Downloadable files
Abstract
Contains accumulated fixes for problems encountered in IBM Tivoli Identity Manager (ITIM) Version 5.1.
Download Description
General Description:
Contains accumulated fixes for problems encountered in IBM Tivoli Identity Manager (ITIM) Version 5.1.
The APAR numbers for all fixes included are listed under "Problems Fixed". Refer to the specific APAR descriptions for more detail.
This and other featured documents for IBM Tivoli Identity Manager can be found at:
http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
Problems Fixed:
APAR: IV27041
Symptom: ITIM's LDAP connection pool is not cleared as expected.
Note: A ServiceUnavailableException is thrown when ITIM attempts to communicate with a directory server and that service is not available. It might be unavailable for different reasons; e.g., the server might be too busy to service the request, the server might not be registered to service any requests, etc. Sometimes this exception is thrown when a firewall drops the connection because the connection has been idle longer than the firewall timeout. To avoid this scenario, the "enrole.connectionpool.timeout" value should ideally be set to a value less than the firewall idle connection timeout, so that connections which are idle for longer than the timeout value are automatically removed from the pool by ITIM/WAS.
A new property, "enrole.connectionpool.retryCountForSUException", has been introduced in the $ITIM_HOME/data/enRole.properties file. This property enables the admin to specify the number of times ITIM will retry an LDAP operation when it encounters a ServiceUnavailableException. ITIM will use a new LDAP connection from the pool during each retry. A copy of the 'enRole.properties' file with this update and description has been provided along with this maintenance package as an example for your reference. To use this property, uncomment it and specify an appropriate retry count.
APAR: IV27559
Symptom: If an identity policy containing multi-byte characters in a rule definition is exported and then imported, the imported policy may contain invalid or garbage text.
APAR: IV27658
Symptom: When the ITIM Self Service UI help is launched, clicking any links on the help pages results in "http 500 error" or "page cannot be displayed" error. This occurs only if SSUI is deployed in a WebSphere 7 clustered environment.
APAR: IV27930
Symptom: A Service name with a special character like ampersand, (&), in it is displayed with the escaped value on the 'Request Submitted: Request Account' page of SSUI.
APAR: IV29874
Symptom: When an account modify request is submitted without modifying any attribute of the account object, then ITIM does not prompt a message to the requester indicating that the request is not submitted since no changes have been made to the account. The account modify request gets submitted successfully. In ITIM 4.6, the following error message was being displayed when a user tried to submit such request and ITIM did not allow the request to be submitted:
"CTGIMI026I The request for an account modification is not submitted due to no change".
Note: A new property, "enrole.modifyAccount.ignoreRequestWithoutChanges" has been introduced in $ITIM_HOME/data/enRole.properties file. This property, when set to 'true', will prevent account modify request from being submitted when the account object does not contain any modifications. The above error message will be displayed on the UI and account modify API will throw appropriate exception. A copy of the 'enRole.properties' file with this update and description has been provided along with this maintenance package as an example for your reference. To enable this feature, please add the new property in enRole.properties file with the value true.
APAR: IV30444
Symptom: Add a new option to the enhancement provided via APAR IV27212 to control the default account selection on the change password page.
Note: A new property, "ui.passwordManagement.defaultSelection.deselectAllAccounts" has been introduced in $ITIM_HOME/data/ui.properties file. This property will decide whether the account(s) on the Change Password page of the admin console will be selected by default or not. A copy of the 'ui.properties' file with this update and description has been provided along with this maintenance package as an example for your reference.
Old Problems Fixed from prior Interim Fixes:
APAR: IV25355
Symptom: The Data values of a DropDown Box (Custom values) are treated as case-sensitive although the attribute is defined as case insensitive in LDAP.
Note: After applying this fix, while comparing the values of a DropDown Box, ITIM will honor the matching rules defined in LDAP for that attribute. By default, if no matching rule is defined in LDAP, the comparison is case-insensitive.
APAR: IV25413
Symptom: When submitting a suspend request for a person, along with accounts, via either UI or API for a future date, ITIM immediately removes the "erpswdlastchanged" attribute from that Person.
APAR: IV25434
Symptom: If a user has authenticated an ITIM SSUI session and someone invokes the Logoff URL, http://<hostname>:<port>/itim/self/Login/Logoff.do, from outside the SSUI application, then the valid SSUI session will also be logged off.
Note: As part of this fix, a new property 'ui.logoff.validateSession' has been introduced in $ITIM_HOME/data/SelfServiceUI.properties file. Setting this property to true will prevent a valid SSUI session from being logged off through scripts or CSRF attacks. Execute the additional steps listed in step 1 in the 'COMMON TASKS' section at the end of the README to enable this feature.
APAR: IV27029
Symptom: When SSL is enabled, the fixpack update installer and the runconfig utility update the LDAP connection properties incorrectly.
