IBM Security Access Manager for Web WebSEAL, Patch 7.0.0-ISS-AWS-FP0001

Abstract

This is a General Availability (GA) patch containing all the fixes since the release of IBM Security Access Manager for Web 7.0.0 (WebSEAL)

Download Description

1.0 ABOUT THIS PATCH
--------------------
This patch package contains fixes for problems in Security Access Manager
Web Security software. This patch requires that Security Access Manager
Version 7.0 already be installed and configured successfully.



1.1 Patch contents

This patch package contains:

- This README file
- Updated patch packaging for Security Access Manager software.



1.2 Architectures

This patch package applies to the following architectures:


Platform                                                     Patch
-----------------------------------------------------------  ------------
AIX 6.1 POWER System                                         None
AIX 7.1 POWER System                                         None

Solaris 10 SPARC                                             Update 10
Solaris 11 SPARC                                             None

Red Hat Enterprise Linux (RHEL) 5 Advanced Platform x86-64   None
Red Hat Enterprise Linux (RHEL) Server 6 x86-64              None
SUSE Linux Enterprise Server (SLES) 10 x86-64                None
SUSE Linux Enterprise Server (SLES) 11 x86-64                None

Red Hat Enterprise Linux (RHEL) Server 6 System z            None
Red Hat Enterprise Linux (RHEL) 5 Advanced Platform System z None
SUSE Linux Enterprise Server (SLES) 10 System z              None
SUSE Linux Enterprise Server (SLES) 11 System z              None

Windows Server 2008 Enterprise Edition x86-64                None
Windows Server 2008 Standard Edition x86-64                  None
Windows Server 2008 R2 Enterprise Edition x86-64             None
Windows Server 2008 R2 Standard Edition x86-64               None



1.3 Patches superseded

Patches superseded by this patch:

None.


1.4 Dependencies

IBM Security Access Manager for Web, Version 7.0
IBM Security Utilities
GSKit Version 8.0.50.3



2.0 APARS AND DEFECTS FIXED
---------------------------
Because patches are cumulative, this patch corrects all the problems
outlined in the following sections.


2.1 Problems fixed by patch 7.0.0-ISS-AWS-FP0001

Web Security Runtime
--------------------

APAR IV38313
Symptom: OBFUSCATING THE BASIC-AUTH-PASSWD USED BY A FIM SSO JUNCTION DOES
NOT CURRENTLY WORK.
If the basic-auth-passwd entry in [tfim-cluster:<cluster>] stanza
is obfuscated, no basic authentication header is sent from WebSEAL
to Tivoli Federated Identity Manager (TFIM).

APAR IV38034
Symptom: FIX EAI CDAS PROBLEM FOR ZSERIES LINUX
On Linux on zSeries, if you configure the EAI CDAS, WebSEAL
will fail to start with the following error:
2012-11-12-12:43:43.614-05:00I----- 0x1321207B webseald ERROR \
ias general pam_handlers.cpp 394 0x20001b775c0 \
HPDIA0123E Unable to locate symbol pam_sm_authenticate in \
shared library /opt/pdwebrte/lib/libeaiauthn.so: /opt/pdwe \
brte/lib/libeaiauthn.so: undefined symbol: pam_sm_authenti \
cate. \
2012-11-12-12:43:43.614-05:00I----- 0x13212067 webseald ERROR \
ias general ivpam.c 605 0x20001b775c0 \
HPDIA0103E Unable to locate symbol in shared library. \
2012-11-12-12:43:43.614-05:00I----- 0x38CF013B webseald FATAL \
wwa server WsMgr.cpp 762 0x20001b775c0 \
DPWWA0315E Initialization of authentication layer failed: H \
PDIA0103E Unable to locate symbol in shared library.
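The excerpt above follows the WebSEAL message-log layout: timestamp, message id, process, severity, component, subcomponent, source file, line, thread id, then the message code and text. As an added example (not IBM's code), the parser below reads that layout and extracts the codes an operator would alert on after a failed start; the field layout is inferred from the excerpt, and the sample lines are constructed, unwrapped copies of it.

```python
"""Parse WebSEAL message-log records such as the APAR IV38034 excerpt.

Added example, not IBM code.  The field layout is inferred from the
excerpt in this README (assumption); SAMPLE_LOG is a constructed,
unwrapped copy of those three lines.
"""
import re
from collections import Counter

# timestamp  msgid  process  level  comp  subcomp  file  line  thread  code  text
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<msgid>0x[0-9A-Fa-f]+)\s+(?P<proc>\S+)\s+"
    r"(?P<level>[A-Z]+)\s+(?P<comp>\S+)\s+(?P<sub>\S+)\s+(?P<file>\S+)\s+"
    r"(?P<line>\d+)\s+(?P<thread>0x[0-9a-f]+)\s+"
    r"(?P<code>[A-Z]{5}\d{4}[A-Z])\s+(?P<text>.*)$"
)

# Constructed sample: the README excerpt with its "\" line wrapping removed.
SAMPLE_LOG = """\
2012-11-12-12:43:43.614-05:00I----- 0x1321207B webseald ERROR ias general pam_handlers.cpp 394 0x20001b775c0 HPDIA0123E Unable to locate symbol pam_sm_authenticate in shared library /opt/pdwebrte/lib/libeaiauthn.so: /opt/pdwebrte/lib/libeaiauthn.so: undefined symbol: pam_sm_authenticate.
2012-11-12-12:43:43.614-05:00I----- 0x13212067 webseald ERROR ias general ivpam.c 605 0x20001b775c0 HPDIA0103E Unable to locate symbol in shared library.
2012-11-12-12:43:43.614-05:00I----- 0x38CF013B webseald FATAL wwa server WsMgr.cpp 762 0x20001b775c0 DPWWA0315E Initialization of authentication layer failed: HPDIA0103E Unable to locate symbol in shared library.
"""


def parse_line(line):
    """Return the record's fields as a dict, or None for a non-record line."""
    m = LINE_RE.match(line.rstrip())
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every record line in a log body, skipping anything unparseable."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def severity_counts(records):
    """Count records per severity (ERROR, FATAL, ...)."""
    return Counter(rec["level"] for rec in records)


def startup_failures(records):
    """Codes worth alerting on: each FATAL record's own code, followed by any
    error codes it quotes in its text (DPWWA0315E above nests HPDIA0103E)."""
    codes = []
    for rec in records:
        if rec["level"] == "FATAL":
            codes.append(rec["code"])
            codes.extend(re.findall(r"\b[A-Z]{5}\d{4}E\b", rec["text"]))
    return codes
```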

APAR IV38036
Symptom: AZN_CREDS_H_T IS NOT CONVERTED PROPERLY ON WINDOWS
The credential might not be available in the authentication
function of a custom CDAS on Windows platforms.

WebSEAL
-------

APAR IV38312
Symptom: A JUNCTION CREATED WITH THE -W OPTION WILL NOT ALLOW ANY TILDE
For a junction (except local) created with the -w option, or a
local junction on Win32, file names that might be interpreted
as Win32 file name aliases will be disallowed.

The check turns out to be over-restrictive and a path
like /junction/abc~def/, which is not a Win32 8.3 alias,
is disallowed. This becomes a problem when integrating with SAP,
which generates URL paths that contain a tilde.
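As an added example (not WebSEAL's code), the check below contrasts the over-restrictive filter described above, which rejects any tilde, with one that rejects only path segments shaped like a Win32 8.3 short-name alias. The alias pattern is an assumption drawn from how Windows generates short names, and the sample paths are constructed.

```python
"""Tilde filtering for junction paths: the IV38312 problem and a narrower check.

Added example, not WebSEAL's code.  The 8.3 alias shape (assumption): one to
six base characters, '~', one or more digits, an optional one- to
three-character extension, with the part before the extension at most eight
characters long.
"""
import re
from urllib.parse import unquote

_ALIAS_RE = re.compile(
    r"^(?P<name>[^.~/\\]{1,6}~[0-9]+)(?:\.[^./\\]{1,3})?$", re.IGNORECASE
)


def is_win32_8_3_alias(segment: str) -> bool:
    """True if one path segment looks like a generated Win32 8.3 short name."""
    m = _ALIAS_RE.match(segment)
    return m is not None and len(m.group("name")) <= 8


def naive_filter_allows(path: str) -> bool:
    """The over-restrictive behaviour: any tilde anywhere rejects the path."""
    return "~" not in unquote(path)


def alias_filter_allows(path: str) -> bool:
    """The narrower behaviour: reject only segments that are real 8.3 aliases.

    The path is percent-decoded first so an encoded tilde (%7E) is judged the
    same way as a literal one, and every segment is examined, not just the last."""
    decoded = unquote(path)
    return not any(is_win32_8_3_alias(seg) for seg in decoded.split("/") if seg)
```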

APAR IV38245
Symptom: ADD NEW WEBSEAL QOP CONFIGURATION STRING TO ALLOW ONE-TO-ONE
MAPPING OF CIPHERSUITE
Prior to this change an administrator was not allowed to specify
certain ciphers for QOP. The following cipher values have now
been added to the [ssl-qop-mgmt-default] stanza:
DES-56-62
DES-56-09
NULL-02
NULL-01
RC4-128-04
RC4-128-05

APAR IV38314
Symptom: UNEXPECTED SESSION CLOSE BETWEEN WEBSEAL AND BACKEND SERVER IF
CHUNK RESPONSE IS USED IN THE PREVIOUS REQUEST.
When persistent connections are enabled with junctioned servers and
the junctioned server uses chunked transfer coding, WebSEAL
occasionally and unpredictably closes the socket immediately after
it dispatches a request to the backend.

APAR IV38347
Symptom: WEBSEAL SERVER SYNC FAILS WHEN USING NON-DEFAULT DOMAIN.
The WebSEAL 'server sync' server task command fails when the ISAM
domain is set to something other than 'Default'.


APAR IV38317
Symptom: WEBSEAL DOES NOT READ ALL HTTP HEADER DATA FROM BACKEND
When parsing a response from a junctioned server or the CGI
output of a local junction, the maximum number of bytes that
WebSEAL will read is 64k. A user cannot configure WebSEAL to
read more.

APAR IV37805
Symptom: OPTION TO HAVE MAX-JCT-READ (INTRODUCED BY APAR IV31209) AS
PER-JUNCTION CONFIGURABLE PARAMETER
The new max-jct-read configuration parameter can now be configured
on a per-junction basis.


APAR IV38256
Symptom: CREATESESSION NETWORK ERROR RESULTS IN STALE SMS SESSIONS
If a network error occurs when sending a new session to the SMS
it can sometimes result in the creation of a session in the SMS
which never times out and lives forever.

APAR IV38246
Symptom: MISSING HEADER IN NON-PERSISTENT CONNECTIONS
WebSEAL does not send 'Connection: Close' to backend servers, even
if max-cached-persistent-connections = 0. This differs from
behavior in previous releases and has been observed to be
associated with thread congestion on certain junctioned web servers.

APAR IV38519
Symptom: ADD LOCKING IMPROVEMENTS TO JUNCTION CONNECTION POOL
WebSEAL utilises locking to protect the pool of connections to
junctioned servers from multi-threaded access. Some improvements
have been made to this locking which should improve performance
when under load.


APAR IV38319
Symptom: SNI SUPPORT
WebSEAL now supports the 'Server Name Indication' extension to
SSL. This allows WebSEAL to serve up different server
certificates based on the host that the client requests.
NB: The ability to serve up host-specific certificates is dependent
on a client which also supports SNI. SNI is configured by
the new webseal-cert-keyfile-sni configuration entry within the
'[ssl]' stanza.

APAR IV38031
Symptom: ENHANCE ENCODED URL FILTERING
Not all URL encoding methods used in HTML pages by products
such as SAP can be filtered correctly by WebSEAL.

APAR IV38477
Symptom: WEBSEAL: ALLOW X-FORWARD HDRS TO BE INSERTED
WebSEAL currently has no way of forwarding certain elements from
the original request to junctioned applications. Of particular
interest are things like the original Host header (WebSEAL will
substitute this header with its own Host header). The existing
'[header-names]' configuration stanza has now been extended so that
additional headers can be created on each request.

APAR IV38479
Symptom: CLEAR SSO TOKENS ON RE-AUTHENTICATION
WebSEAL has the ability to cache SSO tokens which have been
created by TFIM for future play-back on subsequent junction
requests. These SSO tokens are not being cleared on a
re-authentication, which means that subsequent requests could
be providing obsolete SSO tokens.

Plug-in for Web Servers
-----------------------

APAR IV38297
Symptom: WEB PLUGIN "PRE-510-COMPATIBLE-TOKEN SUPPORT MISSING"
When WebSEAL has 'pre-510-compatible-tokens = true' and is using
WebPI as an ECSSO MAS, it cannot decode the vouch-for token.
WebSEAL will log the following error: 'DPWWA1975W Unable to decode
Vouch-For Token'. WebPI has a pre-410-compatible-tokens configuration
item but also needs a pre-510-compatible-tokens configuration item.

APAR IV38299
Symptom: WEBPI SMS COOKIE FORMAT INCOMPATIBLE WITH WEBSEAL
WebSEAL changed the format of the session cookie in TAM 611. The
corresponding change has not been made to WebPI. As a result,
single sign-on between WebSEAL and WebPI fails in an SMS
environment.

APAR IV38320
Symptom: WRONG ERROR MESSAGE DISPLAYED IF THE WRONG SSL KEYFILE PASSWORD IS
SUPPLIED TO THE WEBPI CONFIGURATION PROGRAM
When configuring the ISAM Plug-in for Web servers using the
pdconfig utility, if a wrong password value is supplied for
the ssl key file, the configuration program displays the following
inappropriate error message:

HPDAC0923E An invalid LDAP server SSL keyfile was specified. \
Enter the LDAP SSL client key file password

Prerequisites

IBM Global Security Toolkit (GSKit) version 8.0.50.3 (US English, all platforms):
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/IBM+Global+Security+Kit&release=8.0.50.3&platform=All&function=all

Installation Instructions

3.0 BEFORE INSTALLING THIS PATCH
--------------------------------
Before installing this patch, review the following prerequisites and
dependencies.


3.1 Back up Security Access Manager data

Before applying any maintenance, be sure to back up your system. Use
the pdbackup command provided with the Security Access Manager product
to back up Security Access Manager-specific data. Documentation for the
pdbackup command is located in the "IBM Security Access Manager for Web,
Version 7.0, Command Reference".

The patch installation installs the pdweb_start script as pdweb_start.fixpack.
This name prevents your current pdweb_start script from being overwritten
during the installation. If you are installing the fix pack on an AIX,
Linux, or Solaris system or you have customized your pdweb_start
script, consider making a backup copy of the pdweb_start script before you
install the fix pack. Depending on your use of the script, consider merging
the content of your customized script with the content of the
pdweb_start.fixpack script.

3.2 Upgrade GSKit to Version 8.0.50.3

Note:
IBM Global Security Toolkit (GSKit) version 7.0.4.33 and higher supports
RFC 5746 (TLS Renegotiation Indication Extension). Therefore, the security
exposure CVE-2009-3555 (TLS/SSL Protocol Vulnerability) is not applicable
to these versions of GSKit.

Upgrade the IBM Global Security Toolkit (GSKit) to version 8.0.50.3
before installing the Tivoli Access Manager packages in this patch.

The updated GSKit installation packages may be downloaded at the URL:

http://www-933.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Tivoli&product=ibm/Tivoli/IBM+Global+Security+Kit&release=8.0.50.3&platform=All&function=all&source=fc

Instructions for installing GSKit may be found in the IBM Security Access Manager
for Web Installation Guide, under the section "Chapter 4. Installing and configuring
component prerequisites > Installing the IBM Global Security Kit (GSKit)".


4.0 INSTALLING THIS PATCH
-------------------------
NOTE: Before installing this patch, be sure that you have reviewed the
prerequisites and have completed the backup procedure in section 3.0,
"BEFORE INSTALLING THIS PATCH".

If the Security Access Manager product is distributed over multiple machines,
this patch must be applied to all Security Access Manager systems within a
secure domain.

The patch images for Windows platforms are self-extracting executables.
For AIX, Linux, and Solaris platforms, the patch image is a compressed tar
file that can be untarred by a command like the following:

zcat Compressed-Patch-tar-Image | tar -xvf -

This README assumes that $PATCH (or %PATCH% for Windows) is the path to
your temporary directory.



4.1 Installing this patch on an AIX, Linux, or Solaris system

1. Log in to the system as root.

2. Extract the archive into a temporary directory. For the purpose of this
README, assume that the symbol $PATCH points to this temporary directory.

3. Stop the Security Access Manager processes.

a. Stop the Security Access Manager Base and WebSEAL processes:

/opt/PolicyDirector/bin/pd_start stop

4. At the command prompt, enter the following command to install the patch:


On AIX systems:

- installp -a -g -X -d $PATCH <package>

where <package> is one of the following:

PDWeb.RTE     Specifies the Security Access Manager Web Security Runtime
PDWeb.Web     Specifies the Security Access Manager WebSEAL
PDWeb.ADK     Specifies the Security Access Manager Web Security ADK
PDSMS.CLI     Specifies the Session Management Server Command Line Interface
PDSMS.SMS     Specifies the Session Management Server
PD.WPI        Specifies the Security Access Manager Plug-in for Web Servers
PD.WPIIHS     Specifies the Security Access Manager Plug-in for IBM HTTP Server
PD.WPIApache  Specifies the Security Access Manager Plug-in for Apache Web Server



On Linux systems:

- rpm -U <patchname>

where <patchname> is one of the following:

Linux on x86-64

PDWebRTE-PD-7.0.0-1.x86_64.rpm
PDWebADK-PD-7.0.0-1.x86_64.rpm
PDWeb-PD-7.0.0-1.x86_64.rpm
PDSMS-CLI-7.0.0-1.x86_64.rpm
PDSMS-PD-7.0.0-1.x86_64.rpm
PDWPI-PD-7.0.0-1.x86_64.rpm
PDWPI-Apache-7.0.0-1.x86_64.rpm
PDWPI-IHS-7.0.0-1.x86_64.rpm

Linux on System z

PDWebRTE-PD-7.0.0-1.s390x.rpm
PDWebADK-PD-7.0.0-1.s390x.rpm
PDWeb-PD-7.0.0-1.s390x.rpm
PDSMS-CLI-7.0.0-1.s390x.rpm
PDSMS-PD-7.0.0-1.s390x.rpm
PDWPI-PD-7.0.0-1.s390x.rpm
PDWPI-Apache-7.0.0-1.s390x.rpm
PDWPI-IHS-7.0.0-1.s390x.rpm


On Solaris SPARC Operating Environment systems

For Solaris SPARC 10:
- cd $PATCH

patchadd -t -G <patch-pkg>

Note: If an error occurs (for example, "The -t or -C options cannot
be used with -G option"), while installing the patch on Solaris
10 with zones, use the following command:

/usr/lib/patch/patchadd -G <patch-pkg>

where <patch-pkg> is one of the following in the patch-pkg column:

<patch-pkg> <package>
--------------------------- ---------
PDWEBRTE000700-01 PDWebRTE
PDWEBADK000700-01 PDWebADK
PDWEB000700-01 PDWeb
PDSMSCLI0007000-01 PDSMSCLI
PDSMS000700-01 PDSMS
PDWPI000700-01 PDWPI
PDWPIIHS000700-01 PDWPIihs
PDWPIAPA000700-01 PDWPIapa

For Solaris SPARC 11:
- cd $PATCH

cd <patch-pkg>
where <patch-pkg> is one of the following in the patch-pkg column:

<patch-pkg> <package>
--------------------------- ---------
PDWEBRTE000700-01 PDWebRTE
PDWEBADK000700-01 PDWebADK
PDWEB000700-01 PDWeb
PDSMSCLI0007000-01 PDSMSCLI
PDSMS000700-01 PDSMS
PDWPI000700-01 PDWPI
PDWPIIHS000700-01 PDWPIihs
PDWPIAPA000700-01 PDWPIapa

pkgadd -G -d . <package>
where <package> is the corresponding package listed above in the
patch-pkg directory.

5. Restart the Security Access Manager processes:

/opt/PolicyDirector/bin/pd_start start


4.2 Installing this patch on a Windows system

1. Log in to the Windows system as the Administrator.

2. Stop all Security Access Manager services.

From the Windows Desktop, click:
Start->Settings->Control Panel->Administrative Tools->Services,
right-click the service name, and then click Stop.
Repeat this for each Security Access Manager service.

If the Web plug-in is being used:
a. Click:
Start->Settings->Control Panel->Administrative Tools->Services
Right-click Security Access Manager Plug-in Servers,
and then click Stop.
b. To confirm your action, click Yes.
c. Stop the IIS server using the Internet Services Manager.

3. Unpack the self-extracting archive into a temporary directory.
For the purpose of this README, assume that %PATCH% points to this
temporary directory.

4. Change to the patch directory:

cd %PATCH%

For each component to apply service to, run the following command:

<component directory>/Disk Images/Disk1/setup.exe

List of component directory names:
PDWebRTE
PDWebADK
PDWeb
PDSMSCLI
PDSMS
PDWebPI

5. Restart Security Access Manager services:

From the Windows Desktop, click:
Start -> Settings -> Control Panel -> Administrative Tools -> Services,
right-click the service name, and then click Start.
Repeat this for each Security Access Manager service.

If the Web Plug-in is being used:
a. Click Security Access Manager Plug-in Servers -> Start.
b. Start the IIS server using the Internet Services Manager.

6. Restart the processes associated with other Security Access Manager
products that were stopped in step 2.

4.3 Configuring SMS Server Patch

The PDSMS installation places two files in the ear subdirectory of the SMS
install location which are required to update the DSess and DSessConfig
WebSphere applications. Once the updates are configured in WebSphere,
there is no way to unconfigure them.

The configuration steps are:

1. Login to the Websphere Admin Console

2. Go to the Application list (Applications->Enterprise Applications)

3. Select the DSess application and click on the update button.

4. Select the "partial application" option and the local file system, browse
to the DSess-update.zip file in the ear subdirectory, and click Next

5. Click OK

6. Save changes to the Master Configuration

7. Go to the Application list (Applications->Enterprise Applications)

8. Select the DSessConfig application and click on the update button.

9. Select the "partial application" option and the local file system, browse
to the TAMSMSConfig-update.zip file in the ear subdirectory, and click Next

10. Click OK

11. Save changes to the Master Configuration

12. Go to the Application list (Applications->Enterprise Applications)

13. Stop and start both the DSess and DSessConfig applications (i.e., select
both and click Stop/Start)

README: 7.0.0-ISS-AWS-FP0001.README (US English)
http://www.ibm.com/support/fixcentral

Download Package

7.0.0-ISS-AWS-FP0001-AIX.tar.Z (AIX, 29 Mar 2013, 39928427 bytes, US English)
http://www.ibm.com/support/fixcentral/quickorder?source=dbluesearch&product=ibm%2FTivoli%2FIBM%20Tivoli%20Access%20Manager%20for%20e-business&vrmf=7.0.0&fixids=7.0.0-ISS-SAM-FP0001-AIX

7.0.0-ISS-AWS-FP0001-LIN.tar.Z (Linux, 29 Mar 2013, 26609729 bytes, US English)
http://www.ibm.com/support/fixcentral/quickorder?source=dbluesearch&product=ibm%2FTivoli%2FIBM%20ISSoli%20Access%20Manager%20for%20e-business&vrmf=7.0.0&fixids=7.0.0-ISS-SAM-FP0001-LIN

7.0.0-ISS-AWS-FP0001-S390x.tar.Z (Linux on zSeries, 29 Mar 2013, 26172948 bytes, US English)
http://www.ibm.com/support/fixcentral/quickorder?source=dbluesearch&product=ibm%2FTivoli%2FIBM%20ISSoli%20Access%20Manager%20for%20e-business&vrmf=7.0.0&fixids=7.0.0-ISS-SAM-FP0001-S390

7.0.0-ISS-AWS-FP0001-SOL.tar.Z (Solaris, 29 Mar 2013, 30920595 bytes, US English)
http://www.ibm.com/support/fixcentral/quickorder?source=dbluesearch&product=ibm%2FTivoli%2FIBM%20ISSoli%20Access%20Manager%20for%20e-business&vrmf=7.0.0&fixids=7.0.0-ISS-SAM-FP0001-SOL

7.0.0-ISS-AWS-FP0001-WIN.zip (Windows Server, 29 Mar 2013, 62367814 bytes, US English)
http://www.ibm.com/support/fixcentral/quickorder?source=dbluesearch&product=ibm%2FTivoli%2FIBM%20ISSoli%20Access%20Manager%20for%20e-business&vrmf=7.0.0&fixids=7.0.0-ISS-SAM-FP0001-WIN

Problems (APARS) fixed
IV38313, IV38034, IV38036, IV38312, IV38245, IV38314, IV38347, IV38317, IV37805, IV38256, IV38246, IV38319, IV38031, IV38477, IV38479, IV38514, IV38519, IV38297, IV38299, IV38320

Document Information

Software version:
7.0

Document number:
313393

Modified date:
15 June 2018

UID

swg24034652