Download
Abstract
This is a General Availability (GA) patch containing all the fixes since the release of IBM Tivoli Access Manager for e-Business 6.1.1 (WebSEAL).
Download Description
1.0 ABOUT THIS PATCH
--------------------
This patch package contains fixes for problems in the various components that
comprise the Tivoli Access Manager WebSEAL software.
1.1 Patch contents
This patch package contains:
- This README file
- Update patch packaging
1.2 Architectures
Additional Certifications
Refer to the following URL for latest information on supported operating
systems and software
http://www-01.ibm.com/support/docview.wss?uid=swg27022004
Certification   Platform   Details
-------------   --------   ------------------------------------------
libumem.so      Solaris    pdweb_start was modified to use libumem.so
                           as follows:
                           LD_PRELOAD_32=libumem.so
1.3 Patches superseded
All patches are cumulative unless otherwise explicitly stated.
Patches superseded by this patch:
6.1.1-TIV-AWS-FP0004
6.1.1-TIV-AWS-FP0003
6.1.1-TIV-AWS-IF0002
6.1.1-TIV-AWS-FP0001
1.4 Dependencies
IBM Tivoli Access Manager Base, Version 6.1.1 with patch 6.1.1-TIV-TAM-FP0005
IBM Tivoli Access Manager Web Security Runtime, Version 6.1.1
IBM Tivoli Access Manager WebSEAL, Version 6.1.1
IBM Tivoli GSKit Version 7.0.4.38 (32-bit)
NOTE1:
When installing patches on a particular machine, install patches for components
of IBM Tivoli Access Manager, Version 6.1.1, from patch
6.1.1-TIV-TAM-FP0005 and 6.1.1-TIV-AWS-FP0005
on the same machine.
For example, consider a machine with the following components:
(your machine may have more components installed)
IBM Tivoli Access Manager Runtime (PDRTE)
IBM Tivoli Access Manager Web Security Runtime (PDWebRTE)
IBM Tivoli Access Manager WebSEAL (PDWeb)
IBM Tivoli Security Utilities (TivSecUtl)
To patch the given machine, you must install PDRTE and TivSecUtl components from Patch
6.1.1-TIV-TAM-FP0005, PDWebRTE and PDWeb components
from Patch 6.1.1-TIV-AWS-FP0005 on the given machine.
A machine in a Tivoli Access Manager environment must have all components at the same
patch level. See the 6.1.1-TIV-TAM-FP0005.README for
information about how to install the relevant components of the
6.1.1-TIV-TAM-FP0005 patch.
NOTE2:
In a Tivoli Access Manager environment, install patches in the following order:
a) Policy Server machine: install patches for all components
as described in NOTE1.
b) Policy Proxy Server, if you have one in your Tivoli Access Manager environment
c) All other machines in the Tivoli Access Manager environment.
As described in NOTE1, install patches for all components
on each machine. You can install patches on the other
machines (category c) gradually. However, once the Policy Server is patched,
we strongly encourage bringing all other machines in the Tivoli Access Manager
environment to the same patch level as soon as
possible.
2.0 APARS AND DEFECTS FIXED
---------------------------
Because patches are cumulative, this patch corrects all the problems
outlined in the following sections.
2.1 Problems fixed by patch 6.1.1-TIV-AWS-FP0005
APAR IV00022
Symptom: WEBSEAL FAILS TO HANDLE SESSION COOKIE FROM EARLIER RELEASES
APAR IV04339
Symptom: Added new configuration option to require "referer" and
"host" headers to be present in order to allow a pkmslogout
request.
APAR IV17906
Symptom: Server Certificate message needs to omit root certificate
from certificate list. An update to GSKit was made to
provide this function, but it needed to be configurable in
Webseal.
APAR IV17912
Symptom: Webseal Performance issue. General performance is lower
than expected and CPU utilization higher than expected.
APAR IV17933
Symptom: WebSEAL, in a forward proxy role, can handle "http" request but fails to
handle "https" request properly.
APAR IV04518
Symptom: When an authentication-level POP is attached to a URI,
stepping-up to an authentication mechanism with a level higher
than the POP is not allowed by WebSEAL.
APAR IV06766
Symptom: Issue where end user is not presented with BA popup when EAI is
enabled.
APAR IV12947
Symptom: An error page is not returned from webseal when attempting to
access a resource that triggers EAI after a previous request to
a protected resource is aborted.
APAR IV17936
Symptom: Only when WebSEAL is configured to use both SMS and EAI:
some unauthenticated requests are logged as a user who
is currently logged in. This only happens after connectivity
with SMS is regained (after an outage).
APAR IV11164
Symptom: In TAM 6.1.1, the pdweb.wan.fsso trace component is no longer
visible as a valid trace component and cannot be set to debug
fsso issues.
APAR IV17937
Symptom: The WebSEAL server does not set the iv_server_name header
for ping requests.
APAR IV16142
Symptom: WebSEAL closes a backend session before receiving a response
from backend server when cached session was used.
APAR IV19485
Symptom: In Solaris, if LD_PRELOAD_32 is set in the environment then
it ignores LD_PRELOAD, so pdweb_script should be updated and
occurrences of LD_PRELOAD should be replaced with LD_PRELOAD_32.
APAR IV17968
Symptom: Only when WebSEAL is configured to use SMS: WebSEAL
crashes in AMWSMSReplicaSetClient::idleTimeout trying to
dereference null pointer.
APAR IV06622
Symptom: When an ampersand character appears in the client SSL
certificate, the WebSEAL client certificate mapping mechanism using
amwcertmapauthn.dll reads it and runs into an XML error. An
ampersand should be escaped in an XML document.
APAR IV11584
Symptom: WebSEAL 6.1.1 client certificate user mapping with Active
Directory results in error rspi_initialize : RSPI_CONFIG_INVALID.
APAR IV17940
Symptom: WebSEAL does not terminate the TCP connection after
receiving the response to the ping request sent to TFIM to check
availability of the TFIM cluster.
Installation Instructions
3.0 BEFORE INSTALLING THIS PATCH
--------------------------------
Before installing this patch, review the following prerequisites and
dependencies.
3.1 Back up Tivoli Access Manager data
Before applying any maintenance, be sure to back up your system. Use
the 'pdbackup' command provided with the Tivoli Access Manager product
to back up Tivoli Access Manager-specific data. Documentation for the
'pdbackup' command is located in the "IBM Tivoli Access Manager Command
Reference."
Patch installation for the PDWeb component should not overwrite the existing
pdweb_start script, but it is still highly recommended to back up the pdweb_start
script on UNIX systems, especially if any customizations were made to this script.
The patch for the PDWeb component installs its pdweb_start script as
pdweb_start.fixpack so that any update or fix made to the pdweb_start script is
available to customers to incorporate into their customized pdweb_start script.
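
The following added example (not IBM code; the function names and sample file
contents are hypothetical) audits a customized pdweb_start before merging
pdweb_start.fixpack. It flags any remaining plain LD_PRELOAD assignment, which
APAR IV19485 says Solaris ignores once LD_PRELOAD_32 is set.

```sh
#!/bin/sh
# Added example, not IBM code. Function names are hypothetical.

# Print "line:text" for each non-comment line that uses plain LD_PRELOAD
# (LD_PRELOAD_32 and LD_PRELOAD_64 do not match). Exit 0 if any were found.
find_plain_ld_preload() {
    grep -n -E 'LD_PRELOAD([^_A-Za-z0-9]|$)' "$1" |
        grep -v '^[0-9]*:[[:space:]]*#'
}

# Audit a customized pdweb_start against the pdweb_start.fixpack copy.
# Returns 1 if plain LD_PRELOAD remains, 2 if the files merely differ, else 0.
audit_pdweb_start() {
    custom=$1 fixpack=$2 status=0
    if find_plain_ld_preload "$custom"; then
        echo "WARN: $custom still sets plain LD_PRELOAD (see APAR IV19485)" >&2
        status=1
    fi
    if [ -f "$fixpack" ] && ! cmp -s "$custom" "$fixpack"; then
        echo "INFO: merge needed, review: diff $fixpack $custom" >&2
        if [ "$status" -eq 0 ]; then status=2; fi
    fi
    return "$status"
}

# Constructed sample files (not the real scripts) so the audit runs offline.
sample_dir=$(mktemp -d)
printf '%s\n' '#!/bin/sh' '# LD_PRELOAD is set for libumem' \
    'LD_PRELOAD=libumem.so; export LD_PRELOAD' > "$sample_dir/pdweb_start"
printf '%s\n' '#!/bin/sh' \
    'LD_PRELOAD_32=libumem.so; export LD_PRELOAD_32' > "$sample_dir/pdweb_start.fixpack"
audit_pdweb_start "$sample_dir/pdweb_start" "$sample_dir/pdweb_start.fixpack" ||
    echo "audit exit code: $?"
```
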
3.2 Upgrade GSKit to Version 7.0.4.38 or later
Note:
IBM Global Security Toolkit (GSKit) version 7.0.4.38 and higher supports
RFC 5746 (TLS Renegotiation Indication Extension), so the security
exposure CVE-2009-3555 (TLS/SSL protocol vulnerability) does not
apply to these versions of GSKit. Every
customer using a version of GSKit prior to 7.0.4.38 must upgrade to a
later version immediately.
Upgrade the IBM Global Security Toolkit (GSKit) to version 7.0.4.38
BEFORE installing the Tivoli Access Manager packages in this patch. The 32-bit
version must be used regardless of system architecture.
The updated GSKit installation packages may be downloaded at the URL:
https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=gskitupdt
Instructions for installing GSKit may be found in the IBM Tivoli Access Manager
for e-business Installation Guide, under the section "Reference information >
Installing prerequisite products".
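
The following added example (not IBM code; the function names are hypothetical
and the version strings are constructed) gates an installation on the GSKit
minimum level given above. It compares dotted versions field by field as
numbers, because a plain string comparison would rank 7.0.4.9 above 7.0.4.38.

```sh
#!/bin/sh
# Added example, not IBM code. Function names are hypothetical; the caller
# supplies the installed GSKit version string as an argument.
GSKIT_MIN=7.0.4.38   # minimum level stated in section 3.2

# version_ge A B: exit 0 if A >= B, 1 if A < B, 2 if either is malformed.
# Missing trailing fields count as 0, so 7.0.5 is compared as 7.0.5.0.
version_ge() {
    case "$1.$2" in
        *[!0-9.]*|*..*|.*|*.) return 2 ;;
    esac
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*} fb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        fa=${fa:-0} fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# Report whether a GSKit version meets the minimum for this patch.
check_gskit() {
    rc=0
    version_ge "$1" "$GSKIT_MIN" || rc=$?
    case $rc in
        0) echo "OK: GSKit $1 meets minimum $GSKIT_MIN" ;;
        1) echo "UPGRADE: GSKit $1 is older than $GSKIT_MIN"; return 1 ;;
        *) echo "ERROR: cannot parse version '$1'"; return 2 ;;
    esac
}

# Constructed sample versions, including the lexical-comparison trap 7.0.4.9.
for v in 7.0.4.38 7.0.4.9 7.0.5; do
    check_gskit "$v" || true
done
```
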
4.0 INSTALLING THIS PATCH
-------------------------
Before installing this patch, be sure that you have reviewed the
prerequisites and have completed the back-up procedure in section 3.0,
"BEFORE INSTALLING THIS PATCH".
If the Tivoli Access Manager product is distributed over multiple machines,
this patch must be applied to all WebSEAL systems within a secure domain.
If the user needs the special character support for remote filenames offered by
IV03925, they must redeploy query_contents.sh manually. See the IBM Tivoli
Access Manager Administration Guide for details.
This README assumes that $PATCH (or %PATCH% for Windows) is the path to
your temporary directory.
4.1 Installing this patch on AIX systems
1. Log in to the system as root.
2. Extract the archive into a temporary directory. For the
purpose of this README, assume that the symbol $PATCH
points to this temporary directory.
3. Stop the Tivoli Access Manager processes:
/opt/pdweb/bin/pdweb_start stop
4. At the command prompt, enter the following:
installp -a -g -X -d $PATCH <package>
where <package> is:
PDWeb.RTE Specifies the Access Manager Web Security Runtime
PDWeb.ADK Specifies the Access Manager Web ADK package
PDWeb.Web Specifies the Access Manager Webseal Server
5. Restart the Tivoli Access Manager processes:
/opt/pdweb/bin/pdweb_start start
4.2 Installing this patch on HP-UX systems
1. Log in to the system as root.
2. Extract the archive into a temporary directory. For the
purpose of this README, assume that the symbol $PATCH
points to this temporary directory.
3. Stop the Tivoli Access Manager processes:
/opt/pdweb/bin/pdweb_start stop
4. At the command prompt, enter the following:
swinstall -s $PATCH/<package> <patch>
where <package> and <patch> are:
<package> <patch>
------------------------------ -------------
PDWebRTE000611-05.depot PDWebRTE
PDWebADK000611-05.depot PDWebADK
PDWeb000611-05.depot PDWeb
5. Restart the Tivoli Access Manager processes:
/opt/pdweb/bin/pdweb_start start
4.3 Installing this patch on Linux systems
1. Log in to the system as root.
2. Extract the archive into a temporary directory. For the
purpose of this README, assume that the symbol $PATCH
points to this temporary directory.
3. Stop the Tivoli Access Manager processes.
/opt/pdweb/bin/pdweb_start stop
4. At the command prompt, enter the following:
rpm -U <patchname>
where <patchname> is one of the following:
Linux on xSeries(R)
PDWebRTE-PD-6.1.1-5.i386.rpm
PDWebADK-PD-6.1.1-5.i386.rpm
PDWeb-PD-6.1.1-5.i386.rpm
Linux on zSeries
PDWebRTE-PD-6.1.1-5.s390.rpm
PDWebADK-PD-6.1.1-5.s390.rpm
PDWeb-PD-6.1.1-5.s390.rpm
Note:
If Tivoli Access Manager is already configured, you
might need to install with the --noscripts flag:
rpm -U --noscripts <patchname>
5. Restart the Tivoli Access Manager processes:
/opt/pdweb/bin/pdweb_start start
4.4 Installing this patch on Sun Solaris Operating Environment systems
1. Log in to the system as root.
2. Extract the archive into a temporary directory. For the
purpose of this README, assume that the symbol $PATCH
points to this temporary directory.
3. Stop the Tivoli Access Manager processes:
/opt/pdweb/bin/pdweb_start stop
4. At the command prompt, enter the following:
cd $PATCH
Solaris 9:
patchadd <package>
Solaris 10 and above:
patchadd -t <package>
where <package> is:
PDWEBRTE000611-05 Specifies the Access Manager Web Security Runtime
PDWEBADK000611-05 Specifies the Access Manager Web ADK package
PDWEB000611-05 Specifies the Tivoli Access Manager WebSEAL Server
5. Restart the Tivoli Access Manager processes:
/opt/pdweb/bin/pdweb_start start
4.5 Installing this patch on Windows systems
1. Log in to the Windows system as the Administrator.
2. Shut down the Tivoli Access Manager WebSEAL server:
a. Click 'Control Panel' > 'Services'
b. Click 'Access Manager WebSEAL Server' > 'Stop'.
c. To confirm this action, click 'Yes'.
3. Unpack the self-extracting archive into a temporary
directory. For the purpose of this README, assume that
%PATCH% points to this temporary directory.
4. Change to the patch directory:
cd %PATCH%
For each component to apply service to, run the following command:
<component directory>/Disk Images/Disk1/setup.exe
List of component directory names.
PDWebRTE Specifies the Access Manager Web Security Runtime
PDWebADK Specifies the Access Manager Web ADK package
PDWeb Specifies the Tivoli Access Manager WebSEAL Server
Note: If you must reboot your system to
complete this installation, you might subsequently encounter a
problem running the Web Portal Manager to access the console. An example
of a reboot situation is to overcome a shared DLLs problem.
If this happens, confirm that the WebSphere service is
running. The WebSphere service is installed in manual startup
mode and might not be running after a reboot.
5. Restart the Tivoli Access Manager WebSEAL server:
From the Windows Start menu, click:
a. 'Settings' > 'Control Panel' > 'Administrative Tools' > 'Service'.
b. Click 'Access Manager WebSEAL Server' > 'Start'.
c. Click 'IBM WS AdminServer' > 'Start'.
Document Information
Modified date:
15 June 2018
UID
swg24032593