IBM^®Tivoli^® Federated Identity Manager Business Gateway, Fix Pack 6.1.1-TIV-TFIMBG-FP0001 README

©Copyright International Business Machines Corporation 2007. All rights reserved. U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

NOTE: Before using this information and the product it supports, read the general information under Notices in this document.

About the fix pack

This fix pack corrects problems in IBM Tivoli Federated Identity Manager Business Gateway, Version 6.1.1. It requires that IBM Tivoli Federated Identity Manager Business Gateway, Version 6.1.1, be installed. After installing this fix pack, your installation will be at level 6.1.1.1.

Patch contents and distribution

This fix pack package contains:

The Update Installer installation program
Fix pack zip file

This fix pack is distributed as an electronic download from the IBM Support Web Site.

Architectures

This fix pack package supports the same operating system releases as the Tivoli Federated Identity Manager Business Gateway 6.1.1 release that are listed in the Hardware and software requirements document.

ATTENTION: In March 2007, the following versions of HP-UX Integrity on Itanium^® were added to the list of supported operating systems:

HP-UX 11iv2 (release date Sept 2006)
HP-UX 11iv3 (release date Feb 2007)

If you installed Tivoli Federated Identity Manager Business Gateway on either of these versions, the administration console will display the version number "6.1.1.1." However, this fix pack must be installed to ensure that the version is recognized by all components and future fix packs as 6.1.1.1.

Fix packs superseded by this fix pack

None.

Fix pack structure

Tivoli Federated Identity Manager Business Gateway consists of three components that can be installed separately:

Administration console
Management service and runtime component
Microsoft Internet Information Service plug-in

All components must be at the same level. Therefore, if you install a fix pack for one of the components, you must install that fix pack for the rest of the components. Components at one release level are not guaranteed to interoperate with components at a different release or fix pack level.

APARs and defects fixed

Problems fixed by fix pack 6.1.1-TIV-TFIMBG-FP0001

The following problems are corrected by this fix pack. For more information about the APARs listed here, refer to the Tivoli Federated Identity Manager Business Gateway support site.

APAR IY92604: SYMPTOM: After redeploying the runtime in Federated Identity Manager Business Gateway, the WebSphere role mappings are updated incorrectly. Authentication can be adversely affected.
Internal defect 74200: SYMPTOM: A memory leak might occur under a heavy load.
Internal defect 74201: SYMPTOM: The Federated Identity Manager Business Gateway console does not provide a way for custom map module plug-in to be used.
Internal defect 74203: SYMPTOM: In a custom map module, the setPrincipalName method does not update the STSUser instance correctly.
Internal defect 74217: SYMPTOM: Single sign-on fails when a SAML 1.x service provider has more than one identity provider partner configured.
Internal defect 74346: SYMPTOM: A VPD file cannot be created when using HP-UX 11i version 2.
Internal defect 74459: SYMPTOM: Thread issues occur during Liberty and SAML single sign-on actions.
Internal defect 74779: SYMPTOM: Using the WSSM wsdl2tfim tool with WebSphere Application Server 6.1.0.3 causes errors to occur.
Internal defect 74855: SYMPTOM: Sending SAML requests to the artifact service can cause an exception.
Internal defect 74909: SYMPTOM: Signature validation fails if the document contains two elements with the same ID.

Before installing the fix pack

Be aware of the following considerations before installing this fix pack:

Prerequisites

This fix pack requires that you have Tivoli Federated Identity Manager Business Gateway 6.1.1 and its prerequisites installed.

Update Installer

This fix pack requires the use of the Tivoli Federated Identity Manager Update Installer. You will need to install the Update Installer for your operating system on each computer where you will install the fix pack. Details about the Update Installer are described in Installing the update installer.

Fix pack packaging

The fix pack package is provided in a zip file for each supported platform. The downloadable zip file contains:

The Update Installer installation file
A zip file that contains the Tivoli Federated Identity Manager Business Gateway fix pack 1. The contents of the zip file are used by the Update Installer to apply the fixes to all of the installed Tivoli Federated Identity Manager Business Gateway components on the system you are updating.

