This is a cumulative Fix Pack (FP) patch for a variety of problems in the
components that compose the TFIM 6.2.1 product. It upgrades a TFIM 6.2.1
installation to TFIM 22.214.171.124.
This fix pack corrects problems in IBM Tivoli Federated Identity Manager (Federated Identity Manager), Version 6.2.1. It requires that Federated Identity Manager, Version 6.2.1, be installed. After installing this fix pack, your Federated Identity Manager installation will be at level 126.96.36.199.
Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476)
This Security Alert addresses a serious security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability may cause the Java Runtime Environment to go into a hang, infinite loop, and/or crash resulting in a denial of service exposure. This same hang may occur if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program using the Double.parseDouble method is also at risk of this exposure including any customer written application or 3rd party written application.
The following products contain affected versions of the Java Runtime Environment:
- IBM WebSphere Application Server Versions 7.0 through 188.8.131.52 for Distributed, i5/OS and z/OS operating systems.
- IBM WebSphere Application Server Versions 6.1 through 184.108.40.206 for Distributed, i5/OS and z/OS operating systems.
- IBM WebSphere Application Server Versions 6.0 through 220.127.116.11 for Distributed, i5/OS and z/OS operating systems.
The same iFix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the iFix access http://www-01.ibm.com/support/docview.wss?uid=swg21462019
Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see here.
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.
Fix pack contents and distribution
This fix pack package contains:
- The fix pack zip file
- This README.
This fix pack is distributed as an electronic download from the IBM Support Web Site.
Software requirements for IBM Tivoli Federated Identity Manager version 6.2.1 can be found here.
Fix packs superseded by this fix pack
Fix pack structure
Federated Identity Manager consists of the following components that can be installed separately:
- Administration console
- Management service and runtime component
- Web services security management (WSSM)
- WS-provisioning runtime
- Internet information services (IIS) Web plug-in
- Apache/IBM HTTP Server Web plug-in
- IBM Support Assistant plugin
This fix pack applies only to the administration console, management service and runtime component, and Web services security management (first three components listed above). These three components must be at the same level. For example, if you install a fix pack for the management service and runtime component, you must install the corresponding fix packs for the administration console and WSSM components. If all three components are not at the same fix pack level, they are not guaranteed to interoperate with each other as designed.
APARs and defects fixed
Problems fixed by fix pack 6.2.1-TIV-TFIM-FP0002
The following problems are corrected by this fix pack. For more information about the APARs listed here, refer to the Tivoli Federated Identity Manager support site.
SYMPTOM: Improve SAML Signature Conformance
SYMPTOM: IBM Tivoli Federated Identity Manager SAML 2.0 SSO plugin will generate an "invalid_message_timestamp" error when it receives an AuthnRequest message with a IssueInstant where the second fractions are higher than 999. The following is an example of a timestamp that generates the issue: "2011-07-01T13:30:50.830773Z".
SYMPTOM: Enabling and disabling RelayState URL encoding and decoding in SAML 2.0 unsolicited authentication response.
SYMPTOM: RelayState in the authentication request sent by the SAML 2.0 Service Provider into the Identity Provider is not available as query string parameter in the redirect URL to the custom login page.
SYMPTOM: Security update for TFIM Runtime.
SYMPTOM: Configuration information related to keystore is removed from kessjks.xml when SAML 1.1 or SAML 2.0 partner is added through CLI, no metadata file is specified in the response file or metadata file specified does not contain signing and encryption key, and keystore password provided is wrong.
SYMPTOM: The STSUniversalUser java class does not preserve attributes with empty values.
SYMPTOM: In cases where a SAML validation error occurs and there is no message detail, the error page handler throws a NullPointerException.
SYMPTOM: The TFIM SPS fails to return the appropriate page template when a HTTP GET request does not specify the content encoding. Most browsers do not send the Content-Type: header with the charset value defined for GET requests.
SYMPTOM: Ability for IVCRED STS Module to return error (default) or map to special user account for unauthenticated user token.
SYMPTOM: ADD ADDITONAL TRACES FOR FBTSPS061E ERROR.
