Urgent and APAR information for the IBM Security Access Manager 9.0.7.2 firmware upgrade

Fix Readme


Abstract

Urgent and APAR information for the IBM Security Access Manager 9.0.7.2 firmware upgrade.
Read all of the urgent information in this document before performing any actions.

Content

Urgent information:
  1) Steps to consider before applying the firmware upgrade:
      a)  Read "Upgrading to the current version" in the product documentation.
      b)  Ensure that APAR IJ24066 is installed before taking a snapshot; snapshots created before that APAR is installed fail when applied.
      c)  Take a snapshot and download it to a local filesystem.
            Please note: there is no need to create a backup partition. The backup partition is overwritten during the firmware update, and the current partition becomes the backup partition.

      d)  After the firmware update is applied, the external database schema updates MUST be applied by following the database update documentation.

 
  2) The firmware update should be applied as soon as possible to retain FULL software support for the embedded software.
       Embedded software vendors may require their software to be at or above a specific level for support or
       potential fixes. At this level the firmware update satisfies their current embedded software
       support requirements.
       This includes but is not limited to the following:
          Liberty
          Java
          GSKit
          JDBC drivers
          PostgreSQL drivers
       Updates to the non-ISAM embedded software can only be applied via a firmware update.

  3) This firmware update contains the following
        Fixes:
         Security vulnerabilities
         Performance improvements
         Memory leaks
         Memory crashes
       Enhancements:
         New CLI options to generate java dumps for default or runtime profiles
         Reduced SAML 2.0 session footprint
         Reduced data stored after completion of SAML 2.0 single sign-on flow
  4) The software levels will be updated to 9.0.7.2
  5) IBM STRONGLY recommends following industry best practices by performing these steps before production rollout:
      a)  Identify all business use cases
      b)  Test all business use cases in lower (test) environments, identical to production if possible
      c)  Performance-test all business use cases in an environment identical to production
________________________________________________________________________
IBM My Notifications
IBM strongly recommends that you subscribe to My Notifications so that you receive the latest urgent information about this document and feedback on IBM products.
You can find more information about My Notifications here: IBM My Notifications

________________________________________________________________________
APARs fixed in the ISAM 9.0.7.2 firmware upgrade

Each entry gives the APAR number followed by its description; where an APAR introduces a new configuration entry or advanced configuration property, it is listed beneath the description.
IJ14029

FBTOAU227E ERROR CODE RETURNED FOR /AUTHORIZE REQUEST INCLUDING PARAMETERS IN QUERY STRING AND AS JWT

IJ14492

REST API TRUNCATES SERVER DNS WITH A COLON

IJ15318

AAC TEMPLATE PAGES USING TEMPLATE PAGE SCRIPTING (JAVASCRIPT) ARE CACHED INCORRECTLY

IJ16198

REBOOT CAUSES STATIC ROUTE LOST USING DHCP

IJ16815

DOCKER - PDWEB LOG LINK TO APPLICATION.LOG LOST ON RESTART

IJ17591

DOCKER UPGRADE FROM 9.0.6 TO 9.0.7 FAILS TO START POSTGRES CONFIGDB

IJ18700

DEVICE_AUTHORIZE ENDPOINT FOR OAUTH USES DIFFERENT SEPARATOR FOR MULTIPLE SCOPE VALUES

IJ19127

ADDING OPTIONAL SAML 2.0 ATTRIBUTE "PROVIDERNAME" TO SAML REQUEST (SAMLP:AUTHNREQUEST)

New Boolean advanced configuration 'saml20.authn.request.provider.name.enabled' adds the ProviderName attribute to the SAML 2.0 AuthnRequest

IJ19666

MACOTP NOT AFFECTED BY otp.retry.(enabled|maxNumberOfAttempts|otpRetryTimeout) PARAMETERS, INCONSISTENT WITH TOTP AND HOTP

Retry enforcement in the OTPVerify mapping rule must be turned off: change var isRetryEnforcementEnabled from true to false, then update the rule, deploy, and restart the runtime.

IJ19903

OTP FAILED ATTEMPTS NOT LOCKING WHEN USING EXTERNAL ORACLE HVDB

IJ20226

PARAMETER IS NOT VALID : HVDB_ADDRESS: THIS VALUE MUST BE AN IP ADDRESS OR FULLY QUALIFIED DOMAIN NAME (FQDN)

IJ20406

DEFAULT TARGET URL NOT ACCEPTING RELATIVE URL WHILE CREATING SAML PARTNER

IJ20502

GEONAME_ID WITH EMPTY VALUE FOR MAXMIND GEOLOCATION DATABASE V2 CAUSING FAILURE

IJ20629

 REGENERATING OTP TOKEN DOES NOT RESET CLOCK FOR TOKEN EXPIRY

IJ20630

CANNOT EXPORT OBJECT SPACE WHEN JUNCTION HAS TRAILING FORWARD SLASH (/) IN NAME

IJ20655

UPGRADE ISAM HARDWARE APPLIANCE CORRUPTS GRUB BOOT MENU

IJ21285

PROXY INSTANCE ON DOCKER WILL STOP RESPONDING IF YOU CREATE A JUNCTION TO A SERVER WHICH IS NOT THERE

 

Reverse Proxy configuration

Added [junction] connect-timeout = 30

IJ21794

WEBSEAL INCORRECT HANDLING OF INACTIVE-TIMEOUT WITH DSC

IJ21970

WHEN ISSUE REFRESH TOKEN IS DISABLED AN INCORRECT VALUE FOR EXPIRES IN IS CALCULATED FOR THE ACCESS TOKEN

IJ22428

WHEN ISSUE REFRESH TOKEN IS DISABLED AN INCORRECT VALUE FOR EXPIRES IN IS CALCULATED FOR THE ACCESS TOKEN

IJ22528

REMOTE SYSLOG FORWARDER ABILITY TO SEND CUSTOM RUNTIME .LOG FILES FROM RUNTIME DIRECTORY

IJ22530

 MEMORY LEAK IN REVERSE PROXY CERTIFICATE MAPPING

IJ22571

ISAM SAML SP WITH LONG TARGET URL RESULTS IN HTTP 500

IJ22721

MISSING MECHANISMS IN MMFA CONFIGURATION AFTER UPGRADE WHEN USING EXTERNALIZED CONFIGURATION DATABASE

IJ22755

WEBSEAL -> MANAGING ADMINISTRATION PAGES -> IMPORT BEHAVIOR CHANGED FROM 906 TO 907

IJ22903

ERROR FBTRBA005E WHILE IMPORTING A PARTNER

IJ22997

REVERSE PROXY TRAFFIC CANNOT SHOW OLD DATA MORE THAN AROUND 10 DAYS OLD

IJ23000

UNABLE TO SELECT “UNSPECIFIED” FOR DEFAULT NAMEID

LMI will now list urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified for default NameID format

IJ23062

ISPASSWORDVALID() FUNCTION NOT RENDERING CORRECT VALUE

IJ23104

STS CHAIN EXCEPTION HIERARCHY_REQUEST_ERR WHEN USING USERNAME AND PASSWORD MODULE

New Boolean advanced configuration 'sts.wstrust.error.shortexception' (default: false): when false the full STS exception stack is displayed; when true only the exception message is displayed.

IJ23198

SUPPORT FOR PERSISTENT TIMEOUT CONFIGURATION FOR WAS LIBERTY

IJ23488

STALE GSO CACHE ENTRIES FOR USER CANNOT BE REMOVED AT LOGIN

Reverse Proxy configuration
[gso-cache] gso-cache-login-clear-user = no

IJ23647

MMFA PUSH NOTIFICATION DOES NOT COMPLETE SUCCESSFULLY

IJ23841

UNABLE TO DISABLE TLS RENEGOTIATION ON REVERSE PROXY ADMIN PORT

 

Reverse Proxy, Authorization Server, Policy Server configuration

[ssl] disable-renegotiation = false (set to true to disable TLS renegotiation)

IJ23926

FONT FILE IN AAC TEMPLATE FILES PRODUCES 404 HTTP ERROR

New string array advanced configuration 'sps.page.jsCompileFileExtensions' (default: html,json) lists the file extensions that are compiled as template scripts when pages specific to Federation flows are retrieved

IJ23960

REFRESHING TOKENS (USING HASHED REFRESH TOKENS) FAILS AT 9071

IJ24035

OAUTH RELATED DB ARTIFACTS ARE NOT ALWAYS CLEANED UP AFTER USE

IJ24036

OAUTH TEMPLATE PAGE'S ERROR CODE MACRO VALUE CHANGES WHEN THE PAGE IS CUSTOMISED WITH SCRIPTING

IJ24066

ISAM SNAPSHOTS WHEN APPLIED FAILS WITH ERROR

IJ24151

GRANT MANAGEMENT NOT WORKING AT 9070

IJ24271

ISAM REVERSE PROXY 907 EDITING WEBSEAL CONFIGURATION VIA LMI CHANGES DEFAULT LANG

IJ24277

DOCKER: ISAM_CLI SHUTDOWN NO LONGER WORKS AFTER V9.0.7.1

IJ24300

REST API DOES NOT VALIDATE DUPLICATE HOST ENTRIES

IJ24874

REMOTE SYSLOG AGENT HIGH CPU ONLY RESOLVED BY RESTART

IJ25189

THE PASSWORD SETTINGS IN THE [ITIM] STANZA ARE NOT OBFUSCATED

IJ25439

AN ACCESS POLICY USING PROTOCOLCONTEXT.GETFEDERATIONNAME() RETURNS COMPANY NAME

IJ25575

REST_API: EXPORT ADMINISTRATION PAGES ROOT AS A .ZIP FILE RESULTS IN "405 METHOD NOT ALLOWED"

IJ25718

METHOD TO DELETE HASHED TOKENS FROM MAPPING RULE

IJ25850

CANNOT DELETE CONTENTS OF DEFAULT LOCATION FOR POLICY SERVER AUDITING

IJ25865

OIDC 'FBTOIC106E Invalid state' OBSERVED

IJ25898

CANNOT USE LARGE TOKENS WITH IBM DB2 AS HVDB

IJ26004

THE STATE PARAMETER IS NOT URLENCODED ON OAUTH STS RESPONSE

IJ26025

AAC AUDIT LOG SHOWS ACCESS TOKEN
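
An access token written to an audit log is a credential at rest in a place that is widely readable and long retained. The following Python is an added example (not ISAM's code and not part of this readme) of the scrubbing a log forwarder or collector can apply as defence in depth: it redacts Bearer tokens and access/refresh/id token values wherever they appear in a line, replacing each with a short SHA-256 fingerprint so that events for one token can still be correlated. The sample log lines are constructed for the example and do not reproduce real ISAM record formats.

```python
import hashlib
import re
from typing import List

# Places a token can appear in a log line: a Bearer Authorization header, or an
# access_token / refresh_token / id_token value in form, query or JSON syntax.
_TOKEN_SITES = [
    re.compile(r"(?i)(Authorization:\s*Bearer\s+)([A-Za-z0-9._~+/=-]+)"),
    re.compile(r"(?i)((?:access|refresh|id)_token[\"']?\s*[:=]\s*[\"']?)([A-Za-z0-9._~+/=-]+)"),
]


def fingerprint(token: str) -> str:
    """Short SHA-256 prefix: analysts can correlate events for one token without the token itself."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:8]


def redact_tokens(line: str) -> str:
    """Replace every token value in the line with a fingerprint marker."""
    def _replace(match: "re.Match[str]") -> str:
        return f"{match.group(1)}<redacted sha256:{fingerprint(match.group(2))}>"
    for site in _TOKEN_SITES:
        line = site.sub(_replace, line)
    return line


def scrub_log(lines: List[str]) -> List[str]:
    """Scrub a batch of log lines; lines without tokens pass through unchanged."""
    return [redact_tokens(line) for line in lines]


# Constructed sample lines in the rough shape of runtime/audit output; not real ISAM records.
SAMPLE_LOG = [
    '2020-10-09T10:15:01Z audit event=token_issue client_id=spa-app access_token=eyJhbGciOi.abc.def scope="openid"',
    '2020-10-09T10:15:02Z request GET /oauth/userinfo Authorization: Bearer Zm9vYmFy',
    '2020-10-09T10:15:03Z audit event=token_refresh {"refresh_token":"rt-1234-5678","expires_in":3600}',
    '2020-10-09T10:15:04Z audit event=logout user=alice',
]

if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG):
        print(line)
```

Run it on the forwarder side (for instance in front of the remote syslog target) rather than trusting every producer to redact; the fingerprint is one-way, so it is safe to keep in the SIEM.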

IJ26092

INTERNAL REDIRECT FROM VIRTUAL HOST JUNCTION FAILS TO RESOURCES ON STANDARD JUNCTION

IJ26119

SPACE CHARACTERS ARE ENCODED AS PLUS SIGNS IN POC ATTRIBUTES WITH URL.ENCODING.ENABLED=TRUE

IJ26125

REST API TO RETRIEVE WEBSEAL CONFIGURATION DOES NOT SHOW EMPTY VALUES

IJ26146

ISAM 9.0.7.0 UPGRADE CHANGES SERVER LOG (MSG_WEBSEALD-XXX.LOG) '--' SEPARATOR TO 'NEW LINE' SEPARATOR 

Reverse Proxy configuration
[logging] server-log-single-line = True

IJ26175

HOW TO EFFECTIVELY CHANGE THE SPNAMEQUALIFIER FROM THE IDP MAPPING RULE

IJ26345

IN-PLACE TRUSTEER PIP IS OVERWRITTEN DURING FIRMWARE UPGRADE

IJ26399

RSA CONFIG: JAVA.LANG.NOCLASSDEFFOUNDERROR COM.RSA.AUTHAGENT.AUTHAPI.CONFIG.AGENTPROPERTIES (INITIALIZATION FAILURE)

IJ26413

LMI SSL CERTIFICATE UPDATE IS NOT GUARANTEED TO BE SUCCESSFUL ALL THE TIME

IJ26416

DISALLOW PATH IN POLICY SERVER AUDITLOG SETTING

Also enforces that the audit log file name ends in .log
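
The restriction that IJ26416 applies, written out as an added Python example (not ISAM's code): a setting that accepts a path lets whoever can edit the policy server configuration point the audit file anywhere the server can write, so the value is reduced to a bare file name with a .log suffix, and the resolved path is checked against the base directory as a second line of defence. The base directory value is an assumption for the example; the real default location is not stated on this page.

```python
import os
import re
from typing import Tuple

# Stand-in for the policy server's default audit location (assumed for the example).
AUDIT_DIR = "/opt/pdaudit"
# A bare name: starts with a letter or digit, then letters, digits, dot, underscore, hyphen.
_BARE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def validate_audit_log_name(name: str) -> Tuple[bool, str]:
    """Accept only a bare file name that ends in .log; return (ok, reason)."""
    if not name:
        return False, "empty name"
    if "\x00" in name:
        return False, "NUL byte in name"
    if "/" in name or "\\" in name:
        return False, "path separators are not allowed"
    if name in (".", "..") or not _BARE_NAME.match(name):
        return False, "name contains disallowed characters"
    if not name.endswith(".log") or len(name) <= len(".log"):
        return False, "name must end in .log"
    return True, "ok"


def audit_log_path(name: str) -> str:
    """Resolve the final path and refuse anything that escapes AUDIT_DIR.

    Defence in depth: even if the name check were loosened later, a resolved
    path outside the base directory is still rejected here.
    """
    ok, reason = validate_audit_log_name(name)
    if not ok:
        raise ValueError(reason)
    base = os.path.realpath(AUDIT_DIR)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("resolved path escapes the audit directory")
    return path


if __name__ == "__main__":
    for candidate in ("audit.log", "../../etc/cron.d/job.log", "audit.log.bak", "/var/log/x.log"):
        print(candidate, validate_audit_log_name(candidate))
```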

IJ26474

OAUTH JWKS FILE MISSING "ALG" FIELD
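
A JWKS without "alg" forces relying parties to guess the verification algorithm from the key type, which is exactly the ambiguity that algorithm-confusion attacks exploit. The following Python is an added example (not ISAM's code) of a linter a practitioner can run against a published JWKS endpoint's output: it checks that each key carries kid, use, alg and its public parameters, that alg names an asymmetric signature algorithm, that kids are unique, and that no private parameter has leaked into the key set. The sample documents are constructed for the example; the key material in them is not a real key.

```python
import json
from typing import List

# Signature algorithms a verifier should accept for an asymmetric JWKS.
ASYMMETRIC_SIG_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
                       "ES256", "ES384", "ES512"}
PUBLIC_PARAMS = {"RSA": ("n", "e"), "EC": ("crv", "x", "y")}
PRIVATE_PARAMS = ("d", "p", "q", "dp", "dq", "qi")


def lint_jwks(document: str) -> List[str]:
    """Return the problems found in a JWKS document; an empty list means it is usable."""
    problems: List[str] = []
    try:
        jwks = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"document is not valid JSON: {exc}"]
    keys = jwks.get("keys") if isinstance(jwks, dict) else None
    if not isinstance(keys, list) or not keys:
        return ["'keys' array is missing or empty"]

    seen_kids = set()
    for index, key in enumerate(keys):
        if not isinstance(key, dict):
            problems.append(f"key #{index}: not a JSON object")
            continue
        label = key.get("kid") or f"key #{index}"
        if "kid" not in key:
            problems.append(f"{label}: missing 'kid'")
        elif key["kid"] in seen_kids:
            problems.append(f"{label}: duplicate 'kid'")
        seen_kids.add(key.get("kid"))

        kty = key.get("kty")
        if kty not in PUBLIC_PARAMS:
            problems.append(f"{label}: unsupported or missing 'kty' {kty!r}")
        else:
            for param in PUBLIC_PARAMS[kty]:
                if param not in key:
                    problems.append(f"{label}: missing public parameter {param!r}")

        if key.get("use") != "sig":
            problems.append(f"{label}: 'use' should be 'sig' for a token-signing key")

        alg = key.get("alg")
        if alg is None:
            problems.append(f"{label}: missing 'alg'; clients cannot pin the verification algorithm to this key")
        elif alg not in ASYMMETRIC_SIG_ALGS:
            problems.append(f"{label}: 'alg' {alg!r} is not an asymmetric signature algorithm")

        leaked = [p for p in PRIVATE_PARAMS if p in key]
        if leaked:
            problems.append(f"{label}: private parameters published: {leaked}")
    return problems


# Constructed JWKS documents for demonstration; "n" is filler, not a real modulus.
GOOD_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "server-2020", "use": "sig", "alg": "RS256",
     "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy0", "e": "AQAB"}]})
MISSING_ALG_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "server-2020", "use": "sig",
     "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy0", "e": "AQAB"}]})
LEAKED_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "server-2020", "use": "sig", "alg": "RS256",
     "n": "sXchDaQeb", "e": "AQAB", "d": "must-never-be-published"}]})

if __name__ == "__main__":
    for name, doc in (("good", GOOD_JWKS), ("missing alg", MISSING_ALG_JWKS), ("leaked", LEAKED_JWKS)):
        print(name, lint_jwks(doc) or "OK")
```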

IJ26646

MAKE PRE ISAM 9.0.7.0 UNAUTHENTICATED LOGOUT CONFIGURABLE

Backward compatibility to restore the pre-IJ15386 behaviour:
[acnt-mgt] disable-unauth-session-logout = false

IJ26710

RUNTIME LOGGING FALSE FBTSPS134E MESSAGES

IJ26833

IGNORES CLIENT ID MISMATCH BETWEEN HEADER AND BODY FOR TOKEN EXCHANGE

New Boolean advanced configuration 'isva.oauth20.ignoreClientIdMismatch': if set to true, a client ID mismatch between the header and the body of a token exchange request from a non-confidential client is ignored
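
The check that IJ26833 makes configurable, written out as an added Python example (not ISAM's code): the client_id carried in the Basic Authorization header is compared with the client_id in the request body, and a mismatch is rejected unless the relaxed mode is enabled and the request is a token exchange from a non-confidential client. The client registry, the exact relaxation conditions and the response strings are assumptions made for illustration.

```python
import base64
from typing import Optional, Tuple

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"

# Constructed client registry for the example; not ISAM's client store.
# A confidential client holds a secret, a public (non-confidential) one does not.
CLIENTS = {
    "conf-app": {"confidential": True},
    "spa-app": {"confidential": False},
}


def client_id_from_basic_auth(authorization: Optional[str]) -> Optional[str]:
    """Return the client_id from an HTTP Basic Authorization header.

    None means the header is absent; "" means it is present but unusable.
    The two stay distinct: a garbled header is not the same as no header.
    """
    if authorization is None:
        return None
    if not authorization.startswith("Basic "):
        return ""
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return ""
    client_id, sep, _secret = decoded.partition(":")
    return client_id if sep and client_id else ""


def check_token_request(headers: dict, body: dict,
                        ignore_client_id_mismatch: bool = False) -> Tuple[bool, str]:
    """Decide whether a token endpoint request names exactly one client.

    ignore_client_id_mismatch plays the role of the switch described for
    IJ26833 (semantics assumed from its description): when True, a mismatch
    is tolerated only for a token-exchange request from a non-confidential
    client. Leaving it False rejects every mismatch, the safe choice, since a
    confidential client's credentials must never mint a token for a different
    client_id named in the body.
    """
    header_id = client_id_from_basic_auth(headers.get("Authorization"))
    body_id = body.get("client_id")

    if header_id == "":
        return False, "invalid_client: malformed Authorization header"
    if header_id is None and not body_id:
        return False, "invalid_client: request identifies no client"
    if header_id is not None and body_id and header_id != body_id:
        client = CLIENTS.get(header_id)
        if (ignore_client_id_mismatch
                and body.get("grant_type") == TOKEN_EXCHANGE
                and client is not None
                and not client["confidential"]):
            return True, f"mismatch ignored for public client {header_id}"
        return False, "invalid_request: client_id in header and body differ"
    return True, f"accepted for client {header_id or body_id}"


def basic_auth(client_id: str, secret: str = "") -> str:
    """Build a Basic Authorization header value (used to construct sample requests)."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    print(check_token_request({"Authorization": basic_auth("conf-app", "s3cr3t")},
                              {"client_id": "spa-app", "grant_type": TOKEN_EXCHANGE}))
```

Keep the switch off unless a specific public client needs it; with it on, the relaxation still never applies to a confidential client or to a grant type other than token exchange.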

IJ26936

REMOTE SYSLOG FORWARDER STOPS SENDING EVENTS WHEN LOG FILE IS CLEARED

Note: when any file is cleared, rsyslogd reloads and may resend a portion of the log

IJ26968

UNABLE TO CONNECT TO EXTERNAL POSTGRESQL 12 WITH SSL

IJ27141

FEDERATION 30 SECOND DELAY ON DSC FAILOVER

IJ27143

WEBSEAL ABENDS ON STARTUP WHEN APPLYING ENVIRONMENT VARIABLES

IJ27306

ONLY WEBSEAL SERVERS SHOWN IN LMI DISTRIBUTED SESSION CACHE SERVERS SCREEN

IJ27321

REDUCE DATABASE DEPENDENCY FOR SAML 2.0

IJ27326

SAML PERSISTENT NAMEID ENTRY CORRUPTION DUE TO UNHANDLED LDAP EXCEPTION

IJ27360

SCIM DEMO THROWS NPE IN 9071

IJ27362

SNIPPET-FILTER SHOULD NOT INSERT SNIPPETS INTO MANAGEMENT PAGES SERVED

IJ27707

AVOID AAC RUNTIME CONTENTION WHICH CAUSES DISRUPTION/HANG

Disable the OAuth token cleanup thread by setting oauth20.tokenCache.cleanupWait to "-1" via the new REST API endpoint.

Restore the OAuth token cleanup thread after the work is completed by setting oauth20.tokenCache.cleanupWait to a value greater than 0 (the original setting) via the same endpoint.

IJ27822

PAGE.SETVALUE BEHAVIOUR WITH INFOMAP IS DIFFERENT BETWEEN AUTHSVC AND APIAUTHSVC

IJ27847

REVERSE PROXY ABENDS WHEN DESERIALIZING DSC SESSION DATA

IJ27926

ISAM ON DOCKER SHOULD SHOW FIXPACK ON DASHBOARD AND UNDER FIXPACKS

IJ27927

UPDATE TO MULTIPLE DEPENDENT SOFTWARE PRODUCTS

              GSKit                  8.0.55.17
              Java Runtime           8.0.6.11
              Liberty                20.0.0.6
              PostgreSQL drivers     42.2.14
              bash                   4.2.46-28
              commons-fileupload     1.4
              DB2 JDBC drivers       11.5
              gawk                   4.0.2-4
              httpclient             4.5.9
              icu                    6.71
              idsldap-clt            6.4.0-18
              isfs                   2.1.0
              jackson                2.10.1
              libpcap                1.5.3.11
              log4j                  2.13.2
              nss-softokn            3.44.0.8
              nss-util               3.44.0.4
              sqlite                 3.26.0-3
              tcpdump                4-9.2.4
              tzdata                 2018ix

 

IJ28180

UPDATE IBM SECURITY ACCESS MANAGER DOCKER TO USE UBI 8

IV91645

TFIM SESSION LIFETIME HAS A MAX OF 24.8 DAYS


Document Information

Modified date:
09 October 2020

UID

ibm16339189