IBM Support

Tivoli Access Manager for e-Business WebSEAL, Patch 6.1.1-ISS-AWS-FP0006

Download


Abstract

This is a General Availability (GA) patch containing all the fixes since the release of IBM Tivoli Access Manager for e-Business 6.1.1 (WebSEAL).

Download Description

1.0 ABOUT THIS PATCH
--------------------
This patch package contains fixes for problems in the various components that
comprise the Tivoli Access Manager WebSEAL software.


1.1 Patch contents

This patch package contains:

- This README file
- Update patch packaging


1.2 Architectures

Refer to the following URL for the latest information on supported operating
systems and software:

http://www-01.ibm.com/support/docview.wss?uid=swg27022004


Additional Certifications

Certification   Platform   Details
_____________   _________  _______________________________________

libumem.so      Solaris    pdweb_start was modified to use
                           libumem.so as follows:
                           LD_PRELOAD_32=libumem.so
------------------------------------------------------------------------

1.3 Patches superseded

All patches are cumulative unless otherwise explicitly stated.

Patches superseded by this patch:

6.1.1-TIV-AWS-FP0005
6.1.1-TIV-AWS-FP0004
6.1.1-TIV-AWS-FP0003
6.1.1-TIV-AWS-IF0002
6.1.1-TIV-AWS-FP0001

1.4 Dependencies

IBM Tivoli Access Manager Base, Version 6.1.1 with patch 6.1.1-ISS-TAM-FP0006
IBM Tivoli Access Manager Web Security Runtime, Version 6.1.1
IBM Tivoli Access Manager WebSEAL, Version 6.1.1
IBM Tivoli GSKit Version 7.0.4.42 (32-bit)

NOTE1:
When installing patches on a particular machine, install patches for components
of IBM Tivoli Access Manager, Version 6.1.1, from patch
6.1.1-ISS-TAM-FP0006 and 6.1.1-ISS-AWS-FP0006
on the same machine.
For example, consider a machine with the following components:
(your machine may have more components installed)

IBM Tivoli Access Manager Runtime (PDRTE)
IBM Tivoli Access Manager Web Security Runtime (PDWebRTE)
IBM Tivoli Access Manager WebSEAL (PDWeb)
IBM Tivoli Security Utilities (TivSecUtl)

To patch the given machine, you must install the PDRTE and TivSecUtl components
from Patch 6.1.1-ISS-TAM-FP0006, and the PDWebRTE and PDWeb components
from Patch 6.1.1-ISS-AWS-FP0006, on the given machine.
A machine in a Tivoli Access Manager environment must have all components at the same
patch level. See the 6.1.1-ISS-TAM-FP0006.README for
information about how to install the relevant components of the
6.1.1-ISS-TAM-FP0006 patch.

NOTE2:
In a Tivoli Access Manager environment, install patches in the following order:

a) Policy Server machine: install patches for all components
as described in NOTE1.
b) Policy Proxy Server, if you have one in your Tivoli Access Manager environment
c) All other machines in the Tivoli Access Manager environment.

As described in NOTE1, install patches for all components
on each machine. You can install patches on the other
machines (category c) gradually. However, once the Policy Server is patched,
we strongly encourage that all other machines in the Tivoli Access Manager
environment have the same patch level installed as soon as
possible.

2.0 APARS AND DEFECTS FIXED
---------------------------
Because patches are cumulative, this patch corrects all the problems
outlined in the following sections.

2.1 Problems fixed by patch 6.1.1-ISS-AWS-FP0006

APAR IV29543
Symptom: With correctly configured mapping rules the following error
message can be seen within the message logs
2012-02-23-10:03:12.271+00:00I----- 0x16B480C9 webseald ERROR
rgy ira ira_entry.c 3018 0xf464ab90 HPDRG0201E Error code 0x22
was received from the LDAP server. Error text: "Invalid DN
syntax".

APAR IV20369
Symptom: On the Windows platform, when WebSEAL is configured to support
OAuth authorization decisions, it does not start if any of the
response files specified in the [oauth-eas] stanza contains
the CR+LF end-of-line marker.

APAR IV30723
Symptom: update to RSA client code.

APAR IV29528
Symptom: Post to pkmslogin.form where username and password are not
filled in is passed to backend server when root WebSEAL
junction acl permits it.

APAR IV15325
Symptom: http-rsp-header provides the ability to add the macro
values into the response as HTTP headers. When local response
redirect is enabled, the error code and error text inserted
into the response are incorrect.

APAR IV26882
Symptom: UNAUTHENTICATED USERS cannot CACHE TFIM SSO tokens.

APAR IV19175
Symptom: The azn-decision-info structure does not allow cookie HTTP
header to be made available to the authorization framework
when making authorization decisions.

APAR IV18719
Symptom: MACRO %BASICAUTHN% not working in TOKENLOGIN.HTML properly.

APAR IV19899
Symptom: WebSEAL does not send 'Connection: Close' to backend servers,
even if max-cached-persistent-connections = 0.

APAR IV29729
Symptom: When logging in successfully through forms authentication
"unauth" is logged in the request log.


APAR IV29575
Symptom: Memory issue in WebSEAL.

APAR IV21265
Symptom: WebSEAL startup time increases in proportion to the number of
junctions.

APAR IV21906
Symptom: When using persistent connections, if a response is received
from a junction which does not contain a body (such as a 304
Not Modified), then the connection is not returned to the
connection pool and reused.

APAR IV22661
Symptom: Junction-specific local-response-redirect does not work for
pkmslogin operations.

APAR IV29737
Symptom: WebSEAL memory abends when using portal-map.

APAR IV23464
Symptom: %USERNAME% MACRO RETURNS "UNKNOWN" INSTEAD OF THE USERID ON A
NO SESSION COOKIE LOGIN ATTEMPT.

APAR IV31670
Symptom: In some cases, WebSEAL Audit records contain "Invalid credentials"
reference even though the user has proper credentials.

APAR IV24602
Symptom: WebSEAL abends because junctioned backend server sends an empty
SSL session ID within Server Hello during SSL handshake.

APAR IV29738
Symptom: WEBSEAL DOES NOT RETURN RESPONSE BODY IF THE RESPONSE STATUS
OF THE FIRST REQUEST IS 503.

APAR IV26841
Symptom: WEBSEAL BLOCKS REQUESTS WITH OAUTH AUTHENTICATION HEADERS
PREVENTING BACKEND SERVERS FROM PROCESSING REQUESTS.

APAR IV31699
Symptom: When the SMS server (i.e. WebSphere) sends a FIN packet to WebSEAL,
WebSEAL does not recognize that the connection has been closed by
the WebSphere server.


Installation Instructions

3.0 BEFORE INSTALLING THIS PATCH
--------------------------------
Before installing this patch, review the following prerequisites and
dependencies.

3.1 Back up Tivoli Access Manager data

Before applying any maintenance, be sure to back up your system. Use
the 'pdbackup' command provided with the Tivoli Access Manager product
to back up Tivoli Access Manager-specific data. Documentation for the
'pdbackup' command is located in the "IBM Tivoli Access Manager Command
Reference."

Patch installation for the PDWeb component should not overwrite the existing
pdweb_start script, but it is still highly recommended to back up the pdweb_start
script on UNIX systems, especially if any customizations have been made to it.
The patch for the PDWeb component installs its pdweb_start script as
pdweb_start.fixpack, so that any update or fix made to the pdweb_start script is
available for customers to incorporate into their customized pdweb_start script.
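
The backup and merge check described above, as an added example that is not part of the IBM README or the product. The function names and backup suffix are hypothetical, and it assumes pdweb_start.fixpack is installed in the same directory as pdweb_start, which the README does not state.

```shell
#!/bin/sh
# Added example, not IBM code. Assumption: pdweb_start.fixpack sits next to
# pdweb_start (the README does not give its location).

# backup_start_script DIR: before patching, copy DIR/pdweb_start to a
# timestamped backup (permissions and mtime preserved); prints the backup path.
backup_start_script() {
    src=$1/pdweb_start
    [ -f "$src" ] || { echo "missing: $src" >&2; return 1; }
    dst=$src.pre-FP0006.$(date +%Y%m%d%H%M%S)
    cp -p "$src" "$dst" && echo "$dst"
}

# fixpack_lines_missing DIR: after patching, print every non-blank,
# non-comment line of pdweb_start.fixpack that does not appear verbatim in
# the live (possibly customized) pdweb_start, e.g. the Solaris
# LD_PRELOAD_32=libumem.so line from section 1.2.
# Returns 0 if nothing is missing, 1 if lines were printed, 2 if a file is absent.
fixpack_lines_missing() {
    live=$1/pdweb_start
    new=$1/pdweb_start.fixpack
    [ -f "$live" ] && [ -f "$new" ] || return 2
    grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$new" |
        grep -F -x -v -f "$live" && return 1
    return 0
}

# Usage: script backup|check [DIR]   (DIR defaults to /opt/pdweb/bin)
case ${1:-} in
    backup) backup_start_script "${2:-/opt/pdweb/bin}" ;;
    check)  fixpack_lines_missing "${2:-/opt/pdweb/bin}" ;;
esac
```

The comparison is line-exact, so a line that differs only in whitespace is reported as missing; review the output by hand before merging it into a customized script.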

3.2 Upgrade GSKit to Version 7.0.4.42 or later

Note:
IBM Global Security Toolkit (GSKit) version 7.0.4.33 and higher supports
RFC 5746 (TLS Renegotiation Indication Extension), so the Security
Exposure CVE-2009-3555 (TLS/SSL Protocol Vulnerability) is not
applicable to these versions of GSKit. Every
customer using versions of GSKit prior to 7.0.4.33 must upgrade to a
later version immediately.

Upgrade the IBM Global Security Toolkit (GSKit) to version 7.0.4.42
BEFORE installing the Tivoli Access Manager packages in this patch. The 32-bit
version must be used regardless of system architecture.

The updated GSKit installation packages may be downloaded at the URL:

https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=gskitupdt

Instructions for installing GSKit may be found in the IBM Tivoli Access Manager
for e-business Installation Guide, under the section "Reference information >
Installing prerequisite products".
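
The two GSKit version thresholds in section 3.2, as an added example that is not part of the IBM README: a POSIX shell check that classifies a version string before the patch is applied. The function names and result labels are hypothetical, and the caller supplies the installed version string, since this README does not say how to query it.

```shell
#!/bin/sh
# Added example (not IBM code): gate a patch run on the GSKit version
# thresholds from section 3.2. Function names are hypothetical.

# ver_lt A B: exit 0 if dotted version A is lower than B.
# Missing trailing fields count as 0, so 7.0.4 compares as 7.0.4.0.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0} y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# gskit_status VERSION: print one of
#   upgrade-now   older than 7.0.4.33: no RFC 5746 support, CVE-2009-3555 applies
#   below-prereq  7.0.4.33 or later, but older than the 7.0.4.42 this patch needs
#   ok            7.0.4.42 or later
#   invalid       not a dotted numeric version
gskit_status() {
    v=$1
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) echo "invalid"; return 2 ;;
    esac
    if ver_lt "$v" 7.0.4.33; then
        echo "upgrade-now"; return 1
    elif ver_lt "$v" 7.0.4.42; then
        echo "below-prereq"; return 1
    fi
    echo "ok"
}

# Usage: script VERSION
if [ "$#" -gt 0 ]; then gskit_status "$1"; fi
```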


4.0 INSTALLING THIS PATCH
-------------------------

Before installing this patch, be sure that you have reviewed the
prerequisites and have completed the back-up procedure in section 3.0,
"BEFORE INSTALLING THIS PATCH".

If the Tivoli Access Manager product is distributed over multiple machines,
this patch must be applied to all WebSEAL systems within a secure domain.

If the user needs the special character support for remote filenames offered by
IV03925, they must redeploy query_contents.sh manually. See the IBM Tivoli
Access Manager Administration Guide for details.

This README assumes that $PATCH (or %PATCH% for Windows) is the path to
your temporary directory.


4.1 Installing this patch on AIX systems

1. Log in to the system as root.

2. Extract the archive into a temporary directory. For the
purpose of this README, assume that the symbol $PATCH
points to this temporary directory.

3. Stop the Tivoli Access Manager processes:

/opt/pdweb/bin/pdweb_start stop

4. At the command prompt, enter the following:

installp -a -g -X -d $PATCH <package>

where <package> is:

PDWeb.RTE    Specifies the Access Manager Web Security Runtime
PDWeb.ADK    Specifies the Access Manager Web ADK package
PDWeb.Web    Specifies the Access Manager WebSEAL Server

5. Restart the Tivoli Access Manager processes:

/opt/pdweb/bin/pdweb_start start


4.2 Installing this patch on HP-UX systems

1. Log in to the system as root.

2. Extract the archive into a temporary directory. For the
purpose of this README, assume that the symbol $PATCH
points to this temporary directory.

3. Stop the Tivoli Access Manager processes:

/opt/pdweb/bin/pdweb_start stop

4. At the command prompt, enter the following:

swinstall -s $PATCH/<package> <patch>

where <package> and <patch> are:

<package>                       <patch>
------------------------------  -------------
PDWebRTE000611-06.depot         PDWebRTE
PDWebADK000611-06.depot         PDWebADK
PDWeb000611-06.depot            PDWeb

5. Restart the Tivoli Access Manager processes:

/opt/pdweb/bin/pdweb_start start


4.3 Installing this patch on Linux systems

1. Log in to the system as root.

2. Extract the archive into a temporary directory. For the
purpose of this README, assume that the symbol $PATCH
points to this temporary directory.

3. Stop the Tivoli Access Manager processes:

/opt/pdweb/bin/pdweb_start stop

4. At the command prompt, enter the following:

rpm -U <patchname>

where <patchname> is one of the following:

Linux on xSeries(R)

PDWebRTE-PD-6.1.1-6.i386.rpm
PDWebADK-PD-6.1.1-6.i386.rpm
PDWeb-PD-6.1.1-6.i386.rpm

Linux on zSeries

PDWebRTE-PD-6.1.1-6.s390.rpm
PDWebADK-PD-6.1.1-6.s390.rpm
PDWeb-PD-6.1.1-6.s390.rpm

Note:
If Tivoli Access Manager is already configured, you
might need to install with the --noscripts flag:

rpm -U --noscripts <patchname>

5. Restart the Tivoli Access Manager processes:

/opt/pdweb/bin/pdweb_start start


4.4 Installing this patch on Sun Solaris Operating Environment systems

1. Log in to the system as root.

2. Extract the archive into a temporary directory. For the
purpose of this README, assume that the symbol $PATCH
points to this temporary directory.

3. Stop the Tivoli Access Manager processes:

/opt/pdweb/bin/pdweb_start stop

4. At the command prompt, enter the following:

cd $PATCH

Solaris 9:
patchadd <package>

Solaris 10 and above:
patchadd -t <package>

where <package> is:

PDWEBRTE000611-06    Specifies the Access Manager Web Security Runtime
PDWEBADK000611-06    Specifies the Access Manager Web ADK package
PDWEB000611-06       Specifies the Tivoli Access Manager WebSEAL Server

5. Restart the Tivoli Access Manager processes:

/opt/pdweb/bin/pdweb_start start


4.5 Installing this patch on Windows systems

1. Log in to the Windows system as the Administrator.

2. Shut down the Tivoli Access Manager WebSEAL server:
a. Click 'Control Panel' > 'Services'
b. Click 'Access Manager WebSEAL Server' > 'Stop'.
c. To confirm this action, click 'Yes'.

3. Unpack the self-extracting archive into a temporary
directory. For the purpose of this README, assume that
%PATCH% points to this temporary directory.

4. Change to the patch directory:

cd %PATCH%

For each component to apply service to, run the following command:

<component directory>/Disk Images/Disk1/setup.exe

Component directory names:

PDWebRTE    Specifies the Access Manager Web Security Runtime
PDWebADK    Specifies the Access Manager Web ADK package
PDWeb       Specifies the Tivoli Access Manager WebSEAL Server


Note: If you must reboot your system to complete this installation
(for example, to overcome a shared DLLs problem), you might
subsequently encounter a problem running the Web Portal Manager
to access the console.
If this happens, confirm that the WebSphere service is
running. The WebSphere service is installed in manual startup
mode and might not be running after a reboot.

5. Restart the Tivoli Access Manager WebSEAL server:

From the Windows Start menu, click:

a. 'Settings' > 'Control Panel' > 'Administrative Tools' > 'Services'.
b. Click 'Access Manager WebSEAL Server' > 'Start'.
c. Click 'IBM WS AdminServer' > 'Start'.

Download packages (IBM Fix Central: http://www.ibm.com/support/fixcentral)

Download package                      Platform             Date          Size (bytes)
------------------------------------  -------------------  ------------  ------------
6.1.1-ISS-AWS-FP0006-AIX.tar.Z        AIX                  20 Nov 2012   16686080
6.1.1-ISS-AWS-FP0006-HP-IA64.tar.Z    HP-UX                20 Nov 2012   15977907
6.1.1-ISS-AWS-FP0006-HP.tar.Z         HP-UX                20 Nov 2012   11537097
6.1.1-ISS-AWS-FP0006-LIN.tar.Z        Linux                20 Nov 2012   7707003
6.1.1-ISS-AWS-FP0006-S390.tar.Z       Linux on zSeries     20 Nov 2012   6777564
6.1.1-ISS-AWS-FP0006-SOL-X86.tar.Z    Solaris              20 Nov 2012   9362103
6.1.1-ISS-AWS-FP0006-SOL.tar.Z        Solaris              20 Nov 2012   9420593
6.1.1-ISS-AWS-FP0006-WIN.zip          Windows Server 2003  20 Nov 2012   15579458

Problems (APARS) fixed
IV29543;IV20369;IV30723;IV29528;IV15325;IV26882;IV19175;IV18719;IV19899;IV29729;IV29575;IV21265;IV21906;IV22661;IV29737;IV23464;IV31670;IV24602;IV29738;IV26841;IV31699;IV16959;IV19875;IV16002;IV21452;IV00022;IV04339;IV17906;IV17912;IV17933;IV04518;IV06766;IV12947;IV17936;IV11164;IV17937;IV16142;IV19485;IV17968;IV06622;IV11584;IV17940;IV17903;IV08746;IV17934;IV05945;IV00714;IV00002;IV00005;IV00645;IV10064;IV10067;IV10070;IV10085;IV10087;IV10095;IV03904;IV03909;IV03915;IV03917;IV03919;IV03925;IV03941;IV03951;IZ82713;IZ86659;IZ88109;IZ88202;IZ89027;IZ89792;IZ90134;IZ90402;IZ90403;IZ90408;IZ90420;IZ91620;IZ91635;IZ91636;IZ91919;IZ92253;IZ92259;IZ93838;IZ95304;IZ95934

Document Information

Modified date:
15 June 2018

UID

swg24033436