Title: 
------

   IBM Tivoli Netcool / Security Manager version 1.4.0 Interim Fix 
   Version 1.4.0.0-TIV-NCSM-IF0004a.

 ====================================================================

Date:
-----

 Nov 09, 2010      

 ====================================================================

Copyright Notice:
-----------------

   (C) Copyright IBM Corp. 2010 All Rights Reserved.
                                                                   
   US Government Users Restricted Rights - Use, duplication or
   disclosure restricted by GSA ADP Schedule Contract with 
   IBM Corp.

 ====================================================================

Contents:
--------



   * Files included in this Interim fix:

      - This README file (1.4.0.0-TIV-NCSM-IF0004a.README)
      - 1.4.0.0-TIV-NCSM-aix5-IF0004a.tar.gz
      - 1.4.0.0-TIV-NCSM-hpux11-IF0004a.tar.gz
      - 1.4.0.0-TIV-NCSM-linux2x86-IF0004a.tar.gz
      - 1.4.0.0-TIV-NCSM-solaris2-IF0004a.tar.gz
      - 1.4.0.0-TIV-NCSM-win32-IF0004a.zip


The files modified by the Interim Fix:
      security/bin/.ncsm_wrapper
	security/lib/build_def
      security/lib/nci2010Oct19.jar has replaced 
             nci2009Jun18.jar file 
	security/lib/ncsmApp2010Oct14.jar has replaced
             ncsmApp2008Dec30.jar file
    security/lib3p/nci3p2010Oct08.jar has replaced
             nci3p2007Jan26.jar file	
      security/install/propscore/ncsm_config.jar


 ===================================================================

About this Interim fix:
------------------------------------

   This Interim fix addresses problems reported in 
   IBM Tivoli Netcool / Security Manager version 1.4.0


* Fixes included in this Interim fix:

*** Please make these changes after you apply IF4a.
Edit below line in $NCHOME/security/etc/SM_smDataSource_NCOMS_tivoli1nci_mul_ie_ibm_com_4100.ds file.
replace      smDataSource_NCOMS_tivoli1nci_mul_ie_ibm_com_4100.ObjectServer.JDBCDRIVER=com.sybase.jdbc2.jdbc.SybDriver
with         smDataSource_NCOMS_tivoli1nci_mul_ie_ibm_com_4100.ObjectServer.JDBCDRIVER=com.sybase.jdbc3.jdbc.SybDriver

IZ44741 WINDOWS ACTIVE DIRECTORY DOES NOT FOLLOW REFERALS.
	  Issue is that Windows Active Directory does not follow
        the referals made in Security Manager AD configuration
        for external authentication
                                 

IZ49755 USER IS NOT LOGGED OUT FROM SECURITY MANAGER WHEN RUNNING
        WAAPI SCRIPT.
        Webtop WAAPI command needs to pass authentication before 
        it's executed. However user pass authenciation and login,
        after WAAPI is executed completely, user is not logged
        out from Security Manager. This cause Security Manager 
        performance degradation if a large amount of WAAPI is used.                                


IZ50031 EXTERNAL AUTHENTICATE USERS PROPERTIES NOT WORKING
        AS EXPECTED.
        The Security manager  doesn't function as intended.
        Even after setting the below properties to false, 
        Users are created in Securitymanager. Customer used
        ObjectServer User to login to the Webtop and found 
        the user entries in security.script file.
                                       
           impact.security.externalauth.userrecords.create=false         
           impact.security.externalauth.userrecords.remove=false         
   
                                                           
IZ51597 SECURITY MANAGER IS VULNERABLE TO CSS ATTACKS.
        The context that serves the Security Manager's error
        page is vulnerable to cross site scripting attack as 
        illustrated by the following test:                                                
                                                               
        http://x.x.x.x:8077/servlet/com.micromuse.common.
        htmlcomponents.servlets.NCErrorServlet?error=
        <script>alert('error srini');</script>   
                                                               
        If the above is submitted via the browser, a popup will
        be generated displaying the text error srini. This 
        demonstrates that the application is vulnerable to 
        malicious java script via the browser. This was put in 
        SM 1.3 under apar IY95615.                                            
        
		To protect this, after installing the patch please
            follow these steps.