SYMPTOM: When no Format attribute for the NameIDPolicy element is found in the SAML 2.0 AuthnRequest message, the Identity Provider will treat the Format as "urn:oasis:names:tc:SAML:2.0:nameidformat:persistent". The Identity Provider should instead refer to the "DefaultNameIDFormat" parameter configured for the Federation/Partner, which is what it does when the Format for the NameIdPolicy element in AuthnRequest message is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
SYMPTOM: Error message FBT0ID0029E is returned by the OpenID Provider when the Relying Party sends an authentication request with Return To URL that matches the Realm URL. This problem happens when the Return To URL has path, and the Realm URL has no path.
SYMPTOM: The Audit Event Handler of an Audit Client Profile cannot be changed into CARSAuditClientEventHandler using IBM Tivoli Federated Identity Manager Management Console. This causes the CARSAuditClientEventHandler setting to be not displayed in the Event Handler Setting tab in the Audit Client Profile Properties page. This also causes the Audit Client Profile Properties page to be reloaded when clicking the OK button in that page, but without saving the Audit Client Profile.
SYMPTOM: ClassCastException is thrown when exporting a key from a keystore using IBM Tivoli Federated Identity Manager Command Line. This problem happens when the parameter "exportPrivateKey" is not specified, or is specified with value "false". CommandException is thrown when exporting a key from a keystore using IBM Tivoli Federated Identity Manager Command Line. This problem happens when the parameter "exportPrivateKey" is specified with no value, or is speficied with value "true". ClassCastException is thrown when importing a keystore using IBM Tivoli Federated Identity Manager Command Line. This problem happens when the parameter "trustedKeystore" is not specified, or is specified with value "false".
SYMPTOM: ChainableRuntimeException is thrown when exporting a key from a keystore using the IBM Tivoli Federated Identity Manager Management Console. This problem happens if the IBM Tivoli Federated Identity Manager is deployed in certain WebSphere Application Server versions (e.g., WebSphere Application Server 7 Fix Pack 11).
SYMPTOM: String "???????? Web ??????!" is returned when accessing the URL
http://hostname:9080/Info/InfoServiceusing web browser. This problem might happen when the language of the browser is different from the language of the operating system where IBM Tivoli Federated Identity Manager Runtime is installed.
SYMPTOM: Security update for IBM Tivoli Federated Identity Manager Runtime.
SYMPTOM: The IBM Tivoli Federated Identity Manager LTPA STS module support code is not thread safe. The code uses an static instance of a JDK class that is not thread safe causing undetermined results while verifying or generating the ltpa token signature on environments with high volume of transaction.
SYMPTOM: KERBEROS STS MODULE TO ENFORCE TOKEN ONE TIME USE.
SYMPTOM: The CBEXMLAuditEvent audit profile event handler is not setting the sequence number and global instance id on the audit records.
SYMPTOM: The IBM Tivoli Federated Identity Manager generates a NullPointerException when the SAMLResponse received from the Identity Provider does not include a Issuer value though the Issuer value is included in the assertion.
SYMPTOM: SAML 2.0 SPS Module is setting the Destination attribute on LogoutReponse message when the request is received through SOAP binding at the Identity Provider and there is more than one service provider session that was authenticated based on the Identity Provider session. The Destination field might have the url for the incorrect partner that is not the one that send the LogoutRequest.
SYMPTOM: SAML 2.0 STS Module fails to validate the subject confirmation method correctly when the assertion is received as part of the SAML 2.0 Single Sign On operation. The specification requires that an assertion that is generated as part of a Single Sign On flow should at least include one of the subject confirmation methods of value urn:oasis:names:tc:SAML:2.0:cm:bearer.
SYMPTOM: The SAML 2.0 SPS module, during a Single Logout operation on Service Provider side, invokes the alias service even if the email name id format was used to single sign on the user. While the Single Logout Operation is successful, an error is included on the logs though the alias operation is not required.
SYMPTOM: In the 'Configure Key Service' -> 'Hardware Cryptographic Device' panel in the TFIM Management Console, the checkbox for 'Use hardware cryptographic device' does not remain selected 2-3 seconds after it is selected.
SYMPTOM: LDAP ALIASES NOT DELETED FOR SAML 20 DEFEDERATE OPERATION
SYMPTOM: TFIM Management Service and Runtime fail to start on WAS 6.0.2. The following is observed in the logs: javax.management.MBeanException: null nested exception is javax.management.ServiceNotFoundException: Cannot find ModelMBeanOperationInfo for operation getInternalClassAccessMode
SYMPTOM: When the Format attribute for the NameID element in the SAML 2.0 Assertion is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", the Service Provider treats the Format as "urn:oasis:names:tc:SAML:2.0:nameidformat:persistent". The Service Provider must instead refer to the "DefaultNameIDFormat" parameter configured for the Federation/Partner.