Automatic creation of a backup directory

The Update Installer saves backup copies of the files that it replaces during the installation. You do not need to manually backup the Tivoli Federated Identity Manager Business Gateway files.

Installing the update installer

The installation of this fix pack requires the use of the Tivoli Federated Identity Manager Update Installer. You must install the Update Installer before you can install the fix pack.

Locate the appropriate zip file for your operating system in the Download section of the Support page where the fix pack download is located.

Download the file to each computer where you will install the fix pack.

Unzip the file using the unzip utility for your operating system. On HP-UX either use jar -xvf to unzip the file or download an unzip utility from the HPUX Connect site.

The zip file contains:

The update installer installation files
The fix pack zip file

Open a command prompt.

Change to the directory where you unzipped the file, and then:

For HP-UX, Linux^®, Solaris^®, and AIX^®, turn on the installer's execute bit by executing
chmod a+x *.bin.

For graphical installation mode, type the appropriate installation command for your operating system:
- ./install_linux_ppc.bin
- ./install_linux_x86.bin
- ./install_linux_s390.bin
- ./install_aix_ppc.bin
- ./install_sol_sparc.bin
- ./install_hpux_ia64.bin
- install_win32.exe
For text-only installation mode, type the appropriate installation command for your operating system:
- ./install_linux_ppc.bin -console
- ./install_linux_x86.bin -console
- ./install_linux_s390.bin -console
- ./install_aix_ppc.bin -console
- ./install_sol_sparc.bin -console
- ./install_hpux_ia64.bin -console
- install_win32.exe -console
For silent installation mode:
1. Modify the response.rsp file in the directory where you unzipped the fix pack:
  Change the following variables, as needed:
  
  -P installLocation="/opt/IBM/FIMUI"
  The location where you want the Update Installer to be installed.
  
  -W FIMLocation.TFIMLocationPath="$D(install)/IBM/FIM"
  The location of Tivoli Federated Identity Manager Business Gateway.
  $D(install) is the default installation path (such as C:\Program Files for Windows^®; /opt for HP-UX, Linux^®, Solaris^®, and AIX^®).
  To specify a different path, replace $D(install)/IBM/FIM with the correct absolute path.
2. Save and close the response.rsp file.
3. Type the appropriate installation command for your operating system:
  - ./install_linux_ppc.bin -silent -options response.rsp
  - ./install_linux_x86.bin -silent -options response.rsp
  - ./install_linux_s390.bin -silent -options response.rsp
  - ./install_aix_ppc.bin -silent -options response.rsp
  - ./install_sol_sparc.bin -silent -options response.rsp
  - ./install_hpux_ia64.bin -silent -options response.rsp
  - install_win32.exe -silent -options response.rsp
Follow the installation instructions as prompted. For example, you will be prompted to specify the directory where Tivoli Federated Identity Manager Business Gateway is installed if you are using the graphical or console installation methods.

The progress of the installation is shown.

Note: If you use the text-only installation mode, several exceptions might be displayed, such as:

exception: java.lang.SecurityException: java.lang.Exception - protected system package 'java.lang'

However, these messages are for informational purposes only and do not adversely affect the installation of the Update Installer.

On each computer where you have a Tivoli Federated Identity Manager Business Gateway component installed, repeat these steps. Then, continue with the instructions in Installing the fix pack.

NOTE: Although it will not affect the installation of this fixpack, there is a defect in the TFIM Update Installer that could prevent installing any future fix packs for TFIM or TDI. Go to the TFIM Support page and search for a Technote entitled "TFIM Update Installer may fail for future fix packs" to see the corrective actions.

Installing the fix pack

NOTE: Before installing this fix pack, be sure that you have reviewed the prerequisites in Before installing the fix pack.

After you have downloaded the fix pack and installed the Update Installer, you need to perform a few steps before you can run the installation program.