	  	1. Stop the security Manager.

		2. Backup and Modify $NCSM_HOME/app3p/
               jakarta-tomcat-4.1.8/conf/web.xml with the 
               following (this should be the first uncommented 
               entry after the comments in the file). Remember to
               add any appropriate comments:
		   <filter>
			<filter-name>NCMaliciousScriptFilter</filter-name>
			<filter-class>
			  com.micromuse.common.htmlcomponents.
                    servlets.NCMaliciousScriptFilter
			</filter-class>
			</filter>
			<filter-mapping>
			  <filter-name>NCMaliciousScriptFilter
                    </filter-name>
			  <url-pattern>/*</url-pattern>
		   </filter-mapping>

		3. Start the Security Manager.




* Fixes included in Interim fix 3

 IZ36928 GROUP SEARCH FILTER NOT FUNCTIONING CORRECTLY FOR AD
          The Security manager queries LDAP for the wrong group 
          filter.
          member=CN=a,dc=b,dc=c
          it comes out
          member=a,dc=b,dc=c


  IZ37074 SHOULD SEE ERROR WHEN CREATE PASSWORD USING SQL KEYWORDS
          The solution removes the restriction preventing the use of 
          certain keywords in the user name or password when logging 
          on to Impact through the Security Manager.


 IZ39469 THE AD AUTHENTICATION NEEDS TO BE CHANGED SO THAT IT CAN 
         HANDLE SUN ONE DIRECTORY      
         The Solution provided the ability to authenticate against
         LDAP sources other than active directory. 
         (e.g. Sun One Directory).
         This authentication does a subtree searrch for the 
         user based on a base distingushed name and then uses the 
         distingushed name of the user to authenticate. 
         If there is no field in the LDAP server that matches the 
         distingushed name then the following property can be set
         to get the security manager to construct the distingushed 
         name based on the search results.

         Add this property in $NCHOME/security/etc/SM_server.props
         file:

			impact.security.ldap.builddn=true

  * Fixes included in Interim fix 2:

  IZ02716 AUDIT LOGGING IN SECURITY MANAGER CAN NOT BE CONTROLLED  
          Records of login attempts and logouts of users is now recorded
          in a log file SM_userauditlog.log

  IZ19685 PROBLEMS WITH THE UNINSTALLER ON SECURITY MANAGER.
          After uninstalling Security Manager 1.3, not able to configure
          LDAP with SM 1.4.  The issue is that the uninstaller left some
          configuration information in the common installer.

  IZ24729 SECURITY MANAGER IN FAILOVER MODE UNABLE TO RESYNCH.
          Security Manager 1.4 on failover mode unable to resynch database.  

          The following additional step needs to be done when setting up 
          failover.
          This step has been added to the document SM_HowToSetupFailover.doc
         (c) Add/modify the following properties in 
          $NCSM_HOME/etc/SM_smDataSource.ds file for
          Primary and secondary Security Managers.

          smDataSource.HSQL.NUMDSPROPERTIES=1
          smDataSource.HSQL.DSPROPERTY.1.NAME=IMPACT_REPLICATE_CHANGES
          smDataSource.HSQL.DSPROPERTY.1.VALUE=true 

          Please see the technote titled
          "Security Manager 1.4 unable to resynch in failover mode."
                    for the updated file SM_HowToSetupFailover.doc.


  IZ24763 SINGLE QUOTE OR QUOTATION MARK IN NAME DOES NOT TRANSFER OVER
          Single quote or qutation mark does not transfer over to the
          failover system.   Error in log file:  DatabaseResyncManager:in
          resyncDatabase:Unexpected token: DOE in statement  insert into
          sm_user

  IZ33040 UNABLE TO CONNECT TO ACTIVE DIRECTORY LDAP AFTER APPLYING
          IF-0001 FOR SECURITY MANAGER 1.4

  IZ34959 HOW TO CONFIGURE SSL ON NCSM 1.4 WITH ACTIVE DIRECTORY LDAP
          Updates have been made to the security manager documentation
          to clarify this setup.

