IBM® Tivoli® Compliance Insight Manager, Fix Pack 7.0.0-TIV-TCIM-FP006 README

©Copyright International Business Machines Corporation 2008. All rights reserved. U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

NOTE: Before using this information and the product it supports, read the general information under Notices in this document.

Date: 2009 March 27


About the Fix Pack

This Fix Pack corrects problems in Consul Insight Security Manager, Version 7.0.0. It requires that Consul Insight Security Manager, Version 7.0.0, is installed. After installing this Fix Pack, your Consul Insight Security Manager installation will be at level 7.0.0.6.


Patch contents and distribution

This Fix Pack package contains:

This Fix Pack is distributed as an electronic download from the IBM Support Web Site.


Architectures

This Fix Pack package supports the same operating system releases as the Consul InSight Security Manager release, which are listed in Chapter 2 ("System Requirements") of the Consul InSight Security Manager 7.0 Installation Guide.


Fix Packs superseded by this Fix Pack

This fix pack supersedes the Windows fix pack 7.0.0-TIV-TCIM-FP005. The last fix pack for the z/OS actuator is 7.0.0-TIV-TCIM-FP005; the last fix pack for the UNIX actuators is 7.0.0-TIV-TCIM-FP002.


Fix Pack structure

Consul Insight Security Manager supports multiple platforms. For each platform requiring updates, a separate package is installed. The package contains the updates for all components installed on that platform.


APARs and defects fixed

The following problems are corrected by this fix pack. For more information about the APARs listed here, refer to the Consul Insight Security Manager support site.

Problems fixed by fix pack 7.0.0-TIV-TCIM-FP006

APAR IZ40682
SYMPTOM: Fix PE07080 fails to apply in some cases.

APAR IZ33864
SYMPTOM: It was possible to create a corrupt policy using the management console.

APAR IZ20150
SYMPTOM: Error while adding more than one Windows Machine with Windows Event Sources at once.

APAR IZ16883
SYMPTOM: When adding more than one machine the custom properties are applied only to the first event source.

Problems fixed by fix pack 7.0.0-TIV-TCIM-FP005

APAR IZ29684
SYMPTOM: When creating a new GEM database after applying FP004, it's not seen by the new users except the default one.

APAR IZ23459
SYMPTOM: When 2 GEM names differ by an underscore, the GEM name with '_' cannot be read from the database.

Internal defect UE070B001
SYMPTOM: zSecure 1.8.1 or newer is not supported.

APAR IZ23907
SYMPTOM: A mapping error occurs when mapping an empty z/OS chunk.

APAR IZ24308
SYMPTOM: When a user drills down in an iView Report on a value that contains a dollar sign, a tomcat error is shown instead of the correct report.

APAR IZ23167
SYMPTOM: After some period of time, the TCIM mapper will stop working.

Problems fixed by fix pack 7.0.0-TIV-TCIM-FP004

APAR IZ03732
SYMPTOM: Mapping for the AIX event source is not correct.

APAR IZ09908
SYMPTOM: Scoping shows empty report when it contains the event detail column.

Internal defect PE06540
SYMPTOM: Duplicated users appear in the AD Event source.

APAR IZ15383
SYMPTOM: When connecting via HPUX SSH, TCIM server cannot find the gzip or sudo utilities.

APAR IZ17154
SYMPTOM: iView dashboard shows error when creating a node grid with more than 1000 objects.

APAR IZ18098
SYMPTOM: "Unavailable" appears as the "Who" field, ObjectType in the OnWhat or Eventclass in the What field doesn't correspond to the gvs subtype of object, for the iSeries Event Source.

APAR IZ22396
SYMPTOM: It's not possible to log in to scoping after applying fix pack 3 when a non-default EPRISEDB name was used.

Problems fixed by fix pack 7.0.0-TIV-TCIM-FP003

APAR IZ03868
SYMPTOM: Platform plugs cannot be applied due to "timeout" errors.

APAR IZ05654
SYMPTOM: An HTTP error 500 happens when attempting to move a large number of groups in the scoping policy.

Problems fixed by fix pack 7.0.0-TIV-TCIM-FP002

Internal defect PE05430
SYMPTOM: Novell UIS Event Source fails to collect.

