Upload
others
View
12
Download
0
Embed Size (px)
Citation preview
IBM
Tivoli
Access
Manager
for
Business
Integration
Release
Notes
Version
5.1
GI11-0957-01
���
IBM
Tivoli
Access
Manager
for
Business
Integration
Release
Notes
Version
5.1
GI11-0957-01
���
Note
Before
using
this
information
and
the
product
it
supports,
read
the
information
in
“Notices,”
on
page
25.
Second
Edition
(November
2003)
This
edition
applies
to
Version
5.1
of
IBM
Tivoli
Access
Manager
for
Business
Integration
and
to
all
subsequent
releases
and
modifications
until
otherwise
indicated
in
new
editions.
©
Copyright
International
Business
Machines
Corporation
2001,
2003.
All
rights
reserved.
US
Government
Users
Restricted
Rights
–
Use,
duplication
or
disclosure
restricted
by
GSA
ADP
Schedule
Contract
with
IBM
Corp.
Contents
Preface
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. v
Who
Should
Read
This
Guide
.
.
.
.
.
.
.
. v
What
This
Guide
Contains
.
.
.
.
.
.
.
.
. v
Publications
.
.
.
.
.
.
.
.
.
.
.
.
.
. v
IBM
Tivoli
Access
Manager
for
Business
Integration
Publications
.
.
.
.
.
.
.
.
. v
Prerequisite
Publications
.
.
.
.
.
.
.
.
. v
Related
Publications
.
.
.
.
.
.
.
.
.
. vi
Accessing
Publications
Online
.
.
.
.
.
.
. vi
Accessibility
.
.
.
.
.
.
.
.
.
.
.
.
.
. vi
Contacting
Software
Support
.
.
.
.
.
.
.
.
. vi
Conventions
Used
in
This
Book
.
.
.
.
.
.
. vii
Chapter
1.
About
This
Release
.
.
.
.
. 1
IBM
Tivoli
Access
Manager
for
Business
Integration
CD-ROM
Distribution
.
.
.
.
.
.
.
.
.
.
. 1
IBM
Tivoli
Access
Manager
for
Business
Integration
CD-ROM
Set
.
.
.
.
.
.
.
.
. 1
CD-ROM
Directory
Content
Description
.
.
.
. 2
IBM
Tivoli
Access
Manager
for
Business
Integration
Documentation
Set
.
.
.
.
.
.
.
.
.
.
.
. 2
Chapter
2.
Software
Requirements
.
.
. 5
System
Requirements
.
.
.
.
.
.
.
.
.
.
. 5
Supported
Platforms
.
.
.
.
.
.
.
.
.
.
.
. 5
Software
Infrastructure
Dependencies
.
.
.
.
.
. 5
Host
System
Software
Dependencies
.
.
.
.
.
. 6
Compatible
MQ
Family
Products
.
.
.
.
.
.
. 7
Chapter
3.
Known
Problems
and
Workarounds
.
.
.
.
.
.
.
.
.
.
.
. 9
General
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 9
Use
the
Latest
Patch
Bundle
.
.
.
.
.
.
.
. 9
Runtime
Problems
on
SPARCstation-5
Running
Solaris
8
(28153)
.
.
.
.
.
.
.
.
.
.
.
. 9
Make
Sure
Two
Environment
Variables
Were
Set
on
Solaris
Platform
(24173)
.
.
.
.
.
.
.
. 10
Two
Queue
Managers
Cannot
Have
the
Same
Name
(27898)
.
.
.
.
.
.
.
.
.
.
.
.
. 10
NDS
Server
User
Registry
Cannot
Handle
Spaces
in
the
Mapping
(38774)
.
.
.
.
.
.
.
.
. 10
Use
Latest
Patch
Bundle
for
HP-UX
.
.
.
.
. 10
Queue
Names
Longer
than
47
Characters
Are
Not
Supported
.
.
.
.
.
.
.
.
.
.
.
. 11
Installation
and
Configuration
.
.
.
.
.
.
.
. 11
svrsslcfg
SSL
Timeout
During
Configuration
or
Easy
Installation
.
.
.
.
.
.
.
.
.
.
.
. 11
Canceling
the
Easy
Installation
on
Windows
Does
Not
Remove
the
Directory
It
Created
During
the
Process
(26194)
.
.
.
.
.
.
.
.
.
.
.
. 11
No
Reboot
Message
from
GSKit
on
Windows
.
. 11
The
Easy
Installation
Does
Not
Upgrade
the
LDAP
Client
on
Solaris
.
.
.
.
.
.
.
.
. 12
psapi.dll
Missing
on
Windows
NT
(35259)
.
.
. 12
Runtime
Problems
on
SPARCstation-5
Running
Solaris
8
(28153)
.
.
.
.
.
.
.
.
.
.
.
. 12
pdmqsvrcfg
Not
Adding
Local
Queues
to
IBM
Tivoli
Access
Manager
Object
Space
.
.
.
.
. 12
When
to
Use
New
Style
Audit
Configuration
.
. 12
ICC
Configuration
.
.
.
.
.
.
.
.
.
.
. 13
The
Easy
Installation
on
Windows
Does
Not
Issue
a
Reminder
Message
after
Successful
Completion
.
.
.
.
.
.
.
.
.
.
.
.
. 13
Installation
of
IBM
Tivoli
Access
Manager
for
Business
Integration
Host
Edition,
Version
4.1
Fails
with
CSQFMNFM
Not
Found
.
.
.
.
. 13
Library
Link
Errors
on
AIX
.
.
.
.
.
.
.
. 13
Write
Permissions
for
the
Tivoli
Common
Directory
on
Windows
(40402)
.
.
.
.
.
.
. 13
Interoperability
.
.
.
.
.
.
.
.
.
.
.
.
. 14
Installation
of
IBM
Tivoli
Access
Manager
for
Business
Integration
Host
Edition,
Version
4.1
Fails
with
CSQFMNFM
Not
Found
.
.
.
.
. 14
Interoperability
Between
the
4.1
and
5.1
Versions
of
IBM
Tivoli
Access
Manager
for
Business
Integration
.
.
.
.
.
.
.
.
.
.
.
.
. 14
Limitations
with
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
4.1
Host
Edition
Interoperability
.
.
.
.
.
.
.
.
.
.
.
. 14
A
Protection
Exception
Occurs
During
Unprotect
Processing
in
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
4.1
Host
Edition
.
. 14
gsk_read_enveloped_data_content
Error
with
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
4.1
Host
Edition
Running
with
IBM
MQ
5.3
.
.
.
.
.
.
.
.
.
.
. 14
Server
Interceptor
.
.
.
.
.
.
.
.
.
.
.
. 15
Privacy
Protection
Is
Not
Available
to
Some
Dynamic
Queues
.
.
.
.
.
.
.
.
.
.
. 15
MQPUT
Is
Not
Allowed
When
One
or
More
of
the
Q-Recipients
Is
Using
an
Expired
Certificate
. 15
Quality
of
Protection
for
Application
Initiation
Queues
Must
Be
Set
to
None
.
.
.
.
.
.
. 15
Setting
the
Quality
of
Protection
for
an
Alias
Queue
Referring
to
a
SYSTEM
Queue
(19546)
.
. 16
Support
for
Distribution
Lists
(17094)
.
.
.
.
. 16
Subscriber
Queues
Cannot
Be
Dynamic
Queues
When
Quality
of
Protection
Is
Set
to
Privacy
(18794)
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 16
Support
for
MQRMH
Header
(17134)
.
.
.
.
. 16
Limited
Support
for
Report
Messages
(17098)
.
. 17
Persistent
Messages
on
Queues
.
.
.
.
.
.
. 17
Very
Large
Messages
May
Cause
a
GSKit
Error
Message
on
AIX
(18799)
.
.
.
.
.
.
.
.
. 17
Do
Not
Use
Remote
Administration
Interface
to
Browse
Protected
Queues
.
.
.
.
.
.
.
.
. 18
MQSI
Broker
2.1
on
Solaris:
mqsistop
-i
Fails
to
Stop
bipbroker
and
bipservice
Processes
Because
of
C
Runtime
Incompatibilities
(38520)
.
.
.
. 18
©
Copyright
IBM
Corp.
2001,
2003
iii
Server
Interceptor:
Shared
Connections
not
Supported
(33163,
33164,
WMQ
74060)
.
.
.
. 19
IBM
WebSphere
MQ
Workflow
3.4
Client
with
Windows
Might
Display
Access
Violations
(43695)
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 19
Socket
Errors
in
IBM
WebSphere
MQ
Workflow
3.4
Client
on
Windows
when
Auditing
Is
Set
to
Maximum
or
to
Include
Admin
.
.
.
.
.
.
. 19
Failure
to
Get
the
Recipient
Certificate
from
the
LDAP
Server,
Error
Code
81
(44385)
.
.
.
.
. 19
JMS
Interceptor
.
.
.
.
.
.
.
.
.
.
.
.
. 19
JMS
Interceptor
Fails
When
Duplicate
Q-Recipients
Are
Specified
on
the
Policy
(43899)
. 20
Privacy
Protection
Is
Not
Available
to
Some
Dynamic
Queues
.
.
.
.
.
.
.
.
.
.
. 20
Setting
the
Quality
of
Protection
for
an
Alias
Queue
Referring
to
a
SYSTEM
Queue
(19546)
.
. 20
IBM
WebSphere
InterChangeServer
on
Solaris
or
AIX
Must
Have
Cache
Refresh
Interval
of
20000000
.
.
.
.
.
.
.
.
.
.
.
.
.
. 20
C
Client
Interceptor
.
.
.
.
.
.
.
.
.
.
. 20
MQPUT
Is
Not
Allowed
When
One
or
More
of
the
Q-Recipients
Is
Using
an
Expired
Certificate
. 20
Privacy
Protection
Is
Not
Available
to
Some
Dynamic
Queues
.
.
.
.
.
.
.
.
.
.
. 20
Setting
the
Quality
of
Protection
for
an
Alias
Queue
Referring
to
a
SYSTEM
Queue
(19546)
.
. 20
Support
for
MQRMH
Header
(17134)
.
.
.
.
. 20
Persistent
Messages
on
Queues
.
.
.
.
.
.
. 20
IBM
Tivoli
Access
Manager
for
Business
Integration
Server
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 21
Listening
Mode
Might
Prevent
the
Server
from
Getting
Updates
from
the
Policy
Server
.
.
.
. 21
The
Tivoli
Access
Manager
for
Business
Integration
Server
Might
Fail
If
System
Resources
Are
Insufficient
.
.
.
.
.
.
.
.
.
.
.