APAR: IV27189
Symptom: ITIM throws AuthorizationException while trying to update ACIs for a container using the OrganizationalContainerMO.update() method.
Note: The published API, AccessControlListManager contains all methods required to perform any operation on ACIs. All methods of this class perform an appropriate authorization check before executing any ACI related operation. To perform any ACI related operation from the apps layer, customers should use the methods of the AccessControlListManager class and not OrganizationalContainerMO.update(). The methods, DirectoryObject.setAccessRights() and DirectoryObject.getAccessRights() should only be used while performing ACI related operations using the dataservices API, e.g., OrganizationalContainerEntity.update(), in which case no authorization check is performed.
The documentation for the DirectoryObject class in $ITIM_HOME/extensions/5.1/api/com/ibm/itim/dataservices/model/DirectoryObject.html has been updated with this information. Please refer to the DirectoryObject.html shipped with this maintenance package for the updated documentation of setAccessRights (Collection) method. Execute the additional steps listed in step 2 in the 'COMMON TASKS' section at the end of the README to replace the updated file.
APAR: IV29631 ROUTE OF IV26262 R68013
Symptom: While restoring a person via an HR feed a random password gets generated if:
1. There is a "password rule" applied with "Repeated history length" set to some positive number.
2. The property "account.restore.skip.password.validation" is set to TRUE in enRole.properties.
APAR: IV29632 C39610 R67935
Symptom: When using Manage Recertification Policies, the Calendar widget remains open even after navigating to the next page.
Architecture(s): Windows, Solaris, AIX and Linux.
Fixes superseded: ITIM Interim Fix, 5.1.0.12-ISS-TIM-IF0042.
Dependencies: ITIM 5.1 Fixpack 5.1.0.12-ISS-TIM-FP0012.
Database Changes: NONE
JMS (Java Messaging Service) Changes: NONE
LDAP Changes: NONE
Files Replaced or Added or Modified by this Interim fix:
ITIM ear, home, and updi files (embedded inside the *.pak file)
Patch Contents:
- This README file
- 5.1.0.12-ISS-TIM-IF0043.pak
- DirectoryObject.html
- enRole.properties
- SelfServiceUI.properties
- toolbar.jsp
- ui.properties
MD5 Checksums:
07f905137ad743c5e4ff29a14b5bc3d5 5.1.0.12-ISS-TIM-IF0043.zip
44c5b0f943426718b6707634582dfb18 5.1.0.12-ISS-TIM-IF0043.pak
1138fbaa512cc0acf6fa89d2bfb8c80c DirectoryObject.html
16a7b197b4f8c27ebe2380abeff077cd enRole.properties
0ad00117b834dda5290eba678768f31f SelfServiceUI.properties
8b131cc404385f43d38963c5207c4ae9 toolbar.jsp
2208a991c50991a1d97419cb73322d86 ui.properties
Prerequisites
5.1.0.12-ISS-TIM-FP0012
| URL | LANGUAGE | SIZE(Bytes) |
|---|---|---|
| 5.1.0.12-ISS-TIM-FP0012 | English | 212406942 |
Installation Instructions
Applying the Patch:
1) Extract the Interim Fix zip file to a temporary directory on your hard drive:
# jar xvf 5.1.0.12-ISS-TIM-IF0043.zip
NOTE: You may also use any unzip equivalent to unpack the zip file.
Back-level versions of jar, FastJar or PKZIP may report errors. Use the jar executable supplied with java or another zip utility to uncompress the file.
2) Copy the file(s) to the appropriate directory. The following is a typical example. Yours may be different.
/opt/IBM/WebSphere/UpdateInstaller/maintenance/
NOTE: *************************************************************************
Always BACKUP your old files in a safe place in case an unforeseen event occurs. It is recommended to backup ITIM_HOME/data directory. Especially, be sure to backup any configuration files you may have modified such as properties or xml files.
NOTE: *************************************************************************
When performing this Interim Fix installation on a slower system the deployment could take a long time.
We have seen times in the 30 to 60 minute range or higher. It is recommended to extend the WebSphere SOAP Request Timeout value from 180 to 1800 seconds or higher as needed.
Configuration file:
WAS_HOME/profiles/PROFILE_NAME/properties/soap.client.props
Property to change:
com.ibm.SOAP.requestTimeout=1800 (30 minutes)
NOTE: com.ibm.SOAP.requestTimeout=0 will provide an infinite timeout.
If you encounter a timeout problem you may see the following entries in the update installer logs:
WASX7017E: Exception received while running file
"/opt/IBM/itim/properties/version/nif/config/install/was/updateEar.py";
exception information: com.ibm.websphere.management.exception.ConfigServiceException
com.ibm.websphere.management.exception.ConnectorException
org.apache.soap.SOAPException: [SOAPException: faultCode=SOAP-ENV:Client; msg=Read timed out;
targetException=java.net.SocketTimeoutException: Read timed out]
You may also see other errors indicating an error during the deployment of the ear.
