Tivoli Fed Id Mgr Business Gateway v6.2.0, Fix Pack 9, 6.2.0-TIV-TFIMBG-FP0009
This is a cumulative Fix Pack (FP) for a variety of problems in the components that compose the TFIMBG 6.2.0 product. It upgrades a TFIMBG 6.2.0 installation to TFIMBG 184.108.40.206.
This cumulative fix pack corrects problems in IBM Tivoli Federated Identity Manager Business Gateway (Federated Identity Manager Business Gateway), Version 6.2.0. It requires that Federated Identity Manager Business Gateway, Version 6.2.0, be installed. After installing this fix pack, your Federated Identity Manager Business Gateway installation will be at level 220.127.116.11.
Potential cross-site scripting vulnerability via macros in event page template files
Some IBM Tivoli Federated Identity Manager page macros might be vulnerable to cross-site scripting attacks when their values are not properly encoded. Contact IBM Support for the list of macros that might be subject to this issue. To remediate this, add the macros provided by IBM Support to the list of comma-separated tokens in the runtime custom property SPS.PageFactory.HtmlEscapedTokens. Add these macros so that their values are HTML-escaped in the template files. For example, if the list of macros provided is:
the value of the runtime custom property SPS.PageFactory.HtmlEscapedTokens with the above macros added can be:
NOTE: Other macros that are prone to cross-site scripting vulnerability can also be added to SPS.PageFactory.HtmlEscapedTokens. The value of this runtime custom property will be revised periodically and updated as needed. For more information regarding the runtime custom property, access http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.tivoli.fim.doc_6.2.0%2Freference%2FCustomPropsSPS.html.
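The following is an added illustration of what the SPS.PageFactory.HtmlEscapedTokens property does; it is example code written for this README, not IBM's PageFactory implementation. It assumes macros have the form @NAME@ and uses placeholder macro names rather than the list IBM Support provides.

```python
import html
import re

# Constructed value for the runtime custom property described in the README,
# in its comma-separated form. The macro names below are placeholders chosen
# for this example, not the list that IBM Support provides.
HTML_ESCAPED_TOKENS = "@ERROR_MESSAGE@,@USERNAME@"

# Assumption: page-template macros have the form @NAME@.
MACRO_RE = re.compile(r"@[A-Z0-9_]+@")


def parse_escaped_tokens(prop_value):
    """Split the SPS.PageFactory.HtmlEscapedTokens value into a set of macro names."""
    return {tok.strip() for tok in prop_value.split(",") if tok.strip()}


def render_template(template, values, escaped_tokens):
    """Substitute macro values into a template.

    Macros listed in escaped_tokens are HTML-escaped before insertion, so any
    markup in their value is shown as text; all other macros are inserted raw,
    which is the exposure the README's property exists to close.
    """
    def substitute(match):
        macro = match.group(0)
        if macro not in values:
            return macro          # unknown macro is left untouched (assumption)
        value = values[macro]
        if macro in escaped_tokens:
            return html.escape(value, quote=True)
        return value
    return MACRO_RE.sub(substitute, template)


def unescaped_macros(template, escaped_tokens):
    """Return the macros a template uses that are not in the escaped list.

    A non-empty result means values for those macros reach the browser
    unescaped; review them for addition to the property.
    """
    return sorted(set(MACRO_RE.findall(template)) - set(escaped_tokens))


if __name__ == "__main__":
    # Constructed event page template and macro values.
    template = "<p>Error: @ERROR_MESSAGE@</p><p>User: @USERNAME@</p><p>@REQ_ADDR@</p>"
    values = {
        "@ERROR_MESSAGE@": 'Bad <b>input</b> "quoted"',
        "@USERNAME@": "alice",
        "@REQ_ADDR@": "192.0.2.10",
    }
    escaped = parse_escaped_tokens(HTML_ESCAPED_TOKENS)
    print(render_template(template, values, set()))      # raw: markup is interpreted
    print(render_template(template, values, escaped))    # escaped: markup shown as text
    print(unescaped_macros(template, escaped))           # ['@REQ_ADDR@']
```

Running the script with a template that uses a macro outside the list shows that macro in the audit output, which is the review a practitioner would do against each event page template.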
Possible security exposure with IBM WebSphere Application Server with WS-Security enabled applications using LTPA tokens (CVE-2011-1377)
The security that the IBM WebSphere Application Server provides might be weaker than expected when using web services security (WS-Security). A user might randomly gain elevated privileges on the provider system. WS-Security might assign the identity of a previously processed LTPA token to a new inbound LTPA token after authentication. This impacts applications using either JAX-WS or JAX-RPC.
- IBM WebSphere Application Server, all platforms, Versions 8.0 through 18.104.22.168, 7.0 through 22.214.171.124, and 6.1 through 126.96.36.199, 6.0.2 through 188.8.131.52.
- IBM WebSphere Application Server Feature Pack for Web Services Versions 184.108.40.206 through 220.127.116.11.
The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the fix, access http://www.ibm.com/support/docview.wss?uid=swg21587536
Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed fix installation instructions.
Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476)
This Security Alert addresses a serious security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability may cause the Java Runtime Environment to go into a hang, infinite loop, and/or crash resulting in a denial of service exposure. This same hang may occur if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program using the Double.parseDouble method is also at risk of this exposure including any customer written application or 3rd party written application.
The following products contain affected versions of the Java Runtime Environment:
- IBM WebSphere Application Server Versions 7.0 through 18.104.22.168 for Distributed, i5/OS and z/OS operating systems.
- IBM WebSphere Application Server Versions 6.1 through 22.214.171.124 for Distributed, i5/OS and z/OS operating systems.
- IBM WebSphere Application Server Versions 6.0 through 126.96.36.199 for Distributed, i5/OS and z/OS operating systems.
The same iFix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the iFix access http://www-01.ibm.com/support/docview.wss?uid=swg21462019
You must use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI is not previously installed, download the WUI from http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer access here.
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.
JAVA.LANG.RUNTIMEEXCEPTION: SRV.8.2: REQUESTWRAPPER OBJECTS MUST EXTEND SERVLETREQUESTWRAPPER OR HTTPSERVLETREQUESTWRAPPER (PM10357)
This APAR PM10357 is reported for WebSphere Application Server (WAS) v6.1. As a result of this APAR, operations in the IBM Tivoli Federated Identity Manager Management Console can fail with the following exception observed in the log if the Management Console is deployed on an affected version of WAS v6.1:
java.lang.RuntimeException: SRV.8.2: RequestWrapper objects must extend ServletRequestWrapper or HttpServletRequestWrapper
Examples of operations that can fail include:
- Importing a keystore file
- Loading a mapping rule
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.
The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager.
The IBM WebSphere Update Installer (WUI) must be used to apply the fix. If the WUI has not previously been installed, download the WUI from http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer access here.
Fix pack contents and distribution
This fix pack package contains:
- The fix pack zip file
- This README.
This fix pack is distributed as an electronic download from the IBM Support Web Site.
This fix pack package supports the same operating system releases that are listed in the Hardware and software requirements topic for the Federated Identity Manager Business Gateway Version 6.2.0.
ATTENTION: In April 2009, FP0002 added support for WebSphere Application Server Release 7.0 Fix Pack 3 (release date March 27, 2009)
ATTENTION: In May 2009, FP0002 added support for Windows 2003 Server x86-64.
ATTENTION: In July 2009, FP0002 added support for Oracle 10g.
ATTENTION: In September 2009, FP0002 added support for Suse Linux Enterprise Server 11 (SLES 11) x86, x86-64, zSeries, pSeries. Note: Defect 91189, Webseal not configuring on SLES 11
ATTENTION: In November 2009, FP0003 added support for Internet Explorer 8 (IE8).
ATTENTION: In November 2009, FP0003 added support for Windows 2008 R2 Server (x86-64). Note: 90900: GUI not thrown on GUI install for WIN2K8 R2, Workaround: -console mode is required on Windows 2008 R2 (e.g., on linux ./install_linux_x86.bin -console)
ATTENTION: In December 2009, FP0003 added support for Mozilla FireFox 3.5.
ATTENTION: In March 2010, FP0002 added support for z/OS 1.11 System z.
ATTENTION: In December 2010, FP0008 added support for Red Hat Enterprise Linux (RHEL) 5.0 Advanced Platform x86, Red Hat Enterprise Linux (RHEL) 5.0 Advanced Platform x86-64, SUSE Linux Enterprise Server (SLES) 10.0 x86, SUSE Linux Enterprise Server (SLES) 10.0 x86-64, SUSE Linux Enterprise Server (SLES) 11.0 x86, SUSE Linux Enterprise Server (SLES) 11.0 x86-64, Windows Server 2008 Enterprise Edition x86, Windows Server 2008 Enterprise Edition x86-64, Windows Server 2008 Standard Edition x86, Windows Server 2008 Standard Edition x86-64 and Windows Server 2008 R2 Enterprise Edition x86-64 on VMware ESX 4.0.
ATTENTION: In December 2010, FP0008 added support for Red Hat Enterprise Linux (RHEL) 5.0 Advanced Platform x86, Red Hat Enterprise Linux (RHEL) 5.0 Advanced Platform x86-64, SUSE Linux Enterprise Server (SLES) 10.0 x86, SUSE Linux Enterprise Server (SLES) 10.0 x86-64, SUSE Linux Enterprise Server (SLES) 11.0 x86, SUSE Linux Enterprise Server (SLES) 11.0 x86-64, Windows Server 2008 Enterprise Edition x86, Windows Server 2008 Enterprise Edition x86-64, Windows Server 2008 Standard Edition x86, Windows Server 2008 Standard Edition x86-64 and Windows Server 2008 R2 Enterprise Edition x86-64 on Red Hat Enterprise Virtualization Hypervisor (RHEV-H) / KVM 5.4.
ATTENTION: In December 2010, FP0008 added support for AIX 6.1 on IBM Power7 PowerVM Hypervisor. Support for POWER 7 is dependent on the upgrade to ITDS 6.1 Fixpack 5.
ATTENTION: In December 2010, FP0008 added support for Red Hat Enterprise Linux (RHEL) 4.0 AS/ES System z, Red Hat Enterprise Linux (RHEL) 5.0 Advanced Platform System z, SUSE Linux Enterprise Server (SLES) 10.0 System z, SUSE Linux Enterprise Server (SLES) 11.0 System z, z/OS 1.10 and z/OS 1.11 on IBM z/VM Hypervisor 6.1.
ATTENTION: In December 2010, FP0008 added support for Red Hat Enterprise Linux (RHEL) 4.0 AS/ES System z, Red Hat Enterprise Linux (RHEL) 5.0 Advanced Platform System z, SUSE Linux Enterprise Server (SLES) 10.0 System z, SUSE Linux Enterprise Server (SLES) 11.0 System z, z/OS 1.10 and z/OS 1.11 on IBM PR/SM z10.
ATTENTION: In December 2010, FP0008 added support for IBM Tivoli Directory Server 6.2.
ATTENTION: In December 2010, FP0008 added support for Oracle Database 11g Enterprise Edition Release 1.
ATTENTION: In December 2010, FP0008 added support for Oracle Database 11g Enterprise Edition Release 2.
ATTENTION: In March 2011, FP0008 added support for LPAR AIX 7.1. Note: WPAR is not supported for any supported version of AIX.
Fix packs superseded by this fix pack
Federated Identity Manager Business Gateway consists of the following components that can be installed separately:
- Administration console
- Management service and runtime component
- Internet information services (IIS) Web plug-in
- Apache/IBM HTTP Server Web plug-in
- IBM Support Assistant plugin
This fix pack applies only to the administration console and management service and runtime components (first two components listed above). These two components must be at the same level. Therefore, if you install a fix pack for either the administration console component or the management service and runtime component, you must install the corresponding fix pack for the other of these two components. If the administration console and management service and runtime components are not at the same fix pack level, they are not guaranteed to interoperate with each other as designed.
APARs and defects fixed
Problems fixed by fix pack 6.2.0-TIV-TFIMBG-FP0009
The following problems are corrected by this fix pack. For more information about the APARs listed here, refer to the Federated Identity Manager Business Gateway support site.
SYMPTOM: ClassCastException is thrown when adding a SAML 2.0 Identity Provider as a partner. This problem happens when the metadata of the Identity Provider contains SAML attributes.
SYMPTOM: LTPA Token Module is not calculating the expiration date correctly. When a token is renewed, the expiration date is added to the userdata structure expiration array. The new expiration date is the last item added to the array. Tivoli Federated Identity Manager was incorrectly taking the first item on the array.
SYMPTOM: ClassCastException is thrown when configuring LDAP alias service using the IBM Tivoli Federated Identity Manager Command Line. This problem happens if at least one LDAP server exists in the system.
SYMPTOM: WEBSPHERE APPLICATION SERVER POC CREATE WAS SECURITY CONTEXT WITH INSUFFICIENT UNIQUE ID.
SYMPTOM: In some SAML error circumstances, Tivoli Federated Identity Manager returns a NullPointerException when attempting to display an error page or return a SAML error to an artifact retrieval request.
SYMPTOM: Empty-valued attributes in an STSUniversalUser XML document are not preserved by the Java implementation when converting from XML to Java and back to XML.
SYMPTOM: The value of the attribute "IsDefault" of all assertion consumer services of the SAML 2.0 Service Provider partner is changed to "true" after clicking the button "OK" or "Apply" in the Partner Properties page in the IBM Tivoli Federated Identity Manager Console.
SYMPTOM: SAML 2.0 STS Module fails to validate the subject confirmation method correctly when the assertion is received as part of the SAML 2.0 Single Sign On operation. The specification requires that an assertion that is generated as part of a Single Sign On flow should at least include one of the subject confirmation methods of value urn:oasis:names:tc:SAML:2.0:cm:bearer.
SYMPTOM: SAML 2.0 SPS Module is setting the Destination attribute on the LogoutResponse message when the request is received through SOAP binding at the Identity Provider and there is more than one Service Provider session that was authenticated based on the Identity Provider session. The Destination field might have the URL of an incorrect partner that is not the one that sent the LogoutRequest.
SYMPTOM: The Tivoli Federated Identity Manager LTPA STS module support code is not thread safe. The code uses a static instance of a JDK class that is not thread safe, causing undetermined results while verifying or generating the LTPA token signature on environments with a high volume of transactions.
SYMPTOM: KERBEROS STS MODULE TO ENFORCE TOKEN ONE TIME USE.
SYMPTOM: Security update for the Tivoli Federated Identity Manager Management Console.
SYMPTOM: ClassCastException is thrown when adding and modifying LDAP host using the IBM Tivoli Federated Identity Manager Command Line. This problem happens if the parameter "hostPort" is not 389, or the parameter "minConnections" is not 2, or the parameter "maxConnections" is not 10.
SYMPTOM: The SAML specification allows the Identity Provider not to include an issuer value on the SAMLResponse as long as the assertion includes the value. The Tivoli Federated Identity Manager SAML module was expecting the issuer on the SAML Response to always be included. This expectation was causing a NullPointerException when the value was not included.
SYMPTOM: Opening a Tivoli Federated Identity Manager page or portlet from WebSphere Application Server (WAS) ISC causes a JNDI exception of the type NameNotFoundException to be logged in the WAS server log.
SYMPTOM: Tivoli Federated Identity Manager generates a NullPointerException when the SAMLResponse received from the Identity Provider does not include an Issuer value, even though the Issuer value is included in the assertion.
SYMPTOM: Duplicate STS chain mappings are created when adding a SAML 2.0 Service Provider as a partner. This problem happens if the metadata of the Service Provider contains at least three distinct assertion consumer services with at least three distinct URLs.
SYMPTOM: Ability for IVCRED STS Module to return error (default) or map to special user account for unauthenticated user token.
SYMPTOM: The SAML 2.0 SPS module invokes the alias service during a Single Logout operation on the Service Provider side although the email name ID format is used to single sign on the user. While the Single Logout Operation is successful, an error is included on the logs although the alias operation is not required.
SYMPTOM: Mapping from single logout URL to protocol is deleted from the configuration file after clicking the button "OK" or "Apply" in the Federation Properties page in TFIM Console. This problem happens if the single logout bindings that are enabled are only HTTP-Redirect and SOAP. The missing mapping causes single logout operation to fail.
SYMPTOM: CommandException is thrown when exporting a key from a keystore using IBM Tivoli Federated Identity Manager Command Line. This problem happens if the parameter "exportPrivateKey" is specified with no value or with value "true".
SYMPTOM: ChainableRuntimeException is thrown when exporting a key from a keystore using the IBM Tivoli Federated Identity Manager Console. This problem happens if the IBM Tivoli Federated Identity Manager is deployed in certain WebSphere Application Server versions (e.g., WebSphere Application Server 7 Fix Pack 11).
SYMPTOM: Security update for the Tivoli Federated Identity Manager Management Console.
SYMPTOM: Security update for the Tivoli Federated Identity Manager Runtime.
Problems fixed by fix pack 6.2.0-TIV-TFIMBG-FP0008
SYMPTOM: For a WS-Trust v1.3 request, FIM Security Token Service returns a response with multiple status codes, some of which contain WS-Trust v1.2 URI values.
SYMPTOM: Tivoli Federated Identity Manager CLI Commands are not registered properly on WebSphere Application Server 7.0.
SYMPTOM: A valid WS-Trust 1.3 request fails if it includes an empty Issuer address value and the matching trust chain uses a wild card for Issuer value (e.g. with Issuer Address = *).
SYMPTOM: The username is URL decoded twice when reading the user header from WebSEAL or a generic point-of-contact.
SYMPTOM: Exception occurs when using only.alias key selection criteria and the same key appears under multiple aliases.
SYMPTOM: The Tivoli Federated Identity Manager artifact lookup routine can consume threads if the artifact received is not in the cache.
SYMPTOM: Using the Tivoli Federated Identity Manager ISC console it is possible to remove a default mapping rule after the federation has been created.
SYMPTOM: The Tivoli Federated Identity Manager SAML 2.0 SPS module throws a NullPointerException if an issuer value is not included on the SAML Response message.
SYMPTOM: When starting Tivoli Federated Identity Manager the runtime nodes report exceptions while connecting to the config repository.
SYMPTOM: The fimivt application incorrectly relies on the provider id of the Service Provider to build the TARGET url for Single Sign On.
SYMPTOM: Tivoli Federated Identity Manager 6.2.0 will always sign the outgoing SAML response and SAML assertion when the HTTP/SOAP binding is used.
SYMPTOM: The Tivoli Federated Identity Manager SAML 2.0 SPS Module does not create a session when the SAML AuthnRequest is received over the SOAP endpoint.
SYMPTOM: The ITFIM console metadata support fails to validate that mandatory endpoints are included. The SPSSODescriptor requires at least one AssertionConsumerService endpoint and the IDPSSODescriptor requires at least one SingleSignOnService url.
SYMPTOM: The ITFIM console partner properties page for a SAML 2.0 partner does not allow the user to modify the signature validation settings once set to typical or all signature settings.
SYMPTOM: The ITFIM Alias Service fails to provide enough information to differentiate between a fatal error reading aliases and the typical alias not found return.
SYMPTOM: ITFIM fails to send back a SOAP fault when a AuthnRequest with an invalid Issuer is received through the SOAP binding.
SYMPTOM: The Tivoli Federated Identity Manager SAML SSO Module should add appropriate information on the SAMLResponse message to allow exploiters to debug the reasons for artifact resolution failures.
SYMPTOM: STS service does not start when an illegal regular expression is provided for the "applies to", "issuer" or "token type" field of the STS chain mapping.
SYMPTOM: Unable to validate SAML2.0 tokens generated through WSSM.
SYMPTOM: LTPA XML security token issued by the STS has incorrect namespace.
SYMPTOM: TAM authorization module does not work with federation scenario. The TAM authorization module should be able to consume TAM credential bytes from the STSUU or from the current STS response object in the case where an IVCred module has run in issue mode prior to the TAM Authorization module.
SYMPTOM: Custom authorization tokens with attributes added by TAI are not processed by Tivoli Federated Identity Manager when creating a local token for TFIM with WebSphere point of contact.
SYMPTOM: When Chinese language page templates contain RPT / eRPT macro blocks and any text within those blocks contains DBCS characters, the RPT block is not filled in correctly when Tivoli Federated Identity Manager returns the page template.
SYMPTOM: If a Service Provider sends an SSO request containing the requested NameIDFormat of urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified the IDP implementation treats this as a persistent name identifier even if the DefaultNameIDFormat parameter for the partner or federation is set to a different name id format.
SYMPTOM: Migration fails for federations containing custom modules.
SYMPTOM: The LTPA token validation only looks on the current Element for a prefix definition.
SYMPTOM: The Tivoli Federated Identity Manager Liberty SPS Module fails to serialize objects on the distribute cache.
SYMPTOM: The SAML 2.0 SPS module fails to apply the appropriate signature policy when the AuthnRequest is received using the artifact binding.
SYMPTOM: Wrong Target URL received at the Service Provider when doing an Identity Provider initiated Single Sign On using the Artifact Binding.
SYMPTOM: The Identity Provider behind a WebSphere point of contact throws a NullPointerException upon receiving a Single Logout Request from a service provider behind WebSEAL.
SYMPTOM: Tivoli Federated Identity Manager generated nonce value might have invalid characters in some situations.
SYMPTOM: The Tivoli Federated Identity Manager SAML 2.0 SSO Module does not include enough error information on the response message to allow exploiters to debug the reasons for artifact resolution failures.
SYMPTOM: Key alias not used to select key for XML signature and validation.
SYMPTOM: The ITFIM SAML 2.0 STS module is not honoring the default name id format parameter setting.
SYMPTOM: The ITFIM SAML 2.0 SPS module requires assertion signature even when the enclosing document is signed.
SYMPTOM: The SAML 2.0 SPS module signs the assertion in instances where the signature policy indicates that the assertion should not be signed.
SYMPTOM: The ITFIM SAML 2.0 STS module fails to validate a SAML 2.0 Assertion containing the NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
SYMPTOM: Recipient checking is not performed correctly by the SAML browser post support.
SYMPTOM: Invalid URL encoding of the RelayState parameter being performed by the SAML 2.0 SPS module.
SYMPTOM: The LTPA STS module sends an incorrect message when the token being validated is expired. The inserts on the message are in reverse order, such that the expiration date is displayed where the current date field should be.
SYMPTOM: Signed XML strings may be incorrectly encoded if the default file encoding for the operating system platform is not UTF-8 (e.g. Windows or AIX).
Problems fixed by fix pack 6.2.0-TIV-TFIMBG-FP0003
SYMPTOM: JDBC alias service is case sensitive for username.
SYMPTOM: Tivoli Federated Identity Manager IDP displays blank page when initiating solicited SSO for a second time.
SYMPTOM: The solution was to pass the relay state to the url so the customers can use the capability to override the target url using the credential attribute we already support.
SYMPTOM: When sending a Kerberos token to the Security Token Service the following error gets returned.
SYMPTOM: When upgrading an expired validation and encryption certificate, the keystore "view keys" page shows the certificate as expired.
SYMPTOM: The Where Are You From (WAYF) Cookie lifetime needs to be configurable through the gui.
SYMPTOM: Passticket module incorrect logging verbosity.
SYMPTOM: When using samlsso and adding a target url with query string the parameters are lost and do not make it to the Service Provider.
SYMPTOM: SOAP faults are returned for WS-Trust validates request types.
SYMPTOM: A NullPointerException displays in the browser upon a sign-on transaction attempt, if a runtime node is not configured.
SYMPTOM: An incorrect ByteArrayOutputStream class that is not supported on all platforms was used.
SYMPTOM: Tivoli Federated Identity Manager fails to enforce signature policy properly for assertion.
SYMPTOM: The Artifact service fails to include the exception on the SOAP Fault under the following circumstances:
- when calling the artifact service and passing in an assertion to get back an artifact, and
- if a custom module encounters an error and generates an exception stack trace that includes some special characters.
SYMPTOM: SAML 2.0 Configuration objects did not implement the Serializable interface.
SYMPTOM: The Management Console fixpack installation appears to complete successfully but the console does not operate correctly.
SYMPTOM: UPDATING THE PARTNER THROUGH PROPERTIES PAGE CORRUPTS THE CONFIG.
SYMPTOM: Tivoli Federated Identity Manager fails to split url properly if "sps" is in the hostname.
SYMPTOM: After unlinking account, under some circumstances the Alias entry will not be removed.
SYMPTOM: Tivoli Federated Identity Manager supported Oracle database for the TFIM alias service, but attempts to use Oracle displayed errors.
SYMPTOM: Federation stops at wssoi screen.
SYMPTOM: Authorization decision query returning invalid decision query.
SYMPTOM: SAML1.X module does not validate recipient value on response.
SYMPTOM: WS-TRUST 1.2 RequestSecurityTokenResponse message is different than Tivoli Federated Identity Manager 6.0.0 response message.
SYMPTOM: When Tivoli Federated Identity Manager returns HTTP Cookies to the browser none of the secure bits are set.
SYMPTOM: ManageNameID defederate to a Service Provider where the alias does not exist.
SYMPTOM: SAML 2.0 IDP incorrectly processes the unspecified NameID format and always treats unspecified as a persistent ID.
SYMPTOM: SOAP Client fails to initialize if using trust store with password.
SYMPTOM: POST MESSAGE TO RETURN_TO URL SHOULD USE QUERY STRING IF POSSIBLE.
SYMPTOM: Form Post parameters should always be HTML encoded.
SYMPTOM: INTERNAL APAR FOR TIVOLI FEDERATED IDENTITY MANAGER 620 BUILD UPDATES
SYMPTOM: INTERNAL APAR FOR TIVOLI FEDERATED IDENTITY MANAGER 620 POINT OF CONTACT UPDATES
SYMPTOM: Internal APAR for SAML conformance updates
SYMPTOM: The Event Handler extension point does not have access to event trail id.
SYMPTOM: tfimcfg tool does not work correctly in a multi-TAM domain.
SYMPTOM: SAML 2.0 Service Provider cannot validate SSL certificate on a list of trusted signers.
Problems fixed by fix pack 6.2.0-TIV-TFIMBG-FP0002
SYMPTOM: IDP source validation cannot be done because the SAML 1.x browser-artifact does not contain the IDP source. Relying parties must be able to check in the mapping rule that the Issuer contained in an assertion comes from the expected IDP partner. Without this capability, rogue IDPs can spoof other IDPs' assertion issuers.
SYMPTOM: A NullPointerException occurs when the SAML 2.0 Response does not contain an issuer.
SYMPTOM: Tivoli Federated Identity Manager prompts "invalid_message_timestamp" when it receives an AuthnRequest with a SAML 2.0 IssueInstant with the date time format of "2008-07-01T13:30:50.830773Z".
SYMPTOM: Calls to IDMappingExtUtils.AddAliasForUser (which is typically made from a mapping rule) appear to succeed for non-existent users when they actually do not succeed. No alias is added. This problem is only applicable on systems with the Tivoli Federated Identity Manager Alias service set to LDAP using TAM.
SYMPTOM: When running Tivoli Federated Identity Manager using WebSphere Application Server as the Point of Contact at the Service Provider and WebSEAL at the IDP, you will get a NullPointerException when logout is invoked from the Service Provider after a successful single sign-on.
SYMPTOM: Routine build maintenance.
Problems fixed by fix pack 6.2.0-TIV-TFIMBG-FP0001
SYMPTOM: SAML 2.0 sessions expire immediately if the Amount of time the assertion is valid property is set to 4294080 seconds or greater (49.7 days or greater).
SYMPTOM: A failure could occur while performing a SAML 2.0 single logout with the Service Provider, if the assistant name identifier was configured for the federation. The reported error was FBTSML219E.
SYMPTOM: The underlying secure protocol of an HTTPS connection created by Federated Identity Manager Business Gateway is hard-coded to be SSL.
SYMPTOM: A timestamp is embedded within a passticket, but the time value interval is only granular to a full second.
SYMPTOM: An error could occur when attempting to run the tfimcfg tool in a Sun Solaris(TM) environment. The error was seen after the WebSEAL hostname was provided. The reported error stated that HTTPS is not a recognized protocol.
SYMPTOM: A performance degradation problem could occur when a federated single sign-on is attempted using LDAP registries containing millions of federated users. Depending on system and network conditions, a single sign-on operation could fail due to timeouts. The associated error reported a bad subtree search in LDAP.
SYMPTOM: Issued LTPA v2 tokens were rejected by WebSphere Application Server versions 6.0.2 and 6.1.
SYMPTOM: Logging and tracing could not be set for identity mapping from within an XSLT rule.
SYMPTOM: An XSLT identity mapping failure occurred when using the alias server with JDBC.
SYMPTOM: The mode for LDAP Servers under Alias Service settings will always display 'Read only' upon logging into the admin console.
SYMPTOM: When an RST is sent to the STS with an empty text node for either the AppliesTo, PortType or OperationName, a NullPointerException is thrown.
SYMPTOM: The Higgins Client Jars directory adks/client/sts is missing some dependency JARs and includes unnecessary server JARs.
The following software must be installed before installing this fix pack:
- Federated Identity Management Business Gateway 6.2.0 and its prerequisites
- WebSphere Update Installer version 188.8.131.52 (see Update Installer below.)
- Enablement fix for Tivoli Federated Identity Manager (see Preinstallation enablement requirement for installing the fix pack for the first time)
Installation path specification for the Windows Server 2008 platform
This preinstallation item applies only to installations on a 64-bit Windows platform like Windows Server 2008.
Because Federated Identity Manager Business Gateway is a 32-bit application its default path when installing on Windows Server 2008 changes from
C:\Program Files (x86)\IBM\FIM
NOTE: The installation path name change also affects a 32-bit WebSphere Application Server on Windows Server 2008:
C:\Program Files (x86)\IBM\WebSphere
Fix pack packaging
This Tivoli Federated Identity Manager Business Gateway 6.2.0-TIV-TFIMBG-FP0009 patch package is provided on the Tivoli Support Web site as a single downloadable zip file for each supported platform. After you select the package that is appropriate for the target platform, download the package and unzip the contents into a target directory, typically the default WebSphere Update Installer directory, either
for Windows or
You must unzip the downloaded file before you attempt to apply the patch. The unzipped contents are one or more pak files. Each pak file corresponds to one or more product components. For example, a fix pack might contain two pak files: one for the administration console and management service and runtime components, and one for the WSSM component. The full list of product components is described in Fix pack structure.
You use WebSphere Update Installer to apply the fixes of each pak file to the target component on the system that you are updating. Apply all of the pak files that are required by your installation to ensure that the software levels in your environment are identical for all of the components for which a pak file is supplied. The fixes are tested against all affected components; therefore, to minimize any possible issue that can arise from applying a partial fix, ensure that you apply the complete set of files. See Installing the fix pack for specific instructions on using Update Installer to apply the fixes.
Automatic creation of a backup directory
The Update Installer saves backup copies of the files that it replaces during the installation. You do not need to manually back up the Federated Identity Manager Business Gateway files.
Preinstallation enablement requirement for installing the fix pack for the first time
If this is the first time you are applying the fix pack to Federated Identity Manager Business Gateway, you must download and install the enablement fix for Tivoli Federated Identity Manager Business Gateway.
NOTE: Perform the following steps only if this is the first time you are applying a fix pack. You will not need to perform these steps for subsequent product updates.
1. Download the enablement fix into the Federated Identity Manager Business Gateway installation directory (typically C:\Program Files\IBM\FIM on Windows systems, or /opt/IBM/FIM on UNIX-based systems).
2. Use the unzip option of the zip program for your operating system to unzip the file. On HP-UX, either use jar -xvf to unzip the file or download an unzip utility from the HPUX Connect site.
NOTE: If you are prompted to overwrite existing files, accept it so that the target files are overwritten.
NOTE: Before installing this fix pack, be sure that you have reviewed the prerequisites in Before installing the fix pack.
To obtain the fix pack:
1. Go to the IBM Tivoli Federated Identity Manager Business Gateway Support Web site.
2. Click Download. The fix pack (6.2.0-TIV-TFIMBG-FP0009) should be listed under Latest by date. If you do not see this fix pack listed, enter "6.2.0-TIV-TFIMBG-FP0009" in the Search field to access the link to the download window.
3. In the fix pack download window, scroll to the bottom of the window to view a listing of the download packages by platform.
4. Select the platform that corresponds to the target platform where you will apply the fixes. To ensure a secure download, you can select the DD (Download Director) option. If you have not used Download Director before, you will need to configure your browser to use Java security. Click What is DD? for configuration instructions.
Setting the WebSphere security passwords
If security is enabled on the WebSphere Application Server where Federated Identity Manager Business Gateway is installed, you must set the appropriate password values in the fim.appservers.properties file before you can apply the fix pack.
If security is not enabled, you can skip this step.
NOTE: If you add passwords to the fim.appservers.properties file, as described below, you specify these passwords using plain text. However, at the end of the fix pack installation process these passwords are obfuscated and will no longer be available in plain text format.
To specify security passwords, use the following procedure:
1. Using a text editor, open the file FIM_INSTALL_DIR/etc/fim.appservers.properties.
2. If the was.security.enabled property is present in the fim.appservers.properties file and is set to true, then you must add two password properties to the file:
- the was.admin.user.pwd property with a value of the administrator login password for the WebSphere Application Server where Federated Identity Management Business Gateway is deployed
- the was.truststore.pwd property with a value of the password for the trust store used for client-side SSL authentication in that WebSphere Application Server
- the ewas.admin.user.pwd property with a value of the administrator login password for the Embedded WebSphere Application Server where Federated Identity Management Business Gateway is deployed
- the ewas.truststore.pwd property with a value of the password for the trust store used for client-side SSL authentication in that Embedded WebSphere Application Server
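A preflight check for the step above, written here as an added example and not part of IBM's fix pack tooling: it parses fim.appservers.properties and reports which of the password properties named in this readme are absent or empty while was.security.enabled is true. The property names are taken from the readme; the sample file content is constructed.

```python
# Preflight check for fim.appservers.properties before applying the fix pack.
# Added example, not IBM tooling: parses the Java-style properties file and
# reports the password properties the readme requires when WebSphere security
# is enabled. Property names come from the readme; the sample is constructed.
import re

SECURITY_FLAG = "was.security.enabled"
REQUIRED_PASSWORD_KEYS = (
    "was.admin.user.pwd",
    "was.truststore.pwd",
    "ewas.admin.user.pwd",
    "ewas.truststore.pwd",
)
_KV = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*?)$")


def parse_properties(text):
    """Minimal .properties parser: skips blank and #/! comment lines,
    accepts '=' or ':' separators, joins backslash-continued lines."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def missing_password_properties(text):
    """Password keys that are absent or empty while was.security.enabled=true;
    an empty list means nothing to do (security off, or all values set)."""
    props = parse_properties(text)
    if props.get(SECURITY_FLAG, "false").strip().lower() != "true":
        return []
    return [k for k in REQUIRED_PASSWORD_KEYS if not props.get(k)]


# Constructed sample: security enabled, one trust store password left blank.
SAMPLE = """# fim.appservers.properties (constructed sample)
was.security.enabled = true
was.admin.user.pwd=changeit
was.truststore.pwd=
ewas.admin.user.pwd:changeit
ewas.truststore.pwd=changeit
"""
```

Run missing_password_properties on the contents of FIM_INSTALL_DIR/etc/fim.appservers.properties; any key it returns must be filled in before you start the Update Installer.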
Applying the fix pack
1. Unzip the file you downloaded in Downloading the fix pack, preferably into the default WebSphere Update Installer's maintenance directory,
2. Ensure that the WebSphere Application Server that hosts the Federated Identity Management Business Gateway runtime and management service component is running.
3. Ensure that the WebSphere Application Server that hosts the Federated Identity Management Business Gateway console component is running.
4. Start the appropriate WebSphere Update Installer (typically located in C:\Program Files\IBM\WebSphere\UpdateInstaller on Windows systems, or in /opt/IBM/WebSphere/UpdateInstaller on UNIX-based systems).
5. In the Welcome window click Next. Federated Identity Management Business Gateway will not be listed, but is supported.
6. Specify the path to the installation directory for Federated Identity Management Business Gateway (typically C:\Program Files\IBM\FIM on Windows systems, or /opt/IBM/FIM on UNIX-based systems), then click Next.
7. Select Install maintenance in the dialog.
8. Specify the path where the fix pack (.pak) files were unzipped. The Update Installer automatically detects, enables, and displays the FIM fixes (pak files).
9. Determine which product components are installed on the system that you are updating. You should install only the pak files that correspond to the components on the target system. To determine the names and version levels of the product components installed on the target system, view the contents of the FIM_INSTALL_DIR/etc/version.properties file with a text editor. The following list describes how to interpret the properties in the version.properties file:
Specifies that the management service and runtime component is installed at the level specified by version.
Specifies that the administration console component is installed at the level specified by version.
Specifies that the WS-provisioning runtime component is installed at the level specified by version.
Specifies that the Web services security management (WSSM) component is installed at the level specified by version.
Specifies that the Web plug-in (either the Internet information services (IIS) Web plug-in or the Apache/IBM HTTP Server Web plug-in) is installed at the level specified by version.
Apply the fix packs to the product components in the following order:
1. Management service and runtime and administration console
2. Other components
10. Compare the list of installed components to the list of pak files in the WebSphere Update Installer and select the pak files that correspond to the installed components, then click Next.
Note: The WebSphere Update Installer allows you to select more than one pak file at a time for execution. Select only the pak files that correspond to the components that are installed on the system you are updating. If you accidentally install more pak files than are needed, you can separately uninstall any fix packs for components that are not installed on the target system.
11. If needed (for example, if you need to install multiple pak files on the target system, and you only installed one pak file), repeat the previous step to install any additional pak files on the target system.
Deploying the fix pack runtime component
The fix pack install automatically deploys the newly installed Federated Identity Manager Business Gateway runtime. However, you should verify that the current deployed version is 184.108.40.206.
1. Log in to the console and click Tivoli Federated Identity Manager-> Manage Configuration-> Domain Properties. The details of the components installed in the domain are listed.
2. Review the Runtime Information.
Current deployed version 220.127.116.11 [080922a]
Note: The number within the brackets [080922a] might be different from this example.
|Download|RELEASE DATE|LANGUAGE|SIZE(Bytes)|Download Options|
|6.2.0-TIV-TFIMBG-FP0009|10 Aug 2011|English|99945124|FC|
Download option FC is Fix Central.
Problems (APARS) fixed
Tivoli Federated Identity Manager Business Gateway
Software version: 6.2
Operating system(s): AIX, HP-UX on Itanium, Linux iSeries, Linux pSeries, Linux zSeries, Platform Independent, Solaris, Windows
Reference #: 4029498
Modified date: 23 June 2013