Release notes - IBM InfoSphere Identity Insight version 8.0 fix pack 2

Contents

• About IBM InfoSphere Identity Insight
• IBM InfoSphere Identity Insight Version 8.0 fix pack 2 content
• IBM InfoSphere Identity Insight Version 8.0 fix pack 2 maintenance items
• System requirements
• Announcements
• Known problems and issues
• Starting the version 8.0 fix pack 2 installation program
• Completing the IBM InfoSphere Identity Insight Version 8.0 fix pack 2 installation
• Installing the IBM InfoSphere Identity Insight Version 8.0 fix pack 2 CEP updates

About IBM InfoSphere Identity Insight

IBM InfoSphere Identity Insight helps organizations solve business problems related to recognizing the true identity of someone or something ("who is who") and determining the potential value or danger of relationships ("who knows whom") among customers, employees, vendors, and other external forces. IBM InfoSphere Identity Insight provides immediate and actionable information to help prevent threat, fraud, abuse, and collusion in all industries.

IBM InfoSphere Identity Insight Version 8.0 fix pack 2 content

This fix pack includes product maintenance and documentation updates. In addition, it provides a new option for improved address data standardization. Please see the installation topics for fix pack 2 (in the FP2 section of the information center or attached - if this is the stand-alone version of the release notes.

The following updates have been made to how the product handles name data:

Deprecated schema tables

The following tables are deprecated:

• LAS_CONFIG
• LAS_CULTURE_CODES

Customers can safely drop these tables manually from their IBM InfoSphere Identity Insight schema. The product installation program does not automatically remove these tables when customers upgrade to V8 fix pack 2.

Updated API component libraries

The underlying IBM Global Name Management API component libraries have been updated to Version 4.2.

Name Manager system parameter CROSSCHECKCULTURE update

Existing customers: After upgrading to V8.0 fix pack 2, enable the CROSSCHECKCULTURE setting.

IBM Global Name Recognition Name Hasher updates

The following list highlights updates to Name Hasher:

Enhanced name hashing capabilities

Expands fuzzy name matching during entity resolution or when ER-like searches are provided to the pipeline.

New DQM rules: 282

New system parameter configured in the Configuration Console (HASHLESS_NAMES_ARE_GENERIC)

Migration from previous version of Name Hasher

DQM 660 was previously used to communicate with an external WebSphere servlet via HTTP to provide Enhanced name-hashing functionality. This Enhanced name hashing functionality is now built into the pipeline as an embedded component.The "new" Name Hasher must be properly configured. Use DQM 282 and DQM 610.

If you have been using the previous version of Name Hasher, further migration steps are available in the Information Center. (See Configuring the system for data > Configuring data in the system > Configuring name data > Enhanced name hashing with the IBM Global Name Recognition Name Hasher.)

Generating alternate name parses

New DQM rule 289 - expands name parses that meet the parse threshold configured for the DQM rule + secondary parses. The ability to generate secondary name parses supports generating multiple name hashes for non-Name Hasher configurations and expands the fuzzy matching capabilities for enhanced name hashing for Name Hasher configurations.

Enhanced gender determination ability

New DQM rule 258 - provides culturally-aware gender determination. Dynamically analyzes names and created gender characteristics for the incoming identity record.

Existing DQM 255 with Gender param is OK to use as an alternate method for determining the gender of names, but it is not culturally-aware. Customers cannot use both the Gender param from DQM 255 and the new gender determination capabilities of DQM 258.

Web services authentication and authorization

Two properties files are added to provide enhanced Web services security through configurable authentication and authorization settings. webservices.policy and webservices.passwd file parameters contain pipeline URL parameter settings to configure authentication and authorization security settings for Web services pipelines. Use these files for SOAP call security. They do not apply to UMF security.

The webservices.policy properties file allows you to configure authentication and authorization settings. The webservices.passwd properties file contains users and groups along with their passwords. The location of the files are in the <install_dir>/srd-home/easws directory.