. 21
Tools
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 21
Message
When
Certificate’s
DN
Is
Not
Restricted
to
LDAP
Attributes
CN,
OU,
and
O
.
.
.
.
. 21
pdmqzchk
Error
Message
(41450)
.
.
.
.
.
. 22
IBM
Global
Security
Tool
Kit
(GSKit)
iKeyman
.
. 22
gsk7ikm
Fails
to
Export
from
JKS
to
CMS
Keystores
(41935)
.
.
.
.
.
.
.
.
.
.
. 22
Misleading
Message
Exporting
Between
Keystores
with
gsk7ikm
.
.
.
.
.
.
.
.
. 22
Chapter
4.
Additional
Guidelines
for
Use
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 23
Appendix.
Notices
.
.
.
.
.
.
.
.
.
. 25
Trademarks
.
.
.
.
.
.
.
.
.
.
.
.
.
. 26
iv
IBM
Tivoli
Access
Manager
for
Business
Integration:
Release
Notes
Preface
Welcome
to
the
IBM
Tivoli
Access
Manager
for
Business
Integration
Release
Notes.
This
document
contains
new
and
revised
technical
information
for
IBM®
Tivoli®
Access
Manager
for
Business
Integration,
Version
5.1.
Who
Should
Read
This
Guide
This
guide
is
for
system
administrators
responsible
for
the
deployment
and
administration
of
IBM
Tivoli
Access
Manager
for
Business
Integration
software
and
its
related
components.
What
This
Guide
Contains
This
book
contains
the
following
sections:
v
Chapter
1,
“About
This
Release,”
on
page
1
v
Chapter
2,
“Software
Requirements,”
on
page
5
v
Chapter
3,
“Known
Problems
and
Workarounds,”
on
page
9
v
Chapter
4,
“Additional
Guidelines
for
Use,”
on
page
23
v
“Notices,”
on
page
25
Publications
Read
the
descriptions
of
the
IBM
Tivoli
Access
Manager
for
Business
Integration
library,
the
prerequisite
publications,
and
the
related
publications
to
determine
which
publications
you
might
find
helpful.
After
you
determine
the
publications
you
need,
refer
to
the
instructions
for
accessing
publications
online.
IBM
Tivoli
Access
Manager
for
Business
Integration
Publications
The
following
publications
are
provided
in
the
Tivoli
Access
Manager
for
Business
Integration
library:
v
IBM
Tivoli
Access
Manager
for
Business
Integration
Read
This
First
Card
(GI11-4202-00)
v
IBM
Tivoli
Access
Manager
for
Business
Integration
Release
Notes®
(GI11-0957-01)
v
IBM
Tivoli
Access
Manager
for
Business
Integration
Administration
Guide
(SC23-4831-01)
v
IBM
Tivoli
Access
Manager
for
Business
Integration
Problem
Determination
Guide
(GC32-1328-00)
Prerequisite
Publications
The
following
documents
provide
information
specific
to
IBM
Tivoli
Access
Manager:
v
IBM
Tivoli
Access
Manager
for
e-business
Read
This
First
Card,
Version
5.1
(GI11-4155-00)
v
IBM
Tivoli
Access
Manager
for
e-business
Release
Notes,
Version
5.1
GI11-4156-00)
v
IBM
Tivoli
Access
Manager
Upgrade
Guide,
Version
5.1
(SC32-1369-00)
v
IBM
Tivoli
Access
Manager
Base
Installation
Guide,
Version
5.1
(SC32-1362-00)
©
Copyright
IBM
Corp.
2001,
2003
v
v
IBM
Tivoli
Access
Manager
Base
Administration
Guide,
Version
5.1
(SC32-1360-00)
v
IBM
Tivoli
Access
Manager
for
e-business
Command
Reference,
Version
5.1
(SC32-1354-00)
Related
Publications
Information
related
to
Tivoli
Access
Manager
for
Business
Integration
is
available
as
follows:
v
The
Tivoli
Software
Library
provides
a
variety
of
Tivoli
publications
such
as
white
papers,
datasheets,
demonstrations,
redbooks,
and
announcement
letters.
The
Tivoli
Software
Library
is
available
on
the
Web
at:
http://www.ibm.com/software/tivoli/library/
v
The
Tivoli
Software
Glossary
includes
definitions
for
many
of
the
technical
terms
related
to
Tivoli
software.
The
Tivoli
Software
Glossary
is
available,
in
English
only,
from
the
Glossary
link
on
the
left
side
of
the
Tivoli
Software
Library
Web
page
http://www.ibm.com/software/tivoli/library/
Accessing
Publications
Online
The
publications
for
this
product
are
available
online
in
Portable
Document
Format
(PDF)
or
Hypertext
Markup
Language
(HTML)
format,
or
both
in
the
Tivoli
software
library:
http://www.ibm.com/software/tivoli/library
To
locate
product
publications
in
the
library,
click
the
Product
manuals
link
on
the
left
side
of
the
library
page.
Then,
locate
and
click
the
name
of
the
product
on
the
Tivoli
software
information
center
page.
Product
publications
include
release
notes,
installation
guides,
user’s
guides,
administrator’s
guides,
and
developer’s
references.
Note:
To
ensure
proper
printing
of
publications,
select
the
Fit
to
page
check
box
in
the
Adobe
Acrobat
window
(which
is
available
when
you
click
File
→
Print).
Accessibility
Accessibility
features
help
a
user
who
has
a
physical
disability,
such
as
restricted
mobility
or
limited
vision,
to
use
software
products
successfully.
With
this
product,
you
can
use
assistive
technologies
to
hear
and
navigate
the
interface.
You
also
can
use
the
keyboard
instead
of
the
mouse
to
operate
all
features
of
the
graphical
user
interface.
Contacting
Software
Support
Before
contacting
IBM
Tivoli
Software
Support
with
a
problem,
refer
to
the
IBM
Tivoli
Software
Support
site
by
clicking
the
Tivoli
support
link
at
the
following
Web
site:
http://www.ibm.com/software/support/
If
you
need
additional
help,
contact
software
support
by
using
the
methods
described
in
the
IBM
Software
Support
Guide
at
the
following
Web
site:
http://techsupport.services.ibm.com/guides/handbook.html
The
guide
provides
the
following
information:
v
Registration
and
eligibility
requirements
for
receiving
support
v
Telephone
numbers,
depending
on
the
country
in
which
you
are
located
vi
IBM
Tivoli
Access
Manager
for
Business
Integration:
Release
Notes
v
A
list
of
information
you
should
gather
before
contacting
customer
support
Conventions
Used
in
This
Book
This
guide
uses
several
typeface
conventions
for
special
terms
and
actions.
These
conventions
have
the
following
meaning:
Bold
Commands,
keywords,
authorization
roles,
and
other
information
that
you
must
enter
exactly
as
shown
appear
in
this
guide
in
bold
type.
Also,
the
names
of
other
controls
appear
in
bold
type.
Italics
Variables
and
values
that
you
must
provide
and
words
and
phrases
that
are
emphasized
appear
in
italics.
Monospace
Code
examples,
output,
file
names,
and
system
messages
appear
in
monospace
font.
[
]
Identifies
optional
arguments.
Arguments
not
enclosed
in
brackets
are
required.
|
Indicates
mutually
exclusive
information.
You
can
use
the
argument
to
the
left
of
the
separator
or
the
argument
to
the
right
of
the
separator.
You
cannot
use
both
arguments
in
a
single
use
of
the
command.
Preface
vii
viii
IBM
Tivoli
Access
Manager
for
Business
Integration:
Release
Notes
Chapter
1.
About
This
Release
This
chapter
describes
the
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
5.1
CD-ROM
distribution
and
available
documentation.
IBM
Tivoli
Access
Manager
for
Business
Integration
CD-ROM
Distribution
This
section
contains
a
list
of
the
various
components
included
in
the
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
5.1
CD-ROM
set.
IBM
Tivoli
Access
Manager
for
Business
Integration
CD-ROM
Set
The
IBM
Tivoli
Access
Manager
for
Business
Integration
distribution
includes
the
following
Version
5.1
CD-ROMs:
IBM
Tivoli
Access
Manager
for
Business
Integration
v
IBM
Tivoli
Access
Manager
for
Business
Integration
for
AIX®
v
IBM
Tivoli
Access
Manager
for
Business
Integration
for
HP-UX
v
IBM
Tivoli
Access
Manager
for
Business
Integration
for
Linux
on
xSeries®
v
IBM
Tivoli
Access
Manager
for
Business
Integration
for
Solaris
v
IBM
Tivoli
Access
Manager
for
Business
Integration
for
Windows®
IBM
Tivoli
Access
Manager
for
WebSphere
Business
Integration
Brokers
v
IBM
Tivoli
Access
Manager
for
WebSphere®
Business
Integration
Brokers
for
AIX
v
IBM
Tivoli
Access
Manager
for
WebSphere
Business
Integration
Brokers
for
Windows
IBM
Tivoli
Access
Manager
for
Business
Integration
Support
for
Languages
Other
than
English
v
IBM
Tivoli
Access
Manager
for
Business
Integration
Language
Support
IBM
Tivoli
Access
Manager
Base
v
IBM
Tivoli
Access
Manager
Base
for
AIX
v
IBM
Tivoli
Access
Manager
Base
for
HP-UX
v
IBM
Tivoli
Access
Manager
Base
for
Linux
on
xSeries
v
IBM
Tivoli
Access
Manager
Base
for
Solaris
v
IBM
Tivoli
Access
Manager
Base
for
Windows
NT®,
Windows
XP,
Windows
2000
and
Windows
2003
IBM
Tivoli
Access
Manager
Directory
Server,
Version
5.2
v
IBM
Tivoli
Access
Manager
Directory
Server
for
AIX
v
IBM
Tivoli
Access
Manager
Directory
Server
for
HP-UX
v
IBM
Tivoli
Access
Manager
Directory
Server
1
of
2
for
Solaris
v
IBM
Tivoli
Access
Manager
Directory
Server
2
of
2
for
Solaris
v
IBM
Tivoli
Access
Manager
Directory
Server
for
Linux
on
xSeries
v
IBM
Tivoli
Access
Manager
Directory
Server
for
Windows
2000
and
Windows
2003
©
Copyright
IBM
Corp.
