The Fix Pack Readme topics describe the contents of the Tivoli Security Policy Manager Fix Pack 7.1.0.4
Visit the IBM Product Security Incident Response site for a full list of security alerts for WebSphere Application Server.
Java Security Exposure (CVE-2010-4476) Flash for WebSphere Application Server (WSAS)
You might need to install the WebSphere Update Installer (WUI), which is at the following location: WebSphere Update Installer (WUI)
Password to the plugin-key.kdb will expire on April 26, 2012
Download and extract the fix pack files from the IBM Tivoli Security Policy Manager Support website.
Tivoli Security Policy Manager Fix Pack 7.1.0.4 consists of two compressed files. One file contains the policy manager packages. The other file contains the runtime security services packages. Download the compressed files that apply to your deployment.
Package | Fix Pack compressed file |
---|---|
Tivoli Security Policy Manager | 7.1.0-TIV-ITSPM-FP0004.zip |
Tivoli Security Policy Manager Software Development Kit | 7.1.0-TIV-ITSPM-FP0004.zip |
Runtime Security Services Server | 7.1.0-TIV-ITRTSS-FP0004.zip |
Runtime Security Services Client | 7.1.0-TIV-ITRTSS-FP0004.zip |
Runtime Security Services Software Development Kit | 7.1.0-TIV-ITRTSS-FP0004.zip |
7.1.0-TIV-ITSPM-FP0004
7.1.0-TIV-ITRTSS-FP0004
This topic documents the known issues with the fix pack. You can also query the tech notes database on the Customer Support website.
There are known issues with the Installation Manager application:
Packages IBM Tivoli Runtime Security Services Server 7.1.0.4 and IBM Tivoli Runtime Security Services Software Development Kit 7.1.0.4 cannot coexist in the same package group
If this message is displayed, install each package in a separate Installation Manager session.
Error during "pre-install configure" phase: java.lang.OutOfMemoryError: unable to allocate 60432017 bytes for native buffer
The workaround is to increase the memory available to the Java Virtual Machine. In the Installation Manager installation directory, edit the <InstallationManager>/eclipse/IBMIM.ini file to add the parameter "-Xmx1024m", restart Installation Manager, and then perform the update.
Error executing deployment: java.lang.IllegalStateException. Error is Platform not running.
java.lang.IllegalStateException: Platform not running
    at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:374)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
    at java.lang.reflect.Method.invoke(Method.java:611)
    at com.ibm.etools.ejbdeploy.batch.impl.BootLoaderLoader.run(BootLoaderLoader.java:494)
    at com.ibm.etools.ejbdeploy.batch.impl.BatchDeploy.execute(BatchDeploy.java:114)
    at com.ibm.etools.ejbdeploy.EJBDeploy.execute(EJBDeploy.java:107)
    at com.ibm.etools.ejbdeploy.EJBDeploy.deploy(EJBDeploy.java:348)
    at com.ibm.etools.ejbdeploy.EJBDeploy.main(EJBDeploy.java:310)
EJBDeploy level: @build@
ADMA5008E: The EJBDeploy program failed on file /tmp/app3860524633747861547.ear. Exception: com.ibm.etools.ejbdeploy.EJBDeploymentException: Error executing EJBDeploy
The problem and resolution are described in EJBDeploy command Exceptions on WebSphere Application Server and Eclipse OSGI cache purge issues. To resolve the problem, update the <WAS>/deploytool/itp/ejbdeploy.sh script (or .bat for Windows) to always clear the OSGi cache by default (the "FOURTH" workaround in the referenced technote) by adding the " -Dosgi.clean="true" \" option to the com.ibm.etools.ejbdeploy.EJBDeploy invocation. Note that this option may add several seconds to the deployment operation.
Error during "pre-install configure" phase: java.lang.ExceptionInitializerError
This fix pack topic in the information center contains instructions for manually editing the required configuration files. See Rolling back Fix Pack 7.1.0.x.
<property name='user.tipProfilePath' value='/opt/IBM/InstallationManager/eclipse/null'/>
<property name='user.tipWsAdminScript' value='/opt/IBM/InstallationManager/eclipse/null/bin/wsadmin.sh'/>
<property name='user.tipProfilePath' value='/opt/IBM/tivoli/tip/profiles/TIPProfile'/>
<property name='user.tipWsAdminScript' value='/opt/IBM/tivoli/tip/profiles/TIPProfile/bin/wsadmin.sh'/>
<property name='user.wasProfilePath' value='/opt/IBM/InstallationManager/eclipse/null'/>
<property name='user.wasWsAdminScript' value='/opt/IBM/InstallationManager/eclipse/null/bin/wsadmin.sh'/>
<property name='user.wasProfilePath' value='/opt/IBM/WebSphere/AppServer/profiles/<profileName>'/>
<property name='user.wasWsAdminScript' value='/opt/IBM/WebSphere/AppServer/profiles/<profileName>/bin/wsadmin.sh'/>
There are known issues with the Tivoli Integrated Portal application:
Tech notes on the IBM Software Support website document known problems and limitations:
http://www.ibm.com/software/tivoli/support/security-policy-mgr/
As limitations and problems are discovered and resolved, the IBM Software Support team updates the knowledge base. By searching the knowledge base, you can find workarounds or solutions to problems. The following link sends a customized query to the live Support knowledge base for Tivoli Security Policy Manager:
To create your own query, go to the Advanced search page on the IBM Software Support website.
You can update a Tivoli Security Policy Manager 7.1.0, 7.1.0.1, 7.1.0.2, or 7.1.0.3 deployment with the files in Fix Pack 7.1.0.4. Consult the IBM Tivoli Security Policy Manager information center for additional configuration and upgrade requirements.
Use the Installation Manager application to add the fix pack packages. The Installation Manager Update icon runs a wizard to guide you through adding fix pack packages to an existing deployment.
Use Installation Manager to install the fix pack files. During the update, you can specify values for the same configuration properties that were used during installation or previous fix pack updates.
Package | Features |
---|---|
Tivoli Security Policy Manager | Tivoli Policy Platform |
Tivoli Security Policy Manager | Tivoli Security Policy Manager server |
Tivoli Security Policy Manager | Tivoli Security Policy Manager administration console |
Tivoli Security Policy Manager | Tivoli Integrated Portal console |
Tivoli Security Policy Manager | Tivoli Security Policy Manager configuration utility |
Tivoli Security Policy Manager SDK | Software Development Kit and Samples |
Runtime Security Services Server | Authorization Service |
Runtime Security Services Client | Authorization Service Runtime |
Runtime Security Services Client | Policy Management Administration Agent |
Runtime Security Services Client | Web Services Application Enforcement |
Runtime Security Services SDK | Software Development Kit and Samples |
Runtime Security Services SDK | Portal Application Enforcement Software Development Kit |
You can update the policy administration components with the fix pack installation files that you downloaded from the Customer Support website. The policy administration components include the policy manager server, configuration tool, and policy manager console.
Complete the prerequisite tasks in Updating Version 7.1.0, 7.1.0.1, 7.1.0.2 or 7.1.0.3 with Fix Pack 7.1.0.4. The tasks include extracting the fix pack compressed files.
Note: If you are installing the fix pack into a WebSphere cluster, start Installation Manager on the WebSphere Application Server deployment manager.
The default installation directory is:
/opt/IBM/InstallationManager/eclipse
IBMIM
C:\Temp\policy\delta.7104\repository.config
All repositories are connected
Components can include:
Installation Manager displays current values for:
The default installation directory is:
/opt/IBM/tivoli/tip
C:\Program Files\tivoli\tip
After you install Tivoli Security Policy Manager, the plug-ins are on the deployment manager server:
WAS_HOME/profiles/profile_name/bin/osgiCfgInit.sh
WAS_HOME\profiles\profile_name\bin\osgiCfgInit.bat
stopServer.bat server1 -username adminname -password adminpassword
startServer.bat server1
stopServer.sh server1 -username adminname -password adminpassword
startServer.sh server1
Continue with the updates that are appropriate for your environment:
You can update the Tivoli runtime security services server package with the fix pack installation files that are downloaded from the Customer Support website.
For a WebSphere cluster, start Installation Manager on the WebSphere Application Server deployment manager.
The default installation directory is:
/opt/IBM/InstallationManager/eclipse
IBMIM
C:\Temp\policy\delta.7104\repository.config
All repositories are connected
Installation Manager displays current values for:
For example, you can use the administration console to verify that the runtime security services audit settings are visible.
See the Tivoli Security Policy Manager Administration Guide for instructions on how to distribute policy.
You can update the Tivoli runtime security services package with the fix pack installation files that are downloaded from the Customer Support website.
For a WebSphere cluster, start Installation Manager on the WebSphere Application Server deployment manager.
The default installation directory is:
/opt/IBM/InstallationManager/eclipse
IBMIM
C:\Temp\policy\delta.7104\repository.config
All repositories are connected
Installation Manager displays current values for:
Update and verify the client configuration. Use the following links to complete the configuration. The links point to configuration tasks on the Tivoli Security Policy Manager information center.
For example, you can use the administration console to verify that the runtime security services audit settings are visible.
See the Tivoli Security Policy Manager Administration Guide for instructions on how to distribute policy.
You can update the Tivoli Security Policy Manager software development kit package with the fix pack installation files.
For a WebSphere cluster, start Installation Manager on the WebSphere Application Server deployment manager.
The default installation directory is:
/opt/IBM/InstallationManager/eclipse
IBMIM
C:\Temp\policy\delta.7104\repository.config
All repositories are connected
You can update the Runtime Security Services software development kit package by installing the fix pack installation files.
For a WebSphere cluster, start Installation Manager on the WebSphere Application Server deployment manager.
The default installation directory is:
/opt/IBM/InstallationManager/eclipse
IBMIM
C:\Temp\policy\delta.7104\repository.config
All repositories are connected
Use Installation Manager to roll back or uninstall a set of software packages.
Installation Manager supports two different tasks for removing the fix pack files. You must choose which task you want to do.
The Installation Manager graphical user interface has icons for Roll back and Uninstall.
In one session, Installation Manager:
In one Installation Manager session, uninstalls the files for Fix Pack 7.1.0.4 and all previously installed versions. You can remove files on a package or feature level.
Select the instructions that are appropriate for your deployment:
Use Installation Manager to roll back the fix pack and return to a Version 7.1.0 configuration.
The Installation Manager application provides a roll back option so you can return Tivoli Security Policy Manager to a Version 7.1.0 configuration.
Installation Manager provides a graphical user interface for the roll back process, but does not prompt for configuration properties. You must edit properties files before running Installation Manager. Installation Manager automatically saves configuration files, uninstalls the fix pack files, installs the Version 7.1.0 files, and restores the saved configuration files.
See Using Installation Manager to roll back to a previous version.
You must manually edit the properties files before starting the Installation Manager rollback process. The process obtains properties directly from the product properties files and does not offer an opportunity for verifying or modifying them.
Installation Manager and Tivoli Security Policy Manager do not store values for passwords in properties files. You must manually insert values for passwords into each property file.
Package | Administration properties files | Installation Manager properties files |
---|---|---|
Tivoli Security Policy Manager | admin.client.properties, tip.admin.client.properties, tip.properties | installed.xml, installRegistry.xml |
Tivoli Security Policy Manager Software Development Kit | none | none |
Runtime Security Services Server | admin.client.properties | installed.xml, installRegistry.xml |
Runtime Security Services Client | admin.client.properties | installed.xml, installRegistry.xml |
Runtime Security Service Software Development Kit | none | none |
Follow the instructions for editing each property file that applies to the package that you want to roll back.
After you have modified the properties files, use Installation Manager to roll back the product files. See Using Installation Manager to roll back to a previous version.
Insert values for necessary passwords into properties used by Installation Manager.
Installation Manager requires values for several passwords in order to complete the roll back process. Installation Manager does not store passwords. Because the Installation Manager roll back process does not supply a method to enter the password values through a graphical panel, you must manually insert password values into two properties files.
Both files are located in the Installation Manager agent data location. The agent data location is the directory that Installation Manager uses for data that is associated with an application.
The installing user can override the default data location by using the Installation Manager -dataLocation switch. If this was done when installing TSPM or RTSS components, the two files that need updating reside in that location rather than in the default locations listed below.
Additionally, the default agent data location differs depending on whether an administrative (root) or non-administrative installation of Installation Manager was done. If an administrative user installed Installation Manager using the 'install' command, this is considered an administrative installation. If the 'userinst' command was used to install Installation Manager, this is considered a non-administrative installation.
Administrative installation default agent data location
/var/ibm/InstallationManager
C:\ProgramData\IBM\Installation Manager
C:\Documents and Settings\All Users\Application Data\IBM\Installation Manager
<user home>/var/ibm/InstallationManager
C:\Users\<user>\AppData\Roaming\IBM\InstallationManager
C:\Documents and Settings\<user>\Application Data\IBM\Installation Manager
<property name='user.wasAdminUserPwd' value='ExamplePasswOrdForWASAdmin'/>
<property name='user.wasTruststorePwd' value='ExamplePasswOrdForWAStruststore'/>
<property name='user.tipAdminUserPwd' value='ExamplePasswOrdForTIPAdmin'/>
<property name='user.wasKeystorePwd' value='ExamplePasswOrdForWASKeystore'/>
<property name='user.wasAdminUserPwd' value='ExamplePasswOrdForWASAdmin'/>
<property name='user.wasTruststorePwd' value='ExamplePasswOrdForWAStruststore'/>
<property name='user.wasKeystorePwd' value='ExamplePasswOrdForWASKeystore'/>
Ensure you save and close the file before starting Installation Manager.
Specify and verify values in the administration client properties file, in order to use Installation Manager to roll back your deployment to a previous version. Although you supplied these values during the Fix Pack installation, password values are not stored and must be manually inserted. You must also verify that other values, such as truststore names, are correct.
For a complete description of the administration client file properties, see Administration client properties file.
The default installation location is:
<TSPM_installation_dir>/etc/admin.client.properties
The application uses this truststore when communicating with WebSphere Application Server. For example:
javax.net.ssl.trustStore=C\:\\Program Files\\IBM\\WebSphere\\AppServer\\profiles\\AppSrv01\\etc\\trust.p12
For example:
javax.net.ssl.trustStorePassword=<your_trustStore_password>
For example:
username=wasadmin
For example:
password=<your_WebSphere_adminstrator_password>
Default value:
javax.net.ssl.keyStore=
For example:
javax.net.ssl.keyStorePassword=<your_keyStore_password>
The file contains other properties that are used by Installation Manager and WebSphere. Do not modify the values when using the Installation Manager roll back process.
The example shows a properties file with password values manually inserted for the rollback process. The properties file, when stored on the file system, does not contain password values.
#Wed Sep 15 15:13:10 CDT 2010
javax.net.ssl.trustStore=C\:\\Program Files\\IBM\\WebSphere\\AppServer\\profiles\\AppSrv01\\etc\\trust.p12
port=8880
cacheDisabled=true
securityEnabled=true
username=wasadmin
javax.net.ssl.keyStore=
ssl.disable.url.hostname.verification=true
javax.net.ssl.trustStorePassword=myTrustStOrePasswOrD
type=SOAP
javax.net.ssl.keyStorePassword=myKeyStOrePasswOrD
location=remote
password=myWASAdminPasswOrD
autoAcceptSignerForThisConnectionOnly=true
host=localhost
The administration client properties file contains configuration and communication properties for Tivoli Security Policy Manager components and for runtime security services components.
The Installation Manager application uses this file. For most Installation Manager processes, you supply values for some of the properties in this file through the graphical user interface. However, for the Installation Manager roll back process, Installation Manager does not prompt for values for any properties. For the rollback process, you must supply values for passwords and verify the values for other properties, such as truststore and keystore locations.
The properties file also contains some properties which are used internally by Installation Manager for communicating with the administration client for WebSphere Application Server. Do not edit these internal properties. The following descriptions identify the properties that must not be modified.
The default installation location for the file is:
<TSPM_installation_dir>/etc/admin.client.properties
javax.net.ssl.trustStore=C\:\\Program Files\\IBM\\WebSphere\\AppServer\\profiles\\AppSrv01\\etc\\trust.p12
For the rollback process, verify that this value is correct for your current deployment.
Specifies the port value that is used by WebSphere Application Server for SOAP communications. The default port value is 8880 for a stand-alone server. Do not modify this value for the Installation Manager roll back process.
Specifies whether the WebSphere administration client uses an internal cache. This property is internal to the WebSphere administration client. Do not modify it.
Specifies whether communication with WebSphere Application Server occurs only over secure connections. This option is true by default and ensures that communications between Tivoli Security Policy Manager and WebSphere Application Server are always encrypted. Do not modify this value for the Installation Manager roll back process.
username=wasadmin
For the rollback process, verify that this value is correct for your current deployment.
javax.net.ssl.keyStore=
For the rollback process, verify that this value is correct for your current deployment.
Specifies whether host name verification is disabled by default for URL connections. Host name verification checks that the X509 Certificate Common Name (CN) matches the host name from which it is received. This property is internal to the WebSphere administration client. Do not modify it.
javax.net.ssl.trustStorePassword=<your_password>
The type of connector used by the WebSphere administration client. Possible values include SOAP, RMI, and JMS. Do not modify this value for the Installation Manager roll back process.
javax.net.ssl.keyStorePassword=<your_password>
This property is internal to the WebSphere administration client. Do not modify it.
password=<WebSphere_administrative_user_password>
Specifies whether the WebSphere administration client programmatically trusts the connection, without storing the signer in the local truststore. This property is internal to the WebSphere administration client. Do not modify it. For example:
autoAcceptSignerForThisConnectionOnly=true
The name of the host that runs WebSphere Application Server for the administration client. This value is internal to the WebSphere administration client. Do not modify it.
The example file does not display any values for password properties. The file, when stored on the file system, does not contain passwords.
#Wed Sep 15 15:13:10 CDT 2010
javax.net.ssl.trustStore=C\:\\Program Files\\IBM\\WebSphere\\AppServer\\profiles\\AppSrv01\\etc\\trust.p12
port=8880
cacheDisabled=true
securityEnabled=true
username=wasadmin
javax.net.ssl.keyStore=
ssl.disable.url.hostname.verification=true
javax.net.ssl.trustStorePassword=
type=SOAP
javax.net.ssl.keyStorePassword=
location=remote
password=
autoAcceptSignerForThisConnectionOnly=true
host=localhost
Specify and verify values in the Tivoli Integrated Portal administration client properties file, in order to use Installation Manager to roll back your deployment to a previous version. Although you supplied these values during the Fix Pack installation, password values are not stored and must be manually inserted.
For a complete description of the Tivoli Integrated Portal administration client file properties, see Tivoli Integrated Portal administration client properties file.
The default installation location is:
<TSPM_installation_dir>/etc/tip.admin.client.properties
For example:
port=16313
For example:
username=tipadmin
For example:
password=<your_TIP_adminstrator_password>
The properties file contains other properties that are used by WebSphere, and might contain entries for truststore and keystore configuration.
The example shows a properties file with password values manually inserted for the rollback process. The properties file, when stored on the file system, does not contain password values.
#Mon Sep 27 14:46:11 CDT 2010
javax.net.ssl.trustStore=C\:\\Program Files\\IBM\\tip\\profiles\\TIPProfile\\etc\\trust.p12
port=16313
cacheDisabled=true
securityEnabled=true
username=tipadmin
ssl.disable.url.hostname.verification=true
javax.net.ssl.trustStorePassword=
type=SOAP
javax.net.ssl.keyStore=
javax.net.ssl.keyStorePassword=
location=remote
password=myTIPAdminPasswOrD
autoAcceptSignerForThisConnectionOnly=true
host=myhost.example.com
Go to Setting Tivoli Integrated Portal properties.
The Tivoli Integrated Portal administration client properties file contains configuration and communication properties for Tivoli Security Policy Manager components and for runtime security services components. The Installation Manager uses this file.
The Installation Manager application uses this file. For most Installation Manager processes, you supply values for some of the properties in this file through the graphical user interface. However, for the Installation Manager roll back process, Installation Manager does not prompt for values for any properties. For the rollback process, you must supply values for passwords.
The properties file also contains some properties which are used internally by Installation Manager for communicating with the administration client for WebSphere Application Server. Do not edit these internal properties. The following descriptions identify the properties that must not be modified.
The default installation location for the file is:
<TSPM_installation_dir>/etc/tip.client.properties
Optional. Specifies the fully qualified path and name of the truststore for WebSphere Application Server. Do not modify this property for the Installation Manager roll back process.
Specifies the password for the truststore. For example:
javax.net.ssl.trustStorePassword=<your_password>
Specifies the port number used for connecting to the console using a web browser.
The default port number is 16310. Do not modify this property for the Installation Manager roll back process.
This value specifies whether the WebSphere administration client uses an internal cache. Do not modify this property for the Installation Manager roll back process.
Specifies whether communication with WebSphere Application Server occurs only over secure connections. This option is true by default and ensures that communications between Tivoli Security Policy Manager and WebSphere Application Server are always encrypted. Do not modify this property for the Installation Manager roll back process.
username=tipadmin
Optional. Specifies the keystore location used by the WebSphere server to establish a secure connection with the installation program. If you are using the default keystore, you can leave the location blank. You do not have to enter this password for the Installation Manager roll back process.
Specifies the password for the keystore location used by the WebSphere server to establish a secure connection with the installation program. You do not have to enter this password for the Installation Manager roll back process.
Specifies whether host name verification is disabled by default for URL connections. Host name verification checks that the X509 Certificate Common Name (CN) matches the host name from which it is received. This property is internal to the WebSphere administration client. Do not modify it.
The type of connector used by the WebSphere administration client. Possible values include SOAP, RMI, and JMS. Do not modify this value for the Installation Manager roll back process.
This value is internal to the WebSphere administration client. Do not modify this value for the Installation Manager roll back process.
password=<WebSphere_administrative_user_password>
The name of the host that runs WebSphere Application Server for the administration client. This value is internal to the WebSphere administration client. Do not modify this value for the Installation Manager roll back process.
The example file does not display any values for password properties. The file, when stored on the file system, does not contain passwords.
#
javax.net.ssl.trustStore=C\:\\Program Files\\IBM\\tip\\profiles\\TIPProfile\\etc\\trust.p12
port=16313
cacheDisabled=true
securityEnabled=true
username=tipadmin
ssl.disable.url.hostname.verification=true
javax.net.ssl.trustStorePassword=
type=SOAP
javax.net.ssl.keyStore=
javax.net.ssl.keyStorePassword=
location=remote
password=
autoAcceptSignerForThisConnectionOnly=true
host=myhost.example.com
Specify and verify values in the Tivoli Integrated Portal administration client properties file, in order to use Installation Manager to roll back your deployment to a previous version. Although you supplied these values during the Fix Pack installation, password values are not stored and must be manually inserted.
For a complete description of the Tivoli Integrated Portal properties, see Tivoli Integrated Portal properties file.
The default installation location is:
<TSPM_installation_dir>/etc/tip.properties
For example:
tip.adminUser=tipadmin
For example:
tip.adminUserPwd=<your_password>
The properties file does not contain passwords when stored on the file system. The example shows the file after you have manually inserted a password for use during the rollback process.
#Mon Sep 27 14:46:11 CDT 2010
tip.installLocation=C\:\\Program Files\\IBM\\tip
tip.adminUser=tipadmin
tip.consolePort=16310
tip.adminUserPwd=myTIPAdminPasswOrD
The Tivoli Integrated Portal properties file contains configuration properties. The Installation Manager uses this file.
The Installation Manager processes for installation, update, and uninstallation present a graphical user interface for entering values. However, the Installation Manager rollback process does not present a graphical user interface. For rollback, you must manually edit the file and supply a value for the Tivoli Integrated Portal administrator password.
Some properties are used internally by Tivoli Integrated Portal for communicating with the administration client for WebSphere Application Server. Do not edit these internal properties. The following descriptions identify the properties that must not be modified.
The default installation location is:
<TSPM_installation_dir>/etc/tip.properties
Fully qualified path name to the installation directory for the Tivoli Integrated Portal console. Do not modify this value for the Installation Manager roll back process.
tip.installLocation=C\:\\Program Files\\IBM\\tip
Specifies the port number used for connecting to the console using a web browser. The default port number is 16310. Do not modify this value for the Installation Manager roll back process.
The example file does not display any values for password properties. The file, when stored on the file system, does not contain passwords.
#
#Mon Sep 27 14:46:11 CDT 2010
tip.installLocation=C\:\\Program Files\\IBM\\tip
tip.adminUser=tipadmin
tip.consolePort=16310
tip.adminUserPwd=
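A check to run before and after a rollback over the files covered in the property-setting topics above (the Installation Manager XML properties and the three .properties files), added here as an example and not part of IBM's tooling. It reports password properties that are still empty before the rollback, password properties that still hold a value afterwards (assuming you want the files back in the password-free stored form the page describes), and `null` path segments in the XML properties. The function names, the `pre`/`post` phases and the XML wrapper element are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Password properties that the page's filled-in examples set before a rollback.
REQUIRED = {
    "admin.client.properties": ["javax.net.ssl.trustStorePassword",
                                "javax.net.ssl.keyStorePassword", "password"],
    "tip.admin.client.properties": ["password"],
    "tip.properties": ["tip.adminUserPwd"],
}
# Password property names shown on the page for the Installation Manager XML files.
IM_XML_REQUIRED = ["user.wasAdminUserPwd", "user.wasTruststorePwd",
                   "user.tipAdminUserPwd", "user.wasKeystorePwd"]
SECRET_NAME = re.compile(r"(password|pwd)$", re.IGNORECASE)
_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def _unescape(s):
    # Turn \: into : and \\ into \ (the escaping used in the page's Windows paths).
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), s, flags=re.S)


def parse_properties(text):
    """Read java.util.Properties text: comments, '=' or ':' separators, escapes,
    backslash line continuations. Unicode escapes are not decoded."""
    props, buf = {}, ""
    for raw in text.splitlines() + [""]:      # sentinel flushes a dangling continuation
        line = raw.lstrip()
        if not buf and (not line or line[0] in "#!"):
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2:                       # odd count: last backslash continues the line
            buf += line[:-1]
            continue
        m = re.match(r"((?:\\.|[^\\=:\s])*)(?:\s*[=:]\s*|\s+)?(.*)$", buf + line, re.S)
        props[_unescape(m.group(1))] = _unescape(m.group(2))
        buf = ""
    return props


def parse_im_xml(text):
    """Collect <property name='...' value='...'/> elements at any depth."""
    root = ET.fromstring(text)
    return {p.get("name"): p.get("value", "") for p in root.iter("property")}


def audit(filename, text, phase, required=None):
    """Return findings for one file. phase is 'pre' (before rollback) or 'post'.
    Findings name the property only; values are never included."""
    is_xml = filename.endswith(".xml")
    props = parse_im_xml(text) if is_xml else parse_properties(text)
    if required is None:
        required = IM_XML_REQUIRED if is_xml else REQUIRED.get(filename, [])
    findings = []
    for name, value in props.items():
        if is_xml and "null" in re.split(r"[\\/]", value):
            findings.append(f"{filename}: {name} has an unresolved 'null' path segment")
        if phase == "post" and SECRET_NAME.search(name) and value.strip():
            findings.append(f"{filename}: {name} still holds a value")
    if phase == "pre":
        for name in required:
            if not props.get(name, "").strip():
                findings.append(f"{filename}: {name} is empty")
    return findings


# Sample inputs. The properties text is abridged from the page's filled-in
# admin.client.properties example; the XML wrapper element is constructed and
# only the <property> lines follow the page.
ADMIN_FILLED = r"""#Wed Sep 15 15:13:10 CDT 2010
javax.net.ssl.trustStore=C\:\\Program Files\\IBM\\WebSphere\\AppServer\\profiles\\AppSrv01\\etc\\trust.p12
port=8880
username=wasadmin
javax.net.ssl.keyStore=
javax.net.ssl.trustStorePassword=myTrustStOrePasswOrD
javax.net.ssl.keyStorePassword=myKeyStOrePasswOrD
password=myWASAdminPasswOrD
host=localhost
"""
IM_XML = """<sample>
  <property name='user.wasProfilePath' value='/opt/IBM/InstallationManager/eclipse/null'/>
  <property name='user.wasAdminUserPwd' value='ExamplePasswOrdForWASAdmin'/>
  <property name='user.wasTruststorePwd' value=''/>
</sample>"""

if __name__ == "__main__":
    for finding in (audit("admin.client.properties", ADMIN_FILLED, "post")
                    + audit("installed.xml", IM_XML, "pre")):
        print(finding)
```

Pass `required=` to `audit` for the Runtime Security Services files, whose example lines on the page do not include `user.tipAdminUserPwd`.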
Use Installation Manager to roll back your deployment to a previous version of the product.
The Installation Manager rollback process automatically saves aside configuration files, uninstalls the fix pack files, installs the Version 7.1.0 files, and restores the saved configuration files.
Important notes:
Error during "pre-install configure" phase: java.lang.ExceptionInitializerError
For more information on the required editing tasks, see Setting properties for rollback.
Package | Features |
---|---|
Tivoli Security Policy Manager | Tivoli Policy Platform |
Tivoli Security Policy Manager | Tivoli Security Policy Manager server |
Tivoli Security Policy Manager | Tivoli Security Policy Manager administration console |
Tivoli Security Policy Manager | Tivoli Integrated Portal console |
Tivoli Security Policy Manager | Tivoli Security Policy Manager configuration utility |
Tivoli Security Policy Manager SDK | Software Development Kit and Samples |
Runtime Security Services Server | Authorization Service |
Runtime Security Services Client | Authorization Service |
Runtime Security Services Client | Policy Management Administration Agent |
Runtime Security Services Client | Web Services Application Enforcement |
Runtime Security Services SDK | Software Development Kit and Samples |
Runtime Security Services SDK | Portal Application Enforcement Software Development Kit |
Follow the instructions for the package that you want to roll back:
Use this procedure to interactively roll back the policy manager server, console, Tivoli Integrated Portal, and configuration tool.
Complete these tasks in the order listed before you roll back the policy manager components:
If you created a response file for the Tivoli Security Policy Manager configuration tool in the /opt/IBM/TSPM directory hierarchy, back up the response file before you roll back Tivoli Security Policy Manager. Place the backup files in a directory that is separate from the Tivoli Security Policy Manager installation directory.
Error during "pre-install configure" phase: java.lang.ExceptionInitializerError
If installing into a WebSphere cluster, start Installation Manager on the WebSphere Application Server deployment manager.
The default installation directory is:
/opt/IBM/InstallationManager/eclipse
IBMIM
See the stopping topics in the WebSphere® Application Server information center:
WAS_HOME/profiles/profile_name/bin/osgiCfgInit.sh
WAS_HOME\profiles\profile_name\bin\osgiCfgInit.bat
See the starting topics in the WebSphere® Application Server information center:
stopServer.bat server1 -username adminname -password adminpassword
startServer.bat server1
stopServer.sh server1 -username adminname -password adminpassword
startServer.sh server1
If you want, you can view the results of the Installation Manager process by using the Installation Manager log viewer to review the log file.
The default Installation Manager log files are located in these directories:
Verify that the packages that rolled back are active and correctly configured.
Before running the roll back process, the corresponding file names in <TSPM_installation_directory>/properties/version are:
The WebSphere administrator uses the procedure in this topic to interactively roll back the runtime security services server.
Error during "pre-install configure" phase: java.lang.ExceptionInitializerError
This task applies to installations of the runtime security services server on either stand-alone WebSphere Application Servers or on WebSphere Network Deployment clusters.
If installing into a WebSphere cluster, start Installation Manager on the WebSphere Application Server deployment manager.
The default installation directory is:
/opt/IBM/InstallationManager/eclipse
IBMIM
The files are uninstalled and replaced with files from the previous version.
If you want, you can view the results of the Installation Manager process by using the Installation Manager log viewer to review the log file.
The default Installation Manager log files are located in these directories:
Verify that the runtime security services server is correctly configured:
For example, you can use the administration console to verify that the runtime security services audit settings are visible.
See the Tivoli Security Policy Manager Administration Guide for instructions on how to distribute policy.
Use the procedure in this topic to interactively roll back the runtime security services client.
Error during "pre-install configure" phase: java.lang.ExceptionInitializerError
This task applies to installations of the runtime security services client on either stand-alone WebSphere Application Servers or on WebSphere Network Deployment clusters.
If installing into a WebSphere cluster, start Installation Manager on the WebSphere Application Server deployment manager.
The default installation directory is:
/opt/IBM/InstallationManager/eclipse
IBMIM
The instructions for this step are specific to the client mode (local or remote) and to the type of WebSphere server environment (stand-alone or cluster). Use the instructions that fit your deployment.
For example, you can use the administration console to verify that the runtime security services audit settings are visible.
See the Tivoli Security Policy Manager Administration Guide for instructions on how to distribute policy.
If you want, you can view the results of the Installation Manager process by using the Installation Manager log viewer to review the log file.
The default Installation Manager log files are located in these directories:
Tivoli_Security_Policy_Manager_Runtime_Security_Services.7.1.0.cmptag Tivoli_Security_Policy_Manager.7.1.0.swtag
The WebSphere administrator uses the procedure in this topic to interactively roll back the Tivoli Security Policy Manager Software Development Kit.
If installing into a WebSphere cluster, start Installation Manager on the WebSphere Application Server deployment manager.
The default installation directory is:
/opt/IBM/InstallationManager/eclipse
IBMIM
If you want, you can view the results of the Installation Manager process by using the Installation Manager log viewer to review the log file.
The default Installation Manager log files are located in these directories:
The WebSphere administrator uses the procedure in this topic to interactively roll back the Tivoli Runtime Security Services Software Development Kit.
If installing into a WebSphere cluster, start Installation Manager on the WebSphere Application Server deployment manager.
The default installation directory is:
/opt/IBM/InstallationManager/eclipse
IBMIM
If you want, you can view the results of the Installation Manager process by using the Installation Manager log viewer to review the log file.
The default Installation Manager log files are located in these directories:
Use Installation Manager to uninstall both the Fix Pack 7.1.0.4 and the Version 7.1.0 files. If Version 7.1.0.1 or Version 7.1.0.2 files were previously installed, they are also removed.
If you are uninstalling the Tivoli Security Policy Manager package and previously created a response file that you want to use later, save the response file before uninstalling the product.
If you created a response file for the Tivoli Security Policy Manager configuration tool in the /opt/IBM/TSPM directory hierarchy, back up the response file before you uninstall Tivoli Security Policy Manager. Place the backup files in a directory that is separate from the Tivoli Security Policy Manager installation directory.
You can use one Installation Manager uninstallation task to remove the Fix Pack 7.1.0.4 files, Version 7.1.0.3 files, Version 7.1.0.2 files, Version 7.1.0.1 files (if previously installed), and Version 7.1.0 files. The fix pack has the same packages (components) and features as Version 7.1.0. The Installation Manager uninstallation process removes all files for the selected packages.
The uninstallation process described in the information center applies to the fix pack files as well as to the Version 7.1.0 files. The information center describes both interactive and silent uninstallation modes. The information center topics describe the necessary unconfiguration and uninstallation steps for each of the product packages:
See the stopping topics in the WebSphere Application Server information center:
WAS_HOME/profiles/profile_name/bin/osgiCfgInit.sh
WAS_HOME\profiles\profile_name\bin\osgiCfgInit.bat
See the starting topics in the WebSphere Application Server information center:
stopServer.bat server1 -username adminname -password adminpassword
startServer.bat server1
stopServer.sh server1 -username adminname -password adminpassword
startServer.sh server1
The fix pack provides fixes for a number of APARs. Fixes are cumulative: the latest fix pack also contains all the fixes from the previous fix packs.
APAR | Problem summary |
---|---|
IV15661 | CREATEPOLICY() AND MODIFYPOLICY() RETURN INCORRECT DATA IN SOMETRUE |
IV15818 | UNABLE TO EXPORT TSPM POLICY USING IE BROWSER |
IV20522 | TSPM CONSOLE ERRORS INTERNET EXPLORER 8 |
IV21909 | TSPM 7.0 -> 7.1 MIGRATION FAILURE (PARTIAL) |
IV22007 | POLICY CHANGES DO NOT TAKE AFFECT UNTIL RTSS IS RELOADED |
IV22638 | SUPPRESS ERRORS LOG ENTRIES FOR NULL VALUE |
IV25186 | WRONG UPDATE MAPPING WHEN SORTING LIST |
IV23845 | 7.1 DOCUMENTATION FIXPACK TYPO AND CLARIFICATION |
APAR | Problem summary |
---|---|
IV02079 | WSDL IMPORT FAILS IF XSD FILES ARE REFERENCED WITH RELATIVE PATH |
IV03218 | TSPM POLICY/DIRECTORY NOT GETTING PROPAGATED TO THE DMGR. |
IV04689 | MISSING TSPMREPORTS.SQL |
IV06278 | POLICY PENDING RETRIEVAL WHEN VALID TIMESTAMP NOT FOUND |
IV07258 | SEARCHING FOR MEMBERS OF A TSPM ADMIN GROUP TO ASSIGN POLICY OW |
IV08352 | ILLEGALSTATEEXCEPTION: SESSION HAD BEEN INVALIDATED: |
IZ96492 | TSPMRUNTIMEEXCEPTION: UNHANDLED EXCEPTION |
IV05128 | NULLPOINTER EXCEPTION WHEN RUNNING THE CREATEPOLICY API. |
APAR | Problem summary |
---|---|
Stability Fixes | Some Stability Fixes Went into FP02 |
APAR | Problem summary |
---|---|
IZ80883 | RTSS LOCAL MODE IS FAILING WITH J2EE ENFORCEMENT |
IZ87160 | NULLPOINTEREXCEPTION IN STS ATTRIBUTE FINDER WHEN PARSING RTSR |
IZ77364 | JAX-WS PEP DOES NOT ENFORCE SERVICES USING MESSAGE LEVEL AUTHENTICATION |
IZ87161 | JAXWS PEP SHOULD LOOK IN MESSAGE CONTEXT FOR SUBJECT |
IZ87166 | JAXWS PEP SHOULD FALL BACK TO RUN-AS SUBJECT |
IZ83168 | PROBLEM ATTACHING POLICY VIA CLASSIFICATION |
IZ81535 | TSPM WILL GENERATE INDIVIDUAL POLICY AND POLICYATTACHEMENT DOCUMENTS |
New features were added in Fix Pack 7.1.0.4. They are available in Fix Pack 7.1.0.4 and later, but they are not enabled by default. You can enable the features you want to use.
Some of the new features are part of the runtime environment. These features are not enabled by default. To enable them, see New features for the runtime environment.
Other new features provide enhanced capabilities for configuration or customization. To deploy these features, see New features for deployment.
The new features are fully described on the Tivoli Security Policy Manager information center. Click on the following links to access information on each new feature:
Registering an endpoint with Tivoli Security Policy Manager using the tspmRegisterPDT utility now automatically generates certificates in a PKCS#12 store for use with DataPower.
A new Tivoli Runtime Security Services thin client provides the Tivoli Security Policy Manager Java authorization API for J2SE applications.
A new optional setting enables Tivoli Security Policy Manager to identify web services using the namespace and web service name at runtime, allowing multiple web services to share the same namespace.
Use the policy simulator to exercise simulated authorization requests against access policy before distributing it to endpoints.
Post-decision directives can now be added to authorization policies.
You can import multiple policies from a single file that was created by the Policy Design Tool.
Use the import wizard in the console to import the resources, policies, and roles of a J2EE application into Tivoli Security Policy Manager.
Update the definition of a service that was previously imported, or discovered, by importing the service again. The service name must be the same.
There are two types of enhanced policy information point (PIP) chaining you can use to evaluate a policy: standard and complex.
When you import or discover web services, Tivoli Security Policy Manager can parse down to the message level. You can then attach a message protection policy to a message.
You can install the Tivoli Security Policy Manager server in a clustered WebSphere Application Server environment.
The fix pack includes a new report that integrates data from Tivoli Identity Manager and your Tivoli Security Policy Manager environment.
The Tivoli Security Policy Manager product offers two Software Development Kits (SDK). The Tivoli Security Policy Manager Software Development Kit (SDK) includes the policy management API, API documentation, and sample programs. The runtime security services software development kit (SDK) includes the API documentation and sample programs.
You can use the runtime security services SDK to develop custom policy information points.
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml
Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
Intel, Intel Inside (logos), Itanium, MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Other company, product, or service names may be trademarks or service marks of others.