IBM Support

Tivoli Access Manager for e-Business WebSEAL, Patch 6.1.0-ISS-AWS-IF0010

Download


Abstract

This is a General Availability (GA) patch containing all the fixes since the release of IBM Tivoli Access Manager for e-Business 6.1.0 (WebSEAL)

Download Description

1.0 ABOUT THIS PATCH

--------------------
This patch package contains fixes for problems in the various components that
comprise the Tivoli Access Manager WebSEAL software.


1.1 Patch contents

This patch package contains:

- This README file
- Updated patch packaging for Tivoli Access Manager WebSEAL software.


1.2 Architectures

This patch package applies to the following architectures:


Platform Patch
------------ --------------------------------------------

Note: Tivoli Access Manager components for AIX are supported on
32-bit and 64-bit kernels in 32-bit compatibility mode.

AIX 5.2 - AIX Technology Level (TL) 5200-08 or above
- AIX Service Pack (SP) 5200-08-2 or above

AIX 5.3 - AIX Technology Level (TL) 5300-04 or above
- AIX Service Pack (SP) 5200-08-2 or above

AIX 6.1 - none
AIX 6.1 WPAR - none
AIX 7.1 - none
AIX 7.1 WPAR - none

________________________________________________________________________

HP-UX

The following patches are required for HP-UX.

11iv2 (B.11.23)

PA-RISC

- PHSS_33449
- PHSS_33450
- PHSS_33405


Integrity

- PHSS_34859
- PHSS_35978

11iv3 (B.11.31)

PA-RISC

- PHSS_33449
- PHSS_33450
- PHSS_33405


Integrity

- PHSS_34859
- PHSS_35978

________________________________________________________________________


Note: Tivoli Access Manager components for Solaris on x86-64 architecture are
supported on 64-bit AMD64 systems.


Solaris 9

SunSparc - Recommended Patch Cluster of Dec 2007

Solaris 10

SunSparc
Global/Local Zones - Recommended Patch Cluster of Dec 2007

x86-64
Global/Local Zones - none



________________________________________________________________________


Note: Tivoli Access Manager components for Linux on x86-64 architecture are
supported on 64-bit AMD64/EM64T systems.


Red Hat Enterprise
Linux Server 4.0
x86 and x86-64 - Update 5

Red Hat Enterprise
Linux Server 5.0
x86 and x86-64 - none


SUSE Linux
Enterprise Server 9
x86 and x86-64 - Service Pack 2

SUSE Linux
Enterprise Server 10
x86 and x86-64 - none

SUSE Linux
Enterprise Server 11
x86 and x86-64 - none


________________________________________________________________________


Note: Tivoli Access Manager components for Linux on zSeries are supported on
64-bit kernels in 31-bit compatibility mode.

Red Hat Enterprise
Linux Server 4.0
(zSeries) - Update 5 or above
compat-libstdc++-295-2.95.3-81.s390.rpm or higher version
compat-libstdc++-295-2.95.3-81.s390x.rpm or higher version
compat-libstdc++-33-3.2.3-47.3.s390.rpm or higher version
compat-libstdc++-33-3.2.3-47.3.s390x.rpm or higher version

Red Hat Enterprise
Linux Server 5.0
(zSeries) - compat-libstdc++-295-2.95.3-81.s390.rpm or higher version
compat-libstdc++-295-2.95.3-81.s390x.rpm or higher version
compat-libstdc++-33-3.2.3-47.3.s390.rpm or higher version
compat-libstdc++-33-3.2.3-47.3.s390x.rpm or higher version

SUSE Linux
Enterprise Server 9
(zSeries) - Service Pack 3 or above
compat-2004.7.1-1.2.s390x.rpm or higher version
compat-32bit-9-200407011411.s390x.rpm or higher version

SUSE Linux
Enterprise Server 10
(zSeries) - compat-2006.1.25-11.2.s390x.rpm or higher version
compat-32bit-2006.1.25-11.2.s390x.rpm or higher version

SUSE Linux
Enterprise Server 11
(zSeries) - none


________________________________________________________________________


Note: Tivoli Access Manager components for Linux on POWER are supported on
64-bit kernels in 32-bit compatibility mode.