2001,
2003
1
IBM
Tivoli
Access
Manager
Directory
Server
Web
Administration
Tool
v
IBM
Tivoli
Access
Manager
Web
Administration
Interfaces
for
AIX
v
IBM
Tivoli
Access
Manager
Web
Administration
Interfaces
for
HP-UX
v
IBM
Tivoli
Access
Manager
Web
Administration
Interfaces
for
Solaris
v
IBM
Tivoli
Access
Manager
Web
Administration
Interfaces
for
Linux
on
xSeries
v
IBM
Tivoli
Access
Manager
Web
Administration
Interfaces
for
Windows
2000
IBM
Tivoli
Access
Manager
WebSphere
Fix
Pack
v
IBM
Tivoli
Access
Manager
WebSphere
Fix
Pack
for
AIX
v
IBM
Tivoli
Access
Manager
WebSphere
Fix
Pack
for
HP-UX
v
IBM
Tivoli
Access
Manager
WebSphere
Fix
Pack
for
Solaris
v
IBM
Tivoli
Access
Manager
WebSphere
Fix
Pack
for
Linux
on
xSeries
v
IBM
Tivoli
Access
Manager
WebSphere
Fix
Pack
for
Windows
2000
IBM
Tivoli
Access
Manager
Support
for
Languages
Other
than
English
v
IBM
Tivoli
Access
Manager
Language
Support
for
AIX
v
IBM
Tivoli
Access
Manager
Language
Support
for
HP-UX
v
IBM
Tivoli
Access
Manager
Language
Support
for
Solaris
v
IBM
Tivoli
Access
Manager
Language
Support
for
Linux
on
xSeries
v
IBM
Tivoli
Access
Manager
Language
Support
for
Windows
NT,
Windows
XP,
Windows
2000
and
Windows
2003
CD-ROM
Directory
Content
Description
This
section
describes
the
organization
of
the
IBM
Tivoli
Access
Manager
for
Business
Integration
and
IBM
Tivoli
Access
Manager
Base
CD-ROMs.
IBM
Tivoli
Access
Manager
for
Business
Integration
CD-ROMs
The
IBM
Tivoli
Access
Manager
for
Business
Integration
CD-ROMs
have
these
subdirectories:
v
/doc,
which
contains
the
following:
–
the
pdmqsamples.zip
file
containing
command
files
referenced
in
the
Quick
Start
Appendix
of
the
IBM
Tivoli
Access
Manager
for
Business
Integration
Administration
Guide.v
/rspfile,
which
contains
the
template
file
for
using
the
easy
installation
in
silent
mode.
IBM
Tivoli
Access
Manager
for
Business
Integration
Documentation
Set
The
IBM
Tivoli
Access
Manager
for
Business
Integration
documents
and
related
Tivoli
Access
Manager
documents
are
available
on
the
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
5.1
support
page.
These
documents
are
listed
in
the
following
table.
Installation
and
Administration
IBM
Tivoli
Access
Manager
for
Business
Integration
Read
This
First,
Version
5.1
IBM
Tivoli
Access
Manager
for
Business
Integration
Administration
Guide,
Version
5.1
IBM
Tivoli
Access
Manager
Base
Installation
Guide,
Version
5.1
IBM
Tivoli
Access
Manager
Base
Administration
Guide,
Version
5.1
2
IBM
Tivoli
Access
Manager
for
Business
Integration:
Release
Notes
Diagnosing
Problems
IBM
Tivoli
Access
Manager
for
Business
Integration
Problem
Determination
Guide,
Version
5.1
Supplemental
Documentation
IBM
Tivoli
Access
Manager
for
Business
Integration
Release
Notes,
Version
5.1
IBM
Tivoli
Access
Manager
for
e-business
Release
Notes,
Version
5.1
IBM
Tivoli
Access
Manager
for
e-business
Command
Reference,
Version
5.1
IBM
Tivoli
Access
Manager
Upgrade
Guide,
Version
5.1
Chapter
1.
About
This
Release
3
4
IBM
Tivoli
Access
Manager
for
Business
Integration:
Release
Notes
Chapter
2.
Software
Requirements
This
chapter
provides
information
about
all
supported
platforms,
system
requirements,
software
infrastructure
dependencies,
and
IBM
MQ
products
that
are
compatible
with
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
5.1.
Note:
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
5.1
includes
the
Server
Interceptor,
C
Client
Interceptor,
API
exit
Interceptor,
and
JMS
Interceptor
modules.
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
5.1
supports
any
hardware
acceleration
cards
that
support
PKCS#11
2.01
APIs.
System
Requirements
The
minimum
system
requirements
for
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
5.1
are:
v
Physical
memory:
512
MB
v
Disk
space:
40
MB
For
specific
requirements
for
your
operating
system,
refer
to
the
“Host
System
Software
Dependencies”
on
page
6.
You
must
monitor
the
disk
space
usage
of
the
directories
where
the
logs
are
created.
For
further
information,
refer
to
the
IBM
Tivoli
Access
Manager
for
Business
Integration
Problem
Determination
Guide.
Supported
Platforms
The
following
is
a
list
of
supported
platforms:
v
AIX
4.3.3,
5.1,
and
5.2
v
Solaris
8
and
9
v
HP-UX
11
and
11i
v
SuSE
Linux
Enterprise
Server
(SLES)
8
for
IA32
v
Windows
NT
4.0,
SP6a
v
Windows
2000
Professional,
Server,
and
Advanced
Server,
SP2
v
Windows
XP,
Professional
(for
IBM
MQ
5.3
only)
It
is
recommended
that
you
have
the
latest
patches
for
your
operating
system.
Software
Infrastructure
Dependencies
The
following
is
a
list
of
software
infrastructure
dependencies:
v
IBM
Lightweight
Directory
Access
Protocol
(LDAP)
Servers
(as
user
registry)
–
IBM
Tivoli
Directory
Server,
Version
5.1
and
5.2
–
Sun
ONE
Directory
Server,
Version
5.1
–
Novell
eDirectory
8.7v
IBM
Global
Security
Tool
Kit
(GSKit)
7a
v
IBM
Tivoli
Access
Manager
Base,
Version
5.1
©
Copyright
IBM
Corp.
2001,
2003
5
Host
System
Software
Dependencies
The
following
is
a
list
of
software
dependencies
for
the
host
system,
the
machine
on
which
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
5.1
runs:
v
IBM
Directory
Client,
Version
5.2
v
IBM
GSKit
7a
on
Windows
and
Linux
v
IBM
GSKit
6g
on
AIX,
HP-UX,
and
Solaris
v
Access
Manager
Runtime,
Version
5.1
and
Access
Manager
Java
Runtime
Environment,
Version
5.1
v
IBM
MQSeries,
Version
5.2,
CSD
5,
6
(no
API
exit
Interceptor
support)
v
IBM
WebSphere
MQ,
Version
5.3,
CSD
3
and
4
(no
Server
Interceptor
support)
v
Java
Runtime
Environments
(JREs)
–
Windows
NT
Java
Version
1.4.1_02
Java
2
Runtime
Environment,
Standard
Edition
(build
1.4.1_02–b06)
Java
HotSpot
Client
VM
(build
1.4.1_02–b06,
mixed
mode)
–
Windows
2000
Java
Version
1.3.1
Java
2
Runtime
Environment,
Standard
Edition
(build
1.3.1
Classic
VM
(build
1.3.1,
J2RE
1.3.1
IBM
Windows
32
build
cn131–20030329
(JIT
enabled:
jitc))
Java
Version
1.4.1_02
Java
2
Runtime
Environment,
Standard
Edition
(build
1.4.1_02–b06)
Java
HotSpot
Client
VM
(build
1.4.1_02–b06,
mixed
mode)
–
Solaris
Java
Version
1.3.1_07
Java
2
Runtime
Environment,
Standard
Edition
(build
1.3.1_07–b02)
Java
HotSpot
Client
VM
(build
1.3.1_07–b02,
mixed
mode)
Java
Version
1.4.1_02
Java
2
Runtime
Environment,
Standard
Edition
(build
1.4.1_02–b06)
Java
HotSpot
Client
VM
(build
1.4.1_02–b06,
mixed
mode)
–
Linux
(SuSE)
Java
Version
1.3.1
Java
2
Runtime
Environment,
Standard
Edition
(build
1.3.1)
Classic
VM
(build
1.3.1,
J2RE
1.3.1
IBM
build
cxia32131–20021102
(JIT
enabled:
jitc))
Java
Version
1.4.0
Java
2
Runtime
Environment,
Standard
Edition
(build
1.4.0
Classic
VM
(build
1.4.0,
J2RE
1.4.0
IBM
build
cxia32140–20020917a
(JIT
enabled:
jitc))
–
AIX
Java
Version
1.3.1
6
IBM
Tivoli
Access
Manager
for
Business
Integration:
Release
Notes
Java
2
Runtime
Environment,
Standard
Edition
(build
1.3.1)
Classic
VM
(build
1.3.1,
J2RE
1.3.1
IBM
AIX
build
ca131-20021102
(JIT
enabled:
jitc))
Java
Version
1.4.0
Java
2
Runtime
Environment,
Standard
Edition
(build
1.4.0
Classic
VM
(build
1.4.0,
J2RE
1.4.0
IBM
AIX
build
ca1401–20030211a
(JIT
enabled:
jitc))
–
HP
Java
Version
1.3.1.08
Java
2
Runtime
Environment,
Standard
Edition
(build
1.3.1.08-021127-23:13)
Java
HotSpot
Server
VM
(build
1.3.1
1.3.1.08-_28_nov_2002_00_09
PA2.0,
mixed
mode)
Java
Version
1.4.1.01
Java
2
Runtime
Environment,
Standard
Edition
(build
1.4.1.01-030304-15:40)
Java
HotSpot
Server
VM
(build
1.4.1
1.4.1.01-030304–17:08–PA_RISC2.0
PA2.0,
mixed
mode)
Compatible
MQ
Family
Products
The
following
is
a
list
of
IBM
MQ
family
products
that
are
compatible
with
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
5.1:
v
IBM
WebSphere
MQSeries
Integrator,
Version
2.1
v
IBM
WebSphere
MQ
Integrator
Brokers,
Version
2.1
(formerly
IBM
WebSphere
MQSeries
Integrator,
Version
2.1)
v
IBM
WebSphere
MQ
Event
Broker,
Version
2.1
v
IBM
WebSphere
MQ
Workflow,
Version
3.4
(formerly
IBM
MQSeries
Workflow)
v
IBM
WebSphere
InterChange
Server,
Version
4.2
(formerly
IBM
CrossWorlds)
v
IBM
WebSphere
Application
Server,
Version
5.02
(see
note
below)
Note:
The
JMS
Interceptor
is
fully
supported
by
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
5.1
for
Java
applications
executing
in
a
standalone
(non-application
server)
Java
environment.
The
use
of
the
JMS
Interceptor
in
the
IBM
WebSphere
Application
Server
environment
has
not
been
fully
certified
and
therefore
not
officially
supported.