SYMPTOM: Provider ID and assertion consumer service URL of an existing partner of a SAML2 federation are not updated after changing the partner using a response file through the command modifyItfimPartner with the operation 'modify'.
SYMPTOM: When TFIM is deployed on eWAS, and USC (User Self Care) is configured, USC operations enrollment, forgotten ID and forgotten password fail with the exception that an object cache instance (e.g. itfim/distributedmaps/usc_accountcreate) cannot be fetched.
SYMPTOM: WS-Federation 1.1 Passive profile SignOut operation fails when Identity Provider is using WebSEAL as POC.
SYMPTOM: When adding a SAML2.0 Identity Provider federation as a partner to a Service Provider federation through CLI, although signing key identifier is specified, a "FBTADM072E A key with alias 'null' was not found in the keystore ''" appears and prevents the user from adding the partner.
SYMPTOM: Property doIntrospection of STS chain mapping is set to false after updating the STS chain mapping by using the CLI.
SYMPTOM: The value of the attribute "IsDefault" of all assertion consumer services of the SAML 2.0 Service Provider partner is changed to "true" after clicking the OK or Apply button in the Partner Properties page in the IBM Tivoli Federated Identity Manager Management Console.
SYMPTOM: Security update for the IBM Tivoli Federated Identity Manager Management Console.
SYMPTOM: Security update for the IBM Tivoli Federated Identity Manager Management Console.
SYMPTOM: Security update for the IBM Tivoli Federated Identity Manager Runtime.
SYMPTOM: An HTML page, instead of a SOAP Fault, is returned as a response when sending Request Security Token SOAP request to SAML 1.1 Artifact Service endpoint. This problem happens when the request has invalid "Issuer" or "AppliesTo".
SYMPTOM: Duplicate STS chain mappings are created when adding a SAML 2.0 Service Provider as a partner. This problem happens if the metadata of the Service Provider contains at least three distinct assertion consumer services with at least three distinct URLs.
SYMPTOM: Mapping from single logout URL to protocol is deleted from the configuration file after clicking the OK or Apply button in the Federation Properties page in Tivoli Federated Identity Manager Management Console. This problem happens if the single logout bindings that are enabled are only HTTP-Redirect and SOAP. The missing mapping causes single logout operation to fail.
SYMPTOM: ClassCastException is thrown when adding or modifying LDAP host using the IBM Tivoli Federated Identity Manager Command Line. This problem happens if the parameter "hostPort" is 389, or the parameter "minConnections" is 2, or the parameter "maxConnections" is 10, or the parameter "hostOrder" is -1.
SYMPTOM: Security update for IBM Tivoli Federated Identity Manager Runtime.
Problems fixed by fix pack 6.2.1-TIV-TFIM-FP0001
SYMPTOM: SECURENONCEGENERATOR NOT READING THE RIGHT AMOUNT OF TIME BYTES
SYMPTOM: PASSWORDS NOT OBSCURED IN TRACE
SYMPTOM: TFIMCFG TOOL FAILS WHEN FIPS IS ENABLED.
Internal defect 101608
SYMPTOM: Several USC operations are very slow. These include: user ID existence check, enrollment and password recovery.
SYMPTOM: TAM AUTHORIZATION MODULE DOES NOT WORK WITH FEDERATION SCENARIO
SYMPTOM: NPE TRYING TO LOAD CONFIG INSTANCE IN TDI MAPPING RULE.
SYMPTOM: CONSOLE WILL NOT SHOW LIST OF KEYS ON WEBSPHERE 18.104.22.168.
SYMPTOM: SAML1.1 ARTIFACT RESOLUTION FAILURE NEEDS ERROR INFO IN MSG.
Internal defect 100956
SYMPTOM: NPE MODIFYING XSLT MAP MODULE IN CUSTOM TRUST CHAIN
SYMPTOM: Missing InResponseTo attribute in samlp:Response error responses.
Internal defect 102832
SYMPTOM: DEFAULT NAMEID FORMAT NOT WORKING WHEN NO CLAIMS PASSED.
Internal defect 102551
SYMPTOM: OPENID AUTHENTICATION WITH HTML DISCOVERY FAILS.
Internal defect 101623
SYMPTOM: NPE in console editing mapping rule.