Red Hat Enterprise
Linux Server 4.0
(POWER) - Update 5 or above

Red Hat Enterprise
Linux Server 5.0
(POWER) - none

SUSE Linux
Enterprise Server 9
(POWER) - Service Pack 1

SUSE Linux
Enterprise Server 10
(POWER) - none

SUSE Linux
Enterprise Server 11
(POWER) - none


________________________________________________________________________


Note: Tivoli Access Manager components for Windows Servers are supported
on AMD64/EM64T systems with 64-bit kernels in 32-bit compatibility mode.


Windows Server 2003
Standard & Enterprise Edition
x86 - Service Pack 2

Windows Server 2003
Standard and Enterprise Edition
x86-64 - Service Pack 2

Windows Server 2008
Standard & Enterprise Edition
x86 - none

Windows Server 2008
Standard and Enterprise Edition
x86-64 - none

Windows Server 2008
R2 Server
x86-64 - none


________________________________________________________________________

Note: Tivoli Access Manager components for Windows Clients are supported
on AMD64/EM64T systems with 64-bit kernels in 32-bit compatibility mode.

Windows XP
(x86) - Professional version Service Pack 2

Windows Vista
x86 & x86-64 - none



Notes:
None


_______________________________________________________________________

Virtualized Environments:

z/VM 6.1 on System z10 Processor TAM610 Fix Pack 04
Resource/Systems Manager

AIX 6.1 on POWER7 PowerVM TAM610 Fix Pack 04
for both POWER7 mode and
POWER6 compatibility mode
(Requires upgrade to ITDS 6.1
Fixpack 5 for POWER7 mode)

Red Hat Enterprise Linux Server TAM610 Fix Pack 04
5.0 Update 4 x86 on
Red Hat Enterprise Linux Server
5.0 Update 4 with
Kernel-Based Virtual Machine
(KVM) Hypervisor

Windows Server 2003 Service Pack 2 TAM610 Fix Pack 04
Standard & Enterprise Edition x86,
Windows Server 2008
Standard & Enterprise Edition x86,
Red Hat Enterprise Linux Server
4.0 Update 5 x86,
Red Hat Enterprise Linux Server
5.0 x86
on VMWare ESX and ESXi 4.0

________________________________________________________________________

Additional Certifications:

Windows Server 2008/2003 Active Directory TAM610 Fix Pack 05
(Mixed Mode)

ITDS 6.3 (server Only) TAM610 Fix Pack 05

AIX 7.1 on Power 7 System TAM610 Fix Pack 05

IBM Lotus Domino 8.5 Server TAM610 Fix Pack 02

Oracle Directory Server TAM610 Fix Pack 05
Enterprise Edition 7.0 (DSEE 7.0)

Windows Server 2008 Active Directory TAM610 Fix Pack 03
Domain Service (ADDS)

Internet Explorer 7.0 (IE 7.0) TAM610 Fix Pack 04

Internet Explorer 8.0 (IE 8.0) TAM610 Fix Pack 03

________________________________________________________________________

Cryptographic Hardware Support:
(IZ44092)

WebSEAL, using GSKit for SSL communication and key management, provides
interface support for Cryptographic hardware.

The list of supported hardware devices can be found at the following location:

http://www.ibm.com/developerworks/tivoli/library/t-gsk7/index.html

At any one point in time, this URL will list those devices supported by GSKit.
Support is provided for any of these devices when used with WebSEAL.
WebSEAL can utilize cryptographic cards to provide hardware acceleration and
secure key storage for specific operations within the WebSEAL product,
but the product documentation does not provide specific information about
which operations (and in which connections) can be off-loaded.The following
DeveloperWorks article explains how to use Cryptographic card with WebSEAL:

http://www.ibm.com/developerworks/tivoli/library/t-sslwebseal/

________________________________________________________________________


1.3 Patches superseded

All patches are cumulative unless otherwise explicitly stated.

