IBM Support

Tivoli Federated Identity Manager 6.2.2 Fixpack 7 (6.2.2-TIV-TFIM-FP0007)


Abstract

This is a cumulative Fix Pack (FP) patch for a variety of problems in the components that compose the TFIM 6.2.2 product. It upgrades a TFIM 6.2.2 installation to TFIM 6.2.2.7.

Download Description

This fix pack corrects problems in IBM Tivoli Federated Identity Manager (Federated Identity Manager) and IBM Tivoli Federated Identity Manager Business Gateway (Federated Identity Manager Business Gateway), Version 6.2.2. It requires that Federated Identity Manager or Federated Identity Manager Business Gateway, Version 6.2.2, be installed. After installing this fix pack, your Federated Identity Manager or Federated Identity Manager Business Gateway installation will be at level 6.2.2.7.


IMPORTANT NOTICE

Potential cross-site scripting vulnerability via macros in event page template files

Some IBM Tivoli Federated Identity Manager page macros might be vulnerable to cross-site scripting attacks when their values are not properly encoded. Contact IBM Support for the list of macros that might be subject to this issue. To remediate this, add the macros provided by IBM Support to the comma-separated list of tokens in the runtime custom property SPS.PageFactory.HtmlEscapedTokens, so that their values are HTML-escaped when the template files are rendered. For example, if the list of macros provided is:

  • @EXAMPLE_MACRO1@
  • @EXAMPLE_MACRO2@
  • @EXAMPLE_MACRO3@

the value of the runtime custom property SPS.PageFactory.HtmlEscapedTokens with the above macros added can be:

@REQ_ADDR@,@DETAIL@,@EXCEPTION_STACK@,@EXCEPTION_MSG@,@RESPONSE@,@TARGET@,@DETAIL@,@SAMLSTATUS@,@EXAMPLE_MACRO1@,@EXAMPLE_MACRO2@,@EXAMPLE_MACRO3@

NOTE: Other macros that are prone to cross-site scripting vulnerabilities can also be added to SPS.PageFactory.HtmlEscapedTokens. The value of this runtime custom property will be revised periodically and updated as needed. For more information regarding the runtime custom property, see http://www-01.ibm.com/support/knowledgecenter/SSZSXU_6.2.2.7/com.ibm.tivoli.fim.doc_6227/config/reference/CustomPropsSPS.html.
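The following is an added illustration, not code from the fix pack or from IBM, of what the SPS.PageFactory.HtmlEscapedTokens property does when a page template is rendered: macros named in the list have their values HTML-escaped before substitution, while any macro left off the list is inserted verbatim. The property value, the template fragment, the macro values and the helper names (parse_escaped_tokens, render_page, unescaped_macros_in) are all constructed for the example; the real TFIM page factory is not involved. The audit helper generalizes the notice slightly by reporting which macros a given template uses that are still outside the escaped list.

```python
import html
import re

# Constructed value for the SPS.PageFactory.HtmlEscapedTokens runtime custom
# property, modelled on the one shown above (not read from a real installation).
HTML_ESCAPED_TOKENS = (
    "@REQ_ADDR@,@DETAIL@,@EXCEPTION_STACK@,@EXCEPTION_MSG@,@RESPONSE@,"
    "@TARGET@,@SAMLSTATUS@,@EXAMPLE_MACRO1@"
)

# A macro is an upper-case name between '@' signs, as in the page templates.
MACRO_RE = re.compile(r"@[A-Z0-9_]+@")


def parse_escaped_tokens(prop_value):
    """Split the comma-separated property value into a set of macro names."""
    return {tok.strip() for tok in prop_value.split(",") if tok.strip()}


def render_page(template, values, escaped_tokens):
    """Substitute @MACRO@ placeholders in a template.

    Macros named in escaped_tokens are HTML-escaped (quotes included, so the
    value is also safe inside an attribute); every other macro is inserted
    verbatim, which is exactly the exposure the notice describes. Macros with
    no value are left untouched.
    """
    def substitute(match):
        name = match.group(0)
        if name not in values:
            return name
        value = str(values[name])
        if name in escaped_tokens:
            return html.escape(value, quote=True)
        return value
    return MACRO_RE.sub(substitute, template)


def unescaped_macros_in(template, escaped_tokens):
    """Audit helper: macros a template uses that are NOT in the escaped list."""
    return sorted(set(MACRO_RE.findall(template)) - set(escaped_tokens))


# Constructed template fragment standing in for an event page (e.g. an error page).
TEMPLATE = (
    "<p>Error at @REQ_ADDR@: @DETAIL@</p>"
    "<p>Target: @TARGET@</p>"
    "<p>@EXAMPLE_MACRO2@</p>"
)

# Constructed request-derived values; @DETAIL@ carries markup the way an
# untrusted value would, to show that escaping neutralises it.
SAMPLE_VALUES = {
    "@REQ_ADDR@": "/sps/example/saml20/login",
    "@DETAIL@": "<script>",
    "@TARGET@": "https://app.example.com/?a=1&b=2",
    "@EXAMPLE_MACRO2@": "<i>not in the escaped list</i>",
}

if __name__ == "__main__":
    tokens = parse_escaped_tokens(HTML_ESCAPED_TOKENS)
    print(render_page(TEMPLATE, SAMPLE_VALUES, tokens))
    print("still unescaped:", unescaped_macros_in(TEMPLATE, tokens))
```

Running the block shows @DETAIL@ and @TARGET@ arriving in the output as entity-encoded text, while @EXAMPLE_MACRO2@, which is not in the list, is inserted raw; the audit helper is the check to run over customized templates after IBM Support's macro list has been added to the property.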

Possible security exposure with IBM WebSphere Application Server with WS-Security enabled applications using LTPA tokens (CVE-2011-1377)

The security that the IBM WebSphere Application Server provides might be weaker than expected when using web services security (WS-Security). A user might randomly gain elevated privileges on the provider system. WS-Security might assign the identity of a previously processed LTPA token to a new inbound LTPA token after authentication. This affects applications using either JAX-WS or JAX-RPC.

Versions affected:

  • IBM WebSphere Application Server, all platforms, Versions 8.0 through 8.0.0.2, 7.0 through 7.0.0.21, 6.1 through 6.1.0.41, and 6.0.2 through 6.0.2.43.
  • IBM WebSphere Application Server Feature Pack for Web Services Versions 6.1.0.9 through 6.1.0.39.

The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the fix, access http://www.ibm.com/support/docview.wss?uid=swg21587536

Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.

Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed fix installation instructions.

Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476)

This security alert addresses a serious security issue: CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability might cause the Java Runtime Environment to hang, go into an infinite loop, and/or crash resulting in a denial of service exposure. The JRE might hang if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program using the Double.parseDouble method is also at risk of this exposure including any customer written application or third party written application.

The following products contain affected versions of the Java Runtime Environment:

  • IBM WebSphere Application Server Versions 7.0 through 7.0.0.13 for Distributed, i5/OS and z/OS operating systems.
  • IBM WebSphere Application Server Versions 6.1 through 6.1.0.35 for Distributed, i5/OS and z/OS operating systems.
  • IBM WebSphere Application Server Versions 6.0 through 6.0.2.43 for Distributed, i5/OS and z/OS operating systems.

The same iFix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the iFix, access http://www.ibm.com/support/docview.wss?uid=swg21462019.

Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.

Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.

JAVA.LANG.RUNTIMEEXCEPTION: SRV.8.2: REQUESTWRAPPER OBJECTS MUST EXTEND SERVLETREQUESTWRAPPER OR HTTPSERVLETREQUESTWRAPPER (PM10357)

This APAR PM10357 is reported for WebSphere Application Server (WAS) v6.1. As a result of this APAR, operations in the IBM Tivoli Federated Identity Manager Management Console can fail with the following exception observed in the log if the Management Console is deployed on an affected version of WAS v6.1:

java.lang.RuntimeException: SRV.8.2: RequestWrapper objects must extend ServletRequestWrapper or HttpServletRequestWrapper

Examples of operations that can fail include:

  • Importing a keystore file
  • Loading a mapping rule

Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.

The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager.

The IBM WebSphere Update Installer (WUI) must be used to apply the fix. If the WUI has not been previously installed, download the WUI from http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.


Fix pack contents and distribution

This fix pack package contains:

  • The fix pack zip file.
  • This README.

This fix pack is distributed as an electronic download from the IBM Support Web site.


Architecture

This fix pack package supports the same operating system releases that are listed in the Operating systems for a specific product for the product Tivoli Federated Identity Manager and the version 6.2.2.

This fix pack package supports the same software prerequisites that are listed in the Prerequisites of a specific product for the product Tivoli Federated Identity Manager and the version 6.2.2.

The Tivoli Federated Identity Manager's risk-based access feature's software requirements are listed here. Since 6.2.2-TIV-TFIM-FP0004, the list of supported databases also includes:

  • Oracle Database 10g Standard/Enterprise Editions Release 4 and future fix packs.
  • Oracle Database 11g Standard/Enterprise Editions Release 1 and future fix packs.


Fix packs superseded by this fix pack

  • 6.2.2-TIV-TFIM-FP0006
  • 6.2.2-TIV-TFIM-LA0005
  • 6.2.2-TIV-TFIM-FP0004
  • 6.2.2-TIV-TFIM-FP0002


Fix pack structure

Federated Identity Manager consists of the following components that can be installed separately:

  • Administration console
  • Management service and runtime component
  • Web services security management (WSSM)
  • WS-provisioning runtime
  • Internet information services (IIS) Web plug-in
  • Apache/IBM HTTP Server Web plug-in
  • IBM Support Assistant plugin
  • Risk-based access

This fix pack applies only to the administration console, the management service and runtime component, Web Services Security Management (the first three components listed above), the Web plug-ins (Internet Information Services and Apache/IBM HTTP Server), and the risk-based access component. These components must be at the same level. For example, if you install a fix pack for the management service and runtime component, you must install the corresponding fix packs for the administration console and WSSM components. If all three components are not at the same fix pack level, they are not guaranteed to interoperate with each other as designed.


APARs and defects fixed
Problems fixed by fix pack 6.2.2-TIV-TFIM-FP0007

The following problems are corrected by this fix pack. For more information about the APARs listed here, see the Tivoli Federated Identity Manager support site.

IV44424


SYMPTOM: Example USC mapping rule does not validate mobile number, email, secret question answer and secret question index.

IV44425


SYMPTOM: If Redirect URI is not contained in the request to the OAuth 2.0 authorize endpoint, the default redirect URI should be read from OAUTH20.ClientRedirectUri value.

IV44426


SYMPTOM: The login button in the OTP login page should be disabled once the retry limit has been reached, so that the user cannot attempt another retry, which would cause exception FBTOTP313E.

IV44484


SYMPTOM: Wrong X509SKI value in digital signature.

IV44470


SYMPTOM: Unnecessary dependency on PDJRTE when configuring Web Gateway Appliance as point of contact with the tfimcfg tool.

IV44403


SYMPTOM: Attributes with colons in their names may not be specified in an XACML rules policy.

IV44405


SYMPTOM: If the policy_consent_based_registration policy is used and the user logs in on a registered device, they will be asked for consent to register again.

IV44410


SYMPTOM: If the path to a resource is different from the path to info.js, then the cookie containing the session id will not be sent when the resource is accessed. The cookie will also not be secure when using HTTPS.

IV44411


SYMPTOM: JavaScript matchers based on historical user data cannot be written because the historical data is not passed to the matcher.

IV44412


SYMPTOM: When RBA risk reports are enabled, traces are seen in the System.out logs.

IV43149


SYMPTOM: The risk-based access Federation First Steps Wizard does not work properly after applying TFIM 6.2.2 Fixpack 6. The panel after the panel that scans TFIM configurations is blank. After clicking Next, the wizard displays an error message.

Problems fixed by fix pack 6.2.2-TIV-TFIM-FP0006

IV37665


SYMPTOM: For modern browsers, the table rows in FIM console are misaligned.

IV37666


SYMPTOM: When using the JRE of WAS 8 and above to run tfimcfg.jar to configure a WebSEAL server, the operation fails with the following exception: FBTTAC003E An error occurred when reading or writing the file /opt/IBM/WebSphere/AppServer/java/jre/PolicyDirector/PD.properties: java.io.FileNotFoundException: /opt/IBM/WebSphere/AppServer/java/jre/PolicyDirector/PD.properties (No such file or directory)

IV37668


SYMPTOM: When creating a new point of contact using the CLI, the authentication policy callbacks are incorrectly configured using the configuration of the authenticate callbacks.

IV37674


SYMPTOM: When using FFS to configure Salesforce as a SaaS, the Summary page shows: When configuring the service provider settings, you may need to supply the Federated Identity Manager Endpoint URL which is ....

IV37305


SYMPTOM: When the USC forgot-password flow is triggered and the user enters a new password that does not meet the password requirements, the secret question page is redisplayed with all secret question fields set to the first question and disabled. When the user fills in all secret question answer fields and resubmits, another error is shown.

IV37675


SYMPTOM: When a user runs through the USC forgotten-password flow and too many failed attempts at answering the secret question are made, the error page is displayed using forgotid_error.html instead of forgotpassword_error.html.

IV37680


SYMPTOM: WAS JRE is not configured for TAM runtime for Java if FFS is used to create domain, deploy and configure runtime.

IV36139


SYMPTOM: In the OAuth 1.0 flow, when the Temporary Credential Request Endpoint contains a query string, the Request Temp Token fails with a signature mismatch.

IV37707


SYMPTOM: Cannot configure FIM to use POST only in OpenID flows.

IV38333


SYMPTOM: FFS wizards complete successfully even when there are problems configuring the junctions using tfimcfg.jar.

Problems fixed by fix pack 6.2.2-TIV-TFIM-LA0005

IV36145


SYMPTOM: OTP support fixes that include outbound HTTP proxy support, OTP retry enforcement, resending of OTP, success/failure determination of SMS delivery via HTTP response body, detailed tracing for OTP SMS Provider, updates to OTP delivery and provider modules, OTP authentication policy callback mapping rule console fix and un-authenticated OTP support.

IV36140


SYMPTOM: User Self Care session information storage.

IV36136


SYMPTOM: Some USC module configuration is not read from config and uses the default value(s) only. One example is the 'USC.AccountRecoveryValidationAttributes' configuration.

IV36153


SYMPTOM: Null pointer exception in STSLTPATokenModule when Principal name attribute type is null.

Problems fixed by fix pack 6.2.2-TIV-TFIM-FP0004

IV31640


SYMPTOM: The RelayState query string parameter provided to the IP-initiated SSO initial URL is used to populate the RelayState macro in the authentication response when the target query string parameter is empty or not provided. It should be ignored.

IV26049


SYMPTOM: The SAML 1.1 STS Token Module fails to populate the STSUU's Principal correctly when the inbound SAML Assertion contains an AuthenticationStatement with a type attribute that is set to something other than "saml:AuthenticationStatement".

IV31657


SYMPTOM: A blank page is shown during FSSO.

IV31658


SYMPTOM: Corrupted URLs in the feds.xml and sps.xml when a non-sps URL is provided for Single Sign-On Service, Single Logout Service, Soap Endpoint, Artifact Resolution Service, Assertion Consumer Service or Name ID Management Service URLs in the SAML 2.0 IP/SP Federation properties page via Management Console.

IV31660


SYMPTOM: Some Service Providers for the WS-Federation Passive Profile do not accept RequestSecurityTokenResponse that contain certain elements. For example, Sharepoint does not accept RequestSecurityTokenResponse that contains the elements wst:Forwardable, wst:Delegatable, wst:Status and wst:Renewing. However, these elements are present in the RequestSecurityTokenResponse generated by the TFIM Identity Provider for the WS-Federation Passive Profile.

IV31661


SYMPTOM: The default value of the attribute that the alias service uses to denote the user identifier is "uid". The LDAP Migration Tool supports only the default value and does not work for any value other than the default value.

IV31641


SYMPTOM: SubjectConfirmationData is missing when generating a SAML 2.0 assertion with the Bearer subject confirmation method and no claims are supplied in the RST.

IV27198


SYMPTOM: Missing ds in InclusiveNamespace Prefix for SAML 2.0 Assertion Signature element.

IV21668


SYMPTOM: FIM does not provide a 2048-bit option for the key size when generating a certificate request or self-signed certificate through the console.

IV33064


SYMPTOM: When using the manageItfimStsChainMapping CLI command to create a response file, the values of AppliesTo service name and namespace are provided in the wrong attributes appliesToPortTypeName and appliesToPortTypeNamespace.

IV32867


SYMPTOM: A NullPointerException is thrown during the initial loading of configurations after starting WebSphere.

IV32874


SYMPTOM: Latitude and accuracy affect risk score in location-based matching.

IV32875


SYMPTOM: Running the CLI command manageRbaPolicy with the "update" or "create" operation generates an additional wrong message on the prompt.

IV32904


SYMPTOM: DocumentNotFound exception is thrown for "itfim/rba/rba.properties" when running the CLI command manageRbaConfiguration with the "deploy" operation.

IV32936


SYMPTOM: Device Registration Audit event shows that it is successful even though the device is not getting registered.

IV32937


SYMPTOM: Example matcher file "language.js" returns boolean instead of Enum.

Problems fixed by fix pack 6.2.2-TIV-TFIM-FP0002

IV23423


SYMPTOM: Improve SAML signature conformance.

IV23435


SYMPTOM: Improve signature conformance.

IV23451


SYMPTOM: Improve OpenID signature conformance.

IV21908


SYMPTOM: TFIM invalidates the AuthnRequest message when the Assertion Consumer Service URL doesn't exactly match the configured URL.

IV21963


SYMPTOM: The STSUUSER principal does not match the incoming subject name id of the assertion.

IV21960


SYMPTOM: The 'Federate this account link' is incorrectly generated as null?RelayState= in the ivtapp's federations.jsp page of the identity provider.

IV19945


SYMPTOM: The TFIM USC feature generates a validation email message that contains a link to complete the enrollment flow. That link is passed as a macro to the email template when generating the email. If the customizer wants to modify the flow by changing the link location, the email template file must be edited to point elsewhere, and the nonce must be added to the query string of that link. With the current macros this is difficult to achieve because the nonce is not provided as a separate macro.

IV17419


SYMPTOM: The TFIM SPS is missing HTTP methods that certain protocols require. For example, REST protocols need at a minimum GET, POST, PUT, and DELETE. This fix corrects the issue but also ensures that, if previous delegates are called using previously unsupported methods, the returned status code remains 405, as before the change.

IV19827


SYMPTOM: The TFIM Single Sign On protocol service (SPS) SAML 2.0 protocol implementation allows a customer to use the 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' name identifier for single sign-on. By default TFIM treats a 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' name identifier as a 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' name identifier unless the default name identifier is set to another type such as emailAddress. The Single Logout operation incorrectly queries the alias service if the unspecified name identifier is used and the default name identifier is set to email.

IV19593


SYMPTOM: Unable to initialize CARS audit event handler plugin when the CARS webservice URL is an HTTPS endpoint.

IV19846


SYMPTOM: In the IBM Tivoli Federated Identity Manager Web Service Security Management Configuration Guide, a method is provided on how to associate the shared library with a server. This method cannot be used if FSSO is configured in the same WebSphere Application Server. A new method that associates the shared library with the web service provider or requester is documented. This new method does not have the same limitation.

IV19850


SYMPTOM: A command cited in the installation documentation contains a typographical error.

IV16979


SYMPTOM: The BASE64 encoded token generated by the IVCred STS module is split into multiple lines. This is not desirable in some cases.

IV18104


SYMPTOM: No error message is reported when importing a SAML 2.0 IdP or SP whose metadata contains an Organization element with no OrganizationURL element.

IV16948


SYMPTOM: SLO fails when two SPs are authenticated using the same session index and both SP federations are on the same TFIM domain.

IV18112


SYMPTOM: The STS obtains the base security token for execution from either the base element on the RequestSecurityToken message or from the WS-Security tokens included on the soap headers. Tivoli Federated Identity Manager will take the first WS-Security token found on the soap header. After this modification the SAML STS modules will look for the appropriate token type included on the WS-Security headers when the change is enabled.

IV16977


SYMPTOM: Certain points of contact that use the external authentication interface do not recognize the identity of the user that is set by Tivoli Federated Identity Manager in the response HTTP header (typically "am-fim-eai-user-id"), since these points of contact are not aware that TFIM URL-encodes this identity. In such cases, TFIM should not URL-encode this identity.

IV16994


SYMPTOM: Requests to the Tivoli Federated Identity Manager WS-Trust 1.3 endpoint URL using the ?WSDL parameter to get the WSDL document cause subsequent SOAP services to fail.

IV17595


SYMPTOM: NullPointerException is thrown when sending SAML 2.0 messages (e.g., Logout Request) with invalid IssueInstant attribute.

IV17871


SYMPTOM: The Tivoli Federated Identity Manager STS does not support the RequestType and KeyType elements on the RequestSecurityTokenResponse message. The RequestType value should be set to the value received on the request, and the KeyType should be set to one of the values supported by WS-Trust, based on an attribute in the STS universal structure.

IV17875


SYMPTOM: Tivoli Federated Identity Manager is incorrectly processing SAML aliases with certain directory servers.

IV17870


SYMPTOM: Unable to customize the error page for error FBTSPS061E as there is no event mapping associated with this event.

IV17609


SYMPTOM:
1. When creating an identity provider federation, the OAuth 1.0 and OAuth 2.0 options are erroneously displayed.
2. OAuth 1.0 and OAuth 2.0 federations do not provide identity information to the STS for use in mapping rules.
3. Macro replacement is not available on OAuth 1.0 or OAuth 2.0 pages.
4. POST is not supported at OAuth authorize endpoints.
5. Tivoli Access Manager config utility (tfimcfg.jar) does not set '-b ignore' flag for OAuth 2.0 federations.
6. Updating OAuth 2.0 endpoints in the federations configuration panel can lead to UndeterminableProtocolException at runtime.
7. When an OAuth 1.0 client requests a temporary token without specifying a realm, uses that temporary token to obtain an access token, and then uses that access token and specifies a realm, Tivoli Federated Identity Manager throws a realm validation exception.

IV17409


SYMPTOM: The AuthenticatingAuthority sub-element in the SAML AuthnContext is not available in Tivoli Federated Identity Manager.

IV17413


SYMPTOM: RelayState URL encoding and decoding in SAML 2.0 unsolicited SSO can only be configured at the global level. Support for federation and partner level configuration is required.

IV17403


SYMPTOM: The sample TDI mapping rule is missing the AuthenticatingAuthority attribute.

IV17412


SYMPTOM: Tivoli Access Manager WebSEAL failover cookies do not work when Tivoli Federated Identity Manager is configured to generate IV credential tokens without using PDAcld.

IV17180


SYMPTOM: The manageItfimPointOfContact CLI does not update the runtime custom properties when deploying Tivoli Federated Identity Manager runtime without providing the point of contact settings override response file.

IV17411


SYMPTOM:
1. When defining a text field in GUIXML, and setting its default value to a string containing a quotation mark, Tivoli Federated Identity Manager throws an exception when loading the GUIXML page saying that the XML is invalid.
2. In an STS module which has an 'init' page widget which has a multi-valued TextField, only the first value of the multiple values is displayed when viewing the module instance properties.

IV17485


SYMPTOM: The Tivoli Federated Identity Manager Single Sign On protocol service (SPS) collects the HTTP Request information to route the single sign on flow. That information is used to send the request to the appropriate delegate protocol, to generate the response on the appropriate locale, to authenticate the user, etc. The HTTP request information is successfully consumed by the SPS but is never made available to the Secure Token Service (STS).

IV17421


SYMPTOM: The Tivoli Federated Identity Manager HTTP server Web Plugins do not support the latest versions of IIS or Apache/IHS on new operating systems.

IV17422


SYMPTOM: After migrating to Tivoli Federated Identity Manager 6.2.2 from a previous version, OAuth event mappings are not shown in the Event pages. Hence, customization of the template pages is not available.

IV15372


SYMPTOM: The Tivoli Federated Identity Manager Kerberos Delegation STS module does not support running in 64-bit JVMs on 64-bit versions of Windows.

Prerequisites

You must have the following software installed to install this fix pack:

  • Federated Identity Manager 6.2.2 and its prerequisites
  • IBM WebSphere Update Installer version 7.0.0.17 (see Update Installer below.)

Installation Instructions


Be aware of the following considerations before installing this fix pack:

WARNING: It is strongly suggested that you back up existing one-time password pages if you meet both of the following conditions:

  • You are currently on TFIM 6.2.2 Fix Pack 4
  • You have modified the HTML pages located in the FIM_INSTALL_DIR/pages/locale/otp directory

The 6.2.2 fix pack 7 installation overwrites the existing one-time password pages if you are upgrading from Fix Pack 4. If you want to keep using the existing one-time password pages, you must migrate them to the new format.
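As an added example (not part of the fix pack or IBM's tooling), the following script performs the backup the warning asks for: it archives the one-time password page directory into a timestamped tar.gz and then lists the archive so the copy can be verified before the fix pack is applied. The function and helper names (backup_otp_pages, list_archive, run_demo), the "locale" directory name, which is taken literally from the path written above and may need to be replaced with the actual locale directory of an installation, and the page file names in the demo fixture are all assumptions made for this example.

```python
import os
import tarfile
import tempfile
import time


def backup_otp_pages(fim_install_dir, backup_dir, locale_dir="locale"):
    """Archive FIM_INSTALL_DIR/pages/<locale_dir>/otp into backup_dir.

    'locale' is written as-is on the page; pass the real locale directory name
    of the installation if it differs. Returns (archive_path, archived_files),
    with file names relative to the otp directory, using '/' separators.
    """
    src = os.path.join(fim_install_dir, "pages", locale_dir, "otp")
    if not os.path.isdir(src):
        # Nothing to back up is a hard error: silently continuing would defeat
        # the purpose of the pre-upgrade backup.
        raise FileNotFoundError("OTP page directory not found: %s" % src)
    os.makedirs(backup_dir, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = os.path.join(backup_dir, "otp-pages-%s.tar.gz" % stamp)
    archived = []
    with tarfile.open(archive, "w:gz") as tar:
        for root, _dirs, files in os.walk(src):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src).replace(os.sep, "/")
                tar.add(full, arcname=rel)
                archived.append(rel)
    return archive, sorted(archived)


def list_archive(archive):
    """Verification step: the regular files stored in the archive, sorted."""
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(m.name for m in tar.getmembers() if m.isfile())


def run_demo():
    """Constructed fixture: a fake install tree with two customized OTP pages.

    Returns (files_reported_by_backup, files_found_in_archive) so the two can
    be compared; both lists are expected to be identical.
    """
    with tempfile.TemporaryDirectory() as tmp:
        install = os.path.join(tmp, "FIM")
        otp = os.path.join(install, "pages", "locale", "otp")
        os.makedirs(os.path.join(otp, "en"))
        # constructed page names, not the product's actual file names
        for rel in ("otp_login.html", os.path.join("en", "otp_login.html")):
            with open(os.path.join(otp, rel), "w") as fh:
                fh.write("<html>customized page</html>")
        archive, archived = backup_otp_pages(install, os.path.join(tmp, "backup"))
        return archived, list_archive(archive)


if __name__ == "__main__":
    reported, stored = run_demo()
    print("archived:", reported)
    print("verified:", stored)
```

In a real upgrade, call backup_otp_pages with the installation directory and a backup location outside FIM_INSTALL_DIR, and keep the archive until the migrated pages have been confirmed working on Fix Pack 7.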

Installation path specification for the Windows Server 2008 platform


This preinstallation item applies only to installations on a 64-bit Windows platform like Windows Server 2008.

Tivoli Federated Identity Manager is a 32-bit application. Therefore, its default path when installing on Windows Server 2008 changes from

C:\Program Files\IBM\FIM

to:

C:\Program Files (x86)\IBM\FIM

NOTE: Changing the installation path name affects a 32-bit WebSphere Application Server on Windows Server 2008.

C:\Program Files\IBM\WebSphere

changes to:

C:\Program Files (x86)\IBM\WebSphere

Runtime and management service


The runtime and management service component requires WebSphere® Application Server to be installed. The following list provides descriptions for various versions of WebSphere Application Server that are compatible with Tivoli® Federated Identity Manager, version 6.2.2.

Install one of the following versions of WebSphere Application Server:

  • Embedded WebSphere Application Server Version 6.1. No preconfiguration is required.
  • WebSphere Application Server Network Deployment Version 6.1 with a minimum level of fix pack 23.
    NOTE: If you use WebSphere Application Server fix pack 29 or fix pack 31, you must also apply the fix for the WebSphere Application Server APAR PM10357.
  • WebSphere Application Server Network Deployment Version 7.0 with fix pack 17.
  • WebSphere Application Server Network Deployment Version 8.0 with fix pack 1.

Update Installer
This fix pack requires the use of the IBM WebSphere Update Installer version 7.0.0.17 or later. Ensure that you have installed the correct version of the IBM WebSphere Update Installer on each computer where you will install the fix pack. You can download the IBM WebSphere Update Installer version 7.0.0.17 from the WebSphere Application Server Update Installer Web site. Installation instructions are on the download page.

Fix pack packaging


This Tivoli Federated Identity Manager 6.2.2-TIV-TFIM-FP0007 patch package is provided on the Tivoli Support Web site as a single downloadable zip file for each supported platform. After you select the appropriate package for the target platform, download the package and unzip the contents into a target directory. Typically, the default IBM WebSphere Update Installer directory is either of the following:

C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance

for Windows or

/opt/IBM/WebSphere/UpdateInstaller/maintenance

for Unix/Linux

Unzip the downloaded file before you apply the patch. The unzipped contents contain one or more .pak files. Each pak file corresponds to one or more product components. For example, a fix pack might contain two pak files: one for the administration console and management service and runtime components, and one for the WSSM component. The list of product components is included in Fix pack structure.

Use the IBM WebSphere Update Installer to apply the fixes of each pak file to the target component on the system that you are updating. Apply all of the pak files that your installation requires to ensure that the software levels in your environment are identical for all of the components for which a pak file is supplied. The fixes are tested against all affected components. To minimize any possible issue that can arise from applying a partial fix, ensure that you apply the complete set of files. See Installing the fix pack for specific instructions on using Update Installer to apply the fixes.

Automatic creation of a backup directory


The Update Installer saves backup copies of the files that it replaces during the installation. You do not need to manually back up the Federated Identity Manager files.

Installing the fix pack

NOTE: Before installing this fix pack, ensure that you have reviewed the prerequisites in Before installing the fix pack.


Downloading the fix pack

To obtain the fix pack:


1. Go to the IBM Tivoli Federated Identity Manager Support Web site.
2. Click Download. The fix pack (6.2.2-TIV-TFIM-FP0007) should be listed under Latest by date. If you do not see this fix pack listed, enter "6.2.2-TIV-TFIM-FP0007" in the Search field to access the link to the download window.
3. In the fix pack download window, scroll to the bottom of the window to view a listing of the download packages by platform.
4. Select the platform that corresponds to the target platform where you must apply the fixes. To ensure a secure download, you can select the DD (Download Director) option. If you have not used Download Director before, configure your browser to use Java security. Click What is DD? for configuration instructions.

Setting the WebSphere Application Server security passwords

NOTE: The information provided below is only required for instances where the WebSphere Application Server administrator credentials have been changed since Tivoli Federated Identity Manager was installed. The WebSphere Application Server administrator credentials are retained by the installer so that Federation First Steps works immediately after installation.

If security is enabled on the WebSphere Application Server where Federated Identity Manager is installed, set the appropriate password values in the fim.appservers.properties file before you can apply the fix pack.

If security is not enabled, you can skip this step.

NOTE: If you add passwords to the fim.appservers.properties file, as described below, specify the passwords using plain text. However, at the end of the fix pack installation process the passwords are obfuscated and are no longer available in plain text format.

To specify security passwords, use the following procedure:


1. Using a text editor, open the file FIM_INSTALL_DIR/etc/fim.appservers.properties.
2. If the was.security.enabled property is present in the fim.appservers.properties file and is set to true then you must add two password properties to the file:
  • the was.admin.user.pwd property with a value of the administrator login password for the WebSphere Application Server where Federated Identity Management is deployed
  • the was.truststore.pwd property with a value of the password for the trust store used for client-side SSL authentication in that WebSphere Application Server
For example,
  • was.admin.user.pwd=was_admin_pw
  • was.truststore.pwd=truststore_pw
3. If the ewas.security.enabled property is present in the fim.appservers.properties file and is set to true then you must add two password properties to the file:
  • the ewas.admin.user.pwd property with a value of the administrator login password for the Embedded WebSphere Application Server where Federated Identity Management is deployed
  • the ewas.truststore.pwd property with a value of the password for the trust store used for client-side SSL authentication in that Embedded WebSphere Application Server
For example,
  • ewas.admin.user.pwd=ewas_admin_pw
  • ewas.truststore.pwd=truststore_pw
4. Save and close the fim.appservers.properties file.

Applying the fix pack
1. Unzip the file you downloaded in Downloading the fix pack, preferably into the default maintenance directory of the IBM WebSphere Update Installer:

C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance on Windows, or

/opt/IBM/WebSphere/UpdateInstaller/maintenance on UNIX/Linux.


2. Ensure that the WebSphere Application Server that hosts the Federated Identity Manager runtime and management service component is running.
3. Ensure that the WebSphere Application Server that hosts the Federated Identity Manager console component is running.
4. Start the appropriate IBM WebSphere Update Installer (typically located in C:\Program Files\IBM\WebSphere\UpdateInstaller on Windows systems, or in /opt/IBM/WebSphere/UpdateInstaller on UNIX-based systems).
5. In the Welcome window click Next. Federated Identity Manager is not listed, but is supported.
6. Specify the path to the installation directory for Federated Identity Manager (typically C:\Program Files\IBM\FIM on Windows systems, or /opt/IBM/FIM on UNIX-based systems), then click Next.
7. Select Install maintenance in the dialog.
8. Specify the path where the fix pack (.pak) files were unzipped. The Update Installer automatically detects, enables, and displays the FIM fixes (pak files).
9. Determine which product components are installed on the system that you are updating. Install only the pak files that correspond to the components on the target system. To determine the names and version levels of the product components installed on the target system, view the contents of the FIM_INSTALL_DIR/etc/version.properties file with a text editor. The following list describes how to interpret the properties in the version.properties file:

itfim.build.version.rte-mgmtsvcs=version
Specifies that the management service and runtime component is installed at the level specified by version.

itfim.build.version.mgmtcon=version
Specifies that the administration console component is installed at the level specified by version.

itfim.build.version.wsprov=version
Specifies that the WS-provisioning runtime component is installed at the level specified by version.

itfim.build.version.wssm=version
Specifies that the Web services security management (WSSM) component is installed at the level specified by version.

itfim.build.version.fimpi=version
Specifies that the Web plug-in (either the Internet Information Services (IIS) Web plug-in or the Apache/IBM HTTP Server Web plug-in) is installed at the level specified by version.

Apply the fix packs to the product's components in the following order:


1. Management service and runtime and administration console
2. Other components

NOTE: If a domain has not been created before the Tivoli Federated Identity Manager fix pack is applied, the fix pack installation completes successfully but reports a "Partially Successful" message.


10. Compare the list of installed components to the list of pak files in the IBM WebSphere Update Installer and select the pak files that correspond to the installed components, then click Next.

NOTE: The IBM WebSphere Update Installer allows you to select more than one pak file at a time for execution. Select only the pak files that correspond to the components that are installed on the system you are updating. If you accidentally install more pak files than needed, you can separately uninstall any fix packs for components that are not installed on the target system.


11. If needed (for example, if you need to install multiple pak files on the target system, and you only installed one pak file), repeat the previous step to install any additional pak files on the target system.

NOTE: If you are using the Kerberos Delegation STS module, you need to do the following to ensure the Kerberos Delegation DLL is not loaded in the Java Virtual Machine when it is replaced during runtime component deployment:


1. Restart all the runtime nodes.
2. Do not make any requests to the STS chain that invokes the Kerberos Delegation STS module.
3. Deploy the runtime component. See Deploying the fix pack runtime component for details.
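The two property files that the procedure above relies on, fim.appservers.properties (Setting the WebSphere Application Server security passwords) and version.properties (step 9 of Applying the fix pack), can be checked before the Update Installer is started. The following pre-flight script is an added example, not IBM's code; it reports which password properties are still missing when security is enabled and which installed components are not yet at 6.2.2.7, in the order the readme says to apply them. The sample file contents are constructed.

```python
# Added pre-flight check for the two .properties files the procedure above uses:
# fim.appservers.properties (password step) and version.properties (step 9).
# Not IBM's code; the sample file contents at the bottom are constructed.
# Key suffix in version.properties -> component, as listed in step 9.
COMPONENTS = {"rte-mgmtsvcs": "management service and runtime",
              "mgmtcon": "administration console", "wsprov": "WS-provisioning runtime",
              "wssm": "Web services security management (WSSM)",
              "fimpi": "Web plug-in (IIS or Apache/IBM HTTP Server)"}
FIRST = ("rte-mgmtsvcs", "mgmtcon")  # readme: apply these before the other components

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if seps:  # the first '=' or ':' separates key and value
            props[line[:min(seps)].strip()] = line[min(seps) + 1:].strip()
    return props

def missing_passwords(appservers_text):
    """Password properties required when <prefix>.security.enabled=true but absent or empty."""
    props = parse_properties(appservers_text)
    missing = []
    for p in ("was", "ewas"):
        if props.get(f"{p}.security.enabled", "").lower() == "true":
            missing += [k for k in (f"{p}.admin.user.pwd", f"{p}.truststore.pwd")
                        if not props.get(k)]
    return missing

def install_order(version_text, target="6.2.2.7"):
    """Installed components not yet at `target`, in the order the readme says to apply them."""
    pre = "itfim.build.version."
    outdated = [k[len(pre):] for k, v in parse_properties(version_text).items()
                if k.startswith(pre) and k[len(pre):] in COMPONENTS and v != target]
    return [c for c in FIRST if c in outdated] + [c for c in outdated if c not in FIRST]

# Constructed samples: security enabled but trust store password not yet added; console
# and runtime still at an earlier level, Web plug-in already current.
SAMPLE_APPSERVERS = "was.security.enabled=true\nwas.admin.user.pwd=was_admin_pw\n"
SAMPLE_VERSION = ("itfim.build.version.mgmtcon=6.2.2.5\n"
                  "itfim.build.version.rte-mgmtsvcs=6.2.2.5\n"
                  "itfim.build.version.fimpi=6.2.2.7\n")

if __name__ == "__main__":
    print("add to fim.appservers.properties:", missing_passwords(SAMPLE_APPSERVERS))
    print("apply pak files for:", [COMPONENTS[c] for c in install_order(SAMPLE_VERSION)])
```

Point the two functions at the real FIM_INSTALL_DIR/etc files to run the same checks against an installation.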

Deploying the fix pack runtime component

After you install the fix pack, redeploy the Tivoli Federated Identity Manager runtime. This task is identical to the deployment task you completed after the initial installation of the management service and runtime components. In a WebSphere cluster environment, you must ensure that the new runtime component is deployed to each WebSphere node.

The initial deployment steps are described in Creating and deploying a new domain in the Configuring Guide. The specific instructions for deploying the runtime begin in step 16.

NOTES:

  • You do not have to re-configure the runtime into Tivoli Access Manager. The Tivoli Access Manager configuration is retained when the fix pack is applied.
  • During redeployment of the runtime in a cluster environment, you might receive errors, such as, "ClassNotFoundException" in the WebSphere SystemOut.log files. Any such errors should stop after you restart the cluster.

Use the following procedure to deploy the updated Federated Identity Manager runtime:
1. Log in to the Integrated Solutions Console.
2. Select Domain Management-> Runtime Node Management.
3. Ensure that the new runtime (version 6.2.2.7) is displayed as available.
4. Click Deploy Runtime.
5. Wait for the deployment to finish by selecting Click to refresh runtime deployment status and check for completion...
6. If the domain was not created before application of Tivoli Federated Identity Manager fix pack, click Publish Plug-ins.
7. Verify that the currently deployed version is now 6.2.2.7 as follows:
  1. Navigate to the Runtime Node Management window.
  2. Look in the Runtime Management section of the Runtime Nodes portlet in the right panel and review the runtime information.

Example:

Runtime Information
----------------------------------------------
Current deployed version 6.2.2.7 [130613a]

NOTE: The number within the brackets [130613a] might be different from this example.


8. Repeat the previous step for each node in a WebSphere cluster environment.
9. Restart the WebSphere Application Server where the Tivoli Federated Identity Manager management service is installed.

Publish the fix pack plug-ins to the runtime and reload the configuration

After you install the fix pack and redeploy the Tivoli Federated Identity Manager runtime you must re-publish the plug-ins to the runtime and reload the configuration.

Use the following procedure to re-publish the plug-ins:


1. Log in to the administration console.
2. Select Domain Management -> Runtime Node Management.
3. Click Publish Plugins.
4. After the plug-ins are published, reload the runtime configuration.

README: 6.2.2-TIV-TFIM-FP0007.README.html (English, 200465 bytes): http://www.ibm.com/support/fixcentral/quickorder?product=ibm/Tivoli/IBM+Tivoli+Federated+Identity+Manager&release=All&platform=All&function=fixId&fixids=6.2.2-TIV-TFIM-FP0007&includeSupersedes=0

Download Package

The following packages were released on 01 Jul 2013 (English, 278890495 bytes each) and are available from Fix Central at http://www.ibm.com/support/fixcentral/quickorder?product=ibm/Tivoli/IBM+Tivoli+Federated+Identity+Manager&release=All&platform=All&function=fixId&fixids=6.2.2-TIV-TFIM-FP0007&includeSupersedes=0

  • 6.2.2-TIV-TFIM-FP0007-AIX (AIX)
  • 6.2.2-TIV-TFIM-FP0007-Linux (Linux)
  • 6.2.2-TIV-TFIM-FP0007-Solaris (Solaris)
  • 6.2.2-TIV-TFIM-FP0007-Windows (Windows)
  • 6.2.2-TIV-TFIM-FP0007-HPUX (HP-UX)

Problems (APARS) fixed
IV37665;IV37666;IV37668;IV37674;IV37305;IV37675;IV37680;IV36139;IV37707;IV36145;IV36140;IV36136;IV36153;IV21908;IV21963;IV21960;IV19945;IV17419;IV19827;IV19593;IV19846;IV19850;IV16979;IV18104;IV16948;IV18112;IV16977;IV16994;IV17595;IV17871;IV17875;IV17870;IV17609;IV17409;IV17413;IV17403;IV17412;IV17180;IV17411;IV17485;IV17421;IV17422;IV15372;IV23423;IV23435;IV23451;IV31640;IV26049;IV31657;IV31658;IV31660;IV31661;IV31641;IV27198;IV21668;IV33064;IV32867;IV32874;IV32875;IV32904;IV32936;IV32937;IV44424;IV44425;IV44426;IV44484;IV44470;IV44403;IV44405;IV44410;IV44411;IV44412;IV43149

Document Information

Modified date:
15 June 2018

UID

swg24035214