SYMPTOM: FEDERATION PARTNER UPDATE MODIFIES NON-ZERO ACS URL INDEX.
Internal defect 100942
SYMPTOM: Reverse migration fails if the user's TAM LDAP DN is more than one search level below the LDAP suffix where they reside.
SYMPTOM: XML PARSING OF INCOMING SAML MESSAGE FAILS WHEN MACHINE LOCALE IS NOT UTF8-COMPATIBLE AND UTF-8 EXTENDED CHARACTERS APPEAR IN MSG.
SYMPTOM: STATE INFORMATION IN SOME FEDERATION PROTOCOLS INVALID.
SYMPTOM: PROVIDER NAME NEEDS TO BE PART OF THE AUTHENTICATION REQUEST.
SYMPTOM: NULL EXCEPTION OCCURS DURING CLAIMS PROCESSING.
SYMPTOM: The Management Console fixpack installation appears to complete successfully but the console does not operate correctly.
SYMPTOM: SAML 2.0 BEARER SUBJECT CONFIRMATION DATA PROCESSING NOT CONFORMANT.
Internal defect 102886
SYMPTOM: TFIMCFG TOOL FAILS WHEN FIPS IS ENABLED.
SYMPTOM: TDI STS MAP MODULE FAILS TO CACHE CORRECTLY CONFIG INFO
Internal defect 102057
SYMPTOM: STS LTPA TOKEN MODULE READING THE EXPIRATION DATE INCORRECTLY
SYMPTOM: SAML STS MODULES CALCULATES WRONG VALIDITY PERIOD OF ASSERTION.
SYMPTOM: UNABLE TO MODIFY SIGNATURE POLICY SETTINGS FOR SAML 2.0 PARTNER
SYMPTOM: SAML20 SSO FAILS TO DETECT FATAL ERRORS WHILE READING ALIAS
SYMPTOM: NON XML RESPONSE FOR BAD SAML 2.0 AUTHNREQUEST
SYMPTOM: FIM CONSOLE FAILS TO DISPLAY SAML2 PROPS PAGE IF NO ARTIFACT
Internal defect 102887
SYMPTOM: Attribute Query request messages are not reporting timestamp validation errors.
SYMPTOM: Tivoli Federated Identity Manager SAML 2.0 metadata is not properly formatted when TFIM is running on the latest versions of the WebSphere Application Server.
SYMPTOM: SAML 2.0 STS MODULE NOT READING THE DEFAULT NAMEID FORMAT PARAM.
SYMPTOM: TFIM FAILS TO LOAD SAML METADATA WITH ENTITIES DESCRIPTOR
SYMPTOM: Some of Tivoli Federated Identity Manager Console portlet pages cannot be displayed when it is installed in WAS 7 FP 11.
SYMPTOM: FIM CONSOLE INSTALL SHOULD SET JACL LANG WHEN CALLING WSADMIN
SYMPTOM: For a WS-Trust v1.3 request, FIM Security Token Service returns a response with multiple status codes, some of which contain WS-Trust v1.2 URI values.
Internal defect 100723
SYMPTOM: New domain created in 6.2.1 does not have all custom properties. Namely ADMIN.validateFederationName and STS.showUSCChains are missing.
Internal defect 102338
SYMPTOM: CLI throws a StringIndexOutOfBoundsException when adding a SAML 2.0 service provider partner to a SAML 2.0 federation.
Internal defect 102339
SYMPTOM: ClassCastException is thrown when configuring LDAP alias service using Tivoli Federated Identity Manager Command Line. This problem happens if at least one LDAP server exists in the system.
SYMPTOM: Tivoli Federated Identity Manager supported Oracle database for the Tivoli Federated Identity Manager alias service and that attempts to use Oracle displayed errors.
Internal defect IV07711
SYMPTOM: Tivoli Federated Identity Manager Configuration Guide does not describe the steps to enable certificate revocation list checking for certificates that are used for XML message signing, verification, encryption, and decryption.
You must have the following software installed in order to install this fix pack:
- Federated Identity Manager 6.2.1 and its prerequisites
- WebSphere Update Installer version 22.214.171.124 (see Update Installer below.)
Installation path specification for the Windows Server 2008 platform
This preinstallation item applies only to installations on a 64-bit Windows platform like Windows Server 2008.