Note: There are two basic methods of accessing enhanced SOA calls, SOAP and UMF. For example, using UMF:

<SOA_ROLE_ALERT_BY_ID_REQUEST>
    <ALERT_ID>1234567</ALERT_ID>
    <DEPTH>FULL</DEPTH>
</SOA_ROLE_ALERT_BY_ID_REQUEST>

The Web services authentication and authorization feature of fix pack 2 only operates on SOAP calls. UMF-queries directly to the pipeline such as the above, are not subject to the authentication and authorization restrictions defined by webservices.policy and webservices.passwd file parameters. Securing Web service calls will not stop pipeline queries such as these from being executed without restriction.

A new 'wspwd' utility has been introduced to administer these users and groups.

Expanded Service API enhancements

New Web services enhancements are added for configuration, alerting, relationships, and resolution:

• getEventTypes
• getEventAlertsByFilter
• getEventAlertByID
• getRelationshipBetweenEntities
• getDirectEntityRelationships
• getEventDetailByFilter
• getEventDetailByID

Configuration option to support large-scale parallelization

A new configuration option is now provided to support large-scale parallelization with large numbers of pipelines, and high pipeline 'Concurrency'. This is designed to reduce latch-contention on DB2 by allowing the database-engine to allocate separate latches for each instance of a given SQL query per pipeline thread and pipeline (instead of sharing the same SQL-query-string across pipelines and threads).

Note: Enabling this configuration option will increase memory-usage on the database-tier. The impact depends on the number of pipelines and number of threads per pipeline.

To Enable this feature (disabled by default), set the following value in the [SQL] section of the pipeline.ini file: INSERT_COMMENTS=Y

Each of the pipelines then need to be started with a unique Nodename, as shown below:

Pipeline#1:  ./pipeline -n Nodename1 (other options)
Pipeline#2:  ./pipeline2 -n Nodename2 (other options)
...
Pipeline#x:  ./pipelinex -n Nodenamex (other options)

pipeline.ini parameter added for Unique Number Matching percentage

A new pipeline.ini parameter for Unique Number Matching percentage is added in fix pack 2. Set a value from 1 to 100. The higher the number, the more precisely an incoming unique-number has to match in order to generate a Unique-Number-Match. If not specified, the default is 75.

To implement, edit the [MM] section of your pipeline.ini file(s). For example, add the following entry (case-sensitive):

UNUM_MATCH_PERCENTAGE=xx

IBM InfoSphere Identity Insight Version 8.0 fix pack 2 maintenance items

This fix pack includes maintenance item fixes and corrections.

Pipeline maintenance items

Unresolve and related issues

Improvements have been made to the memory-usage and CPU-usage characteristics for Entity-resolution processing.

Legacy IW*WEBSERVER (srd.wsdl)

Some EQ searches that exceeded the max record count on returns resulted in the pipeline returning a properly formatted XML message but the XSLT in the Web services corrupted it.

Insertion of SQL Comments into all SQL-calls (with enable/disable switch)

This enhancement is required to support large-scale parallelization of pipeline-inserts in PPP / threaded environments and to stop latch-contention on DB2. By adding unique identifier information to the 'header' of each SQL query, the database-engine can allocate separate space and latches for each instance of a given SQL query per pipeline thread and pipeline rather than sharing the same SQL-query-string across pipelines and threads. This increases memory-usage on the database-tier (depending on number of pipelines and number of threads per pipeline), but reduces latch-contention.

This feature is disabled by default. To enable it, set the following value in the [SQL] section of the pipeline.ini file: INSERT_COMMENTS=Y.

Infinite deadlock retries

In HTTP mode, the pipeline should not retry transactions (bidirectional messages), but should return errors to the client so the client can retry.

GNR Name Hasher did not handle UTF-8 characters correctly

Client responses are now correctly encoded in UTF-8 when appropriate.

Resolved deadlocks and the error limit count

Resolved deadlocks are no longer counted in the error limit.

SOA process() function with data with an ampersand ('&') problem

You can now call the SOA process() function with data that has an ampersand ('&') in it. This applies to all SOA functions and for other characters.

