©Copyright International Business Machines Corporation 2007. All rights reserved. U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
NOTE: Before using this information and the product it supports, read the general information under Notices in this document.
This fix pack corrects problems in IBM Tivoli Federated Identity Manager, Version 6.1.0, by upgrading its installed components to Tivoli Federated Identity Manager 6.1.1.1. It requires that IBM Tivoli Federated Identity Manager, Version 6.1.0, be installed. After installing this fix pack, your installation will be at level 6.1.1.1.
This fix pack package contains:
This fix pack is distributed as an electronic download from the IBM Support Web Site.
This fix pack package supports the same operating system releases as the Tivoli Federated Identity Manager 6.1.0 release that are listed in the Release Notes.
None.
Tivoli Federated Identity Manager consists of three components that can be installed separately:
All components must be at the same level. Therefore, if you install a fix pack for one of the components, you must install that fix pack for the rest of the components. Components at one release level are not guaranteed to interoperate with components at a different release or fix pack level.
Changes made by this fix pack
This fix pack upgrades your Tivoli Federated Identity Manager, version 6.1.0, to Tivoli Federated Identity Manager, version 6.1.1 with fix pack 1 (6.1.1.1).
For details about what's new in version 6.1.1, see the What's new description.
The Tivoli Federated Identity Manager 6.1.1 console component requires WebSphere Application Server 6.1. For this reason, the fix pack will automatically install the embedded version of WebSphere Application Server 6.1. However, the old console will not be removed or deactivated.
The embedded version will be installed with administrative security enabled and the administrator user information will be stored in a local WebSphere user registry.
The administrator user name will be fimadmin and, by default, the password will be ewasadmin.
For information about working with the new console, refer to the online help and the Tivoli Federated Identity Manager 6.1.1 information center.
The following problems in Tivoli Federated Identity Manager version 6.1.0 and 6.1.1 are corrected by this fix pack. For more information about the APARs listed here, refer to the Tivoli Federated Identity Manager support site.
Note: Some APARs listed here have two numbers. The first number is the APAR assigned to version 6.1.0. The second number is the APAR assigned to version 6.1.1.
Be aware of the following considerations before installing this fix pack:
The installation of this fix pack requires the use of the Tivoli Federated Identity Manager Update Installer. You must install the Update Installer before you can install the fix pack.
The zip file contains:
For HP-UX, Linux®, Solaris®, and
AIX®, turn on the installer's execute bit by executing
chmod a+x *.bin.
For graphical installation mode, type the appropriate installation command for your operating system:
./install_linux_ppc.bin./install_linux_x86.bin./install_linux_s390.bin./install_aix_ppc.bin./install_sol_sparc.bin./install_hpux_ia64.bininstall_win32.exeFor text-only installation mode, type the appropriate installation command for your operating system:
./install_linux_ppc.bin -console./install_linux_x86.bin -console./install_linux_s390.bin -console./install_aix_ppc.bin -console./install_sol_sparc.bin -console./install_hpux_ia64.bin -consoleinstall_win32.exe -consoleFor silent installation mode:
Change the following variables, as needed:
-P installLocation="/opt/IBM/FIMUI"
The location where you want the Update Installer to be installed.
-W FIMLocation.TFIMLocationPath="$D(install)/IBM/FIM"
The location of Tivoli Federated Identity Manager.
$D(install) is the default installation path (such
as C:\Program Files for Windows®; /opt
for HP-UX, Linux®, Solaris®, and AIX®).
To specify a different path, replace $D(install)/IBM/FIM
with the correct absolute path.
./install_linux_ppc.bin -silent -options
response.rsp./install_linux_x86.bin -silent -options
response.rsp./install_linux_s390.bin -silent -options
response.rsp./install_aix_ppc.bin -silent -options response.rsp./install_sol_sparc.bin -silent -options
response.rsp./install_hpux_ia64.bin -silent -options
response.rsp./install_win32.exe -silent -options response.rspThe progress of the installation is shown.
Note: If you use the text-only installation mode, several exceptions might be displayed, such as:
exception: java.lang.SecurityException:
java.lang.Exception - protected system package 'java.lang'
However, these messages are for informational purposes only and do not adversely affect the installation of the Update Installer.
On each computer where you have a Tivoli Federated Identity Manager component installed, repeat these steps. Then, continue with the instructions in Installing the fix pack.
NOTE: Although it will not affect the installation of this fixpack, there is a defect in the TFIM Update Installer that could prevent installing any future fix packs for TFIM or TDI. Go to the TFIM Support page and search for a Technote entitled "TFIM Update Installer may fail for future fix packs" to see the corrective actions.
