T l Access Manager e-business

Tivoli® Access Manager for e-business

Release Notes

Version 6.1

GC23-6501-00

��

Tivoli® Access Manager for e-business

Release Notes

Version 6.1

GC23-6501-00

��

Note

Before using this information and the product it supports, read the information in “Notices” on page 53.

Edition notice

This edition applies to version 6, release 1 of IBM Tivoli Access Manager (product number 5724-C08) and to all

subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2005, 2008. All rights reserved.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract

with IBM Corp.

Contents

Chapter 1. About this release . . . . . 1

New features for base and other components . . . 1

New WebSEAL features . . . . . . . . . . 2

New Session Management Server (SMS) features . . 3

New Plug-in for Web Servers features . . . . . . 4

Versions added or removed for this release . . . . 4

Software download page for Tivoli Access Manager . 6

Backward compatibility . . . . . . . . . . . 6

Backward compatibility with previous Web ADK

versions . . . . . . . . . . . . . . . 7

Product compatibility . . . . . . . . . . . 7

Chapter 2. Installation, configuration,

upgrade, and migration information . . . 9

Operating systems . . . . . . . . . . . . 10

Supported operating systems and required

patches . . . . . . . . . . . . . . . 10

Tivoli Access Manager components by operating

systems . . . . . . . . . . . . . . . 24

Web application servers supported by operating

systems . . . . . . . . . . . . . . . . 26

IBM WebSphere servers . . . . . . . . . 26

Single or cluster IBM WebSphere Application Server 27

Session Management Server on IBM WebSphere

Application Server . . . . . . . . . . . 27

Web Portal Manager on IBM WebSphere

Application Server . . . . . . . . . . . 27

Software requirements . . . . . . . . . . . 28

Tivoli Access Manager software prerequisites . . 28

Tivoli Access Manager supported Web browsers 29

Installation and configuration notes . . . . . . 30

Upgrade notes . . . . . . . . . . . . . 30

Supported registries . . . . . . . . . . . 30

IBM Tivoli Directory Server . . . . . . . . 30

IBM z/OS LDAP Server . . . . . . . . . 32

IBM Lotus Domino Server . . . . . . . . 32

Microsoft Active Directory Application Mode

(ADAM) . . . . . . . . . . . . . . 33

Microsoft Active Directory . . . . . . . . 33

Novell eDirectory . . . . . . . . . . . 33

Sun Java System Directory Server . . . . . . 33

Disk space requirements . . . . . . . . . . 35

Memory requirements . . . . . . . . . . . 37

Chapter 3. Internationalization notes . . 39

Chapter 4. Uninstallation information 41

Chapter 5. Known limitations,

problems, and workarounds . . . . . 43

Limitations, known problems and workarounds . . 43

Chapter 6. Deprecated items . . . . . 47

Chapter 7. Documentation updates . . 49

Chapter 8. Contacting software support 51

Notices . . . . . . . . . . . . . . 53

Trademarks . . . . . . . . . . . . . . 55

© Copyright IBM Corp. 2005, 2008 iii

iv Release Notes

Chapter 1. About this release

IBM Tivoli Access Manager for e-business (Tivoli Access Manager) version 6.1 builds on previous

versions of Tivoli Access Manager and IBM® SecureWay® Policy Director to provide a complete

authentication and authorization solution for corporate e-business environments.

New features for base and other components

New features for base and other components in this release include:

Active Directory Application Mode (ADAM) support

Tivoli® Access Manager supports the use of Microsoft® Active Directory Application Mode

(ADAM) as a user registry.

Password change using LDAP APIs supported in Active Directory

When using an Active Directory user registry in a Tivoli Access Manager configuration with

blade servers that use LDAP APIs to communicate with the Active Directory server, Access

Manager supports user password change requests using either the Policy Server or LDAP APIs.

Change user password requests using the LDAP APIs do not require the Policy Server to be

up-and-running.

Active Directory alternate user principal name support

Tivoli Access Manager supports the use of an email address or other alternate format of the

userPrincipalName attribute of the Active Directory registry user object as a Tivoli Access

Manager user identity. This is an optional enhancement; when it is enabled, both the default and

the email address or other alternate format of the userPrincipalName can coexist in the Tivoli

Access Manager environment.

Multiple Tivoli Access Manager configurations on a single LDAP server

Provides the ability to specify the name of the management domain and the location for the

Access Manager management domain metadata within the LDAP server Directory Information

Tree (DIT). This ability allows support for multiple, concurrent Access Manager configurations

using the same LDAP server.

Tivoli Common Reporting used as Tivoli Access Manager audit (CARS) reporting mechanism

Tivoli Access Manager Version 6.1 uses Tivoli Common Reporting and the Business Intelligence

Reporting Tool (BIRT) to generate, format, view, and print report data. BIRT replaces report

functionality that required third-party Crystal licenses. Tivoli Common Reporting integrates

open-source reporting interfaces into a common tool that provides a consistent appearance across

Tivoli applications, and improves the quality of the report content.

Configurable option to provide a suffix to search for Tivoli Access Manager domain information

Provides a suffix under which the secAuthorityInfo object is located; this parameter serves as a

starting search location for the secAuthorityInfo object when Tivoli Access Manager is started. If

this parameter is set, the specified suffix will be searched first to locate the secAuthorityInfo

object for the domain. If this parameter is not set, or if the secAuthorityInfo object is not located

within the suffix specified by the parameter, then the entire set of suffixes will be searched.

Default maximum age for cache entries

A new configuration option was added to provide the ability to specify a default maximum age

based on mime-type for cache entries when a cached response is missing expiry information.

Session fixation prevention

Enhances security to prevent session fixation attacks.

Web Portal Manager implemented as a plug-in to the IBM Integrated Solutions Console.

The Web Portal Manager is implemented as a plug-in to the IBM Integrated Solutions Console.

© Copyright IBM Corp. 2005, 2008 1

The Integrated Solutions Console is a graphical administration console that provides a framework

for administering multiple products. For example, your console enables you to administer Tivoli

Access Manager and WebSphere® Application Server. Web Portal Manager is not installed as part

of the Tivoli Access Manager runtime. To use Web Portal Manager, you must install it separately.

The Integrated Solutions Console is automatically installed when you install WebSphere

Application Server.

Number of LDAP handles opened per Active Directory domain configurable

The ability to configure the number of LDAP handles opened per Active Directory domain

provides the flexibility to change to a number that fits your environment.

