README

IBM Tivoli Security Operations Manager(TM) Version 4.1.1 Fix Pack 007
for IBM AIX, Solaris Operating Environments, Red Hat Linux ES and
Windows Server 2003

© Copyright International Business Machines Corporation 2009.
All rights reserved.

Contents

1.0 About this release
  1.1 Supported products and components by platform
  1.2 PTF and VRMF information
2.0 Installation and configuration
  2.1 Supported languages for Tivoli Security Operations Manager
      available from the FTP site
  2.2 Prerequisites
  2.3 Before installation
  2.4 Installing the Tivoli Security Operations Manager 4.1.1 Fix Pack 007
  2.5 After installation
  2.6 Uninstalling / rollback
3.0 Documentation Updates
4.0 Resolved Problems
5.0 Contacting customer support
6.0 Notices and trademarks

1.0 About this release

Set the font to monospace to better view this file.

The information in this readme file should be read by Tivoli Security
Operations Manager administrators who plan to install Tivoli Security
Operations Manager 4.1.1 Fix Pack 007. This readme file contains
platform-specific information about the latest changes and known
problems and workarounds for TSOM.

This readme file contains TSOM 4.1.1 Fix Pack 007 information for all
UNIX(R) operating systems supported by Tivoli Security Operations
Manager. Specific information for each supported UNIX operating system
is described in separate sections of this readme. However, unless
otherwise specified, the instructions are applicable to all supported
UNIX operating systems.
1.1 Supported products and components by platform

This readme file contains information for the following products and
components for each UNIX operating system:

IBM AIX
Product list:
* Tivoli Security Operations Manager Central Management System (CMS)
  Version 4.1.1 Fix Pack 007
* Tivoli Security Operations Manager Event Aggregation Module (EAM)
  Version 4.1.1 Fix Pack 007

Linux(TM) (RedHat(R)) 32-bit
Product list:
* Tivoli Security Operations Manager Central Management System (CMS)
  Version 4.1.1 Fix Pack 007
* Tivoli Security Operations Manager Event Aggregation Module (EAM)
  Version 4.1.1 Fix Pack 007

Solaris(R) Operating Environments (32-bit)
Product list:
* Tivoli Security Operations Manager Central Management System (CMS)
  Version 4.1.1 Fix Pack 007
* Tivoli Security Operations Manager Event Aggregation Module (EAM)
  Version 4.1.1 Fix Pack 007

Windows(TM) Server 2003 Enterprise Edition R2 SP2 (64-bit)
Product list:
* Tivoli Security Operations Manager Central Management System (CMS)
  Version 4.1.1 Fix Pack 007
* Tivoli Security Operations Manager Event Aggregation Module (EAM)
  Version 4.1.1 Fix Pack 007

1.2 PTF and VRMF information

+-----------------------+---------------------------------------+------------------+
| Operating system      | PTF                                   | VRMF             |
+-----------------------+---------------------------------------+------------------+
| AIX 5L                | 4.1.1-TIV-TSOM-AIXPPC32-FP007.bin     | 4.1.1-FP007      |
+-----------------------+---------------------------------------+------------------+
| Solaris Operating     | 4.1.1-TIV-TSOM-SolarisSparc-FP007.bin | 4.1.1-FP007      |
| Environment           |                                       |                  |
+-----------------------+---------------------------------------+------------------+
| Linux (RedHat)        | 4.1.1-TIV-TSOM-LinuxIA32-FP007.bin    | 4.1.1-FP007      |
+-----------------------+---------------------------------------+------------------+
| Windows (Server 2003) | 4.1.1-TIV-TSOM-WinX64-FP007.exe       | 4.1.1-FP007      |
+-----------------------+---------------------------------------+------------------+

2.0 Installation and configuration

The package names for each specific operating system are:

+-------------------------------+---------------------------------------+
| AIX                           | 4.1.1-TIV-TSOM-AIXPPC32-FP007.bin     |
+-------------------------------+---------------------------------------+
| Linux (RedHat)                | 4.1.1-TIV-TSOM-LinuxIA32-FP007.bin    |
+-------------------------------+---------------------------------------+
| Solaris Operating Environment | 4.1.1-TIV-TSOM-SolarisSparc-FP007.bin |
| (32-bit)                      |                                       |
+-------------------------------+---------------------------------------+
| Windows Operating Environment | 4.1.1-TIV-TSOM-WinX64-FP007.exe       |
| (64-bit)                      |                                       |
+-------------------------------+---------------------------------------+

The packages are self-extracting executables.

2.1 Supported languages for Tivoli Security Operations Manager available
from the FTP site

The following table details the supported languages that are available
from the FTP site:

+------------------------------+---------------------------+
| Operating System             | Central Management System |
+------------------------------+---------------------------+
| AIX                          | English only              |
+------------------------------+---------------------------+
| RedHat Linux Intel (32-bit)  | English only              |
+------------------------------+---------------------------+
| Solaris Operating System     | English only              |
+------------------------------+---------------------------+
| Windows Operating System     | English only              |
| (64-bit)                     |                           |
+------------------------------+---------------------------+

2.2 Prerequisites

* You must have a supported operating system installed. The supported
  operating systems are:
  - AIX 5L Version 5.3 (5.3.x)
  - Solaris Version 10 (10.x)
  - RedHat Version 5 (5.x)
  - Microsoft Windows Server 2003 Enterprise Edition R2 SP2 (64-bit)

* You must have a supported database installed and a schema and user
  created and available.
  The supported databases are:
  - IBM DB2 Enterprise 9 (9.x)
  - Oracle 10g Release 1 (10.2.x)

* This Interim fix must be installed on the Central Management System
  (CMS) and all Event Aggregation Modules (EAM).

* Ensure that you have read the entire contents of this readme.

* This Interim fix can be installed on systems with:
  Tivoli Security Operations Manager 4.1.1 GA release or
  Tivoli Security Operations Manager 4.1.1 Interim Fix 001 or
  Tivoli Security Operations Manager 4.1.1 Interim Fix 002 or
  Tivoli Security Operations Manager 4.1.1 Interim Fix 003 or
  Tivoli Security Operations Manager 4.1.1 Fix Pack 004 or

2.3 Before installation

* You must install this Fix Pack using the same method that you used to
  install the product initially.
  - If you installed Tivoli Security Operations Manager v 4.1.1 using an
    Xwindows install, you must use an Xwindows installation to install
    this Fix Pack.
  - If you used a console install to install Tivoli Security Operations
    Manager, you must use the console installation to install this Fix
    Pack.

2.4 Installing Tivoli Security Operations Manager 4.1.1 Fix Pack 007:
Procedures

To install Tivoli Security Operations Manager Fix Pack 007:

1. Log in to the server hosting the Tivoli Security Operations Manager
   component as the root user or as a user that has privileges to sudo
   to root, or on Windows as the same user originally used to install
   Tivoli Security Operations Manager.

2. Change directories to the directory where you downloaded the
   self-extracting binary.

3. Run the self-extracting binary (use -i console for a text-based
   install):

   On UNIX/Linux:

   If you have Xwindows installed:
     ./4.1.1-TIV-TSOM-<platform>-FP007.bin
   If you do not have Xwindows installed:
     ./4.1.1-TIV-TSOM-<platform>-FP007.bin -i console

   where <platform> is the operating system on the server (see the
   package names in section 1.2). The InstallAnywhere installer will
   launch.

   On Windows:

   Using Windows Explorer, locate the downloaded file
   4.1.1-TIV-TSOM-WinX64-FP007.exe and double-click it.

4. On the Locale screen, select the locale in which the install utility
   will run and click OK.

5. On the Introduction screen, click Next.

6. Review the installation on the Pre-Installation Summary screen, and
   click Install.

7. When the installation has completed, click Done on the Install
   Complete screen.

General reminder - the Fix Pack installer does not upgrade Device Rules.
Please install the latest Device Rules Update Package separately.

2.5 After installation

* Ensure the installed components are running by logging in to the UI
  using the admin user (username: admin, password: password):

    https://<CMS_IP>:8443

  where <CMS_IP> is the IP address of the server hosting the CMS.

*** Important Note ***

This Interim Fix includes an updated UCM that will run as a service on
Windows. After installing the fix, the UCM file that should be installed
on a Windows system is <install_dir>/misc/install_ucm.exe, where
<install_dir> is the directory where you installed Tivoli Security
Operations Manager. This file can also be obtained from the downloads
link on the TSOM Portal at:

    https://<CMS_IP>:8443
    -or-
    http://<CMS_IP>:8080

where <CMS_IP> is the IP address of the server hosting the CMS.

Known issue: The default configuration does not include the necessary
library ITSOM_LogParser.dll in the Java library path. There are two ways
to get ITSOM_LogParser.dll into the Java library path (assuming the
default install directory of C:\Program Files\IBM\TSOM):

------------------------------------------------------------
1) Copy the file ITSOM_LogParser.dll from
     C:\Program Files\IBM\TSOM\lib\ITSOM_LogParser.dll
   to
     C:\Program Files\IBM\TSOM\ITSOM_LogParser.dll

   For example:
     cd C:\Program Files\IBM\TSOM\
     copy lib\ITSOM_LogParser.dll ITSOM_LogParser.dll
------------------------------------------------------------
2) Alter the C:\Program Files\IBM\TSOM\UCM.iax file.
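Workaround 2 edits a configuration file by hand. The following Python script is an added example written for this readme (it is not IBM's code and not part of the original document): it checks whether either workaround is already in place for a TSOM install directory (the DLL next to the UCM launcher, or lib on java.library.path in UCM.iax) and, if not, adds the readme's lax.nl.java.option.additional options to UCM.iax, keeping any options already on that line and leaving a .bak copy of the file. It assumes the .iax file uses one key=value pair per line with no spaces inside option values; the demo at the end runs against a constructed install tree in a temporary directory rather than C:\Program Files\IBM\TSOM.

```python
"""Check and apply the ITSOM_LogParser.dll workaround for the TSOM UCM.

Added example for this readme, not IBM's code. It covers both workarounds:
(1) a copy of ITSOM_LogParser.dll next to the UCM launcher, or
(2) -Djava.library.path=lib on the lax.nl.java.option.additional line of
UCM.iax. File and option names are the readme's; the demo at the bottom
builds a throwaway install tree in a temp directory (constructed input).
"""
import shutil
import tempfile
from pathlib import Path

LAX_KEY = "lax.nl.java.option.additional"
DLL_NAME = "ITSOM_LogParser.dll"

# The three options the readme tells you to put on the line.
REQUIRED_OPTS = {
    "-Djava.net.preferIPv4Stack": "true",
    "-Djava.net.preferIPv6Addresses": "false",
    "-Djava.library.path": "lib",
}

# Comment header the readme shows above the key; used when the key is absent.
LAX_HEADER = [
    "# LAX.NL.JAVA.OPTION.ADDITIONAL",
    "# -----------------------------",
    "# -Dargument=value args to JAVA",
]


def parse_opts(value: str) -> dict:
    """'-Da=b -Xmx256m' -> {'-Da': 'b', '-Xmx256m': ''}.
    Assumes no spaces inside a value (true for the relative path 'lib')."""
    opts = {}
    for tok in value.split():
        name, _, val = tok.partition("=")
        opts[name] = val
    return opts


def format_opts(opts: dict) -> str:
    return " ".join(f"{k}={v}" if v else k for k, v in opts.items())


def patch_lax_text(text: str):
    """Return (new_text, changed). Options already on the line (e.g. -Xmx)
    are kept, the three required ones are added or corrected, and the key
    plus its comment header is appended if the file lacks it. A second run
    on the result reports changed=False."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        key, sep, value = line.partition("=")
        if not sep or key.strip() != LAX_KEY:
            continue  # comments, blank lines and other keys are untouched
        merged = parse_opts(value)
        merged.update(REQUIRED_OPTS)
        new_line = f"{LAX_KEY}={format_opts(merged)}"
        if new_line == line.strip():
            return text, False
        lines[i] = new_line
        return "\n".join(lines) + "\n", True
    lines += LAX_HEADER + [f"{LAX_KEY}={format_opts(REQUIRED_OPTS)}"]
    return "\n".join(lines) + "\n", True


def dll_reachable(install_dir: Path) -> bool:
    """True when either workaround is in place for this install tree."""
    if (install_dir / DLL_NAME).is_file():          # workaround 1
        return True
    iax = install_dir / "UCM.iax"
    if not iax.is_file():
        return False
    for line in iax.read_text().splitlines():       # workaround 2
        key, sep, value = line.partition("=")
        if sep and key.strip() == LAX_KEY:
            return parse_opts(value).get("-Djava.library.path") == "lib"
    return False


def apply_workaround2(install_dir: Path) -> bool:
    """Patch UCM.iax in place, keeping a .bak copy. Returns True if changed."""
    iax = install_dir / "UCM.iax"
    new_text, changed = patch_lax_text(iax.read_text())
    if changed:
        shutil.copy2(iax, iax.with_name(iax.name + ".bak"))
        iax.write_text(new_text)
    return changed


def demo() -> bool:
    """Constructed install tree: DLL only under lib, UCM.iax without the
    option. True if the DLL was unreachable before and reachable after."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "lib" / DLL_NAME).write_bytes(b"constructed placeholder")
        (root / "UCM.iax").write_text(
            "lax.application.name=UCM.exe\n" f"{LAX_KEY}=-Xmx256m\n")
        before = dll_reachable(root)
        apply_workaround2(root)
        return (not before) and dll_reachable(root)


if __name__ == "__main__":
    print("workaround 2 applied and verified:", demo())
```

Run the file as a script to see the demo, or call apply_workaround2(Path(r"C:\Program Files\IBM\TSOM")) from an elevated prompt on the UCM host. dll_reachable() is the check to repeat after any later reinstall or upgrade that might rewrite UCM.iax or remove the copied DLL.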
   Add this block of text:

     # LAX.NL.JAVA.OPTION.ADDITIONAL
     # -----------------------------
     # -Dargument=value args to JAVA
     lax.nl.java.option.additional=-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv6Addresses=false -Djava.library.path=lib

General reminder - the UCM will also need Windows Log Parser installed.
This is a free tool from Microsoft that is used to safely communicate
with the Event Log system.

2.6 Uninstall

*** Warning ***
Uninstalling a cumulative fix (such as this one) will uninstall the
complete product.

1. Log in to the server hosting the Tivoli Security Operations Manager
   component as the root user or as a user that has privileges to sudo
   to root.

2. Change directories to the directory
   <install_dir>/Uninstall_Tivoli Security Operations Manager
   where <install_dir> is the directory where you installed Tivoli
   Security Operations Manager.

3. Execute the uninstaller (use -i console for a text-based uninstall):

   If you have Xwindows installed:
     ./Uninstall_Tivoli_Security_Operations_Manager
   If you do not have Xwindows installed:
     ./Uninstall_Tivoli_Security_Operations_Manager -i console

   The InstallAnywhere uninstaller will launch.

4. On the Summary screen, click Uninstall.

5. When the uninstallation has completed, click Done on the Uninstall
   Complete screen.

3.0 Documentation Updates

1. New handling of the checkpoint conduit.

   Starting with 4.1.1-TIV-TSOM-FP004, native handling of the checkpoint
   conduit runs as a separate service on all supported platforms.

   On Solaris and Linux: on each EAM server that collects data via the
   checkpoint conduit, you have to start the tsom_leads.sh service:

     ./bin/tsom_leads.sh start

   The service stops automatically when the EAM process stops.

   On Windows: a new service, TSOMLEADS, is created when the EAM is
   installed on Windows. You can stop it manually if you do not use the
   checkpoint conduit on that EAM.

2. Cleanup of the event_data table causing application downtime in
   Oracle.

   In order to clean up the EVENT_DATA tables efficiently, the Oracle
   install uses DROP PARTITION. For this to work, all indexes that are
   created must also be partitioned by NORMALIZATION_TIME. This was
   already done; however, because EVENT_DATA_ID is the primary key of
   the event data table, it creates an implicit index that is not
   partitioned this way. After the DROP PARTITION statements are issued,
   this index becomes invalid and must be rebuilt manually, which takes
   approximately 3-4 hours. During this time, the CMS is unavailable.

   This was resolved by issuing two schema-change SQL statements:

   1. Remove the primary-key constraint (and its index) from the table:

        ALTER TABLE EVENT_DATA DROP PRIMARY KEY DROP INDEX

   2. Create an index on EVENT_DATA_ID and NORMALIZATION_TIME such that
      partitioning by NORMALIZATION_TIME is possible:

        ALTER TABLE EVENT_DATA ADD CONSTRAINT UNIQ_EVTDATA_NORMTIME
          UNIQUE (Event_data_id, Normalization_time)

   The above two SQL statements can be provided to customers (on Oracle)
   on a need basis if they encounter a similar problem.

3. Starting with 4.1.1-TIV-TSOM-FP007, the logging level can be changed
   dynamically. See:
   http://www-01.ibm.com/support/docview.wss?rs=3125&context=SSGNRH&q1=log4j&uid=swg21404702&loc=en_US&cs=utf-8&lang=en

4.0 Resolved Problems

Problems fixed by 4.1.1-TIV-TSOM-FP007

IZ58989 TSOM/TOMCAT FAILS TO INSTALL WHEN NOT USING THE DEFAULT DIRECTORY.
        http://www-01.ibm.com/support/docview.wss?rs=3125&context=SSGNRH&q1=C+drive&uid=swg21403929&loc=en_US&cs=utf-8&lang=en
IZ60123 ADD/REMOVE PROGRAMS CANNOT UNINSTALL TSOM UCM. ERROR: AN ERROR
        OCCURRED WHILE TRYING TO REMOVE. MAY ALREADY BE UNINSTALLED.
IZ60117 TICKETS SHOW UP TWICE FOR NON ADMIN USERS.
IZ59821 COPY/PASTE FUNCTION OF RULES DOES NOT WORK
IZ52607 CONFIGURING MULTIPLE CHECKPOINTS ONTO A SINGLE EAM WITH IF 03 ON
        TSOM 4.1.1 NEEDS A RESTART OF THE CMS.
IZ52882 CUSTOMER IS GETTING "DUPLICATE SENSOR NAME" ERROR WHILE CREATING
        EAM
IZ50915 INTERIM FIX 03 GETS INSTALLED IN C:\PROGRAM FILES\IBM\TSOM\
        IRRESPECTIVE OF TSOM BEING INSTALLED ON A DIFFERENT DRIVE.
IZ53747 EXTENSIVE CMS-DATABASE COMMUNICATION UNDER LOAD WITH RELATIVELY
        HIGH 'NEW' HOSTS FRACTION.
IZ52884 "CONNECTION TIMED OUT" POPUP ERROR WHEN OPENING
        PUBLIC_MASTER_NETBLOCK. NETBLOCK CONTAINS 3 MILLION HOSTS
IZ59902 (devices) EVENTS FROM MICROSOFT EXCHANGE SERVER 2003 DO NOT HAVE
        THE OBJECT NAME
IZ54879 (devices) CISCO ASA EVENTS HAVE THE SENSOR CLASS SET TO OS, BUT
        SHOULD BE SET TO FIREWALL
IZ55996 (devices) IP ADDRESS DOES NOT GET PARSED FROM CISCO IOS 12X
        TCP-6-BADAUTH EVENTS.
IZ55215 CISCO NIDS EVENTS NEED TO HAVE THE SIGNATURE ID PARSED
IZ49811 WEBSEAL LOG FILES NOT BEING READ
IZ54255 (devices) THE USERNAME IS NOT PARSED OUT OF A CISCO IOS EVENT BY
        THE SYSLOG CONDUIT.

Problems fixed by 4.1.1-TIV-TSOM-IF006

IZ54449 WITH FP 04 ON TSOM 4.1.1, THE CMS MAY START FACING A MEMORY LEAK
        ISSUE.
IZ53550 VULNIMPORT FAILS TO CONNECT TO QUALYS DUE TO UNKNOWN PROTOCOL
        "HTTPS", RUNNING ON THE SOLARIS PLATFORM.
IZ54448 WITH FP 04 ON TSOM 4.1.1, THE SAME CHECKPOINT EVENT MAY COME IN
        MORE THAN ONCE INTO TSOM
IZ57753 SDEE CONDUIT STOPS WORKING AFTER RUNNING FINE FOR SOME TIME
IZ58261 IP ADDRESS FILTERS ON EAM NOT FUNCTIONING

Problems fixed by 4.1.1-TIV-TSOM-FP004

IZ46175 PARSING ISSUE WITH CISCO ASA DEVICE
IZ53747 EXTENSIVE CMS-DATABASE COMMUNICATION UNDER LOAD WITH RELATIVELY
        HIGH 'NEW' HOSTS FRACTION.
IZ53012 PARSING ISSUE WITH CISCO IPS USING THE SDEE CONDUIT
IZ48223 CHECKPOINT CONDUIT[S] STOPS SENDING EVENTS TO EAM

Internal defect 3239 No Pause When Investigating Events.
   The Event Console/Top Sources/Top Destinations does not pause incoming
   events when you click on a row item as it did in the past. Now, if an
   event of concern scrolls by, it is necessary to explicitly click on
   the Pause/Play button, whereas in previous versions simply clicking
   on a row item would invoke the Pause action.

Internal defect 3240 Investigation Window Disappears.
   As new events are drawn, the right-click menu data is terminated.
   This means an explicit Pause must be issued before there is any
   chance of successfully executing the 'Show Event Details' right-click
   pop-up menu.

Internal defect 3296 Filtering based on the 'Host name' column doesn't
   work in the 'Top Sources' and 'Top Destinations' views.

Internal defect 3295 Filtering based on the 'Watchlist' column doesn't
   work in the 'Top Sources' and 'Top Destinations' views.

Internal defect 3245 Text search case sensitivity.
   The 'contains' search entity was case sensitive; now the user can
   choose an option regarding case sensitivity.

IZ52955 CAN CREATE AND DELETE BUT CANNOT MODIFY EXISTING ROLES. RECEIVE
        "CAN NOT UPDATE ROLE" ERROR MESSAGE.
IZ47012 ONCE EVERY 2-3 DAYS CMS WOULD CORE DUMP.
IZ47026 SYSLOG AND UCM EVENTS WOULD STOP FLOWING FROM EAM TO CMS.
IZ51121 ERRORS RELATED TO THE CHECK POINT CODE ADDITION
IZ50903 SOME FIELDS IN THE TSOM GUI ARE NOT UPDATABLE IF THE OS LANGUAGE
        IS SET TO PORTUGUESE (BRAZIL)
IZ51191 LARGE NUMBER OF TICKETS CAUSES A DB2 QUERY ERROR WITH
        SQLSTATE:54001 STATEMENT TOO LONG OR TOO COMPLEX
IZ50828 A '$' IN THE INFO FIELD CAUSES THE STRING '$EVENT.INFO' TO
        POPULATE A TICKET'S SUMMARY OR E-MAIL BODY CREATED BY AN ACTION

Problems fixed by 4.1.1-TIV-TSOM-IF003

APAR IZ27430 EAMS & SENSORS: UI FAILING TO LOAD SENSOR IDENTIFIER LIST ON
             START-UP AND EAMS & SENSORS VIEW FAILS TO LOAD AS WELL
APAR IZ38257 LEA_X.CONF GETTING OVERWRITTEN WHEN CHECKPOINT CONDUIT IS
             STARTED
APAR IZ32568 EXTREMELY HIGH CPU LOAD THEN GUI LOCKUP ON LARGE THREAT VIEW
APAR IZ40155 USERNAME AND USERCONTEXT BEING DROPPED BY SNMP CONDUIT.
APAR IZ40118 WATCHLISTS ARE 'UNATTACHED' WHEN DUPLICATE ADDRESSES ARE
             CONFIGURED.
APAR IZ45708 Allow OPSEC to connect to multiple Check Point devices

Internal defect 3220 Flaw in logic in UCMParser would only allow one Java
   rules file to be checked for event compatibility.
Internal defect 3199 Added clear channel handling.
Internal defect 3198 Added the functionality to match the language
   selected in Reports Advanced Format to the browser locale.
Internal defect 3224 Breaking support for Windows 2003 in the Installer.
   Problems caused by the JVM on Linux: Java Out of Memory and SNMP
   problem.

Problems fixed by 4.1.1-TIV-TSOM-IF002

APAR IZ25896 PERFORMANCE DEGRADATION WITH MULTIPLE CLIENTS CONNECTED
APAR IZ29743 IF TOKEN REF $EVENT.INFO CONTAINS DOUBLE QUOTES TSOM RETURNS
             BLANK
APAR IZ31058 Windows Syslog adds debug to messages
APAR IZ33559 EAM Filter: Duplicate Filter issue
APAR IZ34660 SNMP v3 Engine ID needs to be stored in Octet String format
APAR IZ33759 Syslog binding to port 514
APAR IZ37268 TSOM 4.1.1 CMS Core dump / Heap Dump
APAR IZ38624 SNMP MESSAGES LOST ON HEAVILY LOADED EAM
APAR IZ39499 Performance fix for Host Creation Queue
APAR IZ39500 EAM Memory leak from Apache commons pool

Problems fixed by 4.1.1-TIV-TSOM-IF001

APAR IZ32566 EAM crashes or hangs after every few hours with perl errors
APAR IZ27248 TSOM 4.1.1 init script pointing to wrong tomcat scripts
APAR IZ27280 4.1.1 UCM INSTALLER FOR WINDOWS BROKE
APAR IZ29081 A NEW SENSOR IS CREATED FOR EVERY EVENT THAT THE JAVA RULE
             PROCESSES
APAR IZ29719 CMS runs out of memory on systems with over 300,000 hosts
APAR IZ29739 GUI Help --> About still shows 4.1.0 after upgrade

5.0 Contacting customer support

Support for Tivoli Security Operations Manager products, including
documentation, Fix Packs, and APAR information is provided at:

http://www-306.ibm.com/software/sysmgmt/products/support/IBMTivoliSecurityOperationsManager.html?S_CMP=rnav

IBM hardware, software, and systems support
* 1-800-IBM-SERV (1-800-426-7378)

6.0 Notices and trademarks

IBM may not offer the products, services, or features discussed in this
document in all countries. Consult your local IBM representative for
information on the products and services currently available in your
area.
Any reference to an IBM product, program, or service is not intended to
state or imply that only that IBM product, program, or service may be
used. Any functionally equivalent product, program, or service that does
not infringe any IBM intellectual property right may be used instead.
However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject
matter described in this document. The furnishing of this document does
not give you any license to these patents. You can send license
inquiries, in writing, to:

  IBM Director of Licensing
  IBM Corporation
  North Castle Drive
  Armonk, NY 10504-1785
  U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact
the IBM Intellectual Property Department in your country/region or send
inquiries, in writing, to:

  IBM World Trade Asia Corporation
  Licensing
  2-31 Roppongi 3-chome, Minato-ku
  Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any
other country/region where such provisions are inconsistent with local
law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.
Some states do not allow disclaimer of express or implied warranties in
certain transactions; therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical
errors. Changes are periodically made to the information herein; these
changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s)
described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of
those Web sites. The materials at those Web sites are not part of the
materials for this IBM product, and use of those Web sites is at your
own risk.

IBM may use or distribute any of the information you supply in any way
it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the
purpose of enabling: (i) the exchange of information between
independently created programs and other programs (including this one)
and (ii) the mutual use of the information that has been exchanged,
should contact:

  IBM Canada Limited
  Office of the Lab Director
  8200 Warden Avenue
  Markham, Ontario
  L6G 1C7
  CANADA

Such information may be available, subject to appropriate terms and
conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed
material available for it are provided by IBM under terms of the IBM
Customer Agreement, IBM International Program License Agreement, or any
equivalent agreement between us.

Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating
environments may vary significantly. Some measurements may have been
made on development-level systems, and there is no guarantee that these
measurements will be the same on generally available systems.
Furthermore, some measurements may have been estimated through
extrapolation. Actual results may vary. Users of this document should
verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers
of those products, their published announcements, or other publicly
available sources. IBM has not tested those products and cannot confirm
the accuracy of performance, compatibility, or any other claims related
to non-IBM products. Questions on the capabilities of non-IBM products
should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to
change or withdrawal without notice, and represent goals and objectives
only.

This information may contain examples of data and reports used in daily
business operations. To illustrate them as completely as possible, the
examples include the names of individuals, companies, brands, and
products. All of these names are fictitious, and any similarity to the
names and addresses used by an actual business enterprise is entirely
coincidental.

This information may contain sample application programs, in source
language, which illustrate programming techniques on various operating
platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM for the purposes of developing, using,
marketing, or distributing application programs conforming to the
application programming interface for the operating platform for which
the sample programs are written. These examples have not been thoroughly
tested under all conditions. IBM, therefore, cannot guarantee or imply
reliability, serviceability, or function of these programs.

Trademarks

IBM, Tivoli Security Operations Manager, DB2, and AIX are trademarks of
International Business Machines Corporation in the United States, other
countries, or both.

Check Point FireWall-1, the Check Point logo, OPSEC, Site-Manager-1,
SmartCenter Pro are trademarks or registered trademarks of Check Point
Software Technologies Ltd. or its affiliates.

Red Hat and Red Hat Linux are registered trademarks of Red Hat
Incorporated.

Oracle and Oracle 10g are registered trademarks of Oracle Incorporated.

Solaris and Solaris 10 are registered trademarks of Sun Microsystems
Incorporated.

Windows is a registered trademark of Microsoft Corporation in the United
States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States
and other countries.

Other company, product, or service names may be trademarks or service
marks of others.