This document contains
information about the fixes addressed by IBM Tivoli Access Manager for
Enterprise Single Sign-On (TAM E-SSO) 6.00 Rollup F Fix Pack 7, as well as a
list of known issues, if applicable. It also provides instructions for
installing and uninstalling this fix pack.
Contents:
This section contains the
list of issues addressed in this fix pack with the corresponding tracking
numbers:
Cumulative
from Fix Pack 7
Fixed in fixPack 7 (fixpacks are cumulative)
APAR: IZ31114 [PMR: 67603,211,848]
Symptom: s5528: After a Windows logon, the Agent
intermittently did not respond to applications. If the user closed the Agent
and restarted it, the Agent responded. This occurred following installation of
Rollup F Fix Pack 5.
APAR: IZ31308 [PMR: 67605,211,848]
Symptom: s5532: The Agent waited 10 to 15 seconds
before injecting credentials into an application following creation of a new
logon.
APAR: IZ28923 [PMR: 67622,211,848]
Symptom: s5533: Trace logging now remains enabled
during a reboot, enhancing the ability to diagnose startup issues.
APAR: IZ31123 [PMR: 67623,211,848]
Symptom: s5537: The Agent failed to respond or
submitted only partial credentials to Java applications.
APAR: IZ28995 [PMR: 67709,211,848]
Symptom: s5580: The Agent did not detect updates
in Web pages that displayed frames dynamically.
APAR: IZ24456 [PMR: 66744,211,848]
Symptom: s5252: planview application shifts left when
credentials are injected.
APAR: IZ28214 [PMR: 67222,211,848]
Symptom: s5411: Password Change
Options - Auto w/Manual - setting won't hold after you select on template
No Associated APAR
Symptom: a11632: Trace Logging support has been
extended for the SSO GINA.
Cumulative
from Fix Pack 6
Fixed in fixPack 6 (fixpacks are cumulative)
APAR: IZ21848 [PMR: 17163,422,000] &
APAR: IZ22428 [PMR: 35957,122,000]
Symptom: s4764, s5108, s5188: An ssoShell.exe
failure during workstation shutdown caused display of the message, "The
application failed to initialize because the Windows station is shutting
down."
No Associated APAR
Symptom: s4837, s4963, s5153: Some Java
applications did not accept credentials entered by the Agent. See the Technical Note for more information.
No Associated APAR
Symptom: s5002: In the Japanese version of the Agent,
the text in the Retry Logon dialog box and the Submit button in the Change
Password dialog box was incorrect.
No Associated APAR
Symptom: s5309: The Agent did not set
a new password after multiple submission attempts. Instead, it injected the old
password in the New Password field.
No Associated APAR
Symptom: s5310: The Agent mistakenly
performed an Auto-Submit on host/mainframe
applications whose names had been changed in the Logon Manager.
No Associated APAR
Symptom: s5311: The Agent did not respond to a
Web application.
APAR: IZ29611 [PMR: 46367,122,000] & APAR: IZ25789 [PMR: 67011,211,848]
Symptom: s5320, s5360, s5369,
s5375:
A communication problem occurred between the GINA and authenticator during
startup.
No Associated APAR
Symptom: s5453: The Agent
sporadically caused browser windows to cease responding.
APAR: IZ28577 [PMR: 67661,211,848]
Symptom: s5560: The Agent recognized
a Change Password screen as a Logon screen under certain conditions when the application
window titles were the same.
No Associated APAR
Symptom: a11229: After Agent startup,
the first authentication request displayed the Primary Logon Method without
focus.
No Associated APAR
Symptom: a11259: A logon created with
the Learning Tool caused the Logon Chooser to launch, prompting the user to
choose from all Windows applications currently in the Logon Manager. This
occurred after installation of Rollup F Fix Pack 5.
No Associated APAR
Symptom: a11362: When using Mozilla Firefox, the Agent did
not respond to some Web applications whose templates were configured to use
matching.
No Associated APAR
Symptom: a11379: The Agent did not
respond to Java applications whose templates were configured to use matching.
Cumulative
from Fix Pack 5
Fixed in fixPack 5 (fixpacks
are cumulative)
APAR: IZ15477
[PMR: 65108,211,848]
Symptom: s5313, s5314, s5315, s5318, s5319: TAM E-SSO did not
disconnect completely from SAP, causing erratic behavior.