New configuration option allows NamingContext searching for Novell eDirectory

The novell-suffix-search-enabled option was added to the [ldap] stanza for ldap.conf in the

configuration file to allow naming context searches when Novell eDirectory is used as the user

registry. The value of the option determines whether to search the entire directory namespace for

user, group, and policy information using a global root search or to automatically determine the

set of naming contexts hosted by the LDAP server and search each defined naming context

individually for user, group, and policy information.

Configurable option for TAM to return registry stored IDs instead of keyed in value IDs

New configurable options, cache-return-registry-id and uraf-return-registry-id, were

introduced to allow Tivoli Access Manager to return the user ID in the same case as the

registry-stored value rather than the user keyed-in user ID value.

New WebSEAL features

Application Response Measurement (ARM) Enablement

Enables WebSEAL to dynamically load the ARM API library and report significant transactions,

pass on transaction correlators to junctions and CGI, and optionally accept correlators from

clients.

Single-signoff enhancements for eCSSO

Design changes ensure that all hosts use the master authentication server (MAS) for vouch-for

requests, which allows customers to track them and log them all out. Authentication failures are

no longer redirected back to the requesting host, but are instead handled at the MAS. These

additional options in WebSEAL enable customers to implement their own single-signoff solutions

for e-Community Single Sign On (eCSSO).

Junction local address binding

A new option was added to the server task create command to specify the local IP address over

which WebSEAL will communicate with the junctioned back-end server.

Online Certificate Status Protocol (OCSP) Enablement

WebSEAL includes additional configuration settings that allow administrators to enable GSKit

OCSP support for client-to-WebSEAL and WebSEAL-to-junction SSL connections. The WebSEAL

options directly correspond to nine new GSKit options.

WebSEAL: Improved integration with Session Management Server (SMS)

Changes to session state information, including new configuration stanzas for clustered

environments. Multiple Session Management Server instances may now be configured allowing

for load balancing and automatic failover/recovery.

WebSEAL separate certificate key store

This feature enables WebSEAL to be configured with a separate key store, and thus a separate list

of trusted CA signer certificates, for junctioned SSL server certificate validation.

WebSEAL Multi-domain support

Multiple instances of WebSEAL can be hosted on a single machine; each WebSEAL instance can

access a separate Tivoli Access Manager management domain.

2 Release Notes

WebSEAL Token service groundwork

Provides the infrastructure necessary for WebSEAL to consume Tivoli Federated Identity Manager

(TFIM) tokens, which allows SPNEGO single-signon for authenticated users to access

downstream applications.

Mismatching client protocol support

This feature provides additional WebSEAL configuration settings that specify the perceived

protocol and port of the TCP interface for client browsers. In this configuration, WebSEAL

behaves as if the browser were directly communicating using HTTPS even though requests are

being received via TCP.

Support alternate UPN for SPNEGO

To add support for the use of alternate User Principal Names (UPNs), a new configuration option

was added to WebSEAL allowing administrators to specify a list of mappings from Kerberos

realm names to user ID suffixes.

HttpOnly cookie support

This feature allows WebSEAL to be configured to add the HttpOnly attribute to the Set-Cookie

headers it uses for Sessions and Failover and to pass on the HttpOnly Set-Cookie header attribute

from back-end junction servers to browsers.

WebSEAL Miscellaneous auditing changes

This change is designed to minimize audit events for extraneous requests and responses. It

enables certain audit events to be filtered by MIME-type and by HTTP response code.

WebSEAL HTTP cookie authentication

This feature enhances the existing HTTP Header mechanism in WebSEAL to allow it to support

authentication using HTTP Cookies.

WebSEAL reauthentication at any level

WebSEAL now includes a configuration option that enables the administrator to specify whether

re-authentication is allowed to take place at a different authentication level and mechanism than

that which is currently held for the session. If enabled, the user can reauthenticate at a different

authentication level/mechanism with the same user ID; the authentication operation is allowed to

complete and the new credential replaces the old credential.

New Session Management Server (SMS) features

New Session Management Server features in this release include:

Configuration

GUI administration and configuration provided as a plug-in to the IBM Integrated Solutions

Console

Simplified administration using extended Integrated Solutions Console (ISC) GUI menu,

easily installed onto the WebSphere ISC. Session Management Server deployment can

now be handled through smscfg or the new Session Management Server ISC.

Command line configuration

The smscfg tool is now a console based Java™ application and does not require a GUI

display. GUI configuration of the Session Management Server is supported through the

new ISC extension.

Dynamic configuration

The Session Management Server application no longer requires a restart within

WebSphere in order to apply any configuration changes. These configuration updates are

now applied on-the-fly.

New pdsmsadmin command line

An alternative command line to pdadmin which simplifies SMS tasks and does not require full

integration with Tivoli Access Manager.

Chapter 1. About this release 3

Simplified fixpack upgrade management

New smscfg commands for installing and managing fix-pack upgrades.

Support for multiple instances

Multiple session management server installations (called instances) are now supported on a single

WebSphere Application Server. Each session management server instance can contain one or more

session realms, and each session realm can contain one or more replica sets. Using the session

management server administrative tools, you can easily view all available instances, deploy and

configure new instances, or swap from one instance to another to perform administrative tasks.

Session realm limits

You can now limit the maximum number of sessions for a particular session realm. Once the

maximum number of sessions has been reached, further session requests will be denied until the

number of sessions has dropped below the set threshold.

New Plug-in for Web Servers features

Session fixation prevention

Enhances security to prevent session fixation attacks.

HttpOnly cookie support

This feature allows WebSEAL to be configured to add the HttpOnly attribute to the Set-Cookie

headers it uses for Sessions and Failover and to pass on the HttpOnly Set-Cookie header attribute

from back-end junction servers to browsers.

Single-signoff enhancements for eCSSO

Design changes ensure that all hosts use the master authentication server (MAS) for vouch-for

requests, which allows customers to track them and log them all out. Authentication failures are

no longer redirected back to the requesting host, but are instead handled at the MAS. These

additional options enable customers to implement their own single-signoff solutions for

e-Community Single Sign On (eCSSO).

Improved integration with Session Management Server (SMS)

Changes to session state information, including new configuration stanzas for clustered

environments. Multiple Session Management Server instances may now be configured allowing

for load balancing and automatic failover/recovery.

HTTPOnly flag

Support for the HttpOnly flag (recognized by Internet Explorer version 6 and above) reduces the

risk of internal cookie information being exposed to client-side scripts.

Versions added or removed for this release

The following tables detail which versions have been added as supported and which versions are no

longer supported for this release.