NOTE: Before installing this fix pack, be sure that you have reviewed the prerequisites in Before installing the fix pack.
After you have downloaded the fix pack and installed the Update Installer, you need to perform a few steps before you can run the installation program.
Unzipping the fix pack file
If you are using AIX, HP-UX, Linux, or Solaris, the
execute permission flag is turned off on all the scripts (all .sh
files). Before invoking any of these scripts make sure you turn on the
execute permisison for all the scripts by executing chmod +x *.sh
in the /script directory.
If you are using Windows, TFIM 6.1.0 stored the runtime's Websphere path incorrectly. Before applying the fixpack this path needs to be manually corrected to point to the proper location of WAS.
<FIM INSTALL DIR>\pkg\software.properties.C:\Program Files\IBM\FIM\pkg\software.properties.com.tivoli.am.fim.was.home=C\:Program
FilesIBMWebSphereAppServer.com.tivoli.am.fim.was.home=C\:\\Program
Files\\IBM\\WebSphere\\AppServer.Note that the colon is also escaped. After fixing that line you can proceed with the fixpack installation
variables file
Before installing the fix pack, you must:
variables
file.The fix pack variables file contains the
following passwords:
TFIMRuntimeWASSecurityEnabled=TFIMRuntimeWASAdmin=TFIMRuntimeWASPassword=TFIMRuntimeWASTrustStorePath=TFIMRuntimeTrustedJksPassword=TFIMRuntimeJksPassword=TFIMConsoleWASPassword=ewasadminewasadmin.
To change this default value, uncomment this variable by removing the #
symbol and change ewasadmin to a new password. Note that the userid for
the new console is always fimadmin.To provide the appropriate passwords:
variables in the fix
pack /script directory. ewasadmin to a new password. Take
care not to add trailing blanks to the password field, otherwise they
will be included as part of the password. ATTENTION: If you added passwords to the variables
file, as described here, the passwords are in plain text in this file.
Be sure to remove the passwords from this file to prevent a security
breach.
When installing the fix pack on a system where the console component is installed, ensure that the assigned ports for the installation of the embedded version of WebSphere Application Server will not conflict with the ports of any other running program on the system.
The following ports are defined in the variables
file:
WC_defaulthost=9085
WC_adminhost=9065
WC_defaulthost_secure=9448
WC_adminhost_secure=9048
BOOTSTRAP_ADDRESS=2814
SOAP_CONNECTOR_ADDRESS=8885
SAS_SSL_SERVERAUTH_LISTENER_ADDRESS=9406
CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS=9408
CSIV2_SSL_MUTUALAUTH_LISTENER_ADDRESS=9407
ORB_LISTENER_ADDRESS=9105
DCS_UNICAST_ADDRESS=9358
SIB_ENDPOINT_ADDRESS=7281
SIB_ENDPOINT_SECURE_ADDRESS=7291
SIB_MQ_ENDPOINT_ADDRESS=5563
SIB_MQ_ENDPOINT_SECURE_ADDRESS=5583
SIP_DEFAULTHOST=5065
SIP_DEFAULTHOST_SECURE=5066
To change these port settings:
variables file in the fix pack /script
directory.
Running the Update Installer
acsisrv is running, as
follows:
ps -ef|grep acsisrv/usr/ibm/common/acsi/bin/acsisrv.sh
-start. Then ensure the service is running./script subdirectory of the
directory where you unzipped the fix pack zip file.install.bat on Windows systems./install.sh for AIX, Solaris, Linux, or
HP-UX ATTENTION: If you added passwords to the variables
file, as described in Preparing the variables
file, the passwords are in plain text in this file. Be sure to
remove the passwords from this file to prevent a security breach.
The Tivoli Federated Identity Manager 6.1.1 console component requires WebSphere Application Server 6.1. For this reason, the fix pack will automatically install the embedded version of WebSphere Application Server 6.1. However, the old console will not be removed or deactivated.
ATTENTION:
To deactivate the console, run the following command:
<ISC_install_dir>/PortalServer/bin/stopISC.sh
ISC_Portal <username> <password><ISC install dir>\PortalServer\bin\stopISC.bat
ISC_Portal <username> <password><ISC_install_dir> is the directory where the
6.1.0 console was installed.<username> is the administrator user name for
the console, such as iscadmin.<password> is the administrator password for the
console.To reactivate the console, run the following command:
<ISC_install_dir>/PortalServer/bin/startISC.sh
ISC_Portal<ISC_install_dir>/PortalServer/bin/startISC.bat
ISC_Portal<ISC_install_dir> is the directory where the
6.1.0 console was installed.After you have successfully installed the fix pack, you will need to redeploy the Tivoli Federated Identity Manager runtime.