The
JMS
Interceptor
support
for
the
IBM
WebSphere
Application
Server
environment
for
the
Windows
and
AIX
platforms
is
provided
as
a
″technology
preview″
for
early
trial
only.
To
use
the
JMS
Interceptor
in
the
context
of
distributed
transactions,
the
iFix
PQ80078
needs
to
be
applied
to
the
IBM
WebSphere
Application
Server
environment.
Contact
your
IBM
product/marketing
representative
for
the
latest
information
on
General
Availability
of
support
for
the
JMS
Interceptor
in
the
IBM
WebSphere
Application
Server
environment.
Chapter
2.
Software
Requirements
7
8
IBM
Tivoli
Access
Manager
for
Business
Integration:
Release
Notes
Chapter
3.
Known
Problems
and
Workarounds
In
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
5.1,
some
problems
and
limitations
are
known
to
exist,
and
this
information
is
categorized
as
follows:
v
General
v
“Installation
and
Configuration”
on
page
11
v
“Interoperability”
on
page
14
v
“Server
Interceptor”
on
page
15
v
“JMS
Interceptor”
on
page
19
v
“C
Client
Interceptor”
on
page
20
v
“IBM
Tivoli
Access
Manager
for
Business
Integration
Server”
on
page
21
v
“Tools”
on
page
21
v
“IBM
Global
Security
Tool
Kit
(GSKit)
iKeyman”
on
page
22
Workarounds
are
provided
if
they
are
available.
Some
entries
include
an
internal
five-digit
CMVC
defect
tracking
number
in
parenthesis.
LA
fixes
and
Fix
Packs
that
address
these
problems
will
reference
these
tracking
numbers
in
the
README
files.
Report
any
other
problems
to
your
IBM
service
representative.
Note:
If
a
problem
applies
to
more
than
one
category,
it
is
explained
in
the
first
applicable
category
and
referenced
subsequently.
General
The
following
are
descriptions
of
problems
that
apply
to
most
components.
Use
the
Latest
Patch
Bundle
Problem:
If
you
do
not
have
the
latest
set
of
operating
system
patches,
you
might
experience
problems
when
running
IBM
Tivoli
Access
Manager
for
Business
Integration.
Workaround:
Make
sure
that
you
have
the
latest
operating
system
patches
on
your
machine.
Runtime
Problems
on
SPARCstation-5
Running
Solaris
8
(28153)
Problem:
A
problem
has
been
encountered
running
IBM
Tivoli
Access
Manager,
Version
5.1
executables
on
a
SPARCstation-5
installed
with
Solaris
8.
For
instance,
pdversion,
a
Tivoli
Access
Manager
executable,
fails
as
follows:
#
pdversion
id.so.1:/opt/PolicyDirector/sbin/ivprintmsg:fatal:/usr/lib/libCstd.so.1:
bad
ELF
flags
value:
256
It
appears
that
the
system
file
/usr/lib/libCstd.so.1
is
not
compatible
with
this
hardware.
Therefore,
IBM
Tivoli
Access
Manager,
Version
5.1
and
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
5.1
are
not
supported
on
SPARCstation-5
hardware
installed
with
Solaris
8.
Workaround:
None
©
Copyright
IBM
Corp.
2001,
2003
9
Make
Sure
Two
Environment
Variables
Were
Set
on
Solaris
Platform
(24173)
Problem:
On
Solaris
platforms,
if
TISDIR
and
NLSPATH
environment
variables
are
not
set,
the
program
might
core
dump
or
hang.
These
two
environment
variables
are
contained
in
/etc/profile,
but
some
programs
might
not
get
the
environment
variables
from
there.
Workaround:
Make
sure
the
TISDIR
and
NLSPATH
settings
as
they
are
specified
in
the
/etc/profile,
which
is
updated
during
configuration.
Two
Queue
Managers
Cannot
Have
the
Same
Name
(27898)
Problem:
IBM
Tivoli
Access
Manager
for
Business
Integration
cannot
distinguish
between
two
queue
managers
with
the
same
name
in
the
IBM
Tivoli
Access
Manager
object
space.
Workaround:
Make
sure
there
are
no
queue
manager
name
conflicts
in
the
same
Tivoli
Access
Manager
server.
As
an
alternative,
you
can
configure
the
two
queue
managers
in
different
environments
of
IBM
Tivoli
Access
Manager
for
e-business.
NDS
Server
User
Registry
Cannot
Handle
Spaces
in
the
Mapping
(38774)
Problem:
If
you
are
using
a
Novell
edirectory
server
for
your
user
registry,
the
mapping
entry
for
IBM
Tivoli
Access
Manager
Business
Integration
cannot
have
spaces
between
the
component
names
in
the
distinguished
name
(DN).
For
IBM
Tivoli
Access
Manager
users,
the
mapping
entry
is
the
secCertDN
entry.
For
instance,
if
you
want
to
map
a
Tivoli
Access
Manager
user
to
a
certificate
with
a
DN
of
cn=tester,o=ibm,c=us
the
following
example
is
correct:
cn=tester,o=ibm,c=us
Versus
the
same
example
with
spaces,
which
cause
errors:
cn=tester,
o=ibm,
c=us
Note
that
running
pdmqzchk
will
cause
this
type
of
error
to
be
flagged
via
the
following
message:
DRQDZ3618E
The
program
could
NOT
find
PKI
label
’tester’,
DN
’CN=tester;
o=ibm;C=us’
mapped
to
an
IBM
Tivoli
Access
Manager
user
in
LDAP.
Workaround:
Map
the
Tivoli
Access
Manager
user
to
the
certificate
without
using
spaces
when
specifying
the
distinguished
name
of
the
certificate.
Use
Latest
Patch
Bundle
for
HP-UX
Problem:
If
you
do
not
have
the
latest
set
of
operating
system
patches,
you
might
experience
problems
when
running
IBM
Tivoli
Access
Manager
for
Business
Integration
on
HP-UX.
For
instance,
a
core
dump
might
occur
when
you
are
running
the
pdmqzchk
command.
Workaround:
Make
sure
that
you
have
the
latest
operating
system
patches
on
your
HP-UX
machine.
These
patches
are
available
on
the
HP
Web
site.
10
IBM
Tivoli
Access
Manager
for
Business
Integration:
Release
Notes
Queue
Names
Longer
than
47
Characters
Are
Not
Supported
Problem:
IBM
WebSphere
Interchange
Server,
an
IBM
WebSphere
MQ
family
product,
allows
queue
names
to
be
48
characters
long.
However,
IBM
Tivoli
Access
Manager
for
Business
Integration
cannot
support
48-character-long
queue
names
because
of
internal
limitations.
Workaround:
IBM
WebSphere
Interchange
Server
allows
customization
of
queue
names.
Change
queue
names
to
be
shorter
than
48
characters.
Installation
and
Configuration
The
following
problems
apply
to
installation
and
configuration.
If
a
platform
is
not
specified,
the
problem
applies
to
all
platforms.
svrsslcfg
SSL
Timeout
During
Configuration
or
Easy
Installation
Problem:
Due
to
network
connectivity,
you
might
experience
an
SSL
timeout
when
configuring
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
5.1.
Workaround:
Modify
the
following
line
in
the
pd.conf
file
as
specified:
ssl-io-inactivity-timeout
=
0
Set
the
ssl-io-inactivity-timeout
parameter
to
0
instead
of
90,
which
is
the
default.
The
pd.conf
file
is
located
in
the
access_manager_install_path/etc.
directory.
Then
run
the
following
command
to
remove
the
server
from
IBM
Tivoli
Access
Manager:
svrsslcfg
-unconfig
-f
pdmq_install_path/etc/pdmqazn.conf
-n
pdmqazn
-h
hostname
-A
domain_master_user_id
-P
domain_password
Modify
-h
hostname
option
depending
on
your
environment.
At
this
point,
native
configuration
or
easy
installation
can
be
run
again
in
order
to
complete
configuration.
Canceling
the
Easy
Installation
on
Windows
Does
Not
Remove
the
Directory
It
Created
During
the
Process
(26194)
Problem:
When
you
specify
directories
to
install
IBM
Tivoli
Access
Manager
for
Business
Integration
or
its
prerequisites,
the
easy
installation
attempts
to
validate
the
specified
directory
by
creating
the
directory.
Later,
if
you
cancel
the
installation,
the
directory
is
not
removed.
Workaround:
You
can
manually
delete
the
directory.
No
Reboot
Message
from
GSKit
on
Windows
Problem:
If
you
are
upgrading
IBM
Global
Security
Tool
Kit
(GSKit)
on
a
Windows
machine
where
the
GSKit
libraries
are
in
use,
GSKit
copies
the
new
libraries
to
your
machine
with
a
.1
extension.
You
need
to
reboot
the
machine
so
that
the
old
files
can
be
replaced
with
the
new
files.
However,
GSKit
does
not
tell
you
to
reboot
and
you
get
GSKit
errors
until
the
machine
is
rebooted.
Workaround:
Reboot
your
machine
to
finish
the
updating
process.
Chapter
3.
Known
Problems
and
Workarounds
11
The
Easy
Installation
Does
Not
Upgrade
the
LDAP
Client
on
Solaris
Problem:
The
easy
installation
does
not
upgrade
the
Lightweight
Directory
Access
Protocol
(LDAP)
client
on
Solaris
to
version
5.2.
In
addition,
the
easy
installation
fails.
Workaround:
If
you
have
an
existing
LDAP
client
with
a
version
earlier
than
5.1,
the
easy
installation
will
not
upgrade
it.
You
must
manually
upgrade
the
LDAP
client
or
remove
it
completely
before
running
the
easy
installation
again.
psapi.dll
Missing
on
Windows
NT
(35259)
Problem:
Some
Windows
machines
do
not
have
the
psapi.dll
library.
IBM
Tivoli
Access
Manager
for
Business
Integration
configuration
uses
this
library
to
check
whether
any
IBM
WebSphere
MQ
processes
are
running
on
a
Windows
machine.
Workaround:
If
you
do
not
have
this
library,
you
can
get
it
from
the
Microsoft
Web
site.
Runtime
Problems
on
SPARCstation-5
Running
Solaris
8
(28153)
For
the
explanation
of
this
problem,
see
“General”
on
page
9.
pdmqsvrcfg
Not
Adding
Local
Queues
to
IBM
Tivoli
Access
Manager
Object
Space
Problem:
With
IBM
MQSeries
5.2
with
no
CSD
on
Linux,
when
the
following
command
is
being
run,
pdmqsvrcfg
does
not
add
a
queue
manager’s
local
queues
to
the
IBM
Tivoli
Access
Manager
Object
Space:
pdmqsvrcfg
-action
add
-qm
QMname
Workaround:
Install
the
latest
CSD.