Supported operating systems

Tivoli Access Manager supports updated versions of the following operating systems.

Operating systems Added this release Removed this release

AIX® None None

HP-UX 11iv3 11iv1

HP-UX on Integrity 11iv3 None

Linux® on x86 and Linux on x86_64 Red Hat Enterprise Linux

Server 5.0, SUSE LINUX

Enterprise 10

Red Hat Enterprise Linux 3.0,

SUSE LINUX Enterprise 8

4 Release Notes

Operating systems Added this release Removed this release

Linux on System z™ Red Hat Enterprise Linux


Enterprise 10



Linux on POWER™ Red Hat Enterprise Linux


Enterprise 10



Solaris None 8

Solaris on x86_64 None None

Windows® Windows Vista None

Supported user registries

Tivoli Access Manager supports updated versions of the following user registries:

User registries Added this release Removed this release

IBM Tivoli Directory Server 6.1 None, previous versions can

coexist with 6.1

Sun Java System Directory Server 6.1 None

SunOne Directory Server None None

IBM Lotus® Domino® Server 8.0 6.0.x

Microsoft Active Directory 6.0 5.0

Microsoft Active Directory Application

Mode (ADAM)

1.0 None

Novell eDirectory 8.8.x 8.6.2

z/OS® Security Server LDAP Server None None

z/OS Integrated Security Services

LDAP Server (ISS)

None None

IBM Tivoli Directory Server for z/OS 1.8 None


Upgrades to the supported prerequisite product versions

Tivoli Access Manager supports updated versions of prerequisite products. The Tivoli Access

Manager installation wizards include an integrated installation of the updated versions of the

prerequisite products.

Prerequisite products Added this release Removed this release

IBM Java Runtime 1.5.0 SR5 1.4.2 SR2

IBM WebSphere Application Server 6.1 6.0.2

Global Security Kit (GSKit) v HP-UX on Integrity: 7.0.4.12

v All other platforms: 7.0.4.11

7.0-3.17

IBM Tivoli Directory Server 6.1 None, previous versions can

coexist with 6.1

DB2 Universal Database™ Enterprise

Server Edition (DB2®)

9.1 8.1

Upgrades to the supported Web server product versions

Tivoli Access Manager supports updated versions of the following servers. These servers are not

provided with Tivoli Access Manager and must already be installed before installing Tivoli Access

Manager.

Platform Added this release Removed this release

Apache Web Server 2.0.x 1.3.x

IBM HTTP Server 6.0, 2.0.x and 1.3.x None

Microsoft Internet Information

Services (IIS)

6.0 None

Sun servers Sun Java System Web Server 7.0 SunONE Web Server 6.0

IBM WebSphere Network Deployment

Edge component

6.1 6.0

Software download page for Tivoli Access Manager

Links to supplemental software downloads for Tivoli products can be found at:

http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliAccessManagerfore-business.html

Follow the Software downloads (for registered users) link and then select IBM Tivoli Access Manager.

Enter your registered user name and password when prompted.

Backward compatibility

The following Tivoli Access Manager components can communicate with a version 6.1 policy server or

authorization server:

v Access Manager Runtime versions 6.1, 6.0 and 5.1

v Access Manager Runtime for Java versions 6.1, 6.0 and 5.1

The binary backward compatibility supported by Tivoli Access Manager version 6.1, 6.0 and 5.1

applications is as follows:

v Access Manager Runtime version 6.1 supports applications compiled against Tivoli Access Manager

version 6.0 and 5.1 ADKs for all platforms.

6 Release Notes



Notes:

1. Because the AZN servers use the runtime for communication, the servers are backward compatible.

2. All components on a single machine must be at the same version.

3. When using Active Directory or Lotus Domino as the user registry, all Tivoli Access Manager

components must be at the version 6.1 level.

4. When using IBM Tivoli Directory Server as the user registry, you are not required to upgrade all

Tivoli Access Manager components in your secure domain to a 6.1 level.

Backward compatibility with previous Web ADK versions

The backward compatibility supported by Tivoli Access Manager WebSEAL versions 6.1, 6.0, 5.1 and 4.1

applications is as follows:

1. Access Manager Web Runtime version 6.1 supports applications compiled against Tivoli Access

Manager version 6.0, 5.1 and 4.1 Web ADKs for all platforms except Solaris.

2. Access Manager Web Runtime version 6.1 for Solaris supports applications compiled against the Tivoli

Access Manager version 6.0 and 5.1 Web ADK only.

Product compatibility

Tivoli Access Manager 6.1 is compatible with the following products:

v IBM Lotus Domino

v IBM Tivoli Access Manager for Operating Systems

v IBM Tivoli Configuration Manager

v IBM Tivoli Directory Server

v IBM Tivoli Federated Identity Manager

v IBM Tivoli Identity Manager

v IBM WebSphere Portal Server

v IBM Tivoli Directory Integrator

v Tivoli Compliance Insight Manager

v Tivoli Security Operations Manager


8 Release Notes

Chapter 2. Installation, configuration, upgrade, and migration

information

This section is organized based on the following industry-standard definitions:

Installation

The process of adding a program, program option, or piece of hardware to an existing system in

a manner such that it runs and interacts properly with all affected parts of the system.

Migration

The process of replacing a component with another component.

Configuration

The process of implementing software and hardware in a way that allows the system as a whole

to operate properly. For a software product, configuration includes tasks such as choosing the

proper settings, setting up communication protocols, or setting up a printer. For hardware,

configuration might include setting up the hardware to optimize its performance for a particular

system. Sometimes referred to as customization.

Upgrade

The process of changing from one version of a product to a later or improved version of the same

product.

The line between installation and configuration is sometimes blurred. Installation information describes

what you need to do to start or run the program or machine. Configuration information describes what

you must do to make the program or machine operate appropriately now that the program or machine is

running.


Operating systems

The following sections provide tables that identify supported operating systems and required patches and

tables that identify which operating systems on which the Tivoli Access Manager components are

supported.

Supported operating systems and required patches

Attention: Apply the changes for daylight saving time (DST) 2007 and later for your operating system.

AIX

Tivoli Access Manager components for AIX are supported on 32-bit and 64-bit kernels in 32-bit

compatibility mode.

