Creating a Highly Secure IBM Tivoli Monitoring Agent Configuration

Updated 5/3/13 1:18 PM by NikolaVouk

 

Creating a Highly Secure ITM Agent Configuration

 

Download the PDF for pictures and diagrams.


 

  1. Introduction

 

ITM agents running in autonomous or centrally managed modes present additional options for highly secure deployments of monitoring agents. With a few small post-installation environment configuration steps, customers can achieve exceptionally secure monitoring agent deployments in highly constrained environments such as DMZs.

 

The Autonomous agent deployment model is similar to the standard centrally managed ITM agent deployment model where agents communicate with their infrastructure over secure connections and agents use local configuration files that administrators may manage.

 

In a secure environment, the agents are invisible to outside network traffic, minimize their communication pathways and lock down access to the agent files on the file system. A highly secure configuration also ensures strong authenticated encryption on any communication pathways.

 

This whitepaper enumerates the steps required to lock down open-by-default network connections and verify the installation is secure from within.

  1. Secure Configuration Security Profile

 

  1. Anonymous Network Status

     

The aim is to provide no accessible external network trace of the SNMP agent and/or ITM Agent.

    1. This entails disabling the normal agent service console ports that follow 1918+x*4096 and 3660+x*4096 (for SSL) on IPv4 and IPv6. Disabling these listener ports does not reduce functionality, but requires the agents to connect to the external TEMS or SNMP Server instead of allowing them to query the agent directly on their own.

    2. General well-known service console ports are opened on ports 1920 and 3661 for easy remote access. Disabling these ports prevents the service console from being enabled. Configuration may only occur from the CLI or GUI thereafter.

    3. There are two more ports opened on a per-agent basis for the agent-specific service console that is referenced from the 1920 and 3661 ports.

    4. Disable IPv6 or IPv4 to exclusively use one or the other in order to reduce the network exposure profile.

       

  1. Secure File Permissions



    To prevent insider unauthorized access to the encryption keys, certificates or logs, the file permissions of ITMHOME and all subdirectories must be locked down to well known user ids and group ids that are auditable and world read/write/execute access must be removed.

 

  1. Secure and Confidential Inter-Component Communication/Authentication



    Authenticate that components are members of the same trusted certificate authority by using TLS certificate validation that provides confidentiality, data integrity and a limited form of authentication.

 

 

  1. Deployment Scenarios

 

The scenario targeted here is an agent running in a DMZ: protected by a firewall on the left and blocked by a firewall on the right from the management infrastructure. The firewall is not required for configuration of the agents in secure mode.

 

  1. Managed ITM Agent

 

A highly-secure managed ITM infrastructure offers two different configurations depending on whether the customer wishes for the agents to initiate connections to the ITM infrastructure servers or the ITM infrastructure connects to the ITM agents. The difference impacts firewall configuration on the customer’s part and whether the agents themselves have open ports for a connection to be initiated by a TEMS.

 

 

 

This agent configuration is intended to:

 

  1. Deliver alerts, heartbeats and attribute data to TEMS and TEP users.

  2. Deliver alerts and heartbeats to an event management system (IBM Tivoli Netcool/OMNIbus in this example).

  3. Optionally, upload data to the Tivoli Data Warehouse components of ITM.

  4. Authenticate all possible connections.

 

 

The standard deployment scenario closes all ports opened by the ITM agents (primarily the service console ports). The ITM agents listen on no ports and only make outgoing connections to the ITM infrastructure or event servers.

 

The intranet firewall must be configured to allow outgoing connections from the agents to the configured intranet management servers.

 

  1. UNIX/Linux Configuration Steps:

 

  1. Configure the agent to use the Firewall-Gateway mode for allowed proxy servers. Follow the ITM Firewall-Gateway configuration guide for details. This step is optional.

  2. Enable the agent to use ephemeral ports and not static listening ports.

  3. Modify the <agent product code>.ini file or <agent product code>ENV configuration file in the agent configuration directory to disable the HTTP server, disable agent-specific service consoles, and disable non-SSL HTTP servers.

  4. Add the following to the configuration file (all on one line):

      KDC_FAMILIES=$NETWORKPROTOCOL$ EPHEMERAL:Y HTTP_CONSOLE:N HTTP_SERVER:N HTTP:0

  5. Disable IPv6:

    1. Set the variable ‘KDEB_INTERFACELIST_IPV6=-’ (no quotes) in the custom agent environment file to disable IPv6.

    2. There is currently no way to disable IPv4 connections.

  6. Configure the agent according to the directions in the “ITM Certificate Authentication” technical note to authenticate the Tivoli Data Warehouse Proxy Agent.

  7. Repeat steps 1 through 6 for every agent installed.

 

bash-3.00# pwd

/opt/IBM/ITM/config

bash-3.00# tail ux.ini

KDC_FAMILIES=$NETWORKPROTOCOL$ EPHEMERAL:Y HTTP_CONSOLE:N HTTP_SERVER:N HTTP:0

KDEB_INTERFACELIST_IPV6=-

bash-3.00#

Sample 3 - Secure Custom Managed Agent Configuration File

 

 2. Windows Agent Configuration

 

Manage Tivoli Enterprise Monitoring Services Configuration

 

Windows OS agents differ in that their runtime configuration may be stored in the local KxxENV file in the ITM home directory or stored in the Windows registry. To properly override these configuration options, you must use “Manage Tivoli Enterprise Monitoring Services” (MTEMS).

 

Open Manage Tivoli Monitoring Services:

 

 

 

For each agent you would like to reconfigure, right-click on the agent and then select ‘Advanced’ and ‘Edit Variables…’.

Note: The agent must already have been configured before this option is available.

“Add…” a new variable and select “KDC_FAMILIES” from the pull-down menu. Set the ‘Value:’ to:

@Protocol@ EPHEMERAL:Y HTTP_CONSOLE:N HTTP_SERVER:N HTTP:0

Select ‘OK’ and then ‘OK’ to save the variable.

 

 

 

 

 

The agent is now configured to not bring up any listening ports.

 

Windows Registry (Alternative configuration method)

 

As a last option, you may directly edit the Windows Registry, though any changes to the registry will be lost after any upgrades.

 

Open the Windows Registry with RegEdit:

 

  1. ITM configuration variables are under:

    My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Candle\KXX

  2. For each Agent (Not KHD [Warehouse Proxy Agent], KMS [TEMS], KFW [TEPS])

    1. If KDC_FAMILIES key is defined, modify it to the following:



      IP.SPIPE EPHEMERAL:Y HTTP_CONSOLE:N HTTP_SERVER:N PORT:3660 IP use:n SNA use:n IP.PIPE use:n


       
    2. Create key KDC_FAMILIES, if it is not defined.



      If the key KDE_TRANSPORT is defined, modify it to the same value instead of KDC_FAMILIES.



      KDE_TRANSPORT will override KDC_FAMILIES.

 

The Windows Registry settings override any environment file values.

 

 

 

 

 Omegamon (z/OS) Configuration Steps:

 

  1. Configure the agent to use the Firewall-Gateway mode for allowed proxy servers. Follow the ITM Firewall-Gateway configuration guide for details. This step is optional.

  2. Enable agent to use ephemeral ports and not static listening ports

  3. Modify the "<agent product code>ENV" configuration file in your ITM RKANPARU PDS to Disable HTTP Server, Disable Agent-Specific Service Consoles, Disable non-SSL HTTP servers.

 

  1. Update the KDE_TRANSPORT in each configuration file. Yours may differ slightly. On z/OS you will need to use the continuation character '\' to continue the line as it approaches 72 characters.  
  2. Add the parameters:  EPHEMERAL:Y HTTP_CONSOLE:N HTTP_SERVER:N HTTP:0
    1.  KDE_TRANSPORT=EPHEMERAL:Y HTTP_CONSOLE:N HTTP_SERVER:N HTTP:0\

      IP6.PIPE PORT:25003 USE:N\

      IP6.UDP PORT:25003 USE:N\

      IP6.SPIPE PORT:3660 USE:N\

      IP.PIPE PORT:25003 USE:N\

      IP.UDP PORT:25003 USE:N\

      IP.SPIPE PORT:3660\

      SNA.PIPE PORT:135

  3.    File  Edit  Edit_Settings  Menu  Utilities  Compilers  Test  Help            
     sssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss
     EDIT       TIVOLI.ITM.TVT5053.RKANPARU(KN3ENV) - 01.00     Member KN3ENV saved 
     ****** ***************************** Top of Data ******************************
     ==MSG> -Warning- The UNDO command is not available until you change            
     ==MSG>           your edit profile using the command RECOVERY ON.              
     ==MSG> -CAUTION- Profile is set to STATS ON. Statistics did not exist for      
     ==MSG>           this member, but will be generated if data is saved.          
     000001 KDE_TRANSPORT=\                                                         
     000002     EPHEMERAL:Y HTTP_CONSOLE:N HTTP_SERVER:N HTTP:0\                    
     000003     IP.UDP PORT:1918 USE:N\                                             
     000004     IP6.PIPE PORT:1918 USE:N\                                           
     000005     IP6.UDP PORT:1918 USE:N\                                            
     000006     IP6.SPIPE PORT:3660 USE:N\                                          
     000007     IP.PIPE PORT:1918\                                                  
     000008     IP.SPIPE PORT:3660\                                                 
     000009     SNA.PIPE PORT:135                                                   
     000010 KDCFC_ALIAS=CTDN3NC                                                     
     000011 KDCFC_MODE=CANCTDCS                                                     
     000012 KBB_RAS1=ERROR                                                          
     000013 KDC_DEBUG=N                                                                                                  
     Command ===>                                                  Scroll ===> PAGE 
      F1=Help      F2=Split     F3=Exit      F5=Rfind     F6=Rchange   F7=Up        
      F8=Down      F9=Swap     F10=Left     F11=Right    F12=Cancel                 

     

  4. Disable IPv6

    1. Set the variable ‘KDEB_INTERFACELIST_IPV6=-’ (no quotes) in the custom agent environment file to disable IPv6.

    2. There is currently no way to disable IPv4 connections.

 

  1. Configure the agent according to the directions in the “ITM Certificate Authentication” technical note to authenticate the Tivoli Data Warehouse Proxy Agent.

  2. Repeat for every agent installed steps 1 through 6

 

bash-3.00# pwd

/opt/IBM/ITM/config

bash-3.00# tail ux.ini

KDC_FAMILIES=$NETWORKPROTOCOL$ EPHEMERAL:Y HTTP_CONSOLE:N HTTP_SERVER:N HTTP:0

KDEB_INTERFACELIST_IPV6=-

bash-3.00#

Sample 3 - Secure Custom Managed Agent Configuration File

 

Managed ITM Agents using Firewall Gateway

 

Configuration of agents connecting through a firewall gateway is the same as the standard managed configuration except for the additional configuration requirement for the Warehouse Proxy Agent.



When configuring agents behind a firewall-proxy gateway, ensure that you configure the KPX_WAREHOUSE_LOCATION if the Warehouse Proxy agent is not co-located with the RTEMS the agent is connected to.

 

For more information on historical warehousing behind a firewall gateway, refer to the ITM installation guide appendix on Firewalls

(http://publib.boulder.ibm.com/infocenter/tivihelp/v15r1/index.jsp?topic=/com.ibm.itm.doc_6.2.2fp2/ephemeral_pipe.htm ).

 

 

 

 

This agent configuration is intended to:

 

  1. Deliver alerts, heartbeats and attribute data to TEMS and TEP users.

  2. Deliver alerts and heartbeats to an event management system (IBM Tivoli Netcool/OMNIbus in this example),

  3. optionally, upload data to the Tivoli Data Warehouse components of ITM.

  4. Allow the IT administrator to force the TEMS to connect to authorized agents

  5. Authenticate all network connections

 

An alternative deployment scenario some customers may choose utilizes the ITM Firewall-Gateway mechanism to proxy communications between ITM agents in a DMZ and the management infrastructure behind a firewall. Choosing this option reduces the number of ports that must be forwarded from the DMZ to the intranet through the intranet management firewall from three to two but does require that each of the agents have their service consoles active.

 

  1. Autonomous ITM Agent

 

 

 

This agent configuration is intended to:

 

  1. Deliver its alerts and heartbeats to an event management system (IBM Tivoli Netcool/OMNIbus in this example),

  2. Authenticate all possible connections.

  3. optionally, upload data to the Tivoli Data Warehouse components of ITM.

 

Heart beating to the event management system is a standard way for the agent to be monitored from a central location to ensure timely notification of system or agent failures. The steps detailed below include on-box monitoring of the agent through Agent Management Services, a local watchdog that ensures the agent(s) are operational and working within allotted CPU and memory bounds.

 

In this deployment model, the agent is configured entirely with local configuration files. IT administrators would need to allow the ITM agents to access the event management system and optionally the Tivoli Data Warehouse.

 

  1. UNIX/Linux Configuration Steps:

 

The directions below apply to UNIX/Linux configurations which rely on the configuration files in $ITMHOME/config directory for all agent configuration. Windows agents

 

 

  1. Enable agent to use ephemeral ports and not static listening ports

    1. Create a new <agent name>.environment file or edit an existing custom configuration file in the agent configuration directory

  2. Disable HTTP Server, Disable Agent-Specific Service Consoles, Disable non-SSL HTTP servers

    1. Add the Following to the configuration file (All one line)

      KDC_FAMILIES=$NETWORKPROTOCOL$ EPHEMERAL:Y HTTP_CONSOLE:N HTTP_SERVER:N HTTP:0

  3. Disable IPv6

    1. Set the variable ‘KDEB_INTERFACELIST_IPV6=-’ (no quotes) in the custom agent environment file to disable IPv6.

    2. There is currently no way to disable IPv4 connections.

 

  1. Configure SNMPv3 to use SHA-1 and DES encryption

     

  2. Configure the agent according to the directions in the “ITM Certificate Authentication” technical note to authenticate the Tivoli Data Warehouse Proxy Agent.

     

  3. Repeat for every agent installed steps 1 through 6

 

Note that there should be only one KDC_FAMILIES entry in each configuration file.

 

bash-3.00# pwd

/opt/IBM/ITM/config

bash-3.00# cat 1b.environment

KDC_FAMILIES=$NETWORKPROTOCOL$ EPHEMERAL:Y HTTP_CONSOLE:N HTTP_SERVER:N HTTP:0

KDEB_INTERFACELIST_IPV6=-

bash-3.00#

Sample 1 - Secure Custom Autonomous Configuration File
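
A check for the settings above, as an added example that is not part of the original whitepaper: it confirms that a configuration file has exactly one KDC_FAMILIES entry carrying all four options and that IPv6 is disabled. The function names, the sample files, and the treatment of lines starting with # as comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the whitepaper): audit an agent configuration file
# for the settings this section prescribes.

# audit_itm_config FILE
# Prints one line per finding; returns 0 when the file is clean, 1 otherwise.
audit_itm_config() {
    awk '
        /^[ \t]*#/ { next }    # assumption: "#" starts a comment line
        /^[ \t]*KDC_FAMILIES=/ {
            families++
            value = $0
            sub(/^[^=]*=/, "", value)              # drop "KDC_FAMILIES="
            n = split(value, tok, /[ \t]+/)
            for (i = 1; i <= n; i++) seen[tok[i]] = 1
        }
        /^[ \t]*KDEB_INTERFACELIST_IPV6=-[ \t]*$/ { ipv6_off = 1 }
        END {
            if (families != 1) {
                printf "KDC_FAMILIES entries: %d (expected 1)\n", families
                bad = 1
            }
            m = split("EPHEMERAL:Y HTTP_CONSOLE:N HTTP_SERVER:N HTTP:0", need, " ")
            for (i = 1; i <= m; i++)
                if (!(need[i] in seen)) { print "missing option " need[i]; bad = 1 }
            if (!ipv6_off) { print "KDEB_INTERFACELIST_IPV6=- is not set"; bad = 1 }
            exit bad + 0
        }' "$1"
}

# Write two constructed sample files into directory $1.
write_sample_configs() {
    cat > "$1/good.environment" <<'EOF'
KDC_FAMILIES=$NETWORKPROTOCOL$ EPHEMERAL:Y HTTP_CONSOLE:N HTTP_SERVER:N HTTP:0
KDEB_INTERFACELIST_IPV6=-
EOF
    # Constructed bad file: "=" instead of ":" after EPHEMERAL, a second
    # KDC_FAMILIES entry, and no IPv6 setting.
    cat > "$1/bad.environment" <<'EOF'
KDC_FAMILIES=$NETWORKPROTOCOL$ EPHEMERAL=Y HTTP_CONSOLE:N HTTP_SERVER:N HTTP:0
KDC_FAMILIES=$NETWORKPROTOCOL$ HTTP_CONSOLE:N
EOF
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for f in "$demo_dir"/*.environment; do
    if audit_itm_config "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
rm -rf "$demo_dir"
```

On an agent host, run audit_itm_config against each .ini or .environment file in the agent configuration directory.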

 

 

    1. Windows Agent Configuration

Windows OS agent configuration is the same as managed ITM agents described earlier.

 

  1. Verification

 

Once agents are configured in ephemeral mode and the HTTP servers are disabled, you may verify that there are no listening ports by any ITM components using the ‘netstat’ command.

 

ITM Allocates ports for its agent communication using the following algorithm:

 

1918 + 4096*X where 0 <= X <= 15

3660 + 4096*X where 0 <= X <= 15

 

There are additional ports opened for any HTTP applications (service console, service interface, soap server, index page):

 

Ports 1920 and 3661 are used by the HTTP server for the index page by the first agent that starts up, and additional ports are dynamically allocated by additional agents. These ports are chosen by the system dynamically and requests are automatically redirected to them from the 1920/3661 ports, so they may not show up in the standard ‘netstat’ scan.

 

  1. Verify that the Index Page is no longer being generated:

Browse to http://<server>:1920/ and https://<server>:3661/ .

An error that the destination server is not found should be generated.

 

    1. ‘netstat -an | egrep "1918|3660"’ should come back clean with no entries.

      If any of the installed applications have a service console or other HTTP process started, then they will register on this port first.

    2. The full grep shown below tests for all predictable port values for IP.PIPE/IP.SPIPE and HTTP/HTTPS listening sockets.



      If configuration was successful, there should be no sockets listening on IPv4 as well as IPv6.

 

 

netstat -an |egrep "1918|6014|10110|14206|18302|22398|26494|30590|34686|38782|42878|46974|51070|55166|59262|63358|67454|3660|7756|11852|15948|20044|24140|28236|32332|36428|40524|44620|48716|52812|56908|61004|65100|69196"

 

Example: This example shows that not all servers were shut down.

 

[root ~]# netstat -an |egrep "1918|6014|10110|14206|18302|22398|26494|30590|34686|38782|42878|46974|51070|55166|59262|63358|67454|3660|7756|11852|15948|20044|24140|28236|32332|36428|40524|44620|48716|52812|56908|61004|65100|69196"

tcp4 0 0 *.1920 *.* LISTEN

tcp4 0 0 X.X.X.X.58294 Y.Y.Y.Y.1918 ESTABLISHED

tcp4 0 0 *.3661 *.* LISTEN

tcp4 0 0 *.6014 *.* LISTEN

 

[root ~]#
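
The egrep pattern above matches substrings and any connection state, so it also reports outgoing ESTABLISHED connections to a remote port 1918. The following added example (not part of the original whitepaper) generates the port list from the formula, adds 1920 and 3661, and reports only LISTEN sockets whose local port matches exactly. It goes beyond the text by also accepting Linux-style addresses; the function names and sample lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the whitepaper): report LISTEN sockets on the
# predictable ITM ports, matching the port number exactly.

# Ports from 1918+4096*X and 3660+4096*X for 0 <= X <= 15, plus the
# HTTP/HTTPS index-page ports 1920 and 3661.
itm_ports() {
    x=0
    while [ "$x" -le 15 ]; do
        echo $((1918 + 4096 * x))
        echo $((3660 + 4096 * x))
        x=$((x + 1))
    done
    echo 1920
    echo 3661
}

# Reads `netstat -an` output on stdin and prints "<port> <local address>" for
# every socket in LISTEN state whose local port is an ITM port.
itm_listeners() {
    awk -v ports="$(itm_ports | tr '\n' ' ')" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        toupper($NF) ~ /^LISTEN/ {
            # The local address is the first field ending in ".<port>" or
            # ":<port>"; this covers "*.1920", "0.0.0.0:1920" and ":::1920".
            for (i = 1; i <= NF; i++)
                if ($i ~ /[.:][0-9]+$/) {
                    port = $i
                    sub(/^.*[.:]/, "", port)
                    if (port in want) print port, $i
                    break
                }
        }'
}

# Constructed sample input modelled on the example output above, plus two
# Linux-style lines; addresses are documentation-range placeholders.
sample_netstat() {
    cat <<'EOF'
tcp4 0 0 *.1920 *.* LISTEN
tcp4 0 0 192.0.2.10.58294 192.0.2.20.1918 ESTABLISHED
tcp4 0 0 *.3661 *.* LISTEN
tcp4 0 0 *.6014 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp 0 0 0.0.0.0:51918 0.0.0.0:* LISTEN
tcp6 0 0 :::3660 :::* LISTEN
EOF
}

# Demo on the sample; on a real host run: netstat -an | itm_listeners
sample_netstat | itm_listeners
```

An empty result means no socket is listening on any predictable ITM port; the dynamically allocated HTTP ports mentioned earlier are outside what this check can see.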

 

 

 

  1. File Permission

 

An important consideration should be access control to the installed agent files and active processes to prevent unauthorized modification of files and limit exposure.

 

Be aware that ITM 6.2.3 provides this lock down support as part of the installer. The user will need to ensure the group already exists prior to execution.

 

Configuration Steps

 

  1. Designate and create a user and group for the exclusive use of ITM agents (e.g. itm/itm).

  2. Run ‘secureMain -g ITMGROUP’ to lock down most of the permissions.

  3. Change to the ITMHOME directory and run ‘chmod -R o-rwx .’ to remove any third-party access. Remove group write access to the keyfiles and certificates with ‘chmod -R g-w keyfiles’.

  4. Some agents, such as the DB2 or Domino agents, require running with alternative user identities. Add the user identities into the chosen ITMGROUP group so they may also write into the ITM HOME tree.

 



 

bash-3.00# pwd

/opt/IBM/ITM

bash-3.00# useradd itm

bash-3.00# groupadd itm

bash-3.00# chown -R itm:itm .

bash-3.00# gpasswd -a db2inst1 itm ; # use system-specific mechanism to add to group

bash-3.00# gpasswd -a domino itm # use system-specific mechanism to add to group

bash-3.00# cd bin

bash-3.00# ./secureMain -g itm lock

Enter the root password if prompted

== baseSecureLock

== xxSecureLock 1b

== xxSecureLock 1d

== SecureSkip ax

== xxSecureLock gs

== xxSecureLock ux

== SetPerm -a

bash-3.00# cd ..

bash-3.00# chmod -R o-rwx .

bash-3.00# ls -l

total 28

drwxr-x--- 2 itm itm 1024 Nov 24 14:28 bin

drwxrwx--- 5 itm itm 1536 Nov 24 14:28 config

drwxr-x--- 2 itm itm 512 Nov 24 14:28 keyfiles

drwxr-x--- 3 itm itm 512 Nov 24 14:28 licenses

drwxrwx--- 9 itm itm 512 Nov 24 14:28 localconfig

drwxrwx--- 2 itm itm 1536 Nov 24 14:44 logs

drwxr-x--- 2 itm itm 512 Nov 24 14:41 registry

-rw------- 1 itm itm 0 Nov 24 14:41 samples

drwxr-x--- 5 itm itm 512 Nov 24 14:28 sol286

drwxr-x--- 3 itm itm 512 Nov 24 14:28 sol296

drwxr-x--- 5 itm itm 512 Nov 24 14:28 tmaitm6

drwxrwx--- 2 itm itm 1536 Nov 24 14:28 tmp

bash-3.00# chmod -R g-w keyfiles

bash-3.00# ls -l keyfiles/

total 280

-rw-r----- 1 itm itm 48 Nov 24 14:28 KAES256.ser

-rw-r----- 1 itm itm 88 Nov 24 14:28 keyfile.crl

-rw-r----- 1 itm itm 125088 Nov 24 14:28 keyfile.kdb

-rw-r----- 1 itm itm 88 Nov 24 14:28 keyfile.rdb

-rw-r----- 1 itm itm 129 Nov 24 14:28 keyfile.sth

Sample 2 - Secure Permission Setting
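
To confirm the lock-down took effect, the following added example (not part of the original whitepaper) lists anything under ITMHOME that still has a world permission bit and anything under keyfiles that is still group-writable. The function names and the sample tree are assumptions.

```shell
#!/bin/sh
# Added example (not from the whitepaper): find files that still violate the
# two permission rules above after the lock-down.

# itm_perm_audit ITMHOME
# Prints "world-accessible: PATH" for anything with an "other" permission bit
# and "group-writable key: PATH" for anything group-writable under keyfiles.
# Returns 0 when nothing is found, 1 otherwise.
itm_perm_audit() {
    findings=$(
        # Symbolic links are skipped: their own mode bits are not meaningful.
        find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
            sed 's/^/world-accessible: /'
        if [ -d "$1/keyfiles" ]; then
            find "$1/keyfiles" ! -type l -perm -020 -print |
                sed 's/^/group-writable key: /'
        fi
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Build a constructed ITMHOME-like tree in directory $1 with two violations.
make_sample_tree() {
    mkdir -p "$1/keyfiles" "$1/logs"
    : > "$1/keyfiles/keyfile.kdb"
    : > "$1/keyfiles/keyfile.sth"
    : > "$1/logs/agent.log"
    chmod 750 "$1" "$1/keyfiles"
    chmod 770 "$1/logs"
    chmod 640 "$1/keyfiles/keyfile.kdb"
    chmod 660 "$1/keyfiles/keyfile.sth"    # violation: group write on a key file
    chmod 644 "$1/logs/agent.log"          # violation: world-readable log
}

# Demo: audit the sample, apply the two chmod commands from the steps above,
# then audit again.
demo=$(mktemp -d)
make_sample_tree "$demo/itm"
itm_perm_audit "$demo/itm" || echo "lock-down incomplete"
chmod -R o-rwx "$demo/itm" && chmod -R g-w "$demo/itm/keyfiles"
itm_perm_audit "$demo/itm" && echo "clean"
rm -rf "$demo"
```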

  1. TLS Communication Configuration (IP.SPIPE)

Following the prior steps will ensure that only Transport Layer Security (TLS) ports are opened by the TEMS server, and that any non-TLS ports are disabled. ITM calls TLS IP.SPIPE.

 

The next step is to ensure that all your ITM components (TEP, TEPS, TEMS, Agents) are communicating using only TLS (IP.SPIPE). This section is concerned only with the main communication pathways as well as LDAP communication. Please refer to the ITM Installation Guide and Administrator's Guide for details on how to configure IP.SPIPE.

 

  1. Additional Considerations

 

  1. The SNMP stack currently implements RFCs 3411-3418. The encryption methods detailed in this set of specifications (MD5/SHA1/DES) are not FIPS 140-2 compliant.

 

  1. The agents are completely passive with no network accessible ports. The agents must be configured using the local system account configured for managing ITM.

 

  1. Configuration with Symmetric Certificate Authentication requires careful management of certificates and certificate databases. Please refer to the Technical Note “Enabling ITM Symmetric Certificate Authentication” for further details on configuring your environment and components to utilize both client and server certificate validation.

 

 

  1. Conclusions

 

Following the standards recommended in this Technical Note, deployed agents become invisible to external network entities and communicate using secure techniques while still remaining completely functional.

 

 

 