UNUM_MATCH_PERCENTAGE - new pipeline.ini parameter

The Unique Number Matching percentage parameter can be set from 1 to 100. The higher the number, the more precisely an incoming Unique-number has to match in order to generate a Unique-Number-Match.

To implement: In the [MM] section of your pipeline.ini file(s), add the following entry (case-sensitive) UNUM_MATCH_PERCENTAGE=xx. The default is 75 if not specified.

Incorrect attribute denials

The system no longer denies when there is a common attribute. The system does not run the whole unresolve analysis project if the new conflicting attributes are found with a denial, but no penalty score (a penalty score of 0.)

Additional resolved issues and reported problems

• Address scores severely penalized for different postal code 4-digit extensions.
• Missing index on SEARCH table corrected.
• SOA Identity calls did not return Last-Update, Sys-Create or Source-Create dates.
• Updated SifterRules.ibm file.
• Namesifter feature no longer over-categorizes names as Company-names.
• Pipeline startup no longer hangs if QS-AVI feature is enabled without the International address-database installed.
• Pipeline transaction rollback occurring at database server, but UMFLOG incorrectly logging that the transaction was successfully processed.
• Additional incorrect Gender record logged during soft-delete.

Visualizer maintenance items

Missing alert on Upgrade from 8.0 to FP1

The Visualizer will now successfully obtain Match Merge rule information from a new IIv8.0 database column if it is populated, or fallback to the previous method if it is not populated.

Additional resolved issues and reported problems

• The Visualizer would hang under certain situations where accounts were deleted from the system. The entity resume would fail to display.
• Disclosed relations role alert graph was not displaying correctly if description left blank.
• Entity resume was not using latest in the resume header section.

Miscellaneous maintenance items

Documentation corrections

Various topics throughout the content have been corrected or improved.

Updated CEP Rule-Builder deployment and instructions

When the fix pack 2 installer is run on the Application Server, a new zip file is provided as part of the IBM Identity Insight installation on the Application Server (<RR_INSTALL>/cep/CEP_3.0.1.1.03-J2SE.zip). This zip file contains updated files that enable you to obtain an ArrayList containing the values of the "externalId" attributes of the events which participated in the situation, for the IOutputSituation function. This new function is available when creating CEP Rules using the Client-side Eclipse-based CEP Rule-Builder (previously provided in IIv8.0 in the <RR_INSTALL>/cep/CEP_3.0.1.01.zip file). Once the fix pack 2 Installer has been run on the Application Server, you must perform the following Manual steps to install these updated files into your Eclipse (CEP Rule-builder) framework:

1. Copy the new CEP zip file down to the client machine where the CEP Rule-Builder is being run.
2. Expand the zip file.
3. Copy the files to the following directory on the client <CEP_DEPLOY_DIRECTORY>\CEP_3.0.1.1.00\eclipse\plugins\com.ibm.amit.commonlib_3.0.1.1.

MQ 6.0.1.1 on HP (11i v3)

Use MQ 6.0.1.1 on HP (11i v3) rather than MQ 6.0.1.0.

System requirements

For information about hardware and software compatibility, see System requirements and planning.

Announcements

You can search for the IBM InfoSphere Identity Insight 8.0 announcement at http://www-306.ibm.com/common/ssi/OIX.wss. See the announcement for the following information:

• Detailed product description, including a description of new functions
• Product-positioning statement
• Packaging and ordering details
• International compatibility information

Known problems and issues

Known problems are documented in the form of individual technotes in the Support knowledge base at http://www-306.ibm.com/software/data/db2/eas/relationship/support.html:

• Under Search Support, in the Enter terms, error code or APAR # field, enter a keyword, phrase, error code, or APAR number to search on.
• Select Solve a problem.
• Click the Search button.

As problems are discovered and resolved, the IBM Support team updates the knowledge base. By searching the knowledge base, you can quickly find workarounds or solutions to problems. Be sure to check the Support knowledge base for any late-breaking information.