Table 1. AIX: Supported Tivoli Access Manager components

Architecture

Supported

operating systems

Tivoli Access Manager systems Required patches

RS/6000® AIX 5.2 v Attribute Retrieval Service

v Authorization server

v Development (ADK)

v Plug-in for Apache Web Server 2.0.x

v Plug-in for IBM HTTP Server (v2.0.x/6.x)

v Plug-in for Sun Java Systems Web Server

v6.1, SP1

v Plug-in for WebSphere Application Server

Network Deployment Edge Server 6.1

v Policy server

v Policy proxy server

v Runtime

v Runtime for Java

v Session management command line

v Session management server

v Web Portal Manager

v Web Security development (ADK)

v Web Security runtime

v WebSEAL

v Service Pack (SP) 5200-08-2 or

above

v Technology Level (TL) 5200-08

or above

10 Release Notes

Table 1. AIX: Supported Tivoli Access Manager components (continued)

Architecture

Supported

operating systems


AIX 5.3 v Attribute Retrieval Service


v Development (ADK)

v Plug-in for Apache Web Server v2.0.x

(Apache compiled in 31-bit mode only)



v Plug-in for IBM HTTP Server (v2.0.x/6.x)

v Plug-in for Sun Java System Web Server

v6.1, SP1)

v Policy server


v Runtime

v Runtime for Java






v WebSEAL

v Service Pack (SP) 5200-04-02

or above

v Technology Level (TL) 5300-04

or above

Chapter 2. Installation, configuration, upgrade, and migration information 11

HP-UX

Table 2. HP-UX: Supported Tivoli Access Manager components

Architecture

Supported

operating systems


PA-RISC HP-UX 11iv2

(B.11.23)

v Attribute Retrieval Service


v Development (ADK)

v Policy server


v Runtime

v Runtime for Java






v WebSEAL

v PHSS_33449

v PHSS_33450

v PHSS_33405

HP-UX 11iv3

(B.11.31)



v Development (ADK)

v Policy server


v Runtime

v Runtime for Java






v WebSEAL

HP-UX on

Integrity

HP-UX 11iv2

(B.11.23)


v Development (ADK)

v Policy server


v Runtime

v Runtime for Java




v WebSEAL

v PHSS_34859

v PHSS_35978

12 Release Notes

Table 2. HP-UX: Supported Tivoli Access Manager components (continued)

Architecture

Supported

operating systems


HP-UX 11iv3

(B.11.31)


v Development (ADK)

v Policy server


v Runtime

v Runtime for Java




v WebSEAL

Linux on x86

Table 3. Linux on x86: Supported Tivoli Access Manager components

Architecture

Supported

operating systems


x86 Red Hat

Enterprise Linux

Server 4.0



v Development (ADK)

v Plug-in for IBM HTTP Server (v1.3.x)

v Plug-in for IBM HTTP Server (v2.0.x or 6.0)



v Policy server


v Runtime

v Runtime for Java






v WebSEAL

Update 5


Table 3. Linux on x86: Supported Tivoli Access Manager components (continued)

Architecture

Supported

operating systems


Red Hat

Enterprise Linux

Server 5.0



v Development (ADK)





v Policy server


v Runtime

v Runtime for Java






v WebSEAL

SUSE LINUX

Enterprise Server

9



v Development (ADK)





v Policy server


v Runtime

v Runtime for Java






v WebSEAL

Service Pack 1

14 Release Notes

Table 3. Linux on x86: Supported Tivoli Access Manager components (continued)

Architecture

Supported

operating systems


SUSE LINUX

Enterprise Server

10



v Development (ADK)





v Policy server


v Runtime

v Runtime for Java






v WebSEAL


Linux on x86-64

Tivoli Access Manager components for Linux on x86–64 are supported on 64-bit AMD64/EM64T systems.

Table 4. Linux on x86–64: Supported Tivoli Access Manager components

Architecture

Supported

operating systems


x86-64 Red Hat Enterprise

Linux Server 4.0



v Development (ADK)

v Policy server


v Runtime

v Runtime for Java


Update 5

Red Hat Enterprise

Linux Server 5.0



v Development (ADK)

v Policy server


v Runtime

v Runtime for Java


SUSE LINUX

Enterprise Server 9



v Development (ADK)

v Policy server


v Runtime

v Runtime for Java


Service Pack 2

SUSE LINUX

Enterprise Server 10



v Development (ADK)

v Policy server


v Runtime

v Runtime for Java


16 Release Notes

Linux on System z

Tivoli Access Manager components for Linux on System z are supported on 64-bit System z kernels in

31-bit compatibility mode.

Table 5. Linux on System z: Supported Tivoli Access Manager components

Architecture

Supported

operating systems


System z Red Hat Enterprise

Linux Server 4.0



v Development (ADK)

v Plug-in for Apache Web Server v2.0 x


v Plug-in for IBM HTTP Server (v1.3.x

v Plug-in for IBM HTTP Server (v.2.0.x or

6.0)

v Policy server


v Runtime

v Runtime for Java






v WebSEAL

v Update 5 or above

v compat-libstdc++-295-2.95.3-81.s390.rpm or higher version

v compat-libstdc++-295-2.95.3-81.s390x.rpm or higher version

v compat-libstdc++-33-3.2.3-47.3.s390.rpm or higher version

v compat-libstdc++-33-3.2.3-47.3.s390x.rpm or higher version

Red Hat Enterprise

Linux Server 5.0



v Development (ADK)



v Plug-in for IBM HTTP Server (v1.3.x

v Plug-in for IBM HTTP Server (v.2.0.x or

6.0)

v Policy server


v Runtime

v Runtime for Java






v WebSEAL

v compat-libstdc++-295-2.95.3-81.s390.rpm or higher version

v compat-libstdc++-295-2.95.3-81.s390x.rpm or higher version

v compat-libstdc++-33-3.2.3-47.3.s390.rpm or higher version

v compat-libstdc++-33-3.2.3-47.3.s390x.rpm or higher version


Table 5. Linux on System z: Supported Tivoli Access Manager components (continued)

Architecture

Supported

operating systems


SUSE LINUX

Enterprise Server 9



v Development (ADK)




v Plug-in for IBM HTTP Server (v2.0.x or

6.0)

v Policy server


v Runtime

v Runtime for Java






v WebSEAL

v Service Pack 3 or above

v compat-2004.7.1-1.2.s390x.rpm or

higher version

v compat-32bit-9-200407011411.s390x.rpm or higher

version

SUSE LINUX

Enterprise Server

10



v Development (ADK)





6.0)

v Policy server


v Runtime

v Runtime for Java






v WebSEAL

v compat-2006.1.25-11.2.s390x.rpm

or higher version

v compat-32bit-2006.1.25-11.2.s390x.rpm or higher version

18 Release Notes

Linux on POWER

Tivoli Access Manager components for Linux on POWER are supported on 64-bit kernels in 32-bit

compatibility mode.