After
CSD
6
was
installed
for
MQSeries
5.2,
the
local
queues
were
added
to
the
object
space
with
no
problems.
When
to
Use
New
Style
Audit
Configuration
Problem:
By
default,
legacy
audit
configuration
is
enabled
for
IBM
Tivoli
Access
Manager
for
Business
Integration
server.
If
a
large
number
of
audit
events
are
generated,
then
you
might
notice
a
large
amount
of
memory
used
on
the
system
with
this
legacy
configuration.
Workaround:
The
new
style
of
auditing
can
be
used
when
a
large
number
of
audit
events
are
generated
and
you
want
to
contain
the
memory
growth.
This
is
set
in
pdmq_install_path/pdmqazn.conf
file,
and
you
can
uncomment
these
lines
in
the
aznapi-configuration
stanza:
#logcfg
=
EventPool:queue_size=1000
#logcfg
=
audit.pdmq:filepath=/var/pdmq/audit/audit.log,
queue_size=1000,rollover_size=2000000
In
addition
to
this,
you
set
logaudit
=
no
to
disable
legacy
auditing
configuration.
The
queue_size
parameter
in
these
lines
controls
the
maximum
number
of
events
to
queue
in
memory.
For
Windows,
the
file
path
must
be
changed
to
the
pdmq_install_path\audit\audit.log
12
IBM
Tivoli
Access
Manager
for
Business
Integration:
Release
Notes
ICC
Configuration
Problem:
It
is
recommended
that
ICC
be
enabled
only
on
AIX
to
improve
cryptographic
performance.
Workaround:
None.
The
Easy
Installation
on
Windows
Does
Not
Issue
a
Reminder
Message
after
Successful
Completion
Problem:
The
Easy
Installation
on
Windows
completes
successfully
for
the
Server
Interceptor
but
does
not
issue
the
following
reminder
message
on
IBM
WebSphere
MQ,
Version
5.3.
DRQDT25271
The
IBM
Tivoli
Access
Manager
for
Business
Integration
API
exit
is
configured.
Additional
tasks
are
required
to
enable
the
API
exit
for
one
or
more
queue
managers.
Workaround:
Per
the
message,
enable
the
Server
Interceptor.
For
additional
information,
refer
to
the
IBM
Tivoli
Access
Manager
for
Business
Integration
Administration
Guide.
Installation
of
IBM
Tivoli
Access
Manager
for
Business
Integration
Host
Edition,
Version
4.1
Fails
with
CSQFMNFM
Not
Found
Problem:
When
IBM
MQ
5.3.1
is
installed,
the
installation
of
IBM
Tivoli
Access
Manager
for
Business
Integration
Host
Edition,
Version
4.1
fails
with
the
following
message:
IEW2470E
9511
ORDERED
SECTION
CSQFMNFM
NOT
FOUND
IN
MODULE
Workaround:
Apply
APAR
OA05341
for
JCLIN
update.
Library
Link
Errors
on
AIX
Problem:
When
you
configure
or
enable
IBM
Tivoli
Access
Manager
Integration
server
on
AIX,
you
might
see
the
following
errors:
ln:
0653-421
/usr/lib/liborigmqm_r.a
exists.
Specify
-f
to
remove
/usr/lib/liborigmqm_r.a
before
linking.
ln:
0653-421
/usr/lib/liborigmqm.a
exists.
Specify
-f
to
remove
/usr/lib/liborigmqm.a
before
linking.
Workaround:
These
error
messages
mean
that
the
links
already
exist
on
the
system,
and
the
messages
can
be
safely
ignored.
Write
Permissions
for
the
Tivoli
Common
Directory
on
Windows
(40402)
Problem:
On
Windows,
if
you
have
enabled
Tivoli
Common
Directory
during
IBM
Tivoli
Access
Business
Runtime
configuration,
you
might
see
logs
in
the
default
location
pdmq_install_path/log.
Workaround:
IBM
WebSphere
MQ
applications
must
have
write
permissions
to
the
Tivoli
Common
Directory
and
to
its
subdirectory
DRQ/logs
to
ensure
that
the
directory
is
used.
An
ACL
can
be
added
to
allow
write
access
for
each
user
or
for
the
mqm
group.
Chapter
3.
Known
Problems
and
Workarounds
13
Interoperability
The
following
problems
relate
to
interoperability.
Installation
of
IBM
Tivoli
Access
Manager
for
Business
Integration
Host
Edition,
Version
4.1
Fails
with
CSQFMNFM
Not
Found
For
a
full
explanation
of
this
problem,
see
“Installation
and
Configuration”
on
page
11.
Interoperability
Between
the
4.1
and
5.1
Versions
of
IBM
Tivoli
Access
Manager
for
Business
Integration
Problem:
The
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
5.1
release
will
not
interoperate
with
the
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
4.1
GOLD
installation.
Workaround:
The
4.1-PDM-0004LA
fix
needs
to
be
applied
after
installing
PDMQ4.1
GOLD
for
it
to
interoperate
with
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
5.1.
Limitations
with
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
4.1
Host
Edition
Interoperability
Problem:
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
4.1
Host
Edition
will
only
support
interoperability
when
the
IBM
LDAP
product
is
used.
It
is
also
important
to
note
that
the
IBM
Policy
Director
Authorization
Services
for
z/OS
and
OS/390
product
will
only
interoperate
with
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
5.1
when
the
default
access
manager
domain
is
used.
Workaround:
None.
A
Protection
Exception
Occurs
During
Unprotect
Processing
in
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
4.1
Host
Edition
Problem:
A
protection
exception
occurs
during
the
unprotect
processing
in
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
4.1
Host
Edition.
The
exception
is
generated
when
the
system
is
trying
to
parse
the
secDN
coming
back
from
the
IBM
LDAP.
The
exception
occurs
in
the
module
drqservd
when
the
SSL
ipdmq_get_secDN
routine
is
being
called.
Workaround:
This
problem
is
fixed
by
installing
APAR
OA04264.
Contact
your
IBM
service
representative
for
assistance.
gsk_read_enveloped_data_content
Error
with
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
4.1
Host
Edition
Running
with
IBM
MQ
5.3
Problem:
A
gsk_read-enveloped_data_content
error
might
occur
when
the
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
4.1
Host
Edition,
running
with
IBM
MQ
5.3,
communicates
with
an
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
5.1
distributed
platform,
which
is
also
running
IBM
MQ
5.3.
14
IBM
Tivoli
Access
Manager
for
Business
Integration:
Release
Notes
Workaround:
None.
This
problem
may
never
be
encountered
in
a
customer
environment.
The
problem
does
not
occur
when
IBM
MQ
5.2
is
running
on
the
distributed
platform.
Server
Interceptor
The
following
problems
apply
to
the
Server
Interceptor
and
to
other
interceptors,
if
specified.
Privacy
Protection
Is
Not
Available
to
Some
Dynamic
Queues
Problem:
IBM
Tivoli
Access
Manager
for
Business
Integration
does
not
attach
extended
attributes
to
system
queues
in
the
protected
object
space,
so
you
cannot
define
recipients
for
dynamic
queues
that
are
inherited
from
SYSTEM.DEFAULT.MODEL.QUEUE.
Privacy
protection,
which
includes
key-based
data
signing
and
encryption,
is
not
available
to
these
queues.
Workaround:
If
applications
are
using
dynamic
queues
that
need
Tivoli
Access
Manager
for
Business
Integration
privacy
protection,
these
queues
must
be
inherited
from
a
non-system
model
queue.
Note:
This
problem
also
applies
to
the
C
Client
Interceptor
and
to
the
JMS
Interceptor.
MQPUT
Is
Not
Allowed
When
One
or
More
of
the
Q-Recipients
Is
Using
an
Expired
Certificate
Problem:
If
one
or
more
users
in
a
list
of
Q-recipients
on
a
queue
has
an
expired
certificate,
a
call
to
MQPUT
will
be
rejected
by
the
IBM
Tivoli
Access
Manager
for
Business
Integration
interceptor.
This
occurs
even
if
there
might
be
other
Q-recipients
with
valid
certificates
in
the
same
list.
Workaround:
In
order
to
call
MQPUT
successfully,
all
Q-recipients
need
to
have
valid
certificates
associated
with
them.
If
the
problem
occurs,
the
user
needs
to
either
be
removed
or
use
a
valid
certificate.
Quality
of
Protection
for
Application
Initiation
Queues
Must
Be
Set
to
None
Problem:
Some
MQSeries®
applications
(for
example,
MQSeries
Workflow)
send
explicit
trigger
messages
to
application
initiation
queues.
IBM
Tivoli
Access
Manager
for
Business
Integration
expects
that
trigger
messages
will
not
have
any
data
protection
when
the
trigger
monitor
receives
them.
If
you
send
the
trigger
message
to
an
application
initiation
queue
with
a
protected
object
policy
that
specifies
a
quality
of
protection
of
integrity
or
privacy,
IBM
Tivoli
Access
Manager
for
Business
Integration
will
encapsulate
the
trigger
message
data
in
a
secure
fashion.
However,
when
the
trigger
monitor
retrieves
the
message
from
the
queue,
it
is
not
able
to
process
it
correctly
because
the
message
contains
data
that
IBM
Tivoli
Access
Manager
for
Business
Integration
has
encapsulated.
As
a
result,
the
trigger
monitor
fails
to
launch
the
process
associated
with
the
trigger
message.
Workaround:
Ensure
that
the
application
initiation
queues
do
not
have
a
protected
object
policy
that
specifies
a
quality
of
protection
(QOP)
of
integrity
or
privacy.
The
QOP
must
be
set
to
None.
Chapter
3.
Known
Problems
and
Workarounds
15
Setting
the
Quality
of
Protection
for
an
Alias
Queue
Referring
to
a
SYSTEM
Queue
(19546)
Problem:
When
an
alias
queue
refers
to
a
SYSTEM
queue
and
the
quality
of
protection
attached
to
the
queue
is
integrity
or
privacy,
some
applications
may
not
work.
For
example,
in
Publisher/Subscriber
applications,
the
publisher
may
put
a
message
on
a
queue
using
the
alias
queue
name.
This
will
result
in
the
message
being
either
signed
or
signed
and
encrypted
based
on
the
quality
of
protection
setting.
If
it
attempts
to
get
the
message
using
the
SYSTEM
queue
name
instead
of
the
alias
queue
name,
the
Subscriber
will
fail,
because
messages
to
or
from
SYSTEM
queues
are
not
intercepted
by
Tivoli
Access
Manager
for
Business
Integration.
