Download
Abstract
This is a cumulative Fix Pack for a variety of problems in the components that compose the Tivoli Federated Identity Manager Business Gateway 6.2.0 product.
Download Description
This cumulative fix pack corrects problems in IBM Tivoli Federated Identity Manager Business Gateway (Federated Identity Manager Business Gateway), Version 6.2.0. It requires that Federated Identity Manager Business Gateway, Version 6.2.0, be installed. After installing this fix pack, your Federated Identity Manager Business Gateway installation will be at level 6.2.0.8.
Fix pack contents and distribution
This fix pack package contains:
- The fix pack zip file
- This README.
This fix pack is distributed as an electronic download from the IBM Support Web Site.
IMPORTANT NOTICE
Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476)
This Security Alert addresses a serious security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability may cause the Java Runtime Environment to go into a hang, infinite loop, and/or crash resulting in a denial of service exposure. This same hang may occur if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program using the Double.parseDouble method is also at risk of this exposure including any customer written application or 3rd party written application.
The following products contain affected versions of the Java Runtime Environment:
- IBM WebSphere Application Server Versions 7.0 through 7.0.0.13 for Distributed, i5/OS and z/OS operating systems.
- IBM WebSphere Application Server Versions 6.1 through 6.1.0.35 for Distributed, i5/OS and z/OS operating systems.
- IBM WebSphere Application Server Versions 6.0 through 6.0.2.43 for Distributed, i5/OS and z/OS operating systems.
The same iFix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the iFix, see http://www-01.ibm.com/support/docview.wss?uid=swg21462019
The IBM WebSphere Update Installer (WUI) must be used to apply the fix. If the WUI has not previously been installed, it can be downloaded from http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer access here.
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.
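Request logs can be screened for the value this notice describes, in both the scientific and the 324-decimal-place form. The script below is an added example, not IBM's code and not part of the iFix; the access-log layout, the /app/rate path and the sample lines are constructed. The match is deliberately conservative, so it also flags the neighbouring value 2.2250738585072014e-308 (the smallest normal double).

```shell
#!/bin/sh
# Added example: flag log lines that carry the CVE-2010-4476 trigger value.
# The log layout and every sample line are constructed for illustration.

# suspect_lines FILE -> prints the line number of every suspect line.
# The decimal point is removed before matching, so the scientific form and
# the plain-decimal form reduce to the same digit run.
suspect_lines() {
    awk '{
        s = $0
        gsub(/%2[Ee]/, ".", s)   # undo URL-encoding of the decimal point
        gsub(/\./, "", s)        # the digits matter, not where the point sits
        if (index(s, "2225073858507201")) print NR
    }' "$1"
}

# sample_log -> constructed access-log lines:
#   1  ordinary small number                 (not flagged)
#   2  scientific form from the notice       (flagged)
#   3  plain-decimal form, 324 places        (flagged)
#   4  scientific form, URL-encoded point    (flagged)
#   5  smallest normal double                (flagged: accepted false positive)
sample_log() {
    zeros=$(printf '%0307d' 0)   # 307 zeros + 17 digits = 324 decimal places
    printf '%s\n' \
      '192.0.2.10 "GET /app/rate?value=1.5e-3 HTTP/1.1" 200' \
      '192.0.2.11 "GET /app/rate?value=2.2250738585072012e-308 HTTP/1.1" 200' \
      "192.0.2.12 \"GET /app/rate?value=0.${zeros}22250738585072012 HTTP/1.1\" 200" \
      '192.0.2.13 "GET /app/rate?value=2%2E2250738585072012e-308 HTTP/1.1" 200' \
      '192.0.2.14 "GET /app/rate?value=2.2250738585072014e-308 HTTP/1.1" 200'
}

# Stand-alone use: sh scan.sh /path/to/access.log
if [ "$#" -eq 1 ]; then
    suspect_lines "$1"
fi
```

The same normalisation can sit in front of any input path that ends in Double.parseDouble, which the notice names as the exposed method.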
Architectures
This fix pack package supports the same operating system releases that are listed in the Hardware and software requirements topic for the Federated Identity Manager Business Gateway Version 6.2.0.
Fix packs superseded by this fix pack
6.2.0-TIV-TFIMBG-FP0001
6.2.0-TIV-TFIMBG-FP0002
6.2.0-TIV-TFIMBG-FP0003
6.2.0-TIV-TFIMBG-LA0004
6.2.0-TIV-TFIMBG-LA0005
6.2.0-TIV-TFIMBG-LA0006
6.2.0-TIV-TFIMBG-LA0007
Federated Identity Manager Business Gateway consists of the following components that can be installed separately:
- Administration console
- Management service and runtime component
- Internet information services (IIS) Web plug-in
- Apache/IBM HTTP Server Web plug-in
- IBM Support Assistant plugin
This fix pack applies only to the administration console and management service and runtime components (first two components listed above). These two components must be at the same level. Therefore, if you install a fix pack for either the administration console component or the management service and runtime component, you must install the corresponding fix pack for the other of these two components. If the administration console and management service and runtime components are not at the same fix pack level, they are not guaranteed to interoperate with each other as designed.
APARs and defects fixed
Problems fixed by fix pack 6.2.0-TIV-TFIMBG-FP0008
The following problems are corrected by this fix pack. For more information about the APARs listed here, refer to the Federated Identity Manager Business Gateway support site.
- APAR IZ91581
- SYMPTOM: SECURENONCEGENERATOR NOT READING THE RIGHT AMOUNT OF TIME BYTES.
- APAR IZ84999
- SYMPTOM: Some of TFIM Console portlet pages cannot be displayed when it is installed in WAS 7 FP 11.
- APAR IZ71906
- SYMPTOM: ITFIM console install fails if the wsadmin default script language is set to Jython.
- APAR IZ85972
- SYMPTOM: XML PARSING OF INCOMING SAML MESSAGE FAILS WHEN MACHINE LOCALE IS NOT UTF8-COMPATIBLE AND UTF-8 EXTENDED CHARACTERS APPEAR IN MSG.
- APAR IZ90562
- SYMPTOM: PROVIDER NAME NEEDS TO BE PART OF THE AUTHENTICATION REQUEST.
- APAR IZ85971
- SYMPTOM: TFIM FAILS TO LOAD SAML METADATA WITH ENTITIES DESCRIPTOR
- APAR IZ85765
- SYMPTOM: FEDERATION PARTNER UPDATE MODIFIES NON-ZERO ACS URL INDEX.
- APAR IZ85970
- SYMPTOM: SAML 2.0 BEARER SUBJECT CONFIRMATION DATA PROCESSING NOT CONFORMANT.
- APAR IZ85967
- SYMPTOM: CONSOLE WILL NOT SHOW LIST OF KEYS ON WEBSPHERE 7.0.0.11.
- APAR IZ85968
- SYMPTOM: STATE INFORMATION IN SOME FEDERATION PROTOCOLS INVALID.
- APAR IZ85966
- SYMPTOM: TFIM SAML 2.0 metadata is not properly formatted when TFIM is running on the latest versions of the WebSphere Application Server.
- APAR IZ76766
- SYMPTOM: NPE TRYING TO LOAD CONFIG INSTANCE IN TDI MAPPING RULE.
- APAR IZ85286
- SYMPTOM: SAML STS MODULES CALCULATES WRONG VALIDITY PERIOD OF ASSERTION.
- APAR IZ76141
- SYMPTOM: Missing InResponseTo attribute in samlp:Response error responses.
- APAR IZ50813
- SYMPTOM: TFIM CLI Commands are not registered properly on WAS 7.0.
- APAR IZ70082
- SYMPTOM: Exception occurs when using only.alias key selection criteria and the same key appears under multiple aliases.
- APAR IZ66147
- SYMPTOM: The TFIM artifact lookup routine can consume threads if the artifact received is not in the cache.
- APAR IZ61855
- SYMPTOM: Using the TFIM ISC console it is possible to remove a default mapping rule after the federation has been created.
- APAR IZ64190
- SYMPTOM: The TFIM SAML 2.0 SPS module throws a NullPointerException if an issuer value is not included on the SAML Response message.
- APAR IZ90560
- SYMPTOM: The fimivt application incorrectly relies on the provider id of the Service Provider to build the TARGET url for Single Sign On.
- APAR IZ69868
- SYMPTOM: TFIM 6.2.0 will always sign the outgoing SAML response and SAML assertion when the HTTP/SOAP binding is used.
- APAR IZ69507
- SYMPTOM: The TFIM SAML 2.0 SPS Module does not create a session when the SAML AuthnRequest is received over the SOAP endpoint.
- APAR IZ74720
- SYMPTOM: The ITFIM console metadata support fails to validate that mandatory endpoints are included. The SPSSODescriptor requires at least one AssertionConsumerService endpoint and the IDPSSODescriptor requires at least one SingleSignOnService url.
- APAR IZ74280
- SYMPTOM: The ITFIM console partner properties page for a SAML 2.0 partner does not allow the user to modify the signature validation settings once set to typical or all signature settings.
- APAR IZ72439
- SYMPTOM: The ITFIM Alias Service fails to provide enough information to differentiate between a fatal error reading aliases and the typical alias not found return.
- APAR IZ74795
- SYMPTOM: ITFIM fails to send back a SOAP fault when an AuthnRequest with an invalid Issuer is received through the SOAP binding.
- APAR IZ74793
- SYMPTOM: The TFIM SAML SSO Module should add appropriate information on the SAMLResponse message to allow exploiters to debug the reasons for artifact resolution failures.
- APAR IZ82855
- SYMPTOM: Custom authorization tokens with attributes added by TAI are not processed by TFIM when creating a local token for TFIM with WebSphere point of contact.
- APAR IZ82849
- SYMPTOM: When Chinese language page templates contain RPT / eRPT macro blocks and any text within those blocks contains DBCS characters, the RPT block is not filled in correctly when TFIM returns the page template.
- APAR IZ82851
- SYMPTOM: If a service provider sends an SSO request containing the requested NameIDFormat of urn:oasis:names:tc:SAML:1.1:name-format:unspecified the IDP implementation treats this as a persistent name identifier even if the DefaultNameIDFormat parameter for the partner of the federation is set to a different name id format.
- APAR IZ82866
- SYMPTOM: Migration fails for federations containing custom modules.
- APAR IZ82871
- SYMPTOM: The TFIM Liberty SPS Module fails to serialize objects on the distributed cache.
- APAR IZ82869
- SYMPTOM: The SAML 2.0 SPS module fails to apply the appropriate signature policy when the AuthnRequest is received using the artifact binding.
- APAR IZ82864
- SYMPTOM: Wrong Target URL received at the Service Provider when doing an Identity Provider initiated Single Sign On using the Artifact Binding.
- APAR IZ82865
- SYMPTOM: The identity provider behind a WebSphere point of contact throws a NullPointerException upon receiving a Single Logout Request from a service provider behind WebSEAL.
- APAR IZ82856
- SYMPTOM: TFIM generated nonce value might have invalid characters in some situations.
- APAR IZ66397
- SYMPTOM: Key alias not used to select key for XML signature and validation.
- APAR IZ82868
- SYMPTOM: The ITFIM SAML 2.0 STS module is not honoring the default name id format parameter setting.
- APAR IZ82867
- SYMPTOM: The ITFIM SAML 2.0 SPS module requires assertion signature even when the enclosing document is signed.
- APAR IZ82870
- SYMPTOM: The SAML 2.0 SPS module signs the assertion in instances where the signature policy indicates that the assertion should not be signed.
- APAR IZ82852
- SYMPTOM: The ITFIM SAML 2.0 STS module fails to validate a SAML 2.0 Assertion containing the NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
- APAR IZ82874
- SYMPTOM: Recipient checking is not performed correctly by the SAML browser post support.
- APAR IZ82853
- SYMPTOM: Invalid URL encoding of the RelayState parameter being performed by the SAML 2.0 SPS module.
- APAR IZ83543
- SYMPTOM: Signed XML strings may be incorrectly encoded if the default file encoding for the operating system platform is not UTF-8 (e.g. Windows or AIX).
- APAR IZ66695
- SYMPTOM: JDBC alias service is case sensitive for username.
- APAR IZ40010
- SYMPTOM: TFIM IDP displays blank page when initiating solicited SSO for a second time.
- APAR IZ41865
- SYMPTOM: The solution was to pass the relay state to the URL so that customers can use the capability to override the target URL using the credential attribute we already support.
- APAR IZ44890
- SYMPTOM: When sending a Kerberos token to the Security Token Service the following error gets returned
- APAR IZ46723
- SYMPTOM: When upgrading an expired validation and encryption certificate, the keystore "view keys" shows the certificate as expired.
- APAR IZ46765
- SYMPTOM: The Where Are You From (WAYF) Cookie lifetime needs to be configurable via the gui.
- APAR IZ47454
- SYMPTOM: Passticket module incorrect logging verbosity.
- APAR IZ47952
- SYMPTOM: When using samlsso and adding a target url with query string the parameters are lost and don't make it to the SP.
- APAR IZ50906
- SYMPTOM: SOAP faults are returned for WS-Trust validates request types.
- APAR IZ51243
- SYMPTOM: The init URL for unsolicited AuthnResponse has a Target query string parameter that allows the requester to inject JavaScript that will be executed when the request is sent to the service provider.
- APAR IZ51457
- SYMPTOM: When a runtime node is not configured a NullPointerException will be displayed in the browser when a sign-on transaction is attempted.
- APAR IZ51459
- SYMPTOM: An incorrect ByteArrayOutputStream class was used that is not supported on all platforms.
- APAR IZ52979
- SYMPTOM: TFIM Fails to enforce signature policy properly for assertion.
- APAR IZ53517
- SYMPTOM: When calling the artifact service and passing in an assertion to get back an artifact, if a custom module encounters an error and generates an exception stack trace that includes some special characters the Artifact service fails to include the exception on the SOAP Fault.
- APAR IZ54678
- SYMPTOM: SAML 2.0 Configuration objects did not implement the Serializable interface.
- APAR IZ55551
- SYMPTOM: The Management Console fixpack installation appears to complete successfully but the console doesn't operate correctly.
- APAR IZ56179
- SYMPTOM: UPDATING THE PARTNER VIA PROPERTIES PAGE CORRUPTS THE CONFIG
- APAR IZ56265
- SYMPTOM: TFIM fails to split url properly if "sps" is in the hostname.
- APAR IZ56459
- SYMPTOM: After unlinking account, under some circumstances the Alias entry will not be removed.
- APAR IZ56548
- SYMPTOM: TFIM supported Oracle database for the TFIM alias service, but attempts to use Oracle displayed errors.
- APAR IZ60816
- SYMPTOM: Federation stops at https://ecarl16.bc/fim/sps/wssoi screen
- APAR IZ62620
- SYMPTOM: Authorization decision query returning invalid decision query
- APAR IZ62955
- SYMPTOM: SAML 1.X module does not validate recipient value on response
- APAR IZ63597
- SYMPTOM: WS-TRUST 1.2 RequestSecurityTokenResponse message is different than TFIM 6.0.0 response message.
- APAR IZ63967
- SYMPTOM: When TFIM returns HTTP Cookies to the browser none of the secure bits are set.
- APAR IZ47754
- SYMPTOM: ManageNameID defederate to an SP where the alias does not exist
- APAR IZ48248
- SYMPTOM: SAML 2.0 IDP incorrectly processes unspecified nameid format and always treats unspecified as a persistent id.
- APAR IZ49157
- SYMPTOM: OpenID Caches are not per-federation
- APAR IZ48258
- SYMPTOM: OpenID relying-party association cache indexing error
- APAR IZ48262
- SYMPTOM: SOAP Client fails to initialize if using trust store with password
- APAR IZ66903
- SYMPTOM: HMAC-SHA256 ASSOC TYPE FAILS WITH NO-ENCRYPTION SESSION TYPE
- APAR IZ66905
- SYMPTOM: INCORRECT HANDLING OF LOST ASSOCIATION
- APAR IZ66908
- SYMPTOM: POST MESSAGE TO RETURN_TO URL SHOULD USE QUERY STRING IF POSSIBLE
- APAR IZ66770
- SYMPTOM: Form Post parameters should always be HTML encoded.
- APAR IZ66771
- SYMPTOM: INTERNAL APAR FOR TFIM 620 BUILD UPDATES
- APAR IZ66772
- SYMPTOM: INTERNAL APAR FOR TFIM 620 POINT OF CONTACT UPDATES
- APAR IZ66773
- SYMPTOM: Internal apar for SAML conformance updates
- APAR IZ52557
- SYMPTOM: The Event Handler extension point does not have access to event trail id.
- APAR IZ52563
- SYMPTOM: tfimcfg tool doesn't work correctly in a multi-TAM domain
- APAR IZ48249
- SYMPTOM: SAML 2.0 Service Provider cannot validate SSL certificate on a list of trusted signers
- APAR IZ48044
- SYMPTOM: IDP source validation cannot be done because the SAML 1.x browser-artifact doesn't contain the IDP source. Relying parties must be able to check in the mapping rule that the Issuer contained in an assertion comes from the expected IDP partner. Without this capability rogue IDPs can spoof other IDPs' assertion issuers.
- APAR IZ48047
- SYMPTOM: A NullPointerException occurs when the SAML 2.0 Response does not contain an issuer.
- APAR IZ48049
- SYMPTOM: TFIM complains "invalid_message_timestamp" when it receives an AuthnRequest with a SAML 2.0 IssueInstant with the date time format of "2008-07-01T13:30:50.830773Z".
- APAR IZ48052
- SYMPTOM: Calls to IDMappingExtUtils.AddAliasForUser (which is typically made from a mapping rule) appear to succeed for non-existent users when they actually do not succeed. No alias is added. This problem is only applicable on systems with the TFIM Alias service set to LDAP using TAM.
- APAR IZ48054
- SYMPTOM: When running TFIM using WAS as the Point of Contact at the SP and WebSEAL at the IDP, you will get a null pointer exception when logout is invoked from the Service Provider after a successful SSO.
- APAR IZ48217
- SYMPTOM: Routine build maintenance
Problems fixed by fix pack 6.2.0-TIV-TFIMBG-FP0003
Problems fixed by fix pack 6.2.0-TIV-TFIMBG-FP0002
Problems fixed by fix pack 6.2.0-TIV-TFIMBG-FP0001
- APAR IZ32487
- SYMPTOM: SAML 2.0 sessions expire immediately if the Amount of time the assertion is valid property is set to 4294080 seconds or greater (49.7 days or greater).
- APAR IZ29211
- SYMPTOM: A failure could occur while performing a SAML 2.0 single logout with the Service Provider, if the assistant name identifier was configured for the federation. The reported error was FBTSML219E.
- APAR IZ29167
- SYMPTOM: The underlying secure protocol of an HTTPS connection created by Federated Identity Manager Business Gateway is hard-coded to be SSL.
- APAR IZ30074
- SYMPTOM: A timestamp is embedded within a passticket, but the time value interval is only granular to a full second.
- APAR IZ30083
- SYMPTOM: An error could occur when attempting to run the tfimcfg tool in a Sun Solaris(TM) environment. The error was seen after the WebSEAL hostname was provided. The reported error stated that HTTPS is not a recognized protocol.
- APAR IZ30053
- SYMPTOM: A performance degradation problem could occur when a federated single sign-on is attempted using LDAP registries containing millions of federated users. Depending on system and network conditions, a single sign-on operation could fail due to timeouts. The associated error reported a bad subtree search in LDAP.
- APAR IZ30076
- SYMPTOM: LTPA v2 issued tokens that were rejected by WebSphere Application Server versions 6.0.2 and 6.1.
- APAR IZ30078
- SYMPTOM: Logging and tracing could not be set for identity mapping from within an XSLT rule.
- APAR IZ30080
- SYMPTOM: An XSLT identity mapping failure occurred when using the alias server with JDBC. See IZ30080 for more information.
- APAR IZ34568
- SYMPTOM: The mode for LDAP Servers under Alias Service settings will always display 'Read only' upon logging into the admin console.
- APAR IZ34570
- SYMPTOM: When an RST is sent to the STS with an empty textnode for either the AppliesTo, PortType or OperationName a null pointer exception is thrown.
- APAR IZ34572
- SYMPTOM: The Higgins Client Jars directory adks/client/sts is missing some dependency JARs and includes unnecessary server JARs.
Prerequisites
You must have the following software installed in order to install this fix pack:
- Federated Identity Manager Business Gateway 6.2.0 and its prerequisites
- WebSphere Update Installer version 7.0.0.0 (see Update Installer below)
- Enablement fix for Tivoli Federated Identity Manager (see Preinstallation enablement requirement for installing the fix pack for the first time below)
Installation Instructions
Be aware of the following considerations before installing this fix pack:
- Installation path specification for the Windows Server 2008 platform
- This preinstallation item applies only to installations on a 64-bit Windows platform like Windows Server 2008.
Because Federated Identity Manager Business Gateway is a 32-bit application, its default path when installing on Windows Server 2008 changes from
C:\Program Files\IBM\FIM
to:
C:\Program Files (x86)\IBM\FIM
Note that this change to the installation path name also affects a 32-bit WebSphere Application Server on Windows Server 2008:
C:\Program Files\IBM\WebSphere
changes to:
C:\Program Files (x86)\IBM\WebSphere
- Update Installer
- This fix pack requires the use of the WebSphere Update Installer version 7.0.0.0. Ensure that you have installed the correct version of the WebSphere Update Installer on each computer where you will install the fix pack. You can download the WebSphere Update Installer version 7.0.0.0 from the WebSphere Application Server Update Installer Web site. Installation instructions are on the download page.
- Fix pack packaging
- This Tivoli Federated Identity Manager Business Gateway 6.2.0-TIV-TFIMBG-FP0008 patch package is provided on the Tivoli Support Web site as a single downloadable zip file for each supported platform. After you select the package that is appropriate for the target platform, download the package and unzip the contents into a target directory, typically the default WebSphere Update Installer directory, either
C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance
for Windows or
/opt/IBM/WebSphere/UpdateInstaller/maintenance
for Unix/Linux.
You must unzip the downloaded file before you attempt to apply the patch. The unzipped contents are one or more pak files. Each pak file corresponds to one or more product components. For example, a fix pack might contain two pak files: one for the administration console and management service and runtime components, and one for the WSSM component. The full list of product components is described in Fix pack structure.
You use WebSphere Update Installer to apply the fixes of each pak file to the target component on the system that you are updating. Apply all of the pak files that are required by your installation to ensure that the software levels in your environment are identical for all of the components for which a pak file is supplied. The fixes are tested against all affected components; therefore, to minimize any possible issue that can arise from applying a partial fix, ensure that you apply the complete set of files. See Installing the fix pack for specific instructions on using Update Installer to apply the fixes.
- Automatic creation of a backup directory
- The Update Installer saves backup copies of the files that it replaces during the installation. You do not need to manually back up the Federated Identity Manager Business Gateway files.
Preinstallation enablement requirement for installing the fix pack for the first time
If this is the first time you are applying the fix pack to Federated Identity Manager Business Gateway, you must download and install the enablement fix for Tivoli Federated Identity Manager Business Gateway.
NOTE: Perform the following steps only if this is the first time you are applying a fix pack. You will not need to perform these steps for subsequent product updates.
- Download the enablement fix into the Federated Identity Manager Business Gateway installation directory (typically C:\Program Files\IBM\FIM on Windows systems, or /opt/IBM/FIM on UNIX-based systems) by clicking here.
- Use the unzip option of the zip program for your operating system to unzip the file. On HP-UX, either use jar -xvf to unzip the file or download an unzip utility from the HPUX Connect site.
NOTE: If you are prompted to overwrite existing files, accept it so that the target files are overwritten.
Once the above pre-installation instructions have been followed you are ready to actually install the fix pack.
To obtain the fix pack:
- Go to the IBM Tivoli Federated Identity Manager Business Gateway Support Web site.
- Click Download. The fix pack (6.2.0-TIV-TFIMBG-FP0008) should be listed under Latest by date. If you do not see this fix pack listed, enter "6.2.0-TIV-TFIMBG-FP0008" in the Search field to access the link to the download window.
- In the fix pack download window, scroll to the bottom of the window to view a listing of the download packages by platform.
- Select the platform that corresponds to the target platform where you will apply the fixes. To ensure a secure download, you can select the DD (Download Director) option. If you have not used Download Director before, you will need to configure your browser to use Java security. Click What is DD? for configuration instructions.
Setting the WebSphere security passwords
If security is enabled on the WebSphere Application Server
where Federated Identity Manager Business Gateway is installed, you must set
the appropriate password values in the fim.appservers.properties file before you can
apply the fix pack.
If security is not enabled, you can skip this step.
NOTE: If you add passwords to the fim.appservers.properties file, as described below,
you specify these passwords using plain text. However, at the end of the fix pack
installation process these passwords are obfuscated and will no longer be available in
plain text format.
To specify security passwords, use the following procedure:
- Using a text editor, open the file FIM_INSTALL_DIR/etc/fim.appservers.properties.
- If the was.security.enabled property is present in the fim.appservers.properties file and is set to true then you must add two password properties to the file:
  - the was.admin.user.pwd property with a value of the administrator login password for the WebSphere Application Server where Federated Identity Management Business Gateway is deployed
  - the was.truststore.pwd property with a value of the password for the trust store used for client-side SSL authentication in that WebSphere Application Server
  was.admin.user.pwd=was_admin_pw
  was.truststore.pwd=truststore_pw
- If the ewas.security.enabled property is present in the fim.appservers.properties file and is set to true then you must add two password properties to the file:
  - the ewas.admin.user.pwd property with a value of the administrator login password for the Embedded WebSphere Application Server where Federated Identity Management Business Gateway is deployed
  - the ewas.truststore.pwd property with a value of the password for the trust store used for client-side SSL authentication in that Embedded WebSphere Application Server
  ewas.admin.user.pwd=ewas_admin_pw
  ewas.truststore.pwd=truststore_pw
- Save and close the fim.appservers.properties file.
- Unzip the file you downloaded in Downloading the fix pack, preferably into the default WebSphere Update Installer's maintenance directory,
C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance
for Windows, or
/opt/IBM/WebSphere/UpdateInstaller/maintenance
for Unix/Linux
- Ensure that the WebSphere Application Server that hosts the Federated Identity Management Business Gateway runtime and management service component is running.
- Ensure that the WebSphere Application Server that hosts the Federated Identity Management Business Gateway console component is running.
- Start the appropriate WebSphere Update Installer (typically located in C:\Program Files\IBM\WebSphere\UpdateInstaller on Windows systems, or in /opt/IBM/WebSphere/UpdateInstaller on UNIX-based systems).
- In the Welcome window click Next. Federated Identity Management Business Gateway will not be listed, but is supported.
- Specify the path to the installation directory for Federated Identity Management Business Gateway (typically C:\Program Files\IBM\FIM on Windows systems, or /opt/IBM/FIM on UNIX-based systems), then click Next.
- Select Install maintenance in the dialog.
- Specify the path where the fix pack (.pak) files were unzipped. The Update Installer automatically detects, enables, and displays the FIM fixes (pak files).
- Determine which product components are installed on the system that you are updating. You should install only the pak files that correspond to the components on the target system.
To determine the names and version levels of the product components installed on the target system, view the contents of the FIM_INSTALL_DIR/etc/version.properties file with a text editor. The following list describes how to interpret the properties in the version.properties file:
itfim.build.version.rte-mgmtsvcs=version
- Specifies that the management service and runtime component is installed at the level specified by version.
itfim.build.version.mgmtcon=version
- Specifies that the administration console component is installed at the level specified by version.
itfim.build.version.wsprov=version
- Specifies that the WS-provisioning runtime component is installed at the level specified by version.
itfim.build.version.wssm=version
- Specifies that the Web services security management (WSSM) component is installed at the level specified by version.
itfim.build.version.fimpi=version
- Specifies that the Web plug-in (either the Internet information services (IIS) Web plug-in or the Apache/IBM HTTP Server Web plug-in) is installed at the level specified by version.
The recommended order for applying fix packs to the product's components is:
- Management service and runtime and administration console
- Other components
Note: If a domain is not created before application of TFIM fix pack, the fix pack installation completes successfully with a "Partially Successful" message.
- Compare the list of installed components to the list of pak files in the WebSphere Update Installer
and select the pak files that correspond to the installed components, then click Next.
Note: The WebSphere Update Installer allows you to select more than one pak file at a time for execution. Select only the pak files that correspond to the components that are installed on the system you are updating. If you accidentally install more pak files than are needed, you can separately uninstall any fix packs for components that are not installed on the target system.
- If needed (for example, if you need to install multiple pak files on the target system, and you only installed one pak file), repeat the previous step to install any additional pak files on the target system.
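The password properties described under Setting the WebSphere security passwords and the rule that the console and runtime must be at the same level can both be checked from a shell before the Update Installer is started. The script below is an added example, not part of the fix pack: the function names are hypothetical, only the property names and file paths come from this README, and the world-readable warning is an added precaution for the period in which the passwords sit in the file as plain text.

```shell
#!/bin/sh
# Added example: checks on the two property files this README names.
# Property names and paths are from the README; the function names are
# hypothetical and any values used to exercise them are constructed.

# get_prop FILE KEY -> value of KEY (last assignment wins), CR and
# trailing blanks removed. Dots in KEY are escaped so they match literally.
get_prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" |
        tr -d '\r' | sed 's/[[:space:]]*$//' | tail -n 1
}

# missing_passwords FILE -> prints each password property that the README
# requires (because <prefix>.security.enabled=true) but that is absent or empty.
missing_passwords() {
    for prefix in was ewas; do
        [ "$(get_prop "$1" "$prefix.security.enabled")" = "true" ] || continue
        for name in admin.user.pwd truststore.pwd; do
            [ -n "$(get_prop "$1" "$prefix.$name")" ] || echo "$prefix.$name"
        done
    done
    return 0
}

# world_readable FILE -> status 0 when "other" users can read FILE.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# levels_match FILE -> status 0 when the runtime and the console are at the
# same level, or when only one of them is installed on this host;
# status 1 when both are present and differ.
levels_match() {
    rte=$(get_prop "$1" itfim.build.version.rte-mgmtsvcs)
    con=$(get_prop "$1" itfim.build.version.mgmtcon)
    [ -z "$rte" ] || [ -z "$con" ] || [ "$rte" = "$con" ]
}

# preflight FIM_INSTALL_DIR -> prints findings, status 1 on a blocking one.
preflight() {
    rc=0
    props="$1/etc/fim.appservers.properties"
    missing=$(missing_passwords "$props")
    if [ -n "$missing" ]; then
        echo "add before installing: $missing"
        rc=1
    fi
    if world_readable "$props"; then
        echo "warning: $props is world-readable; restrict it while it holds plain-text passwords"
    fi
    if ! levels_match "$1/etc/version.properties"; then
        echo "administration console and runtime are at different levels"
        rc=1
    fi
    return $rc
}

# Stand-alone use: sh preflight.sh /opt/IBM/FIM
if [ "$#" -eq 1 ]; then
    preflight "$1"
    exit $?
fi
```

Run it once before the installation for the password check and again afterwards to confirm that both components report the same level.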
Deploying the fix pack runtime component
The fix pack install automatically deploys the newly installed Federated Identity Manager Business Gateway runtime. However, you should verify that the current deployed version is 6.2.0.8.
- Log in to the console and click Tivoli Federated Identity Manager -> Manage Configuration -> Domain Properties. The details of the components installed in the domain are listed.
- Review the Runtime Information.
For example:
Runtime Information
----------------------------------------------
Current deployed version 6.2.0.8 [101117a]
Note: The number within the brackets [101117a] might be different from this example.
Publish the fix pack plug-ins to the runtime and reload the configuration
After you install the fix pack and redeploy the Tivoli Federated Identity Manager runtime you must re-publish the plug-ins to the runtime and reload the configuration.
Use the following procedure to re-publish the plug-ins:
- Log in to the administration console.
- Select Domain Management -> Runtime Node Management.
- Click Publish Plugins.
- After the plug-ins are published, reload the runtime configuration.
Product Synonym
TFIMBG;FIMBG
Problems (APARS) fixed
IZ30053 IZ30076 IZ30078 IZ30080 IZ34568 IZ34570 IZ34572 IZ34548 IZ34557 IZ34560 IZ33916 IZ37209 IZ37278 IZ37210 IZ48044 IZ48047 IZ48049 IZ48052 IZ48054 IZ48217 IZ84999 IZ71906 IZ85972 IZ90562 IZ85971 IZ85765 IZ85970 IZ85967 IZ85968 IZ85966 IZ76766 IZ85286 IZ76141 IZ50813 IZ70082 IZ66147 IZ61855 IZ64190 IZ90560 IZ69868 IZ69507 IZ74720 IZ74280 IZ72439 IZ74795 IZ74793 IZ82855 IZ82849 IZ82851 IZ82866 IZ82871 IZ82869 IZ82864 IZ82865 IZ82856 IZ66397 IZ82868 IZ82867 IZ82870 IZ82852 IZ82874 IZ82853 IZ83543 IZ91581
Document Information
Modified date:
15 June 2018
UID
swg24025909