Patches superseded by this patch:

6.1.0-TIV-AWS-FP0009
6.1.0-TIV-AWS-FP0008
6.1.0-TIV-AWS-FP0007
6.1.0-TIV-AWS-FP0005
6.1.0-TIV-AWS-FP0004
6.1.0-TIV-AWS-FP0003
6.1.0-TIV-AWS-FP0002
6.1.0-TIV-AWS-FP0001


1.4 Dependencies

IBM Tivoli Access Manager Base, Version 6.1 with patch 6.1.0-ISS-TAM-FP0009
IBM Tivoli Access Manager Web Security Runtime, Version 6.1
IBM Tivoli Access Manager WebSEAL, Version 6.1

NOTE1:
When installing patches on a particular machine, install patches for components
of IBM Tivoli Access Manager, Version 6.1, from patch
6.1.0-ISS-TAM-FP0009 and 6.1.0-ISS-AWS-IF0010
on the same machine.
For example, consider a machine with the following components:
(your machine may have more components installed)

IBM Tivoli Access Manager Runtime (PDRTE)
IBM Tivoli Access Manager Web Security Runtime (PDWebRTE)
IBM Tivoli Access Manager WebSEAL (PDWeb)
IBM Tivoli Security Utilities (TivSecUtl)

To patch the given machine, you must install PDRTE and TivSecUtl components from Patch
6.1.0-ISS-TAM-FP0009, PDWebRTE and PDWeb components
from Patch 6.1.0-ISS-AWS-IF0010 on the given machine.
A machine in a Tivoli Access Manager environment must have all components at the same
patch level. See the 6.1.0-ISS-TAM-FP0009.README for
information about how to install the relevant components of the
6.1.0-ISS-TAM-FP0009 patch.

NOTE2:
In a Tivoli Access Manager environment, install patches in the following order:

a) Policy Server machine: install patches for all components
as described in NOTE1.
b) Policy Proxy Server, if you have one in your Tivoli Access Manager environment
c) All other machines in the Tivoli Access Manager environment.

As described in NOTE1, install patches for all components,
on each machine. You can install patches in other
machines(category c) gradually. However, once the Policy Server is patched,
we strongly encourage that all other machines in the Tivoli Access Manager
environment have the same patch level installed as soon as
possible.


2.0 APARS AND DEFECTS FIXED
---------------------------
This patch corrects problems
outlined in the following sections.


2.1 Problems fixed by patch 6.1.0-ISS-AWS-IF0010

APAR IV30727
Symptom: update to RSA client code.

APAR IV31973
Symptom: A vulnerability has been identified in the GSKIT component
utilitized by Tivoli Access Manager for e-business (TAM).
Remediation for this issue is avaiable by upgrading affected
GSKIT 7 versions to version 7.0.4.42 or higher.

APAR IV31980
Symptom: A vulnerability has been identified in the GSKIT component
utilitized by Tivoli Access Manager for e-business (TAM).
Remediation for this issue is avaiable by upgrading affected
GSKIT 7 versions to version 7.0.4.42 or higher.

Prerequisites

IBM Global Security Toolkit (GSKit) version 7.0.4.42

[{"PRLabel":"GSKit version 7.0.4.42","PRLang":"US English","PRSize":"1111111","PRPlat":{"label":"Platform Independent","code":"PF025"},"PRURL":"https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=gskitupdt"}]

Installation Instructions

3.0 BEFORE INSTALLING THIS PATCH
--------------------------------
Before installing this patch, review the following pre-requisites and
dependencies.



3.1 Back up Tivoli Access Manager data

Before applying any maintenance, be sure to back up your system. Use
the 'pdbackup' command provided with the Tivoli Access Manager product
to back up Tivoli Access Manager-specific data.
See the "IBM Tivoli Access Manager Command Reference" guide
for information on the 'pdbackup' command.

Patch installation for PDWeb component should not over-write the existing
pdweb_start script but still it is highly recommended to backup pdweb_start
script in UNIX systems, specially if any customizations are made on this script.
Patch for PDWeb component will install pdweb_start script as pdweb_start.fixpack
so that if any update or fix made to pdweb_start script is available to Customers
to incorporate into their customized pdweb_start script.


3.2 Upgrade GSKit to Version 7.0.4.42

Upgrade the IBM Global Security Toolkit (GSKit) to version 7.0.4.42
BEFORE installing the Tivoli Access Manager packages in this patch.