Pipeline exception on shutdown on CEP-enabled system

This issue affects customers who have enabled CEP. With data-loads that do not contain any EVENT data, the pipeline produces an exception when shutting down. These data-loads (without EVENT data) occur successfully. The exception only occurs as the pipeline attempts to shut down. In this situation, even though the data has successfully been processed, the data source summary (UMF_LOAD_SUM) and load summary (UMF_SUM_*) reports are not updated.

Data-loads with EVENT data also occur successfully.

Installing and configuring IBM InfoSphere Identity Insight Version 8.0 fix pack 2

Procedure

1. Start the IBM InfoSphere Identity Insight Version 8.0 fix pack 2 installation program. (See the detailed steps and information in the related topics listed below.)
2. Complete the IBM InfoSphere Identity Insight Version 8.0 fix pack 2 installation.

Starting the version 8.0 fix pack 2 installation program

Before you begin

On Microsoft Windows:

You must copy the product installation file to a local drive. The product installation program will not run from either the installation media or from a network drive.

On AIX, HP-UX, Linux, and Solaris:

To enable the License-print function within the Installer running in GUI mode, you need to define your printer within the X-windows subsystem that you are running on the client machine.

To enable the License-print function within the Installer running in command line mode, you need to set up a default print-queue and printer on the machine you are installing on.

Patching WebSphere Application Server

You must patch your WAS implementation with files provided in fix pack 2 in the 'Patches' directory, under the normal 'Disk1' Installer-directory structure. The fix pack 2 installer will not run until you do this. IBM Update Installer - Can be obtained from here: http://www-01.ibm.com/support/docview.wss?uid=swg24020212

1. Download and install the IBM Update Installer (UPDI) tool from IBM Support website ( http://www-01.ibm.com/support/docview.wss?uid=swg24020212 ).
2. Run the UPDI tool to apply the supplied *.pak files. These files can be found in the ../Patches/ directory of the fix pack 2 installation media.
3. On the "Product Selection" screen of the UPDI tool, when asked to 'Enter the installation location of the product you wish to update', enter the path to the '<RR_INSTALL>/ewas' directory
4. After this is complete, follow the fix pack installation steps below.

Procedure

1. Obtain the IBM InfoSphere Identity Insight product software DVD (or DVD image) or .tar file.
2. Do one of the following steps:
   1. On Microsoft Windows: If obtaining a .tar file, unzip the file to temporary directory on a local drive of the target installation machine.
      Note: On Microsoft Windows, you must copy the product installation file to a local drive. The product installation program will not run from either the installation media or from a network drive. Ensure that the .tar file is unzipped with the directory structure intact.
   2. On Microsoft Windows: If obtaining a DVD image, burn the image to a DVD and copy the product installation file to a local drive.
      Note: On Microsoft Windows, you must copy the product installation file to a local drive. The product installation program will not run from either the installation media or from a network drive. Ensure that the product installation file's parent directory structure of \Disk1\InstData\VM\ is retained when copying files.
   3. On AIX, HP-UX, Linux, and Solaris: If obtaining a .tar file, unzip the file to temporary directory on a local drive of the target installation machine.
      Note: Ensure that the .tar file is unzipped with the directory structure intact. Ensure that the product installation file's parent directory structure of /Disk1/InstData/VM/ is retained if you copy the installation file to another location.
   4. On AIX, HP-UX, Linux, and Solaris: If obtaining a DVD image, burn the image to a DVD.
      Note: Ensure that the product installation file's parent directory structure of /Disk1/InstData/VM/ is retained if you copy the installation file to another location.
3. If installing from a DVD, insert the DVD into the DVD drive where you want to install the product component.
4. Run the install program:

