©Copyright International Business Machines Corporation 2007. All rights reserved. U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
NOTE: Before using this information and the product it supports, read the general information under Notices in this document.
This fix pack corrects problems in IBM Tivoli Federated Identity Manager Business Gateway, Version 6.1.1. It requires that IBM Tivoli Federated Identity Manager Business Gateway, Version 6.1.1, be installed. After installing this fix pack, your installation will be at level 6.1.1.1.
This fix pack package contains:
This fix pack is distributed as an electronic download from the IBM Support Web Site.
This fix pack package supports the same operating system releases as the Tivoli Federated Identity Manager Business Gateway 6.1.1 release that are listed in the Hardware and software requirements document.
ATTENTION: In March 2007, the following versions of HP-UX Integrity on Itanium® were added to the list of supported operating systems:
If you installed Tivoli Federated Identity Manager Business Gateway on either of these versions, the administration console will display the version number "6.1.1.1." However, this fix pack must be installed to ensure that the version is recognized by all components and future fix packs as 6.1.1.1.
None.
Tivoli Federated Identity Manager Business Gateway consists of three components that can be installed separately:
All components must be at the same level. Therefore, if you install a fix pack for one of the components, you must install that fix pack for the rest of the components. Components at one release level are not guaranteed to interoperate with components at a different release or fix pack level.
The following problems are corrected by this fix pack. For more information about the APARs listed here, refer to the Tivoli Federated Identity Manager Business Gateway support site.
Be aware of the following considerations before installing this fix pack:
The installation of this fix pack requires the use of the Tivoli Federated Identity Manager Update Installer. You must install the Update Installer before you can install the fix pack.
jar -xvf
to unzip the file or
download an unzip utility from the HPUX Connect site.The zip file contains:
For HP-UX, Linux®, Solaris®, and
AIX®, turn on the installer's execute bit by executing
chmod a+x *.bin
.
For graphical installation mode, type the appropriate installation command for your operating system:
./install_linux_ppc.bin
./install_linux_x86.bin
./install_linux_s390.bin
./install_aix_ppc.bin
./install_sol_sparc.bin
./install_hpux_ia64.bin
install_win32.exe
For text-only installation mode, type the appropriate installation command for your operating system:
./install_linux_ppc.bin -console
./install_linux_x86.bin -console
./install_linux_s390.bin -console
./install_aix_ppc.bin -console
./install_sol_sparc.bin -console
./install_hpux_ia64.bin -console
install_win32.exe -console
For silent installation mode:
Change the following variables, as needed:
-P installLocation="/opt/IBM/FIMUI"
The location where you want the Update Installer to be installed.
-W FIMLocation.TFIMLocationPath="$D(install)/IBM/FIM"
The location of Tivoli Federated Identity Manager Business Gateway.
$D(install)
is the default installation path (such
as C:\Program Files
for Windows®; /opt
for HP-UX, Linux®, Solaris®, and AIX®).
To specify a different path, replace $D(install)/IBM/FIM
with the correct absolute path.
./install_linux_ppc.bin -silent -options
response.rsp
./install_linux_x86.bin -silent -options
response.rsp
./install_linux_s390.bin -silent -options
response.rsp
./install_aix_ppc.bin -silent -options response.rsp
./install_sol_sparc.bin -silent -options
response.rsp
./install_hpux_ia64.bin -silent -options
response.rsp
install_win32.exe -silent -options response.rsp
The progress of the installation is shown.
Note: If you use the text-only installation mode, several exceptions might be displayed, such as:
exception: java.lang.SecurityException:
java.lang.Exception - protected system package 'java.lang'
However, these messages are for informational purposes only and do not adversely affect the installation of the Update Installer.
On each computer where you have a Tivoli Federated Identity Manager Business Gateway component installed, repeat these steps. Then, continue with the instructions in Installing the fix pack.
