Tivoli Federated Identity Manager 6.2.0 Fixpack 13 (6.2.0-TIV-TFIM-FP0013)



Abstract

This is a cumulative Fix Pack (FP) patch for a variety of problems in the components that compose the TFIM 6.2.0 product. It upgrades a TFIM 6.2.0 installation to TFIM 6.2.0.13.

Download Description

This fix pack corrects problems in IBM Tivoli Federated Identity Manager (Federated Identity Manager), Version 6.2.0. It requires that the IBM Federated Identity Manager, Version 6.2.0, be installed. After installing this fix pack, your Federated Identity Manager installation will be at version 6.2.0.13.


IMPORTANT NOTICE

Potential cross-site scripting vulnerability via macros in event page template files

Some IBM Tivoli Federated Identity Manager page macros might be vulnerable to cross-site scripting attacks when their values are not properly encoded. Contact IBM Support for the list of macros that might be subject to this issue. To remediate this, add the macros provided by IBM Support to the list of comma-separated tokens in the runtime custom property SPS.PageFactory.HtmlEscapedTokens. Adding these macros ensures that their values are HTML-escaped when they are substituted into the template files. For example, if the list of macros provided is:

  • @EXAMPLE_MACRO1@
  • @EXAMPLE_MACRO2@
  • @EXAMPLE_MACRO3@

the value of the runtime custom property SPS.PageFactory.HtmlEscapedTokens with the above macros added can be:

@REQ_ADDR@,@DETAIL@,@EXCEPTION_STACK@,@EXCEPTION_MSG@,@RESPONSE@,@TARGET@,@DETAIL@,@SAMLSTATUS@,@EXAMPLE_MACRO1@,@EXAMPLE_MACRO2@,@EXAMPLE_MACRO3@

NOTE: Other macros that are prone to cross-site scripting can also be added to SPS.PageFactory.HtmlEscapedTokens. The value of this runtime custom property will be revised periodically and updated as needed. For more information regarding the runtime custom property, access http://www-01.ibm.com/support/knowledgecenter/SSZSXU_6.2.0/com.ibm.tivoli.fim.doc_6.2/installconfig/reference/CustomPropsSPS.html.
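The macro handling the notice describes, as an added example in Python (not IBM's code): a comma-separated SPS.PageFactory.HtmlEscapedTokens value is parsed, macros in a template fragment are replaced with their values, only those the property lists are HTML-escaped, and an audit helper reports macros the template uses that the property does not cover. The template fragment, the macro values and @MY_CUSTOM_MACRO@ are constructed for this example, and add_tokens is a hypothetical helper that mirrors the manual edit the notice asks for.

```python
"""Added example (not IBM's code): how a comma-separated
SPS.PageFactory.HtmlEscapedTokens value governs HTML-escaping of
page-template macros, plus an audit of macros the property does not cover."""
import html
import re

# Macro names appear as @NAME@ in TFIM page templates.
MACRO_RE = re.compile(r"@[A-Z0-9_]+@")

# Property value from the fix pack readme, with the three IBM-provided
# example macros appended as the notice instructs.
HTML_ESCAPED_TOKENS = (
    "@REQ_ADDR@,@DETAIL@,@EXCEPTION_STACK@,@EXCEPTION_MSG@,@RESPONSE@,"
    "@TARGET@,@DETAIL@,@SAMLSTATUS@,"
    "@EXAMPLE_MACRO1@,@EXAMPLE_MACRO2@,@EXAMPLE_MACRO3@"
)


def parse_escaped_tokens(value):
    """Split the comma-separated property into a set of macro names.
    Whitespace is stripped; empty entries and duplicates (the readme's
    sample value lists @DETAIL@ twice) are dropped."""
    return {tok.strip() for tok in value.split(",") if tok.strip()}


def add_tokens(value, extra):
    """Hypothetical helper: return the property value with the macros in
    `extra` appended, skipping any that are already present."""
    present = parse_escaped_tokens(value)
    new = [m for m in extra if m not in present]
    return ",".join([value.rstrip(",")] + new) if new else value


def render_template(template, values, escaped_tokens):
    """Substitute macros as the notice describes: a macro whose name is in
    escaped_tokens has its value HTML-escaped; any other macro is inserted
    verbatim, which is the exposure when its value is request-controlled."""
    def sub(match):
        name = match.group(0)
        val = values.get(name, "")
        return html.escape(val, quote=True) if name in escaped_tokens else val
    return MACRO_RE.sub(sub, template)


def unescaped_macros(template, escaped_tokens):
    """Audit helper: macros the template uses that the property does not
    cover, i.e. candidates to review against IBM Support's list."""
    return sorted(set(MACRO_RE.findall(template)) - escaped_tokens)


# Constructed sample template fragment and macro values, not a real TFIM
# template file; @MY_CUSTOM_MACRO@ stands for a site-specific macro.
SAMPLE_TEMPLATE = (
    "<p>Target: @TARGET@</p>\n"
    "<p>Detail: @DETAIL@</p>\n"
    "<p>Custom: @MY_CUSTOM_MACRO@</p>\n"
)
SAMPLE_VALUES = {
    "@TARGET@": "https://sp.example.com/<b>home</b>",
    "@DETAIL@": "\"quoted\" & <i>emphasised</i>",
    "@MY_CUSTOM_MACRO@": "<b>raw</b>",
}

if __name__ == "__main__":
    tokens = parse_escaped_tokens(HTML_ESCAPED_TOKENS)
    print(render_template(SAMPLE_TEMPLATE, SAMPLE_VALUES, tokens))
    print("not covered by HtmlEscapedTokens:",
          unescaped_macros(SAMPLE_TEMPLATE, tokens))
```

Running the audit over the real template directory (one file at a time) shows which macros still render unescaped after the property has been updated.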

Possible security exposure with IBM WebSphere Application Server with WS-Security enabled applications using LTPA tokens (CVE-2011-1377)

The security that the IBM WebSphere Application Server provides might be weaker than expected when using web services security (WS-Security). A user might randomly gain elevated privileges on the provider system. WS-Security might assign the identity of a previously processed LTPA token to a new inbound LTPA token after authentication. This impacts applications using either JAX-WS or JAX-RPC.

Versions affected:

  • IBM WebSphere Application Server, all platforms, Versions 8.0 through 8.0.0.2, 7.0 through 7.0.0.21, 6.1 through 6.1.0.41, and 6.0.2 through 6.0.2.43.
  • IBM WebSphere Application Server Feature Pack for Web Services Versions 6.1.0.9 through 6.1.0.39.

The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the fix, access http://www.ibm.com/support/docview.wss?uid=swg21587536

Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.

Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed fix installation instructions.

Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476)

This Security Alert addresses a serious security issue, CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability might cause the Java Runtime Environment to hang, enter an infinite loop, and/or crash, resulting in a denial of service exposure. The same hang might occur if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program using the Double.parseDouble method is also at risk of this exposure, including any customer-written application or third-party application.

The following products contain affected versions of the Java Runtime Environment:

  • IBM WebSphere Application Server Versions 7.0 through 7.0.0.13 for Distributed, i5/OS and z/OS operating systems.
  • IBM WebSphere Application Server Versions 6.1 through 6.1.0.35 for Distributed, i5/OS and z/OS operating systems.
  • IBM WebSphere Application Server Versions 6.0 through 6.0.2.43 for Distributed, i5/OS and z/OS operating systems.

The same iFix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the iFix, see http://www-01.ibm.com/support/docview.wss?uid=swg21462019

The IBM WebSphere Update Installer (WUI) must be used to apply the fix. If the WUI has not previously been installed, download the WUI from http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.

Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.

JAVA.LANG.RUNTIMEEXCEPTION: SRV.8.2: REQUESTWRAPPER OBJECTS MUST EXTEND SERVLETREQUESTWRAPPER OR HTTPSERVLETREQUESTWRAPPER (PM10357)

This APAR PM10357 is reported for WebSphere Application Server (WAS) v6.1. As a result of this APAR, operations in the IBM Tivoli Federated Identity Manager Management Console can fail with the following exception observed in the log if the Management Console is deployed on an affected version of WAS v6.1:

java.lang.RuntimeException: SRV.8.2: RequestWrapper objects must extend ServletRequestWrapper or HttpServletRequestWrapper

Examples of operations that can fail include:

  • Importing a keystore file
  • Loading a mapping rule

Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.

The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager.

The IBM WebSphere Update Installer (WUI) must be used to apply the fix. If the WUI has not previously been installed, download the WUI from http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.


Fix pack contents and distribution

This fix pack package contains:

  • The fix pack zip file
  • This README.

This fix pack is distributed as an electronic download from the IBM Support Web Site.


Architectures

This fix pack package supports the same operating system releases that are listed in the Operating systems for a specific product for the product Tivoli Federated Identity Manager and the version 6.2.0.

This fix pack package supports the same software prerequisites that are listed in the Prerequisites of a specific product for the product Tivoli Federated Identity Manager and the version 6.2.2.


Fix packs superseded by this fix pack

6.2.0-TIV-TFIM-FP0001
6.2.0-TIV-TFIM-FP0002
6.2.0-TIV-TFIM-FP0003
6.2.0-TIV-TFIM-FP0008
6.2.0-TIV-TFIM-FP0009


Fix pack structure

Federated Identity Manager consists of the following components that can be installed separately:

  • Administration console
  • Management service and runtime component
  • Web services security management (WSSM)
  • WS-provisioning runtime
  • Internet information services (IIS) Web plug-in
  • Apache/IBM HTTP Server Web plug-in
  • IBM Support Assistant plugin

This fix pack applies only to the administration console, management service and runtime component, and Web services security management (first three components listed above). These three components must be at the same level. For example, if you install a fix pack for the management service and runtime component, you must install the corresponding fix packs for the administration console and WSSM components. If all three components are not at the same fix pack level, they are not guaranteed to interoperate with each other as designed.


APARs and defects fixed


Problems fixed by fix pack 6.2.0-TIV-TFIM-FP0013

The following problems are corrected by this fix pack. For more information about the APARs listed here, refer to the Tivoli Federated Identity Manager support site.

APAR IV43162


SYMPTOM: Wrong X509SKI value in digital signature.

APAR IV42940


SYMPTOM: Trace message starting with "Please ask development to consider making this class Immutable: " and ending with an exception stack trace is confusing customers who are checking the trace logs.

APAR IV40190


SYMPTOM: Unable to configure SAML Identity Provider to only sign the AuthResponse and not sign the Assertion when HTTP POST binding is used.

APAR IV09367


SYMPTOM: IBM Tivoli Federated Identity Manager is incorrectly processing SAML aliases with certain directory servers.

APAR IV24603


SYMPTOM: Some Service Providers for the WS-Federation Passive Profile do not accept RequestSecurityTokenResponse that contain certain elements. For example, Sharepoint does not accept RequestSecurityTokenResponse that contains the elements wst:Forwardable, wst:Delegatable, wst:Status and wst:Renewing. However, these elements are present in the RequestSecurityTokenResponse generated by the IBM Tivoli Federated Identity Manager Identity Provider for the WS-Federation Passive Profile.

APAR IV19689


SYMPTOM: The SAML 1.1 STS Token Module fails to populate the STSUU's Principal correctly when the inbound SAML Assertion contains an AuthenticationStatement with a type attribute that is set to something other than "saml:AuthenticationStatement".

APAR IV38244


SYMPTOM: The FBTSML227E error message is displayed incorrectly.

APAR IV23069


SYMPTOM: When no Format attribute for the NameIDPolicy element is found in the SAML 2.0 AuthnRequest message, the Identity Provider treats the Format as "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent". The Identity Provider should instead refer to the "DefaultNameIDFormat" parameter configured for the Federation/Partner, which is what it does when the Format for the NameIDPolicy element in the AuthnRequest message is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".

APAR IV36844


SYMPTOM: When the Format attribute for the NameID element in the SAML 2.0 Assertion is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", the Service Provider treats the Format as "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent". The Service Provider should instead refer to the "DefaultNameIDFormat" parameter configured for the Federation/Partner.

APAR IV38308


SYMPTOM: The STSUUSER principal does not match the incoming subject name id of the assertion.

APAR IV38365


SYMPTOM: Corrupted URLs in feds.xml and sps.xml when a non-sps URL is provided for the Single Sign-On Service, Single Logout Service, SOAP Endpoint, Artifact Resolution Service, Assertion Consumer Service or Name ID Management Service URLs in the SAML 2.0 IP/SP Federation properties page via the Management Console. The fix for this defect includes validation of the above URLs. The URL provided is checked to ensure that it is a properly formatted URL and that it is an sps URL. If not, the error message "The value entered for X contains an improperly formatted URL" is shown when saving the federation properties.

APAR IV38366


SYMPTOM: Blank page is shown when the session cannot be found.

APAR IV38326


SYMPTOM: Single logout fails when two Service Providers are authenticated using the same session index and both Service Provider federations are on the same IBM Tivoli Federated Identity Manager domain.

APAR IV38368


SYMPTOM: An HTML page with a SOAPException message, instead of a SOAP Fault, is returned in response to a request security token SOAP request with an invalid issuer or appliesto sent to the SAML 1.1 artifact service endpoint.

APAR IV38369


SYMPTOM: The error FBTSPS061E "An unexpected error has occurred with a protocol module" is displayed when a federated SSO request is received at the service provider and WebSEAL is used as the point of contact.

APAR IV38370


SYMPTOM: Tivoli Access Manager WebSEAL failover cookies do not work when Tivoli Federated Identity Manager is configured to generate IV credential tokens without using PDAcld.

APAR IV38376


SYMPTOM: Certain points of contact that use the external authentication interface do not recognize the identity of the user that is set by IBM Tivoli Federated Identity Manager in the response HTTP header (typically "am-fim-eai-user-id"), since these points of contact are not aware that IBM Tivoli Federated Identity Manager URL-encodes this identity. IBM Tivoli Federated Identity Manager should not URL-encode this identity.

APAR IV38377


SYMPTOM: The base64-encoded token generated by the IVCred STS module is split into multiple lines. Some customers require that the token not be split into multiple lines.

APAR IV38378


SYMPTOM: No error message is reported when importing SAML 2.0 Identity Provider or Service Provider whose metadata contains Organization element with no OrganizationURL element.

APAR IV38385


SYMPTOM: Requests to the IBM Tivoli Federated Identity Manager WS-Trust 1.3 endpoint URL using the ?WSDL parameter to get the WSDL document cause subsequent SOAP services to fail.

APAR IV38387


SYMPTOM: The string "???????? Web ??????!" is returned when accessing the URL http://hostname:9080/Info/InfoService using a web browser. This problem may happen when the language of the browser is different from the language of the operating system of the server.

APAR IV38388


SYMPTOM: Security update for IBM Tivoli Federated Identity Manager Runtime.

APAR IV38389


SYMPTOM: The STS obtains the base security token for execution either from the base element of the RequestSecurityToken message or from the WS-Security tokens included in the SOAP headers. Tivoli Federated Identity Manager takes the first WS-Security token found in the SOAP header. After this modification, the SAML STS modules look for the appropriate token type included in the WS-Security headers when the change is enabled.

APAR IV38391


SYMPTOM: IBM Tivoli Federated Identity Manager does not provide a 2048-bit option for the key size when generating a certificate request or self-signed certificate through the console.

APAR IV38359


SYMPTOM: The IBM Tivoli Federated Identity Manager Single Sign On protocol service (SPS) SAML 2.0 protocol implementation allows a customer to use the 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' name identifier for single sign on. By default, IBM Tivoli Federated Identity Manager treats a 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' name identifier as a 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' name identifier unless the default name identifier is set to another type such as emailAddress. The Single Logout operation incorrectly queries the alias service if the unspecified name identifier is used and the default name identifier is set to email.

APAR IV38364


SYMPTOM:
1. When defining a text field in GUIXML, and setting its default value to a string containing a quotation mark, Tivoli Federated Identity Manager throws an exception when loading the GUIXML page saying that the XML is invalid.
2. In an STS module which has an 'init' page widget which has a multi-valued TextField, only the first value of the multiple values is displayed when viewing the module instance properties.

APAR IV10801


SYMPTOM: Improve SAML Signature Conformance

APAR IV23431


SYMPTOM: Improve SAML signature conformance

APAR IV23445


SYMPTOM: Improve signature conformance

APAR IV23792


SYMPTOM: Enabling and disabling RelayState URL encoding and decoding in SAML 2.0 unsolicited authentication response.

APAR OA39921


SYMPTOM: NullPointerException is thrown when sending SAML 2.0 messages (e.g., Logout Request) with invalid IssueInstant attribute.

APAR IV24381


SYMPTOM: Improve XML Signature Conformance

APAR IV26034


SYMPTOM: The RelayState query string parameter provided to the IP-initiated SSO initial URL is used to populate the RelayState macro in the authentication response when the target query string parameter is empty or not provided. It should be ignored.

APAR IV26826


SYMPTOM: Update deployment descriptor for the Tivoli Federated Identity Manager Management Console servlets.

APAR IV26823


SYMPTOM: Update log traces in FSSO and STS.

Problems fixed by fix pack 6.2.0-TIV-TFIM-FP0009

APAR IV01293


SYMPTOM: ClassCastException is thrown when adding a SAML 2.0 Identity Provider as a partner. This problem happens when the metadata of the Identity Provider contains SAML attributes.

APAR IV01314


SYMPTOM: LTPA Token Module is not calculating the expiration date correctly. When a token is renewed, the expiration date is added to the userdata structure expiration array. The new expiration date is the last item added to the array. The IBM Tivoli Federated Identity Manager was incorrectly taking the first item on the array.

APAR IV01819


SYMPTOM: ClassCastException is thrown when configuring LDAP alias service using the IBM Tivoli Federated Identity Manager Command Line. This problem happens if at least one LDAP server exists in the system.

APAR IV01295


SYMPTOM: THE WEBSPHERE APPLICATION SERVER POC CREATE WAS SECURITY CONTEXT WITH INSUFFICIENT UNIQUE ID.

APAR IV01254


SYMPTOM: In some SAML error circumstances, the IBM Tivoli Federated Identity Manager would return a NullPointerException when attempting to display an error page or return a SAML error to an artifact retrieval request.

APAR IV01190


SYMPTOM: Empty-valued attributes in an STSUniversalUser XML document are not preserved by the Java implementation when converting from XML to Java and back to XML.

APAR IV01822


SYMPTOM: The value of the attribute "IsDefault" of all assertion consumer services of the SAML 2.0 Service Provider partner is changed to "true" after clicking the button "OK" or "Apply" in the Partner Properties page in the IBM Tivoli Federated Identity Manager Console.

APAR IV01319


SYMPTOM: SAML 2.0 STS Module fails to validate the subject confirmation method correctly when the assertion is received as part of the SAML 2.0 Single Sign On operation. The specification requires that an assertion that is generated as part of a Single Sign On flow should at least include one of the subject confirmation methods of value urn:oasis:names:tc:SAML:2.0:cm:bearer.

APAR IV01315


SYMPTOM: The SAML 2.0 SPS Module sets the Destination attribute on the LogoutResponse message when the request is received through the SOAP binding at the Identity Provider and there is more than one service provider session that was authenticated based on the Identity Provider session. The Destination field might contain the URL of the wrong partner, not the one that sent the LogoutRequest.

APAR IV01318


SYMPTOM: The IBM Tivoli Federated Identity Manager LTPA STS module support code is not thread safe. The code uses a static instance of a JDK class that is not thread safe, causing undetermined results while verifying or generating the LTPA token signature in environments with a high volume of transactions.

APAR IV03231


SYMPTOM: KERBEROS STS MODULE TO ENFORCE TOKEN ONE TIME USE.

APAR IV03050


SYMPTOM: Security update for the IBM Tivoli Federated Identity Manager Management Console.

APAR IV01824


SYMPTOM: ClassCastException is thrown when adding and modifying LDAP host using the IBM Tivoli Federated Identity Manager Command Line. This problem happens if the parameter "hostPort" is not 389, or the parameter "minConnections" is not 2, or the parameter "maxConnections" is not 10.

APAR IZ03616


SYMPTOM: The SAML specification allows the Identity Provider not to include an issuer value on the SAMLResponse as long as the assertion includes the value. The IBM Tivoli Federated Identity Manager SAML module expected the issuer on the SAML Response to always be included. This expectation caused a NullPointerException when the value was not included.

APAR IZ72928


SYMPTOM: Opening a Tivoli Federated Identity Manager page or portlet from the WebSphere Application Server ISC causes a JNDI exception of the type NameNotFoundException to be logged in the WAS server log.

APAR IZ91976


SYMPTOM: The IBM Tivoli Federated Identity Manager generates a NullPointerException when the SAMLResponse received from the Identity Provider does not include an Issuer value even though the Issuer value is included in the assertion.

APAR IZ92245


SYMPTOM: Duplicate STS chain mappings are created when adding a SAML 2.0 Service Provider as a partner. This problem happens if the metadata of the Service Provider contains at least three distinct assertion consumer services with at least three distinct URLs.

APAR IZ94653


SYMPTOM: Ability for IVCRED STS Module to return error (default) or map to special user account for unauthenticated user token.

APAR IV01175


SYMPTOM: During a Single Logout operation on the Service Provider side, the SAML 2.0 SPS module invokes the alias service regardless of whether the email name id format was used to single sign on the user. While the Single Logout operation is successful, an error is written to the logs even though the alias operation is not required.

APAR IZ96477


SYMPTOM: Mapping from single logout URL to protocol is deleted from the configuration file after clicking the button "OK" or "Apply" in the Federation Properties page in TFIM Console. This problem happens if the single logout bindings that are enabled are only HTTP-Redirect and SOAP. The missing mapping causes single logout operation to fail.

APAR IV01201


SYMPTOM: CommandException is thrown when exporting a key from a keystore using IBM Tivoli Federated Identity Manager Command Line. This problem happens if the parameter "exportPrivateKey" is specified with no value or with value "true".

APAR IV01202


SYMPTOM: ChainableRuntimeException is thrown when exporting a key from a keystore using the IBM Tivoli Federated Identity Manager Console. This problem happens if the IBM Tivoli Federated Identity Manager is deployed in certain WebSphere Application Server versions (e.g., WebSphere Application Server 7 Fix Pack 11).

APAR IV03048


SYMPTOM: Security update for the IBM Tivoli Federated Identity Manager Management Console.

APAR IV03074


SYMPTOM: Security update for the IBM Tivoli Federated Identity Manager Runtime.

Problems fixed by fix pack 6.2.0-TIV-TFIM-FP0008

APAR IZ84999


SYMPTOM: Some of the IBM Tivoli Federated Identity Manager Console portlet pages cannot be displayed when it is installed in WebSphere Application Server 7 FP 11.

APAR IZ74691


SYMPTOM: For a WS-Trust v1.3 request, FIM Security Token Service returns a response with multiple status codes, some of which contain WS-Trust v1.2 URI values.

APAR IZ50813


SYMPTOM: IBM Tivoli Federated Identity Manager CLI Commands are not registered properly on WebSphere Application Server 7.0.

APAR IZ74511


SYMPTOM: A valid WS-Trust 1.3 request fails if it includes an empty Issuer address value and the matching trust chain uses a wild card for Issuer value (e.g. with Issuer Address = *).

APAR IZ73144


SYMPTOM: NullPointerException when creating a new STS chain that is not on Validate mode.

APAR IZ68018


SYMPTOM: When reading the user header from WebSEAL or a generic point-of-contact, the username is URL decoded twice.

APAR IZ70082


SYMPTOM: Exception occurs when using only.alias key selection criteria and the same key appears under multiple aliases.

APAR IZ66147


SYMPTOM: The IBM Tivoli Federated Identity Manager artifact lookup routine can consume threads if the artifact received is not in the cache.

APAR IZ61855


SYMPTOM: Using IBM Tivoli Federated Identity Manager ISC console makes it possible to remove a default mapping rule after the federation has been created.

APAR IZ64190


SYMPTOM: The IBM Tivoli Federated Identity Manager SAML 2.0 SPS module throws a NullPointerException if an issuer value is not included on the SAML Response message.

APAR IZ42265


SYMPTOM: When starting IBM Tivoli Federated Identity Manager the runtime nodes report exceptions while connecting to the config repository.

APAR IZ39501


SYMPTOM: The fimivt application incorrectly relies on the provider id of the Service Provider to build the TARGET url for Single Sign On.

APAR IZ69868


SYMPTOM: The IBM Tivoli Federated Identity Manager 6.2.0 will always sign the outgoing SAML response and SAML assertion when the HTTP/SOAP binding is used.

APAR IZ69507


SYMPTOM: The IBM Tivoli Federated Identity Manager SAML 2.0 SPS Module does not create a session when the SAML AuthnRequest is received over the SOAP endpoint.

APAR IZ74720


SYMPTOM: The ITFIM console metadata support fails to validate that mandatory endpoints are included. The SPSSODescriptor requires at least one AssertionConsumerService endpoint and the IDPSSODescriptor requires at least one SingleSignOnService url.

APAR IZ74280


SYMPTOM: The ITFIM console partner properties page for a SAML 2.0 partner does not allow the user to modify the signature validation settings once set to typical or all signature settings.

APAR IZ72439


SYMPTOM: The ITFIM Alias Service fails to provide enough information to differentiate between a fatal error reading aliases and the typical alias not found return.

APAR IZ74795


SYMPTOM: ITFIM fails to send back a SOAP fault when an AuthnRequest with an invalid Issuer is received through the SOAP binding.

APAR IZ74793


SYMPTOM: The Tivoli Federated Identity Manager SAML SSO Module should add appropriate information on the SAMLResponse message to allow exploiters to debug the reasons for artifact resolution failures.

APAR IZ80240


SYMPTOM: STS service does not start when an illegal regular expression is provided for the "applies to", "issuer" or "token type" field of the STS chain mapping.

APAR IZ71991


SYMPTOM: Unable to validate SAML2.0 tokens generated through WSSM.

APAR IZ73880


SYMPTOM: LTPA XML security token issued by the STS has incorrect namespace.

APAR IZ82872


SYMPTOM: TAM authorization module does not work with federation scenario. The TAM authorization module should be able to consume TAM credential bytes from the STSUU or from the current STS response object in the case where an IVCred module has run in issue mode prior to the TAM Authorization module.

APAR IZ82855


SYMPTOM: Custom authorization tokens with attributes added by TAI are not processed by the IBM Tivoli Federated Identity Manager when creating a local token for TFIM with WebSphere point of contact.

APAR IZ82849


SYMPTOM: For Chinese-language page templates that contain RPT / eRPT macro blocks, when any text within those blocks contains DBCS characters the RPT block is not filled in correctly when IBM Tivoli Federated Identity Manager returns the page template.

APAR IZ82851


SYMPTOM: If a service provider sends an SSO request containing the requested NameIDFormat of urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified the IDP implementation treats this as a persistent name identifier even if the DefaultNameIDFormat parameter for the partner or federation is set to a different name id format.

APAR IZ82866


SYMPTOM: Migration fails for federations containing custom modules.

APAR IZ82846


SYMPTOM: The LTPA token validate only looks on the current Element for a prefix definition.

APAR IZ82871


SYMPTOM: The IBM Tivoli Federated Identity Manager Liberty SPS Module fails to serialize objects on the distribute cache.

APAR IZ82869


SYMPTOM: The SAML 2.0 SPS module fails to apply the appropriate signature policy when the AuthnRequest is received using the artifact binding.

APAR IZ82864


SYMPTOM: Wrong Target URL received at the Service Provider when doing an Identity Provider initiated Single Sign On using the Artifact Binding.

APAR IZ82865


SYMPTOM: The identity provider behind a WebSphere point of contact throws a NullPointerException upon receiving a Single Logout Request from a service provider behind WebSEAL.

APAR IZ82856


SYMPTOM: The IBM Tivoli Federated Identity Manager generated nonce value might have invalid characters in some situations.

APAR IZ74793


SYMPTOM: The IBM Tivoli Federated Identity Manager SAML 2.0 SSO Module does not include enough error information on the response message to allow exploiters to debug the reasons for artifact resolution failures.

APAR IZ67423


SYMPTOM: The ITFIM Authorization STS module connection pool deadlocks if connections are marked for removal.

APAR IZ66397


SYMPTOM: Key alias not used to select key for XML signature and validation.

APAR IZ82868


SYMPTOM: The ITFIM SAML 2.0 STS module is not honoring the default name id format parameter setting.

APAR IZ82867


SYMPTOM: The ITFIM SAML 2.0 SPS module requires assertion signature even when the enclosing document is signed.

APAR IZ82870


SYMPTOM: The SAML 2.0 SPS module signs the assertion in instances where the signature policy indicates that the assertion should not be signed.

APAR IZ82852


SYMPTOM: The ITFIM SAML 2.0 STS module fails to validate a SAML 2.0 Assertion containing the NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

APAR IZ82874


SYMPTOM: Recipient checking is not performed correctly by the SAML browser post support.

APAR IZ82853


SYMPTOM: Invalid URL encoding of the RelayState parameter being performed by the SAML 2.0 SPS module.

APAR IZ83544


SYMPTOM: The LTPA STS module sends an incorrect message when the token being validated is expired. The inserts on the message are on reverse order so the expiration date is displayed where the current date field should be.

APAR IZ83543


SYMPTOM: Signed XML strings may be incorrectly encoded if the default file encoding for the operating system platform is not UTF-8 (e.g. Windows or AIX).

Problems fixed by fix pack 6.2.0-TIV-TFIM-FP0003

APAR IZ66695


SYMPTOM: JDBC alias service is case sensitive for username.

APAR IZ40010


SYMPTOM: The IBM Tivoli Federated Identity Manager IDP displays blank page when initiating solicited SSO for a second time.

APAR IZ41865


SYMPTOM: The solution was to pass the relay state to the URL so that customers can use the capability to override the target URL using the credential attribute that is already supported.

APAR IZ44890


SYMPTOM: When sending a Kerberos token to the Security Token Service the following error gets returned.

APAR IZ46723


SYMPTOM: When upgrading an expired validation and encryption certificate, the keystore "view keys" page shows the certificate as expired.

APAR IZ46765


SYMPTOM: The Where Are You From (WAYF) cookie lifetime needs to be configurable through the GUI.

APAR IZ47454


SYMPTOM: Passticket module incorrect logging verbosity.

APAR IZ47952


SYMPTOM: When using samlsso and adding a target URL with a query string, the query string parameters are lost and do not reach the Service Provider.

APAR IZ50906


SYMPTOM: SOAP faults are returned for WS-Trust Validate request types.

APAR IZ51243


SYMPTOM: The init URL for an unsolicited AuthnResponse has a Target query string parameter that allows a requester to inject JavaScript that is executed when the request is sent to the service provider.

APAR IZ51457


SYMPTOM: When a runtime node is not configured, a NullPointerException is displayed in the browser when a sign-on transaction is attempted.

APAR IZ51459


SYMPTOM: An incorrect ByteArrayOutputStream class was used that is not supported on all platforms.

APAR IZ52979


SYMPTOM: The IBM Tivoli Federated Identity Manager fails to enforce the signature policy properly for assertions.

APAR IZ53517


SYMPTOM: When calling the artifact service and passing in an assertion to get back an artifact, if a custom module encounters an error and generates an exception stack trace that includes some special characters, the artifact service fails to include the exception in the SOAP Fault.

APAR IZ54678


SYMPTOM: SAML 2.0 Configuration objects did not implement the Serializable interface.

APAR IZ55551


SYMPTOM: The Management Console fix pack installation appears to complete successfully, but the console does not operate correctly.

APAR IZ56179


SYMPTOM: Updating the partner through the properties page corrupts the configuration.

APAR IZ56265


SYMPTOM: IBM Tivoli Federated Identity Manager fails to split the URL properly if "sps" is in the hostname.

APAR IZ56459


SYMPTOM: After unlinking an account, under some circumstances the alias entry is not removed.

APAR IZ56548


SYMPTOM: IBM Tivoli Federated Identity Manager supports an Oracle database for the TFIM alias service, but attempts to use Oracle displayed errors.

APAR IZ60816


SYMPTOM: Federation stops at https://hostname/fim/sps/wssoi screen.

APAR IZ62620


SYMPTOM: Authorization decision query returning invalid decision query.

APAR IZ62955


SYMPTOM: SAML 1.X module does not validate recipient value on response.

APAR IZ63597


SYMPTOM: The WS-Trust 1.2 RequestSecurityTokenResponse message differs from the IBM Tivoli Federated Identity Manager 6.0.0 response message.

APAR IZ63967


SYMPTOM: When IBM Tivoli Federated Identity Manager returns HTTP cookies to the browser, none of the secure bits are set.

APAR IZ47754


SYMPTOM: ManageNameID defederation to a Service Provider where the alias does not exist.

APAR IZ48248


SYMPTOM: The SAML 2.0 IDP incorrectly processes the unspecified NameID format and always treats unspecified as a persistent ID.

APAR IZ49157


SYMPTOM: OpenID Caches are not per-federation.

APAR IZ48258


SYMPTOM: OpenID relying-party association cache indexing error.

APAR IZ48262


SYMPTOM: SOAP Client fails to initialize if using trust store with password.

APAR IZ66903


SYMPTOM: The HMAC-SHA256 association type fails with the no-encryption session type.

APAR IZ66905


SYMPTOM: Incorrect handling of a lost association.

APAR IZ66908


SYMPTOM: The POST message to the return_to URL should use the query string if possible.

APAR IZ66770


SYMPTOM: Form Post parameters should always be HTML encoded.

APAR IZ66769


SYMPTOM: Internal APAR for STS conformance updates.

APAR IZ66771


SYMPTOM: Internal APAR for TFIM 620 build updates.

APAR IZ66772


SYMPTOM: Internal APAR for TFIM 620 point of contact updates.

APAR IZ66773


SYMPTOM: Internal APAR for SAML conformance updates.

APAR IZ52557


SYMPTOM: The Event Handler extension point does not have access to the event trail ID.

APAR IZ52563


SYMPTOM: tfimcfg tool doesn't work correctly in a multi-TAM domain.

APAR IZ48249


SYMPTOM: SAML 2.0 Service Provider cannot validate SSL certificate on a list of trusted signers.

Problems fixed by fix pack 6.2.0-TIV-TFIM-FP0002

APAR IZ41018


SYMPTOM: When an MNIDS operation is triggered and the user does not have an alias stored in the LDAP alias repository, WebSEAL returns a server error.

APAR IZ35877


SYMPTOM: A NullPointerException occurs when the SAML 2.0 Response does not contain an issuer.

APAR IZ47906


SYMPTOM: The IBM Tivoli Federated Identity Manager complains "invalid_message_timestamp" when it receives an AuthnRequest with a SAML 2.0 IssueInstant in the date time format "2008-07-01T13:30:50.830773Z".

APAR IZ44577


SYMPTOM: STSMessageLogger does not work with multiple custom extensions. If two different chains utilize the STSMessageLogger, each with its own custom extension, only one of the extensions is used, and it is used by both chains.

APAR IZ44576


SYMPTOM: STSMessageLogger does not work with Information Card IDP trust chain. When the STSMessageLogger is used as the first element in a trust chain for an Information Card IDP federation, and a card is used at a RP, the retrieval of a security token from the IDP fails. The IDP's WebSphere log shows the exception com.ibm.ws.webservices.engine.InternalException java.lang.IllegalArgumentException.

APAR IZ44575


SYMPTOM: STSMessageLogger leaves open files locked on every IBM Tivoli Federated Identity Manager single-sign-on. When the STSMessageLogger is used in a trust chain for federated single sign-on, a new message logger file is created on every request. This rapidly results in file handle starvation.

APAR IZ44573


SYMPTOM: When using the STSMessageLogger in a trust chain, a new file is created each time the "Reload Configurations" operation is performed (i.e. an OSGi runtime restart). These file handles are left open until WebSphere is restarted.

APAR IZ44572


SYMPTOM: STSMessageLogger does not work when using WS-Trust 1.3 requests to the Tivoli Federated Identity Manager (TFIM) Security Token Service.

APAR IZ44571


SYMPTOM: If an OP returns an OP-Identifier as the claimed identifier, the Relying Party does not reject the login and allows authentication to succeed. The Relying Party should reject the login. This issue affects only OpenID relying-party configurations during OP-identifier login.

APAR IZ44569


SYMPTOM: OpenID Identity Provider hangs for long time when the relying-party sends an empty association handle. This results in a 30-second login time from this type of relying-party.

APAR IZ44567


SYMPTOM: Some OpenID relying-party logins fail if an empty OpenID invalidate_handle value is sent in the login response. This problem was discovered when testing with WebSphere sMash.

APAR IZ44562


SYMPTOM: If any page template that contains repeatable replacements is called with a replacement string that contains a single backslash or a dollar sign ($) then the replacement will not function correctly and will cause an IllegalArgumentException.

APAR IZ44560


SYMPTOM: When tracing is turned on for the class com.tivoli.am.fim.infocard.delegates.InfoCardSTSDelegate and username/password information card is presented at the IDP to exchange for a SAML assertion, the user's password is exposed in clear text in trace.

APAR IZ44570


SYMPTOM: OpenID Identity Provider SREG namespace handling is broken. This problem was discovered when testing with WebSphere sMash. The OpenID identity provider should return the same SREG namespace that it received.

APAR IZ44555


SYMPTOM: If a user trusts an OpenID relying party site, then deletes the trust from the site manager and re-accesses the site, the consent-to-authenticate page is not displayed when it should be. This affects OpenID identity provider installations.

APAR IZ44557


SYMPTOM: The OpenID 2.0 flows are non-conformant with the specification regarding a claimed identifier of identifier_select.

APAR IZ44559


SYMPTOM: The closing macro delimiter, @OPTIONAL_ATTRIBUTE@, is missing from the consent.html template file for the label for optional SREG attributes. This only applies to OpenID identity provider federations.

APAR IZ44563


SYMPTOM: OpenID RP in white-list scenario has severely slow performance.

APAR IZ35057


SYMPTOM: The SAML Assertion token generator was not issuing Assertions correctly with SubjectConfirmation methods of holder-of-key and sender-vouches.

APAR IZ47911


SYMPTOM: The publish plugins MBean action requires a domain to be passed in which causes a problem on systems where an IBM Tivoli Federated Identity Manager fix pack is applied before TFIM is configured.

APAR IZ47912


SYMPTOM: Calls to IDMappingExtUtils.AddAliasForUser (which is typically made from a mapping rule) appear to succeed for non-existent users when they actually do not succeed. No alias is added. This problem is only applicable on systems with the IBM Tivoli Federated Identity Manager Alias service set to LDAP using TAM.

APAR IZ35742


SYMPTOM: IDP source validation cannot be done because the SAML 1.x browser artifact does not contain the IDP source. Relying parties must be able to check in the mapping rule that the Issuer contained in an assertion comes from the expected IDP partner. Without this capability, rogue IDPs can spoof other IDPs' assertion issuers.

APAR IZ47913


SYMPTOM: When making STS requests to the WS-T 1.3 endpoint and authentication is enabled the requestor is not challenged to authenticate. This is because the WS-T 1.3 endpoint is missing the security constraint definition.

APAR IZ47917


SYMPTOM: When uninstalling a fix pack, the process might fail at the very end. The UPDI log shows that the backup pak file for the fix pack could not be removed from the system. The problem affects only the Windows platform.

APAR IZ47918


SYMPTOM: The authentication data used during the authentication callback is not made available when WebSEAL is the PoC. The authentication mechanism being used for the WebSEAL PoC does not work because the authentication information, such as the federation name, federation ID, and so on, is not available.

APAR IZ47919


SYMPTOM: When running IBM Tivoli Federated Identity Manager with WebSphere Application Server as the Point of Contact at the Service Provider and WebSEAL at the IDP, a null pointer exception occurs when logout is invoked from the Service Provider after a successful SSO.

APAR IZ48040


SYMPTOM: The mapping rule example file ip_saml_20_email_nameid.xml is missing the namespace definition.

APAR IZ48041


SYMPTOM: Routine build maintenance.

Problems fixed by fix pack 6.2.0-TIV-TFIM-FP0001

APAR IZ32487


SYMPTOM: SAML 2.0 sessions expire immediately if the Amount of time the assertion is valid property is set to 4294080 seconds or greater (49.7 days or greater).

APAR IZ31416


SYMPTOM: The WSSM trust client erroneously inserts a wsse namespace declaration into the wst:Base element when building requests to the trust service.

APAR IZ25784


SYMPTOM: When running in a WebSphere 6.0.2.x environment, an error could occur when importing or upgrading a Federated Identity Manager 6.1.1.x domain, if custom token modules were developed for it.

APAR IZ29211


SYMPTOM: A failure could occur while performing a SAML 2.0 single logout with the Service Provider, if the assistant name identifier was configured for the federation. The reported error was FBTSML219E.

APAR IZ29167


SYMPTOM: The underlying secure protocol of an HTTPS connection created by Tivoli Federated Identity Manager is hard-coded to be SSL.

APAR IZ30074


SYMPTOM: A timestamp is embedded within a passticket, but the time value interval is only granular to a full second.

APAR IZ30083


SYMPTOM: An error could occur when attempting to run the tfimcfg tool in a Sun Solaris(TM) environment. The error was seen after the WebSEAL hostname was provided. The reported error stated that HTTPS is not a recognized protocol.

APAR IZ30053


SYMPTOM: A performance degradation problem could occur when a federated single sign-on is attempted using LDAP registries containing millions of federated users. Depending on system and network conditions, a single sign-on operation could fail due to timeouts. The associated error reported a bad subtree search in LDAP.

APAR IZ30060


SYMPTOM: A potential problem could occur with the use of the OpenId Provider local identifier. When using OpenID 2.0, the Relying Party should differentiate between Claimed Identifiers and OP-Local Identifiers. The Federated Identity Manager implementation used the OP-Local identifier, if present, for both values. This APAR fixes this problem by ensuring compliance with the OpenID 2.0 specification.

APAR IZ30061


SYMPTOM: The OpenID Claimed Identifier was incorrectly normalized during HTML discovery. While performing an OpenID HTML discovery, the default action in the OpenID Relying Party was to follow redirections automatically which prevented the proper canonicalization of the final Claimed Identifier (claimed_id) URL.

APAR IZ30076


SYMPTOM: LTPA v2 issued tokens that were rejected by WebSphere Application Server versions 6.0.2 and 6.1.

APAR IZ30078


SYMPTOM: Logging and tracing could not be set for identity mapping from within an XSLT rule.

APAR IZ30080


SYMPTOM: An XSLT identity mapping failure occurred when using the alias server with JDBC.

APAR IZ34569


SYMPTOM: When an RST is sent to the STS with an empty text node for the AppliesTo, PortType or OperationName element, a null pointer exception is thrown.

APAR IZ34571


SYMPTOM: The Higgins Client Jars directory adks/client/sts is missing some dependency JARs and includes unnecessary server JARs.

APAR IZ34573


SYMPTOM: In an OpenID exchange the RP cannot display an appropriate login identifier on the screen to end users if the OP-identifier was used to login.

Prerequisites


You must have the following software installed in order to install this fix pack:

Installation Instructions


Be aware of the following considerations before installing this fix pack:

Installation path specification for the Windows Server 2008 platform


This preinstallation item applies only to installations on a 64-bit Windows platform like Windows Server 2008.

Because Federated Identity Manager is a 32-bit application its default path when installing on Windows Server 2008 changes from

C:\Program Files\IBM\FIM

to:

C:\Program Files (x86)\IBM\FIM

Note that this change to the installation path name also affects a 32-bit WebSphere Application Server on Windows Server 2008:

C:\Program Files\IBM\WebSphere

changes to:

C:\Program Files (x86)\IBM\WebSphere

Update Installer


This fix pack requires the use of the WebSphere Update Installer version 7.0.0.0. Ensure that you have installed the correct version of the WebSphere Update Installer on each computer where you will install the fix pack. You can download the WebSphere Update Installer version 7.0.0.0 from the WebSphere Application Server Update Installer Web site. Installation instructions are on the download page.

Fix pack packaging


This Tivoli Federated Identity Manager 6.2.0-TIV-TFIM-FP0013 patch package is provided on the Tivoli Support Web site as a single downloadable zip file for each supported platform. After you select the package that is appropriate for the target platform, download the package and unzip the contents into a target directory, typically the default WebSphere Update Installer directory, either

C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance

for Windows or

/opt/IBM/WebSphere/UpdateInstaller/maintenance

for Unix/Linux

You must unzip the downloaded file before you attempt to apply the patch. The unzipped contents are one or more pak files. Each pak file corresponds to one or more product components. For example, a fix pack might contain two pak files: one for the administration console and management service and runtime components, and one for the WSSM component. The full list of product components is described in Fix pack structure.

Use the WebSphere Update Installer to apply the fixes of each pak file to the target component on the system that you are updating. Apply all of the pak files that are required by your installation to ensure that the software levels in your environment are identical for all of the components for which a pak file is supplied. The fixes are tested against all affected components; therefore, to minimize any possible issue that can arise from applying a partial fix, ensure that you apply the complete set of files. See Installing the fix pack for specific instructions on using the Update Installer to apply the fixes.

Automatic creation of a backup directory


The Update Installer saves backup copies of the files that it replaces during the installation. You do not need to manually back up the Federated Identity Manager files.

Preinstallation enablement requirement for installing the fix pack for the first time

If this is the first time you are applying the fix pack to Federated Identity Manager, you must download and install the enablement fix for Tivoli Federated Identity Manager.

NOTE: Perform the following steps only if this is the first time you are applying a fix pack. You will not need to perform these steps for subsequent product updates.


1. Download the enablement fix into the Federated Identity Manager installation directory (typically C:\Program Files\IBM\FIM on a Windows system or /opt/IBM/FIM on a UNIX-based system) by clicking here.
2. Use the unzip option of the zip program for your operating system to unzip the file. On HP-UX, either use jar -xvf to unzip the file or download an unzip utility from the HPUX Connect site.

NOTE: If you are prompted to overwrite an existing file, accept it so that the target file is overwritten.



Installing the fix pack

NOTE: Before installing this fix pack, ensure that you have reviewed the prerequisites in Before installing the fix pack.


Downloading the fix pack

To obtain the fix pack:


1. Go to the IBM Tivoli Federated Identity Manager Support Web site.
2. Click Download. The fix pack (6.2.0-TIV-TFIM-FP0013) should be listed under Latest by date. If you do not see this fix pack listed, enter "6.2.0-TIV-TFIM-FP0013" in the Search field to access the link to the download window.
3. In the fix pack download window, scroll to the bottom of the window to view a listing of the download packages by platform.
4. Select the platform that corresponds to the target platform where you will apply the fixes. To ensure a secure download, you can select the DD (Download Director) option. If you have not used Download Director before, you will need to configure your browser to use Java security. Click What is DD? for configuration instructions.


Setting the WebSphere security passwords

If security is enabled on the WebSphere Application Server where Federated Identity Manager is installed, you must set the appropriate password values in the fim.appservers.properties file before you can apply the fix pack.

If security is not enabled, you can skip this step.

NOTE: If you add passwords to the fim.appservers.properties file, as described below, you specify these passwords using plain text. However, at the end of the fix pack installation process these passwords are obfuscated and will no longer be available in plain text format.

To specify security passwords, use the following procedure:


1. Using a text editor, open the file FIM_INSTALL_DIR/etc/fim.appservers.properties.
2. If the was.security.enabled property is present in the fim.appservers.properties file and is set to true then you must add two password properties to the file:
  • the was.admin.user.pwd property with a value of the administrator login password for the WebSphere Application Server where Federated Identity Manager is deployed
  • the was.truststore.pwd property with a value of the password for the trust store used for client-side SSL authentication in that WebSphere Application Server
For example,
  • was.admin.user.pwd=was_admin_pw
  • was.truststore.pwd=truststore_pw
3. If the ewas.security.enabled property is present in the fim.appservers.properties file and is set to true then you must add two password properties to the file:
  • the ewas.admin.user.pwd property with a value of the administrator login password for the Embedded WebSphere Application Server where Federated Identity Manager is deployed
  • the ewas.truststore.pwd property with a value of the password for the trust store used for client-side SSL authentication in that Embedded WebSphere Application Server
For example,
  • ewas.admin.user.pwd=ewas_admin_pw
  • ewas.truststore.pwd=truststore_pw
4. Save and close the fim.appservers.properties file.
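A preflight check for steps 2 and 3 of this procedure, added here as an example and not part of the IBM README: it parses fim.appservers.properties and lists the password properties that are still missing for each server whose *.security.enabled flag is true. The sample file content and the one-property-per-line parsing are assumptions; the property names are the ones given in the steps above.

```python
"""Preflight check for fim.appservers.properties before applying the fix pack.
Added example; not part of the IBM fix pack README."""
import sys
from typing import Dict, List

# Password properties that must be present when the matching
# *.security.enabled flag is true (names as given in the procedure above).
REQUIRED_PASSWORDS = {
    "was.security.enabled": ("was.admin.user.pwd", "was.truststore.pwd"),
    "ewas.security.enabled": ("ewas.admin.user.pwd", "ewas.truststore.pwd"),
}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: one key=value (or key:value) per line,
    '#' and '!' comment lines skipped. Line continuations are not handled
    (assumption: fim.appservers.properties uses simple single-line entries)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on the first '=' or ':' separator, whichever comes first.
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def missing_password_properties(props: Dict[str, str]) -> List[str]:
    """Return the password properties that still have to be added
    before the fix pack can be applied (empty list means ready)."""
    missing: List[str] = []
    for flag, pwd_keys in REQUIRED_PASSWORDS.items():
        if props.get(flag, "false").strip().lower() != "true":
            continue  # security not enabled for this server: no passwords needed
        for key in pwd_keys:
            if not props.get(key):  # absent or empty value
                missing.append(key)
    return missing


def check_file(path: str) -> List[str]:
    """Check a real FIM_INSTALL_DIR/etc/fim.appservers.properties file."""
    with open(path, encoding="latin-1") as fh:  # .properties files are ISO-8859-1
        return missing_password_properties(parse_properties(fh.read()))


# Constructed sample content; not a real TFIM file.
SAMPLE_BEFORE = """\
# fim.appservers.properties (constructed sample)
was.security.enabled=true
was.admin.user=wasadmin
ewas.security.enabled=false
"""

# The same sample after step 2 of the procedure has been applied.
SAMPLE_AFTER = SAMPLE_BEFORE + """\
was.admin.user.pwd=was_admin_pw
was.truststore.pwd=truststore_pw
"""

if __name__ == "__main__":
    # Usage: python check_fim_props.py [path/to/fim.appservers.properties]
    if len(sys.argv) > 1:
        missing = check_file(sys.argv[1])
    else:
        missing = missing_password_properties(parse_properties(SAMPLE_BEFORE))
    if missing:
        print("Add before applying the fix pack: " + ", ".join(missing))
    else:
        print("fim.appservers.properties is ready for the fix pack")
```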


Applying the fix pack
1. Unzip the file you downloaded in Downloading the fix pack, preferably into the default WebSphere Update Installer maintenance directory,

C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance

for Windows, or

/opt/IBM/WebSphere/UpdateInstaller/maintenance

for Unix/Linux.


2. Ensure that the WebSphere Application Server that hosts the Federated Identity Manager runtime and management service component is running.
3. Ensure that the WebSphere Application Server that hosts the Federated Identity Manager console component is running.
4. Start the appropriate WebSphere Update Installer (typically located in C:\Program Files\IBM\WebSphere\UpdateInstaller on Windows systems, or in /opt/IBM/WebSphere/UpdateInstaller on UNIX-based systems).
5. In the Welcome window click Next. Federated Identity Manager will not be listed, but is supported.
6. Specify the path to the installation directory for Federated Identity Manager (typically C:\Program Files\IBM\FIM on Windows systems, or /opt/IBM/FIM on UNIX-based systems), then click Next.
7. Select Install maintenance in the dialog.
8. Specify the path where the fix pack (.pak) files were unzipped. The Update Installer automatically detects, enables, and displays the FIM fixes (pak files).
9. Determine which product components are installed on the system that you are updating. You should install only the pak files that correspond to the components on the target system. To determine the names and version levels of the product components installed on the target system, view the contents of the FIM_INSTALL_DIR/etc/version.properties file with a text editor. The following list describes how to interpret the properties in the version.properties file:

itfim.build.version.rte-mgmtsvcs=version
Specifies that the management service and runtime component is installed at the level specified by version.
itfim.build.version.mgmtcon=version
Specifies that the administration console component is installed at the level specified by version.
itfim.build.version.wsprov=version
Specifies that the WS-Provisioning runtime component is installed at the level specified by version.
itfim.build.version.wssm=version
Specifies that the Web services security management (WSSM) component is installed at the level specified by version.
itfim.build.version.fimpi=version
Specifies that the Web plug-in (either the Internet Information Services (IIS) Web plug-in or the Apache/IBM HTTP Server Web plug-in) is installed at the level specified by version.

Apply the fix packs to the product's components in the following order:


1. Management service and runtime and administration console
2. Other components

Note: If a domain is not created before application of the IBM Tivoli Federated Identity Manager fix pack, the fix pack installation completes successfully with a "Partially Successful" message.


10. Compare the list of installed components to the list of pak files in the WebSphere Update Installer and select the pak files that correspond to the installed components, then click Next.

Note: The WebSphere Update Installer allows you to select more than one pak file at a time for execution. Select only the pak files that correspond to the components that are installed on the system you are updating. If you accidentally install more pak files than are needed, you can separately uninstall any fix packs for components that are not installed on the target system.


11. If needed (for example, if you need to install multiple pak files on the target system, and you only installed one pak file), repeat the previous step to install any additional pak files on the target system.

NOTE: If you are using the Kerberos Delegation STS module, you need to do the following to ensure the Kerberos Delegation DLL is not loaded in the Java Virtual Machine when it is replaced during runtime component deployment:


1. Restart all the runtime nodes.
2. Do not make any requests to the STS chain that invokes the Kerberos Delegation STS module.
3. Deploy the runtime component. See Deploying the fix pack runtime component for details.


Deploying the fix pack runtime component

After you install the fix pack, you need to redeploy the Tivoli Federated Identity Manager runtime. This task is identical to the deployment task you completed after the initial installation of the management service and runtime components. In a WebSphere cluster environment, you must ensure that the new runtime component is deployed to each WebSphere node.

The initial deployment steps are described in Creating and deploying a new domain in the Installation and Configuration Guide. The specific instructions for deploying the runtime begin in step 16.

NOTES:

  • You do not have to re-configure the runtime into Tivoli Access Manager. The Tivoli Access Manager configuration is retained when the fix pack is applied.
  • During redeployment of the runtime in a cluster environment, you might receive errors such as "ClassNotFoundException" in the WebSphere SystemOut.log files. Any such errors should stop after you restart the cluster.

Use the following procedure to deploy the updated Federated Identity Manager runtime:
1. Log in to the administration console.
2. Select Domain Management-> Runtime Node Management.
3. Ensure that the new runtime (version 6.2.0.13) is displayed as available, then click Deploy Runtime.
4. Wait for the deployment to finish by selecting Click to refresh runtime deployment status and check for completion...
5. If the domain was not created before application of the IBM Tivoli Federated Identity Manager fix pack, click Publish Plug-ins.
6. Verify that the currently deployed version is now 6.2.0.13 as follows:
1. Navigate to the Runtime Node Management window.
2. Look in the Runtime Management section of the Runtime Nodes portlet in the right panel and review the runtime information.

Example:

Runtime Information
----------------------------------------------
Current deployed version 6.2.0.13 [130517a]

Note: The number within the brackets [130517a] might be different from this example.


7. Repeat the previous step for each node in a WebSphere cluster environment.


Publish the fix pack plug-ins to the runtime and reload the configuration

After you install the fix pack and redeploy the Tivoli Federated Identity Manager runtime you must re-publish the plug-ins to the runtime and reload the configuration.

Use the following procedure to re-publish the plug-ins:


1. Log in to the administration console.
2. Select Domain Management -> Runtime Node Management.
3. Click Publish Plugins.
4. After the plug-ins are published, reload the runtime configuration.

README: 6.2.0-TIV-TFIM-FP0013.README.html (English, 177809 bytes), available from Fix Central: http://www.ibm.com/support/fixcentral/quickorder?product=ibm/Tivoli/IBM+Tivoli+Federated+Identity+Manager&release=All&platform=All&function=fixId&fixids=6.2.0-TIV-TFIM-FP0013&includeSupersedes=0

Download Package

The fix pack packages, dated 03 Jun 2013 (English, 106359429 bytes each), are available from the same Fix Central URL for the following platforms: AIX (6.2.0-TIV-TFIM-FP0013-AIX), Linux (6.2.0-TIV-TFIM-FP0013-Linux), Solaris (6.2.0-TIV-TFIM-FP0013-Solaris), Windows (6.2.0-TIV-TFIM-FP0013-Windows), z/OS (6.2.0-TIV-TFIM-FP0013-ZOS) and HP-UX (6.2.0-TIV-TFIM-FP0013-HPUX).

Product: Tivoli Federated Identity Manager (SSZSXU), Version 6.2. Business Unit: Security (Security Software). Platforms: AIX, Linux, Solaris, Windows, z/OS, HP-UX.

Problems (APARS) fixed
IV43162;IV42940;IV40190;IV09367;IV24603;IV19689;IV38244;IV23069;IV36844;IV38308;IV38365;IV38366;IV38326;IV38368;IV38369;IV38370;IV38376;IV38377;IV38378;IV38385;IV38387;IV38388;IV38389;IV38391;IV38359;IV38364;IV10801;IV23431;IV23445;IV23792;OA39921;IV24381;IV26034;IV26826;IV26823;IV01293;IV01314;IV01819;IV01295;IV01254;IV01190;IV01822;IV01319;IV01315;IV01318;IV03231;IV03050;IV01824;IZ03616;IZ72928;IZ91976;IZ92245;IZ94653;IV01175;IZ96477;IV01201;IV01202;IV03048;IV03074;IZ66695;IZ40010;IZ41865;IZ44890;IZ46723;IZ46765;IZ47454;IZ47952;IZ50906;IZ51243;IZ51457;IZ51459;IZ52979;IZ53517;IZ54678;IZ55551;IZ56179;IZ56265;IZ56459;IZ56548;IZ60816;IZ62620;IZ62955;IZ63597;IZ63967;IZ47754;IZ48248;IZ49157;IZ48258;IZ48262;IZ66903;IZ66905;IZ66908;IZ66770;IZ66769;IZ66771;IZ66772;IZ66773;IZ52557;IZ52563;IZ48249;IZ25784;IZ29167;IZ29211;IZ30053;IZ30060;IZ30061;IZ30074;IZ30076;IZ30078;IZ30080;IZ30083;IZ31416;IZ32487;IZ33723;IZ34546;IZ34547;IZ34554;IZ34555;IZ34558;IZ34559;IZ34562;IZ34565;IZ34569;IZ34571;IZ34573;IZ35057;IZ35742;IZ35877;IZ36892;IZ37076;IZ41018;IZ44555;IZ44557;IZ44559;IZ44560;IZ44562;IZ44563;IZ44567;IZ44569;IZ44570;IZ44571;IZ44572;IZ44573;IZ44575;IZ44576;IZ44577;IZ47906;IZ47911;IZ47912;IZ47913;IZ47917;IZ47918;IZ47919;IZ48040;IZ48041;IZ90479;IZ84999;IZ82570;IZ86962;IZ85973;IZ71906;IZ85972;IZ90562;IZ85971;IZ85765;IZ85970;IZ85967;IZ85968;IZ85966;IZ74961;IZ76766;IZ85286;IZ76141;IZ74691;IZ50813;IZ74511;IZ73144;IZ68018;IZ70082;IZ66147;IZ61855;IZ64190;IZ42265;IZ90560;IZ69868;IZ69507;IZ74720;IZ74280;IZ72439;IZ74795;IZ74793;IZ80240;IZ71991;IZ73880;IZ82872;IZ82855;IZ82849;IZ82851;IZ82866;IZ82846;IZ82871;IZ82869;IZ82864;IZ82865;IZ82856;IZ67423;IZ66397;IZ82868;IZ82867;IZ82870;IZ82852;IZ82874;IZ82853;IZ83544;IZ83543;IZ91581

Document Information

Modified date:
15 June 2018

UID

swg24032915