Workaround:
The
quality
of
protection
for
such
queues
must
be
set
to
None
so
that
quality
of
protection
is
consistent
during
MQPUT
and
MQGET
operations.
Note:
This
problem
also
applies
to
the
C
Client
Interceptor
and
to
the
JMS
Interceptor.
Support
for
Distribution
Lists
(17094)
Problem:
A
user
can
send
IBM
WebSphere
MQ
messages
by
using
a
distribution
list,
whereby
a
message
is
sent
to
multiple
queues.
Tivoli
Access
Manager
for
Business
Integration,
Version
5.1
does
not
support
this
feature.
Workaround:
None
Note:
This
problem
also
applies
to
the
C
Client
Interceptor.
Subscriber
Queues
Cannot
Be
Dynamic
Queues
When
Quality
of
Protection
Is
Set
to
Privacy
(18794)
Problem:
In
the
Publisher/Subscriber
model,
IBM
WebSphere
MQ
allows
a
subscriber
application
to
create
a
dynamic
queue
from
a
model
queue
as
a
response
queue.
This
dynamic
queue
name
is
then
sent
to
an
MQSeries
Broker
as
the
NameValueData
part
of
MQRFH2.
Because
recipients
are
attached
to
model
queues,
Tivoli
Access
Manager
for
Business
Integration
and
the
broker
cannot
determine
the
recipients
and
therefore
cannot
send
a
response
to
dynamic
queues.
Workaround:
Set
the
quality
of
protection
to
integrity
or
none
for
such
queues.
Support
for
MQRMH
Header
(17134)
Problem:
The
MQRMH
header
(reference
message
header)
is
used
in
conjunction
with
user-written
message
channel
exits
to
send
extremely
large
amounts
of
data
called
bulk
data
from
one
queue
manager
to
another.
The
difference
compared
to
normal
messaging
is
that
the
bulk
data
is
not
stored
on
a
queue;
instead,
only
a
reference
to
the
bulk
data
is
stored
on
the
queue.
This
reduces
the
possibility
of
MQ
resources
being
exhausted
by
a
small
number
of
extremely
large
messages.
Tivoli
Access
Manager
for
Business
Integration,
Version
5.1,
does
not
support
this
feature.
Workaround:
Set
the
quality
of
protection
to
none
on
queues
where
such
messages
would
be
sent.
Note:
This
problem
also
applies
to
the
C
Client
Interceptor.
16
IBM
Tivoli
Access
Manager
for
Business
Integration:
Release
Notes
Limited
Support
for
Report
Messages
(17098)
Problem:
The
MQMD
structure
contains
the
control
information
that
accompanies
the
application
data
when
a
message
travels
between
the
sending
and
receiving
applications.
The
structure
is
an
input/output
parameter
on
the
MQGET,
MQPUT,
and
MQPUT1
calls.
Applications
can
set
the
MsgType
field
of
the
MQMD
structure
to
MQMT_REPORT
and
receive
report
messages.
The
report
messages
could
be
of
type
Exceptions,
Expiration,
Confirm
on
arrival
(COA),
Confirm
on
delivery
(COD),
etc.
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
5.1,
does
not
support
any
report
messages
such
as
COA
and
COD,
because
they
are
sent
by
destination
queue
managers
and
not
by
the
receiving
applications.
Workaround:
Set
the
quality
of
protection
to
none
on
the
destination
queues
for
the
original
message
and
the
report
message.
Note:
This
problem
also
applies
to
the
C
Client
Interceptor.
Persistent
Messages
on
Queues
Problem:
Persistent
messages
on
queues
can
outlive
machine
reboots
and
application
shutdowns.
These
messages
have
been
put
on
the
queue
with
no
protection
or
a
protection
level
of
integrity
or
privacy
depending
on
the
QOP
setting
in
the
protected
object
policy
for
the
queue.
Users
are
cautioned
against
raising
the
QOP
level
on
persistent
queues
while
there
are
messages
on
them,
or
more
generally,
while
they
are
being
used
by
applications
for
the
following
reason:
if
the
messages
on
the
queue
are
protected
with
a
QOP
of
integrity
or
none,
changing
the
QOP
on
the
queue
to
privacy
will
cause
MQGET
to
fail
with
a
QOP
mismatch
error.
The
undelivered
message
will
be
sent
to
the
dead
letter
queue.
Workaround:
If
you
want
to
raise
the
protection
level
on
a
queue,
you
have
the
following
two
options:
v
Stop
the
application,
clear
the
queue
using
the
MQSC
command
CLEAR
and
then
change
the
QOP
setting
in
the
protected
object
policy
for
the
queue.
–
Run
pdmqd
-update
to
update
the
QOP
in
the
Tivoli
Access
Manager
for
Business
Integration
server
and
restart
the
application.
Attention:
In
this
case,
you
lose
all
the
persistent
messages
that
remained
on
the
queue
when
the
application
was
stopped.
v
Make
sure
that
all
the
messages
on
the
queue
are
retrieved
using
the
same
or
lower
QOP.
–
When
all
the
persistent
messages
are
retrieved,
you
can
change
the
QOP.
–
Stop
the
application
and
change
the
QOP
in
the
protected
object
space
for
the
queue.
–
Run
pdmqd
-update
to
update
the
QOP
in
the
Tivoli
Access
Manager
for
Business
Integration
server
and
restart
the
application.
(In
this
case,
the
messages
in
the
queue
are
delivered
to
the
recipients
and
there
is
no
loss
of
data.
However,
the
feasibility
of
this
option
depends
on
your
control
on
the
application.)
Note:
This
problem
also
applies
to
the
C
Client
Interceptor.
Very
Large
Messages
May
Cause
a
GSKit
Error
Message
on
AIX
(18799)
Problem:
On
AIX,
IBM
Tivoli
Access
Manager
for
Business
Integration
applications
attempting
to
perform
an
MQPUT
of
a
very
large
message
may
cause
a
GSKit
Chapter
3.
Known
Problems
and
Workarounds
17
error
message.
This
is
due
to
a
limitation
in
the
current
version
of
GSKit.
This
limitation
is
applicable
even
when
the
MAXMSGL
parameter
of
a
queue
manager
and
a
queue
is
set
to
a
limit
that
is
higher
than
the
message
size.
When
the
quality
of
protection
was
set
to
integrity
in
the
test
lab,
the
largest
message
that
could
be
successfully
put
on
a
message
queue
was
approximately
16
MB.
Similarly,
when
the
quality
of
protection
was
set
to
privacy,
the
largest
message
that
could
be
successfully
put
on
a
message
queue
was
approximately
8
MB.
The
maximum
message
limit
may
vary
on
end
user
machines.
Workaround:
The
following
might
alleviate
the
problem.
Update
the
system
limits
to
the
maximum
allowed.
Modify
the
/etc/environment
to
contain
the
following
line.
LDR_CNTRL=MAXDATA=0x80000000
After
this
change,
start
the
system
again.
Note:
This
problem
also
applies
to
the
C
Client
Interceptor.
Do
Not
Use
Remote
Administration
Interface
to
Browse
Protected
Queues
Problem:
The
MQ
remote
administration
interface
enables
you
to
manage
remote
MQ
systems
and
perform
various
kinds
of
administrative
tasks,
such
as
adding
and
deleting
queues,
and
browsing
messages
in
a
particular
queue.
The
remote
administration
is
done
by
sending
MQ
programmable
command
format
(PCF)
messages
to
the
remote
queue
manager’s
SYSTEM.ADMIN.COMMAND.QUEUE.
The
remote
queue
manager’s
command
server
performs
the
task
requested
in
the
PCF
message
and
sends
back
the
result.
The
authorization
model
of
remote
administration
is
based
on
OAM,
and
the
authentication
is
based
on
the
user
ID
passed
from
the
PCF
message.
Workaround:
You
should
use
remote
administration
cautiously,
because
the
authentication
is
weak,
and
there
is
no
data
protection
for
the
PCF
messages
and
response
messages.
If
you
use
the
remote
administration
interface
to
browse
a
protected
queue,
you
will
receive
messages
in
protected
format,
because
the
remote
queue
manager’s
command
server
will
not
unprotect
the
message
on
your
behalf.
MQSI
Broker
2.1
on
Solaris:
mqsistop
-i
Fails
to
Stop
bipbroker
and
bipservice
Processes
Because
of
C
Runtime
Incompatibilities
(38520)
Problem:
On
Solaris
systems,
when
IBM
WebSphere
MQ
Event
Broker,
Version
2.1
and
IBM
Tivoli
Access
Manager
for
Business
Integration
Server
Interceptor
are
enabled,
mqsistop
does
not
stop
the
bipbroker
and
bipservice
processes.
The
command
ps
-ef|grep
’broker
name’
shows
that
bipbroker
and
bipservice
processes
are
still
running.
A
subsequent
mqsistart
fails.
The
likely
cause
is
incompatibility
in
C
runtime
libraries.
Workaround:
To
force
the
termination
of
the
bipbroker
and
bipservice
processes,
use
the
UNIX
command
kill
-9
and
specify
the
PIDs
obtained
from
using
the
command
18
IBM
Tivoli
Access
Manager
for
Business
Integration:
Release
Notes
ps
-ef|grep
’broker
name’
Server
Interceptor:
Shared
Connections
not
Supported
(33163,
33164,
WMQ
74060)
Problem:
Due
to
limitations
in
IBM
WebSphere
MQ,
IBM
Tivoli
Access
Manager
for
Business
Integration
Server
Interceptor
cannot
support
shared
connections
in
multi-threaded
applications
(shared
connections
are
connection
handles
used
by
multiple
threads).
This
IBM
WebSphere
MQ
feature
is
relatively
new,
and
no
major
IBM
WebSphere
MQ
applications
use
it.
Note
that
non-shared
connections
in
multi-threaded
applications
are
supported
and
that
shared
connections
are
supported
on
IBM
WebSphere
MQ
clients.
Workaround:
None
at
this
time.
IBM
WebSphere
MQ
Workflow
3.4
Client
with
Windows
Might
Display
Access
Violations
(43695)
Problem:
When
using
IBM
WebSphere
MQ
Workflow
3.4
Client
on
Windows
with
server
APIs,
you
might
see
″Access
Violation″
errors
in
IBM
WebSphere
MQ
logs.
Note
that
the
workflow
processes
will
complete
to
execution.
Workaround:
These
messages
can
be
safely
ignored.