Internal defect PE05570
SYMPTOM: When upgrading from version 6.0, the System Name for some Event Sources may be empty.

Internal defect PE05630
SYMPTOM: For the OpenVMS Event Source, deletion events are always registered as "failure".

APAR IZ05070
SYMPTOM: SYSDBA events are not processed in Oracle Event Source.

APAR IZ06416
SYMPTOM: Collect in iSeries failed when sequence number was bigger than 2^31-1.

APAR IZ06758
SYMPTOM: GEM database may enter an inconsistent state if a database error occurs while sliding the database.

APAR IZ08681
SYMPTOM: Data collected by a UIS which is used as 'realname' field could cause an error in the case it exceeded the column length of the database.

APAR IZ08467
SYMPTOM: AD Event source is not stripping the @domain from the logonname and name.

Problems fixed by fix pack 7.0.0-TIV-TCIM-FP001

APAR IZ01641
SYMPTOM: Because of the Energy Policy Act of 2005, the dates on which Daylight Saving Time (DST) starts and ends are not correctly implemented in the version of Java that is shipped with Consul Insight Security Manager.

APAR IZ01642
SYMPTOM: Consul Insight Security Manager has several issues with Aggregation and Consolidation:
  1. Sometimes aggregation does return "no data found" while events were actually to be aggregated. The problem occurs when the summarization of events did not take place.
  2. Problems with constraint violations (ORA-00001)
  3. Problems in relations of tables (ORA-02298)
  4. The count of events in AggrDB is not the same as in GEM DB that was loaded by schedule
  5. The aggregation fails with the following error (ORA-01438: value larger than specified precision allows for this column)
  6. When groupnames contains a quote sign then the consolidation step fails.

Internal defect PE04170
SYMPTOM: During aggregation it sometimes occurs that a dimension has to be summarized, while its corresponding type does not. As a result the code will not handle the dimension type, and the summarized dimension will always get the default type-index: -1. This will result in a "parent keys not found" error message in the function "AggrDb.insertaggregation.main_procedure" while running Aggregation.

Internal defect PE04180
SYMPTOM: Reindexing gsl is configured to run every minute by default. This is a problem if there are many chunks, when it could easily take minutes to complete the check.

Internal defect PE04230
SYMPTOM: The Investigate page stores all results returned by the Searcher in the Session object, which will result in an out-of-memory condition with large result sets.

Internal defect PE04270
SYMPTOM: Sun Solaris DB2 doesn't work with the DB2/UDB Event Source (ES).

Internal defect PE04290
SYMPTOM: During the upgrade to version 7.0 the system names of most Event Sources are updated. The system name of the windows log api based Event Sources should not be changed, however, when the OS version is not "Microsoft Windows" the Event Source is not recognized as "windows log api based", and the system name will be updated to the hostname of the Point of Presence.

Internal defect PE04300
SYMPTOM: In the case the archive contains log files with overlapping timestamps, the Log Continuity Report could show incorrect data (end time earlier than the starttime).

Internal defect PE04410
SYMPTOM: Several issues may occur in the Log Manager:
  1. Caching all search results in a session can lead to an out of memory condition.
  2. Running a search on the Investigate page causes \iview\tomcat\logs\stderrlog.txt to grow, eventually degrading performance, because the searcher logs every found event.
  3. Syntax error in 1st query causes exception instead of error message.
  4. Re-searching after "stop search" does not work.
  5. Forensic search includes User Information Sources.

Internal defect PE04440
SYMPTOM: After upgrade to InSight 7.0 it is impossible to create a new user with access to the Investigate report. An error message is shown: no ‘CEAINVST’ role in Management console.

Internal defect PE04450
SYMPTOM: When in the Add UIS wizard there are no (visible) UIS properties the wizard cannot be continued. When pressing next button in the properties window of the wizard the wizard does not continue.

Internal defect PE04460
SYMPTOM: After installation of InSight Server and/or InSight windows actuator the password of the Windows cearoot account has expired after a certain period. This behavior is not desired for a user account belonging to the InSight service.

Internal defect PE04490
SYMPTOM: Oracle can store its audit records either in the (audit)files, or in the database. When database audit trail is used, InSight should support collection of Oracle Audit events from the database's system audit tables. This mechanism should be supported in addition to the existing collection from audit files.