   Option	Description
   in GUI mode from a GUI	Navigate to the /platform/Install/Disk1/InstData/VM/ directory. Double-click the appropriate installer file for your operating system. Microsoft Windows Server x86 ISII_80_FP2_win_x86.exe Microsoft Windows Server x86_64 ISII_80_FP2_win_x64.exe IBM AIX ISII_80_FP2_aix_ppc.bin HP-UX ISII_80_FP2_hpux_ia64.bin Linux x86 ISII_80_FP2_linux_x86.bin Linux x86_64 ISII_80_FP2_linux_x64.bin 64-bit Linux on System z ISII_80_FP2_linux_s390x.bin Sun Solaris ISII_80_FP2_solaris_sparc.bin
   in GUI mode from a command line	Change directory to the /platform/Install/Disk1/InstData/VM/ directory. Run the appropriate installer file for your operating system. Microsoft Windows Server x86 ISII_80_FP2_win_x86.exe Microsoft Windows Server x86_64 ISII_80_FP2_win_x64.exe IBM AIX ISII_80_FP2_aix_ppc.bin HP-UX ISII_80_FP2_hpux_ia64.bin Linux x86 ISII_80_FP2_linux_x86.bin Linux x86_64 ISII_80_FP2_linux_x64.bin 64-bit Linux on System z ISII_80_FP2_linux_s390x.bin Sun Solaris ISII_80_FP2_solaris_sparc.bin
   in command line mode	Change directory to the /platform/Install/Disk1/InstData/VM/ directory. Run the appropriate installer file for your operating system with the -i console option. Microsoft Windows Server x86 ISII_80_FP2_win_x86.exe -i console Microsoft Windows Server x86_64 ISII_80_FP2_win_x64.exe -i console IBM AIX ISII_80_FP2_aix_ppc.bin -i console HP-UX ISII_80_FP2_hpux_ia64.bin -i console Linux x86 ISII_80_FP2_linux_x86.bin -i console Linux x86_64 ISII_80_FP2_linux_x64.bin -i console 64-bit Linux on System z ISII_80_FP2_linux_s390x.bin -i console Sun Solaris ISII_80_FP2_solaris_sparc.bin -i console

5. Follow the instructions on the installation program wizard or the command line.

Completing the IBM InfoSphere Identity Insight Version 8.0 fix pack 2 installation

Procedure

1. On the Introduction panel, review the screen.
2. On the Destination panel, type or browse to the directory (fully qualified path) in which to install IBM InfoSphere Identity Insight Version 8.0 fix pack 2. This directory must be the directory which contains your existing InfoSphere Identity Insight Version 8.0 installation. If browsing to an installation directory, you must click the Choose button, then select the install directory and click the Open button.
   Note:
   On Microsoft Windows, the install path length must not exceed 45 characters due to WebSphere restrictions.
3. On the Product features panel, review the product features that will be installed.
4. On the Database Configuration - Database Information panel, enter the configuration information for the type of database installed.
5. On the Database Configuration - Database Population panel, review the screen and select the option to generate and update the database schema.
6. On the Pre-Installation Summary panel, review the summary (click back if any changes are needed), and then click the Next button to complete the installation.
7. On the Install Complete panel, review the status, and then click the Done button to exit the installation. When installing on Solaris systems, you might see the No such file or directory message on the final window. You can safely ignore this warning message.

Installing the IBM InfoSphere Identity Insight Version 8.0 fix pack 2 CEP updates

About this task

When the IBM InfoSphere Identity Insight Version 8.0 fix pack 2 installer is run, the following file is deployed into the Identity Insight installation:

• <product installation directory>\cep\CEP_3.0.1.1.03-J2SE.zip

This file contains updates to enable customers to obtain an ArrayList containing the values of the "externalId" attributes of the events which participated in this situation, for the 'IOutputSituation' function. This new functionality is available when creating CEP Rules using the cient-side Eclipse-based CEP Rule Author tool.

Procedure

1. Copy <product installation directory>\cep\CEP_3.0.1.1.03-J2SE.zip to the client machine.
2. Extract the files to the following client location (overwriting the existing files in the directory):
   • <CEP directory>\CEP_3.0.1.1.00\eclipse\plugins\com.ibm.amit.commonlib_3.0.1.1