NOTE: Although it will not affect the installation of this fixpack, there is a defect in the TFIM Update Installer that could prevent installing any future fix packs for TFIM or TDI. Go to the TFIM Support page and search for a Technote entitled "TFIM Update Installer may fail for future fix packs" to see the corrective actions.
NOTE: Before installing this fix pack, be sure that you have reviewed the prerequisites in Before installing the fix pack.
After you have downloaded the fix pack and installed the Update Installer, you need to perform a few steps before you can run the installation program.
jar
-xvf
to unzip the file or download an unzip utility from the
HPUX Connect site.chmod +x *.sh
in the /script
directory.
variables
file
If security is enabled on the WebSphere Application Server
where Tivoli Federated Identity Manager Business Gateway is installed,
you must provide the appropriate passwords in the fix pack variables
file.
If security is not enabled, you can skip this step.
The file contains the following passwords:
TFIMRuntimeWASPassword=
TFIMRuntimeTrustedJksPassword=
TFIMRuntimeJksPassword=
TFIMConsoleWASPassword=
TFIMConsoleTrustedJksPassword=
TFIMConsoleJksPassword=
If the TFIM runtime is installed on the system, then the three TFIMRuntime passwords must be specified. If the TFIM console is installed on this system then the three TFIMConsole passwords must be specified. If both the runtime and the console are anywhere on this system then both sets of passwords must be given.
To provide the appropriate passwords:
variables
in the fix
pack /script
directory. ATTENTION: If you added passwords to the variables
file, as described here, the passwords are in plain text in this file.
Be sure to remove the passwords from this file to prevent a security
breach.
acsisrv
is running, as
follows:
ps -ef|grep acsisrv
/usr/ibm/common/acsi/bin/acsisrv.sh
-start
. Then ensure the service is running./script
subdirectory of the
directory where you unzipped the fix pack zip file.install.bat
on Windows systems./install.sh
for AIX, Solaris, Linux, or
HP-UX ATTENTION: If you added passwords to the variables
file, as described in Preparing the variables
file, the passwords are in plain text in this file. Be sure to
remove the passwords from this file to prevent a security breach.
The fixpack install automatically deploys the newly installed Tivoli Federated Identity Manager Business Gateway runtime. However, you should verify that the current deployed version is 6.1.1.1.
Runtime Information
----------------------------------------------
Current deployed version 6.1.1.1 [070406a]
Note: The number within the brackets [070406a]
might be different from this example.
If you want to return your installation to the state it was in prior to installing the fix pack, you can uninstall the fix pack.
ATTENTION -- When you remove the management service and runtime component fix pack, you will lose any configuration (domains, federations, and so on) that you added after the fix pack was installed.
acsisrv
is running, as
follows:
ps -ef|grep acsisrv
/usr/ibm/common/acsi/bin/acsisrv.sh
-start
. Then ensure the service is running. variables
file that was used when the fix pack was installed, edit the file and
add the appropriate passwords. Then save and close the file./script
directory and the type the
uninstall command:
uninstall.bat
on Windows systems./uninstall.sh
for AIX, Solaris, Linux, or HP-UXThe uninstall process will remove the fix pack and revert to the previous versions of files that were changed by the fix pack.
For example, if you had installed fix pack 1 onto a Tivoli Federated Identity Manager Business Gateway 6.1.1.0 system, then after uninstalling fix pack 1 you would see the following:
Suite Name Version
----------------------------------------------------------
Tivoli Federated Identity Manager 6.1.1.0 [050428a]
Note: If you uninstalled the fix pack on an Itanium system, the version number displayed will be 6.1.1.1 even after you uninstall the fix pack.
Runtime Information
----------------------------------------------
Current deployed version 6.1.1.0 [061110a]
Note: The number within the brackets [061110a]
might be different from this example.
Note: If you uninstalled the fix pack on an Itanium system, the version number displayed will be 6.1.1.1 even after you uninstall the fix pack.