Socket
Errors
in
IBM
WebSphere
MQ
Workflow
3.4
Client
on
Windows
when
Auditing
Is
Set
to
Maximum
or
to
Include
Admin
Problem:
On
Windows,
when
IBM
WebSphere
MQ
Workflow
3.4
Client
is
running
using
server
APIs
with
the
auditing
level
set
to
all
or
to
include
admin,
you
might
see
socket
errors.
The
errors
are
displayed
in
the
logs
for
workflow
programs.
DRQDM1816E
IBM
Tivoli
Access
Manager
for
Business
Integration
internal
error:
Socket
could
not
be
created.
OS
error
(10093)
Workaround:
These
messages
can
be
safely
ignored.
As
an
alternative,
setting
audit
level
to
not
include
admin
eliminates
this
problem.
Failure
to
Get
the
Recipient
Certificate
from
the
LDAP
Server,
Error
Code
81
(44385)
Problem:
The
IBM
Tivoli
Access
Manager
for
Business
Integration
server
might
get
LDAP
error
code
81.
This
error
occurs
when
you
are
trying
to
get
a
recipient
certificate
that
is
stored
in
the
LDAP
registry.
The
following
message
is
logged
in
the
msg__pdmqd-pid.log
file:
DRQDD0230E
IBM
Tivoli
Access
Manager
for
Business
Integration
Server
could
not
find
directory
entry
for
user
<user
DN>.LDAP
error
code
81.
Workaround:
This
might
happen
because
the
LDAP
server
was
temporarily
unavailable.
Once
the
connection
is
broken,
the
IBM
Tivoli
Access
Manager
for
Business
Integration
server
cannot
automatically
rebind
to
the
LDAP
server.
Start
the
IBM
Tivoli
Access
Manager
for
Business
Integration
server
again.
JMS
Interceptor
The
following
problems
apply
to
the
JMS
Interceptor.
Chapter
3.
Known
Problems
and
Workarounds
19
JMS
Interceptor
Fails
When
Duplicate
Q-Recipients
Are
Specified
on
the
Policy
(43899)
Problem:
The
JMS
Interceptor
fails
to
retrieve
the
recipient
certificates
when
duplicate
Q-recipients
are
specified
on
the
protected
object
space.
Workaround:
Make
sure
that
no
duplicate
Q-recipients
are
specified
for
any
protected
object,
for
instance
Queue.
Privacy
Protection
Is
Not
Available
to
Some
Dynamic
Queues
For
the
explanation
of
this
problem,
see
“Server
Interceptor”
on
page
15
Setting
the
Quality
of
Protection
for
an
Alias
Queue
Referring
to
a
SYSTEM
Queue
(19546)
For
the
explanation
of
this
problem,
see
“Server
Interceptor”
on
page
15
IBM
WebSphere
InterChangeServer
on
Solaris
or
AIX
Must
Have
Cache
Refresh
Interval
of
20000000
Problem:
On
Solaris
or
AIX
platforms,
when
you
are
running
IBM
WebSphere
InterChangeServer
with
IBM
Tivoli
Access
Manager
for
Business
Integration
JMS
Interceptor,
you
might
see
access
denied
error
messages.
This
might
be
due
to
the
server
cache
refresh
interval
setting
of
3600.
Workaround:
In
the
pdmq
stanza
in
the
pdmq_install_path/etc/pdmqazn.conf
file,
set
the
pdmq-cache-interval
to
20000000
seconds.
If
the
cache
requires
updating
before
the
time
expires,
you
must
run
pdmqd
-update
to
refresh
the
cache.
C
Client
Interceptor
The
following
problems
apply
to
the
C
Client
Interceptor.
MQPUT
Is
Not
Allowed
When
One
or
More
of
the
Q-Recipients
Is
Using
an
Expired
Certificate
For
the
explanation
of
this
problem,
see
“Server
Interceptor”
on
page
15.
Privacy
Protection
Is
Not
Available
to
Some
Dynamic
Queues
For
the
explanation
of
this
problem,
see
“Server
Interceptor”
on
page
15.
Setting
the
Quality
of
Protection
for
an
Alias
Queue
Referring
to
a
SYSTEM
Queue
(19546)
For
the
explanation
of
this
problem,
see
“Server
Interceptor”
on
page
15.
Support
for
MQRMH
Header
(17134)
For
the
explanation
of
this
problem,
see
“Server
Interceptor”
on
page
15.
Persistent
Messages
on
Queues
For
the
explanation
of
this
problem,
see
“Server
Interceptor”
on
page
15.
20
IBM
Tivoli
Access
Manager
for
Business
Integration:
Release
Notes
IBM
Tivoli
Access
Manager
for
Business
Integration
Server
The
following
problems
apply
to
the
IBM
Tivoli
Access
Manager
for
Business
Integration
Server.
Listening
Mode
Might
Prevent
the
Server
from
Getting
Updates
from
the
Policy
Server
Problem:
The
IBM
Tivoli
Access
Manager
for
Business
Integration
server
is
configured
to
listen
on
port
9898
to
receive
updates
from
the
Tivoli
Access
Manager
policy
server.
If
port
9898
is
in
use
by
another
application,
the
server
will
not
receive
any
updates.
Also,
if
either
the
client
or
the
IBM
Tivoli
Access
Manager
server
is
behind
a
firewall
and
port
9898
is
blocked,
the
server
will
not
receive
any
updates.
Workaround:
If
port
9898
is
in
use
by
another
application,
replace
9898
with
an
available
port
number
in
the
following
entry
within
the
pdmq_install_path\etc\pdmqazn.conf
file:
ssl-listening-port
=
9898
Restart
the
Tivoli
Access
Manager
for
Business
Integration
server.
If
all
of
the
available
port
numbers
are
blocked
by
a
firewall,
ask
your
administrator
to
open
a
port
for
you.
If
opening
an
additional
port
is
not
an
option,
you
must
reconfigure
the
Tivoli
Access
Manager
for
Business
Integration
server
to
use
the
polling
mode.
Enter
the
following
commands
to
switch
to
polling
mode:
svrsslcfg
–unconfig
–f
pdmq_install_path\etc\pdmqazn.conf
–n
pdmqazn
–A
access_manager_admin_ID
-P
access_manager_admin_password
svrsslcfg
–config
–f
pdmq_install_path\etc\pdmqazn.conf
–d
pdmq_install_path\keytab
–n
pdmqazn
–s
local
–A
access_manager_admin_ID
-P
access_manager_admin_password
-r
0
Specify
a
user
password
for
the
server
and
press
Enter.
Then
restart
the
Tivoli
Access
Manager
for
Business
Integration
server
so
that
it
will
pick
up
the
changes
in
the
configuration
file.
The
Tivoli
Access
Manager
for
Business
Integration
Server
Might
Fail
If
System
Resources
Are
Insufficient
Problem:
The
lack
of
sufficient
resources
causes
IBM
Tivoli
Access
Manager
for
Business
Integration
to
fail.
Workaround:
You
must
monitor
the
IBM
Tivoli
Access
Manager
for
Business
Integration
server
for
resource
consumption.
If
the
IBM
Tivoli
Access
Manager
for
Business
Integration
server
fails,
free
enough
resources
for
the
server
to
run
correctly,
and
restart
the
server.
Tools
The
following
problems
apply
to
the
pdmqzchk
tool.
Message
When
Certificate’s
DN
Is
Not
Restricted
to
LDAP
Attributes
CN,
OU,
and
O
Problem:
The
pdmqzchk
tool
issues
messages
when
the
certificate’s
distinguished
name
(DN)
does
not
restrict
itself
to
LDAP
attributes
CN,
OU,
and
O.
The
message
Chapter
3.
Known
Problems
and
Workarounds
21
is
issued
although
the
DN
might
exist
in
LDAP.
The
pdmqzchk
message
issued
is
DRDQZ3618E.
The
message
text
is
similar
to
the
following:
DRQDZ3618E
The
program
could
NOT
find
PKI
label
’AMBI
Verisign
Cert2’.
DN
’CN=AMBI
Verisign
Cert2,OU=Security
and
Privacy
Practice
USC
Test
CA;O=IBM’
mapped
to
an
IBM
Tivoli
Access
Manager
for
e-business
user
in
LDAP.
Workaround:
If
the
certificate
DN
exists
in
LDAP,
ignore
the
pdmqzchk
message.
For
more
information
on
certificates
stored
in
LDAP,
see
the
IBM
Tivoli
Access
Manager
for
Business
Integration
Administration
Guide.
pdmqzchk
Error
Message
(41450)
Problem:
The
pdmqzchk
tool
correctly
issues
messages
when
the
key
database
(KDB)
file
specified
in
the
map.conf
file
canot
be
opened.
Messages
such
as
the
following
are
issued:
DRQDZ3610E
PKI
Sender
label
’ca7d938d22fe728fb85b650bd5996_a798e3dc-d441-4a’
is
not
found
in
KDB
file
’/pdmq/keyfile/ambiu1.kdb’.
GSKIT
return
code
117.
DRQDZ3609E
The
program
cannot
open
KDB
file
’/pdmq/keyfile/ambiu1.kdb’
GSKIT
return
code
101.
Workaround:
Make
sure
that
the
KDB
file
specified
in
the
map.conf
file
exists,
and
update
the
map.conf
file
with
the
correct
path
to
the
valid
KDB
file,
if
necessary.
IBM
Global
Security
Tool
Kit
(GSKit)
iKeyman
The
following
problems
relate
to
using
GSKit.
gsk7ikm
Fails
to
Export
from
JKS
to
CMS
Keystores
(41935)
Problem:
You
might
experience
problems
using
iKeyman
to
export
a
certificate
from
a
JKS
keystore
type
into
a
CMS
keystore
type.
In
this
case,
it
is
recommended
that
you
use
the
import
function,
by
importing
the
certificate
into
the
CMS
keystore
from
the
JKS
keystore.
Workaround:
None
Misleading
Message
Exporting
Between
Keystores
with
gsk7ikm
Problem:
When
you
use
iKeyman
to
export
a
key
or
a
certificate,
a
misleading
message
is
displayed
warning
you
that
the
target
keystore
will
be
replaced.
However,
no
destructive
action
will
be
performed
against
the
keystore,
and
the
key
or
certificate
will
be
added
correctly
if
the
Replace
button
is
clicked.
Workaround:
None
22
IBM
Tivoli
Access
Manager
for
Business
Integration:
Release
Notes
Chapter
4.
Additional
Guidelines
for
Use
Here
are
some
additional
guidelines
for
running
IBM
Tivoli
Access
Manager
for
Business
Integration,
Version
5.1:
v
On
Windows
platforms,
there
is
not
a
monitor
process
for
the
IBM
Tivoli
Access
Manager
for
Business
Integration
server.