Unzipping the fix pack file
1. Locate the directory where you unzipped the file that contains the Update Installer and the fix pack zip file.
2. Use the unzip option of the zip program for your operating system to unzip the fix pack zip file. On HP-UX either use jar -xvf to unzip the file or download an unzip utility from the HPUX Connect site.
3. If you are using AIX, HP-UX, Linux, or Solaris, the execute permission flag is turned off on all the scripts (all .sh files). Before invoking any of these scripts make sure you turn on the execute permisison for all the scripts by executing chmod +x *.sh in the /script directory.
Preparing the variables file

If security is enabled on the WebSphere Application Server where Tivoli Federated Identity Manager Business Gateway is installed, you must provide the appropriate passwords in the fix pack variables file.

If security is not enabled, you can skip this step.

The file contains the following passwords:

TFIMRuntimeWASPassword=

The administrator login password to the WebSphere Application Server where the runtime is installed.

TFIMRuntimeTrustedJksPassword=

The password to the runtime's trust.p12 file.

TFIMRuntimeJksPassword=

The password to the runtime's Java keystore file.

TFIMConsoleWASPassword=

The administrator login password to the WebSphere Application Server where the console is installed.

TFIMConsoleTrustedJksPassword=

The password to the console's trust.p12 file.

TFIMConsoleJksPassword=

The password to the console's Java keystore file.

If the TFIM runtime is installed on the system, then the three TFIMRuntime passwords must be specified. If the TFIM console is installed on this system then the three TFIMConsole passwords must be specified. If both the runtime and the console are anywhere on this system then both sets of passwords must be given.

To provide the appropriate passwords:
1. Locate the file called variables in the fix pack /script directory.
2. Open the file in a text editor.
3. Specify the passwords that are used on the system on which you are installing the fix pack. Take care not to add trailing blanks to the password field; otherwise they will be included as part of the password.
ATTENTION: If you added passwords to the variables file, as described here, the passwords are in plain text in this file. Be sure to remove the passwords from this file to prevent a security breach.

Running the Update Installer
1. Ensure that the WebSphere Application Server that hosts the Tivoli Federated Identity Manager Business Gateway runtime and management service component is running.
2. Ensure that the WebSphere Application Server that hosts the Tivoli Federated Identity Manager Business Gateway console component is running.
3. Ensure that the service acsisrv is running, as follows:
  - For Windows:
    Check the Services console. If the IBM ADE service is not running, start it with the Start button.
  - For HP-UX, Linux, Solaris, or AIX:
    1. Open a command prompt.
    2. Type ps -ef|grep acsisrv
    3. If the service is running, you will see the process and an associated PID. Close the command prompt window.
      If the service is not running, type: /usr/ibm/common/acsi/bin/acsisrv.sh -start. Then ensure the service is running.
4. Open a command prompt.
5. Change to the /script subdirectory of the directory where you unzipped the fix pack zip file.
6. Type the installation command:
  - install.bat on Windows systems
  - ./install.sh for AIX, Solaris, Linux, or HP-UX
7. Press Enter.
8. The progress of the installation is shown. When the installation has completed, repeat these steps on each computer where the fix pack must be installed. Then continue with Deploying the fix pack runtime component.
ATTENTION: If you added passwords to the variables file, as described in Preparing the variables file, the passwords are in plain text in this file. Be sure to remove the passwords from this file to prevent a security breach.

Deploying the fix pack runtime component

The fixpack install automatically deploys the newly installed Tivoli Federated Identity Manager Business Gateway runtime. However, you should verify that the current deployed version is 6.1.1.1.

Log in to the console and click Tivoli Federated Identity Manager ->Manage Configuration ->Domain Properties. The details of the components installed in the domain are listed.

Review the Runtime Information.
For example:

    Runtime Information
    ----------------------------------------------
    Current deployed version       6.1.1.1 [070406a]

Note: The number within the brackets [070406a] might be different from this example.

Uninstalling the fix pack

If you want to return your installation to the state it was in prior to installing the fix pack, you can uninstall the fix pack.

ATTENTION -- When you remove the management service and runtime component fix pack, you will lose any configuration (domains, federations, and so on) that you added after the fix pack was installed.