          The documentation needs to be updated with below details for
          Security Manager v1.4 SSL-LDAP setup.
          Page 33 of the Security Manager v1.4 Installation Guide should
          specify that the ds type of primary needs to be changed as below:

          To configure the Security Manager server, you edit the primary 
          ds properties file for the LDAP authentication source. This file
          is named SM_smDataSource_LDAP_HOST_PORT.ds and is located in the
          $NCHOME/security/etc directory. 

          You must make the following changes to the primary ds properties
          file:
          1.Set the value of the smDataSource_LDAP_HOST_PORT.LDAP.PORT 
            property to the SSL port used by the LDAP server.
          2.Uncomment the smDataSource_LDAP_HOST_PORT.LDAP.SECURITY_PROTOCOL 
            property.
           Example:  
            smDataSource_LDAP_9.42.23.59_389.LDAP.PORT=636
            smDataSource_LDAP_9.42.23.59_389.LDAP.SECURITY_PROTOCOL=ssl


   * Fixes included in Interim fix 1:
   
   IZ14264 WHEN USER CONFIGURES ACTIVE DIRECTORY LDAP WITH SECURTY 
           MANAGER 1.3 AND CN HAS A ","  DOESN'T FIND LDAPGROUP
     When the CN has "," such as "Doe, Jane", Security  Manager 
     does not find LDAP Groups during the user is authenticating. When
     CN does not have "," in the CN, such as "Jane Doe", LDAP
     groups are found when the user is authenticated. 
             
   IZ15430 THE SECURITY MANAGER NEEDS TO BE ABLE TO ACCEPT A
          DIFFERENT ALGORITHM WHEN SSL IS BEING ENABLED ON AIX
  
   In addition to applying the Interim Fix, the following additional
   steps need to take place. Which is in addition to the changes customer
   has already made (per the SM_HowToSSL_new.txt previously provided).

   1. Backup and then Update the SM_servletservice.props file, which is 
   located under directory $NCHOME/security/etc
   Insert the following lines anywhere in the file:
   impact.ssl.algorithm=IbmX509
   impact.ssl.protocol=SSL
   - The above will resolve the issue where the Security Manager is 
   reporting a problem in the SM_server.log trying to locate and use the
   SunX509 algorithm.

   2. Backup and then Update the server.xml file, which is located under
   directory $NCHOME/guifoundation/conf
   Insert the following line anywhere in the Connector section for port
   8443 (or whatever you are using for SSL):
   algorithm="IbmX509"
   also edit the following line
   sslProtocol="TLS" to sslProtocol="SSL"
   - The above will resolve the issue where the tomcat.log is reporting
   a problem trying to locate and use the SunX509 algorithm. 


  IZ16407 SM silent install
          The documentation is missing the silent response  file installation
          procedure for Netcool Security Manager 1.4.

    This is an example xml file containing the changes that you can make 
     to the security manager during silent install.