So,
if
it
fails,
it
will
not
restart
automatically,
as
it
does
on
UNIX
platforms.
Restart
the
IBM
Tivoli
Access
Manager
for
Business
Integration
server
manually
using
the
Windows
Services
panel.
v
The
system
administrator
must
set
the
limit
on
the
number
of
maximum
file
descriptors
per
process
to
be
at
least
255.
This
higher
limit
might
be
needed
for
the
IBM
Tivoli
Access
Manager
for
Business
Integration
server
as
well
as
for
other
IBM
WebSphere
MQ
processes.
Refer
to
the
UNIX
shell
command
ulimit
for
further
details.
v
If
you
run
IBM
Tivoli
Access
Manager
for
Business
Integration
on
a
single
system
that
hosts
all
components
(IBM
Tivoli
Access
Manager,
Lightweight
Directory
Access
Protocol
Directory
(LDAP),
DB2®,
and
IBM
Tivoli
Access
Manager
Web
Portal
Manager),
you
must
manually
restart
the
IBM
WebSphere
Application
Server
and
LDAP
after
you
reboot
the
system.
v
On
the
Sun
Solaris
platform,
the
operating
system
puts
a
limit
of
512
bytes
on
the
group
line
in
/etc/group
file.
If
there
is
an
attempt
to
add
a
user
to
the
group
that
might
cause
the
group
entry
to
exceed
512
bytes,
the
operating
system
issues
a
warning
and
causes
the
usermod
command
to
fail.
The
installation
of
IBM
Tivoli
Access
Manager
for
Business
Integration,
using
pkgadd,
involves
creating
new
users
and
adding
them
to
the
mqm
group.
If
the
mqm
group
entry
in
the
/etc/group
file
is
close
to
its
limit
(512
bytes),
the
installation
of
IBM
Tivoli
Access
Manager
for
Business
Integration
can
cause
it
to
overflow.
The
pkgadd
utility
finishes
successfully,
but
the
Tivoli
Access
Manager
for
Business
Integration
installation
is
not
complete
and
therefore
is
not
usable.
Workaround:
To
remedy
this
situation
or
as
a
preventive
measure,
ensure
that
the
group
entry
does
not
exceed
the
limit.
To
achieve
this,
manually
edit
the
/etc/group
file
and
split
long
group
lines
into
multiple
lines
with
the
same
group
name
and
ID
but
with
different
users.
Then
add
a
new
user
to
a
group
by
manually
editing
the
entry
or
by
using
the
usermod
command,
which
adds
the
user
to
each
line
for
that
group.
v
The
configuration
wizard
and
interactive
login
program,
which
are
included
with
IBM
Tivoli
Access
Manager
for
Business
Integration
on
the
Windows
platform,
are
accessibility-enabled
for
users.
Alternative
keyboard
actions
are
provided
for
all
graphical
user
interface
operations
based
on
the
operating
system
defaults.
IBM
Tivoli
Access
Manager
for
Business
Integration
does
not
interfere
with
the
accessibility
features
built
into
the
operating
system.
v
The
pdmq-cache-interval
value
in
pdmq_install_path\pdmqazn.conf
file
determines
the
duration
in
which
the
IBM
Tivoli
Access
Manager
for
Business
Integration
server
cache
gets
updated.
This
parameter
is
commented
out
in
the
configuration
file.
On
Windows,
the
default
value
for
this
parameter
is
20000000
and
on
UNIX
platforms,
this
defaults
to
3600
seconds.
On
Windows,
if
the
audit-level
is
set
to
all,
then
it
is
recommended
that
the
pdmq-cache-interval
must
be
equal
to
or
greater
than
20000000
seconds.
If
the
cache
needs
to
be
updated
due
to
policy
changes,
then
pdmqd
-update
command
must
be
run
in
order
for
the
new
policy
changes
to
take
effect.
©
Copyright
IBM
Corp.
2001,
2003
23
v
Before
deleting
and
re-creating
an
IBM
WebSphere
MQ
queue
manager,
first
remove
the
queue
manager
from
the
IBM
Tivoli
Access
Manager
protected
object
space.
24
IBM
Tivoli
Access
Manager
for
Business
Integration:
Release
Notes
Appendix.
Notices
This
information
was
developed
for
products
and
services
offered
in
the
U.S.A.
IBM
may
not
offer
the
products,
services,
or
features
discussed
in
this
document
in
other
countries.
Consult
your
local
IBM
representative
for
information
on
the
products
and
services
currently
available
in
your
area.
Any
reference
to
an
IBM
product,
program,
or
service
is
not
intended
to
state
or
imply
that
only
that
IBM
product,
program,
or
service
may
be
used.
Any
functionally
equivalent
product,
program,
or
service
that
does
not
infringe
any
IBM
intellectual
property
right
may
be
used
instead.
However,
it
is
the
user’s
responsibility
to
evaluate
and
verify
the
operation
of
any
non-IBM
product,
program,
or
service.
IBM
may
have
patents
or
pending
patent
applications
covering
subject
matter
described
in
this
document.
The
furnishing
of
this
document
does
not
give
you
any
license
to
these
patents.
You
can
send
license
inquiries,
in
writing,
to:
IBM
Director
of
Licensing
IBM
Corporation
North
Castle
Drive
Armonk,
NY
10504-1785
U.S.A.
For
license
inquiries
regarding
double-byte
(DBCS)
information,
contact
the
IBM
Intellectual
Property
Department
in
your
country
or
send
inquiries,
in
writing,
to:
IBM
World
Trade
Asia
Corporation
Licensing
2-31
Roppongi
3-chome,
Minato-ku
Tokyo
106,
Japan
The
following
paragraph
does
not
apply
to
the
United
Kingdom
or
any
other
country
where
such
provisions
are
inconsistent
with
local
law:
INTERNATIONAL
BUSINESS
MACHINES
CORPORATION
PROVIDES
THIS
PUBLICATION
″AS
IS″
WITHOUT
WARRANTY
OF
ANY
KIND,
EITHER
EXPRESS
OR
IMPLIED,
INCLUDING,
BUT
NOT
LIMITED
TO,
THE
IMPLIED
WARRANTIES
OF
NON-INFRINGEMENT,
MERCHANTABILITY
OR
FITNESS
FOR
A
PARTICULAR
PURPOSE.
Some
states
do
not
allow
disclaimer
of
express
or
implied
warranties
in
certain
transactions,
therefore,
this
statement
may
not
apply
to
you.
This
information
could
include
technical
inaccuracies
or
typographical
errors.
Changes
are
periodically
made
to
the
information
herein;
these
changes
will
be
incorporated
in
new
editions
of
the
publication.
IBM
may
make
improvements
and/or
changes
in
the
product(s)
and/or
the
program(s)
described
in
this
publication
at
any
time
without
notice.
Any
references
in
this
information
to
non-IBM
Web
sites
are
provided
for
convenience
only
and
do
not
in
any
manner
serve
as
an
endorsement
of
those
Web
sites.
The
materials
at
those
Web
sites
are
not
part
of
the
materials
for
this
IBM
product
and
use
of
those
Web
sites
is
at
your
own
risk.
IBM
may
use
or
distribute
any
of
the
information
you
supply
in
any
way
it
believes
appropriate
without
incurring
any
obligation
to
you.
©
Copyright
IBM
Corp.
2001,
2003
25
Licensees
of
this
program
who
wish
to
have
information
about
it
for
the
purpose
of
enabling:
(i)
the
exchange
of
information
between
independently
created
programs
and
other
programs
(including
this
one)
and
(ii)
the
mutual
use
of
the
information
which
has
been
exchanged,
should
contact:
IBM
Corporation
2Z4A/101
11400
Burnet
Road
Austin,
TX
78758
U.S.A.
Such
information
may
be
available,
subject
to
appropriate
terms
and
conditions,
including
in
some
cases,
payment
of
a
fee.
The
licensed
program
described
in
this
document
and
all
licensed
material
available
for
it
are
provided
by
IBM
under
terms
of
the
IBM
Customer
Agreement,
IBM
International
Program
License
Agreement
or
any
equivalent
agreement
between
us.
Any
performance
data
contained
herein
was
determined
in
a
controlled
environment.
Therefore,
the
results
obtained
in
other
operating
environments
may
vary
significantly.
Some
measurements
may
have
been
made
on
development-level
systems
and
there
is
no
guarantee
that
these
measurements
will
be
the
same
on
generally
available
systems.
Furthermore,
some
measurement
may
have
been
estimated
through
extrapolation.
Actual
results
may
vary.
Users
of
this
document
should
verify
the
applicable
data
for
their
specific
environment.
Information
concerning
non-IBM
products
was
obtained
from
the
suppliers
of
those
products,
their
published
announcements
or
other
publicly
available
sources.
IBM
has
not
tested
those
products
and
cannot
confirm
the
accuracy
of
performance,
compatibility
or
any
other
claims
related
to
non-IBM
products.
Questions
on
the
capabilities
of
non-IBM
products
should
be
addressed
to
the
suppliers
of
those
products.
All
statements
regarding
IBM’s
future
direction
or
intent
are
subject
to
change
or
withdrawal
without
notice,
and
represent
goals
and
objectives
only.
This
information
contains
examples
of
data
and
reports
used
in
daily
business
operations.
To
illustrate
them
as
completely
as
possible,
the
examples
include
the
names
of
individuals,
companies,
brands,
and
products.
All
of
these
names
are
fictitious
and
any
similarity
to
the
names
and
addresses
used
by
an
actual
business
enterprise
is
entirely
coincidental.
Trademarks
The
following
terms
are
trademarks
or
registered
trademarks
of
International
Business
Machines
Corporation
in
the
United
States,
other
countries,
or
both:
AIX
DB2
IBM
IBMLink
IBM
logo
MQseries
Tivoli
26
IBM
Tivoli
Access
Manager
for
Business
Integration:
Release
Notes
Tivoli
logo
WebSphere
xSeries
Microsoft,
Windows,
Windows
NT,
and
the
Windows
logo
are
trademarks
of
Microsoft
Corporation
in
the
United
States,
other
countries,
or
both.
Java
and
all
Java-based
trademarks
and
logos
are
trademarks
or
registered
trademarks
of
Sun
Microsystems,
Inc.
in
the
United
States
and
other
countries.
UNIX
is
a
registered
trademark
of
The
Open
Group
in
the
United
States
and
other
countries.
Other
company,
product,
or
service
names
may
be
trademarks
or
service
marks
of
others.
Appendix.
Notices
27
28
IBM
Tivoli
Access
Manager
for
Business
Integration:
Release
Notes
����
Printed
in
USA
GI11-0957-01