NOTE: *************************************************************************
You must use the WebSphere Update Installer Version V6.1.0.13 or newer. You may download the latest version and get more information about the WebSphere Update Installer here:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg24012718
NOTE: *************************************************************************
Interim Fix Installation procedure
NOTE*** For Installing on a Cluster:
Perform the procedure starting at step 2 first on the NDM and then on every node in the cluster.
Do not perform Step 1. on a Cluster.
Before starting Fixpack Installation on cluster:
A. Ensure all node agents are up and can communicate with the NDM.
B. Ensure ITIM application cluster and ITIM Messaging cluster are stopped.
C. If the DM node and a cluster member are in the same host, perform this procedure only once.
NOTE*** For Installing on a Cluster end.
1. Stop WebSphere using your normal procedures, e.g.
$WAS_HOME/profiles/AppSrv01/bin/stopServer.sh server1
Or if you wish to submit userid and password when WAS admin security is used:
$WAS_HOME/profiles/AppSrv01/bin/stopServer.sh server1 -username xxxx -password yyyy
Proceed to step 2, only after the stop confirmation is displayed.
2. Execute the WebSphere Update Installer, e.g.
/opt/IBM/WebSphere/UpdateInstaller/update.sh
C:\Program Files\IBM\WebSphere\UpdateInstaller\update.bat
3. When the update installer asks for Product Selection, specify your ITIM_HOME directory, typically, /opt/IBM/itim. Later steps will prompt for the location of the fix deliverable (.pak file). When you go forward in the update installer panels, you should see the Interim Fix listed in the "Available Maintenance Package to Install" panel.
4. Select the Next Button and confirm in the next panel by selecting the Next button.
5. After the Maintenance Installation is complete, you may exit the Update Installer.
6. Perform the COMMON TASKS listed below these instructions.
7. After you are done with the COMMON TASKS, then:
8. You may now begin using ITIM. The Update Installer automatically restarts the WebSphere AppServer.
NOTE: *********************************************************************************
The following are COMMON TASKS that you need to perform prior to restarting the AppServer or Cluster.
NOTE: *********************************************************************************
1. OPTIONAL: Required additional steps for IV25434.
As part of this fix, a new property 'ui.logoff.validateSession' has been introduced in $ITIM_HOME/data/SelfServiceUI.properties file and the 'toolbar.jsp' has also been modified. Since the Update Installer does not automatically apply the changes to these files, please execute the following steps to manually apply the changes.
a. Stop the application server.
b. Take a backup of the following files:
$ITIM_HOME/data/SelfServiceUI.properties.
$WAS_HOME/profiles/$PROFILE_NAME/installedApps/$NODE_NAME/ITIM.ear/itim_self_service.war/custom/toolbar.jsp.
c. Open $ITIM_HOME/data/SelfServiceUI.properties in any text editor and add the following property at the end. A copy of 'SelfServiceUI.properties' file with this update and description has been provided along with this maintenance package as an example for your reference.
ui.logoff.validateSession=true
d. Copy the toolbar.jsp file provided with this maintenance package to the $WAS_HOME/profiles/$PROFILE_NAME/installedApps/$NODE_NAME/ITIM.ear/itim_self_service.war/custom folder. Please note that you will have to redo any additional customizations that might have been done in this file.
e. Restart the application server.
f. In a clustered installation, repeat the above steps on each node of the cluster.
2. OPTIONAL: Required additional steps for IV27189.
As part of the APAR, the documentation of setAccessRights() method of the DirectoryObject class in $ITIM_HOME/extensions/5.1/api/com/ibm/itim/dataservices/model/DirectoryObject.html is updated. Please execute the following steps to replace this file:
a. Take a backup of $ITIM_HOME/extensions/5.1/api/com/ibm/itim/dataservices/model/DirectoryObject.html file.
b. Replace the file with the new version of DirectoryObject.html file shipped along with this maintenance package.
c. For a clustered environment, execute the above steps on each node of the cluster.
END OF COMMON TASKS
| URL | LANGUAGE | SIZE(Bytes) |
|---|---|---|
| 5.1.0.12-ISS-TIM-IF0043.README | English | 20480 |
Download package
5.1.0.12-ISS-TIM-IF0043
| Download | RELEASE DATE | LANGUAGE | SIZE(Bytes) | Download Options |
|---|---|---|---|---|
| 5.1.0.12-ISS-TIM-IF0043.zip | 9 Nov 2012 | English | 55927671 | FC |
Product Alias/Synonym
ITIM IBM Tivoli Identity Manager
Problems (APARS) fixed