Ensure that the WebSphere Application Server that hosts the Tivoli Federated Identity Manager Business Gateway runtime and management service component are running.
Ensure that the WebSphere Application Server that hosts the Tivoli Federated Identity Manager Business Gateway console component is running.
Ensure that the service acsisrv is running, as follows:
- For Windows:
  Check the Services console. If the IBM ADE service is not running, start it with the Start button.
- For HP-UX, Linux, Solaris, or AIX:
  1. Open a command prompt.
  2. Type ps -ef|grep acsisrv
  3. If the service is running, you will see the process and an associated PID. Close the command prompt window.
    If the service is not running, type: /usr/ibm/common/acsi/bin/acsisrv.sh -start. Then ensure the service is running.
Open a command prompt.
Change to the directory where the fix pack was unzipped.
If security was enabled and you removed the passwords from the variables file that was used when the fix pack was installed, edit the file and add the appropriate passwords. Then save and close the file.
Change to the /script directory and the type the uninstall command:
- uninstall.bat on Windows systems
- ./uninstall.sh for AIX, Solaris, Linux, or HP-UX
The uninstall process will remove the fix pack and revert to the previous versions of files that were changed by the fix pack.
Verify successful uninstallation of the fix pack:
1. Log in to the administration console.
2. In the Welcome panel, verify that the version number is not 6.1.1.1 and corresponds to the software level on which you installed fix pack 1.
  For example, if you had installed fix pack 1 onto a Tivoli Federated Identity Manager Business Gateway 6.1.1.0 system, then after uninstalling fix pack 1 you would see the following:
```
        Suite Name                           Version
    ----------------------------------------------------------
    Tivoli Federated Identity Manager       6.1.1.0 [050428a]
```
  Note: If you uninstalled the fix pack on an Itanium system, the version number displayed will be 6.1.1.1 even after you uninstall the fix pack.
Redeploy the runtime for each domain:
1. Log in to the administration console.
2. Select Domain Management -> Runtime Node Management.
3. Click Deploy Runtime.
4. Restart WebSphere Application Server.
Verify that the current deployed version is the version you had prior to installing the fix pack.
1. In the administration console, go to the Runtime Node Management panel.
2. Look in the Runtime Management section of the Runtime Nodes portlet in the right panel. Review the Runtime Information.
  For example:
```
       Runtime Information
    ----------------------------------------------
    Current deployed version       6.1.1.0 [061110a]
```
  Note: The number within the brackets [061110a] might be different from this example.
  
  Note: If you uninstalled the fix pack on an Itanium system, the version number displayed will be 6.1.1.1 even after you uninstall the fix pack.
3. Repeat this step for each node in a WebSphere cluster environment.

Uninstalling the update installer

ATTENTION: Uninstalling the Update Installer will not remove the fix pack. See Uninstalling the fix pack for those instructions. Also, because the Update Installer will be used for future maintenance of Tivoli Federated Identity Manager Business Gateway, uninstalling the Update Installer is NOT recommended.

Open a command prompt.
Change the directory to the /_uninst subdirectory where the Update Installer was installed.
Type the uninstall command:
- uninstall.bin on Windows systems
- ./uninstall.bin for AIX, Solaris, Linux, or HP-UX

Documentation updates

The product documentation for Tivoli Federated Identity Manager Business Gateway, Version 6.1.1, can be found on the information center for IBM Tivoli Federated Identity Manager Business Gateway .

Adding a custom mapping module (defect 74201)

The management console for Tivoli Federated Identity Manager Business Gateway Version 6.1.1 does not have a GUI interface for adding a custom mapping module into a federation or partner trust chain. Fix pack 6.1.1-TIV-TFIMBG-FP0001 provides this GUI interface.

Background

Tivoli Federated Identity Manager Business Gateway provides wizards that build trust chains for SAML 1 federations. You must define trust chains when creating a federation and when adding a partner to a federation.

Trust chains convert user identity information from one token type to another token type. The conversion task includes use of an identity mapping module. Administrators use this module to define identity mapping tasks that are specific to their deployments.

Tivoli Federated Identity Manager Business Gateway provides a default mapping module that uses XSLT code to perform identity mapping. You have the option of replacing the default mapping module with a custom mapping module.

You must first develop the custom mapping module and then use the management console to add the module to the trust chain.