APAR: IZ16825
[PMR: 65490,211,848]
Symptom: s5316: did not inject the third or fourth field configured for a
Change Password form in a Web template.
No Associated APAR
Symptom: s4727: TAM E-SSO recognized a Change Password form as a Logon
form when multiple SAP forms were defined in the Administrative Console.
No Associated APAR
Symptom: s4912, s5126: TAM E-SSO did not recognize multiple
sessions of SAP applications.
No Associated APAR
Symptom: a10988: Trace logging for AD synchronization has been
enhanced.
No Associated APAR
Symptom: a11030: When multiple forms were used to define fields
within the same Windows application template, not all fields were available in
the Add New Logon dialog box.
Cumulative
from Fix Pack 4
Fixed in fixPack 4 (fixpacks
are cumulative):
APAR: IZ17943,
IZ19135 [PMRs: 21487,122,000;
42651]
Symptom: s5084, s5104, s5111: An ssoshell.exe synchronization process sporadically used nearly
100% of CPU time and did not exit.
No Associated APAR
Symptom: s4479: TAM E-SSO Provisioning Adapter caused a delay in loading TAM
E-SSO on system startup.
No Associated APAR
Symptom: s4857: TAM E-SSO responded very slowly to Web applications with a large
cumulative number of URL matches in Web templates. Performance varied depending
on the capacity of the workstation.
No Associated APAR
Symptom: s4964: The Agent terminated unexpectedly after credentials were
submitted to applications on all platforms when using SendKeys
using Journal Hook.
No Associated APAR
Symptom: s5052: Web pages did not immediately respond to the user following a
password change when using TAM E-SSO Provisioning Adapter.
No Associated APAR
Symptom: s5075: TAM E-SSO caused a browser page to scroll and display incorrectly
when responding to the page. New settings have been added to control TAM E-SSO
interaction with Web pages.
No Associated APAR
Symptom: s5083: "Registry is disabled" error message displayed during
Backup/Restore when the administrator disabled registry editing through a
policy.
No Associated APAR
Symptom: s5115, s5116: Caching credentials in TAM E-SSO Kiosk Adapter with Xyloc caused credentials to corrupt.
No Associated APAR
Symptom: s5141: SendKeys did not work correctly for a
password change.
No Associated APAR
Symptom: a11017: The Agent caused a 100% spike in CPU usage when the Wait for
synchronization at startup setting was turned off while performing an ADAM synchronization.
Cumulative
from Fix Pack 3
Fixed in fixPack 3 (fixpacks
are cumulative)
APAR: IZ18132 [PMR: 65757,033,000]
Symptom: s4726: TraceController.exe caused a browser to terminate unexpectedly
when capturing events at the "Debug" level.
No Associated APAR
Symptom: s5038: Using Oracle Internet Directory, users could not write Objects to
the People container.
No Associated APAR
Symptom: a10467: The AD synchronization dialog box occasionally displayed behind
the TAM E-SSO Kiosk Adapter desktop, creating the appearance that TAM E-SSO
Kiosk Adapter had stopped responding.
Cumulative
from Fix Pack 2
Fixed in fixPack 2 (fixpacks
are cumulative)
No APARs,
Internal Defects
No Associated APAR
Symptom: a10689: Using a SmartCard or Proximity Card
occasionally corrupted credentials with TAM E-SSO Kiosk Adapter.
No Associated APAR
Symptom: a10713: Settings for Proximity Card, RSA SecurID,
SecureDataStorage, and Smart Card have been added to
the Administrative Console.
No Associated APAR
Symptom: a10717: The Administrative Console with Fix Packs terminated unexpectedly
under
No Associated APAR
Symptom: a10739: Sphinx, Proximity Card, and RSA SecurID have been added to the Administrative Console under
the Kiosk Adapter > Session States > [session state name] >
Authenticators tab.
Cumulative
from Fix Pack 1
Fixed in fixPack 1 (fixpacks
are cumulative)
No APARs,
Internal Defects
No Associated APAR
Symptom: s4348: TAM E-SSO did not permit logon modification after the logon was
excluded from a credential-sharing group.