     <?xml version="1.0" ?>
     <CommonInstaller version="1.0">
     <!-- This is an example of the changes that you can make to the project 
     itself.-->
     <features>
     <feature id="Installer" selected="true" /></features>
     <properties>
	 <property name="NCHOME.INSTALLDIR" value="[$NCHOME]" description=
        "NCHOME default destination folder." />
       <property name="NCSM0.AUTH" value="0" description="Type of 
        authentication to use 0=ObjectServer, 1=LDAP, 2=NIS" />
       <property name="OBJECTSERVER0.HOST" value="localhost" description=
         "ObjectServer Host" />
       <property name="OBJECTSERVER0.PORT" value="4100" description=
         "ObjectServer Port" regexp="^[1-9][0-9]*$" />
       <property name="OBJECTSERVER0.USERNAME" value="root" description= 
         "ObjectServer Username" />
       <property name="OBJECTSERVER0.PASSWORD" value="" description=
         "ObjectServer Password" />
       <property name="NCSM0.LDAPUID" value="uid" description=
         "LDAP User ID" />
       <property name="NCSM0.LDAPBASECONTEXTUSERS" value="bcu" description=
         "LDAP Base Context Users" />
       <property name="NCSM0.LDAPGROUPNAME" value="cn" description= 
         "LDAP Group Name" />
       <property name="NCSM0.LDAPBASECONTEXTGROUPS" value="bcg" description=
         "LDAP Base Context Groups" />
       <property name="NCSM0.LDAPGROUPFILTER" value="uniquemember=uid" 
         description="Group Filter" />
       <property name="NCSM0.LDAPNOVELL" value="false" description="Novell
         or Microsoft Server" />                        
       <property name="NCSM0.LDAPHOST" value="" description="LDAP Host" />
       <property name="NCSM0.LDAPPORT" value="" description="LDAP Port"
        regexp="^[1-9][0-9]*$" />
       <property name="NCSM0.LDAPUSERNAME" value="" description=
         "LDAP Username" />
       <property name="NCSM0.LDAPPASSWORD" value="" description=
         "LDAP Password" />
       <property name="NCSM0.NISDOMAIN" value="" description=
         "NIS Domain for Authentication" />
       <property name="NCSM0.HOST" value="localhost" description=
         "Security Manager Host"/>
       <property name="NCSM0.PORT" value="1275" description=
         "Security Manager Port" regexp="^[1-9][0-9]*$" />
       <property name="NCSM0.HTTPPORT" value="8077" description=
         "Security Manager HTTP Port" regexp="^[1-9][0-9]*$" />
       <property name="NCSM0.DBPORT" value="5600" description=
         "Security Manager DB Port" regexp="^[1-9][0-9]*$" />
       <property name="LICENSESERVER.HOST" value="localhost" visible=
         "false" description="License Server Host" />
       <property name="LICENSESERVER.PORT" value="27000" visible=
         "false" description="License Server Port" regexp=
         "^[1-9][0-9]*$" />             
       <property name="NCSM0.USEAPPREG" value="false" description=
         "Use Application Registry" regexp="true|false" />
       <property name="NCSM0.APPREG.NAME" value="NCSM-1" description=
         "Application Registry Name" />
       <property name="NCSM0.APPREG.HOST" value="localhost" description=
         "Application Registry Host" />
       <property name="NCSM0.APPREG.PORT" value="8080" description=
         "Application Registry Port" regexp="^[1-9][0-9]*$" />
       <property name="NCSM0.APPREG.LOCATION" value="/registry/services"
         description="Application Registry Location" />
       <property name="NCSM0.APPREG.USERNAME" value="admin" description=
        "Application Registry Username" />
       <property name="NCSM0.APPREG.PASSWORD" value="netcool" description=
        "Application Registry Password" />
	</properties>
      </CommonInstaller>


 IZ17354 SM 1.4 ERRORS WITH LDAP SERVER NAME CONTAINING "-"
          User is unable to specify a hostname containing the "-" character ,
          when setting up their Security Manager(SM) 1.4 definitions.

 IZ20881 RESYNCH OF THE SECURITY MANAGER 1.4 DATABASE DON'T WORK ON A
          FAILOVER CONFIGURATION
          This issue has been fixed.

 IZ21266 SECURITY MANAGER DOES NOT INSTALL ON AIX 6.1
         Allow Security manager to be installed on AIX 6.1

 IZ22951 "ncsm_db" COMMAND LINE DOES NOT WORK ON WINDOWS
         The documentation needs to incidate that "ncsm_db.bat" command line
         does not work on Windows operating system. Pages 12 and 20 of the 
         Security Manager 1.4 Installation Guide should indicate that the 
         command line options involving "ncsm_db" only work on Unix/Linux 
         OS's. 