The updated GSKit installation packages may be downloaded at the URL:

https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=gskitupdt

After downloading the updated GSKit installation packages, use the
instructions located in the 6.1.0-ISS-TAM-FP0009.README to install the upgraded
GSKit packages.



4.0 INSTALLING THIS PATCH
-------------------------

Before installing this patch, be sure that you have reviewed the
pre-requisites and have completed the backup procedure in section 3.0,
"BEFORE INSTALLING THIS PATCH".

If the Tivoli Access Manager product is distributed over multiple machines,
this patch must be applied to all WebSEAL systems within a secure domain.

If the special character support for remote filenames offered by IZ91061
is needed, redeploy query_contents.sh manually (IV06260)
See the IBM Tivoli Access Manager for e-business Administration Guide for details.

This README assumes that $PATCH (or %PATCH% for Windows) is the path to
your temporary directory.


4.1 Installing this patch on AIX systems

1. Log in to the system as root.

2. Extract the archive into a temporary directory. For the
purpose of this README, assume that the symbol $PATCH
points to this temporary directory.

3. Stop the Tivoli Access Manager processes:

/opt/pdweb/bin/pdweb_start stop

4. At the command prompt, enter the following:

installp -a -g -X -d $PATCH <package>

where <package> is:

PDWeb.RTE Specifies the Access Manager Web Security Runtime
PDWeb.ADK Specifies the Access Manager Web ADK package
PDWeb.Web Specifies the Access Manager WebSEAL Server

5. Restart the Tivoli Access Manager processes:

/opt/pdweb/bin/pdweb_start start


4.2 Installing this patch on HP-UX systems


1. Log in to the system as root.

2. Extract the archive into a temporary directory. For the
purpose of this README, assume that the symbol $PATCH
points to this temporary directory.

3. Stop the Tivoli Access Manager processes:

/opt/pdweb/bin/pdweb_start stop

4. At the command prompt, enter the following:

swinstall -s $PATCH/<package> <patch>

where <package> and <patch> are:

<package> <patch>
------------------------------ -------------
PDWebRTE000610-10.depot PDWebRTE
PDWebADK000610-10.depot PDWebADK
PDWeb000610-10.depot PDWeb

5. Restart the Tivoli Access Manager processes:

/opt/pdweb/bin/pdweb_start start


4.3 Installing this patch on Linux systems


1. Log in to the system as root.

2. Extract the archive into a temporary directory. For the
purpose of this README, assume that the symbol $PATCH
points to this temporary directory.

3. Stop the Tivoli Access Manager processes.

/opt/pdweb/bin/pdweb_start stop

4. At the command prompt, enter the following:

rpm -U <patchname>

where <patchname> is one of the following:

Linux on xSeries(R)

PDWebRTE-PD-6.1.0-7.i386.rpm
PDWebADK-PD-6.1.0-7.i386.rpm
PDWeb-PD-6.1.0-7.i386.rpm

Linux on zSeries

PDWebRTE-PD-6.1.0-7.s390.rpm
PDWebADK-PD-6.1.0-7.s390.rpm
PDWeb-PD-6.1.0-7.s390.rpm

Note:
If Tivoli Access Manager is already configured, you
might need to install with the --noscripts flag:

rpm -U --noscripts <patchname>

5. Restart the Tivoli Access Manager processes:

/opt/pdweb/bin/pdweb_start start




4.4 Installing this patch on Sun Solaris Operating Environment systems

1. Log in to the system as root.

2. Extract the archive into a temporary directory. For the
purpose of this README, assume that the symbol $PATCH
points to this temporary directory.

3. Stop the Tivoli Access Manager processes:

/opt/pdweb/bin/pdweb_start stop

4. At the command prompt, enter the following:

cd $PATCH

Solaris 9:
patchadd <package>

Solaris 10 and above:
patchadd -t <package>

where <package> is:


PDWEBRTE000610-10 Specifies the Access Manager Web Security Runtime
PDWEBADK000610-10 Specifies the Access Manager Web ADK package
PDWEB000610-10 Specifies the Tivoli Access Manager WebSEAL Server


5. Restart the Tivoli Access Manager processes:

/opt/pdweb/bin/pdweb_start start




4.5 Installing this patch on Windows systems

1. Log in to the Windows system as the Administrator.

2. Shut down the Tivoli Access Manager WebSEAL server:
a. Click 'Control Panel' > 'Services'
b. Click 'Access Manager WebSEAL Server' > 'Stop'.
c. To confirm this action, click 'Yes'.

