IBM(R) Tivoli(R) Access Manager for Operating Systems Agent for Solaris Zones
and AIX WPARS, Patch 6.0.0-TIV-PDOAG-FP0001 README
=============================================================================

(C) Copyright International Business Machines Corporation 2009.
All rights reserved.
U.S. Government Users Restricted Rights -- Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.

NOTE: Before using this information and the product it supports, read the
general information under "NOTICES" in this document.

Created/Revised by   Date of Creation/Update   Summary of Changes
------------------   -----------------------   ------------------
SVK                  September 22, 2009        Document Created

------------------------------------------------------------------------------

CONTENTS

1.0 ABOUT THIS PATCH
    1.1 Patch contents
    1.2 Architectures
    1.3 Patches superseded
    1.4 Dependencies
2.0 APARS AND DEFECTS FIXED
    2.1 Problems fixed by patch 6.0.0-TIV-PDOAG-FP0001
3.0 BEFORE INSTALLING THIS PATCH
    3.1 Back up Tivoli Access Manager for Operating Systems Agent data
4.0 INSTALLING THIS PATCH
    4.1 Installing this patch on AIX systems
    4.2 Installing this patch on Solaris Operating Environment systems
5.0 UNINSTALLING THIS PATCH
6.0 AFTER INSTALLING THIS PATCH
    6.1 Verifying patch level
7.0 DOCUMENTATION UPDATES
8.0 SOFTWARE LIMITATIONS
    8.1 SWAP Filesystems do not support extended access control lists (ACLs)
    8.2 Globalization
    8.3 Solaris login activity policy for the root user
    8.4 AIX GPFS™
    8.5 AIX Clogin and Solaris Zlogin Behavior
9.0 KNOWN PROBLEMS AND WORKAROUNDS
    9.1 Known issues
        9.1.1 System resource usage during policy application
    9.2 Workarounds/Troubleshooting
        9.2.1 Pluggable Authentication Module Parameters
10.0 NOTICES
    10.1 Trademarks

*****************************************************************************
*****************************************************************************

1.0 ABOUT THIS PATCH
--------------------

This patch package contains fixes
for problems in Tivoli Access Manager for Operating Systems (TAMOS) Agent for:

1) Solaris 10 SPARC global zone and zones (whole root and sparse root)
2) AIX 6.1 global environment and system WPARs

This patch requires that IBM Tivoli Access Manager for Operating Systems
Agent Version 6.0 already be installed successfully on the above platforms.

1.1 Patch contents

This patch contains:
- This README file
- Update patch packaging for TAMOS Agent for Solaris Zones and AIX WPARS

1.2 Architectures

This patch package applies to the following architectures:
- AIX 6.1
- Solaris 10 SPARC systems

1.3 Patches superseded

Patches superseded by this patch: None

1.4 Dependencies

IBM Tivoli Access Manager for Operating Systems Agent for Solaris Zones and
AIX WPARS, Version 6.0.0.0

2.0 APARS AND DEFECTS FIXED
---------------------------

2.1 Problems fixed by patch 6.0.0-TIV-PDOAG-FP0001

Internal Defect 89764
Symptom: PDOSCFG DOESN'T UPDATE KDB AFTER RECONFIG
Forward ported from TAMOS APAR IZ15908
When reconfiguring TAMOS after the LDAP server's SSL certificate has been
changed, the pdoscfg command does not update the kdb file.

Internal Defect 89766
Symptom: POP EXTENDED ATTRIBUTES AUDIT_PERMIT_ACTIONS
Forward ported from TAMOS APAR IZ17511
The pdosd daemon eventually dumps core because it exceeds the process size
limit when audit_permit and audit_deny actions are defined and the resource
is accessed repeatedly.

Internal Defect 89767
Symptom: PDOSD NOT TERMINATING DUE TO PROTECTED THRDS
Forward ported from TAMOS APAR IZ22320
"rc.osseal stop" reports that PDOSD did not terminate within 180 seconds,
and PDOSD will not terminate using the "kill -9" command.

Internal Defect 89719
Symptom: COMPRESSED AUDIT LOG FILES RENAMED V3700
Forward ported from TAMOS APAR IZ23251
Compressed backup audit.log files are being tagged with v3700.
For example, audit.log.YYYY-MM-DD-HH-MM-SS.Z is renamed to
v3700.audit.log.YYYY-MM-DD-HH-MM-SS.Z.

Internal Defect 91015
Symptom: VARIABLES DECLARED WITHOUT A TYPE IN CAS_INT.C

Internal Defect 91428
Symptom: REFRESH BUNDLED JRE TO THE 5.0 SERVICE REFRESH 9-SSU

APAR IZ53211
Symptom: COMMANDS RUN WITH PDOSSUDO ON AN ITAMOS AGENT CREATE FILES WITH
When running commands with pdossudo on an iTAMOS Agent, all files are
created with group ownership of 'OSSEAL'. On the full install of iTAMOS
the group ownership is always the primary group of the executor.

Internal Defect 91745
Symptom: PDOSLRD EXPERIENCING SEGMENTATION FAULT
Forward ported from TAMOS APAR IZ51229
pdoslrd experiences a segmentation fault while using sudo commands.

APAR IZ53881
Symptom: LOGIN-MAXPASSWORDDAYS OF "0" FOR TAMOS AGENT ON SOLARIS PLACES
When setting Login-MaxPasswordDays to "0" for specific accounts (to prevent
password expiration), the applicable field for the account's record in
/etc/shadow is populated with a "0", as opposed to being left null
(unpopulated).

APAR IZ53957
Symptom: TAMOS AGENT 6.0 ON SOLARIS 10 ZONES RESULTS IN ILLEGAL MODULE
OPTION ERROR FROM SSH DAEMON, AND SSH LOGIN FAILURES.
A comment appended to a line in /etc/pam.conf was generating error messages
in /var/adm/messages because the comment was treated as a module option.

3.0 BEFORE INSTALLING THIS PATCH
--------------------------------

Before installing this patch, review the following prerequisites and
dependencies.

3.1 Back up Tivoli Access Manager for Operating Systems Agent data

Before applying any maintenance, be sure to back up your system. Use the
pdosbackup command provided with the TAMOS Agent product to back up TAMOS
Agent-specific data. Documentation for the pdosbackup command is located in
the "IBM Tivoli Access Manager for Operating Systems Administration Guide,
Version 6.0."
4.0 INSTALLING THIS PATCH
-------------------------

NOTE: Before installing this patch, be sure that you have reviewed the
prerequisites and have completed the backup procedure in section 3.0,
"BEFORE INSTALLING THIS PATCH".

This README assumes that $PATCH is the path to your temporary directory.

4.1 Installing this fixpack on AIX systems

Note: The TAMOS Agent daemons must be stopped and the fixpack installed on
the global environment and on each of the system's WPARs independently.

1. Log in to the system as root.

2. Extract the archive into a temporary directory. For the purpose of this
   README, assume that the symbol $PATCH points to this temporary directory.

   # uncompress 6.0.0-TIV-PDOAG-AIX-FP0001.tar.Z
   # tar -xvf 6.0.0-TIV-PDOAG-AIX-FP0001.tar

3. Stop the Tivoli Access Manager for Operating Systems processes.

   # rc.osseal stop

4. At the command prompt, enter the following:

   # installp -a -g -X -d $PATCH/PDOS.agent_6.0.0.1.bff PDOS.agent

5. Restart the Tivoli Access Manager for Operating Systems Agent processes:

   # rc.osseal start

4.2 Installing this fixpack on Sun Solaris Operating Environment systems

Note: If the original TAMOS Agent package was installed independently on
each zone, the fixpack should be installed on the system zones
independently. If, however, the original TAMOS Agent package was installed
on the global zone (without the pkgadd -G option), automatically installing
it on non-global zones, the TAMOS Agent daemons should be stopped in each
of the non-global zones independently before the fixpack is installed on
the global zone (which will automatically install it on all other system
zones). Also, before installing the fixpack on the Solaris 10 global zone,
be aware of any sparse root zones sharing the global zone file systems and
stop the TAMOS Agent daemons in each such zone independently.

1. Log in to the system as root.

2. Extract the archive into a temporary directory.
   For the purpose of this README, assume that the symbol $PATCH points to
   this temporary directory.

   # uncompress 6.0.0-TIV-PDOAG-Solaris-FP0001.tar.Z
   # tar -xvf 6.0.0-TIV-PDOAG-Solaris-FP0001.tar

3. Stop the Tivoli Access Manager for Operating Systems Agent processes.

   # rc.osseal stop

4. At the command prompt, enter the following:

   # cd $PATCH

   a) Installation only on the global zone (without propagating the changes
      to other zones):

      # patchadd -G PDOSAGENT000600-01

   b) Installation on zones (whole root and sparse root); when executed
      from the global zone, this also propagates the patch to the other
      zones:

      # patchadd PDOSAGENT000600-01

5. Restart the Tivoli Access Manager for Operating Systems processes:

   # rc.osseal start

5.0 UNINSTALLING THIS PATCH
---------------------------

To remove the fixpack on UNIX systems, perform the following steps.

1. Log in to the system as root.

2. Stop the TAMOS processes.

   # rc.osseal stop

3. At the command prompt, enter the following:

   AIX, reject the applied fixpack:

   Note: The TAMOS Agent daemons must be stopped and the fixpack rejected
   from the global environment and from each of the system's WPARs
   independently.

   # installp -r PDOS.agent

   Solaris, remove the fixpack:

   Note: If the original TAMOS Agent package and the fixpack were installed
   independently on each zone, the fixpack can be removed from one or more
   of the system zones independently. If, however, the original TAMOS Agent
   package and the fixpack were installed on the global zone (without the
   pkgadd -G option), automatically installing them on non-global zones,
   the TAMOS Agent daemons should be stopped in each of the non-global
   zones independently before the fixpack is removed from the global zone
   (which will automatically remove it from all other system zones). Also,
   before removing the fixpack from the Solaris 10 global zone, be aware of
   any sparse root zones sharing the global zone file systems and stop the
   TAMOS Agent daemons in each such zone independently.
   a) Removing the patch only from the global zone (and NOT from the other
      zones):

      # patchrm -G PDOSAGENT000600-01

   b) Removing the patch from individual zones, or removing the patch from
      all zones and the global zone too while logged on to the global zone:

      # patchrm PDOSAGENT000600-01

      Note: While removing the patch from the Solaris 10 global
      environment, be sure that the same code is not being executed on a
      sparse root zone.

   c) Uninstalling patch PDOSAGENT000600-01 from the global zone such that
      it propagates the uninstall to the non-global zones that have patch
      PDOSAGENT000600-01 applied: if the PDOS daemons are running on the
      non-global zones, this uninstall from the global zone is not able to
      check for the daemons running in the non-global zones and will
      uninstall from the non-global zones anyway. If you wish to uninstall
      only from the global zone, use the command specific to uninstallation
      in the global zone:

      # patchrm -G PDOSAGENT000600-01

      If you wish the uninstall to propagate through all the non-global
      zones when executed from the global zone, follow these steps for a
      clean and successful uninstall:

      1. Make sure that the PDOS daemons are stopped on all zones (the
         global zone as well as the non-global zones):

         # rc.osseal stop

         To check whether the daemons are stopped or running, use:

         # pdosctl -s

      2. Then execute the patch uninstall from the global zone, which
         propagates the uninstall to all the zones:

         # patchrm PDOSAGENT000600-01

6.0 AFTER INSTALLING THE PATCH
------------------------------

Complete the following tasks after you have installed the patch.

6.1 Verifying fixpack level

The best method of determining the fixpack level on a system is to run the
pdosversion command. The current fixpack version is on the "pdosversion"
line of the output.
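The README's sample pdosversion output follows below. As an added check that is not part of this README or of the TAMOS Agent product, the Python script here parses output in that format (component name, version, build id in parentheses) and reports any component still below the 6.0.0.1 fixpack level, which is what an administrator wants to confirm in every zone or WPAR after the patch, not just on the "pdosversion" line. PATCHED_OUTPUT is copied from section 6.1 of this README; MIXED_OUTPUT is a constructed sample with an invented build id, and the function names are this example's own.

```python
"""Verify the TAMOS Agent fixpack level from pdosversion output.

Added example, not part of the IBM README or product. It parses the output
format that pdosversion prints (component name, version, build id in
parentheses) and reports components still below the expected fixpack level.
"""
import re
from typing import Dict, List, Optional, Tuple

# Fixpack level that 6.0.0-TIV-PDOAG-FP0001 installs (from the README).
EXPECTED_FIXPACK = "6.0.0.1"

# Sample output copied from section 6.1 of the README (prompt line omitted).
PATCHED_OUTPUT = """\
IBM Tivoli Access Manager for Operating Systems Agent 6.0.0
pdosversion      6.0.0.1 (090921c)
libosseald       6.0.0.1 (090921a)
libosseal        6.0.0.1 (090921a)
LRD_AuditInput   6.0.0.1 (090921a)
LRD_EmailOutput  6.0.0.1 (090921a)
LRD_FileOutput   6.0.0.1 (090921a)
LRD_NetOutput    6.0.0.1 (090921a)
"""

# Constructed sample (invented build id "000000x"): a partially applied
# fixpack where one shared library still reports the base 6.0.0.0 level.
MIXED_OUTPUT = """\
IBM Tivoli Access Manager for Operating Systems Agent 6.0.0
pdosversion      6.0.0.1 (090921c)
libosseald       6.0.0.0 (000000x)
libosseal        6.0.0.1 (090921a)
"""

# component, dotted version, build id; the product banner line has no "(...)"
_COMPONENT_LINE = re.compile(r"^(\S+)\s+(\d+(?:\.\d+)+)\s+\(([^)]*)\)\s*$")


def parse_pdosversion(text: str) -> Dict[str, Tuple[str, str]]:
    """Map component name -> (version, build id); non-matching lines are skipped."""
    components: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        match = _COMPONENT_LINE.match(raw.strip())
        if match:
            components[match.group(1)] = (match.group(2), match.group(3))
    return components


def version_tuple(version: str) -> Tuple[int, ...]:
    """Compare versions numerically so 6.0.0.10 sorts after 6.0.0.9."""
    return tuple(int(part) for part in version.split("."))


def fixpack_level(text: str) -> Optional[str]:
    """Version on the 'pdosversion' line, which the README names as the fixpack level."""
    entry = parse_pdosversion(text).get("pdosversion")
    return entry[0] if entry else None


def components_below(text: str, expected: str = EXPECTED_FIXPACK) -> List[str]:
    """Names of components whose version is lower than the expected fixpack."""
    return [name for name, (version, _build) in parse_pdosversion(text).items()
            if version_tuple(version) < version_tuple(expected)]


if __name__ == "__main__":
    for label, output in (("patched", PATCHED_OUTPUT), ("mixed", MIXED_OUTPUT)):
        stale = components_below(output)
        status = "OK" if not stale else "STALE: " + ", ".join(stale)
        print(f"{label}: pdosversion={fixpack_level(output)} {status}")
```

Run it against the captured output of `pdosversion` from each zone or WPAR; an empty `components_below` result means every listed component is at or above 6.0.0.1, while a non-empty list points at the zone where the daemons were still running (or the sparse root file system was still shared) when the patch was applied.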
   # pdosversion
   IBM Tivoli Access Manager for Operating Systems Agent 6.0.0
   pdosversion      6.0.0.1 (090921c)
   libosseald       6.0.0.1 (090921a)
   libosseal        6.0.0.1 (090921a)
   LRD_AuditInput   6.0.0.1 (090921a)
   LRD_EmailOutput  6.0.0.1 (090921a)
   LRD_FileOutput   6.0.0.1 (090921a)
   LRD_NetOutput    6.0.0.1 (090921a)

7.0 DOCUMENTATION UPDATES
-------------------------

The product documentation for Tivoli Access Manager for Operating Systems
Agent for Solaris Zones and AIX WPARS Version 6.0 can be found at the
following Web address (entered as one line):

http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi?CTY=US&FNC=SRX&PBL=SC23-9802-00

The document contains installation and configuration information, guidance
for defining policies, a comparison with TAMOS, a command reference, and
information for obtaining support for IBM products.

TAMOS Agent guide clarification for global audit levels

The TAMOS Agent Administration Guide has incorrect information regarding
supported global audit levels in the following sections:

1) TAMOS Agent Auditing, Chapter 4 - Comparisons with Tivoli Access Manager
   for Operating Systems 6.0, page 64. The text reads:

   "Global auditing can be enabled using the pdoscfg or pdosctl commands,
   exactly as is done with the Tivoli Access Manager for Operating System
   product. The TAMOS Agent supports a limited set of global audit levels.
   The following audit levels are supported:
      a. admin
      b. all
      c. deny
      d. logindeny
      e. info
      f. none
      g. permit
      h. verbose"

2) Appendix A. Command Reference, section "pdoscfg -audit_level". The text
   reads:

   "pdoscfg -audit_level audit_levels
   Specifies a comma-separated list of audit levels. The following values
   are valid:
      a. admin
      b. all
      c. deny
      d. logindeny
      e. loginpermit
      f. info
      g. none
      h. permit
      i. trace_file
      j. verbose"

In both places it should read:

   ... The following audit levels are supported (or: The following values
   are valid):
      a. admin
      b. all
      c. deny
      d. logindeny
      e. loginpermit
      f. info
      g. none
      h. permit
      i.
         verbose

8.0 SOFTWARE LIMITATIONS
------------------------

8.1 SWAP Filesystems do not support extended access control lists (ACLs)

On Solaris, the /tmp file system is often a swap file system. Swap file
systems do not support extended ACLs. Therefore the TAMOS Agent will not be
able to map access control policy to files or directories residing in a
swap file system.

8.2 Globalization

The TAMOS Agent endpoint assumes that, for the policy branches to which the
endpoint is configured, the defined policy is encoded in the same code page
as the local code page on the system. For example, if policy is authored
using UTF-8 multibyte character strings, the target TAMOS Agent systems
using that policy must be running in the UTF-8 code page.

8.3 Solaris login activity policy for the root user

As a special case, the default login failure limit is not applied to the
root user. The intention is to avoid locking the root user out of the
system, which may be difficult to recover from. A login failure limit may
be applied to the root user by creating a user exception in the policy
specifically for root.

8.4 AIX GPFS™

The TAMOS Agent product does not support managing the access control policy
for the AIX GPFS file system.

8.5 AIX Clogin and Solaris Zlogin Behavior

On AIX, a clogin(1) from the global WPAR to a non-global WPAR appears as a
remote login to the non-global WPAR. Therefore, remote login location
policy is applied.

On Solaris, a zlogin(1) from the global zone to a non-global zone appears
as a local login to the non-global zone. Therefore, local login location
policy is applied.
9.0 KNOWN PROBLEMS AND WORKAROUNDS
----------------------------------

9.1 Known issues and limitations

9.1.1 System resource usage during policy application

When the TAMOS Agent is processing a large number of policy objects (such as
during policy reconciliation, after policy branch reconfiguration, or after
policy changes that affect many files or users on the system), you may
observe high CPU usage on 1 or 2 CPUs as well as I/O activity when updating
file ACLs. This may continue for a few minutes, depending on the size of
the policy and the machine specifications. On low-end systems or systems
with limited RAM or CPU resources, this may impact other applications
running on the system.

9.2 Workarounds/Troubleshooting

9.2.1 Pluggable Authentication Module Parameters

The TAMOS Agent Pluggable Authentication Module (PAM) has two parameters
that can be useful for troubleshooting login enforcement: trace_string and
allow_relative_hostnames. These parameters are set in the /etc/pam.conf
file. The fifth and subsequent columns in the pam.conf file can be used to
set parameters to pass to the module. The pam_pdos_account entry may appear
multiple times in the /etc/pam.conf file, so it may be necessary to update
these parameters in multiple places in order to have a consistent
experience.

The allow_relative_hostnames parameter controls whether a login will be
evaluated against the policy or immediately denied when a relative host
name is provided to the TAMOS Agent PAM module. If this value is set to
yes, remote login attempts that contain relative host names will not be
automatically denied. Instead, the relative host name will be resolved (if
possible) and login policy will be evaluated. If the value is set to no, or
is not set, login attempts that contain relative host names will be
automatically denied. When the TAMOS Agent module is added to the
/etc/pam.conf file, this value is set to no.
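As an added example that is not part of this README or of the TAMOS Agent product, the following Python script audits the pam_pdos_account entries of a Solaris-style /etc/pam.conf along the lines the paragraphs above describe: it reads module options from the fifth and later columns, reports the effective allow_relative_hostnames value of each entry (unset behaves as "no"), flags entries that disagree with each other, flags a trailing '#' comment on a pam_pdos_account line (the condition behind APAR IZ53957 in section 2.1), and flags a trace_string left enabled. The pam.conf content is constructed, and the function and finding names are this example's own.

```python
"""Audit pam_pdos_account entries in a Solaris-style /etc/pam.conf.

Added example, not part of the IBM README or product. It parses pam.conf
lines of the form "service module_type control_flag module_path [options]"
and reports, for each pam_pdos_account entry, the effective
allow_relative_hostnames value, disagreement between entries, trailing '#'
comments (which agent levels before APAR IZ53957 treated as module options)
and any trace_string left enabled. Names are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PDOS_MODULE = "pam_pdos_account"

# Constructed sample pam.conf (not from a real system). Line numbers matter
# for the findings below: the pam_pdos_account entries are on lines 4-7.
SAMPLE_PAM_CONF = """\
# constructed sample, not a real system's pam.conf
login   auth    requisite  pam_authtok_get.so.1
login   account requisite  pam_roles.so.1
login   account required   pam_pdos_account allow_relative_hostnames=no
sshd    account required   pam_pdos_account allow_relative_hostnames=yes  # short names ok
other   account requisite  pam_pdos_account allow_relative_hostnames=no trace_string=out:pdosauthorize.9:FILE:/tmp/trace__other_pam.log
other   account required   pam_pdos_account
"""


@dataclass
class PamEntry:
    lineno: int
    service: str
    module_type: str
    control: str
    module: str
    options: Dict[str, str] = field(default_factory=dict)
    trailing_comment: bool = False


def parse_pam_conf(text: str) -> List[PamEntry]:
    """Parse pam.conf text; blank lines, comment lines and short lines are skipped."""
    entries: List[PamEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        body, hash_sign, _comment = line.partition("#")
        fields = body.split()
        if len(fields) < 4:
            continue  # malformed: needs service, type, control flag, module
        options: Dict[str, str] = {}
        for opt in fields[4:]:  # fifth and later columns are module options
            key, _, value = opt.partition("=")
            options[key] = value
        entries.append(PamEntry(lineno, fields[0], fields[1], fields[2], fields[3],
                                options, trailing_comment=bool(hash_sign)))
    return entries


def pdos_entries(entries: List[PamEntry]) -> List[PamEntry]:
    """Only the entries that load the TAMOS Agent account module."""
    return [e for e in entries if PDOS_MODULE in e.module]


def effective_relative_hostnames(entry: PamEntry) -> str:
    """Per the README, an unset allow_relative_hostnames behaves as 'no'."""
    return entry.options.get("allow_relative_hostnames", "no").lower()


Finding = Tuple[str, int, str]  # (code, line number or 0 for file-wide, message)


def audit_pam_conf(text: str) -> List[Finding]:
    """Findings about the pam_pdos_account entries in the given pam.conf text."""
    findings: List[Finding] = []
    pdos = pdos_entries(parse_pam_conf(text))
    if not pdos:
        return [("no-pdos-entry", 0, "no pam_pdos_account entry found")]
    by_value: Dict[str, List[str]] = {}
    for entry in pdos:
        by_value.setdefault(effective_relative_hostnames(entry), []).append(entry.service)
        if entry.trailing_comment:
            findings.append(("trailing-comment", entry.lineno,
                             "trailing '#' comment on a pam_pdos_account line; agent "
                             "levels before APAR IZ53957 parsed it as a module option"))
        if "trace_string" in entry.options:
            findings.append(("trace-enabled", entry.lineno,
                             f"trace_string={entry.options['trace_string']} is active; "
                             "remove it when troubleshooting is complete"))
    if len(by_value) > 1:
        detail = "; ".join(f"{v}: {', '.join(s)}" for v, s in sorted(by_value.items()))
        findings.append(("inconsistent-hostnames", 0,
                         "allow_relative_hostnames differs between entries (" + detail + ")"))
    return findings


if __name__ == "__main__":
    for code, lineno, message in audit_pam_conf(SAMPLE_PAM_CONF):
        where = f"line {lineno}" if lineno else "file"
        print(f"[{code}] {where}: {message}")
```

On the constructed sample the audit reports the sshd entry's trailing comment, the trace_string on the "other" entry, and that sshd allows relative host names while the other services deny them; running the same audit over a real /etc/pam.conf after an edit gives a quick consistency check across every pam_pdos_account line before the next login is tried.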
The trace_string parameter is used to configure dynamic trace for the
pdosauthorize utility, which performs the authorization decision for the
login event. The value of the trace string must be a valid trace routing
entry. An example TAMOS Agent /etc/pam.conf entry that sets trace is as
follows (entered as one line):

   other account requisite pam_pdos_account allow_relative_hostnames=no trace_string=out:pdosauthorize.9:FILE:/tmp/trace__other_pam.log

If a file is specified as the trace destination, the user that the login
program is running as must have permission to write to the file specified.

10.0 NOTICES
------------

This information was developed for products and services offered in the
U.S.A. IBM may not offer the products, services, or features discussed in
this document in other countries. Consult your local IBM representative for
information on the products and services currently available in your area.
Any reference to an IBM product, program, or service is not intended to
state or imply that only that IBM product, program, or service may be used.
Any functionally equivalent product, program, or service that does not
infringe any IBM intellectual property right may be used instead. However,
it is the user's responsibility to evaluate and verify the operation of any
non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give
you any license to these patents. You can send license inquiries, in
writing, to:

   IBM Director of Licensing
   IBM Corporation
   North Castle Drive
   Armonk, NY 10504-1785
   U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the
IBM Intellectual Property Department in your country or send inquiries, in
writing, to:

   IBM World Trade Asia Corporation
   Licensing
   2-31 Roppongi 3-chome, Minato-ku
   Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS
IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY
OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions; therefore, this
statement may not apply to you.

This information could include technical inaccuracies or typographical
errors. Changes are periodically made to the information herein; these
changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s)
described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those
Web sites. The materials at those Web sites are not part of the materials
for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the
purpose of enabling: (i) the exchange of information between independently
created programs and other programs (including this one) and (ii) the
mutual use of the information that has been exchanged, should contact:

   IBM Corporation
   2Z4A/101
   11400 Burnet Road
   Austin, TX 78758
   U.S.A.
Such information may be available, subject to appropriate terms and
conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer
Agreement, IBM International Program License Agreement or any equivalent
agreement between us.

Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments
may vary significantly. Some measurements may have been made on
development-level systems and there is no guarantee that these measurements
will be the same on generally available systems. Furthermore, some
measurements may have been estimated through extrapolation. Actual results
may vary. Users of this document should verify the applicable data for
their specific environment.

Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available
sources. IBM has not tested those products and cannot confirm the accuracy
of performance, compatibility or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be
addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to
change or withdrawal without notice, and represent goals and objectives
only.

This information contains examples of data and reports used in daily
business operations. To illustrate them as completely as possible, the
examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to the names and
addresses used by an actual business enterprise is entirely coincidental.
10.1 Trademarks

The following terms are trademarks or registered trademarks of
International Business Machines Corporation in the United States, other
countries, or both:

   AIX
   IBM
   IBM logo
   Tivoli
   Tivoli logo

Java and all Java-based trademarks and logos are trademarks of Sun
Microsystems, Inc. in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and
other countries.

Other company, product, and service names may be trademarks or service
marks of others.

End of IBM Tivoli Access Manager for Operating Systems, Patch
6.0.0-TIV-PDOAG-FP0001 README