Because Federated Identity Manager is a 32-bit application its default path when installing on Windows Server 2008 changes from
C:\Program Files (x86)\IBM\FIM
NOTE: This change to the installation path name also affects a 32-bit WebSphere Application Server on Windows Server 2008:
C:\Program Files (x86)\IBM\WebSphere
This fix pack requires the use of the WebSphere Update Installer version 126.96.36.199. Ensure that you have installed the correct version of the WebSphere Update Installer on each computer where you will install the fix pack. You can download the WebSphere Update Installer version 188.8.131.52 from the WebSphere Application Server Update Installer Web site. Installation instructions are on the download page.
Fix pack packaging
This Tivoli Federated Identity Manager 6.2.1-TIV-TFIM-FP0002 patch package is provided on the Tivoli Support Web site as a single downloadable zip file for each supported platform. After you select the package that is appropriate for the target platform, download the package and unzip the contents into a target directory, typically the default WebSphere Update Installer directory, either
for Windows or
You must unzip the downloaded file before you attempt to apply the patch. The unzipped contents are one or more pak files. Each pak file corresponds to one or more product components. For example, a fix pack might contain two pak files: one for the administration console and management service and runtime components, and one for the WSSM component. The full list of product components is described in Fix pack structure.
You use WebSphere Update Installer to apply the fixes of each pak file to the target component on the system that you are updating. Apply all of the pak files that are required by your installation to ensure that the software levels in your environment are identical for all of the components for which a pak file is supplied. The fixes are tested against all affected components; therefore, to minimize any possible issue that can arise from applying a partial fix, ensure the you apply the complete set of files. See Installing the fix pack for specific instructions on using Update installer to apply the fixes.
Automatic creation of a backup directory
The Update Installer saves backup copies of the files that it replaces during the installation. You do not need to manually backup the Federated Identity Manager files.
Installing the fix pack
NOTE: Before installing this fix pack, ensure that you have reviewed the prerequisites in Before installing the fix pack.
Downloading the fix pack
To obtain the fix pack:
1. Go to the IBM Tivoli Federated Identity Manager Support Web site.
2. Click Download. The fix pack (6.2.1-TIV-TFIM-FP0002) should be listed under Latest by date. If you do not see this fix pack listed, enter "6.2.1-TIV-TFIM-FP0002" in the Search field to access the link to the download window.
3. In the fix pack download window, scroll to the bottom of the window to view a listing of the download packages by platform.
4. Select the platform that corresponds to the target platform where you will apply the fixes. To ensure a secure download, you can select the DD (Download Director) option. If you have not used Download Director before, you must configure your browser to use Java security. Click What is DD? for configuration instructions.
Setting the WebSphere security passwords
If security is enabled on the WebSphere Application Server where Federated Identity Manager is installed, you must set the appropriate password values in the fim.appservers.properties file before you can apply the fix pack.
If security is not enabled, you can skip this step.
NOTE: If you add passwords to the fim.appservers.properties file, as described below, you specify these passwords using plain text. However, at the end of the fix pack installation process these passwords are obfuscated and will no longer be available in plain text format.
To specify security passwords, use the following procedure:
1. Using a text editor, open the file FIM_INSTALL_DIR/etc/fim.appservers.properties.
2. If the was.security.enabled property is present in the fim.appservers.properties file and is set to true then you must add two password properties to the file:
- the was.admin.user.pwd property with a value of the administrator login password for the WebSphere Application Server where Federated Identity Management is deployed
- the was.truststore.pwd property with a value of the password for the trust store used for client-side SSL authentication in that WebSphere Application Server
- the ewas.admin.user.pwd property with a value of the administrator login password for the Embedded WebSphere Application Server where Federated Identity Management is deployed
- the ewas.truststore.pwd property with a value of the password for the trust store used for client-side SSL authentication in that Embedded WebSphere Application Server
Applying the fix pack
1. Unzip the file you downloaded in Downloading the fix pack, preferably into the default WebSphere Update Installer's maintenence directory,
2. Ensure that the WebSphere Application Server that hosts the Federated Identity Manager runtime and management service component is running.
3. Ensure that the WebSphere Application Server that hosts the Federated Identity Manager console component is running.
4. Start the appropriate WebSphere Update Installer (typically located in C:\Program Files\IBM\WebSphere\UpdateInstaller on Windows systems, or in /opt/IBM/WebSphere/UpdateInstaller on UNIX-based systems).
