IBM® Tivoli® Compliance Insight Manager, Fix Pack 6.0.0-TIV-TCIM-FP004 README

©Copyright International Business Machines Corporation 2008. All rights reserved. U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

NOTE: Before using this information and the product it supports, read the general information under Notices in this document.

Date: 2008 August 29


About the Fix Pack

This Fix Pack corrects problems in Consul Insight Security Manager, Version 6.0.0. It requires that Consul Insight Security Manager, Version 6.0.0, is installed. After installing this Fix Pack, your Consul Insight Security Manager installation will be at level 6.0.0.4.

If upgrading to version 7.0, make sure this Fix Pack is installed on the system.


Patch contents and distribution

This Fix Pack package contains:

This Fix Pack is distributed as an electronic download from the IBM Support Web Site.


Architectures

This Fix Pack package supports the same operating system releases as the Consul InSight Security Manager release. These are listed in Chapter 2 ("System Requirements") of the Consul InSight Security Manager 6.0 Installation Guide.


Fix Packs superseded by this Fix Pack

This Fix Pack supersedes the Windows and z/OS parts of fix packs 6.0.0-TIV-TCIM-FP001, 6.0.0-TIV-TCIM-FP002 and 6.0.0-TIV-TCIM-FP003. The last UNIX actuators fix pack is 6.0.0-TIV-TCIM-FP002.


Fix Pack structure

Consul Insight Security Manager supports multiple platforms. For each platform that requires updates, a separate package is installed. The package contains the updates for all components installed on that platform.


APARs and defects fixed

The following problems are corrected by this fix pack. For more information about the APARs listed here, refer to the Consul Insight Security Manager Support site.

Problems fixed by Fix Pack 6.0.0-TIV-TCIM-FP004

APAR IZ03732
SYMPTOM: Mapping for the AIX event source is not correct.

Internal defect UE070B002
SYMPTOM: zSecure 1.8.1 and newer versions are not supported.

APAR IZ23817
SYMPTOM: Valid accesses are not visible in iView for the STRATUS ES.

Problems fixed by Fix Pack 6.0.0-TIV-TCIM-FP003

APAR IZ10038
SYMPTOM: Management Console hangs with invalid argument code after adding 3 or more event sources.

Internal defect PE06210
SYMPTOM: It's not possible to create a PDF report after applying a Fix Pack.

Problems fixed by Fix Pack 6.0.0-TIV-TCIM-FP002

Internal defect PE05560
SYMPTOM: After upgrade to version 7.0, "Audited Machine" column doesn't contain the correct value.

APAR IZ05031
SYMPTOM: The object deletion in the HP OpenVMS event source is always reported as "failure".

APAR IZ05070
SYMPTOM: SYSDBA events are not processed in Oracle Event Source.

Problems fixed by Fix Pack 6.0.0-TIV-TCIM-FP001

Internal defect PE03630
SYMPTOM: When exporting (archiving) old data chunks, the default committed policy (of Jan 1, 2000) is exported and removed for the system.

Internal defect PE03680
SYMPTOM: AIX merge does not display information correctly if there are commas in the "gecos" field.

Internal defect PE03770
SYMPTOM: Email Excerpts not working after upgrade to InSight 6.0.

Internal defect PE03830
SYMPTOM: Linux Syslog is not supported correctly in some platforms.

Internal defect PE03840
SYMPTOM: It is not possible to collect logs correctly when collecting multiple SAP instances on a single non-Windows machine to one Insight Server.

Internal defect PE03880
SYMPTOM: File level auditing and Obj_Read, Obj_Write & Obj_Execute events are not supported by the AIX actuator.

Internal defect PE03890
SYMPTOM: Some issues with the Raptor event source may occur:
  1. When loading log files from different Raptor instances into 1 GEM database, InSight runs into an out-of-memory situation.
  2. The "where" field doesn't contain the system name from the Raptor instance.

Internal defect PE03910
SYMPTOM: Logs are not collected properly when collecting multiple SAP instances via a single Windows Point of Presence.

Internal defect PE03930
SYMPTOM: Logon Failures for OS390 platform (RACF) are not mapped correctly.

Internal defect PE04000
SYMPTOM: The remote actuator install activated by the Management Console Add Machine Wizard breaks off when the remote install cannot ping the Insight server machine.

Internal defect PE04020
SYMPTOM: The bbbin.exe (bluebook) crashes as soon as the Insight server is started when real time actuators and/or a real time mapper are present.

Internal defect PE04030
SYMPTOM: Timestamps are parsed incorrectly for "RealTime Linux" event source.

Internal defect PE04040
SYMPTOM: OS/390 data sometimes is displayed with an offset of one hour in iView compared to the original SMF records.

Internal defect PE04050
SYMPTOM: For the Windows Event Source the WhereFrom sometimes does not contain a correct value.

Internal defect PE04080
SYMPTOM: iView uses an undesired sort column. When selection is on date column, it actually sorts on event count.

Internal defect PE04120
SYMPTOM: Some event types are not mapped for the HP-UX event source.

Internal defect PE04130
SYMPTOM: iView is not able to cooperate with the Netegrity Siteminder SSO solution.

Internal defect PE04150
SYMPTOM: In the SSH Event Source, when the log file contains the event type "Authentication Failure", the WhereFrom field has an invalid value. It shows the value from the Where field instead.

Internal defect PE04160
SYMPTOM: Some alerts that occur during listener close down are not sent; they are flushed instead.

Internal defect PE04220
SYMPTOM: Sybase 12.5.0-12.5.3 is not supported.

Internal defect PE04240
SYMPTOM: Non-unique combos in consolidation are not solved, causing a constraint error.

Internal defect PE04260
SYMPTOM: DB2 UDB event source doesn't support Sun Solaris.

Internal defect PE04360
SYMPTOM: When installing the agent, the InSight server checks if the machine defined from the Management Console corresponds to the machine the agent is installed on. When there are DNS problems (like double entries on the DNS server) or multiple IP addresses the IP check will fail and logs will not be accepted.

Internal defect PE04430
SYMPTOM: Some issues with the Active Directory event source may occur:
  1. The grouping does not work for certain event types where there is a mismatch between the WHO and originator
  2. The machines (platform names) are not grouped into the correct domain name
  3. Certain standard groups such as "Users" and "Domain Users" are not populated (they will remain empty)
  4. The UIS information for some user IDs is not collected (Anonymous logon user ID with SID S-1-5-7, Local System account with SID S-1-5-18)

Internal defect PE04470
SYMPTOM: MSSQL version 2005 is not supported.

Internal defect PE04540
SYMPTOM: Oracle can store its audit records either in the (audit) files, or in the database. When database audit trail is used, InSight doesn't support collection of Oracle Audit events from the database's system audit tables.

Internal defect PE04580
SYMPTOM: Some issues with the z/OS actuator may occur:
  1. Several processes start and then the agentproper process dies
  2. The message in the SYSLOG states that a return code occurred in C2RCARLA, but the SYSPRINT is empty
  3. The SYSTERM should (also) be written to STDERR
  4. One attention rule description exceeds 128 characters
  5. Reading "Write Sensitive Data" should be allowed (unless also part of group "Read Sensitive Data")
  6. When 2 UISs both use the active database and have different complex values specified, the collect fails

Internal defect PE04600
SYMPTOM: When log files are archived (gzip) and the archive exceeds 2Gb, the mapping reports success after the archive is collected, but in practice not all content of the chunk is mapped: the last block is left out.

Internal defect PE04640
SYMPTOM: When a chunk reaches a specific size, it should be closed and renamed, and new log files should be entered in a new chunk. This process is called rotation. Because the chunk was locked by another process, this rotation doesn't take place.

Internal defect PE04650
SYMPTOM: The Oracle mapper fills the Who field with data from the db namespace mixed, in a nondeterministic way, with data from the OS namespace.

Internal defect PE04700
SYMPTOM: MS Exchange server 2000/2003 versions are not supported.

Internal defect PE04760
SYMPTOM: Some issues with the Active Directory User Information Source (UIS) may occur:
  1. When creating a UIS using the Domain Controller as POP the UIS for Active Directory does not list any users, while the Windows UIS lists them all
  2. When the data is loaded the Originator is shown instead of the User Id in the Management Console

Internal defect PE04770
SYMPTOM: The original Event Source for Oracle does not support events for Oracle Fine Grained audit.

Internal defect PE04820
SYMPTOM: Some issues may occur with the Oracle actuator on UNIX systems:
  1. Collection directory becomes full during collection
  2. The output file produced by Oracle log collector exceeds the soft file size limit
  3. Oracle log collector hangs scanning for a non-existing instance name
  4. Oracle log collector hangs when it encounters incomplete Oracle audit trail files or records
  5. Sort command runs out of space and results in collect failure

Internal defect PE04870
SYMPTOM: The shutdown.bat (seaman.exe) is not able to shut down the Insight server service.

Internal defect PE04910
SYMPTOM: The aggregation terminates with an "out of memory" error for Windows GEM databases (daily and weekly).

Internal defect PE04920
SYMPTOM: In some cases log files are locked when there is an attempt to move them, which might prevent chunks from being moved to the depot. The previous method used for calling subprocesses passed the file handles to the subprocesses. The improvement is to use a different method in which the call to a subprocess has an explicit parameter to not pass the handles to the child.

Internal defect PE05100
SYMPTOM: Because of the Energy Policy Act of 2005, the dates on which Daylight Saving Time (DST) starts and ends are not correctly implemented in the version of Java that is shipped with Consul Insight Security Manager.

Internal defect PE05110
SYMPTOM: Novell Audit 2.0, which is the new name for Novell NSure Audit, is not supported.

Internal defect PE05160
SYMPTOM: The GEM database reports a java.lang.NullPointerException error while calculating the starting index.

Internal defect PE05170
SYMPTOM: When group names containing single quotes exist, the consolidation fails. The log file then shows "ORA-00933: SQL command not properly ended".

Internal defect PE05280
SYMPTOM: Queries in the SCOPING package for the Firewall1 GEM database cause the TEMP table space to grow to 16GB.

Internal defect PE05290
SYMPTOM: After upgrading the Tru64 machine, the collected chunks cannot be mapped for the Tru64 event source. There are no errors reported during mapping, however the mapping results in 0 events, although there is data in the chunks.

Internal defect PE05340
SYMPTOM: Improved coverage for selected Windows events (SIDs).

Internal defect PE05420
SYMPTOM: For the Oracle Event Source (ES) the event order is incorrect. This may result in 'unavailable' data fields for logoff events, when the logon and logoff occur in the same second.
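
The handle-inheritance behaviour behind internal defect PE04920 above, shown as an added example that is not IBM's code (this README does not name the product's subprocess API). It assumes Python's subprocess module on a POSIX system as a stand-in: a child started with close_fds=False inherits an open descriptor to a chunk file, while the explicit close_fds=True parameter withholds it. The file name chunk.log and all helper names are hypothetical.

```python
import os
import subprocess
import sys
import tempfile

# Child program (constructed for this example): reports whether descriptor
# argv[1] is open in the child AND refers to the same file (device, inode)
# as the parent's chunk file, so an unrelated descriptor cannot be mistaken.
CHILD_PROBE = (
    "import os, sys\n"
    "fd, dev, ino = (int(a) for a in sys.argv[1:4])\n"
    "try:\n"
    "    st = os.fstat(fd)\n"
    "    same = (st.st_dev, st.st_ino) == (dev, ino)\n"
    "except OSError:\n"
    "    same = False\n"
    "print('inherited' if same else 'closed')\n"
)


def child_sees_handle(fd: int, close_fds: bool) -> bool:
    """Spawn a child and return True if it inherited the parent's open file."""
    st = os.fstat(fd)
    result = subprocess.run(
        [sys.executable, "-c", CHILD_PROBE,
         str(fd), str(st.st_dev), str(st.st_ino)],
        close_fds=close_fds,  # the explicit "do not pass handles" parameter
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip() == "inherited"


def demo() -> dict:
    """Compare the leaky call with the fixed call for one open chunk file."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "chunk.log")  # hypothetical chunk file
        fd = os.open(path, os.O_CREAT | os.O_WRONLY, 0o600)
        try:
            # Python creates descriptors non-inheritable by default; mark this
            # one inheritable to reproduce the legacy "handles are passed on"
            # behaviour that the defect describes.
            os.set_inheritable(fd, True)
            return {
                "legacy_call": child_sees_handle(fd, close_fds=False),
                "fixed_call": child_sees_handle(fd, close_fds=True),
            }
        finally:
            os.close(fd)


if __name__ == "__main__":
    print(demo())
```

A long-running child that holds such an inherited handle keeps the file open after the parent closes it, which on Windows is what blocks a later move or rename of the file.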

Before installing the Fix Pack

Please be aware of the following considerations before installing this Fix Pack:

Prerequisites

This Fix Pack requires that you have Consul Insight Security Manager 6.0.0 and its prerequisites installed.

Fix Pack package

The Fix Pack package is provided as an executable file for the Microsoft Windows platform and as an archive file for each supported non-Windows platform.

Installing the Fix Pack

Installing the Fix Pack on Microsoft Windows

Execute the Fix Pack 6.0.0-TIV-TCIM-Win32-FP004.exe. The Fix Pack will detect any Consul Insight Security Manager components installed in the system, and will install the updates for the detected components.

NOTES

Installing the Fix Pack on z/OS

To apply the Fix Pack for Tivoli Compliance Insight Manager Actuator for z/OS, follow these steps:

  1. The actuator comes packaged in a UNIX-style package, so the actuator file needs to be extracted using tar and gzip before transferring it to the z/OS system.
  2. For instructions to install the Actuator for z/OS, see the IBM Tivoli zSecure Suite: CARLa Driven Components Installation and Configuration Manual, version 1.8.1, SC23-6556-00.


Documentation updates

None


Software limitations

Installing a component after installing the Fix Pack

If you install a Consul Insight Security Manager component to the system, such as the consolidation component, after the Fix Pack has been applied, you must reinstall the Fix Pack on that system, so that all components are at the same level.


Known problems and workarounds

To enable the PDF functionality, the iView 1.0.1 library needs to be present in the iView application. To do that:

  1. Download the iText library Jar file, version 1.0.1. That file is usually named "itext-1.01.jar".
  2. Rename the downloaded file to "iText.jar".
  3. Copy the renamed file to the iView "Srv" folder. That folder is located at "C:\consul\iView\Srv" by default.
  4. Restart the iView service (its full name is "InSight iView 6.0 for IIS (Full)").


Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information that has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.


Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

AIX
IBM
IBM logo
iSeries
pSeries
OS/390
Tivoli
Tivoli logo
xSeries
zSeries
z/OS

Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.