Table 6. Linux on POWER: Supported Tivoli Access Manager components

Architecture

Supported

operating

systems


Power Red Hat

Enterprise Linux

Server 4.0


v Development (ADK)

v Policy server


v Runtime

v Runtime for Java


Update 5 or above

Red Hat

Enterprise Linux

Server 5.0


v Development (ADK)

v Policy server


v Runtime

v Runtime for Java


SUSE LINUX

Enterprise Server

9


v Development (ADK)

v Policy server


v Runtime

v Runtime for Java


Service Pack 1

SUSE LINUX

Enterprise Server

10


v Development (ADK)

v Policy server


v Runtime

v Runtime for Java



Solaris

Table 7. Solaris: Supported Tivoli Access Manager components

Architecture

Supported

operating systems


Solaris 9 v Attribute Retrieval Service


v Development (ADK)





6.0)

v Plug-in for Sun Java System Web

Server (v6.1, SP1)


Server (v7.0)

v Plug-in for WebSphere Application

Server Network Deployment Edge

Server 6.1

v Policy server


v Runtime

v Runtime for Java






v WebSEAL

Recommended patch cluster of

December 2007

20 Release Notes

Table 7. Solaris: Supported Tivoli Access Manager components (continued)

Architecture

Supported

operating systems


Solaris 10 v Attribute Retrieval Service


v Development (ADK)




6.0)



Server (v6.1, SP1)


Server (v7.0)



Server 6.1

v Policy server


v Runtime

v Runtime for Java






v WebSEAL

Recommended patch cluster of

October 2005

x86-64 Solaris 10 v Authorization server

v Development (ADK)

v Policy server


v Runtime

v Runtime for Java




v WebSEAL


Windows client

Table 8. Windows client: Supported Tivoli Access Manager components

Architecture Tivoli Access Manager systems Required patches

Windows XP v Development (ADK)

v Runtime

v Runtime for Java

Professional version Service Pack 2

Windows Vista v Development (ADK)

v Runtime

v Runtime for Java

Windows 2003

Table 9. Windows 2003 Server x86: Supported Tivoli Access Manager components

Architecture

Supported

operating systems


x86 Standard Server v Attribute Retrieval Service


v Development (ADK)

v Plug-in for Internet Information

Services 6.0



Server 6.1


6.0)

v Policy server


v Runtime

v Runtime for Java






v WebSEAL

Service Pack 1

22 Release Notes

Table 9. Windows 2003 Server x86: Supported Tivoli Access Manager components (continued)

Architecture

Supported

operating systems


Enterprise Server v Attribute Retrieval Service


v Development (ADK)

v Plug-in for Internet Information

Services



Server


6.0)

v Policy server


v Runtime

v Runtime for Java






v WebSEAL

Service Pack 1

Windows 2003 (64-bit)

Table 10. Windows 2003 (64-bit): Supported Tivoli Access Manager components

Architecture

Supported

operating systems


x86-64 Windows for 64-bit

Extended System

Editions



v Development (ADK)

v Policy server


v Runtime

v Runtime for Java


Service Pack 1


Tivoli Access Manager components by operating systems

The following sections provide tables that identify which operating systems on which the Tivoli Access

Manager components are supported.

Base components

AIX

5.2,

5.3

HP-UX

11iV2,

11iV3

HP-UX

on

Integrity

11iV2,

11iV3

Linux

on

System

z

Linux

on

POWER

Linux

on

x86

Linux

on

x86-64

Solaris

9, 10

Solaris

on

x86_64

10

Windows

2003

Adv, Ent

Windows

XP,

Vista

Windows

2003

Server

Adv, Ent

on x86

Windows

2003

Server:

Adv, Ent

on x86_64

Access

Manager

Runtime

U U U U U U U U U U U U U

Access

Manager

Runtime for

Java


Access

Manager

Policy Server

U U U U U U U U U U U U

Access

Manager

Policy Proxy

Server


Access

Manager

Authorization

Server


Access

Manager

Application

Development

Kit


Access

Manager Web

Portal

Manager


Access

Manager

Attribute

Retrieval

Service

U U U U U U U U U U

24 Release Notes

Web security components

AIX

5.2,

5.3

HP-UX

11iV2,

11iV3

HP-UX

on

Integrity

11iV2,

11iV3

Linux

on

System

z

Linux

on

POWER

Linux

on x86

Linux

on

x86_64

Solaris

9, 10

Solaris

10 on

x86_64

Windows

XP,

Vista

Windows

2003

Server

Adv, Ent

on x86

Windows

2003

Server

Adv, Ent

on

x86_64

Access Manager

Web Security

Runtime

U U U U U U U U U

Access Manager

Plug-in for

Edge Server

U U U U

Access Manager

WebSEAL

U U U U U U U U U

Access Manager

Web Security

Application

Development

Kit

U U U U U U U U U

Plug-in for Web Servers

AIX

5.2,

5.3

HP-UX

11iV2,

11iV3

HP-UX

on

Integrity

11iV2,

11iV3

Linux

on

x86

Linux

on

x86-64

Linux

on

System

z

Linux

on

POWER

Solaris

9, 10

Solaris

on

x86_64 9

and 10

Windows

XP, Vista

Windows

2003

Server

Adv and

Ent on x86

Windows

on

x86_64

Apache Web

Server 2.0.x

U U U

IBM HTTP

Server 1.3.x

U U U U

IBM HTTP

Server 2.0.x

and 6.0

U U U U U

Sun Java

System Web

Server 6.1

U U

Sun Java

System Web

Server 7

U

Microsoft

Internet

Information

Services (IIS)

6.0

U

Session management components

AIX

5.2,

5.3

HP-UX

11iV2,

11iV3,

HP-UX

on

Integrity

11iV2,

11iV3,

Linux

on

System

z

Linux

on

POWER

Linux

on

x86

Linux

on

x86_64

Solaris

9, 10

Solaris

on

x86_64

10

Windows

XP,

Vista

Windows

2003 Server

Adv and Ent

on x86

Windows

2003 Server

Adv and Ent

on x86-64

Access

Manager

Session

Management

Server

U U U U U U


AIX

5.2,

5.3

HP-UX

11iV2,

11iV3,

HP-UX

on

Integrity

11iV2,

11iV3,

Linux

on

System

z

Linux

on

POWER

Linux

on

x86

Linux

on

x86_64

Solaris

9, 10

Solaris

on

x86_64

10

Windows

XP,

Vista

Windows

2003 Server

Adv and Ent

on x86

Windows

2003 Server

Adv and Ent

on x86-64

Access

Manager

Session

Management

Command

Line

U U U U U U

Web application servers supported by operating systems

The following sections provide tables that identify which operating systems on which Web application

servers are supported.

