©Copyright International Business Machines Corporation 2008, 2013. All rights reserved. U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
NOTE: Before using this information and the product it supports, read the general information under Notices in this document.
Date: Monday, 27 May 2013
=====================================================================================================
This cumulative fix pack corrects problems in IBM Tivoli Federated Identity Manager Business Gateway (Federated Identity Manager Business Gateway), Version 6.2.0. It requires that Federated Identity Manager Business Gateway, Version 6.2.0, be installed. After installing this fix pack, your Federated Identity Manager Business Gateway installation will be at level 6.2.0.13.
Potential cross-site scripting vulnerability via macros in event page template files
Some IBM Tivoli Federated Identity Manager page macros might be vulnerable to cross-site scripting attacks when their values are not properly encoded. Contact IBM Support for the list of macros that might be subject to this issue. To remediate this, add the macros provided by IBM Support to the comma-separated list of tokens in the runtime custom property SPS.PageFactory.HtmlEscapedTokens. Adding these macros causes their values to be HTML-escaped when the template files are rendered. For example, if the list of macros provided is:
the value of the runtime custom property SPS.PageFactory.HtmlEscapedTokens with the above macros added can be:
@REQ_ADDR@,@DETAIL@,@EXCEPTION_STACK@,@EXCEPTION_MSG@,@RESPONSE@,@TARGET@,@DETAIL@,@SAMLSTATUS@,@EXAMPLE_MACRO1@,@EXAMPLE_MACRO2@,@EXAMPLE_MACRO3@
NOTE: Other macros that are prone to cross-site scripting vulnerability can also be added to SPS.PageFactory.HtmlEscapedTokens. The value of this runtime custom property will be revised periodically and updated as needed. For more information regarding the runtime custom property, access http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.tivoli.fim.doc_6.2.0%2Freference%2FCustomPropsSPS.html.
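As an added illustration (not code from the fix pack or the product), the following Python sketch shows what HTML-escaping a macro listed in SPS.PageFactory.HtmlEscapedTokens achieves, and why an unlisted macro whose value is attacker-influenced is a cross-site scripting sink. The template, the macro values and the shortened token list are constructed for the example; the product's own page rendering is not reproduced.

```python
import html
import re

# Constructed value of the runtime custom property (the page's own list is
# longer). A duplicate entry, as in the page's example, is harmless.
HTML_ESCAPED_TOKENS = "@REQ_ADDR@,@DETAIL@,@EXCEPTION_MSG@,@DETAIL@,@TOKEN:RelayState@"

# Matches a page macro such as @REQ_ADDR@ or @TOKEN:RelayState@.
MACRO_RE = re.compile(r"@[A-Za-z0-9_:]+@")


def parse_escaped_tokens(property_value):
    """Split the comma-separated HtmlEscapedTokens value into a set of macro names."""
    return {tok.strip() for tok in property_value.split(",") if tok.strip()}


def render_template(template, macro_values, escaped_tokens):
    """Expand @MACRO@ tokens in a template.

    Macros in escaped_tokens are HTML-escaped (quotes included, so the value is
    also safe inside an attribute). Other macros are substituted verbatim, which
    is exactly how an unlisted macro becomes an XSS sink. Unknown macros stay.
    """
    def substitute(match):
        name = match.group(0)
        if name not in macro_values:
            return name
        value = str(macro_values[name])
        if name in escaped_tokens:
            return html.escape(value, quote=True)
        return value

    return MACRO_RE.sub(substitute, template)


def find_unescaped_macros(template, escaped_tokens):
    """Audit helper: macros used by a template that are not in the escaped set."""
    return sorted({m for m in MACRO_RE.findall(template) if m not in escaped_tokens})


def demo():
    escaped = parse_escaped_tokens(HTML_ESCAPED_TOKENS)
    template = ("<p>Request from @REQ_ADDR@</p>"
                "<p>Detail: @DETAIL@</p>"
                "<p>Target: @TARGET@</p>")
    # Constructed values; @DETAIL@ carries markup that must not reach the browser raw.
    values = {
        "@REQ_ADDR@": "192.0.2.10",
        "@DETAIL@": '<img src=x onerror="alert(1)">',
        "@TARGET@": "<b>not escaped</b>",
    }
    return render_template(template, values, escaped), find_unescaped_macros(template, escaped)
```

Running find_unescaped_macros over each template in the pages directory is a quick way to see which macros a deployment still renders verbatim before deciding which ones to add to the property.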
Possible security exposure with IBM WebSphere Application Server with WS-Security enabled applications using LTPA tokens (CVE-2011-1377)
The security that the IBM WebSphere Application Server provides might be weaker than expected when using web services security (WS-Security). A user might randomly gain elevated privileges on the provider system. WS-Security might assign the identity of a previously processed LTPA token to a new inbound LTPA token after authentication. This impacts applications using either JAX-WS or JAX-RPC.
Versions affected:
The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the fix, access http://www.ibm.com/support/docview.wss?uid=swg21587536
Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the WUI has not been previously installed, the WUI can be downloaded from http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed fix installation instructions.
Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476)
This Security Alert addresses a serious security issue, CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability might cause the Java Runtime Environment to hang, enter an infinite loop, and/or crash, resulting in a denial of service exposure. The same hang might occur if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program using the Double.parseDouble method is also at risk, including any customer-written application or third-party application.
The following products contain affected versions of the Java Runtime Environment:
The same iFix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the iFix access, see http://www-01.ibm.com/support/docview.wss?uid=swg21462019
The IBM WebSphere Update Installer (WUI) must be used to apply the fix. If the WUI has not previously been installed, download the WUI from http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.
JAVA.LANG.RUNTIMEEXCEPTION: SRV.8.2: REQUESTWRAPPER OBJECTS MUST EXTEND SERVLETREQUESTWRAPPER OR HTTPSERVLETREQUESTWRAPPER (PM10357)
This APAR PM10357 is reported for WebSphere Application Server (WAS) v6.1. As a result of this APAR, operations in the IBM Tivoli Federated Identity Manager Management Console can fail with the following exception observed in the log if the Management Console is deployed on an affected version of WAS v6.1:
java.lang.RuntimeException: SRV.8.2: RequestWrapper objects must extend ServletRequestWrapper or HttpServletRequestWrapper
Apply the fix provided here to all Tivoli Federated Identity Manager environments that use the affected versions of IBM WebSphere Application Server. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.
The same fix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager.
The IBM WebSphere Update Installer (WUI) must be used to apply the fix. If the WUI has not previously been installed, download the WUI from http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer, see the WebSphere Update Installer documentation.
This fix pack package contains:
This fix pack is distributed as an electronic download from the IBM Support Web Site.
This fix pack package supports the same operating system releases that are listed in the Operating systems for a specific product for the product Tivoli Federated Identity Manager and the version 6.2.0.
This fix pack package supports the same software prerequisites that are listed in the Prerequisites of a specific product for the product Tivoli Federated Identity Manager Business Gateway and the version 6.2.2.
6.2.0-TIV-TFIMBG-FP0001
6.2.0-TIV-TFIMBG-FP0002
6.2.0-TIV-TFIMBG-FP0003
6.2.0-TIV-TFIMBG-FP0008
6.2.0-TIV-TFIMBG-FP0009
Federated Identity Manager Business Gateway consists of the following components that can be installed separately:
This fix pack applies only to the administration console and management service and runtime components (first two components listed above). These two components must be at the same level. Therefore, if you install a fix pack for either the administration console component or the management service and runtime component, you must install the corresponding fix pack for the other of these two components. If the administration console and management service and runtime components are not at the same fix pack level, they are not guaranteed to interoperate with each other as designed.
The following problems are corrected by this fix pack. For more information about the APARs listed here, refer to the Federated Identity Manager Business Gateway support site.
FBTSPS061E An unexpected error has occurred with a protocol module
error is displayed when a federated SSO request is received at the service provider and WebSEAL is used as the point of contact.
Be aware of the following considerations before installing this fix pack:
Because Federated Identity Manager Business Gateway is a 32-bit application, its default path when installing on Windows Server 2008 changes from
C:\Program Files\IBM\FIM
to:
C:\Program Files (x86)\IBM\FIM
Note that this change to the installation path name also affects a 32-bit WebSphere Application Server on Windows Server 2008:
C:\Program Files\IBM\WebSphere
changes to:
C:\Program Files (x86)\IBM\WebSphere
C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance
for Windows or
/opt/IBM/WebSphere/UpdateInstaller/maintenance
for Unix/Linux
You must unzip the downloaded file before you attempt to apply the patch. The unzipped contents are one or more pak files. Each pak file corresponds to one or more product components. For example, a fix pack might contain two pak files: one for the administration console and management service and runtime components, and one for the WSSM component. The full list of product components is described in Fix pack structure.
Use the WebSphere Update Installer to apply the fixes of each pak file to the target component on the system that you are updating.
Apply all of the pak files that are required by your installation to ensure that the software levels in your environment are identical for all of the components for which a pak file is supplied.
The fixes are tested against all affected components; therefore, to minimize any possible issue that can arise from applying a partial fix, ensure that you apply the complete set of files.
See
If this is the first time you are applying the fix pack to Federated Identity Manager Business Gateway, you must download and install the enablement fix for Tivoli Federated Identity Manager Business Gateway.
NOTE: Perform the following steps only if this is the first time you are applying a fix pack. You will not need to perform these steps for subsequent product updates.
jar -xvf
to unzip the file, or download an unzip utility from the HPUX Connect site.
NOTE: If you are prompted to overwrite an existing file, accept it so that the target file is overwritten.
NOTE: Before installing this fix pack, ensure that you have reviewed the prerequisites in Before installing the fix pack.
To obtain the fix pack:
If security is enabled on the WebSphere Application Server where Federated Identity Manager Business Gateway is installed, you must set the appropriate password values in the fim.appservers.properties file before you can apply the fix pack. If security is not enabled, you can skip this step.
NOTE: If you add passwords to the fim.appservers.properties file, as described below, you specify these passwords using plain text. However, at the end of the fix pack installation process these passwords are obfuscated and will no longer be available in plain text format.
To specify security passwords, use the following procedure:
FIM_INSTALL_DIR/etc/fim.appservers.properties
If the was.security.enabled property is present in the fim.appservers.properties file and is set to true, then you must add two password properties to the file:
the was.admin.user.pwd property, with a value of the administrator login password for the WebSphere Application Server where Federated Identity Manager Business Gateway is deployed
the was.truststore.pwd property, with a value of the password for the trust store used for client-side SSL authentication in that WebSphere Application Server
For example:
was.admin.user.pwd=was_admin_pw
was.truststore.pwd=truststore_pw
If the ewas.security.enabled property is present in the fim.appservers.properties file and is set to true, then you must add two password properties to the file:
the ewas.admin.user.pwd property, with a value of the administrator login password for the Embedded WebSphere Application Server where Federated Identity Manager Business Gateway is deployed
the ewas.truststore.pwd property, with a value of the password for the trust store used for client-side SSL authentication in that Embedded WebSphere Application Server
For example:
ewas.admin.user.pwd=ewas_admin_pw
ewas.truststore.pwd=truststore_pw
fim.appservers.properties file
C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance
for Windows, or
/opt/IBM/WebSphere/UpdateInstaller/maintenance
for Unix/Linux
(C:\Program Files\IBM\WebSphere\UpdateInstaller on Windows systems, or /opt/IBM/WebSphere/UpdateInstaller on UNIX-based systems).
(C:\Program Files\IBM\FIM on Windows systems, or /opt/IBM/FIM on UNIX-based systems), then click Next.
FIM_INSTALL_DIR/etc/version.properties file with a text editor.
The following list describes how to interpret the properties in the version.properties file:
itfim.build.version.rte-mgmtsvcs=version
itfim.build.version.mgmtcon=version
itfim.build.version.wsprov=version
itfim.build.version.wssm=version
itfim.build.version.fimpi=version
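The following Python pre-flight check is an added example, not part of the fix pack: it parses constructed fim.appservers.properties and version.properties samples, reports which password properties are still missing for each security-enabled server type, and compares each itfim.build.version.* entry with the target level 6.2.0.13. The properties parser handles only the simple key=value form shown in this readme, and the sample file contents are constructed.

```python
# Password properties the readme requires once the matching flag is true.
REQUIRED_PASSWORDS = {
    "was.security.enabled": ("was.admin.user.pwd", "was.truststore.pwd"),
    "ewas.security.enabled": ("ewas.admin.user.pwd", "ewas.truststore.pwd"),
}

VERSION_PREFIX = "itfim.build.version."


def load_properties(text):
    """Parse a Java .properties file of the simple key=value (or key:value) form.

    Blank lines and lines starting with # or ! are ignored; continuation lines
    and escapes are not handled because this readme's files do not use them.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def missing_password_properties(props):
    """Return the password keys still missing for every server type with security enabled."""
    missing = []
    for flag, pwd_keys in REQUIRED_PASSWORDS.items():
        if props.get(flag, "").lower() != "true":
            continue
        for key in pwd_keys:
            if not props.get(key):
                missing.append(key)
    return missing


def component_versions(props, expected):
    """Map each itfim.build.version.* key to (version, at_expected_level)."""
    result = {}
    for key, value in props.items():
        if key.startswith(VERSION_PREFIX):
            result[key[len(VERSION_PREFIX):]] = (value, value == expected)
    return result


# Constructed sample files, not taken from a real installation.
SAMPLE_APPSERVERS = """\
# fim.appservers.properties (constructed sample)
was.security.enabled=true
was.admin.user.pwd=was_admin_pw
ewas.security.enabled=false
"""

SAMPLE_VERSION = """\
itfim.build.version.rte-mgmtsvcs=6.2.0.13
itfim.build.version.mgmtcon=6.2.0.13
itfim.build.version.wssm=6.2.0.9
"""

if __name__ == "__main__":
    print("missing:", missing_password_properties(load_properties(SAMPLE_APPSERVERS)))
    for name, (version, ok) in component_versions(load_properties(SAMPLE_VERSION), "6.2.0.13").items():
        print(f"{name:14} {version:10} {'ok' if ok else 'NOT at target level'}")
```

On a real system, read FIM_INSTALL_DIR/etc/fim.appservers.properties and FIM_INSTALL_DIR/etc/version.properties into the two functions; a component reported as not at the target level is the one whose pak file still needs to be applied.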
Apply the fix packs to the product's components in the following order:
Note: The WebSphere Update Installer allows you to select more than one pak file at a time for execution. Select only the pak files that correspond to the components that are installed on the system you are updating. If you accidentally install more pak files than are needed, you can separately uninstall any fix packs for components that are not installed on the target system.
The fix pack install automatically deploys the newly installed Federated Identity Manager Business Gateway runtime. However, you should verify that the current deployed version is 6.2.0.13.
Runtime Information
----------------------------------------------
Current deployed version 6.2.0.13 [130517a]
Note: The number within the brackets [130517a] might be different from this example.
The product documentation for Federated Identity Manager Business Gateway, Version 6.2.0, can be found on the information center for IBM Tivoli Federated Identity Manager Business Gateway.
About this task
After the fixpack is installed, follow the procedure below.
Procedure
Modify the mapping rule of your federation and add the following attribute on the attribute list section of the STSUU.
<stsuuser:Attribute name="AZN_CRED_AUTH_METHOD" type="urn:ibm:names:ITFIM:5.1:accessmanager"> <stsuuser:Value>password</stsuuser:Value> </stsuuser:Attribute>
Two new custom properties are added in the IBM Tivoli Federated Identity Manager Configuration Guide, under the section Customizing Runtime Properties > Custom Properties Reference > Custom Properties for SAML 2.0. These properties are:
SAML20.IDP.UnsolicitedSSO.RelayState.URLEncoding
When specified as true, the RelayState in the unsolicited authentication response is URL encoded by the Identity Provider before it is sent to the Service Provider.
Default value: true
Value type: boolean
Example value: true
When specified as false, add the macro @TOKEN:RelayState@ to the list of comma-separated list of tokens in the runtime custom property SPS.PageFactory.HtmlEscapedTokens. Add the macro so that the RelayState is HTML-escaped in the authentication response.
SAML20.SP.UnsolicitedSSO.RelayState.URLEncoding
When specified as true, the RelayState in the unsolicited authentication response is URL decoded by the Service Provider after it is received from the Identity Provider.
Default value: true
Value type: boolean
Example value: true
For the Tivoli Federated Identity Manager 6.2.0 release, the following custom property must be added to the Trust Service custom properties.
Default value: True
The SAML STS Modules validates that the token provided on the STS request is the correct type. The STS obtains the input token from either the Base element of the RequestSecurityToken message or from the WS-Security headers included on the SOAP envelope.
If multiple security headers are included on the SOAP envelope, Tivoli Federated Identity Manager selects the very first one that it finds, regardless of whether the STS module configured to consume the token can handle the token type retrieved.
To enable the SAML STS modules to notify the STS of the expected token type so that the correct token is retrieved from the SOAP envelope headers, enable the following custom property:
sts.multiple.tokens.security.header.enabled=true
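Added example, not code from the product: a constructed SOAP envelope carrying two wsse:Security headers with different token types, and two selection routines that contrast the first-found behaviour described above with selection by the token type the configured STS module expects (the effect of sts.multiple.tokens.security.header.enabled=true). The token contents are placeholders and the product's own parser is not reproduced.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
LTPA_V2 = "http://www.ibm.com/websphere/appserver/tokentype#LTPAv2"
SAML2 = NS["saml"]

# Constructed envelope: the first Security header carries an LTPA token, the
# second a SAML 2.0 assertion. Both payloads are placeholders, not real tokens.
ENVELOPE = f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}">
      <wsse:BinarySecurityToken ValueType="{LTPA_V2}">Y29uc3RydWN0ZWQ=</wsse:BinarySecurityToken>
    </wsse:Security>
    <wsse:Security xmlns:wsse="{NS['wsse']}">
      <saml:Assertion xmlns:saml="{SAML2}" ID="_constructed1" Version="2.0"/>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def token_type(elem):
    """A BinarySecurityToken is typed by its ValueType; any other token by its element namespace."""
    tag_ns, _, local = elem.tag[1:].partition("}")
    if tag_ns == NS["wsse"] and local == "BinarySecurityToken":
        return elem.get("ValueType")
    return tag_ns


def security_headers(envelope_xml):
    root = ET.fromstring(envelope_xml)
    return root.findall("soap:Header/wsse:Security", NS)


def first_found_token(envelope_xml):
    """Behaviour without the property: the first token of the first Security
    header is used, whatever the configured STS module can consume."""
    for header in security_headers(envelope_xml):
        for token in header:
            return token
    return None


def token_for_expected_type(envelope_xml, expected_type):
    """Behaviour with sts.multiple.tokens.security.header.enabled=true: the STS
    module announces the type it expects and the matching token is taken from
    whichever header carries it."""
    for header in security_headers(envelope_xml):
        for token in header:
            if token_type(token) == expected_type:
                return token
    return None


def selected_type(envelope_xml, expected_type, property_enabled):
    """Type of the token the STS would hand to the module under either setting."""
    token = (token_for_expected_type(envelope_xml, expected_type) if property_enabled
             else first_found_token(envelope_xml))
    return None if token is None else token_type(token)
```

With the property off, a SAML STS module configured on this chain would be handed the LTPA token from the first header; with it on, the assertion from the second header is selected, and a request that carries no token of the expected type yields nothing rather than a mismatched token.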
You can configure the Tivoli Federated Identity Manager Single Sign-on Protocol Service (SPS) SAML 2.0 implementation to use the urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified name identifier format. You can choose to use this name identifier format when issuing a SAML assertion in a single sign-on flow.
By default, Tivoli Federated Identity Manager treats a urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified name identifier as a urn:oasis:names:tc:SAML:2.0:nameid-format:persistent name identifier. This means that the SAML 2.0 implementation invokes the alias service to determine the user identity.
To avoid the call to the alias service, set the DefaultNameIDFormat configuration property to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
The IVCRED STS Module has been enabled to consume and validate IVCRED tokens that correspond to an unauthenticated user. The modification done as part of this fix allows two modes of operation.
For behavior #1 (default), the STS module generates an error if a token received corresponds to an unauthenticated user. The error is the following:
FBTSTS015E The IV-Cred binary token is invalid or not present.
For behavior #2, the IVCRED STS Module can be configured to map the unauthenticated user token to a special user account that can be configured. The user account selected should be considered a low-entitlement or guest account.
The IVCRED STS module adds an unauthenticated user name to the universal user structure.
To enable behavior #2, add the following custom property:
ivcred.unauthenticated.user.name=myusername
where myusername is the user name value to use for mapping.
The following additional properties can also be provided to describe the user account to map to when using behavior #2:
ivcred.unauthenticated.user.registry.id
ivcred.unauthenticated.user.uuid
ivcred.unauthenticated.user.registry.id is used to include the registry id of the account, and ivcred.unauthenticated.user.uuid to indicate the unique id for the user account.
This fix ensures that an Identity Provider whose metadata contains SAML attributes can be added as a SAML 2.0 federation partner. However, these attributes are ignored, since they are currently not supported by FIM 620.
In some IBM Tivoli Federated Identity Manager SSO service provider scenarios with WebSphere as point of contact, when the application relies on extended attributes added to the SSO token, it is possible that a user may be authenticated using the wrong WebSphere credential from the credential cache. This fix ensures that a unique WebSphere credential is created for every Tivoli Federated Identity Manager SSO as a service provider with WebSphere point of contact.
In the IBM Tivoli Federated Identity Manager Installation and Configuration Guide, under the topic Sample identity mapping rules for SAML federations->Mapping a local identity to a SAML 2.0 token using an alias, the following entry is added to Table 40. STSUUSER entries used to generate a SAML token (using an alias):
[STSUU Element] Attribute: AudienceRestriction
[SAML Token Information] The audience of the audience restriction condition.
[Required] Optional
Under the same topic, it states:
3. Populating the attribute statement of the assertion with the attributes in the AttributeList in the In-STSUU. This information becomes custom information in the token. There can be custom attributes that are required by applications that will make use of information that is to be transmitted between federation partners.
It should state:
3. Setting the audience of the audience restriction condition to the value of the STSUU element "AudienceRestriction". If this STSUU element is not present, the audience is set to the Provider ID of the federation partner.
4. Populating the attribute statement of the assertion with the attributes in the AttributeList in the In-STSUU. This information becomes custom information in the token. There can be custom attributes that are required by applications that will make use of information that is to be transmitted between federation partners.
In the IBM Tivoli Federated Identity Manager Administration Guide, under the topic Managing Modules->Modifying trust service chain properties, the following note is added:
Note: Do not modify the built-in SSO trust chains. To know why this is not an architecturally good approach, see the article on Complex Federation Identity and Attribute Mapping for Tivoli Federated Identity Manager from the IBM community blogs.
In the IBM Tivoli Federated Identity Manager Administration Guide, under the topic Managing Modules->Modifying chain module properties, the following note is added:
Note: Do not modify the built-in SSO trust chains. To know why this is not an architecturally good approach, see the article on Complex Federation Identity and Attribute Mapping for Tivoli Federated Identity Manager from the IBM community blogs.
The response generated by an STS chain with a TAMAuthorizationSTSModule, TAMAuthenticationSTSModule or AuthorizationSTSModule module for a WS-Trust v1.3 request includes more than one status code. In addition, some of the status codes contain a URI value that belongs to the WS-Trust v1.2 specification.
This fix ensures that the WS-Trust v1.3 response returned for an STS chain with a TAMAuthorizationSTSModule, TAMAuthenticationSTSModule or AuthorizationSTSModule has only one status code, and that it contains a URI value belonging to the WS-Trust v1.3 specification.
The RelayState parameter is used to share state information between the sender and the receiver of a SAML 2.0 message. The receiver of a RelayState is expected to return the value without any modification. The ITFIM SAML 2.0 SPS module used to URL-encode the RelayState, which changed the value in some instances. This fix modifies the code so that it only URL-encodes the RelayState during unsolicited (Identity Provider initiated) single sign-on operations, where the target URL is the value sent in the RelayState.
If a SAML 1.x service provider needs to accept a samlp:Response that doesn't contain a Recipient attribute, this runtime custom property can be used:
SAML.AllowNoRecipient=true
Typically the Recipient is a required attribute so there should be no need to set this runtime custom property. It is only offered for uncommon backwards compatibility use cases.
When configuring a custom STS chain that includes a SAML 2.0 STS module, a new configuration parameter has been added to configure the default name ID format. This parameter controls the treatment given to the unspecified name ID format value.
The new parameter is called:
com.tivoli.am.fim.sts.saml.2.0.assertion.default.nameidformat
The value should be the complete NameID Format that you wish to use for processing the NameID. Most commonly this will be:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
This will cause the NameID included in the assertion to be treated as a string literal and no alias service lookup will be used.
The SAML 2.0 SPS module allows the customer to specify if signatures are required for the SAML Artifact Resolution Response, SAML Response and SAML Assertion XML documents. The requirement for SAML assertion signature can be fulfilled if the enclosing document, e.g. SAML Response or SAML Artifact Resolution Response, is signed. The SAML 2.0 SPS module will no longer issue a signature validation error if the assertion is not signed and its enclosing document is signed.
The assertion signature is controlled by the WantAssertionsSigned property on the federation and partner configuration. The federation property overrides the setting on the partner. This is different from most of the properties on the ITFIM federation configuration.
The WantAssertionsSigned property for the federation configuration is set to true when the typical message signature setting is chosen. It is set to false when the all or none message signature setting is selected on the federation signature configuration.
Even if WantAssertionsSigned is set to false on the federation configuration, the Identity Provider might still sign the assertion in two situations:
The WantAssertionsSigned property is set to true on the partner configuration. That property is set during metadata import of the Service Provider partner. The wantAssertionsSigned attribute on the metadata schema for SPDescriptor is used to populate the partner property.
The IBM Tivoli Federated Identity Manager SAML 2.0 SPS module allows the customer to specify a default name ID format to use when the name ID format has not been specified. At the Service Provider that value is used to determine the type of treatment that will be given to an unspecified name ID format that is received on a SAML assertion. By default, IBM Tivoli Federated Identity Manager will treat an unspecified name ID format as a persistent name ID. The SAML 2.0 STS module will process the assertion name identifier with an unspecified name ID format according to the value configured on the default name ID format configuration selection. For steps on how to set the default name ID format configuration parameter using the command line interface, see the ITFIM 6.2 Administration Guide.
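Added example, not the product's code: a presence check for ds:Signature on a constructed SAML 2.0 Response skeleton, together with the assertion-signature rules stated in the two sections above (a required assertion signature is satisfied by a signature on the enclosing document; the federation's WantAssertionsSigned value follows the message signature setting; a partner-level true still causes the Identity Provider to sign). Only the position of signatures is inspected; XML-DSig verification itself is the runtime's job. The second situation in which the Identity Provider signs is not described on this page and is not modelled.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signature_locations(response_xml):
    """Return (response_signed, assertion_signed) based on where a ds:Signature
    element sits. Presence only; cryptographic verification is not attempted."""
    root = ET.fromstring(response_xml)
    response_signed = root.find("ds:Signature", NS) is not None
    assertion = root.find("saml:Assertion", NS)
    assertion_signed = assertion is not None and assertion.find("ds:Signature", NS) is not None
    return response_signed, assertion_signed


def assertion_signature_requirement_met(response_xml, want_assertions_signed):
    """Rule from the readme: when an assertion signature is required, a signature
    on the assertion itself or on its enclosing document satisfies it."""
    if not want_assertions_signed:
        return True
    response_signed, assertion_signed = signature_locations(response_xml)
    return assertion_signed or response_signed


def federation_want_assertions_signed(message_signature_setting):
    """Federation-level WantAssertionsSigned derived from the federation's message
    signature choice: 'typical' gives true, 'all' or 'none' give false."""
    if message_signature_setting not in ("typical", "all", "none"):
        raise ValueError(f"unknown message signature setting {message_signature_setting!r}")
    return message_signature_setting == "typical"


def idp_signs_assertion(federation_want, partner_want):
    """The Identity Provider signs when the federation asks for it, and also when the
    partner's WantAssertionsSigned (imported from the partner metadata) is true."""
    return federation_want or partner_want


def response_xml(sign_response, sign_assertion):
    """Constructed Response skeleton; the ds:Signature elements are empty placeholders."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  {sig if sign_response else ''}
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    {sig if sign_assertion else ''}
  </saml:Assertion>
</samlp:Response>"""
```

The case the fix addresses is response_xml(True, False) with WantAssertionsSigned true: the assertion is unsigned but its enclosing Response is signed, so no signature validation error is raised. An entirely unsigned message with the requirement set is still rejected.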
By default TFIM allows an administrator to specify a key to use for signing or validation by having them select an alias from a key store. The alias is not actually used at runtime to select the key; the alias is only used to determine the X.509 Distinguished Name (DN). Once the DN is determined, a list of all keys from all key stores with exactly the same DN is built, and the oldest still-valid X.509 certificate (or private key) is used first for the specific runtime operation.
This fix provides two additional options for key selection criteria. The supported key selection criteria are:
Key: key.selection.criteria
Possible values (only one can be set):
only.alias - Only the alias is used to select the key. No key list is created.
longest.lifetime - A list of keys is built, sorted by longest lifetime first.
shortest.lifetime - A list of keys is built, sorted by shortest lifetime first.
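Added example (not TFIM code): a model of the key selection order described above over a constructed set of key store entries. The alias resolves to a subject DN, every still-valid key with that DN from any store becomes a candidate, and key.selection.criteria decides the order; with the default, the oldest valid key is tried first, which is why selecting the alias sp-2013 below does not make that key the first choice. Store names, aliases, DNs and validity periods are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class KeyEntry:
    store: str            # key store holding the entry
    alias: str            # alias the administrator selects in the console
    subject_dn: str       # X.509 subject Distinguished Name
    not_before: datetime
    not_after: datetime

    @property
    def lifetime(self):
        return self.not_after - self.not_before

    def is_valid_at(self, now):
        return self.not_before <= now <= self.not_after


def order_keys(entries, alias, criteria, now):
    """Candidate keys in the order the runtime would try them.

    criteria is None (default: oldest still-valid key with the same DN first),
    "only.alias", "longest.lifetime" or "shortest.lifetime".
    """
    by_alias = [e for e in entries if e.alias == alias]
    if not by_alias:
        raise KeyError(f"alias {alias!r} not found in any key store")
    if criteria == "only.alias":
        return by_alias[:1]                     # no DN-based list is built at all
    dn = by_alias[0].subject_dn
    candidates = [e for e in entries if e.subject_dn == dn and e.is_valid_at(now)]
    if criteria is None:
        return sorted(candidates, key=lambda e: e.not_before)          # oldest first
    if criteria == "longest.lifetime":
        return sorted(candidates, key=lambda e: e.lifetime, reverse=True)
    if criteria == "shortest.lifetime":
        return sorted(candidates, key=lambda e: e.lifetime)
    raise ValueError(f"unknown key.selection.criteria {criteria!r}")


# Constructed key stores: three valid keys and one expired key share the SP's DN.
NOW = datetime(2013, 5, 27)
SP_DN = "CN=sp.example.com,O=Example Corp"
STORES = [
    KeyEntry("signing", "sp-2013", SP_DN, datetime(2013, 1, 1), datetime(2014, 1, 1)),
    KeyEntry("signing", "sp-old", SP_DN, datetime(2011, 1, 1), datetime(2013, 12, 31)),
    KeyEntry("signing", "sp-expired", SP_DN, datetime(2009, 1, 1), datetime(2012, 1, 1)),
    KeyEntry("backup", "sp-backup", SP_DN, datetime(2012, 6, 1), datetime(2017, 6, 1)),
    KeyEntry("signing", "idp-cert", "CN=idp.example.org,O=Partner", datetime(2012, 1, 1), datetime(2015, 1, 1)),
]


def selection_order(criteria, alias="sp-2013", now=NOW):
    """Aliases in the order the runtime would use them for the given criteria."""
    return [e.alias for e in order_keys(STORES, alias, criteria, now)]


if __name__ == "__main__":
    for criteria in (None, "only.alias", "longest.lifetime", "shortest.lifetime"):
        print(f"{criteria or 'default':18} -> {selection_order(criteria)}")
```

The model makes the operational point visible: after rolling a certificate, an administrator who selects the new alias still gets the old key under the default criteria until it expires, while only.alias pins the selection to the chosen entry.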
In IBM Tivoli Federated Identity Manager Service Provider (SP) deployments of SAML 1.x, when signatures are not used in assertions, it is often required to identify to an application which Identity Provider the credential comes from. To satisfy this requirement, this fix inserts new attributes into the Claims element for SAML 1.x service provider federations that use the browser artifact profile. The new attributes are called ArtifactSourceID and ArtifactResolutionServiceEndpoint. The new Claims element attributes will be included in the RequestSecurityToken message that is sent to the Service Provider trust service during single sign-on.
Mapping rules on the Service Provider can use these values to map to an expected Issuer URL and perform that check in the mapping rule and throw an exception if a bad Issuer is detected.
To check for the new attributes ArtifactSourceID and ArtifactResolutionServiceEndpoint of the new SAML claims, you can do the following:
An example STSUU is as follows:
<stsuuser:Attribute name="Claims" type="http://schemas.xmlsoap.org/ws/2005/02/trust">
<stsuuser:Value>
<wst:Claims xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
Dialect="urn:ibm:names:ITFIM:saml">
<fimsaml:SAMLClaims xmlns:fimsaml="urn:ibm:names:ITFIM:saml"
ProtocolProfile="" TokenUsername=""
ArtifactSourceID="KmoOP8TQR6rMbUFZwpcy6rtxWzE="
ArtifactResolutionServiceEndpoint="http://soap_endpoint">
</fimsaml:SAMLClaims>
</wst:Claims>
</stsuuser:Value>
</stsuuser:Attribute>
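Added example, not a product mapping rule: a Python check of the kind the mapping rule described above performs, applied to a constructed STSUU fragment shaped like the sample. The ArtifactSourceID and ArtifactResolutionServiceEndpoint are compared against an allowlist of trusted Identity Providers, and an untrusted issuer raises an exception. The stsuuser namespace URI and the convention that a SAML 1.x SourceID is the base64-encoded SHA-1 of the provider URI are assumptions not stated on this page; if your Identity Provider publishes a different SourceID, put that value in the allowlist directly.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "stsuuser": "urn:ibm:names:ITFIM:1.0:stsuuser",   # assumed STSUU namespace
    "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "fimsaml": "urn:ibm:names:ITFIM:saml",
}


def source_id_for(provider_uri):
    """SAML 1.x convention (assumption): the 20-byte SourceID is SHA-1 of the
    provider URI, base64-encoded. Replace with the published value if it differs."""
    return base64.b64encode(hashlib.sha1(provider_uri.encode()).digest()).decode()


# Constructed allowlist of Identity Providers this Service Provider trusts.
TRUSTED_IDPS = {
    source_id_for("https://idp.example.org/saml"): {
        "issuer": "https://idp.example.org/saml",
        "artifact_resolution_endpoint": "https://idp.example.org/saml/soap",
    },
}


class BadIssuer(Exception):
    """Raised the way a mapping rule would abort the request on an untrusted issuer."""


def extract_artifact_claims(stsuu_xml):
    """Return (ArtifactSourceID, ArtifactResolutionServiceEndpoint) from the Claims attribute."""
    root = ET.fromstring(stsuu_xml)
    claims = root.find(".//fimsaml:SAMLClaims", NS)
    if claims is None:
        raise BadIssuer("no SAMLClaims element in the Claims attribute")
    return claims.get("ArtifactSourceID"), claims.get("ArtifactResolutionServiceEndpoint")


def resolve_issuer(stsuu_xml, trusted=TRUSTED_IDPS):
    """Map the artifact source to a known issuer URL, or raise BadIssuer.

    Both attributes must match: a known SourceID arriving with an unexpected
    resolution endpoint is treated as untrusted as well.
    """
    source_id, endpoint = extract_artifact_claims(stsuu_xml)
    idp = trusted.get(source_id)
    if idp is None:
        raise BadIssuer(f"unknown ArtifactSourceID {source_id!r}")
    if endpoint != idp["artifact_resolution_endpoint"]:
        raise BadIssuer(f"unexpected ArtifactResolutionServiceEndpoint {endpoint!r}")
    return idp["issuer"]


def build_stsuu(source_id, endpoint):
    """Constructed STSUU Claims attribute shaped like the readme's sample."""
    return f"""<stsuuser:Attribute xmlns:stsuuser="{NS['stsuuser']}" name="Claims"
    type="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <stsuuser:Value>
    <wst:Claims xmlns:wst="{NS['wst']}" Dialect="urn:ibm:names:ITFIM:saml">
      <fimsaml:SAMLClaims xmlns:fimsaml="{NS['fimsaml']}" ProtocolProfile="" TokenUsername=""
          ArtifactSourceID="{source_id}" ArtifactResolutionServiceEndpoint="{endpoint}">
      </fimsaml:SAMLClaims>
    </wst:Claims>
  </stsuuser:Value>
</stsuuser:Attribute>"""
```

In a deployed mapping rule the same comparison is expressed in XSLT over the In-STSUU, and the issuer returned here is what you would copy into the outgoing token for the application to act on.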
The default secure protocol for HTTPS connections created by Tivoli Federated Identity Manager Business Gateway is SSL_TLS. To change (override) the default protocol, specify the following runtime custom property in the fim.appservers.properties file:
com.tivoli.am.fim.soap.client.ssl.protocol=PROTOCOL
where the value of PROTOCOL can be any of the following values: SSL_TLS, SSL, SSLv2, SSLv3, TLS or TLSv1
A timestamp is embedded within a passticket, but the time value interval is only granular to a full second. If two passtickets are generated for the same object (user, target app, secret-key) within one second, then the two passtickets will be identical, that is, the passtickets will look to the validator like a "replay attack." To manage this problem, RACF allows "disable replay detection," and this APAR enables Federated Identity Manager Business Gateway to support this functionality.
To disable replay, you can set either or both of the following custom runtime properties:
passticket.disable.replay.check.[chainid_uuid]=true
passticket.disable.replay.check=true
where chainid_uuid is the value of the chain UUID. For example:
passticket.disable.replay.check.[uuideb42e428-011b-1ebc-a0cb-9e6c4b35c1c7]=true
To determine the value of Chain UUID, in the administration console select Trust Service Chains-> Select Action, then select Show Chain ID in column in table. This action selection causes a new column to appear in the table that displays the unique Chain ID.
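Added illustration, not the RACF PassTicket algorithm: a toy ticket derived from user, target application, shared secret and the timestamp truncated to whole seconds, plus a validator-side replay check. It shows why two requests within the same second yield identical tickets and are rejected as a replay unless, as the properties above allow, the replay check is disabled. Secret, user, application and timestamps are constructed.

```python
import hashlib
import hmac


def generate_passticket(secret, user, target_app, now):
    """Toy ticket (not RACF's algorithm): keyed hash over user, target application
    and the timestamp truncated to a whole second, the granularity the readme describes."""
    message = f"{user}|{target_app}|{int(now)}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()[:16]


class ReplayDetector:
    """Validator-side replay check: remember recently accepted tickets and reject repeats."""

    def __init__(self, window_seconds=600, replay_check_enabled=True):
        self.window = window_seconds
        self.enabled = replay_check_enabled
        self.seen = {}                      # ticket -> time first accepted

    def validate(self, ticket, now):
        # Drop tickets older than the window so the cache stays bounded.
        self.seen = {t: ts for t, ts in self.seen.items() if now - ts <= self.window}
        if self.enabled and ticket in self.seen:
            return False                    # identical ticket already consumed: a replay
        self.seen.setdefault(ticket, now)
        return True


def run_scenario(replay_check_enabled):
    """Two legitimate requests 200 ms apart, then one in the next second."""
    secret = b"constructed-shared-secret"
    validator = ReplayDetector(replay_check_enabled=replay_check_enabled)
    t0 = 1369612800.0                       # constructed: 2013-05-27T00:00:00Z
    first = generate_passticket(secret, "alice", "APP1", t0 + 0.1)
    second = generate_passticket(secret, "alice", "APP1", t0 + 0.3)
    later = generate_passticket(secret, "alice", "APP1", t0 + 1.5)
    return {
        "same_second_identical": first == second,
        "first_accepted": validator.validate(first, t0 + 0.1),
        "second_accepted": validator.validate(second, t0 + 0.3),
        "next_second_accepted": validator.validate(later, t0 + 1.5),
    }


if __name__ == "__main__":
    print("replay check on :", run_scenario(True))
    print("replay check off:", run_scenario(False))
```

With the check on, the second request fails exactly as the readme describes; with it off, the same ticket is accepted twice, which is the trade-off the passticket.disable.replay.check properties make for chains that legitimately issue several tickets per second.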
WebSphere Application Server versions 6.0.2 and 6.1 do not distinguish between LTPA v1 and LTPA v2 tokens in Web Services. Only one BinarySecurityToken ValueType is supported for LTPA tokens, and the QName of the value type is:
http://www.ibm.com/websphere/appserver/tokentype/5.0.2#LTPA
When the Federated Identity Manager Business Gateway STS issues an LTPA v2 token, the token is created with the following QName. This QName is correct, but it is not supported by WebSphere Application Server versions 6.0.2 and 6.1:
http://www.ibm.com/websphere/appserver/tokentype#LTPAv2
This APAR provides custom Federated Identity Manager Business Gateway runtime properties that force compatible QName generation if needed. To enable compatibility mode, set either or both of the following custom runtime properties:
ltpa.enable.compat.mode.[chainid_uuid]=true
ltpa.enable.compat.mode=true
where chainid_uuid is the value of the Chain UUID. For example:
ltpa.enable.compat.mode.[uuideb42e428-011b-1ebc-a0cb-9e6c4b35c1c7]=true
To determine the value of Chain UUID, in the administration console select Trust Service Chains-> Select Action, then select Show Chain ID in column in table. This action selection causes a new column to appear in the table that displays the unique Chain ID.
When authoring XSLT rules for identity mapping, there is no mechanism to log or trace statements for debugging purposes. This APAR adds an extension that enables you to add debugging statements to XSLT rules.
To emit debug statements from identity mapping, add entries to the XSLT rules using the following syntax:
<xsl:variable name="variablename" select="mapping-ext:traceString('debug string')"/>
This APAR fixes an XSLT identity mapping failure that occurred when using the alias server with JDBC. An XSLT identity mapping that links accounts from a JDBC configure-alias service would fail with the following exception:
com.tivoli.am.fim.identity.service.jdbc.IdServiceJdbc
init javax.naming.NoInitialContextException: Need to specify class name in environment or system property,
or as an applet parameter, or in an application resource file: java.naming.factory.initial
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:657)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:259)
at javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:296)
at javax.naming.InitialContext.lookup(InitialContext.java:363)
at com.tivoli.am.fim.identity.service.jdbc.IdServiceJdbc.
at com.tivoli.am.fim.identity.service.client.jdbc.IdServiceJdbcClient.
at java.lang.Class.newInstanceImpl(Native Method)
at java.lang.Class.newInstance(Class.java:1301)
at org.eclipse.core.internal.registry.osgi.RegistryStrategyOSGI.createExecutableExtension(RegistryStrategyOSGI.java:170)
You might need to restart the WebSphere Application Server if you specified inaccurate information in the security settings panel when creating a Federated Identity Manager domain (or a connection to a domain).
If you enter correct data and the Federated Identity Manager console successfully connects to the management service (use Test Connection to test the connection), you do not need to reconnect to WebSphere Application Server. If the Federated Identity Manager console cannot connect to the Management Service, even if correct security information is supplied, then you need to restart WebSphere Application Server.
See Tech Note #1326460, "IBM Tivoli Federated Identity Manager 6.1.1 and 6.2 POST profile SSO can fail with a SRVE0216E error", for a description of how to address this problem.
It is impossible to query the Federated Identity Manager Business Gateway runtime status from the eWAS console. The following wsadmin commands show how to query the Federated Identity Manager Business Gateway runtime's status and how to start and stop the Federated Identity Manager Business Gateway runtime from the command line.
These commands assume the WebSphere Application Server instance is named "server1".
wsadmin>$AdminApp list
wsadmin>$AdminControl queryNames type=Application,process=server1,name=ITFIMRuntime,*
wsadmin>set appManager [$AdminControl queryNames type=ApplicationManager,process=server1,*]
wsadmin>$AdminControl invoke $appManager stopApplication ITFIMRuntime
wsadmin>set appManager [$AdminControl queryNames type=ApplicationManager,process=server1,*]
wsadmin>$AdminControl invoke $appManager startApplication ITFIMRuntime
The fix pack installation of the Federated Identity Manager Business Gateway runtime must connect to a WebSphere Application Server SOAP port in order to deploy the runtime. The fix pack installer acquires its SOAP port value from the following line in the <installation-directory>/etc/fim.appservers.properties file of the Federated Identity Manager instance being patched:
was.soap.port=8880
OR
ewas.soap.port=8880
This value is set in the file when the Federated Identity Manager Business Gateway instance is installed.
For the connection to be successful, the WebSphere Application Server instance to which it is being deployed must still be using that SOAP port. If it is not, then the Federated Identity Manager Business Gateway fix pack installation fails in the WebSphere Application Server UPDI and the error is reported as:
Prerequisite checking has failed. Click Back to select a different package, or click Cancel to exit.
Associated failure messages are:
The WebSphere server does not seem to be listening in host localhost port 8881 as specified
in /opt/IBM/FIM/etc/fim.appservers.properties. Make sure the server is running and that the specified
port and host are correct.
If the specified port is different from the actual SOAP port used, then change the value in the fim.appservers.properties file to agree with the port being used by WebSphere Application Server and reapply the fix pack.
A limitation of the z/OS platform can cause Federated Identity Manager actions to hang and fail. This has been observed with the deployment of the Federated Identity Manager runtime, and can be diagnosed by examining the WebSphere Application Server log file and looking for a WARNING message such as the following:
Trace: 2008/02/20 15:30:48.909 01 t=9BE748 c=UNK key=P8 (13007002)
ThreadId: 00000044
FunctionName: com.ibm.ws.runtime.component.ThreadMonitorImpl
SourceId: com.ibm.ws.runtime.component.ThreadMonitorImpl
Category: WARNING
ExtendedMessage: BBOO0221W: WSVR0605W: Thread "WebSphere:ORB.thread.pool t=009c22b8"
(00000022) has been active for 181010 milliseconds and may be hung.
There is/are 1 thread(s) in total in the server that may be hung.
To resolve this problem, define the WebSphere Application Server environment variable to increase an essential thread pool size.
To define the environment variable for a standalone application server from the WebSphere administration console, browse to: Servers-> Application servers-> server_name-> Server Infrastructure-> Administration-> Custom properties.
Add the property private_bboo_internal_work_thread_pool_size with the value of 5.
To define the environment variable for a network deployment configuration from the WebSphere administration console, browse to: System Administration-> Deployment manager-> Administration services-> Custom properties.
As in the standalone environment, add the property private_bboo_internal_work_thread_pool_size with the value of 5.
Restart the WebSphere Application Server instance that has had the environment changed. To verify that the new value has taken effect, when the server starts look for this message in the output of the server:
BBOM0001I private_bboo_internal_work_thread_pool_size: 5.
These failures have currently only been reported on the deployment of the Federated Identity Manager runtime, and the value of 5 has resolved the issue. However, if similar error messages are seen performing other Federated Identity Manager activities, the pool size environment variable should be increased to resolve the problem.
Attempts to use an Oracle database for the TFIM alias service displayed errors like:
com.ibm.ws.ejbpersistence.utilpm.PersistenceManagerException: PMGR1012E: The current backend id DB2UDBNT_V8_1, does not match the datasource connected to.
To fix this error, follow these additional steps after installing the Fix Pack (assume on UNIX-based system):
If you receive subsequent fix packs, or anything that alters the deployed itfim.ear, step 1 above needs to be re-performed.
From the updated TFIM Configuration Guide, the steps are:
Issue:
Patch installation fails when FIPS is enabled for WebSphere Application Server where Tivoli Federated Identity Manager Business Gateway is deployed.
Workaround:
Before installing the patch, disable FIPS for WebSphere Application Server where Tivoli Federated Identity Manager Business Gateway is deployed.
Issue:
The IBM Tivoli Federated Identity Manager command manageItfimPartner does not check whether the signature validation key and encryption key specified in the response file exist in the given keystores, even though keystore passwords are provided.
Workaround:
After running the command manageItfimPartner, check whether the signature validation key and encryption key specified in the response file exist in the given keystores with one of the following methods:
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information that has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
Adobe®, Acrobat, PostScript® and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
IT Infrastructure Library® is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.
Intel®, Intel logo, Intel Inside®, Intel Inside logo, Intel Centrino®, Intel Centrino logo, Celeron®, Intel Xeon®, Intel SpeedStep®, Itanium®, and Pentium® are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Linux® is a trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT®, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
ITIL® is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
UNIX® is a registered trademark of The Open Group in the United States and other countries.
Cell Broadband Engine™ and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Other company, product, and service names may be trademarks or service marks of others.