IBM Support

IBM Security Access Manager for Enterprise Single Sign-On, IMS Server Fix pack 8.2.2-ISS-SAMESSO-IMS-FP0015

Download


Abstract

Fix pack for IBM Security Access Manager for Enterprise Single Sign-On IMS Server, Version 8.2.2.

Download Description

IBM Security Access Manager for Enterprise Single Sign-On IMS Server, Version 8.2.2, Fix Pack 15 corrects the following issues found in the IBM Security Access Manager for Enterprise Single Sign-On IMS Server, Version 8.2.2 release.

New in this Fix Pack
IMS Server
Defect
  • Security vulnerabilities related to xstream.jar, el-ri.jar, ognl.jar, spring-webflow.jar and log4j.jar were addressed, and the versions were upgraded to the latest recommended version for all 5 vulnerabilities.
This fix pack contains:
  • 8.2.2-ISS-SAMESSO-IMS-FP0015.pak
    This .PAK file is the Update Installer maintenance package for the IMS Server.
Note: Security vulnerabilities that are related to xstream.jar, el-ri.jar, ognl.jar, spring-webflow.jar and log4j.jar are addressed and fixed in IMS Server Version 8.2.2 only. Customers running an IMS Server version lower than 8.2.2 must upgrade to IMS Server Version 8.2.2 before installing IMS Fix Pack 15.

Related links
For more information about the IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2.2, see the following links:

Prerequisites

Refer to the following table before performing an upgrade to IMS Server Fix Pack 14: 

IBM Security Access Manager for Enterprise Single Sign-On Prerequisites
IMS Server Version 8.2.2 (GA version)
•    Install Java version 1.8. See Switch the edition of Java used in WebSphere Application Server.
•    IMS Server 8.2.2.0.122 (GA) 
•    WebSphere Application Server, Version 8.5.5, FP17  
•    WebSphere Update Installer, Version 7.0.0.1 or later.
Note: The Update Installer prerequisite is also applicable if you are using WebSphere Application Server Version 8.5.5.
The Update Installer is required to install the IMS Server fix pack. 
•    Copy the IMS Server installation folder to a backup directory. 
•    Download 8.2.2-ISS-SAMESSO-IMS-FP0015 from Fix Central.

IMS Server Version 8.2.2 Fix Pack 14

IMS Server Version 8.2.2 Fix Pack 13

IMS Server Version 8.2.2 Fix Pack 12

IMS Server Version 8.2.2 Interim Fix 11

IMS Server Version 8.2.2 Fix Pack 10

IMS Server Version 8.2.2 Fix Pack 9

IMS Server Version 8.2.2 Fix Pack 8

IMS Server Version 8.2.2 Fix Pack 7

IMS Server Version 8.2.2 Fix Pack 6

IMS Server Version 8.2.2 Fix Pack 5

IMS Server Version 8.2.2 Fix Pack 4

IMS Server Version 8.2.2 Fix Pack 3

IMS Server Version 8.2.2 Fix Pack 2

IMS Server Version 8.2.2 Fix Pack 1

IMS Server Version 8.2.2 (GA March 2018 refresh)


•    WebSphere Application Server, Version 8.5.5, FP17  
•    WebSphere Update Installer, Version 7.0.0.1 or later.
Note: The Update Installer prerequisite is also applicable if you are using WebSphere Application Server Version 8.5.5.
The Update Installer is required to install the IMS Server fix pack. 
•    Copy the IMS Server installation folder to a backup directory. 
•    Download 8.2.2-ISS-SAMESSO-IMS-FP0014 from Fix Central.

Installation Instructions

To install the fix pack, you must uninstall and reinstall the IMS Server in the WebSphere Application Server.

Fix pack installation overview

  1. Switch the edition of Java used in WebSphere Application Server.

    Note: You can skip this step if you are on Java version 1.8.

  2. Deploy the fix pack on WebSphere Application Server.
    1. Uninstall earlier versions of the IMS Server.
    2. Install the ISAMESSOIMSConfig application.
    3. Install the ISAMESSOIMS application.
    4. Deploy the audit file config, Ojdbc config and MSSQL config batch file.
      Note: This step is required for audit file logging, Oracle 12c and Microsoft SQL Server 2019 database.
  3. Complete post-installation configuration tasks.
  4. Optional: Upgrade IMS Server certificates from SHA1 to SHA2 by using the WebSphere Admin Console.
    This is an optional step that is required only for certificate updates from SHA1 to SHA2.
    1. Upgrade IMS Server Certificates SHA1 to SHA2 by using WebSphere admin console.
    2. Deploy updateSHACertificates.bat file.
  5. Update the deployment files in IMS Server
  6. Verify the version.
  7. Optional: Configure audit file logging parameters

Part 1: Switching the version of Java used in WebSphere Application Server

When you deployed the IMS Server, Java Technology Edition 6 was automatically installed with the required version of WebSphere Application Server Network Deployment. To stay current with the latest fixes and security updates, switch to a newer version of the WebSphere SDK, such as WebSphere SDK Java Technology Edition version 8.0. For more information, see The end of Java SE 6: Where to go from here.

  1. Update the IBM WebSphere Java SDK. The WebSphere Java SDK is provided as a separate download with WebSphere fix packs. See Installing and uninstalling SDK Java Technology Edition Version 8.0.
  2. Switch the edition of Java that is used in the IMS Server.
    1. Display the list of all SDK names with the managesdk -listAvailable command.
      was_home/bin/managesdk.bat -listAvailable
      CWSDK1003I: Available SDKs:
      CWSDK1005I: SDK name: 1.8_64
      CWSDK1005I: SDK name: 1.6_64
      CWSDK1001I: Successfully performed the requested managesdk task.
    2. If you want to switch the Java edition that is used for the command-line environment and all future profiles, run the following two commands:
      was_home/bin/managesdk.bat -setCommandDefault -sdkname sdk_name
      was_home/bin/managesdk.bat -setNewProfileDefault -sdkname sdk_name
      For example:
      was_home/bin/managesdk.bat -setCommandDefault -sdkname 1.8_64
      was_home/bin/managesdk.bat -setNewProfileDefault -sdkname 1.8_64
    3. Switch the Java edition that is used for existing profiles by completing the following steps:
      • Standalone deployment: Stop your server.
      • Clustered deployment: Stop your deployment manager, cluster members, and all node agents, in that order. Confirm that the deployment manager server is stopped.
      • Switch the SDK version for the profiles by running the managesdk.bat -enableProfile command.
        was_home/bin/managesdk.bat -enableProfileAll -sdkname 1.8_64 -enableServers
  3. Validate the changes by running the managesdk -listEnabledProfileAll command.
      was_home/bin/managesdk.bat -listEnabledProfileAll
  4. Start the server.
    • Standalone deployment: Start the server.
    • Clustered deployment: Start your nodes and deployment manager again (in that order).

Part 2: Deploying the fix pack

  1. Download the 8.2.2-ISS-SAMESSO-IMS-FP0015.zip file from Fix Central.
  2. Extract the contents of the 8.2.2-ISS-SAMESSO-IMS-FP0015.zip file onto your local computer.
  3. Install the fix pack with the IBM Update Installer for WebSphere Software.
    1. On Windows, click Start > All Programs > IBM WebSphere > Update Installer for WebSphere Software. The IBM Update Installer for WebSphere Software wizard is displayed.
    2. Click Next. The Product Selection page is displayed.
    3. Click Browse to select the location of the <IMS Server installation directory> and click Open. For example: C:\Program Files\IBM\ISAM ESSO\IMS Server
    4. Click Next. The Maintenance Operation Selection page is displayed.
    5. Select Install Maintenance package.
    6. Click Next. The Maintenance Package Directory Selection page is displayed.
    7. Click Browse to select the location of the 8.2.2-ISS-SAMESSO-IMS-FP0015.pak file and click Open.
    8. Click Next.
    9. Select the 8.2.2-ISS-SAMESSO-IMS-FP0015.pak file.
    10. Click Next. The Installation Summary page is displayed.
    11. Click Next. The message Success: The following maintenance package was partially installed is displayed.
    12. Click Finish.
  4. Log on to the IBM Integrated Solutions Console.

2.a: Uninstalling earlier versions of the IMS Server

  1. From the Integrated Solutions Console navigation pane, select Applications > Application Types > WebSphere enterprise applications.
  2. Select the ISAMESSOIMS and ISAMESSOIMSConfig check box.
  3. Click Uninstall.
  4. Click OK.
  5. Click Save.

2.b: Installing the ISAMESSOIMSConfig application

  1. Open the command prompt. To open a command prompt, click Start, click All Programs, click Accessories, and then click Command Prompt.
  2. From the command prompt, browse to the \bin directory. For example: C:\Program Files\IBM\ISAM ESSO\IMS Server\bin.
  3. Run deployIsamessoImsConfig.bat. For example: deployIsamessoImsConfig.bat <WAS Admin user ID> <password>

2.c: Installing the ISAMESSOIMS application

1. On the Integrated Solutions Console left navigation pane, select Applications > Application Types > WebSphere enterprise applications.
2. Click Install.
3. Under Path to the new application, select between Local file system and Remote file system.
4. Under Path, click Browse. The com.ibm.tamesso.ims-delhi.deploy.isamessoIms.ear file is located by default in C:\Program Files\IBM\ISAM ESSO\IMS Server\.
5. Click Next. The Preparing for the application installation page is displayed.
6. Select Fast Path - Prompt only when additional information is required.
7. Click Next. The Install New Application page is displayed. Retain the default values under Select installation options.
8. Click Next.
9. Click Select All.
10. Select all entries in the Clusters and servers field.
11. Click Apply. The list is updated with the selected clusters and servers.
12. Click Next.
13. Click Finish. The installation is successful.
14. Click Save.

2.d: Deploy the audit file config, Ojdbc Config and MSSQL Config batch file

  1. From First steps, stop the WebSphere Application Server.
  2. Open the command prompt with administrator privileges.
  3. In the command prompt, from the IMS installation directory, browse to the bin folder and locate the deployAuditConfigOjdbcMSSqlConfig.bat file.
  4. Run the deployAuditConfigOjdbcConfigMSSqlConfig.bat script.
  5. From First Steps, start the WebSphere Application Server.

What to do next

  • Do the post installation configurations.
  • Verify the IMS Server version.

Part 3.a: Post installation configuration

If you are using WebSphere Application Server Network Deployment, complete the following tasks.

  1. In the WebSphere administrative console navigation pane, click Applications > Application types > WebSphere enterprise applications.
  2. Click ISAMESSOIMS.
  3. Under Web Module Properties, click Session management.
  4. Under General Properties, select Override session management.
  5. Click Apply.
  6. In the Messages box, click Save. The ISAMESSOIMS application is stopped.
  7. Configure session management override for AccessAdmin.
    1. In the Enterprise Applications page, click ISAMESSOIMS.
    2. Under Modules, click Manage Modules.
    3. Click the ISAM ESSO IMS Server AccessAdmin <version number> link.
    4. Under Additional Properties, click Session management.
    5. Select the Override session management check box.
    6. Click OK.
    7. Click Save.
  8. Resynchronize the nodes.
    1. Click System administration > Nodes.
    2. Select the check box for each corresponding node.
    3. Click Full Resynchronize.
  9. Start the cluster.

If you are using WebSphere Application Server stand-alone, start the IMS Server.

  1. On the Integrated Solutions Console left navigation pane, select Applications > Application Types > WebSphere enterprise applications.
  2. Select the ISAMESSOIMS check box.
  3. Click Start.

Part 3.b: If you are planning to enable reset password in AccessAssistant/Web Workplace in a non-SSL Active Directory environment

For standalone deployments:

  1. Go to WebSphere administrative console.
  2. Go to Servers > Server Types > WebSphere application servers > <host_name> > [Container Settings] Container Services > Transaction Service.
  3. Under General Properties > External WS-Transaction HTTP(S) URL Prefix, select the Prefix to be https://<host_name_or_IP>:<port> (WCInboundDefaultSecure)
  4. Apply and save your changes.
  5. Restart your server.

For Network Deployment:

  1. Edit server.xml, which is located at: <dmgr_profile_folder>\config\cells\<cell_name>\nodes\<cell_manager_name>\servers\dmgr. For example: C:\WASProfile\Dmgr01\config\cells\ibm-svr1Cell01\nodes\ibm-svr1CellManager01\servers\dmgr
  2. Search for the httpsProxyPrefix attribute.
  3. For the httpsProxyPrefix, specify the value in the following format
    https://<host_name>:<port>.
    For example: httpsProxyPrefix="https://imsserver:9443"
  4. Save your changes.
  5. Restart the deployment manager.
  6. Resynchronize the nodes.
    1. Click System administration > Nodes.
    2. Select the check box for each corresponding node.
    3. Click Full Resynchronize.
  7. Restart the cluster.

Part 4.a : Upgrading the IMS Server certificates from SHA1 to SHA2 by using the WebSphere Admin Console

Before you begin

Part 4.b : Deploy the updateSHACertificates.bat file

  1. WebSphere Application ISAMESSOIMS and ISAMESSOIMSConfig must be in running state.
  2. Open the command prompt with administrator privileges.
  3. In the command prompt, from the IMS Server installation directory, browse to the /bin folder and locate the updateSHACertificates.bat file.
  4. Run the updateSHACertificates.bat script.
    updateSHACertificates.bat <WebsphereUsername> <WebspherePassword> --keystorePassword <KeystorePassword>

    For example:
    updateSHACertificates.bat wasadmin  wasadmin --keystorePassword WebAS

Note: In the IMS Server bin folder, see the readme_updateSHACertificates.txt file.

Part 5: Updating the deployment files in IMS Server

Note: The license file was updated in FP0002 and is required if the license files were not updated previously.

  1. Launch the command prompt as an administrator.
    1. Click Start and type "cmd" in Search.
    2. Right-click cmd.exe and select "Run as Administrator".
  2. In the command prompt, navigate to the folder that contains the downloaded files. There is a file called UpdateDeploymentFile.vbs.
  3. Type UpdateDeploymentFile.vbs and press ENTER to execute the script.

Part 6: Verifying the IMS Server version after the fix pack installation

You can verify the IMS Server version to determine whether the fix pack installation was successful.

  1. Log on to AccessAdmin (https://<Web server name>/admin).
  2. Click System > Status > IMS Server version. If you successfully installed 8.2.2-ISS-SAMESSO-IMS-FP0015, the IMS Server version is updated to 8.2.2.0.333.
Note: If the fix pack installation fails, manually uninstall the IMS Server and reinstall the IMS Server in the WebSphere Application Server. To uninstall the fix pack, see Uninstalling the fix pack.
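
The version check above confirms the server build. To also see which copies of the five libraries named in the fix pack note are present, the following Python script lists every matching JAR under a directory, including copies nested inside EAR and WAR archives, with the version from its manifest. It is an added example, not part of the IBM fix pack; the file-name pattern (library name with an optional version suffix) and the archive types opened are assumptions.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Library stems from the fix pack note; deployed files may carry a version suffix (assumed).
LIBS = ("xstream", "el-ri", "ognl", "spring-webflow", "log4j")
JAR_RE = re.compile(r"(?:^|/)(%s)(?:-[\w.-]+)?\.jar$" % "|".join(LIBS), re.I)
ARCHIVES = (".ear", ".war", ".jar", ".zip")  # containers worth opening

def manifest_version(jar_bytes):
    """Return Implementation-Version or Bundle-Version from the manifest, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return None
    found = dict(re.findall(r"^(Implementation-Version|Bundle-Version):\s*(\S+)", text, re.M))
    return found.get("Implementation-Version") or found.get("Bundle-Version")

def scan_archive(data, origin, depth=0):
    """Yield (location, library, version) for tracked JARs nested in an archive."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for name in zf.namelist():
            hit = JAR_RE.search(name)
            if hit:
                yield f"{origin}!{name}", hit.group(1).lower(), manifest_version(zf.read(name))
            elif name.lower().endswith(ARCHIVES) and depth < 3:  # EAR > WAR > JAR
                yield from scan_archive(zf.read(name), f"{origin}!{name}", depth + 1)

def inventory(root):
    """Walk an install tree; list tracked JARs on disk and inside archives."""
    rows = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        hit = JAR_RE.search(path.name)
        if hit:
            rows.append((str(path), hit.group(1).lower(), manifest_version(path.read_bytes())))
        elif path.suffix.lower() in ARCHIVES:
            rows.extend(scan_archive(path.read_bytes(), str(path)))
    return sorted(rows, key=lambda r: (r[1], r[0]))

if __name__ == "__main__":
    for location, library, version in inventory(sys.argv[1]):
        print(f"{library:15} {version or 'unknown':12} {location}")
```

Run it against the IMS Server installation directory and the WebSphere profile directory before and after the update, and compare the two listings; a copy that still shows the old version points to a leftover deployment.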

Part 7: Configuring audit file log parameters
To configure the audit file log parameters, see Part 6: Configuring audit file log parameters in 8.2.2-ISS-SAMESSO-IMS-FP0006.

Uninstalling the fix pack 

Complete the following steps:
Part 1: Remove the MSSQL configuration from the IMS Server
  1. Stop the WebSphere Application Server (WAS) from First Steps.
  2. Launch the command prompt with administrator privileges.
  3. In the command prompt, browse to the <IMS Server installation path>/bin folder and locate unDeployMSSqlConfig.bat file.
  4. Run the unDeployMSSqlConfig.bat script.
  5. Start the WebSphere Application Server (WAS) from First Steps.

Part 2: Remove the Ojdbc configuration from the IMS Server
Note: This step is required if the rolled-back version of the IMS Server fix pack is 8.2.2-ISS-SAMESSO-IMS-FP0006.pak or a lower version.

  1. Stop the WebSphere Application Server (WAS) from First Steps.
  2. Launch the command prompt with administrator privileges.
  3. In the command prompt, browse to the <IMS Server installation path>/bin folder and locate unDeployOjdbcConfig.bat file.
  4. Run the unDeployOjdbcConfig.bat script.
  5. Start the WebSphere Application Server (WAS) from First Steps.

Part 3: Remove the audit log file configuration from the IMS Server
Note: This step is required if the rolled-back version of the IMS fix pack is 8.2.2-ISS-SAMESSO-IMS-FP0005.pak or a lower version.
  1. Launch the command prompt with administrator privileges.
  2. In the command prompt, browse to the <IMS Server installation path>/bin.
  3. Run the unDeployAuditFileConfig.bat script.
Part 4: Uninstall the IMS Server fix pack 
To uninstall the fix pack from the IMS Server, see Uninstalling the IMS Server fix pack.

Download: 8.2.2-ISS-SAMESSO-IMS-FP0015, dated 30 Jun 2023, English, 305081916 B, Windows. Fix Central: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/Tivoli+Access+Manager+for+Enterprise+Single+Sign-On&release=All&platform=All&function=fixId&fixids=8.2.2-ISS-SAMESSO-IMS-FP0015&includeRequisites=1&includeSupersedes=0

Document Information

Modified date:
05 July 2023

UID

ibm17009621