Internal defect PE04530
SYMPTOM: RC=11 (SIGSEGV) terminates start of agent on z/OS, message "Collect groups error occurred in C2RCARLA" but C2RCARLA.SYSPRINT is empty, attention rule description exceeds 128 chars, reading "Write Sensitive Data" should be allowed, or z/OS event source fails when two UISes with different complex values specified both use the live database.

Internal defect PE04570
SYMPTOM: Some new functionality of MSSQL version 2005 is not supported.

Internal defect PE04610
SYMPTOM: On SEM events, saving alert configuration not always successful, content of WhatVerb and WhatNoun columns are wrong on SEM events, the value for OnwhatName is wrong (it should be just the objectname), RuleIDs columns has incorrect format, ManConsole reports about errors after hotfix application, the timestamp of the InSight SEM ES events in iView is not from log set but is the same as timestamp of mapping, or deselecting Severity-Delay support check box in Edit Alert Recipient window doesn't work.

Internal defect PE04620
SYMPTOM: In some cases the aggregation shows errors which are caused by invalid queries to the database. This was discovered in, but is not limited to, a z/OS aggregation during a scheduled load.

Internal defect PE04630
SYMPTOM: Some issues might occur with the Active Directory User Information Source (UIS):
  1. The grouping does not work for certain event types where there is a mismatch between the WHO and originator.
  2. The machines (platform names) are not grouped into the correct domain name.
  3. Certain standard groups such as "Users" and "Domain Users" are not populated (they are empty).
  4. The UIS information for the following userids is not collected: Anonymous logon user id with SID: S-1-5-7, Local System account: SID S-1-5-18.

Internal defect PE04660
SYMPTOM: The Oracle mapper used to fill the Who field with data from the db namespace mixed - in an indeterministic way - with data from the os namespace.

Internal defect PE04710
SYMPTOM: Same as internal defect PE04610.

Internal defect PE04740
SYMPTOM: When installing the agent, the server checks if the machine defined from the Management Console corresponds to the machine the agent is installed on. When there are DNS problems (like double entries on the DNS server) or multiple IP addresses, the IP check will fail and logs will not be accepted.

Internal defect PE04750
SYMPTOM: When collecting events through SSH connection, a root account is required, while it is not always possible to use the root account in Consul Insight Security Manager to collect with.

Internal defect PE04780
SYMPTOM: The original Event Source for Oracle does not support events for Oracle Fine Grained audit. Customers that use Fine Grained Audit also want to see the results back in InSight.

Internal defect PE04810
SYMPTOM: Some issues might occur with the Active Directory User Information Source (UIS):
  1. When creating a UIS using the Domain Controller as POP the UIS for Active Directory does not list any users while the Windows UIS list them all
  2. When the data is loaded the Originator is shown instead of User Id in Management Console.

Internal defect PE04830
SYMPTOM: Sun Java System Identity Manager version 6.0 is not supported by the event source.

Internal defect PE04840
SYMPTOM: Collection directory becomes full during collection, the output file produced by oracle log collector exceeds the soft file size limit, Oracle log collector hangs scanning for that non-existing instance name, Oracle log collector hangs when it encounters incomplete oracle audit trail files or records, or sort command runs out of space and results in collect failure.

Internal defect PE04880
SYMPTOM: The shutdown.bat (seaman.exe) is not able to shutdown the InSight server service.

Internal defect PE04900
SYMPTOM: The aggregation terminates with an Out-of-Memory error for Windows GEM databases (daily and weekly). The cause of this problem is the assignment of memory to the aggregation.

Internal defect PE04930
SYMPTOM: When mapped data contains a percentage character, a drilldown link related to that data is rejected by iView causing a blank browser screen.

Internal defect PE04950
SYMPTOM: In some cases log files are locked when there is an attempt to move them, which might in some cases prevent chunks from being moved to the depot. The previous method used for calling subprocesses passed the file handles to the subprocesses. The improvement is to use a different method in which the call to a subprocess has an explicit parameter to not pass the handles to the child.

