IBM Tivoli Access Manager for e-business

Release Notes

Version 5.1

GI11-4156-00

Note: Before using this information and the product it supports, read the information in Appendix B, “Notices,” on page 53.

First Edition (November 2003)

This edition applies to version 5, release 1, modification 0 of IBM Tivoli Access Manager (product number 5724-C08) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 1999, 2003. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Configuration of policy server might fail after installation of Microsoft Security updates (43306) . . . 38
Microsoft Internet Explorer specifies an incorrect value for the Host header on redirects (43398) . . . 38
Use of the authorization server (pdacld) as an authentication enforcement server (43511) . . . 38
Home directories are not automatically deleted when Tivoli Access Manager for WebSphere Application Server is uninstalled using Windows Add or Remove Programs function (43612) . . . 39
Tivoli Access Manager Java runtime environment successfully configures even when an invalid domain name is entered during installation or configuration (43896) . . . 39
Erroneous error message during uninstallation of Tivoli Access Manager runtime environment (43904) . . . 39
Tivoli Access Manager might not recognize suffixes added after starting the daemons (43933) . . . 39
Incorrect error message displayed for SvrSslCfg error (43701) . . . 40
After configuring Tivoli Access Manager on SuSE Linux Enterprise Server 8, the policy server (pdmgrd) and the authorization server (pdacld) fail to start (36687, 37558) . . . 40
Tivoli Access Manager for WebSphere Application Server migration tool might fail to migrate application (28418) . . . 40
Migration tool error with WebSphere Application Server (21935) . . . 41
The migration tool fails when using a Tivoli Access Manager domain other than the default domain (43748) . . . 41
Migration tool incorrectly reports successful migration of ACLs (44245) . . . 42
Migration tool incorrectly reports successful migration of policy (44410) . . . 42
Warning messages displayed when using the pdbackup command on a UNIX-based platform (44285) . . . 42
jlog.properties file not created when using pdwascfg (44410) . . . 42
Startup of WebSphere Application Server fails on Linux on zSeries (44540) . . . 42
NoSuchMethodErrors might be generated when running Java applications compiled against previous versions of Tivoli Access Manager . . . 43

Chapter 4. Internationalization notes . . . 45
Known problems and workarounds . . . 45
Configuration change needed on some internationalized versions of Red Hat Linux 7.1 . . . 45
Group name might be truncated on DBCS systems using Active Directory (44415, 44312) . . . 45
Japanese locale and language setting supported on Linux systems . . . 45
Considerations when using certain locales on Linux systems . . . 46
Some text appears incorrectly in installation wizard (28420, 28422) . . . 46
Resizing installation wizard panels could result in truncated text (28453) . . . 46
LANG variable used with Windows overrides locale setting in Control Panel . . . 47
Command output displayed using wrong code page on Windows systems (26899) . . . 47
Avoid non-ASCII characters in server names (26985) . . . 47
Reconfiguration of Web Portal Manager requires reinstallation of language packages (IY32306) . . . 47
Fonts necessary to display characters correctly in Java (IY31894) . . . 47
Policy server fails to start on AIX boot (12584) . . . 47
Double-byte recorded response files for installation wizard contain corrupted text (37601, 39896, 43907) . . . 48
Recorded option files in multi-byte languages display corrupted text in the explanatory field (39896) . . . 48
Installation wizard for the Plug-in for Web Servers fails on a German Windows system (44565) . . . 48
Apostrophes are not displayed correctly when using the installation wizard in French (44080) . . . 48
Garbled text in installation wizard when installing BEA WebLogic Server (44219, 44398) . . . 48
After configuring Tivoli Access Manager on SuSE Linux Enterprise Server 8, the policy server (pdmgrd) and the ACL server (pdacld) fail to start (36687, 37558) . . . 48

Chapter 5. Known documentation updates . . . 49
IBM Tivoli Access Manager Upgrade Guide . . . 49
IBM Tivoli Access Manager Base Administration Guide . . . 49
IBM Tivoli Access Manager for e-business Authorization C API Developer Reference . . . 49
IBM Tivoli Access Manager for e-business Administration C API Developer Reference . . . 50

Appendix A. Tips for building Tivoli Access Manager applications on Linux . . . 51

Appendix B. Notices . . . 53
Trademarks . . . 54

Contents v

vi IBM Tivoli Access Manager for e-business: Release Notes

Preface

Welcome to the IBM® Tivoli® Access Manager for e-business Release Notes. This document contains new and revised technical information for IBM Tivoli Access Manager for e-business, Version 5.1.

Tivoli Access Manager is the base software that is required to run applications in the IBM Tivoli Access Manager product suite. It enables the integration of IBM Tivoli Access Manager applications that provide a wide range of authorization and management solutions. Sold as an integrated solution, these products provide an access control management solution that centralizes network and application security policy for e-business applications.

Note: IBM Tivoli Access Manager is the new name of the previously released software entitled Tivoli SecureWay® Policy Director. Also, for users familiar with the Tivoli SecureWay Policy Director software and documentation, the management server is now referred to as the policy server.

IBM Tivoli Access Manager for e-business is a complete authorization solution for corporate Web, client/server, MQSeries®, and existing legacy applications. Tivoli Access Manager authorization allows an organization to securely control user access to protected information and resources. You use Tivoli Access Manager in conjunction with standard Internet-based applications to build highly secure and well-managed network-based applications.

Internal defect numbers often appear in the titles of release note items relating to software problems and workarounds.

Attention: Release notes are not updated after they have been translated. For known product defects, limitations, and workarounds found after the release of this document, see the TechNotes Web site.

Who should read this book

This guide is for system administrators responsible for the installation, deployment, and administration of Tivoli Access Manager.

Readers should be familiar with the following:

• UNIX® operating system
• Internet protocols, including HTTP, TCP/IP, FTP, Telnet, SSL
• Security management
• Authentication
• Authorization
• IBM Tivoli Access Manager Base
• Lightweight Directory Access Protocol (LDAP) and directory services

© Copyright IBM Corp. 1999, 2003 vii

What this book contains

This book contains the following sections:

• Chapter 1, “About this release,” on page 1
• Chapter 2, “System requirements,” on page 5
• Chapter 3, “Known problems and workarounds,” on page 21
• Chapter 4, “Internationalization notes,” on page 45
• Chapter 5, “Known documentation updates,” on page 49

Publications

Review the descriptions of the Tivoli Access Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.

Additional information about the IBM Tivoli Access Manager for e-business product itself can be found at:

http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/

The Tivoli Access Manager library is organized into the following categories:

• “Release information”
• “Base information”
• “Web security information” on page ix
• “Developer references” on page ix
• “Technical supplements” on page x

Release information

• IBM Tivoli Access Manager for e-business Read This First (GI11-4155-00)
  Provides information for installing and getting started using Tivoli Access Manager.

• IBM Tivoli Access Manager for e-business Release Notes (GI11-4156-00)
  Provides late-breaking information, such as software limitations, workarounds, and documentation updates.

Base information

• IBM Tivoli Access Manager Base Installation Guide (SC32-1362-00)
  Explains how to install and configure the Tivoli Access Manager base software, including the Web Portal Manager interface. This book is a subset of IBM Tivoli Access Manager for e-business Web Security Installation Guide and is intended for use with other Tivoli Access Manager products, such as IBM Tivoli Access Manager for Business Integration and IBM Tivoli Access Manager for Operating Systems.

• IBM Tivoli Access Manager Base Administration Guide (SC32-1360-00)
  Describes the concepts and procedures for using Tivoli Access Manager services. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin command.


Web security information

• IBM Tivoli Access Manager for e-business Web Security Installation Guide (SC32-1361-00)
  Provides installation, configuration, and removal instructions for the Tivoli Access Manager base software as well as the Web Security components. This book is a superset of IBM Tivoli Access Manager Base Installation Guide.

• IBM Tivoli Access Manager Upgrade Guide (SC32-1369-00)
  Explains how to upgrade from Tivoli SecureWay Policy Director Version 3.8 or previous versions of Tivoli Access Manager to Tivoli Access Manager Version 5.1.

• IBM Tivoli Access Manager for e-business WebSEAL Administration Guide (SC32-1359-00)
  Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.

• IBM Tivoli Access Manager for e-business IBM WebSphere® Application Server Integration Guide (SC32-1368-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with IBM WebSphere® Application Server.

• IBM Tivoli Access Manager for e-business IBM WebSphere Edge Server Integration Guide (SC32-1367-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with the IBM WebSphere Edge Server application.

• IBM Tivoli Access Manager for e-business Plug-in for Web Servers Integration Guide (SC32-1365-00)
  Provides installation instructions, administration procedures, and technical reference information for securing your Web domain using the plug-in for Web servers.

• IBM Tivoli Access Manager for e-business BEA WebLogic Server Integration Guide (SC32-1366-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with BEA WebLogic Server.

• IBM Tivoli Access Manager for e-business IBM Tivoli Identity Manager Provisioning Fast Start Guide (SC32-1364-00)
  Provides an overview of the tasks related to integrating Tivoli Access Manager and Tivoli Identity Manager and explains how to use and install the Provisioning Fast Start collection.

Developer references

• IBM Tivoli Access Manager for e-business Authorization C API Developer Reference (SC32-1355-00)
  Provides reference material that describes how to use the Tivoli Access Manager authorization C API and the Tivoli Access Manager service plug-in interface to add Tivoli Access Manager security to applications.

• IBM Tivoli Access Manager for e-business Authorization Java™ Classes Developer Reference (SC32-1350-00)
  Provides reference information for using the Java™ language implementation of the authorization API to enable an application to use Tivoli Access Manager security.

Preface ix

• IBM Tivoli Access Manager for e-business Administration C API Developer Reference (SC32-1357-00)
  Provides reference information about using the administration API to enable an application to perform Tivoli Access Manager administration tasks. This document describes the C implementation of the administration API.

• IBM Tivoli Access Manager for e-business Administration Java Classes Developer Reference (SC32-1356-00)
  Provides reference information for using the Java language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.

• IBM Tivoli Access Manager for e-business Web Security Developer Reference (SC32-1358-00)
  Provides administration and programming information for the cross-domain authentication service (CDAS), the cross-domain mapping framework (CDMF), and the password strength module.

Technical supplements

• IBM Tivoli Access Manager for e-business Command Reference (SC32-1354-00)
  Provides information about the command line utilities and scripts provided with Tivoli Access Manager.

• IBM Tivoli Access Manager Error Message Reference (SC32-1353-00)
  Provides explanations and recommended actions for the messages produced by Tivoli Access Manager.

• IBM Tivoli Access Manager for e-business Problem Determination Guide (SC32-1352-00)
  Provides problem determination information for Tivoli Access Manager.

• IBM Tivoli Access Manager for e-business Performance Tuning Guide (SC32-1351-00)
  Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Tivoli Directory server as the user registry.

Related publications

This section lists publications related to the Tivoli Access Manager library.

The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:

http://www.ibm.com/software/tivoli/library/

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page:

http://www.ibm.com/software/tivoli/library/

IBM Global Security Kit

Tivoli Access Manager provides data encryption through the use of the IBM Global Security Kit (GSKit) Version 7.0. GSKit is included on the IBM Tivoli Access Manager Base CD for your particular platform, as well as on the IBM Tivoli Access Manager Web Security CDs, the IBM Tivoli Access Manager Web Administration Interfaces CDs, and the IBM Tivoli Access Manager Directory Server CDs.

The GSKit package provides the iKeyman key management utility, gsk7ikm, which is used to create key databases, public-private key pairs, and certificate requests.

The following document is available on the Tivoli Information Center Web site in the same section as the IBM Tivoli Access Manager product documentation:

• IBM Global Security Kit Secure Sockets Layer and iKeyman User’s Guide (SC32-1363-00)
  Provides information for network or system security administrators who plan to enable SSL communication in their Tivoli Access Manager environment.

IBM Tivoli Directory Server

IBM Tivoli Directory Server, Version 5.2, is included on the IBM Tivoli Access Manager Directory Server CD for the desired operating system.

Note: IBM Tivoli Directory Server is the new name for the previously released software known as:

• IBM Directory Server (Version 4.1 and Version 5.1)
• IBM SecureWay Directory Server (Version 3.2.2)

IBM Directory Server Version 4.1, IBM Directory Server Version 5.1, and IBM Tivoli Directory Server Version 5.2 are all supported by IBM Tivoli Access Manager Version 5.1.

Additional information about IBM Tivoli Directory Server can be found at:

http://www.ibm.com/software/network/directory/library/

IBM DB2 Universal Database™

IBM DB2® Universal Database Enterprise Server Edition, Version 8.1 is provided on the IBM Tivoli Access Manager Directory Server CD and is installed with the IBM Tivoli Directory Server software. DB2 is required when using IBM Tivoli Directory Server, z/OS®, or OS/390® LDAP servers as the user registry for Tivoli Access Manager.

Additional information about DB2 can be found at:

http://www.ibm.com/software/data/db2/

IBM WebSphere Application Server

IBM WebSphere Application Server, Advanced Single Server Edition 5.0, is included on the IBM Tivoli Access Manager Web Administration Interfaces CD for the desired operating system. WebSphere Application Server enables the support of both the Web Portal Manager interface, which is used to administer Tivoli Access Manager, and the Web Administration Tool, which is used to administer IBM Tivoli Directory Server. IBM WebSphere Application Server Fix Pack 2 is also required by Tivoli Access Manager and is provided on the IBM Tivoli Access Manager WebSphere Fix Pack CD.

Additional information about IBM WebSphere Application Server can be found at:

http://www.ibm.com/software/webservers/appserv/infocenter.html

IBM Tivoli Access Manager for Business Integration

IBM Tivoli Access Manager for Business Integration, available as a separately orderable product, provides a security solution for IBM MQSeries®, Version 5.2, and IBM WebSphere® MQ for Version 5.3 messages. IBM Tivoli Access Manager for Business Integration allows WebSphere MQSeries applications to send data with privacy and integrity by using keys associated with sending and receiving applications. Like WebSEAL and IBM Tivoli Access Manager for Operating Systems, IBM Tivoli Access Manager for Business Integration is one of the resource managers that use the services of IBM Tivoli Access Manager.

Additional information about IBM Tivoli Access Manager for Business Integration can be found at:

http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

The following documents associated with IBM Tivoli Access Manager for Business Integration Version 5.1 are available on the Tivoli Information Center Web site:

• IBM Tivoli Access Manager for Business Integration Administration Guide (SC23-4831-01)
• IBM Tivoli Access Manager for Business Integration Problem Determination Guide (GC23-1328-00)
• IBM Tivoli Access Manager for Business Integration Release Notes (GI11-0957-01)
• IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)

IBM Tivoli Access Manager for WebSphere Business Integration Brokers

IBM Tivoli Access Manager for WebSphere Business Integration Brokers, available as part of IBM Tivoli Access Manager for Business Integration, provides a security solution for WebSphere Business Integration Message Broker, Version 5.0 and WebSphere Business Integration Event Broker, Version 5.0. IBM Tivoli Access Manager for WebSphere Business Integration Brokers operates in conjunction with Tivoli Access Manager to secure JMS publish/subscribe applications by providing password and credentials-based authentication, centrally-defined authorization, and auditing services.

Additional information about IBM Tivoli Access Manager for WebSphere Integration Brokers can be found at:

http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

The following documents associated with IBM Tivoli Access Manager for WebSphere Integration Brokers, Version 5.1 are available on the Tivoli Information Center Web site:

• IBM Tivoli Access Manager for WebSphere Business Integration Brokers Administration Guide (SC32-1347-00)
• IBM Tivoli Access Manager for WebSphere Business Integration Brokers Release Notes (GI11-4154-00)
• IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)

IBM Tivoli Access Manager for Operating Systems

IBM Tivoli Access Manager for Operating Systems, available as a separately orderable product, provides a layer of authorization policy enforcement on UNIX systems in addition to that provided by the native operating system. IBM Tivoli Access Manager for Operating Systems, like WebSEAL and IBM Tivoli Access Manager for Business Integration, is one of the resource managers that use the services of IBM Tivoli Access Manager.

Additional information about IBM Tivoli Access Manager for Operating Systems can be found at:

http://www.ibm.com/software/tivoli/products/access-mgr-operating-sys/

The following documents associated with IBM Tivoli Access Manager for Operating Systems Version 5.1 are available on the Tivoli Information Center Web site:

• IBM Tivoli Access Manager for Operating Systems Installation Guide (SC23-4829-00)
• IBM Tivoli Access Manager for Operating Systems Administration Guide (SC23-4827-00)
• IBM Tivoli Access Manager for Operating Systems Problem Determination Guide (SC23-4828-00)
• IBM Tivoli Access Manager for Operating Systems Release Notes (GI11-0951-00)
• IBM Tivoli Access Manager for Operating Systems Read Me First (GI11-0949-00)

IBM Tivoli Identity Manager

IBM Tivoli Identity Manager Version 4.5, available as a separately orderable product, enables you to centrally manage users (such as user IDs and passwords) and provisioning (that is, providing or revoking access to applications, resources, or operating systems). Tivoli Identity Manager can be integrated with Tivoli Access Manager through the use of the Tivoli Access Manager Agent. Contact your IBM account representative for more information about purchasing the Agent.

Additional information about IBM Tivoli Identity Manager can be found at:

http://www.ibm.com/software/tivoli/products/identity-mgr/

Accessing publications online

The publications for this product are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both, in the Tivoli software library: http://www.ibm.com/software/tivoli/library

To locate product publications in the library, click the Product manuals link on the left side of the library page. Then, locate and click the name of the product on the Tivoli software information center page.

Product publications include release notes, installation guides, user’s guides, administrator’s guides, and developer’s references.

Note: To ensure proper printing of PDF publications, select the Fit to page check box in the Adobe Acrobat Print window (which is available when you click File → Print).

Accessibility

Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You also can use the keyboard instead of the mouse to operate all features of the graphical user interface.

Contacting software support

Before contacting IBM Tivoli Software Support with a problem, refer to the IBM Tivoli Software Support site by clicking the Tivoli support link at the following Web site: http://www.ibm.com/software/support/

If you need additional help, contact software support by using the methods described in the IBM Software Support Guide at the following Web site: http://techsupport.services.ibm.com/guides/handbook.html

The guide provides the following information:

• Registration and eligibility requirements for receiving support
• Telephone numbers, depending on the country in which you are located
• A list of information you should gather before contacting customer support

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

The following typeface conventions are used in this reference:

Bold
  Lowercase commands or mixed case commands that are difficult to distinguish from surrounding text, keywords, parameters, options, names of Java classes, and objects are in bold.

Italic
  Variables, titles of publications, and special words or phrases that are emphasized are in italic.

Monospace
  Code examples, command lines, screen output, file and directory names that are difficult to distinguish from surrounding text, system messages, text that the user must type, and values for arguments or command options are in monospace.

Operating system differences

This book uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows® command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. If you are using the bash shell on a Windows system, you can use the UNIX conventions.

Chapter 1. About this release

IBM Tivoli Access Manager for e-business (Tivoli Access Manager) Version 5.1 builds on previous versions of IBM Tivoli Access Manager and IBM SecureWay Policy Director to provide a complete authentication and authorization solution for corporate e-business environments.

New features in this release include:

Authorization Rules
  Tivoli Access Manager can make authorization decisions based on real-time dynamic information in addition to using access control lists.

Hosting Support
  Tivoli Access Manager supports an environment where a single centralized Tivoli Access Manager infrastructure provides authorization services to a number of distinct internal or external customers.

Policy Proxy Server
  Tivoli Access Manager supports a policy proxy server, which, among other things, allows incoming Tivoli Access Manager replication and administration requests to be terminated in a DMZ. Optional in-memory caching of the policy database at the proxy also allows for traffic reduction over slow network links.

Support for Microsoft® Active Directory
  Tivoli Access Manager supports an environment where Tivoli Access Manager components on UNIX-based platforms can join a Tivoli Access Manager domain that is using Microsoft Active Directory as the user registry. The policy server is the only component that must be on Windows.

Support for dynamic groups in IBM Tivoli Directory Server and Sun ONE Directory servers
  Tivoli Access Manager can import dynamic groups that have been defined in IBM Directory Server and Sun ONE servers.

WebSEAL support for Windows Desktop Single Sign-on
  Tivoli Access Manager adds Windows Desktop Single Sign-on (SPNEGO) support to the WebSEAL component. This is available on both Windows and UNIX-based platforms.

Password Synchronization between Tivoli Access Manager and Tivoli Identity Manager
  Tivoli Access Manager supports password synchronization in integrated environments. You can set up Tivoli Identity Manager and Tivoli Access Manager such that passwords are synchronized, and when passwords are changed through password change mechanisms, the same set of password rules apply across the integrated environment.

Tracing and Logging facility supports log file rollover
  Tivoli Access Manager supports log file rollover based on the configuration of file counts and sizes. The new PDJLog facility provides configuration parameters in the PDJLog.properties file for each of the tracing and logging file handlers.

Support for Lotus® Domino® Server clusteringTivoli Access Manager supports Domino environments where clustering isused for load  balancing and failover of  multiple Domino servers. TivoliAccess Manager now detects this type of  environment, and can switch overto another Domino server in the cluster if  the server it is configured to

 becomes unresponsive. In this case, Tivoli Access Manager also replicatesthe Tivoli Access Manager database to other cluster members.

Linux SupportTivoli Access Manager supports the policy server, WebSEAL, and Plug-infor Web Servers on Red Hat and SuSE Linux. For a complete list  bycomponent, see the IBM Tivoli  Access  Manager  for e-business Web SecurityInstallation Guide.

Updated Command Reference manualThe Command Reference has  been updated for this release to includeinformation about the new error handling, return codes, and messagenumbering schemes to improve serviceability. The reference also includesinformation about blade utilities and policy proxy servers.

New pdadmin commands described in the reference include:

v new pdadmin -d domain flag to specify a domain other than Defaultv new padadmin -m flag to specify the management domain

v new pdadmin -l (local login) flag

v new pdadmin context command

v new pdadmin domain commands

v new pdadmin authzrule (authorization rule) commands

v new pdadmin config commands: config modify and config show

v new pdadmin object commands: object access and object exists

v new permissions (ACL bits): Bypass AuthzRule (R) and Bypass Pop (B)

CD distribution

IBM Tivoli Access Manager (Tivoli Access Manager) is provided on the following CDs.

Base CDs:

v IBM Tivoli Access Manager Base for AIX

v IBM Tivoli Access Manager Base for Solaris

v IBM Tivoli Access Manager Base for HP-UX

v IBM Tivoli Access Manager Base for Linux on xSeries

v IBM Tivoli Access Manager Base for Linux on zSeries

v IBM Tivoli Access Manager Base for Linux on pSeries and iSeries

v IBM Tivoli Access Manager Base for Windows NT, Windows XP, Windows 2000 and Windows 2003

Web Administration CDs:

v IBM Tivoli Access Manager Web Administration Interfaces for AIX

v IBM Tivoli Access Manager Web Administration Interfaces for Solaris

v IBM Tivoli Access Manager Web Administration Interfaces for HP-UX

v IBM Tivoli Access Manager Web Administration Interfaces for Linux on xSeries

v IBM Tivoli Access Manager Web Administration Interfaces for Linux on zSeries


v IBM Tivoli Access Manager Web Administration Interfaces for Linux on pSeries and iSeries

v IBM Tivoli Access Manager Web Administration Interfaces for Windows 2000

v IBM Tivoli Access Manager Web Administration Interfaces for Windows 2003

Web Security CDs:

v IBM Tivoli Access Manager Web Security for AIX

v IBM Tivoli Access Manager Web Security for Solaris

v IBM Tivoli Access Manager Web Security for HP-UX

v IBM Tivoli Access Manager Web Security for Linux on xSeries

v IBM Tivoli Access Manager Web Security for Linux on zSeries

v IBM Tivoli Access Manager Web Security for Windows 2000 and Windows 2003

Directory Server CDs:

v IBM Tivoli Access Manager Directory Server for AIX

v IBM Tivoli Access Manager Directory Server 1 of 2 for Solaris

v IBM Tivoli Access Manager Directory Server 2 of 2 for Solaris

v IBM Tivoli Access Manager Directory Server for HP-UX

v IBM Tivoli Access Manager Directory Server for Linux on xSeries

v IBM Tivoli Access Manager Directory Server for Linux on zSeries

v IBM Tivoli Access Manager Directory Server for Linux on pSeries and iSeries

v IBM Tivoli Access Manager Directory Server for Windows 2000 and Windows 2003

WebSphere Fix Pack CDs:

v IBM Tivoli Access Manager WebSphere Fix Pack for AIX

v IBM Tivoli Access Manager WebSphere Fix Pack for Solaris

v IBM Tivoli Access Manager WebSphere Fix Pack for HP-UX

v IBM Tivoli Access Manager WebSphere Fix Pack for Linux on xSeries

v IBM Tivoli Access Manager WebSphere Fix Pack for Windows 2000

Attribute Retrieval Service CDs:

v IBM Tivoli Access Manager Attribute Retrieval Service for AIX

v IBM Tivoli Access Manager Attribute Retrieval Service for Solaris

v IBM Tivoli Access Manager Attribute Retrieval Service for HP-UX

v IBM Tivoli Access Manager Attribute Retrieval Service for Linux on xSeries

v IBM Tivoli Access Manager Attribute Retrieval Service for Linux on zSeries

v IBM Tivoli Access Manager Attribute Retrieval Service for Windows 2000

v IBM Tivoli Access Manager Attribute Retrieval Service for Windows 2003

Language Support CDs:

v IBM Tivoli Access Manager Language Support for AIX

v IBM Tivoli Access Manager Language Support for Solaris

v IBM Tivoli Access Manager Language Support for HP-UX

v IBM Tivoli Access Manager Language Support for Linux on xSeries

v IBM Tivoli Access Manager Language Support for Linux on zSeries

v IBM Tivoli Access Manager Language Support for Linux on pSeries and iSeries


v IBM Tivoli Access Manager Language Support for Windows NT, Windows XP, Windows 2000, and Windows 2003

Software download page for IBM Tivoli Access Manager

Links to supplemental software downloads for Tivoli products can be found at:

http://www.tivoli.com/support/downloads/

Follow the "Software downloads (for registered users)" link and then select "IBM Tivoli Access Manager". Enter your registered user name and password when prompted.


Chapter 2. System requirements

This section describes the minimum product levels you should have installed.

The following sections are included:

v “Supported registries”

v “Disk space and memory requirements” on page 10

v “Backward compatibility” on page 19

Supported registries

Tivoli Access Manager supports the following user registries, their supported operating systems, and any necessary prerequisite software.

IBM Tivoli Directory Server

Tivoli Access Manager supports the use of IBM Tivoli Directory Server, Versions 4.1, 5.1, and 5.2.

Note: IBM Tivoli Directory Server, Version 5.2, is shipped with Tivoli Access Manager, Version 5.1. Only a single version of IBM Directory Server can exist on a system at a time and, because IBM Tivoli Access Manager, Version 5.1, uses the Version 5.2 IBM Directory client for the LDAP registry, you should install the IBM Tivoli Directory Server on a separate system if using either Version 4.1 or 5.1.

Supported platforms are as follows:

v AIX platforms:

– AIX 5.1

– AIX 5.2

Note: On AIX 5.1, you must install AIX Maintenance Level 4 or higher. On AIX 5.2, you must install AIX Maintenance Level 1 or higher.

v HP-UX platforms:

– HP-UX 11

– HP-UX 11i with the following patches:

- December 2001 GOLDBASE11i bundle

- December 2001 GOLDAPPS11i bundle

- patch PHSS_26560

v Linux on xSeries platforms:

– UnitedLinux 1.0 with Service Pack 2

– SuSE Linux Enterprise Server 8

– Red Hat Enterprise Linux 3.0

v Linux on zSeries platforms:

– SuSE Linux Enterprise Server 8

– Red Hat Enterprise Server 3.0

v Linux on pSeries and iSeries platforms:

– Red Hat Enterprise Server 3.0


– SuSE Linux Enterprise Server 8

v Solaris platforms:

– Solaris Operating Environment Software, Versions 8 and 9

– Trusted Solaris, Version 8

v Windows platforms:

– Windows 2000

– Windows Server 2003, Standard or Enterprise

– Windows NT 4.0 with Service Pack 6 or later; a Windows NT file system (NTFS) is required for security support.

Attention:

v If you have an existing IBM Directory Server that you want to use for Tivoli Access Manager, ensure that you upgrade the server to a supported level. For upgrade instructions, see the IBM Tivoli Access Manager Upgrade Guide.

v If you have a preexisting version of Lightweight Directory Access Protocol (LDAP) from a vendor other than IBM, you must remove it before installing IBM Tivoli Directory Server.

IBM Tivoli Directory Server Web Administration Tool

IBM Tivoli Directory Server supports the use of the IBM Tivoli Directory Server Web Administration Tool, Version 5.2. You can install the Web Administration Tool on a computer with or without the IBM Tivoli Directory Server client or server. The Web Administration Tool can be used to administer LDAP servers of the following types:

v IBM Tivoli Directory Server, Version 5.2

v IBM Directory Server, Version 5.1

v IBM Directory Server, Version 4.1

v OS/400 V5R3

v z/OS™ R4

Note: For z/OS R4, only the following setups are supported by the Web Administration Tool:

– A single TDBM backend

– A single SDBM backend

– One TDBM and SDBM backend

The Web Administration Tool is supported on the following platforms:

v AIX platforms:

– AIX 4.3.3

– AIX 5.1

– AIX 5.2

v HP-UX platforms:

– HP-UX 11

– HP-UX 11i

v Linux on xSeries platforms:

– UnitedLinux 1.0

– SuSE Linux Enterprise Server 7 and 8

– Red Hat Advanced Server 2.1

v Linux on zSeries platforms:


– SuSE Linux Enterprise Server 8.0

v Linux on pSeries and iSeries platforms:

– UnitedLinux 1.0

– SuSE Linux Enterprise Server 8.0

v Solaris platforms:

– Solaris Operating Environment Software, Versions 7, 8, and 9

– Trusted Solaris, Version 8

v Windows platforms:

– Windows 2000

– Windows XP

– Windows Server 2003, Standard or Enterprise

– Windows NT 4.0 with Service Pack 6 or later

To use the Web Administration Tool, you also need the following:

v One of  the following application servers:

– The embedded version of WebSphere Application Server — Express V5.0 or later.

– IBM WebSphere Application Server, Version 5.0 or later. IBM WebSphere Application Server, Version 5.0.2, is provided with Tivoli Access Manager, Version 5.1.

v One of the following Web browsers on the computer from which you will use the Web Administration Tool. (This might or might not be the computer where the Web Administration Tool is installed):

– AIX platforms: Mozilla 1.3 or 1.4

– HP-UX platforms: Mozilla 1.3 or 1.4

– Linux on xSeries platforms: Mozilla 1.3 or 1.4

– Linux on iSeries, pSeries, and zSeries platforms: No browser support is available. You must use another system to access the Web Administration Tool on these Linux platforms.

– Solaris platforms: Mozilla 1.3 or 1.4

– Windows platforms: Internet Explorer, Version 6.0

IBM Security Server for OS/390

Tivoli Access Manager supports the use of IBM Security Server for OS/390®, Version 2, Release 10. For product information, see the OS/390 Internet Library Web site at:

http://www.s390.ibm.com/os390/bkserv/

IBM z/OS Security Server LDAP Server

Tivoli Access Manager supports the use of IBM z/OS Security Server LDAP Server, Version 1, Release 2 or higher. For product information, see the z/OS Internet Library Web site at:

http://www.ibm.com/servers/eserver/zseries/zos/bkserv/

Customers can also obtain softcopy publications on CD-ROM, z/OS: Collection, SK3T-4269.


Lotus Domino

Tivoli Access Manager on the Windows platform supports the use of Lotus® Domino, Version 5.0.10 and 6.0, as a user registry. The Domino server can run on any platform supported by Tivoli Access Manager, Version 5.1.

Attention: When Lotus Domino is used as the registry:

v The IBM Tivoli Directory Client is not required.

v You must install a Lotus Notes® client prior to installing the Access Manager Runtime component. Tivoli Access Manager supports Lotus Notes client, Version 5.0.10, and Version 6.0 or higher.

Microsoft Active Directory

Tivoli Access Manager supports the use of Active Directory for Windows 2000 and Windows 2003 as a user registry.

In previous releases of Tivoli Access Manager, Active Directory support was available on the Windows 2000 Advanced Server platform only. New to version 5.1, Active Directory users can run Tivoli Access Manager on all Windows and UNIX platforms currently supported in the Tivoli Access Manager product (with the exception of Windows NT).

UNIX platforms make use of the IBM Tivoli Directory Client to communicate with Active Directory. This LDAP client is also used in cases where the policy server domain differs from the domain of the local host name.

Note that the Tivoli Access Manager policy server is supported on Windows 2000 and 2003 systems only.

Netscape iPlanet and Sun ONE Directory Server

Tivoli Access Manager supports the use of Netscape iPlanet Directory Server, Version 5.1, and Sun ONE Directory Server, Version 5.2, as a user registry.

For installation information, consult the product documentation that came with your iPlanet or Sun ONE Directory Server.

Attention:

v If you have an existing iPlanet or Sun ONE Directory Server that you want to use for Tivoli Access Manager, ensure that you upgrade the server to a supported level. For upgrade instructions, see Sun documentation at the following Web address:

http://docs.sun.com/db/prod/s1dirsrv

v The iPlanet and Sun ONE Directory Server has built-in SSL capability. You must install GSKit only if the Access Manager Runtime component is installed on the same system as the directory server.

Novell eDirectory

Tivoli Access Manager supports the use of Novell eDirectory 8.6.2 and 8.7 as a user registry.

For installation information, consult the product documentation that came with your Novell eDirectory server. Novell eDirectory product documentation is available at:


http://www.novell.com/documentation/a-z.html

The latest patches to these products are available at:

http://support.novell.com/filefinder/5069/index.html

Attention:

v If you have an existing Novell eDirectory server that you want to use for Tivoli Access Manager, ensure that you upgrade the server to a supported level.

v The Novell eDirectory server has built-in SSL capability. You must install GSKit only if the Access Manager Runtime component is installed on the same system as the directory server.


Disk space and memory requirements

Tivoli Access Manager binaries and libraries can require a large amount of disk space. You should ensure that there is enough disk space in the file systems where you are going to install these files. As each Tivoli Access Manager component or system is added to a secure domain, additional disk space is required. Ensure that there is enough available disk space to allow for future installation of Tivoli Access Manager software.

This section includes:

v “Tivoli Access Manager Base components” on page 11

v “Tivoli Access Manager Web Security components” on page 12

Note: These tables list disk space and memory requirements for Tivoli Access Manager components only. Keep in mind that you must also factor in additional requirements, such as operating system or Web server estimates (if installing a plug-in).


Tivoli Access Manager Base components

Table 1. Base components — Disk space and memory requirements

All values are in MB unless stated otherwise. Note numbers from the source appear in parentheses after a value; the notes follow the table.

Component | Minimum disk space | Recommended disk space | Disk space for ACL database | Additional disk space for log files | Minimum memory | Recommended memory | Memory per additional domain
Access Manager Application Development Kit | 3 | 5 | — | — | — | — | —
Access Manager Authorization Server | 2 | 4 | 15 (2) | 5 | 30 | 40 | —
Access Manager Java Runtime Environment | 8 | 10 | — | — | — | — | —
Access Manager Policy Proxy Server | 1 | 2 | — 40 — (the source gives only these three further cells; their column assignment is not recoverable)
Access Manager Policy Server | 2 | 4 | 5 (1, 2) | 10 (1) | 30 | 40 | 5 (2)
Access Manager Runtime | 36 | 40 | — | — | — | — | —
Access Manager Web Portal Manager | 1 | 2 | — | — | 35 (3) | 70 (4) | —
Global Security Kit | 18 | 20 | — | — | — | — | —
IBM Tivoli Directory Client | 46 | 50 | — | — | see note 6 | see note 6 |
IBM Tivoli Directory Server (including prerequisite software) | 145 (7) | 245 (7) | — | 10 | 256 (5) | 512–1GB (5) | —
IBM WebSphere Application Server, Version 5.0.2 | 552 | 552 | — | — | 256 | 512 | —

Notes:

1. The size is for the default domain only. For each additional domain, increase the recommended disk space by this amount.

2. This is based on the approximate requirement for an ACL database with 10,000 objects, equally spread across 10 object spaces and about 30 ACLs attached to 10% of the objects. Except for the policy server, the size is tripled to account for a backup copy and an additional copy created during replication.

3. The minimum for WPM represents the memory requirement for each connected browser.

4. This recommendation for WPM represents two connected browsers.

5. 256MB (minimum) and 512MB–1GB (recommended) memory are for less than one million Tivoli Access Manager users. For more than one million users, increase this amount to 512 (minimum) and 1GB–2GB (recommended) memory.

6. Memory requirements for the IBM Tivoli Directory Client are part of the memory requirements of the servers that use it.

7. IBM Tivoli Directory Server estimates include an empty database. Add an additional 10KB per Tivoli Access Manager user.
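The notes above turn the fixed table values into per-domain, per-browser and per-user formulas. The following POSIX sh helper is an added example, not part of the IBM release notes, that applies Table 1 and notes 1, 3, 5 and 7 to a planned deployment so the figures can be checked before disk and memory are allocated. It assumes that the "10KB per user" estimate means 10 times 1024 bytes and that a population of exactly one million users falls under the "less than one million" band of note 5; the deployment sizes passed to sizing_plan are constructed.

```sh
#!/bin/sh
# Added sizing helper, not part of the IBM release notes. It applies the
# Table 1 figures and notes 1, 3, 5 and 7 (policy server, Web Portal
# Manager, IBM Tivoli Directory Server). All results are whole MB.
# Assumptions: "10KB per user" is read as 10 * 1024 bytes, and exactly one
# million users is treated as "less than one million" for note 5.

# Recommended policy server disk space for $1 domains. Note 1: the 5 MB
# ACL database and the 10 MB log file allowance are repeated per domain,
# on top of the 4 MB recommended for the component itself.
policy_server_disk_mb() {
    echo $(( 4 + (5 + 10) * $1 ))
}

# Recommended policy server memory: 40 MB plus 5 MB per additional domain.
policy_server_mem_mb() {
    echo $(( 40 + 5 * ($1 - 1) ))
}

# Web Portal Manager memory: note 3, 35 MB for each connected browser
# (the table's 70 MB recommendation is this figure for two browsers).
wpm_mem_mb() {
    echo $(( 35 * $1 ))
}

# Recommended IBM Tivoli Directory Server disk space for $1 users:
# 245 MB with an empty database plus 10 KB per user (note 7), rounded
# up to the next MB.
directory_disk_mb() {
    echo $(( 245 + ($1 * 10 + 1023) / 1024 ))
}

# Minimum directory server memory (note 5): 256 MB up to one million
# users, 512 MB for more than one million.
directory_min_mem_mb() {
    if [ "$1" -gt 1000000 ]; then echo 512; else echo 256; fi
}

# Print a plan for a deployment of $1 domains, $2 WPM browsers, $3 users.
sizing_plan() {
    printf 'policy server: %s MB disk, %s MB memory\n' \
        "$(policy_server_disk_mb "$1")" "$(policy_server_mem_mb "$1")"
    printf 'web portal manager: %s MB memory\n' "$(wpm_mem_mb "$2")"
    printf 'directory server: %s MB disk, %s MB memory minimum\n' \
        "$(directory_disk_mb "$3")" "$(directory_min_mem_mb "$3")"
}

# Constructed deployment: three domains, two WPM browsers, 100,000 users.
sizing_plan 3 2 100000
```

The helper covers only the rows whose notes define a scaling rule; the other components in Table 1 have fixed figures and need no calculation, and the operating system and Web server estimates mentioned in the note before the table still have to be added on top.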


Tivoli Access Manager Web Security components

Table 2. Web Security components — Disk space and memory requirements

All values are in MB. Note numbers from the source appear in parentheses after a value; the notes follow the table.

Component | Minimum disk space | Recommended disk space | Disk space for ACL database | Additional disk space for log files | Minimum memory | Recommended memory | Memory per additional domain
Access Manager WebSEAL | 20 | 25 | 15 (1) | 200 (2) | 80 | 250 (3) | —
Access Manager WebSEAL Application Development Kit | 3 | 5 | — | — | — | — | —
Access Manager for WebLogic Server | 2 | 4 | — | 5 | 64 | 128 | —
Access Manager for WebSphere | 2 | 4 | — | 5 | 64 | 128 | —
Access Manager Plug-in for IBM HTTP Server | 15 | 25 | 15 (1) | 10 | 60 | 120 | —
Access Manager Plug-in for Apache Web Server | 15 | 25 | 15 (1) | 10 | 60 | 120 | —
Access Manager Plug-in for Sun ONE Web Server | 15 | 25 | 15 (1) | 10 | 70 | 140 | —
Access Manager Plug-in for Internet Information Services | 15 | 25 | 15 (1) | 10 | 165 | 225 | —
Access Manager Attribute Retrieval Service | 6 | 10 | — | — | 10 | 14 | —
Access Manager Plug-in for Edge Server | 15 | 25 | 15 (1) | 10 | 15 | 30 | —

Notes:

1. This is based on the approximate requirement for an ACL database with 10,000 objects, equally spread across 10 object spaces and about 30 ACLs attached to 10% of the objects. Except for the policy server, the size is tripled to account for a backup copy and an additional copy created during replication.

2. This includes space for the www (web server access) logs.

3. Includes memory for maximum default cache growth. Increase this amount if cache parameters are increased.


Supported platforms, including required patches

Table 3 lists required patches or service levels for supported operating systems.

Note: SuSE Linux is one of four partner companies whose products are based on UnitedLinux 1.0; the other companies are the SCO Group, Turbolinux, and Conectiva. When SuSE Linux Enterprise Server (SLES) is listed as supported, support for the other partner companies' products based on UnitedLinux 1.0 is implied as well. For more information, consult the UnitedLinux Web site at:

http://www.unitedlinux.com

Table 3. Patches required by supported operating system platform

Each entry gives the operating system platform, the Tivoli Access Manager 5.1 systems supported on it, and the required patches or service level.

AIX 4.3.3
  Supported systems:
  v Development (ADK)
  v Java runtime environment
  v Runtime
  Required patches or service level: latest patches and the following:
  v bos.rte.libpthreads at level 4.3.3.51 or higher
  v xlC.rte (6.0.0.0 C Set ++ Runtime)
  v xlC.aix43.rte (6.0.0.3 C Set ++ Runtime)

AIX 5.1
  Supported systems:
  v Attribute Retrieval Service
  v Authorization server
  v Development (ADK)
  v Java runtime environment
  v Plug-in for Edge Server, Version 5.1
  v Plug-in for IBM HTTP Server, Version 1.3.26
  v Plug-in for Sun ONE Web Server, Version 6.0
  v Policy server
  v Policy proxy server
  v Runtime
  v Tivoli Access Manager for WebLogic
  v Tivoli Access Manager for WebSphere
  v Web Portal Manager
  v WebSEAL server
  v WebSEAL development (ADK)
  Required patches or service level: Maintenance Level 4 or higher and the following:
  v xlC.rte (6.0.0.0 C Set ++ Runtime)
  v xlC.aix50.rte (6.0.0.3 or higher C Set ++ Runtime)


Red Hat Enterprise Linux 2.1
  Supported systems:
  v Plug-in for Edge Server, Version 5.1
  Required patches or service level: the following patch is required only if you are installing the GSKit iKeyman utility (gsk7ikm):
  v pdksh-5.2.14-13.i386.rpm

Red Hat Enterprise Linux 3.0
  Supported systems:
  v Authorization server
  v Development (ADK)
  v Java runtime environment
  v Policy server
  v Policy proxy server
  v Runtime
  v WebSEAL server
  v WebSEAL Development (ADK)
  Required patches or service level: None

SuSE SLES8 for IA32
  Supported systems:
  v Attribute Retrieval Service
  v Authorization server
  v Development (ADK)
  v Java runtime environment
  v Plug-in for IBM HTTP Server, Version 1.3.26
  v Policy server
  v Policy proxy server
  v Runtime
  v Tivoli Access Manager for WebSphere
  v Web Portal Manager
  v WebSEAL server
  v WebSEAL development (ADK)
  Required patches or service level:
  v libstdc++-3.2.2-5

SuSE SLES8 for S/390 and zSeries (31-bit systems); SuSE SLES8 for zSeries (64-bit systems)
  Supported systems:
  v Attribute Retrieval Service
  v Authorization server
  v Development (ADK)
  v Java runtime environment
  v Plug-in for Apache Web Server, Version 1.3.26-36, with mod SSL (31-bit only)
  v Plug-in for IBM HTTP Server, Version 1.3.26
  v Policy server
  v Policy proxy server
  v Runtime
  v Tivoli Access Manager for WebSphere
  v Web Portal Manager
  v WebSEAL server
  v WebSEAL development (ADK)
  Required patches or service level, kernel levels supported:
  v 31-bit kernel: k_deflt-2.4.19-32
  v 64-bit kernel: k_deflt-2.4.19-34
  Service Pack 2 update:
  v 31-bit kernel: k_deflt-2.4.19-79
  v 64-bit kernel: k_deflt-2.4.19-80


SuSE SLES8 for pSeries and iSeries
  Supported systems:
  v Development (ADK)
  v Java runtime environment
  v Runtime
  v Web Portal Manager
  Required patches or service level, kernel levels supported:
  v kernel-iseries64-2.4.19-104
  v kernel-ppc64-2.4.19-108
  Service Pack 1 update:
  v kernel-iseries64-2.4.19-194
  v kernel-ppc64-2.4.19-186

Solaris Operating Environment 7
  Supported systems:
  v Development (ADK)
  v Java runtime environment
  v Runtime
  Required patches or service level, 32-bit packages:
  v 106327-18
  v 106541-24
  v 106950-22
  v 106980-22
  v 107544-03
  64-bit packages:
  v 106300-19
  v 106327-18
  v 106541-24
  v 107544-03
  v 106950-22
  v 106980-22

Solaris Operating Environment 8
  Supported systems:
  v Attribute Retrieval Service
  v Authorization server
  v Development
  v Java runtime environment
  v Plug-in for Apache Web Server, Version 1.3.27, with mod SSL
  v Plug-in for Edge Server, Version 5.1
  v Plug-in for IBM HTTP Server, Version 1.3.26
  v Plug-in for Sun ONE Web Server, Version 6.0
  v Policy server
  v Policy proxy server
  v Runtime
  v Tivoli Access Manager for WebLogic
  v Tivoli Access Manager for WebSphere
  v Web Portal Manager
  v WebSEAL server
  v WebSEAL development (ADK)
  Required patches or service level, 32-bit packages:
  v 109147-15
  v 108434-05
  v 108528-24
  v 108827-40
  v 111327-02
  v SUNWuiu8
  v SUNWjiu8
  64-bit packages:
  v 109147-15
  v 108434-05
  v 108435-06
  v 108528-24
  v 108827-40
  v 111327-02
  v SUNWuiu8
  v SUNWjiu8


Solaris Operating Environment 9
  Supported systems:
  v Attribute Retrieval Service
  v Authorization server
  v Development (ADK)
  v Java runtime environment
  v Plug-in for Apache Web Server, Version 1.3.27, with mod SSL
  v Plug-in for Edge Server, Version 5.1
  v Plug-in for IBM HTTP Server, Version 1.3.26
  v Plug-in for Sun ONE Web Server, Version 6.0
  v Policy server
  v Policy proxy server
  v Runtime
  v Tivoli Access Manager for WebLogic
  v Tivoli Access Manager for WebSphere (Version 5.0.2 only)
  v Web Portal Manager
  v WebSEAL server
  v WebSEAL development (ADK)
  Required patches or service level:
  v 11711-06

Windows NT 4.0
  Supported systems:
  v Development (ADK)
  v Java runtime environment
  v Runtime
  Required patches or service level: Service Pack 6a

Windows XP and 2000 Pro
  Supported systems:
  v Development (ADK)
  v Java runtime environment
  v Runtime
  Required patches or service level: None

Windows 2000 Server and Advanced Server
  Supported systems:
  v Attribute Retrieval Service
  v Authorization server
  v Development (ADK)
  v Java runtime environment
  v Plug-in for Edge Server, Version 5.1
  v Plug-in for Internet Information Services, Version 5.0
  v Policy server
  v Policy proxy server
  v Runtime
  v Tivoli Access Manager for WebLogic
  v Tivoli Access Manager for WebSphere
  v Web Portal Manager
  v WebSEAL server
  v WebSEAL development (ADK)
  Required patches or service level: Service Pack 3


Windows 2003 Standard Server and Enterprise Server
  Supported systems:
  v Attribute Retrieval Service
  v Authorization server
  v Development (ADK)
  v Java runtime environment
  v Plug-in for Internet Information Services, Version 6.0
  v Policy server
  v Policy proxy server
  v Runtime
  v Tivoli Access Manager for WebSphere (Version 5.0.2 only) on Windows 2003 Enterprise Server
  v Web Portal Manager
  v WebSEAL server
  v WebSEAL development (ADK)
  Required patches or service level: None
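Several Table 3 entries are stated as a minimum level ("bos.rte.libpthreads at level 4.3.3.51 or higher"), which a plain string comparison gets wrong once a component has more digits than the one it is compared with. The POSIX sh script below is an added example, not part of the IBM release notes, that compares installed levels against the minimum levels of the AIX 4.3.3 row and reports each requirement as OK, LOW or MISSING. The two inventories are constructed two-column "<name> <level>" samples standing in for what you would collect from the platform's own package query; the names REQUIRED_AIX433, SAMPLE_INVENTORY and SAMPLE_INVENTORY_GOOD, and the functions version_ge, check_levels and all_ok, are this example's own.

```sh
#!/bin/sh
# Added prerequisite check, not part of the IBM release notes. It compares
# installed fileset or package levels against the minimum levels Table 3
# lists, using "at level X or higher" semantics. The inventories below are
# constructed "<name> <level>" samples; on a real host you would feed the
# output of the platform's package query (lslpp on AIX, rpm on Linux)
# reduced to the same two columns.

# Return 0 when dotted level $1 is greater than or equal to $2. A "-" in
# a level (for example 2.4.19-80) is treated as one more dot. Components
# are compared numerically, so levels must be numeric.
version_ge() {
    a=$(printf '%s\n' "$1" | sed 's/-/./g')
    b=$(printf '%s\n' "$2" | sed 's/-/./g')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai:-0}; bi=${bi:-0}          # a missing component counts as 0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
        case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 0
}

# Minimum levels from the AIX 4.3.3 row of Table 3.
REQUIRED_AIX433='bos.rte.libpthreads 4.3.3.51
xlC.rte 6.0.0.0
xlC.aix43.rte 6.0.0.3'

# Constructed inventory of a host that is behind on one fileset.
SAMPLE_INVENTORY='bos.rte.libpthreads 4.3.3.75
xlC.rte 6.0.0.0
xlC.aix43.rte 5.0.2.0'

# Constructed inventory of a host that meets every requirement.
SAMPLE_INVENTORY_GOOD='bos.rte.libpthreads 4.3.3.51
xlC.rte 6.0.0.1
xlC.aix43.rte 6.0.0.3'

# check_levels REQUIRED INVENTORY: one line per requirement, prefixed
# OK, LOW (installed but below the minimum) or MISSING.
check_levels() {
    printf '%s\n' "$1" | while read -r name need; do
        [ -n "$name" ] || continue
        have=$(printf '%s\n' "$2" | awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then
            echo "MISSING $name (need $need)"
        elif version_ge "$have" "$need"; then
            echo "OK $name $have"
        else
            echo "LOW $name $have (need $need)"
        fi
    done
}

# all_ok REQUIRED INVENTORY: succeed only when every requirement is met,
# so the result can gate an installation script.
all_ok() {
    check_levels "$1" "$2" | grep -qv '^OK ' && return 1
    return 0
}

check_levels "$REQUIRED_AIX433" "$SAMPLE_INVENTORY"
```

Entries that are exact package names rather than levels (the Solaris patch IDs and the SLES kernel packages) can be expressed the same way by listing the package as the name and its release as the level, since version_ge treats the hyphen as a further dotted component.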


Backward compatibility

The following Tivoli Access Manager components can communicate with a Version 5.1 policy server or authorization server:

v Access Manager Runtime, Versions 3.8, 3.9, 4.1, and 5.1

v Access Manager Java Runtime Environment, Versions 3.9, 4.1, and 5.1

Notes:

1. Because the AZN servers use the runtime for communication, the servers are backward compatible.

2. All components on a single system must be at the same version.

3. When using Active Directory or Lotus Domino as the user registry, all Tivoli Access Manager components must be at the Version 5.1 level.

The binary backward compatibility supported by Tivoli Access Manager, Version 5.1, for Tivoli Access Manager, Version 3.9 and 4.1, applications is as follows:

v Access Manager Runtime, Version 5.1, supports applications compiled against Tivoli Access Manager, Version 4.1 and 3.9 ADKs for all platforms (except Solaris).

v Access Manager Runtime, Version 5.1, for Solaris supports applications compiled against the Tivoli Access Manager, Version 4.1 ADK only.


Hardware acceleration card support

Table 4 lists the platform-specific hardware acceleration cards that have been verified to perform successfully with Tivoli Access Manager WebSEAL, Version 5.1.

Table 4. Hardware acceleration card support

AIX 5.1
  v nCipher nForce 300 RSA BSAFE, Version 5.32
  v nCipher nForce 300 PKCS#11, Version 5.32
  v IBM 4758-023 PKCS#11, Version 2.41
  v Eracom Orange PKCS#11, Version 2.11
  v IBM 4960 PKCS#11, Version 5.1.0.25

AIX 5.2
  v IBM 4758-023 PKCS#11, Version 2.41
  v Eracom Orange PKCS#11, Version 2.11
  v IBM 4960 PKCS#11, Version 5.1.0.25

HP-UX 11
  v Rainbow Crypto Swift RSA BSAFE, Version 3.2.0

HP-UX 11i
  Not supported

Red Hat Enterprise Linux 3.0
  v Eracom Orange PKCS#11, Version 2.11

SuSE SLES8 for IA32
  v Eracom Orange PKCS#11, Version 2.11

SuSE SLES8 for zSeries (31-bit native and 31-bit compatibility mode in 64-bit native) and S/390 (31-bit native)
  v PCICA - zSeries Feature code 0862
  v PCICC - zSeries Feature code 0861, S/390 Feature code 0860

Solaris 8
  v Rainbow Crypto Swift RSA BSAFE, Version 3.2.0
  v nCipher nForce 300 RSA BSAFE, Version 8.0
  v nCipher nForce 300 PKCS#11, Version 8.0
  v Eracom Orange PKCS#11, Version 2.11

Solaris 9
  v nCipher nForce 300 RSA BSAFE
  v nCipher nForce 300 PKCS#11, Version 2.10

Windows 2000 Server and Advanced Server
  v Rainbow Crypto Swift RSA BSAFE, Version 3.2.0
  v nCipher nForce 300 RSA BSAFE, Version 8.0
  v nCipher nForce 300 PKCS#11, Version 8.0
  v IBM 4758-023 PKCS#11, Version 2.41
  v Eracom Orange PKCS#11, Version 2.11

Windows 2003 Standard Server and Enterprise Server
  Not supported

Install the appropriate vendor's device drivers on the machine where WebSEAL is running, per the instructions accompanying the card. In the case of the BSAFE cards, no additional configuration for WebSEAL is required: GSKit automatically detects the cards, so any Tivoli Access Manager component that uses GSKit (such as WebSEAL) automatically uses the acceleration. In the case of the PKCS11 cards, WebSEAL must be enabled to use PKCS11, using the PKCS11 directives in the WebSEAL configuration file.


Chapter 3. Known problems and workarounds

The following problems and limitations are known to exist in IBM Tivoli Access Manager (Tivoli Access Manager). Workarounds are provided if they are available.

Some entries include an internal tracking number. Report any other problems to IBM Customer Support for Tivoli products.

Note: If you are using a version of IBM Tivoli Access Manager for e-business in a language other than English, be sure to also review the information in Chapter 4, "Internationalization notes," on page 45.

Considerations before installation

Consider the following problems or limitations before installation.

Installation wizard fails on Windows 2003 server with Active Directory (44369)

The installation wizard fails on a Windows 2003 server with Active Directory as the user registry.

Workaround: Consider using the native installation method instead. Otherwise, to use the installation wizard, you must first install the IBM Tivoli Directory client. To install the client, change to CD drive:\Windows\Directory and run setup.exe. The installation program will start. Follow the instructions on the wizard panels but select the Client SDK 5.2 only. After installation is complete, continue with the installation wizard.

Installation wizard does not provide SSL option for Plug-in for Web Servers for an LDAP server (44336)

If you plan to use SSL communication with an LDAP server, do not use the installation wizard to install the Plug-in for Web Servers. Use native installation instead. The installation wizard for the Plug-in for Web Servers does not provide an option for SSL communication with an LDAP server.

Installation wizard fails on a multi-domain Active Directory system (44046)

If you are running the installation wizard on a multi-domain Active Directory system and you do not add the domain extension to the sec_master user ID, an invalid user ID error is returned and the installation fails.

Workaround: Enter the fully qualified domain extensions on the Access Manager user ID.

Tivoli Access Manager requires minimum JRE level of 1.3.1.5 on AIX (41082)

You must install a minimum of JRE 1.3.1.5 on AIX®, which is provided on the Tivoli Access Manager CDs. Refer to the IBM Tivoli Access Manager for e-business Web Security Installation Guide for more information.


JDK 1.3.1 failing on Red Hat Enterprise Linux 3 when usingthe installation wizard (40973, 43956)

The new threading library (NPTL) implemented by Red Hat Enterprise Linux 3.0 isnot compatible with the  JDK 1.3.1 that is included with Tivoli Access Manager 5.1.It causes an installation failure.

Workaround: Set the LD_ASSUME_KERNEL environment variable prior to running the installation script to a value compatible with JDK 1.3.1. For example:

export LD_ASSUME_KERNEL=2.4.0

or

export LD_ASSUME_KERNEL=2.2.5

As an alternate workaround, you could install the latest JRE service pack, which is available at the following IBM Web site: http://www.ibm.com/developerworks/java/jdk/index.html

Access Manager Runtime component must be installed before you can install Tivoli Access Manager Java runtime environment javadocs (43895)

To install the Javadoc information associated with the Tivoli Access Manager Application Development Kit, you must have the Tivoli Access Manager runtime component installed. This is due to incorrect prerequisite checking in the Access Manager Application Development Kit.

Web Portal Manager configuration requires IBM Java Runtime Environment 1.3.1 (44178)

Web Portal Manager can only be configured using IBM Java Runtime Environment 1.3.1. If other JREs are used (such as the Sun Java Runtime Environment), the configuration of Web Portal Manager might fail.

Default ports used in WebSphere Application Server installations (44432)

The ports used in the installation of WebSphere Application Server differ depending on the method of installation you choose. In addition, the ports used might conflict with ports that are already in use. Refer to the following installation method descriptions for more information.

Installation wizard
    If you use the installation wizard to install Web Portal Manager and as part of that installation you also installed WebSphere Application Server on a machine that already has an HTTP server running on port 80, the installation wizard sets the port for its HTTP server to 81. On AIX, the installation wizard also sets the port for the WebSphere Administrative Console to 9091 because by default AIX already has a service (wsmserver) running on 9090.

Native installation
    The native installation of WebSphere sets itself to use port 80 for the HTTP server and port 9090 for the Administrative Console by default even if other services are already running on these ports. If other services are using these ports, change the configuration of those services so that they use other ports.

Upgrading an existing WebSEAL installation might overwrite libcdmf.* files (44079)

If you are installing WebSEAL over an existing version of WebSEAL, back up all libcdmf.* files and make a note of their locations prior to the installation. The new installation will overwrite these files. After installing the new version of WebSEAL, copy the backup copies to their previous locations.

Considerations during installation

The following problems or limitations might occur during installation.

Installation wizard fails on Red Hat Enterprise Linux 3.0 for zSeries (42163)

When installing the Access Manager Runtime environment using the install_amrte installation utility on Red Hat Enterprise Linux 3.0 Beta 2 on Linux for zSeries®, you might receive the following error:

[root@metlnx03 am51-030915]# ./install_amrte
InstallShield Wizard

Initializing InstallShield Wizard...

Searching for Java(tm) Virtual Machine..............................................................................
No matching JVM was found.

Workaround: Run the installation program as follows:

java -cp install_xxx_setup.jar run

where the Java version is Java 1.4.1.

Java Runtime Environment cannot be located during installation on Windows 2000 (43948)

On Windows 2000, if you are prompted for the location of the Java Runtime Environment during installation, run the following command:

java -cp install_xxx_setup.jar run

For example, if  the installation wizard is install_amacld.exe, you would run

java -cp install_amacld_setup.jar run

The .jar files are in the same directory as the installation wizard.

If a reboot is required, run the above command again to complete the configuration.


Configuration of the policy server fails after reboot during use of installation wizard (43906)

If you install the policy server on the same Windows system where an LDAP server is installed, the configuration of the policy server will fail after the system reboots. This happens because the LDAP server does not automatically restart.

Workaround: Start the LDAP server services and then configure the policy server.

Double-byte recorded response files for installation wizard contain corrupted text (37601, 39896, 43907)

When you attempt to record options files for the installation wizard on double-byte operating systems using -options-record or -options-template, the recorded response file contains corrupted text. There is no workaround for this problem.

Exception error displayed when installing Web Portal Manager on Windows using installation wizard (44045)

If an exception is displayed while you are installing Web Portal Manager on Windows, reboot and rerun the installation.

Removing the ibmjcaprovider.jar file during installation (44323)

When installing the Tivoli Access Manager Java runtime environment component, the installation program might prompt you to remove the $JAVA_HOME/lib/ext/ibmjcaprovider.jar file and restart the installation program. You must physically remove this file from the directory. Do not attempt to just rename the file, or to place the file in a subdirectory of the ext directory. The JRE opens all files in this directory tree (regardless of name or extension) to determine what classes are available. The first file encountered by the JRE with a specific class is the one that is used. However, the algorithm used to locate these files is platform and JRE specific, thus it cannot easily be determined which file will be selected if multiple files exist in the directory tree with the requested class. Removing the existing ibmjcaprovider.jar file ensures that the proper classes are used by applications using the Tivoli Access Manager Java runtime environment.

Using Microsoft Active Directory

The following problems and limitations might occur when you are using Microsoft Active Directory.

Avoid special characters in Active Directory names

When using Microsoft Active Directory as a user registry, avoid using special characters in user names, group names, or Distinguished Names (DN). For example, the backslash character (\) is not allowed in a DN in Active Directory. Refer to the Active Directory documentation for additional details.

Enable "File and Print Sharing" when using Active Directory

You must enable the File and Printer Sharing network component on the Microsoft Windows 2000 or Windows 2003-based domain controller when using the Active Directory user registry. If this component is not enabled, error messages occur when attempts are made to join the domain. For more information, see:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q260371


Modifying iPlanet registry look-through limit (14785)

Installing Tivoli Access Manager on a system using the iPlanet Directory Server Version 5 registry can result in a "search request limit exceeded" error under certain circumstances. The conditions that trigger the problem include using a user registry containing more entries than the registry's "look-through" search limit.

When the look-through limit defined in the iPlanet Directory Server is exceeded, the directory server returns a status of LDAP_ADMINLIMIT_EXCEEDED, which Tivoli Access Manager treats as an error. The look-through limit is a performance related parameter that can be customized by the iPlanet LDAP administrator.

In the iPlanet Console, select the Configuration tab and expand the Data entry. Then select the Database Settings item and select the LDBM Plug-in Settings tab. In the Look-through Limit field, enter the maximum number of entries you want the server to check in response to a search request. The default look-through limit value is 5000. If you do not wish to set a limit, enter -1 in this field.

If you bind to the directory as the Directory Manager, the look-through limit is unlimited by default, and overrides any settings you specify in this field.

Error appears when protecting iPlanet administration server

When you protect the iPlanet administration server (virtual host name: https-admserv) with the Tivoli Access Manager Plug-in for Web Servers, error messages similar to the following appear in the pdwebpi.log file:

2002-03-16-07:33:31.901+00:00I----- 0x35F02127 pdwebpi ERROR pic Authorization Server pdwebpi_admin_svc.c 323 0x00000001
The administration service could not read the configuration information for virtual host /PDWebPI/https-admserv: 0x35f02002:
The requested data is not currently available (pd / pic)

2002-03-16-07:33:31.902+00:00I----- 0x35F02129 pdwebpi WARNING pic Authorization Server pdwebpi_admin_svc.c 330 0x00000001
The administration service could not initialized for virtual host /PDWebPI/https-admserv. Administration service features will not be available for this virtual host

These error messages are displayed because the iPlanet administration server does not have any local file system Web resources and consequently does not have a document root. For this reason, Tivoli Access Manager cannot perform a "query contents"-like operation for this virtual server.

pdunconfig does not completely clean up on Sun ONE Directory Server 5.2 (40621)

After successful unconfiguration of all domain information on an IBM Tivoli Access Manager for e-business server on a Sun ONE 5.2 system, reconfiguration fails with an "Object does not exist" error.

Workaround: Perform the following steps:

1. Unconfigure the server.

2. Go to the Sun ONE 5.2 console.

3. Delete and re-create the secauthority=default suffix.


Using Web Portal Manager

The following problems and limitations might occur when you are using the Tivoli Access Manager Web Portal Manager GUI.

Browse the Web Portal Manager GUI from AIX 5.1

The IBM Tivoli Access Manager Base Installation Guide states that Web Portal Manager supports the following Web browsers:

v Netscape Navigator 4.78 and 6.2

v Internet Explorer 5.5 and 6.0

These browser versions are supported on other operating systems; however, you cannot use these browsers to log in to Web Portal Manager on AIX 5.1 systems. In addition, you cannot use the version of Netscape packaged in the Bonus Pack (Version 4.79). When this browser client is used to connect to the Web Portal Manager server, the text in the pages might not display.

Workaround: Use Netscape 7.0.3 for AIX 5.1 systems.

Do not configure a policy proxy server using default timeout values (30100 and 30128)

If you encounter an error between Tivoli Access Manager and the IBM Directory server while a proxy server is being configured, a timeout will occur at the proxy server. The proxy server is left in a partially-configured state (even though it appears to be configured successfully). In this case, you cannot use the standard Tivoli Access Manager runtime unconfiguration procedure.

Workaround: Do the following:

1. In the /opt/PolicyDirector/etc/pd.conf file, change the ssl-io-inactivity-timeout value to 0.

2. In the /opt/PolicyDirector/etc/pdmgrproxyd.conf file, add the following statement under the [aznapi-configuration] stanza:

azn-app-host = proxy_hostname

where proxy_hostname is the host name of the proxy server machine.

3. Unconfigure the policy proxy server using the pdconfig utility.

4. Increase the timeout setting to a value higher than the default timeout setting.

5. Reconfigure the policy proxy server.

Authentication slows down when the ACL cache is enabled (29961)

The authentication performance of the IBM Directory (LDAP server), Version 4.1, progressively slows down with the ACL cache enabled.

Workaround: Disable the LDAP ACL cache by adding a line to the /etc/slapd32.conf file, as follows:

dn: cn=Front End, cn=Configuration
cn: Front End
objectclass: top
objectclass: ibm-SlapdFrontEnd
ibm-slapdSetEnv: ACLCACHE=NO


Web Portal Manager can only be configured to the Default domain (43847)

If you attempt to configure Web Portal Manager to any domain other than the Default domain, you will receive an invalid argument error. There is no workaround for this problem.

Using WebSEAL

The following problems and limitations might occur if you are using Tivoli Access Manager WebSEAL.

Expired password in Active Directory (AD_LDAP) might prevent WebSEAL authentication (43684)

If a user's password has expired in Active Directory, the user can't authenticate to WebSEAL. When the authentication fails, an error message is displayed that says "Authentication failed. You have used an invalid user name, password, or client certificate." The problem occurs on all UNIX-based platforms and on Windows systems in which the WebSEAL machine is not a member of the Active Directory domain. However, the problem occurs only if the user's password is set to expire after a specified time period. Passwords that have been flagged as "must change on next login" will perform correctly.

Workaround: Use the Tivoli Access Manager password expiration policy instead of the Active Directory password expiration policy.

Global server ID certificates do not work correctly (IY30623, IY21308)

Global Server IDs do not work with Microsoft Internet Explorer on any supported version of Tivoli Access Manager. This problem is caused by a fault in the ordering of the CIPHER list.

Workaround: Perform the following steps for each WebSEAL server that has a Global Server ID:

1. Confirm that the ssl-qop-mgmt parameter in the [ssl-qop] stanza of the webseald.conf configuration file is disabled:

[ssl-qop]
ssl-qop-mgmt = no

2. Manually edit the pdweb_start script and place the GSK_V3_CIPHER_SPECS environment variable, with the following value, near the beginning of the script where environment variables are set:

GSK_V3_CIPHER_SPECS=04050A030609020100

3. Save and close the script file, and restart WebSEAL:

UNIX
    # /usr/bin/pdweb_start restart

Windows
    Use the Services Control Panel to restart WebSEAL.
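The GSK_V3_CIPHER_SPECS value above is a preference-ordered list of two-hex-digit cipher codes, and the workaround itself notes that ordering is what makes or breaks Internet Explorer. The following decoder is an added example, not IBM or GSKit code: it splits such a value into its codes, names them, and flags the entries an administrator would want to review before putting them in a start script. The code-to-suite mapping is assumed from the SSLv3 cipher-suite numbers (RFC 6101, appendix A.6), which GSKit's two-character codes follow; the weak-set classification (NULL encryption, 40-bit export, single DES) is the author's.

```python
"""Decode and review a GSKit-style V3 cipher spec string such as the
GSK_V3_CIPHER_SPECS value set in pdweb_start.  Added example, not IBM code."""

from dataclasses import dataclass
from typing import List

# Assumed mapping: two-character GSKit code -> SSLv3 suite (low byte of the
# RFC 6101 cipher-suite number).
SSLV3_SUITES = {
    "00": "SSL_NULL_WITH_NULL_NULL",
    "01": "SSL_RSA_WITH_NULL_MD5",
    "02": "SSL_RSA_WITH_NULL_SHA",
    "03": "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "04": "SSL_RSA_WITH_RC4_128_MD5",
    "05": "SSL_RSA_WITH_RC4_128_SHA",
    "06": "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "07": "SSL_RSA_WITH_IDEA_CBC_SHA",
    "08": "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "09": "SSL_RSA_WITH_DES_CBC_SHA",
    "0A": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
}

# Codes that give no confidentiality, 40-bit export strength, or single DES.
WEAK_CODES = {"00", "01", "02", "03", "06", "08", "09"}


@dataclass
class CipherEntry:
    position: int   # 0-based place in the list; earlier entries are preferred
    code: str
    name: str
    weak: bool


def decode_cipher_specs(spec: str) -> List[CipherEntry]:
    """Split a spec string into two-character codes, in preference order."""
    spec = spec.strip().upper()
    if len(spec) % 2 != 0 or any(c not in "0123456789ABCDEF" for c in spec):
        raise ValueError(f"not a valid cipher spec: {spec!r}")
    entries = []
    for i in range(0, len(spec), 2):
        code = spec[i:i + 2]
        name = SSLV3_SUITES.get(code, "UNKNOWN")
        entries.append(CipherEntry(i // 2, code, name, code in WEAK_CODES))
    return entries


def weak_codes(spec: str) -> List[str]:
    """Codes in the spec that fall into the weak set, in list order."""
    return [e.code for e in decode_cipher_specs(spec) if e.weak]


def strongest_first(spec: str) -> bool:
    """True when no weak entry precedes a non-weak one in the list."""
    seen_weak = False
    for e in decode_cipher_specs(spec):
        if e.weak:
            seen_weak = True
        elif seen_weak:
            return False
    return True


if __name__ == "__main__":
    spec = "04050A030609020100"   # value from the release note
    for e in decode_cipher_specs(spec):
        flag = "  <-- weak" if e.weak else ""
        print(f"{e.position}: {e.code} {e.name}{flag}")
    print("weak entries:", weak_codes(spec))
    print("strong entries listed first:", strongest_first(spec))
```

Run against the release note's value, the decoder shows three 128-bit or 3DES suites at the front followed by six entries that offer export-strength or no encryption; a current policy would add the RC4 entries to the weak set as well.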


Improving SSL encryption performance in WebSEAL on Solaris (43387)

To improve WebSEAL HTTPS SSL encryption performance on an UltraSparc Solaris platform, enable the use RSA option in the webseald.conf file.

To use WebSEAL HTTPS SSL encryption on a Solaris platform other than UltraSparc, the use RSA option must be enabled. If not, WebSEAL HTTPS encryption will fail and messages will not be logged to the WebSEAL error log.

WebSEAL on Red Hat Linux 3.0 crashes during a junction delete operation

This problem occurs only when the WebSEAL binary (webseald) is started from a command line. One method to start WebSEAL is to run the pdweb_start script. The pdweb_start script sets some necessary environment variables before executing webseald. On Red Hat Linux 3.0, the script sets the environment variable LD_ASSUME_KERNEL. When webseald is run without first setting LD_ASSUME_KERNEL, the junction delete operation can cause WebSEAL to crash.

Workaround: Always use pdweb_start to start WebSEAL on Red Hat Linux 3.0. If you need to run webseald manually (without using pdweb_start), you must first set and export LD_ASSUME_KERNEL:

export LD_ASSUME_KERNEL="2.4.19"

Error messages displayed after removing WebSEAL from a Linux platform (44078)

When WebSEAL has been removed from a Linux platform, error messages such as the following are displayed:

error: cannot remove /var/pdweb/www/log - directory not empty
error: cannot remove /var/pdweb/www - directory not empty
error: cannot remove /var/pdweb/log - directory not empty
error: cannot remove /var/pdweb - directory not empty

Workaround: Ignore these error messages. You can remove these directories manually.

Error messages incorrectly refer to "session inactivity timestamp" (44086)

Error messages that refer to a "session inactivity timestamp" should refer to a "session activity timestamp." For example, the following message:

"The session inactivity timestamp is missing from the failover cookie."

should read as follows:

"The session activity timestamp is missing from the failover cookie."

The help message for server task remove is incorrect (44083)

The help message for the server task remove command in WebSEAL is incorrect. The portion that reads <server-id> in the current message should read <server-UUID>. Refer to the IBM Tivoli Access Manager for e-business Command Reference for the complete syntax.


No error message for failover cookie update failure (44084)

When an su-admin has switched user and a credential refresh is performed, the failover cookie will not be updated. However, no error message is displayed warning that the failover cookie was not updated.

Certificate login prompt displayed inappropriately (44088)

When the certificate stanza is set to prompt_as_needed and users authenticate using certificates and then try to access a resource that has a reauth POP applied, the users get a certificate login prompt when they should really get a "Reauth required" error page.

BASE HREF tags not preserved when missing the trailing slash (44090)

When preserve-base-href is set to yes in the WebSEAL configuration file, the following behavior exists:

If an HTML page has a BASE tag like this: <BASE HREF="http://server.ibm.com/">, where junction /jct points to server.ibm.com, WebSEAL maps the HREF to /jct/ and the BASE tag resolves to: <BASE HREF="https://webseal/jct/">

However, if an HTML page has a BASE tag like this: <BASE HREF="http://server.ibm.com">, with no trailing slash, where junction /jct points to server.ibm.com, WebSEAL maps the HREF to /jct and eliminates the jct because there is no trailing slash. In this case, the BASE tag is resolved to: <BASE HREF="https://webseal/">
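The consequence of that rewrite is easiest to see by following a page-relative link through both BASE values. The model below is an added example, not WebSEAL code: the junction table, the WebSEAL host name and both mapping functions are assumptions for illustration. map_base_href() reproduces the behaviour the release note describes, map_base_href_fixed() shows a junction-preserving alternative that treats a bare host as the back-end root, and resolve() applies RFC 3986 reference resolution (urllib.parse.urljoin) to show where a relative link ends up under each BASE.

```python
"""Model of the BASE HREF junction mapping described in release note 44090.
Added example, not WebSEAL code; junction table and host are assumed."""

from urllib.parse import urljoin, urlsplit

# Constructed junction table for the example: junction point -> back-end host
JUNCTIONS = {"/jct": "server.ibm.com"}
WEBSEAL_HOST = "https://webseal"   # assumed WebSEAL host name


def _junction_for(host):
    """Return the junction point whose back end is `host`, or None."""
    for jct, backend in JUNCTIONS.items():
        if backend == host:
            return jct
    return None


def map_base_href(href: str) -> str:
    """Behaviour the release note describes."""
    parts = urlsplit(href)
    jct = _junction_for(parts.hostname)
    if jct is None:
        return href                    # not a junctioned host; left alone
    mapped_path = jct + parts.path     # a bare host gives path ""
    if not mapped_path.endswith("/"):
        # Modelled problem: without a trailing slash the path is handled
        # like a file reference, so its last segment (here the junction
        # name itself) is dropped.
        mapped_path = mapped_path.rsplit("/", 1)[0] + "/"
    return WEBSEAL_HOST + mapped_path


def map_base_href_fixed(href: str) -> str:
    """Junction-preserving variant: a bare host means '/' on the back end."""
    parts = urlsplit(href)
    jct = _junction_for(parts.hostname)
    if jct is None:
        return href
    return WEBSEAL_HOST + jct + (parts.path or "/")


def resolve(base: str, relative: str) -> str:
    """Resolve a page-relative reference against a (rewritten) BASE."""
    return urljoin(base, relative)


if __name__ == "__main__":
    for base in ("http://server.ibm.com/", "http://server.ibm.com"):
        mapped = map_base_href(base)
        print(f"{base:25} -> {mapped:25} img/logo.gif -> "
              f"{resolve(mapped, 'img/logo.gif')}")
    print("junction-preserving:", map_base_href_fixed("http://server.ibm.com"))
```

Under the rewritten BASE without the junction, every page-relative link on the page resolves to WebSEAL's own root rather than to the junctioned server, so images and scripts fail to load or hit the wrong object space. The last assertion in the test also shows that browsers apply the same last-segment rule to a BASE of https://webseal/jct, which is why the trailing slash matters even when the junction name survives.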

WebSEAL help messages incomplete (44095)

The help messages that are displayed when you run the help command are incomplete. Use the IBM Tivoli Access Manager for e-business Command Reference instead of the help command.

WebSEAL error messages for the wsadmin library are missing from the message catalogs (44100)

When WebSEAL is started and the wsadmin library cannot be loaded, one of the following error messages will be printed in English to standard out:

Unable to load shared library ’<libname>’

Unable to resolve symbol ’<symbol>’ from shared library ’<libname>’

These error messages are not in the message catalog and are not documented in the IBM Tivoli Access Manager for e-business Problem Determination Guide. If you see these messages without a corresponding ID at the front of the message, your wsadmin library is damaged or cannot be loaded. This library should be in the following locations:

UNIX

/opt/pdweb/lib

Windows

C:\Progra~1\Tivoli\PDWeb\bin

Workaround: To fix the problem, reinstall WebSEAL or copy the library from another machine where WebSEAL is installed and running correctly. This error applies to only the wsadmin library. All other shared libraries list errors correctly if they cannot be loaded or symbols cannot be resolved.

Incorrect error code displayed when a container cannot be found during AMWebARS request (44134)

When a request is made of the AMWebARS Web service for a container that cannot be found, the DynADI internal error code that is printed in the webseald log file is 1005b3b2. This error code is not a valid Tivoli Access Manager error, and cannot be used to reference any additional data on the error itself.

Workaround: Use the error message that is displayed at the time the error occurs to help diagnose this error.

WebSEAL might crash if the Active Directory server is unavailable or slow to respond (44386)

WebSEAL might crash in the following environments:

v In a UNIX environment, when using Active Directory as the user registry.

v In a Windows environment, when using Active Directory as the user registry, and in which the WebSEAL machine is not a member of the Active Directory domain.

The problem does not occur if IBM Tivoli Directory Server is used as the user registry.

WebSEAL fails to authenticate (44082)

When the webseald.conf file contains accept-client-certs = optional, and an attempt to authenticate with a certificate fails, the client receives an SSL error and is unable to perform any other type of authentication or to proceed as unauthenticated when accessing resources through the WebSEAL system. This problem occurs only if the client chooses to present a certificate, and something is wrong with the certificate itself, such as the expiration dates being invalid. The problem does not occur if the client does not present a certificate at all.

Workaround: As an immediate workaround, the client can close and reopen the browser, then re-access the resource, this time not selecting a certificate when prompted. A longer-term solution is for the client to obtain a valid certificate.

Using Plug-in for Web Servers

The following problems or limitations might occur if you are using the Plug-in for Web Servers.

Redirected URL not displayed in Internet Explorer address field (37028)

With BA and login-redirect configured, an authenticated request after session timeout or inactivity timeout results in the display of an incorrect URL in the Address field of Internet Explorer 6.0 browsers.

This behavior is unique to Internet Explorer 6.0, and there is no workaround to force the browser to display the redirected URL.


Recorded option files in multi-byte languages display corrupted text in the explanatory field (39896)

When you record an option file using -options-record or -options-template in any double-byte language operating system, the explanatory text appears corrupted. There is no workaround for this issue.

Dynamically generated hidden fields not passed by Forms Single Sign-On (39924)

The current implementation of Forms Single Sign-On (FSSO) in web plug-ins does not support text in <script> blocks. Hidden fields from the Access Manager login form are not passed through by FSSO. Only standard HTML within the <form> block is recognized.

Use of non-default user identities with application pools on a Windows Domain Controller causes service unavailable errors (42351)

When running IBM Tivoli Access Manager for e-business Plug-in for Microsoft IIS on a Windows 2003 Domain Controller, you must configure IIS to use one of the default identities to successfully access the application pool. Failure to use one of these identities results in all requests to URIs on protected virtual hosts using application pools receiving 503 Service Unavailable errors.

Workaround: On Windows 2003 Domain Controller systems, configure IIS to use one of the following user identities:

v NETWORK SERVICE

v LOCAL SERVICE

v LOCAL SYSTEM

v <domain>\IWAM_<domain>-<machine>

This is only necessary for Windows 2003 Domain Controller systems.

SPNEGO behavior differs depending on where the browser is operating from within the Active Directory Domain (41078)

When the Internet Explorer browser is operated from the Domain Controller machine, SPNEGO behavior is not the same as when the browser is operated from another machine within the Active Directory Domain. For example, the browser will not renegotiate or fall back to another form of authentication if an incorrect username or password is entered at the SPNEGO login prompt. There is no workaround for this limitation.

Modifying the pdwebpi.conf file before upgrading the Microsoft IIS Plug-in (44361)

Before upgrading the Tivoli Access Manager Microsoft IIS Plug-in, you need to modify the pdwebpi.conf file as follows:

1. Edit the pdwebpi.conf file.

2. Locate the iis stanza.

3. Comment out the map-ba-users-to-anonymous entry.

After you have successfully upgraded the Microsoft IIS Plug-in, you can re-enable the entry.


Relative URLs on Web page not returned with request (44209)

When you are using the Plug-in for Web Servers with Microsoft IIS 6.0, references that are specified relative to the page are not displayed. For example, as tagged in the following reference, pagerror.gif is not displayed:

<body bgcolor=white><table><tr><td ID=tableProps width=70 valign=top align=center>
<img ID=pagerrorImg src="pagerror.gif" width=36 height=48>

To resolve this problem, make all references relative to the Web site rather than relative to the page. For example, the corrected version of the previous example would be as follows:

<body bgcolor=white><table><tr><td ID=tableProps width=70 valign=top align=center>
<img ID=pagerrorImg src="/pagerror.gif" width=36 height=48>
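Checking a site for page-relative references by hand does not scale, so the following scanner is added as an example (not IBM code): it walks an HTML document with the standard-library parser, reports every URL-bearing attribute whose value is relative to the page rather than to the site root, and rewrites such a value to the site-relative form the release note recommends, given the path of the page it appears on. The sample HTML is constructed around the fragment above, and the set of tags and attributes scanned is an assumption.

```python
"""Find page-relative references (the form release note 44209 says the
IIS 6.0 plug-in does not serve) and rewrite them to site-relative form.
Added example, not IBM code."""

from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# URL-bearing attributes per tag (html.parser lowercases tag/attribute names)
URL_ATTRS = {"img": ("src",), "a": ("href",), "script": ("src",),
             "link": ("href",), "form": ("action",)}


def is_page_relative(ref: str) -> bool:
    """True for 'pagerror.gif' or '../x.gif'; False for '/x.gif', '#top',
    '?q=1' and absolute URLs such as 'http://www.ibm.com/x.gif'."""
    parts = urlsplit(ref)
    if parts.scheme or parts.netloc:
        return False
    return not ref.startswith(("/", "#", "?"))


class RefCollector(HTMLParser):
    """Collects (tag, attribute, value) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag, ())
        for name, value in attrs:
            if name in wanted and value is not None:
                self.refs.append((tag, name, value))


def find_page_relative_refs(html: str):
    """Return the (tag, attr, value) triples that are relative to the page."""
    parser = RefCollector()
    parser.feed(html)
    parser.close()
    return [r for r in parser.refs if is_page_relative(r[2])]


def to_site_relative(ref: str, page_path: str) -> str:
    """Rewrite a page-relative ref using the page's own path (for example
    '/errors/404.htm'), so the result starts with '/' and no longer depends
    on where the page lives."""
    return urljoin(page_path, ref)


# Constructed sample built around the fragment in the release note
SAMPLE_HTML = (
    '<body bgcolor=white><table><tr><td ID=tableProps width=70 valign=top align=center>'
    '<img ID=pagerrorImg src="pagerror.gif" width=36 height=48>'
    '<img src="/pagerror.gif"><a href="http://www.ibm.com/">IBM</a>'
)

if __name__ == "__main__":
    for tag, attr, value in find_page_relative_refs(SAMPLE_HTML):
        print(f"<{tag} {attr}={value!r}> is page-relative; "
              f"on /errors/404.htm use {to_site_relative(value, '/errors/404.htm')!r}")
```

For a page served from the site root the rewrite produces exactly the /pagerror.gif form shown in the corrected fragment; for a page deeper in the tree it keeps the original target by folding the page's directory into the new path.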

Cancelled certificate authentication might result in timeout when using Apache Web Server (44273, 44286)

On an Apache Web Server, when authenticating using a client certificate, the user is presented with a dialog box showing the available certificates. If the user clicks the Cancel button on this dialog box, then no certificate authentication is performed. However, the browser might time out waiting for a response from the Web server, rather than displaying the correct response. The correct response in this situation is either an authentication challenge from the next configured authentication module, or a 403 Forbidden response if there are no other authentication modules configured.

Using IBM Tivoli Directory Server

Using IBM Tivoli Directory Server Version 5.2 on Linux for zSeries (44406)

When IBM Tivoli Directory Server Version 5.2 is installed on Linux for zSeries, a directive is included in the ibmslapd.conf file to keep IBM Tivoli Directory Server from hanging when a Tivoli Access Manager workload is running. However, when IBM Tivoli Directory Server is configured to use a database, the ibm-slapdSetenv directive is overlaid with a new directive, which might cause the hang to occur again. To correct this problem, edit the ibmslapd.conf file and add the following directive:

ibm-slapdSetenv: LDAP_MAXCARD=NO

Following is an example of an ibmslapd.conf file with the directive added in the proper location:

dn: cn=Front End, cn=Configuration
cn: Front End
ibm-slapdACLCache: TRUE
ibm-slapdACLCacheSize: 25000
ibm-slapdEntryCacheSize: 25000
ibm-slapdFilterCacheBypassLimit: 100
ibm-slapdFilterCacheSize: 25000
ibm-slapdIdleTimeOut: 300
ibm-slapdSetenv: DB2CODEPAGE=1208
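Both this workaround and the ACLCACHE=NO workaround for the IBM Directory 4.1 ACL cache (29961) amount to placing an ibm-slapdSetenv line in the cn=Front End, cn=Configuration entry, and the release note warns that the configuration tool can overlay such a line. The following helper is an added example, not IBM code: it inserts the directive into that entry idempotently (replacing any existing value for the same variable rather than adding a duplicate) and reads the values back so the result can be verified. The sample configuration is constructed from the entry shown above; attribute names are matched case-insensitively, as LDAP does, so the ibm-slapdSetEnv spelling in the 29961 workaround is treated as the same attribute. LDIF continuation lines (lines starting with a space) are not handled.

```python
"""Idempotently add 'ibm-slapdSetenv: VAR=value' to the Front End entry of
an IBM Directory Server LDIF-style configuration.  Added example, not IBM
code.  Sample configuration is constructed from the release note's entry."""

from typing import List

FRONT_END_DN = "dn: cn=Front End, cn=Configuration"
SETENV_ATTR = "ibm-slapdsetenv"   # compared case-insensitively


def split_entries(text: str) -> List[List[str]]:
    """Split LDIF text into entries (lists of lines) separated by blank lines."""
    entries, current = [], []
    for line in text.splitlines():
        if line.strip() == "":
            if current:
                entries.append(current)
                current = []
        else:
            current.append(line)
    if current:
        entries.append(current)
    return entries


def _setenv_var(line: str) -> str:
    """Return VAR (upper-cased) if `line` is an ibm-slapdSetenv line, else ''."""
    attr, sep, rest = line.partition(":")
    if not sep or attr.strip().lower() != SETENV_ATTR:
        return ""
    return rest.strip().partition("=")[0].upper()


def ensure_setenv(text: str, var: str, value: str) -> str:
    """Return the configuration with 'ibm-slapdSetenv: VAR=value' present
    exactly once in the Front End entry; other lines are left untouched."""
    wanted = f"ibm-slapdSetenv: {var}={value}"
    rebuilt, found = [], False
    for entry in split_entries(text):
        if entry[0].strip().lower() == FRONT_END_DN.lower():
            found = True
            # Drop any existing assignment of the same variable, then append.
            entry = [l for l in entry if _setenv_var(l) != var.upper()] + [wanted]
        rebuilt.append("\n".join(entry))
    if not found:
        raise ValueError("Front End entry not found in configuration")
    return "\n\n".join(rebuilt) + "\n"


def setenv_values(text: str, var: str) -> List[str]:
    """All values assigned to VAR in the Front End entry, in file order."""
    values = []
    for entry in split_entries(text):
        if entry[0].strip().lower() != FRONT_END_DN.lower():
            continue
        for line in entry:
            if _setenv_var(line) == var.upper():
                values.append(line.partition(":")[2].strip().partition("=")[2])
    return values


# Constructed sample: the Front End entry from the release note plus a
# second entry to show that other entries pass through unchanged.
SAMPLE_CONF = """dn: cn=Front End, cn=Configuration
cn: Front End
ibm-slapdACLCache: TRUE
ibm-slapdACLCacheSize: 25000
ibm-slapdEntryCacheSize: 25000
ibm-slapdFilterCacheBypassLimit: 100
ibm-slapdFilterCacheSize: 25000
ibm-slapdIdleTimeOut: 300
ibm-slapdSetenv: DB2CODEPAGE=1208

dn: cn=Configuration
cn: Configuration
"""

if __name__ == "__main__":
    updated = ensure_setenv(SAMPLE_CONF, "LDAP_MAXCARD", "NO")
    print(updated)
    print("LDAP_MAXCARD:", setenv_values(updated, "LDAP_MAXCARD"))
```

Running the helper twice yields the same file, which is the property you want from a script that is re-run after the configuration tool has rewritten the entry; a check of setenv_values() after each restart is a cheap way to detect that the directive has been overlaid again.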


v Authorization API server in local mode and policy server

v Authorization API server in remote mode and policy server

v Authorization API server in remote mode and authorization server

v pdadmin utility and policy server

v Administration API and policy server

v Policy server and any Authorization API server, such as the authorization server, or WebSEAL

v svrsslcfg utility and policy server

Workaround: Set the PD_FIXED_CLIENT_IP environment variable to the IP address of a valid interface on the AIX system. The value should be in Internet address form, such as 192.168.51.79.

You also can avoid this problem by changing the routes available using route commands and metrics such that the same route is always selected. For example, if three routes exist to a server, two of those routes could be downgraded so that one route is always chosen. Refer to the AIX documentation for more information on using this type of solution.

IBM HTTP Server reauthentication limitation with directory indexing (19559)

The IBM HTTP Server mod_dir module detects accesses to directories in the Web space. If the access does not contain a trailing forward slash character ( / ), this module appends the forward slash character and sends a redirect (HTTP status 302) to the client.

In the case of reauthentication, this action forces the client to reauthenticate first against the initial URL (for example, http://server/dirname) and then against the mod_dir-modified URL (for example, http://server/dirname/). Thus, the client experiences two reauthentication attempts instead of the typical one reauthentication attempt when accessing other reauthentication protected objects.

This is a limitation in the behavior of the IBM HTTP Server mod_dir module, and this behavior is not configurable. However, this configuration (a reauthentication POP attached to a directory and URL access direct to the directory) is not common.

No workaround is available. It is recommended that the above configuration beavoided.

HTTP redirection affects reauthentication behavior (20633, 20631, 20735)

Web servers can perform redirections, as defined by the HTTP standard, to obtain certain behaviors. This release note describes the impact redirection can have on Tivoli Access Manager reauthentication policy.

Reauthentication policy requires an additional login for every access to an object protected by a reauthentication POP policy, either directly applied or inherited. If a client is redirected to such an object, reauthentication is required. Multiple redirections therefore result in multiple reauthentications.

A simple example is to apply a reauthentication POP to a directory in the Web space and access the directory: http://servername/directory.


Reauthentication is required to access the object. The Web server redirects the client to: http://servername/directory/index.html (some servers redirect to http://servername/directory/first).

The client follows the redirect by doing a GET on the new URL. A reauthentication is required for every redirection to objects protected by the reauthentication POP. Therefore it is possible for the client to receive multiple login requests before receiving the desired object due to redirection.

Redirection might also occur when processing forms, particularly the PasswordChange form returned when a client’s password has expired.

When the processing of a form is completed, a redirect is used to direct the client back to the original object. If this object requires reauthentication, the user is forced to log in again. In this case, it is possible to perform a reauthentication, a password change, and then another reauthentication, before receiving the original page requested.

Sample tutorial for Tivoli Access Manager for WebSphere Application Server might not work on HP-UX (28015)

WebSphere Application Server 4.0 includes a tutorial that describes how to use the WebSphere tools to build a sample WebSphere application. The IBM Tivoli Access Manager for e-business IBM WebSphere Application Server Integration Guide extends this tutorial to describe how to add security information to the sample application using Tivoli Access Manager. In some cases, the WebSphere Application Server tutorial might not successfully build WebSphere applications on the HP-UX platform. If this occurs, it is not possible to use Tivoli Access Manager for WebSphere Application Server to extend the sample application to add security information.

Workaround: You can complete the WebSphere tutorial on a different operating system. See the IBM Tivoli Access Manager for e-business IBM WebSphere Application Server Integration Guide for a list of supported operating systems.

BEA WebLogic Server can run out of heap space

A java.lang.OutOfMemoryError exception is thrown.

When running a large number of Tivoli Access Manager for WebLogic Server sessions, BEA WebLogic Server may run out of heap space.

Workaround: Increase the maximum heap size option for the Java Virtual Machine (JVM) in the startWebLogic script. For example:

%JAVA_HOME%\bin\java -ms64m -mx128m

Consult the BEA product documentation for recommended heap size, based on application architecture and the number of memory-intensive processes running on the host system. Applications should be stress-tested to determine the appropriate heap size for their environment. See the following URL for performance tuning considerations for thread counts and heap size:

http://edocs.bea.com/wls/docs61/perform/index.html


Home directories are not automatically deleted when Tivoli Access Manager for WebSphere Application Server is uninstalled using Windows Add or Remove Programs function (43612)

If you use the Microsoft Windows Add or Remove Programs function to remove IBM Tivoli Access Manager for WebSphere Application Server, the files located in the c:\Program Files\Tivoli\amwas directory are deleted, but the directory itself is not deleted.

Workaround: Manually delete the c:\Program Files\Tivoli\amwas directory after uninstalling IBM Tivoli Access Manager for WebSphere Application Server.

Tivoli Access Manager Java runtime environment successfully configures even when an invalid domain name is entered during installation or configuration (43896)

If you enter an invalid domain name during the installation or configuration of the Tivoli Access Manager Java runtime environment (PDJRTE), the configuration completes successfully, but does not function.

Workaround: Edit the PD.properties file and correct the invalid domain name, or unconfigure and reconfigure the Tivoli Access Manager Java runtime environment.

Erroneous error message during uninstallation of Tivoli Access Manager runtime environment (43904)

If new or modified files exist in a Tivoli Access Manager runtime environment installation, running the rpm command will cause the system to display an error message stating that these files cannot be removed.

Workaround: None needed. You can ignore this message because the uninstallation process will eventually remove these files despite the warning.

Tivoli Access Manager might not recognize suffixes added after starting the daemons (43933)

When LDAP is selected as the user registry, Tivoli Access Manager queries the LDAP server to determine the set of LDAP suffixes available. Tivoli Access Manager then uses this set of suffixes to search for user and group information. To avoid querying this information repeatedly, Tivoli Access Manager only retrieves the available set of suffixes on startup. If a new suffix is added after Tivoli Access Manager has started, the administrator must add the appropriate access control lists (ACLs) manually to give Tivoli Access Manager the appropriate permission to administer within the new suffix. The steps to accomplish this are documented in the IBM Tivoli Access Manager Base Installation Guide. Once the ACLs have been added, Tivoli Access Manager is able to create users and groups within the new suffix.

When a user or group is created successfully, Tivoli Access Manager attempts to verify that the user or group was created within a suffix that is already known (one obtained at startup from LDAP). If the user or group is successfully defined in a new suffix, Tivoli Access Manager will add this new suffix to its list of searchable suffixes, without having to restart the daemon.


However, there are some situations where Tivoli Access Manager incorrectly determines that the user or group was created in an existing suffix, when in fact it was created in a new suffix. For example, given the following set of existing suffixes:

c=no
dc=DnB,dc=no

If a new suffix is added:

dc=postbanken,dc=no

and the appropriate ACLs are added to allow a user to be created in the new suffix, Tivoli Access Manager might incorrectly determine that the suffix is already known, when it is actually a new suffix. In this situation, Access Manager will not be able to locate the newly created user or group. If this occurs, Tivoli Access Manager must be restarted so that it reacquires the set of available suffixes.
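One way to see how a cached suffix list can misclassify the new suffix, added here as an illustration that is not the product's code: the naive check below is a hypothetical string-based test that mistakes the tail of dc=postbanken,dc=no for the existing suffix c=no, while the component-aware check compares whole RDNs; the SuffixCache class and the user DNs are constructed for the example.

```python
def parse_dn(dn):
    """Split a DN into (attribute, value) RDN components, normalised to
    lower case. Escaped commas are not handled; the sample DNs have none."""
    comps = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        comps.append((attr.strip().lower(), value.strip().lower()))
    return comps


def naive_known_suffix(dn, suffixes):
    """Hypothetical flawed test: plain string suffix matching. The DN
    'cn=ola,dc=postbanken,dc=no' textually ends with 'c=no', so the new
    naming context is reported as the existing suffix c=no."""
    d = dn.replace(" ", "").lower()
    for s in suffixes:
        if d.endswith(s.replace(" ", "").lower()):
            return s
    return None


def known_suffix(dn, suffixes):
    """Component-aware test: a suffix holds the DN only when its RDNs equal
    the DN's trailing RDNs, attribute type and value alike."""
    comps = parse_dn(dn)
    for s in suffixes:
        sc = parse_dn(s)
        if len(sc) <= len(comps) and comps[-len(sc):] == sc:
            return s
    return None


class SuffixCache:
    """Suffix list read once at startup (as the note describes), refreshed
    only when a newly created entry lies outside every cached suffix."""

    def __init__(self, fetch_suffixes):
        self._fetch = fetch_suffixes          # stands in for the LDAP query
        self.suffixes = list(fetch_suffixes())

    def note_created(self, dn):
        """Return the suffix holding dn; re-query the server (the effect a
        restart has) when the entry is outside every known suffix."""
        s = known_suffix(dn, self.suffixes)
        if s is None:
            self.suffixes = list(self._fetch())
            s = known_suffix(dn, self.suffixes)
        return s


# Suffixes taken from the release note; the user DN is a constructed sample.
EXISTING_SUFFIXES = ["c=no", "dc=DnB,dc=no"]
NEW_SUFFIX = "dc=postbanken,dc=no"
NEW_USER_DN = "cn=ola,dc=postbanken,dc=no"

if __name__ == "__main__":
    print("naive :", naive_known_suffix(NEW_USER_DN, EXISTING_SUFFIXES))  # c=no (wrong)
    print("strict:", known_suffix(NEW_USER_DN, EXISTING_SUFFIXES))        # None (new suffix)
```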

Incorrect error message displayed for SvrSslCfg error (43701)

When an incorrect file specification is passed to the Java SvrSslCfg utility, the following error is produced:

HPDJA0809E Cannot create the specified configuration or keystore file.

This is an incorrect message. The correct message should be something similar to:

HPDJA... Cannot access the specified configuration or keystore file.

There is no workaround for this problem.

After configuring Tivoli Access Manager on SuSE Linux Enterprise Server 8, the policy server (pdmgrd) and the authorization server (pdacld) fail to start (36687, 37558)

After configuring Tivoli Access Manager on SuSE Linux Enterprise Server 8, the policy server and the ACL server might fail to start.

Workaround: Before configuring Tivoli Access Manager, grant access rights for the user ivmgr (or all users) to the LDAP SSL key file and to the folder that contains that key file.

Tivoli Access Manager for WebSphere Application Server migration tool might fail to migrate application (28418)

The Tivoli Access Manager for WebSphere Application Server migration utility migrateEAR requires the specification of the administrative user's distinguished name (DN) as a command line option. When the DN contains a space within any of the suffixes, the migrateEAR utility fails due to problems caused by UNIX shell command line parsing. For example, the organization portion (o=) of the following suffix will cause a failure: o=Sales Division,c=us.

The migrateEAR command assembles a Java command line invocation and then runs it. You can circumvent the problem of embedded spaces in the DN by entering the Java command directly and placing double quotation marks around the DN suffix. For example, assuming WebSphere Application Server was installed in the /opt/WebSphere/AppServer directory, the command shown in Figure 1 correctly specifies the suffix "o=Sales Division,c=us" for the DN.


The complete Java command line is described on the migrateEAR reference page in Appendix A of the IBM Tivoli Access Manager for e-business IBM WebSphere Application Server Integration Guide.
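The word-splitting failure described above, reproduced as an added example that is not part of the release notes or the migrateEAR utility: Python's shlex tokenizes the command line the way a POSIX shell does, showing that the unquoted DN reaches the JVM as two arguments while the quoted DN arrives intact. The argv-list builder, the stray-token check and the sample paths are assumptions for the example.

```python
import shlex

# Constructed command lines modelled on the note's example. Only the -d value
# matters here; the other options mirror Figure 1 of the release notes.
UNQUOTED_CMD = ('java com.tivoli.pdwas.migrate.Migrate -a sec_master '
                '-w wsadmin -d o=Sales Division,c=us')
QUOTED_CMD = ('java com.tivoli.pdwas.migrate.Migrate -a sec_master '
              '-w wsadmin -d "o=Sales Division,c=us"')

MIGRATE_OPTIONS = ("-j", "-a", "-p", "-w", "-d", "-c")


def option_value(argv, option):
    """Value a program would receive for 'option' from the given argv."""
    i = argv.index(option)
    return argv[i + 1]


def dn_as_received(command_line):
    """Tokenize like a POSIX shell (shlex) and return what -d receives."""
    return option_value(shlex.split(command_line), "-d")


def stray_tokens(command_line, known_options=MIGRATE_OPTIONS):
    """Tokens after the main class that are neither an option nor an option
    value; a non-empty list means the shell split something it should not."""
    argv = shlex.split(command_line)
    rest = argv[2:]                  # skip 'java' and the main class
    stray, i = [], 0
    while i < len(rest):
        if rest[i] in known_options and i + 1 < len(rest):
            i += 2                   # option plus its value
        else:
            stray.append(rest[i])
            i += 1
    return stray


def build_migrate_argv(java, ear, admin, password, was_user, dn, props):
    """Assemble argv as a list (hypothetical helper). Handing a list to
    subprocess.run() without shell=True passes each element to the JVM
    untouched, so a DN with embedded spaces needs no shell quoting at all."""
    return [java, "com.tivoli.pdwas.migrate.Migrate",
            "-j", ear, "-a", admin, "-p", password,
            "-w", was_user, "-d", dn, "-c", props]


def as_shell_line(argv):
    """Render argv for a shell script; shlex.quote adds exactly the quotes
    the note tells the administrator to add by hand."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    print("unquoted -d ->", dn_as_received(UNQUOTED_CMD))   # o=Sales
    print("quoted   -d ->", dn_as_received(QUOTED_CMD))     # o=Sales Division,c=us
```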

Migration tool error with WebSphere Application Server (21935)

The migration utility, migrateEAR, may throw the following error:

"Invalid group identification specified"

Applications that have been deployed to work with WebSphere Application Server can contain security information in deployment descriptors (enterprise archive files). This security information is migrated to the Tivoli Access Manager security model by the migrateEAR utility.

The user uses the WebSphere console to extract a deployed application from WebSphere with an LDAP user registry. The extracted enterprise archive file (EAR) can contain groups. These groups will have the full Distinguished Name (DN) instead of just the name. The migration utility is run against the EAR file, and the error is encountered.

The migration utility creates an XML file containing the security information. Manually edit this file to delete the portions of the “name” definition that refer to organization and country.

The name of the XML file is: ibm-application-bnd.xmi

For example, if  the group entry reads:

.....
<groups xml:id="Group_1" name="customer, o=ibm, c=gb" accessId="group:server1.uk.ibm.com:3899/cn=customer, o=ibm, c=gb"/>
.....

Modify the entry to read:

.....
<groups xml:id="Group_1" name="customer" accessId="group:server1.uk.ibm.com:3899/cn=customer, o=ibm, c=gb"/>

.....
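A script that applies the edit described above to every <groups> entry, added here as an example and not part of the migration utility: it drops the o= and c= components the note says to delete from the name attribute, leaves accessId untouched, and confirms the file still parses. The sample XMI text, its namespace declarations and the second group are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of ibm-application-bnd.xmi: the first <groups> entry is
# the one from the release note, the second is an already-correct entry.
SAMPLE_XMI = """<applicationbnd:ApplicationBinding xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:applicationbnd="applicationbnd.xmi" xmi:id="ApplicationBinding_1">
  <authorizationTable xmi:id="AuthorizationTable_1">
    <authorizations xmi:id="RoleAssignment_1">
      <groups xmi:id="Group_1" name="customer, o=ibm, c=gb" accessId="group:server1.uk.ibm.com:3899/cn=customer, o=ibm, c=gb"/>
      <groups xmi:id="Group_2" name="staff" accessId="group:server1.uk.ibm.com:3899/cn=staff, o=ibm, c=gb"/>
    </authorizations>
  </authorizationTable>
</applicationbnd:ApplicationBinding>
"""

# Matches only the name="..." attribute of a <groups> start tag.
GROUP_NAME = re.compile(r'(<groups\b[^>]*?\sname=")([^"]*)(")')


def short_group_name(name):
    """'customer, o=ibm, c=gb' -> 'customer': drop the organization (o=) and
    country (c=) components; any other components are kept in order."""
    parts = [p.strip() for p in name.split(",")]
    kept = [p for p in parts
            if p.partition("=")[0].strip().lower() not in ("o", "c")]
    return ", ".join(kept)


def fix_group_names(xmi_text):
    """Rewrite the name attribute of each <groups> element and nothing else,
    so accessId and the rest of the file stay byte-for-byte intact."""
    return GROUP_NAME.sub(
        lambda m: m.group(1) + short_group_name(m.group(2)) + m.group(3),
        xmi_text)


def group_names(xmi_text):
    """Parse the document and list the group names; raises if it is not
    well-formed, which is the post-edit check an administrator wants."""
    root = ET.fromstring(xmi_text)
    return [g.get("name") for g in root.iter("groups")]


def fix_file(path):
    """Apply the fix in place, keeping a .orig copy of the original file."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    fixed = fix_group_names(original)
    group_names(fixed)                      # refuse to write a broken file
    with open(path + ".orig", "w", encoding="utf-8") as f:
        f.write(original)
    with open(path, "w", encoding="utf-8") as f:
        f.write(fixed)
    return fixed


if __name__ == "__main__":
    print(group_names(SAMPLE_XMI))              # ['customer, o=ibm, c=gb', 'staff']
    print(group_names(fix_group_names(SAMPLE_XMI)))  # ['customer', 'staff']
```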

The migration tool fails when using a Tivoli Access Manager domain other than the default domain (43748)

The -b option is now required by the migrateEAR4 and migrateEAR5 utilities in order for AMWAS to migrate application security and role information in the AM Object Space correctly for the new AM domain.

/opt/WebSphere/AppServer/java/jre/bin/java \
-Dpdwas.lang=/opt/WebSphere/AppServer/lib:/opt/pdwas/nls/java \
-cp /opt/WebSphere/AppServer/lib/xerces.jar:/opt/pdwas/lib/migrate.jar:/opt/pdwas/nls/java \
com.tivoli.pdwas.migrate.Migrate -j /opt/WebSphere/AppServer/config/your_application.ear \
-a sec_master -p sec_master_password -w wsadmin -d "o=Sales Division,c=us" \
-c file:/opt/WebSphere/AppServer/java/jre/PDPerm.properties

Figure 1. Sample Java command line to duplicate migrateEAR processing


Workaround: Specify the -b option while using the migrateEAR utility to ensure that the WAS application security settings are migrated into the correct area of the AM Object Space.

Migration tool incorrectly reports successful migration of ACLs (44245)

When ACLs are attached to more than one location in the object space, the migration tool might fail because the ACL cannot be deleted. However, the migration tool still returns a successful completion message. To correct this problem, do not attach a migrated application ACL to another area in the object space.

Migration tool incorrectly reports successful migration of policy (44410)

The migration tool returns a “Migration completed successfully” message but some of the policy might not have been migrated. Check the pdwas_migrate.log file to ensure that all the policy was migrated for the application. An error in the log file indicates a possible failure in the migration. Check the last transaction that occurred and try to fix the migration failure. When the problem has been fixed, rerun the migration tool.

Warning messages displayed when using the pdbackup command on a UNIX-based platform (44285)

If you are using the pdbackup command on a UNIX-based platform, the following messages might be displayed:

sh[2]: ./var/PolicyDirector/log/msg__pdmgrd_utf8.log: 0403-006 Execute permission denied.
sh[3]: ./var/PolicyDirector/log/msg__pdmgrd_utf8.log: 0403-006 Execute permission denied.

These messages can be ignored. You can check that the backup command has completed successfully by looking at the last few lines of the msg__pdbackup.log file. If the archive made through the pdbackup command is extracted or restored, the file is restored properly.

jlog.properties file not created when using pdwascfg (44410)

When using the pdwascfg command with the -action_type local option to configure WebSphere Application Server, the jlog.properties file might not be created. To create the file manually, copy the jlog.properties.template file to jlog.properties in the etc directory where WebSphere Application Server is installed (also referred to as the PDWAS_HOME directory).

Startup of WebSphere Application Server fails on Linux on zSeries (44540)

After configuring Tivoli Access Manager for WebSphere Application Server for Linux on zSeries, onto a WebSphere Application Server 5.02 system, the next startup might fail with an error in the SystemOut.log similar to:

org.xml.sax.SAXParseException: Element type "properties" must be followed by
either attribute specifications, ">" or "/>".
at org.apache.xerces.parsers.AbstractSAXParser.parse(AbstractSAXParser.j

The error is caused by a missing closing angle bracket (>) in the /opt/WebSphere/AppServer/config/cells/hostname/security.xml file.


To correct the error, add the missing '>' to the first line of the following statement, which is shown here in its corrected form. (Note: The line was formatted into multiple lines to fit on the page.)

<properties xmi:id="Property_1067638223188" name="com.ibm.security.useFIPS" value="false"/>
<properties xmi:id="Property_222" name="com.ibm.websphere.security.authorizationTable" value="com.tivoli.pdwas.websphere.PDWASAuthzManager"/>
</security:Security>
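A check and repair for the malformed security.xml described above, added here as an example rather than anything shipped with the product: it reproduces the parse failure on a constructed fragment in which the first <properties> element's "/>" lacks its '>', inserts the bracket only where a start tag ends in "/" directly followed by "<", and verifies the result parses. The root element's namespace attributes and the .bak handling are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the release note: the first <properties>
# element ends in "/" with no ">" before the next "<properties".
BROKEN_SECURITY_XML = (
    '<security:Security xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"\n'
    '    xmlns:xmi="http://www.omg.org/XMI" xmi:id="Security_1">\n'
    '  <properties xmi:id="Property_1067638223188" name="com.ibm.security.useFIPS" value="false"/'
    '<properties xmi:id="Property_222" name="com.ibm.websphere.security.authorizationTable"'
    ' value="com.tivoli.pdwas.websphere.PDWASAuthzManager"/>\n'
    '</security:Security>\n'
)

# A start tag (name, then double-quoted attributes) that ends in "/"
# immediately followed by "<": the ">" of its "/>" is missing.
UNCLOSED_EMPTY_TAG = re.compile(
    r'(<[A-Za-z_:][\w:.-]*(?:\s+[\w:.-]+\s*=\s*"[^"]*")*\s*/)(?=<)')


def parse_error(xml_text):
    """Return the parser's message when xml_text is not well-formed, else None."""
    try:
        ET.fromstring(xml_text)
        return None
    except ET.ParseError as exc:
        return str(exc)


def repair_missing_close(xml_text):
    """Insert the missing '>' after every unclosed empty-element tag.
    Returns (repaired_text, number_of_insertions)."""
    return UNCLOSED_EMPTY_TAG.subn(lambda m: m.group(1) + ">", xml_text)


def property_names(xml_text):
    """Names of the <properties> children, as a sanity check after repair."""
    root = ET.fromstring(xml_text)
    return [p.get("name") for p in root.findall("properties")]


def repair_file(path):
    """Repair security.xml in place, keeping a .bak copy; returns the number
    of brackets inserted. Refuses to write when the result still fails to parse."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    if parse_error(original) is None:
        return 0                                  # nothing to fix
    repaired, count = repair_missing_close(original)
    still_broken = parse_error(repaired)
    if still_broken is not None:
        raise ValueError("could not repair %s: %s" % (path, still_broken))
    with open(path + ".bak", "w", encoding="utf-8") as f:
        f.write(original)
    with open(path, "w", encoding="utf-8") as f:
        f.write(repaired)
    return count


if __name__ == "__main__":
    print("before:", parse_error(BROKEN_SECURITY_XML))
    fixed, n = repair_missing_close(BROKEN_SECURITY_XML)
    print("inserted", n, "bracket(s); after:", parse_error(fixed))   # inserted 1 ...; after: None
```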

NoSuchMethodErrors might be generated when running Java applications compiled against previous versions of Tivoli Access Manager

Java applications that have been compiled against the Tivoli Access Manager Java runtime found in previous versions of the product and that call the following methods will encounter a Java NoSuchMethodError when run against the Tivoli Access Manager Version 5.1 Java runtime:

public static void createPop(PDContext context, String id, String description,
    com.tivoli.mts.PDAttrs attributes, PDMessages messages)

public static void createAcl(PDContext context, String id, String description,
    HashMap aclEntriesUser, HashMap aclEntriesGroup,
    PDAclEntryAnyOther aclEntryAnyOther, PDAclEntryUnAuth aclEntryUnAuth,
    com.tivoli.mts.PDAttrs attributes, PDMessages messages)

public static void createProtObject(PDContext context, String id, String description,
    boolean isPolicyAttachable, String aclId,
    com.tivoli.mts.PDAttrs attributes, PDMessages messages)

There is no workaround for this problem other than to recompile the application using the non-deprecated counterparts to the missing methods. The non-deprecated counterparts replace the arguments of datatype com.tivoli.mts.PDAttrs with arguments of datatype com.tivoli.pd.jutil.PDAttrs. Otherwise, Java applications that call the missing methods must have a patch applied in order to interoperate with the Tivoli Access Manager Version 5.1 Java runtime. Contact IBM Customer Support for Tivoli products to obtain this patch.


Chapter 4. Internationalization notes

This chapter provides information related to installing and using versions of IBM Tivoli Access Manager (Tivoli Access Manager) in a language other than English.

Known problems and workarounds

The following problems and limitations are known to exist in versions of Tivoli Access Manager other than the English language version. Workarounds are provided if available. Some entries include an internal tracking number. Report any other problems to IBM Customer Support for Tivoli products.

Known problems related to all versions of Tivoli Access Manager can be found in Chapter 3, “Known problems and workarounds,” on page 21.

Configuration change needed on some internationalized versions of Red Hat Linux 7.1

You must change a configuration file if you plan to install Tivoli Access Manager on a Red Hat Linux 7.1 system running in one of the following locales:

• Japanese (eucjp) (ja_JP.eucjp)

• Traditional Chinese (zh_TW)

Edit the /etc/ld.so.conf file and add the following line:

/usr/lib/gconv

This change corrects a problem caused by the implementation of the iconv character set conversion interface.

Group name might be truncated on DBCS systems using Active Directory (44415, 44312)

When using the pdadmin group list and user show-groups commands, the name of the group displayed might be truncated on DBCS systems when using Active Directory as the user registry.

Japanese locale and language setting supported on Linux systems

The only supported locale and language setting for Japanese on Red Hat Linux systems is ja_JP.eucjp. For example:

LANG=ja_JP.eucjp

LC_ALL=ja_JP.eucjp

Note: Notice the case used in the locale name of ja_JP.eucjp. Using a locale name with different case, such as ja_JP.eucJP, does not work.

Japanese SJIS is not supported.


Considerations when using certain locales on Linux systems

This section describes setting up Tivoli Access Manager on Red Hat Linux systems using international locales. The information is appropriate for Japanese EUC and Traditional Chinese (BIG5). Japanese SJIS is not supported.

1. Install Red Hat Linux with Japanese and Traditional Chinese support and with the X Window System. Configure X, and then launch X.

2. Install the Tivoli Access Manager runtime component, PDRTE.

3. Install the appropriate language pack:

# ./pd_lp

4. Configure the Tivoli Access Manager runtime to a policy server that supports the required locale.

For Japanese EUC:

1. Run the following commands:

# export LC_ALL=ja_JP.eucjp
# export LANG=ja_JP.eucjp
# rxvt -km eucj &

2. In the rxvt terminal, run the pdconfig command and ensure that the configuration menu appears in Japanese.

For Traditional Chinese:

An additional package that contains the necessary fonts is required. These fonts are not included with Red Hat Linux.

1. Run the following commands:

# rpm -i cxterm-5.1p1-2.i386.rpm
# export LANG=zh_TW
# export LC_ALL=zh_TW
# cxterm -big5

2. In cxterm, run the pdconfig command and ensure that the configuration menu appears in Chinese.

The cxterm package can be downloaded from:

http://www.rpmfind.net/linux/RPM/contrib/libc6/i386/cxterm-5.1p1-2.i386.html

Some text appears incorrectly in installation wizard (28420, 28422)

Some text in the installation wizard panels appears incorrectly. The following specific problems have been identified:

• The text on the panel asking for the Policy Server SSL port is not translated properly in the Spanish language version.

• The word directory is not translated in the summary panel in the Simplified Chinese language version.

Resizing installation wizard panels could result in truncated text (28453)

Maximizing an installation wizard panel and then restoring it to its original size might result in the text on the panels being truncated. To correct the problem, resize the window until the text is not truncated. This problem occurs on systems using English and on languages other than English.


LANG variable used with Windows overrides locale setting in Control Panel

On Windows systems, if the LANG variable is set, it will override the locale setting in the Control Panel Globalization settings.

Command output displayed using wrong code page on Windows systems (26899)

On Microsoft Windows systems, output from system commands, such as svrsslcfg, bassslcfg, mgrsslcfg, and pdjrtecfg, might be displayed using the wrong code page. This problem has been reported only with single-byte languages.

To have the output displayed in the proper code page, do the following:

1. Open a Command Prompt window.

2. Enter the following command:

chcp 1252

3. From the window menu, click Properties and click on the Font tab.

4. Select Lucida Console, or any TrueType font, and click OK. Apply this change to all windows or just the current window, as desired.

Commands entered in this window should now be displayed with the proper code page.

Avoid non-ASCII characters in server names (26985)

Do not use non-ASCII characters in server names. Tivoli Access Manager stores character data as strings of Unicode characters. This data is converted from Unicode to UTF-8 (Universal Character Set Transformation Format-8) before it is sent to the policy server. For version 5.1, conversion works for most azn-api applications. For WebSEAL, only allowable characters can be used in the server name.

Reconfiguration of Web Portal Manager requires reinstallation of language packages (IY32306)

If you unconfigure the Web Portal Manager component and subsequently configure it again, you must reinstall your language packages to view text in your native language.

Fonts necessary to display characters correctly in Java (IY31894)

Fonts are included in the language support packages provided by an operating system. However, in some cases, you might need to install additional fonts to display characters correctly in Java. For example, when installing a platform-specific JRE for the Japanese locale, the X11.fnt.ucs.ttf font is required. The list of required fonts varies depending on your operating system, the JRE level, and your specific locale.

Policy server fails to start on AIX boot (12584)

On systems using a language other than English, the Tivoli Access Manager policy server, pdmgrd, might fail to start automatically during reboot. If the policy server does not start automatically, start it manually using the pd_start utility:

pd_start start


Double-byte recorded response files for installation wizard contain corrupted text (37601, 39896, 43907)

When you attempt to record options files for the installation wizard on double-byte operating systems using -options-record or -options-template, the recorded response file contains corrupted text. There is no workaround for this problem.

Recorded option files in multi-byte languages display corrupted text in the explanatory field (39896)

When you record an option file using -options-record or -options-template in any double-byte language operating system, the explanatory text appears corrupted. There is no workaround for this issue.

Installation wizard for the Plug-in for Web Servers fails on a German Windows system (44565)

The installation of the Plug-in for Web Servers fails on a German-language Windows system.

Workaround: Specify the following paths as the target installation directory:

c:\program files\tivoli\pdwebrte
c:\program files\tivoli\pdwebpi

Apostrophes are not displayed correctly when using the installation wizard in French (44080)

When using the installation wizard in French, all apostrophes are displayed as squares.

Garbled text in installation wizard when installing BEA WebLogic Server (44219, 44398)

During the installation of the BEA WebLogic Server, if you run the installation wizard in a language other than English, garbled text might be displayed on the Welcome screen. The problem occurs if you are using the JDKs or JRE that are included with BEA WebLogic Server. The problem does not affect the actual software installation. However, if you want to fix this problem, install the IBM JDK or JRE 1.3.1 and use it to run install_amwls.

After configuring Tivoli Access Manager on SuSE Linux Enterprise Server 8, the policy server (pdmgrd) and the ACL server (pdacld) fail to start (36687, 37558)

After configuring Tivoli Access Manager on SuSE Linux Enterprise Server 8, the policy server and the ACL server might fail to start.

Workaround: Before configuring Tivoli Access Manager, grant access rights for the user ivmgr (or all users) to the SSL key file and to the folder that contains that key file.


Chapter 5. Known documentation updates

The following sections describe corrections to books in the IBM Tivoli Access Manager for e-business library.

IBM Tivoli Access Manager Upgrade Guide

The IBM Tivoli Access Manager Upgrade Guide is a white paper and is located in the White Paper section of the Tivoli software library: http://www.ibm.com/software/tivoli/library/.

IBM Tivoli Access Manager Base Administration Guide

(44534) In “Chapter 18. XML output for logging and auditing logs” the information for <source> ... </source> in Table 8 on page 187 is incorrect. The information should read as follows.

Output Field Name       Description

<source>...</source>    The source event can be one of the following:

                        cred      Applies to any Tivoli Access Manager component.

                        app       Applies only to an authorization (azn) component.

                        ruleADI   Applies only to the authorization (azn) component when evaluating a Boolean rule. The rule ADI value describes Boolean rule access decision information that may have been retrieved from the credential, application, authorization, or through an attribute retrieval service.

                        Note: In product audit logs, if the dynADI value is listed, it should be interpreted as ruleADI instead.

IBM Tivoli Access Manager for e-business Authorization C API Developer Reference

In “Chapter 1. Authorization API overview” on page 7, the section about test compilers should read as follows:

IBM has tested the use of the IBM Tivoli Access Manager Application Developer Kit (ADK) component with the compilers listed in the table below. Previous versions of the compilers are not supported. Compilers on other supported platforms, such as IBM AIX 5.1 or HP-UX 11i, have not been tested.

Operating system platform tested                        Tested compiler

IBM AIX 4.3.3                                           IBM Visual Age C/C++ 5.0.2

Sun Solaris Operating Environment 5.7                   Forte 6.1 with patches 109505-11, 109508-09, 109510-06, 109513-11

Hewlett-Packard HP-UX 11.0–11.01.07                     AnsiC/3.30 aC++

Red Hat Enterprise Linux for xSeries®                   GNU GCC 3.2.2

SuSE Linux Enterprise Server 8 for xSeries              GNU GCC 3.2.2

SuSE Linux Enterprise Server 8 for S/390® and zSeries   GNU GCC 3.2

SuSE Linux Enterprise Server 8 for pSeries®             GNU GCC 3.2-32

Microsoft Windows 2000 Advanced Server                  Microsoft Visual C/C++ 6.0.5

IBM Tivoli Access Manager for e-business Administration C API Developer Reference

In “Chapter 1. Introducing the administration API overview” on page 4, the section about test compilers should read as follows:

IBM has tested the use of the IBM Tivoli Access Manager Application Developer Kit (ADK) component with the compilers listed in the table below. Previous versions of the compilers are not supported. Compilers on other supported platforms, such as IBM AIX 5.1 or HP-UX 11i, have not been tested.

Operating system platform tested                        Tested compiler

IBM AIX 4.3.3                                           IBM Visual Age C/C++ 5.0.2

Sun Solaris Operating Environment 5.7                   Forte 6.1 with patches 109505-11, 109508-09, 109510-06, 109513-11

Hewlett-Packard HP-UX 11.0–11.01.07                     AnsiC/3.30 aC++

Red Hat Enterprise Linux for xSeries                    GNU GCC 3.2.2

SuSE Linux Enterprise Server 8 for xSeries              GNU GCC 3.2.2

SuSE Linux Enterprise Server 8 for S/390 and zSeries    GNU GCC 3.2

SuSE Linux Enterprise Server 8 for pSeries              GNU GCC 3.2-32

Microsoft Windows 2000 Advanced Server                  Microsoft Visual C/C++ 6.0.5


Appendix A. Tips for building Tivoli Access Manager applications on Linux

The following information applies to building IBM Tivoli Access Manager (Tivoli Access Manager) applications using either Red Hat Linux on Intel™ platforms, or SuSE Linux Enterprise Server on zSeries.

• Always link with -lpthread.

Use this option even when your application is not threaded, because the Tivoli Access Manager libraries are threaded. The Linux shared library libpthread.so overrides some of the symbols normally provided by libc, such as fork(). Failure to explicitly link -lpthread at the upper level, when any of the components contains threaded libraries, can cause unpredictable behavior, including crashes.

• Use of threads in your application.

When your application uses threads heavily, you might encounter problems with memory usage. The default stack size per thread on current Linux distributions is 2 MB. This stack size limits the number of threads per process. For example, on a system with 256 MB of RAM, the number of threads must be less than 128.

To avoid this problem, do one of the following:

– If source code is available, reduce the default stack size when calling pthread_create().

– If source code is not available, or if the problem affects Tivoli Access Manager processes, either install more memory on the target system, or recompile the system pthreads library with a reduced default stack size.


Appendix B. Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


Universal Database
WebSphere
z/OS
zSeries

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel is a trademark of Intel Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.