	   To backup the security manager database on Windows the operator 
         should manually copy the %NCHOME%\security\db\security.script file 
         and save it to another location.




====================================================================

Installation, migration, upgrade and configuration information:
---------------------------------------------------------------

   * Hardware and software requirements:

      Please refer to the 1.4.0 Release Notes for a full description
      of all the hardware and software requirements of the product.

   * Dependencies:

      IBM Tivoli Netcool / Security Manager version 1.4.0

   * Superceeded fixes:

      1.4.0.0-TIV-NCSM-IF0001
      1.4.0.0-TIV-NCSM-IF0002
	  1.4.0.0-TIV-NCSM-IF0003

      
   * Special considerations:

      1)Backup the current server data before installing the patch
      
   * Extracting this Interim fix:

      1. Copy the file 1.4.0.0-TIV-NCSM-<platform>-IF0004a.tar.gz to your 
         system
      2. Unzip the file with the command
         gunzip 1.4.0.0-TIV-NCSM-<platform>-IF0004a.tar.gz 
         You should get a tar file - 1.4.0.0-TIV-NCSM-<platform>-IF0004a.tar
      3. Unpack the file with the command:
         tar -xvf 1.4.0.0-TIV-NCSM-<platform>-IF0004a.tar        
   
 Installation 
 -------------

    In a failover environment the interim fix should be installed on both the 
    primary and backup security managers.

 UNIX
    Enter the following command to install this fix interactively. 
    The placeholder <arch> should be replaced with the string 
    identifying your platform.

  $NCHOME/install/ncisetup -install 1.4.0.0-TIV-NCSM-<arch>-IF0004a.jar

    Enter the following command to install this fix non-interactively. 
    The placeholder <arch> should be replaced with the string 
    identifying your platform.

  $NCHOME/install/ncisetup -install 1.4.0.0-TIV-NCSM-<arch>-IF0004a.jar -silent

 WINDOWS
    Unzip 1.4.0.0-TIV-NCSM-win32-IF0004a.zip and double-click setup.exe 
    to install this fix.

      
============================================================================

   Notices:

    This information was developed for products and services offered 
    in the U.S.A. IBM may not offer the products, services, or 
    features discussed in this document in other countries. Consult 
    your local IBM representative for information on the products 
    and services currently available in your area. Any reference to 
    an IBM product, program, or service is not intended to state or 
    imply that only that IBM product, program, or service may be 
    used. Any functionally equivalent product, program, or service 
    that does not infringe any IBM intellectual property right may be
    used instead. However, it is the user’s responsibility to 
    evaluate and verify the operation of any non-IBM product, 
    program, or service.

    IBM may have patents or pending patent applications covering 
    subject matter described in this document. The furnishing of this 
    document does not give you any license to these patents. You can 
    send license inquiries, in writing, to:

    IBM Director of Licensing 
    IBM Corporation
    North Castle Drive
    Armonk, NY 10504-1785 U.S.A.

    For license inquiries regarding double-byte (DBCS) information, 
    contact the IBM Intellectual Property Department in your country 
    or send inquiries, in writing, to:

    IBM World Trade Asia Corporation
    Licensing
    2-31 Roppongi 3-chome, Minato-ku
    Tokyo 106, Japan

    The following paragraph does not apply to the United Kingdom or 
    any other country where such provisions are inconsistent with 
    local law:

    INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
    PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
    EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
    WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
    FOR A PARTICULAR PURPOSE.

    Some states do not allow disclaimer of express or implied 
    warranties in certain transactions, therefore, this statement 
    might not apply to you.

    This information could include technical inaccuracies or 
    typographical errors. Changes are periodically made to the 
    information herein; these changes will be incorporated in new 
    editions of the publication. IBM may make improvements and/or 
    changes in the product(s) and/or the program(s) described in this
    publication at any time without notice.