This task is identical to the deployment task you completed after initial installation of the management service and runtime component. For example, in a WebSphere cluster environment you must ensure that the new runtime component is deployed to each WebSphere node.
See the Runtime node management chapter of the Tivoli Federated Identity Manager Configuration Guide. Complete the topic "Deploying the runtime as a WebSphere Application Server application."
NOTES
Runtime Information
----------------------------------------------
Current deployed version 6.1.1.1 [070406a]
Note: The number within the brackets [070406a]
might be different from this example.
In Tivoli Federated Identity Manager 6.1.1, the Tivoli Federated Identity Manager Runtime application provides security roles for controlling access to the Trust Service for applications using the WSSM component.
If you are using the WSSM component, then after you have deployed the runtime, you need to update the 'security role to user/group mapping'.
See the Web Services Security Management Guide, Chapter 2, the Section titled "Trust Service authorization access" for details on using security roles to control access to the trust service.
To update the demonstration application (itfim-ivtapp), you will need to uninstall the 6.1.0 version and deploy the 6.1.1 version that was installed by the fix pack.
To uninstall the 6.1.0 version:
To deploy the 6.1.1 version, refer to the instructions in "Deploying the demonstration application onto an existing WebSphere server", which is a section in the Tivoli Federated Identity Manager 6.1.1 Single Sign-On Guide.
If you want to return your installation to the state it was in prior to installing the fix pack, you can uninstall the fix pack.
The uninstallation process removes the fix pack, including the embedded version of WebSphere Application Server, if that version was installed by the fix pack.
ATTENTION -- When you remove the management service and runtime component fix pack, you will lose any configuration (domains, federations, and so on) that you added after the fix pack was installed.
acsisrv is running, as
follows:
ps -ef|grep acsisrv/usr/ibm/common/acsi/bin/acsisrv.sh
-start. Then ensure the service is running. variables
file that was used when the fix pack was installed, edit the file and
add the appropriate passwords. Then save and close the file./script directory and the type the
uninstall command:
uninstall.bat on Windows systems./uninstall.sh for AIX, Solaris, Linux, or HP-UXThe uninstall process will remove the fix pack and revert to the previous versions of files that were changed by the fix pack.
<ISC_install_dir>/PortalServer/bin/startISC.sh
ISC_Portal<ISC_install_dir>/PortalServer/bin/startISC.bat
ISC_PortalISC_install_dir is the directory where the 6.1.0
console was installed.For example, since you installed fix pack 1 onto a Tivoli Federated Identity Manager 6.1.1.0 system, after uninstalling fix pack 1 you would see the following:
Suite Name Version
----------------------------------------------------------
Tivoli Federated Identity Manager 6.1.0.0 [060524a]
Runtime Information
----------------------------------------------
Current deployed version 6.1.0.0 [060524a]
ATTENTION: Uninstalling the Update Installer will not remove the fix pack. See Uninstalling the fix pack for those instructions. Also, because the Update Installer will be used for future maintenance of Tivoli Federated Identity Manager, uninstalling the Update Installer is NOT recommended.
/_uninst subdirectory
where the Update Installer was installed.uninstall.bin on Windows systems./uninstall.bin for AIX, Solaris, Linux, or HP-UXThe product documentation for Tivoli Federated Identity Manager, Version 6.1.1, can be found at this location .
Updates to the documentation follow:
To locate the white paper:
If you install a Tivoli Federated Identity Manager 6.1.0 component to the system after the fix pack has been applied, you must reinstall the fix pack on that system, so that all components are at the same level.
To re-apply the fixpack:
<TFIM UPDATE INSTALLER>/DE/test/
<TFIM UPDATE INSTALLER> is the directory
where the update installer was installed../addconsolefeat.sh on AIX, Linux, Solaris, or
HP-UXaddconsolefeat.bat on Windows./addmgmtfeat.sh on AIX, Linux, Solaris, or HP-UXaddmgmtfeat.bat on Windows./addwssmfeat.sh on AIX, Linux, Solaris, or HP-UXaddwssmfeat.bat on Windows./addwspfeat.sh on AIX, Linux, Solaris, or HP-UX
addwspfeat.bat on WindowsNone.
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information that has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:
AIX
IBM
IBM logo
iSeries
pSeries
S/390
Tivoli
Tivoli logo
xSeries
zSeries
Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Other company, product, and service names may be trademarks or service marks of others.