3. Unpack the self-extracting archive into a temporary
directory. For the purpose of this README, assume that
%PATCH% points to this temporary directory.

4. Change to the patch directory:

cd %PATCH%

For each component to apply service to, run the following command:

<component directory>/Disk Images/Disk1/setup.exe

List of component directory names.

PDWebRTE Specifies the Access Manager Web Security Runtime
PDWebADK Specifies the Access Manager Web ADK package
PDWeb Specifies the Tivoli Access Manager WebSEAL Server

Note: If you must reboot your system to
complete this installation, you might subsequently encounter a
problem running the Web Portal Manager to access the console. For example,
you might need a system reboot to overcome a shared DLLs problem.
If this happens, confirm that the WebSphere service is
running. The WebSphere service is installed in manual startup
mode and might not be started after a reboot.

5. Restart the Tivoli Access Manager WebSEAL server:

From the Windows Start menu, click:

a. 'Settings' > 'Control Panel' > 'Administrative Tools' > 'Service'.
b. Click 'Access Manager WebSEAL Server' > 'Start'.
c. Click 'IBM WS AdminServer' > 'Start'.

[{"INLabel":"6.1.0-TIV-AWS-IF0010.README","INLang":"US English","INSize":"1111111","INURL":"http://www-933.ibm.com/support/fixcentral/"}]
On
[{"DNLabel":"6.1.0-ISS-AWS-IF0010-AIX.tar.Z","DNDate":"7 Dec 2012","DNLang":"US English","DNSize":"14824729","DNPlat":{"label":"AIX","code":"PF002"},"DNURL":"http://www.ibm.com/support/fixcentral/quickorder?source=dbluesearch&product=ibm%2FTivoli%2FIBM+Tivoli+Access+Manager+for+e-business&vrmf=6.1.0&fixids=6.1.0-ISS-TAM-IF0010-AIX","DNURL_FTP":" ","DDURL":null},{"DNLabel":"6.1.0-ISS-AWS-IF0010-HP-IA64.tar.Z","DNDate":"7 Dec 2012","DNLang":"US English","DNSize":"13806451","DNPlat":{"label":"Platform Independent","code":"PF025"},"DNURL":"http://www.ibm.com/support/fixcentral/quickorder?source=dbluesearch&product=ibm%2FTivoli%2FIBM+Tivoli+Access+Manager+for+e-business&vrmf=6.1.0&fixids=6.1.0-ISS-TAM-IF0010-HP-IA64","DNURL_FTP":" ","DDURL":null},{"DNLabel":"6.1.0-ISS-AWS-IF0010-HP.tar.Z","DNDate":"7 Dec 2012","DNLang":"US English","DNSize":"10222269","DNPlat":{"label":"Platform Independent","code":"PF025"},"DNURL":"http://www.ibm.com/support/fixcentral/quickorder?source=dbluesearch&product=ibm%2FTivoli%2FIBM+Tivoli+Access+Manager+for+e-business&vrmf=6.1.0&fixids=6.1.0-ISS-TAM-IF0010-HP","DNURL_FTP":" ","DDURL":null},{"DNLabel":"6.1.0-ISS-AWS-IF0010-LIN.tar.Z","DNDate":"7 Dec 2012","DNLang":"US English","DNSize":"6926256","DNPlat":{"label":"Linux","code":"PF016"},"DNURL":"http://www.ibm.com/support/fixcentral/quickorder?source=dbluesearch&product=ibm%2FTivoli%2FIBM+Tivoli+Access+Manager+for+e-business&vrmf=6.1.0&fixids=6.1.0-ISS-TAM-IF0010-LIN","DNURL_FTP":" ","DDURL":null},{"DNLabel":"6.1.0-ISS-AWS-IF0010-S390.tar.Z","DNDate":"7 