IBM WebSphere servers

AIX

5.2

and

5.3

HP-UX

11iV2,

11iV3,

HP-UX

on

Integrity

11iV2,

11iV3,

Linux

on x86

Linux

on

System

z

Linux

on

POWER

Linux

on

AMD64/

EM64T

Solaris

9, and

10

Solaris

on

x86_64

10

Windows

XP, Vista

Windows

2003 Adv

and Ent

on x86

Windows

2003 Adv

and Ent on

x86-64

IBM

WebSphere

Edge

Server

U

RH 3.0,

SLES

8,

SLES 9

8, 9 8, 9 U

IBM

WebSphere

Application

Server

U U U U U U U U U

IBM

WebSphere

Network

Deployment

U U U U U U U U U

Windows 2003 (Windows only if AD registry)

26 Release Notes

Single or cluster IBM WebSphere Application Server

The following sections provide tables that identify which WebSphere environments (single server or

cluster) are supported for Session Management Server and Web Portal Manager.

Attention: Session Management Server requires WebSphere Application Server 6.1.0.13 or greater

Session Management Server on IBM WebSphere Application Server

Single server Cluster

IBM WebSphere Express U

IBM WebSphere Application Server U

IBM WebSphere Network Deployment U U

Web Portal Manager on IBM WebSphere Application Server

Single server Cluster

IBM WebSphere Application Server U

IBM WebSphere Network Deployment U


Software requirements

This section includes information about the Tivoli Access Manager software prerequisites and the Web

browsers tested and supported on Tivoli Access Manager 6.1.

Tivoli Access Manager software prerequisites

The versions supported on Tivoli Access Manager are provided in the following table:

IBM DB2 Universal Database Enterprise Server

Edition

9.1 fix pack 2 or above

IBM Tivoli Directory Server (client and server) 6.1, fix pack 1 or above and fix 6.1.0.6 or above

IBM Global Security Kit (GSKit) 7.0.4.11 (HP-UX on Integrity: 7.0.4.12)

IBM Java Runtime 1.5.0 SR5

IBM WebSphere Application Server 6.1

IBM WebSphere Application Server Network

Deployment

6.1

IBM WebSphere Network Deployment Edge

component

6.1

Microsoft Internet Information Services (IIS) 6.0

SunONE Web server 5.1

Sun Java System Web Server 5.2 and 6.x

IBM HTTP Server 1.3.x

IBM HTTP Server 2.0.x

IBM HTTP Server 6.0

Apache Web Server 1.3.x with mod SSL

Apache Web Server 2.0.x

28 Release Notes

Tivoli Access Manager supported Web browsers

Although other Web browsers might work with Tivoli Access Manager, the following versions of Web

browsers have been tested for Tivoli Access Manager 6.1:

v AIX platforms: Mozilla 1.7.8, Firefox 1.5

v HP-UX platforms: Mozilla 1.7.8, Firefox 1.5

v Linux: Mozilla 1.7.8, Firefox 1.5

v Solaris platforms: Mozilla 1.7.8, Firefox 1.5

v Windows platforms: Mozilla 1.7.8, Firefox 1.5, Internet Explorer versions 6.0 Service Pack 1

Note: If you are using the Mozilla browser on AIX, Linux on x86, Solaris, or HP-UX operating systems,

you might see incorrect results when using the keyboard in the Web Administration Tool. See the

systems requirements for IBM Tivoli Directory Server 6.1 for more information.


Installation and configuration notes

This section provides additional details about some of the installation and configuration fixes.

Upgrade notes

v If you have a version of DB2 that is not supported, you must upgrade to a supported version. On AIX,

you must upgrade to a 64-bit version.

v Migrating WebSEAL to 6.1 on AIX 5.1 is supported only with an LDAP registry and an Active

Directory registry.

v Upgrade of a previous Web Portal Manager system is not supported. You must install Web Portal

Manager 6.1.

v Access Manager Runtime requires the Tivoli Directory Server client 6.1 and GSKit 7.0.4.11 (7.0.4.12 on

HP-UX on Integrity) for all platforms unless the directory server is Lotus Domino or Microsoft Active

Directory. For Lotus Domino, the Notes client is required and it is only available on Windows. For

Microsoft Active Directory, Tivoli Directory Server client 6.1 is required for all servers except the policy

server, which must be on a Windows server.

Supported registries

Tivoli Access Manager supports the following user registries, their supported operating systems, and any

necessary prerequisite software.

v Microsoft Active Directory

v IBM Lotus Domino Enterprise Server

v Supported Lightweight Directory Access protocol (LDAP) servers.

The following servers are supported LDAP servers that use LDAP for storing user and group

information:

– IBM Tivoli Directory Server

– IBM z/OS LDAP Server

– Novell eDirectory

– Sun Java System Directory Server (Sun ONE Directory Server)

– Microsoft Active Directory Application Mode (ADAM)

Special support has been added to allow for IBM Tivoli Directory Server multi-domain support and to

enable Tivoli Access Manager for e-business to import Sun ONE Directory Server dynamic groups.

IBM Tivoli Directory Server

Tivoli Access Manager supports the use of IBM Tivoli Directory Server 6.1, 6.0 and 5.2.

Notes:

1. IBM Tivoli Directory Server 6.1 is included with Tivoli Access Manager 6.1.

2. Only a single version of Tivoli Directory Server can exist on a system at a time.

3. The Tivoli Directory Server client is required when an LDAP type of user registry is selected during

installation.

4. You can install the Tivoli Directory Server client 6.1 on the same system with previous Tivoli

Directory Server client versions.

5. If you have an existing Tivoli Directory Server that you want to use for Tivoli Access Manager, ensure

that you upgrade the server to a supported level. For upgrade instructions, see the IBM Tivoli Access

Manager for e-business: Upgrade Guide.

6. If you have a pre-existing version of an LDAP client from a vendor other than IBM, remove it before

installing the IBM Tivoli Directory Server client provided with Tivoli Access Manager. If you attempt

30 Release Notes

to install the Tivoli Directory Server client without removing the other vendor’s version, the resulting

file name conflicts might prevent either version from working.