    Any references in this information to non-IBM Web sites are 
    provided for convenience only and do not in any manner serve as 
    an endorsement of those Web sites. The materials at those Web 
    sites are not part of the materials for this IBM product and use 
    of those Web sites is at your own risk.

    IBM may use or distribute any of the information you supply in 
    any way it believes appropriate without incurring any obligation 
    to you.
 
    Licensees of this program who wish to have information about it  
    for the purpose of enabling: (i) the exchange of information 
    between independently created programs and other programs 
    (including this one) and (ii) the mutual use of the information 
    which has been exchanged, should contact:

    IBM Corporation
    2Z4A/101
    11400 Burnet Road
    Austin, TX 78758 U.S.A.

    Such information may be available, subject to appropriate terms 
    and conditions, including in some cases payment of a fee.

    The licensed program described in this document and all licensed 
    material available for it are provided by IBM under terms of the 
    IBM Customer Agreement, IBM International Program License 
    Agreement or any equivalent agreement between us.

    Any performance data contained herein was determined in a 
    controlled environment. Therefore, the results obtained in other 
    operating environments may vary significantly. Some measurements 
    may have been made on development-level systems and there is no 
    guarantee that these measurements will be the same on generally 
    available systems. Furthermore, some measurement may have been
    estimated through extrapolation. Actual results may vary. Users 
    of this document should verify the applicable data for their 
    specific environment.

    Information concerning non-IBM products was obtained from the 
    suppliers of those products, their published announcements or 
    other publicly available sources. IBM has not tested those 
    products and cannot confirm the accuracy of performance, 
    compatibility or any other claims related to non-IBM products. 
    Questions on the capabilities of non-IBM products should be 
    addressed to the suppliers of those products.

    All statements regarding IBM’s future direction or intent are 
    subject to change or withdrawal without notice, and represent 
    goals and objectives only.

    This information may contain examples of data and reports used in 
    daily business operations. To illustrate them as completely as 
    possible, the examples include the names of individuals, 
    companies, brands, and products. All of these names are 
    fictitious and any similarity to the names and addresses used by 
    an actual business enterprise is entirely coincidental.

    COPYRIGHT LICENSE:

    This information may contain sample application programs in 
    source language, which illustrate programming techniques on 
    various operating platforms. You may copy, modify, and distribute 
    these sample programs in any form without payment to IBM, for the 
    purposes of developing, using, marketing or distributing 
    application programs conforming to the application programming 
    interface for the operating platform for which the sample 
    programs are written. These examples have not been thoroughly 
    tested under all conditions. IBM, therefore, cannot guarantee or
    imply reliability, serviceability, or function of these programs. 
    You may copy, modify, and distribute these sample programs in any 
    form without payment to IBM for the purposes of developing, 
    using, marketing, or distributing application programs conforming
    to IBMs application programming interfaces.


   Trademarks:

    The following terms are trademarks of International Business 
    Machines Corporation in the United States, other countries, or 
    both: IBM, IBM logo, Tivoli, Tivoli logo, AIX, AOC/MVS, APPN, 
    CICS, CICSPlex, CICS/ESA, DB2, DB2 Universal Database, DFSMShsm, 
    Domino, DB2 Universal Database, IMS, IMS/ESA, Informix, MQSeries, 
    MVS, MVS/ESA, NetView, NWays, OS/390, RACF, RMF, SNA/APPN, 
    SecureWay, Tivoli Enterprise, Tivoli Enterprise Console, Tivoli
    Management Environment, TME 10, VTAM, WebSphere, z/OS.
 
    UNIX is a registered trademark of The Open Group in the United 
    States and other countries.

    Microsoft, Windows, Windows NT, and the Windows logo are 
    trademarks of Microsoft Corporation in the United States, other 
    countries, or both.

    Java and all Java-based trademarks and logos are trademarks or 
    registered trademarks of Sun Microsystems, Inc. in the United 
    States and other countries.

    Pentium is a registered trademark of Intel in the United States 
    and other countries. Other company, product, or service names may 
    be trademarks or service marks of others.

 ====================================================================