5. In the Welcome window click Next. Federated Identity Manager will not be listed, but is supported.
6. Specify the path to the installation directory for Federated Identity Manager (typically C:\Program Files\IBM\FIM on Windows systems, or /opt/IBM/FIM on UNIX-based systems), then click Next.
7. Select Install maintenance in the dialog.
8. Specify the path where the fix pack (.pak) files were unzipped. The Update Installer automatically detects, enables, and displays the FIM fixes (pak files).
9. Determine which product components are installed on the system that you are updating. You should install only the pak files that correspond to the components on the target system. To determine the names and version levels of the product components installed on the target system, view the contents of the FIM_INSTALL_DIR/etc/version.propeties file with a text editor. The following list describes how to interpret the properties in the version.properties file:
Specifies that the management service and runtime component is installed at the level specified by version.
Specifies that the administration console component is installed at the level specified by version.
Specifies that the WS-provisioning runtime component is installed at the level specified by version.
Specifies that the Web services security management (WSSM) component is installed at the level specified by version.
Specifies that the Web plug-in (either the Internet information services (IIS) Web plug-in or the Apache/IBM HTTP Server Web plug-in) is installed at the level specified by version.
Apply the fix packs to the product's components in the following order:
1. Management service and runtime and administration console>
2. Other components
Note: If a domain is not created before application of Tivoli Federated Identity Manager fix pack, the fix pack installation completes successfully with a "Partially Successful" message.
10. Compare the list of installed components to the list of pak files in the WebSphere Update Installer and select the pak files that correspond to the installed components, then click Next.
NOTE: The WebSphere Update Installer allows you to select more than one pak file at a time for execution. Select only the pak files that correspond to the components that are installed on the system you are updating. If you accidentally install more pak files than are needed, you can separately uninstall any fix packs for components that are not installed on the target system.
11. If needed (for example, if you must install multiple pak files on the target system, and you only installed one pak file), repeat the previous step to install any additional pak files on the target system.
Deploying the fix pack runtime component
After you install the fix pack, you must redeploy the Tivoli Federated Identity Manager runtime. This task is identical to the deployment task you completed after the initial installation of the management service and runtime components. In a WebSphere cluster environment, you must ensure that the new runtime component is deployed to each WebSphere node.
The initial deployment steps are described in Creating and deploying a new domain in the Installation and Configuration Guide. The specific instructions for deploying the runtime begin in step 16.
- You do not have to re-configure the runtime into Tivoli Access Manager. The Tivoli Access Manager configuration is retained when the fix pack is applied.
- During redeployment of the runtime in a cluster environment, you might receive errors, such as, "ClassNotFoundException" in the WebSphere SystemOut.log files. Any such errors should stop after you restart the cluster.
Use the following procedure to deploy the updated Federated Identity Manager runtime:
1. Log in to the administration console.
2. Select Domain Management-> Runtime Node Management.
3. Ensure that the new runtime (version 184.108.40.206) is displayed as available, then click Deploy Runtime.
4. Wait for the deployment to finish by selecting Click to refresh runtime deployment status and check for completion...
5. If the domain was not created before application of Tivoli Federated Identity Manager fix pack, click Publish Plug-ins.
6. Verify that the currently deployed version is now 220.127.116.11 as follows:
1. Navigate to the Runtime Node Management window.
2. Look in the Runtime Management section of the Runtime Nodes portlet in the right panel and review the runtime information.
Current deployed version 18.104.22.168 [111017a]
NOTE: The number in the brackets [111017a] might be different from this example.
7. Repeat the previous step for each node in a WebSphere cluster environment.
Then, restart the ITFIMManagementService.
Restarting the ITFIMManagementService
1. Log in to the Integrated Solutions Console.
2. Select Applications -> WebSphere enterprise applications.
3. Select ITFIMManagementService from the Enterprise Applications list.
4. Click Stop.
5. Select ITFIMManagementService in the Enterprise Applications list.
6. Click Start.
After you install the fix pack and redeploy the Tivoli Federated Identity Manager runtime you must re-publish the plug-ins to the runtime and reload the configuration.
Use the following procedure to re-publish the plug-ins:
1. Log in to the administration console.
2. Select Domain Management -> Runtime Node Management.
3. Click Publish Plugins.
4. After the plug-ins are published, reload the runtime configuration.
Problems (APARS) fixed
Problems (APARS) fixed
Was this topic helpful?
15 June 2018