Solution summary

To add a custom mapping module:

Develop your custom mapping module.
Use the management console to create a new module type.
Use the management console to create a new module instance.
Use the management console to configure the custom mapping module instance into a trust chain.

Solution details:

Step 1: Develop your custom mapping module

This is a programming task that must be completed prior to configuring the module into the federation. You must write a Java(R) class for a new module type and install the class into the plug-ins directory for your domain.

For more information, see:

IBM Tivoli Federated Identity Manager Business Gateway Version 6.1.1 Administration Guide, Appendix D "Developing custom identity mapping rules"
IBM Tivoli Federated Identity Manager version 6.1.1 Configuration Guide:
1. Chapter 6, "Trust service modules"
2. Chapter 8, "Identity mapping"

information center for IBM Tivoli Federated Identity Manager

Step 2: Use the management console to create a new module type.

Log in to the Tivoli Federated Identity Manager management console.
Click Tivoli Federated Identity Manager -> Configure Trust Service -> Module Types. The Module Types panel is displayed.
Select Create. The Module Types wizard displays the Module Configuration panel.
Enter the requested values and click Finish.

Step 3: Use the management console to create a new module instance.

Click Tivoli Federated Identity Manager -> Configure Trust Service -> Module Instances. The Module Instances panel displays module instances that are created by default, and also displays any module instances that you have added.
Click Create. The Token Type panel displays the module types that have been defined. The list includes the default token types and any custom token types that you have defined.
Select your new token type and click Next. The Module Instances wizard displays the Module Instances Name panel.
Enter values for the requested properties and click Finish.

Step 4: Use the management console to configure the custom mapping module instance into a trust chain

If you are configuring a new federation or adding a new partner, use Step 4a.
If you are modifying properties for an existing federation or partner, use Step 4b.

Step 4a: Create a new trust chain that contains the custom mapping module. Use this step when you are either:

Creating the initial trust chain for a SAML federation
Adding a new partner to a SAML federation

The IBM Tivoli Federated Identity Manager Business Gateway Version 6.1.1 Administration Guide contains the necessary instructions. Use (search for) the instructions entitled "Use Custom Mapping Module Instance" that apply to your task and deployment. (Page numbers refer to the PDF^® image):

Task and Deployment	Page #
Creating your federation as the service provider	123
Adding an identity partner to a federation	129
Adding an identity provider partner manually	134
Creating your federation as the identity provider	137
Adding a service provider partner using metadata	141
Adding a service provider partner manually	144

Step 4b: Modify an existing trust chain to use the custom mapping module

Use this task when you want to modify an existing trust chain by replacing the default mapping module with your custom mapping module.

Task and Deployment	Page #
Modifying federation properties	162
Modifying partner properties	166

Software limitations

Installing a component after installing the fix pack

If you install a Tivoli Federated Identity Manager Business Gateway component to the system after the fix pack has been applied, you must reinstall the fix pack on that system, so that all components are at the same level.

To re-apply the fixpack:

Run the registration script for the component that was added from the 6.1.1 installation media:
1. Open a command prompt on the system where the component was installed.
2. Change to the following directory where the Tivoli Federated Identity Manager Update Installer was installed:
  
  <TFIM UPDATE INSTALLER>/DE/test/
  
  where <TFIM UPDATE INSTALLER> is the directory where the update installer was installed.
Run the appropriate script for the installed component. The scripts are:

Console component:: ./addconsolefeat.sh on AIX, Linux, Solaris, or HP-UX
addconsolefeat.bat on Windows
Runtime and Management Services component:: ./addmgmtfeat.sh on AIX, Linux, Solaris, or HP-UX
addmgmtfeat.bat on Windows
IIS plug-in component: addiisplugin.bat on Windows

After running the script, the added component has been registered. Install the fix pack as described in Installing the fix pack and Deploying the fix pack runtime component.

Known problems and workarounds

None.

Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information that has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

AIX
IBM
IBM logo
iSeries
pSeries
S/390
Tivoli
Tivoli logo
xSeries
zSeries

Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.

IBM®Tivoli® Federated Identity Manager Business Gateway, Fix Pack 6.1.1-TIV-TFIMBG-FP0001 README