Dec 2012","DNLang":"US English","DNSize":"6136865","DNPlat":{"label":"z/OS","code":"PF035"},"DNURL":"http://www.ibm.com/support/fixcentral/quickorder?source=dbluesearch&product=ibm%2FTivoli%2FIBM+Tivoli+Access+Manager+for+e-business&vrmf=6.1.0&fixids=6.1.0-ISS-TAM-IF0010-S390","DNURL_FTP":" ","DDURL":null},{"DNLabel":"6.1.0-ISS-AWS-IF0010-SOL-X86.tar.Z","DNDate":"7 Dec 2012","DNLang":"US English","DNSize":"8290381","DNPlat":{"label":"Solaris","code":"PF027"},"DNURL":"http://www.ibm.com/support/fixcentral/quickorder?source=dbluesearch&product=ibm%2FTivoli%2FIBM+Tivoli+Access+Manager+for+e-business&vrmf=6.1.0&fixids=6.1.0-ISS-TAM-IF0010-SOL-X86","DNURL_FTP":" ","DDURL":null},{"DNLabel":"6.1.0-ISS-AWS-IF0010-SOL.tar.Z","DNDate":"7 Dec 2012","DNLang":"US English","DNSize":"8389234","DNPlat":{"label":"Solaris","code":"PF027"},"DNURL":"http://www.ibm.com/support/fixcentral/quickorder?source=dbluesearch&product=ibm%2FTivoli%2FIBM+Tivoli+Access+Manager+for+e-business&vrmf=6.1.0&fixids=6.1.0-ISS-TAM-IF0010-SOL","DNURL_FTP":" ","DDURL":null},{"DNLabel":"6.1.0-ISS-AWS-IF0010-WIN.zip","DNDate":"7 Dec 2012","DNLang":"US English","DNSize":"17725470","DNPlat":{"label":"Windows Server 2003","code":""},"DNURL":"http://www.ibm.com/support/fixcentral/quickorder?source=dbluesearch&product=ibm%2FTivoli%2FIBM+Tivoli+Access+Manager+for+e-business&vrmf=6.1.0&fixids=6.1.0-ISS-TAM-IF0010-WIN","DNURL_FTP":" ","DDURL":null}]
[{"Product":{"code":"SSPREK","label":"Tivoli Access Manager for e-business"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"WebSEAL","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF025","label":"Platform Independent"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"6.1","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Problems (APARS) fixed
IV30727;IV31973;IV31980;IV22987;IV13101;IV22991;IV22957;IV22959;IV03634;IV12457;IZ95126;IV07287;IV22961;IV18038;IV23012;IV22962;IV23010;IV11822 IV15325 IV15101;IV22992;IV00004;IV02743;IV06254;IV06255;IV06265;IV06266;IV06256;IZ94786;IV06257;IZ96573;IZ97177;IV02723;IZ96041;IV06246;IV01861;IV06247;IZ89810;IZ90880;IV06248;IZ95842;IV06249;IZ97217;IZ83465;IZ83762;IZ77972;IZ83454;IZ83449;IZ65458;IZ52070;IZ68603;IZ67382;IZ80213;IZ68844;IZ80224;IZ80226;IZ80227;IZ83458;IZ80228;IZ75098;IZ66293;IZ68131;IZ80229;IZ66834;IZ80215;IZ74309;IZ66220;IZ66219;IZ66218;IZ66214;IZ66202;IZ66127;IZ66125;IZ66111;IZ54630;IZ54630;IZ54248;IZ53257;IZ52357;IZ52071;IZ52070;IZ52068;IZ52067;IZ52065;IZ52050;IZ52049;IZ52032;IZ52027;IZ52013;IZ51708;IZ50888;IZ50888;IZ50241;IZ49672;IZ49672;IZ48497;IZ48497;IZ46991;IZ44092;IZ43734;IZ43559;IZ43553;IZ41884;IZ40137;IZ39320;IZ30161;IZ28996;IZ26925;IZ25866;IZ18736;IZ16593;IZ10008;IZ06757;IZ06581;IZ06041;IZ96623;IZ96636;IZ96639;IZ96638;IZ75862;IZ96534;IZ81392;IZ96644;IZ87576;IZ89678;IZ91061;IZ96647

Document Information

Modified date:
15 June 2018

UID

swg24033715