IBM Tivoli Directory Server Web Administration Tool

IBM Tivoli Directory Server supports the use of the IBM Tivoli Directory Server Web Administration Tool

6.1. You can install the Web Administration Tool on a computer with or without the Tivoli Directory

Server client or server. The Web Administration Tool can be used to administer the following types of

LDAP servers:

v IBM Tivoli Directory Server, Versions 6.1, 6.0 and 5.2

v z/OS Security Server LDAP Server Version 1.4

v z/OS Integrated Security Services LDAP Server (ISS) 1.6

v IBM Tivoli Directory Server for z/OS 1.8.

To find out the supported platforms for IBM Tivoli Directory Server Web Administration Tool 6.1, see the

online release notes at this Web site:

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc= /com.ibm.IBMDS.doc/toc.xml

To use the Web Administration Tool, you also need IBM WebSphere Application Server Version 6.1, which

is provided with Tivoli Access Manager 6.1.

IBM Tivoli Directory Server supported Web browsers

One of the following Web browsers on the computer from which you will use the Web Administration

Tool. (This computer might or might not be where the Web Administration Tool is installed):

v AIX platforms: Mozilla 1.6, 1.7, 1.75 (Firefox 1.0)

v HP-UX platforms: 1.6, 1.7, 1.75 (Firefox 1.0)

v Linux on x86 platforms: 1.6, 1.7, 1.75 (Firefox 1.0)

v Linux on iSeries®, POWER, and System z platforms: No browser support is available. You must use

another system to access the Web Administration Tool on these Linux platforms.

v Solaris platforms: 1.6, 1.7, 1.75 (Firefox 1.0)

v Windows 2003 platforms: Internet Explorer, Version 5.5+, 6.x

v Windows XP Professional platform: Internet Explorer 5.5+, 6.x; Mozilla 1.6, 1.7, 1.75 (Firefox 1.0)

IBM z/OS LDAP Server

Tivoli Access Manager supports the use of z/OS Security Server LDAP Server version 1.4, z/OS

Integrated Security Services LDAP Server (ISS) 1.6 and IBM Tivoli Directory Server for z/OS 1.8.

For product information, see the z/OS Internet Library Web site at:

http://www.ibm.com/servers/eserver/System z/zos/bkserv/

Customers can also obtain softcopy publications on the CD-ROM z/OS: Collection, SK3T-4269.

IBM Lotus Domino Server

Tivoli Access Manager supports the use of IBM Lotus Domino Version 6.5, 7.0.1, 7.0.2 or 8.0 as a user

registry only on the Windows platform. The Domino server runs on all supported Domino platforms.

Attention: When Lotus Domino is used as the registry:

v The IBM Tivoli Directory Server client is not required.

v If you install a Lotus Notes® client, it must be installed prior to installing the Access Manager Runtime

component.

v Tivoli Access Manager supports the Lotus Notes client 6.5, 7.0.1, 7.0.2 or 8.0.

32 Release Notes

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.IBMDS.doc/toc.xml


http://www.ibm.com/servers/eserver/zseries/zos/bkserv

Microsoft Active Directory Application Mode (ADAM)

Tivoli Access Manager supports the use of Microsoft Active Directory Application Mode (ADAM) as a

user registry.

ADAM users can run Tivoli Access Manager with Windows Server 2003 Standard Edition, Windows

Server 2003 Enterprise Edition, Windows XP Professional Edition and Windows Vista. See Microsoft

documentation for the complete list of supported systems.

ADAM is available with the Microsoft Server 2003 R2 product and as a separate download, including

example lab testing files.

Microsoft Active Directory

Tivoli Access Manager supports the use of Active Directory for Windows 2003 Enterprise Server as a user

registry.

Active Directory users can run Tivoli Access Manager on all Windows, UNIX® or Linux platforms

currently supported in the Tivoli Access Manager product.

UNIX or Linux platforms make use of the Tivoli Directory Server client to communicate with Active

Directory. This LDAP client is also used in cases where the policy server domain differs from the domain

of the local host name.

Note that the Tivoli Access Manager policy server is supported on Windows 2003 systems only.

Novell eDirectory

Tivoli Access Manager supports the use of Novell eDirectory 8.7.x and 8.8.x as a user registry.

For installation information, consult the product documentation that came with your Novell eDirectory

server. Novell eDirectory product documentation is available at:

http://www.novell.com/documentation/a-z.html

The latest patches to these products are available at:

http://support.novell.com/filefinder/5069/index.html

Attention:

v If you have an existing Novell eDirectory server that you want to use for Tivoli Access Manager,

ensure that you upgrade the server to a supported level.

v The Novell eDirectory server has built-in SSL capability. You must install GSKit onto the directory

server system only if the Access Manager Runtime component is installed on the same system.

v The IBM Tivoli Directory Server client is required.

Sun Java System Directory Server

Tivoli Access Manager supports the use of Sun Java System Directory Server 5.2 and 6.x, or SunONE

Directory Server 5.1 as a user registry.

For installation information, consult the product documentation that came with your server.

Attention:

v If you have an existing iPlanet Directory Server or a SunONE Directory Server that you want to use for

Tivoli Access Manager, ensure that you upgrade the server to a supported level. For upgrade

instructions, see Sun documentation at the following Web address:


http://www.novell.com/documentation/a-z.html

http://support.novell.com/patches.html

http://docs.sun.com/db/prod/s1dirsrv

v The Sun Java System Directory Server and SunONE Directory Server have built-in SSL capability. You

must install GSKit onto the directory server system only if the Access Manager Runtime component is

installed on the same system.

34 Release Notes

http://docs.sun.com/app/docs/prod/entsys

Disk space requirements

Tivoli Access Manager binaries and libraries can require a large amount of disk space. You should ensure

that there is enough disk space in the file systems where you are going to install these files. As each

Tivoli Access Manager component or system is added to a secure domain, additional disk space is

required. Ensure that there is enough available disk space to allow for future installation of Tivoli Access

Manager software.

Note: This table lists the disk space for Tivoli Access Manager components only. Keep in mind that you

must also factor in additional requirements, such as operating system or Web server estimates (if

installing a plug-in).