ATTENTION: Uninstalling the Update Installer will not remove the fix pack. See Uninstalling the fix pack for those instructions. Also, because the Update Installer will be used for future maintenance of Tivoli Federated Identity Manager Business Gateway, uninstalling the Update Installer is NOT recommended.
/_uninst
subdirectory
where the Update Installer was installed.uninstall.bin
on Windows systems./uninstall.bin
for AIX, Solaris, Linux, or HP-UXThe product documentation for Tivoli Federated Identity Manager Business Gateway, Version 6.1.1, can be found on the information center for IBM Tivoli Federated Identity Manager Business Gateway .
The management console for Tivoli Federated Identity Manager Business Gateway Version 6.1.1 does not have a GUI interface for adding a custom mapping module into a federation or partner trust chain. Fix pack 6.1.1-TIV-TFIMBG-FP0001 provides this GUI interface.
Background
Tivoli Federated Identity Manager Business Gateway provides wizards that build trust chains for SAML 1 federations. You must define trust chains when creating a federation and when adding a partner to a federation.
Trust chains convert user identity information from one token type to another token type. The conversion task includes use of an identity mapping module. Administrators use this module to define identity mapping tasks that are specific to their deployments.
Tivoli Federated Identity Manager Business Gateway provides a default mapping module that uses XSLT code to perform identity mapping. You have the option of replacing the default mapping module with a custom mapping module.
You must first develop the custom mapping module and then use the management console to add the module to the trust chain.
Solution summary
To add a custom mapping module:
Solution details:
Step 1: Develop your custom mapping module
This is a programming task that must be completed prior to configuring the module into the federation. You must write a Java(R) class for a new module type and install the class into the plug-ins directory for your domain.
For more information, see:
Step 2: Use the management console to create a new module type.
Step 3: Use the management console to create a new module instance.
Step 4: Use the management console to configure the custom mapping module instance into a trust chain
Step 4a: Create a new trust chain that contains the custom mapping module. Use this step when you are either:
The IBM Tivoli Federated Identity Manager Business Gateway Version 6.1.1 Administration Guide contains the necessary instructions. Use (search for) the instructions entitled "Use Custom Mapping Module Instance" that apply to your task and deployment. (Page numbers refer to the PDF® image):
Task and Deployment | Page # |
Creating your federation as the service provider | 123 |
Adding an identity partner to a federation | 129 |
Adding an identity provider partner manually | 134 |
Creating your federation as the identity provider | 137 |
Adding a service provider partner using metadata | 141 |
Adding a service provider partner manually | 144 |
Step 4b: Modify an existing trust chain to use the custom mapping module
Use this task when you want to modify an existing trust chain by replacing the default mapping module with your custom mapping module.
The IBM Tivoli Federated Identity Manager Business Gateway Version 6.1.1 Administration Guide contains the necessary instructions. Use (search for) the instructions entitled "Use Custom Mapping Module Instance" that apply to your task and deployment (Page numbers refer to the PDF image):
Task and Deployment | Page # |
Modifying federation properties | 162 |
Modifying partner properties | 166 |
If you install a Tivoli Federated Identity Manager Business Gateway component to the system after the fix pack has been applied, you must reinstall the fix pack on that system, so that all components are at the same level.
To re-apply the fixpack:
<TFIM UPDATE INSTALLER>/DE/test/
<TFIM UPDATE INSTALLER>
is the directory
where the update installer was installed../addconsolefeat.sh
on AIX, Linux, Solaris, or
HP-UXaddconsolefeat.bat
on Windows./addmgmtfeat.sh
on AIX, Linux, Solaris, or HP-UXaddmgmtfeat.bat
on Windowsaddiisplugin.bat
on WindowsNone.
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information that has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:
AIX
IBM
IBM logo
iSeries
pSeries
S/390
Tivoli
Tivoli logo
xSeries
zSeries
Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Other company, product, and service names may be trademarks or service marks of others.