Internal defect PE05020
SYMPTOM: In order to address the full needs, tools are provided to utilize the InSight Log Manager to investigate ubiquitous logs. The main goal is to provide a toolkit which supports log-parsing customization; customers can apply their own rules for log parsing through a custom GSL file. This ability is available for "Ubiquitous Log" event sources only.

Internal defect PE05030
SYMPTOM: In the situation where any machine-name was removed and re-applied, the transfer of data from the actuator for that ES to the server fails because the logset cannot be registered in the depot.

Internal defect PE05040
SYMPTOM: When the LPI and SPI are not synchronous the log retrieval fails, an empty file is downloaded or chunks of other event sources are downloaded, the Log Continuity Report fails when the LPI and SPI are not synchronized, or "Error 1802: Invalid argument in call" appears when user tries to Add Event Source.

Internal defect PE05050
SYMPTOM: Currently an actuator always needs to be installed on the Unix platforms to collect database audit trails. An alternative way is to use SSH.

Internal defect PE05055
SYMPTOM: Following the acquisition by IBM we have made some changes to the InSight product to comply with IBM standards and requirements. These changes are outlined below. This hotfix needs to be applied in normal numerical sequence when next maintaining your InSight system, specifically if you are applying any hot fixes that come after this one, to ensure consistency.

Internal defect PE05130
SYMPTOM: All object access events are mapped to Access / Dbobject. This means that read events cannot always be separated from actual modifications.

Internal defect PE05190
SYMPTOM: When the archive mechanism for MSSQL was replaced, the newly introduced archive mechanism missed the feature to create an archive file when there was no existing archive and "append" is used as an option. In the situation where no archive exists yet, the original sublog is not sent with the main log data.

Internal defect PE05200
SYMPTOM: AccessManager 4.1 is not supported.

Internal defect PE05210
SYMPTOM: FQDN Hostnames that are > 32 characters long cannot be added to the management console, automatic remote installation using the Netbios name of POP fails due to the IPCheck problem ("Message dropped" reported in the Cesystemlog of InSight server), or the InSight server cannot resolve a Netbios hostname of the POP to a correct IP address.

Internal defect PE05220
SYMPTOM: If "When" groups are created, then it is impossible to select 'in group' or 'not in group' in the policy explorer.

Internal defect PE05250
SYMPTOM: The GEM database reports a java.lang.NullPointerException error while calculating the starting index.

Internal defect PE05270
SYMPTOM: When trying to add an OS/400 Event Source followed by the Add Machine Wizard, there is a kind of mask that prevents the user from seeing what the Wizard is asking for.

Internal defect PE05300
SYMPTOM: After upgrading the Tru64 machine, the collected chunks for the Tru64 event source cannot be mapped. There are no errors reported during mapping, however the mapping results in 0 events, although there is data in the chunks.

Internal defect PE05350
SYMPTOM: Improved coverage for selected Windows events (SIDs).

Internal defect PE05370
SYMPTOM: On iSeries Remote Collect Validator, on some occasions a check of the validator causes the validator not to complete.

Internal defect PE05400
SYMPTOM: For the Oracle Event Source (ES) the event order is incorrect. This may result in 'unavailable' data fields for logoff events, when the logon and logoff occur in the same second.

Before installing the Fix Pack

Please be aware of the following considerations before installing this Fix Pack:

Prerequisites

This Fix Pack requires that you have Consul Insight Security Manager 7.0.0 and its prerequisites installed.

Fix Pack package

The Fix Pack 6 package is provided as an executable file for the Microsoft Windows platform.

Installing the Fix Pack

Installing the Fix Pack on Microsoft Windows

Execute the Fix Pack 7.0.0-TIV-TCIM-Win32-FP006.exe. The Fix Pack will detect any Consul Insight Security Manager components installed in the system, and will install the updates for the detected components.

NOTES


Documentation updates

None


Software limitations

Installing a component after installing the Fix Pack

If you install a Consul Insight Security Manager component to the system after the Fix Pack has been applied, you must reinstall the Fix Pack on that system, so that all components are at the same level.


Known problems and workarounds

None.


Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information that has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.


Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

AIX
IBM
IBM logo
iSeries
pSeries
OS/390
Tivoli
Tivoli logo
xSeries
zSeries

Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.