No Associated APAR
Symptom: s4521, s4778, s4797: TAM E-SSO did not recognize a password change form in a web
application.
No Associated APAR
Symptom: s4573: The TAM E-SSO Console terminated unexpectedly when generating a
customized MSI with templates included.
No Associated APAR
Symptom: a10120: A template that was created and added to a credential sharing
group could not be brought back to the TAM E-SSO Console after being exported
to the repository as an entlist.ini file.
No Associated APAR
Symptom: a10121: An ftulist that included a passphrase set and was exported to the repository did not
include the passphrase set when imported back to the
TAM E-SSO Console.
No Associated APAR
Symptom: a10173: The Console terminated unexpectedly when the user clicked the Edit
button to define SendKeys or SendKeys
using journal hooks for a Terminate list.
No Associated APAR
Symptom: a10414: TAM E-SSO did not perform a synchronization
after users changed their primary logon methods.
To help ensure a
satisfactory installation of this fix pack:
To install this fix pack
using the installation wizard:
To
install this fix pack manually:
where
[INSTALLDIR] is the directory where you installed v-GO SSO
and
[JAVAINSTALLDIR] is the directory where you installed your Java Runtime Environment.
You cannot uninstall this
fix pack. If for any reason you must uninstall the fix pack, you must uninstall
the TAM E-SSO product and reinstall. For more information on uninstalling TAM
E-SSO, see the TAM E-SSO Installation and Setup Guide.
The flags are located in
HKLM\SOFTWARE\Passlogix\Extensions\AccessManager and
are as follows:
JhoHierarchyProcessing
Determines which Java hierarchy events are recognized. Set the flag as follows:
HIERARCHY_EVENT_CHANGED = 0x1
The above value instructs the JHO to recognize all hierarchy events.
JhoEventWaitTimeout
Determines the event processing timeout for JHO controls (in milliseconds). The
default value of 0 instructs the JHO to wait indefinitely.
JhoWindowEventProcessing
Determines which Java window events are recognized. This flag is a
combination of the following values:
WINDOW_EVENT_OPENED = 0x1
WINDOW_EVENT_CLOSED = 0x2
WINDOW_EVENT_ACTIVATED = 0x4
WINDOW_EVENT_DEACTIVATED = 0x8
WINDOW_EVENT_CLOSING = 0x10
WINDOW_EVENT_ICONIFIED = 0x20
WINDOW_EVENT_DEICONIFIED = 0x40
By default, all window events are recognized.
JhoComponentProcessing
Determines which Java component events are recognized. This flag is a
combination of the following values:
COMPONENT_EVENT_SHOWN = 0x1
COMPONENT_EVENT_HIDDEN = 0x2
COMPONENT_EVENT_ADDED = 0x4
COMPONENT_EVENT_REMOVED = 0x8
By default, all component events are recognized.
JhoInjectType
Determines the injection type used by the JHO to
submit data to the controls. This flag takes one of the following values:
INJECT_TYPE_DEFAULT = 0
INJECT_TYPE_METHOD = 1
INJECT_TYPE_ACCESSIBLE = 2
INJECT_TYPE_NONACCESSIBLE = 3
INJECT_TYPE_ROBOT = 4
By default this flag is set to INJECT_TYPE_DEFAULT.
If you set JhoInjectType to INJECT_TYPE_DEFAULT, the
JHO attempts injection using each of following methods, in the order shown,
until injection is successful:
INJECT_TYPE_METHOD (if an appropriate set method had been found for the
control)
INJECT_TYPE_ACCESSIBLE (if the control supports accessibility)
INJECT_TYPE_NONACCESSIBLE
INJECT_TYPE_ROBOT
Note: For combo and list boxes, the JHO always uses INJECT_TYPE_METHOD.
We recommend the following default settings on new installations of v-GO SSO:
JhoWindowEventProcessing=0x3
JhoComponentProcessing=0xB
JhoHierarchyProcessing=0x0
These values instruct the JHO to recognize the following events:
WINDOW_EVENT_OPENED (0x1)
WINDOW_EVENT_CLOSED (0x2)
COMPONENT_EVENT_SHOWN (0x1)
COMPONENT_EVENT_HIDDEN (0x2)
COMPONENT_EVENT_REMOVED (0x8)