
4. After the plug-ins are published, reload the runtime configuration.

README: 6.2.1-TIV-TFIM-FP0004.README-notoc.html (English, 11111 bytes), available from Fix Central: http://www.ibm.com/support/fixcentral/quickorder?product=ibm/Tivoli/IBM+Tivoli+Federated+Identity+Manager&release=All&platform=All&function=fixId&fixids=6.2.1-TIV-TFIM-FP0004&includeSupersedes=0

Download Package

Fix pack packages (each dated 03 Sep 2012, English, 111705091 bytes):

  • 6.2.1-TIV-TFIM-FP0004-AIX (AIX)
  • 6.2.1-TIV-TFIM-FP0004-Linux (Linux)
  • 6.2.1-TIV-TFIM-FP0004-Solaris (Solaris)
  • 6.2.1-TIV-TFIM-FP0004-Windows (Windows)
  • 6.2.1-TIV-TFIM-FP0004-ZOS (z/OS)
  • 6.2.1-TIV-TFIM-FP0004-HPUX (HP-UX)

All packages are available from Fix Central: http://www.ibm.com/support/fixcentral/quickorder?product=ibm/Tivoli/IBM+Tivoli+Federated+Identity+Manager&release=All&platform=All&function=fixId&fixids=6.2.1-TIV-TFIM-FP0004&includeSupersedes=0

Product: Tivoli Federated Identity Manager (SSZSXU), Version 6.2.1; Business Unit: Security; Line of Business: Security Software; Component: Not Applicable; Platforms: AIX, Linux, Solaris, Windows, z/OS, HP-UX.

Problems (APARS) fixed
IV08525;IV16022;IV19139;IV20677;IV26723;IV15299;IV13427;IV14481;IV17522;OA40188;IV15425;IV12418;IV26604;IV26606;IV26770;IV26961;IV26775;IV26776;IV26777;IV26804;IV26815;IV26817;IV26818;IV26761;IV26960;IV26819;IV17313;IV26763;IV26820;IV26821;IV24202;IV26765;IV26822;IV26825;IV10813;IV23430;IV23442;IV23452;OA38176;IV24378;IV10793;IV09511;IV09216;IV07933;IV07716;IV06369;IV07706;IV01254;IZ96105;IZ94653;IZ98683;IZ98685;IZ92518;IZ92853;IZ97199;IZ97766;IV00810;IV01646;IV03152;IV07710;IV07696;IV07684;IV07712;IV07708;IV07694;IV07713;IV07704;IV07689;IZ95850;IV07705;IV07701;IV03083;IV00695;IV07690;IV07681;IV06765;IV07683;IV03048;IV03050;IV03038;IV05549;IV07725;IV07714;IV07700;IV07715;IZ91383;IZ91412;IZ86962;IZ91342;IZ91348;IZ91413;IZ91349;IZ91350;IZ91352;IZ91414;IZ91343;IZ91344;IZ91347;IZ91258;IZ91415;IZ91355;IZ91356;IZ91357;IZ91358;IZ91359;IZ81005;IZ91416;IZ91419;IZ91417;IZ84999;IZ91360;IZ91418;IZ91351

Document Information

Modified date:
15 June 2018

UID

swg24032885