Table 11. Disk space requirements

Component Recommend Disk

Space (MB)

Disk Space for ACL

database (MB)

Add Disk Space for

Log Files (MB)

Tivoli Access Manager prerequisite software

Global Security Kit 20 — —

IBM Tivoli Directory Server client 10 — —

Tivoli Security Utilities 20 — —

IBM Java Runtime Solaris 200

non-Solaris 100

— —

Tivoli Access Manager base components

Access Manager Runtime 60 — —

Access Manager Runtime for Java 4 — —

Access Manager Policy Server 2 5

1, 2 10

Access Manager Policy Proxy Server 1 — 10

Access Manager Authorization

Server

2 15

2 10

Access Manager Application

Development Kit

5 — —

Access Manager Web Portal Manager 15 — —

Tivoli Access Manager—provided servers


(including prerequisite software)

650–1000

4 — 10

IBM WebSphere Application Server 1200 — —

Tivoli Access Manager Web security components

Access Manager Web Security

Runtime

3 —

Access Manager WebSEAL 20 15

2 200

3


Application Development Kit

3 — —

Access Manager Plug-in for IBM

HTTP Server

25 15

2 10

Access Manager Plug-in for Apache

Web Server

25 15

2 10

Access Manager Plug-in for Sun Java

System Web Server

25 15

2 10


Table 11. Disk space requirements (continued)

Component Recommend Disk

Space (MB)

Disk Space for ACL

database (MB)

Add Disk Space for

Log Files (MB)

Access Manager Plug-in for Internet

Information Services

25 15

2 10

Access Manager Plug-in for Edge

Server

15 — —

Access Manager Attribute Retrieval

Service

5 — —

Tivoli Access Manager session management components

Access Manager Session

Management Command Line

2 — 10


Management Server

5

5 — 10

Common Auditing and Reporting Service

Common Auditing and Reporting

Service Server

30

7 — 15 GB

8

Notes:

1 The size is for the default domain only. For each additional domain, increase the recommended disk

space by this amount.

2 This number is based on the approximate requirement for an ACL database with 10,000 objects,

equally spread across 10 object spaces and about 30 ACLs attached to 20% of the objects. Except for

the policy server, the size is tripled to account for a backup copy and an additional copy created

during replication.

3 This number includes Web server request logs. The WebSEAL web server request logs are not

automatically pruned by WebSEAL. The logs will grow until manually pruned or the file system in

which they are placed becomes full. The specified disk space is sufficient to record about a million

requests.

4 IBM Tivoli Directory Server estimates include an empty database. Add an additional 10KB per Tivoli

Access Manager user.

5 This number does not include disk space for the SMS user login and session information, which

varies depending upon the configurations options chosen. At minimum the SMS user login

information takes about 100 bytes per Tivoli Access Manager user. If a database is chosen for session

information, the disk requirements grow to approximately 15KB per logged in user.

7 Additional disk space (2 GB) is recommended to install the IBM WebSphere and DB2 prerequisites

for the Common Auditing and Reporting Service Server, if not already installed.

8 This number (15 GB) is the additional disk space needed for every 10 million events that are stored.

36 Release Notes

Memory requirements

This table lists memory requirements for Tivoli Access Manager components only. Keep in mind that you

must also factor in additional requirements, such as operating system or Web server estimates (if

installing a plug-in).

Table 12. Memory requirements

Component Minimum Memory

(MB)

Recommend Memory

(MB)

Memory per additional

domain

Tivoli Access Manager prerequisite software

Global Security Kit

3 3 —

Tivoli Directory Server client

3 3 —

Tivoli Security Utilities

3 3 —

IBM Java Runtime

3 3 —

Tivoli Access Manager base components

Access Manager Runtime

3 3 —

Access Manager Runtime for Java

3 3 —

Access Manager Policy Server 40 50 5

Access Manager Policy Proxy Server 40 50 —

Access Manager Authorization

Server

40 50 —

Access Manager Application

Development Kit

— — —

Access Manager Web Portal

Manager

64

1 128

1 —

Tivoli Access Manager—provided servers


(including prerequisite software)

768

2 2048

2 —

IBM WebSphere Application Server 512 1024 —

Tivoli Access Manager Web security components


Runtime

3 3 —

Access Manager WebSEAL 100 300

4 —


Application Development Kit

— — —

Access Manager Plug-in for IBM

HTTP Server

75

5 150

5 —

Access Manager Plug-in for Apache

Web Server

75

5 150

5 —

Access Manager Plug-in for Sun Java

System Web Server

75

5 150

5 —

Access Manager Plug-in for Internet

Information Services

200

5 250

5 —

Access Manager Plug-in for Edge

Server

15 30 —

Access Manager Attribute Retrieval

Service

10 15 —

Tivoli Access Manager distributive session management components


Table 12. Memory requirements (continued)

Component Minimum Memory

(MB)

Recommend Memory

(MB)

Memory per additional

domain


Management Command Line

3 3 —


Management Server

7 7 —

Common Auditing and Reporting Service

Common Auditing and Reporting

Service Server

1 GB9 2–4 GB —

Notes:

1 The WPM memory requirements are in addition to those for WebSphere.

2 768 MB (minimum) and 2 GB (recommended) memory are for less than one million Tivoli Access

Manager users. For more than one million users, increase this amount to 2 GB (minimum) and 4 GB

(recommended) memory.

3 Memory requirements for these components are part of the memory requirements of the servers that

use them.

4 Includes memory for maximum default cache growth. Increase this amount if cache parameters are

increased.

5 This is in addition to the memory required for the Web server into which the plug-in is configured.

6 Included with the memory requirements for the Web Portal Manager.

7 Does not include memory for SMS session information, which varies depending upon the

configurations options chosen. At minimum, the SMS session information is configured to reside on

disk, such as in a DB2 or Cloudscape™ database, and takes no additional memory. If the session

information is configured to reside in memory, the memory requirements grow to 40KB per user

session.

9 This number includes memory required to run both CARS and its prerequisites.

38 Release Notes

Chapter 3. Internationalization notes

This chapter provides information related to installing and using versions of Tivoli Access Manager in a

language other than English.


40 Release Notes

Chapter 4. Uninstallation information

The following uninstallation problems are known to exist in Tivoli Access Manager. Workarounds are

provided if they are available. Report any other problems to IBM Customer Support for Tivoli products.


42 Release Notes

Chapter 5. Known limitations, problems, and workarounds

The following problems and limitations are known to exist in Tivoli Access Manager. Workarounds are

provided if they are available. Report any other problems to IBM Customer Support for Tivoli products.

Note: If you are using a version of IBM Tivoli Access Manager for e-business in a language other than

English, be sure to also review the information in Chapter 3, “Internationalization notes,” on page

39.

Limitations, known problems and workarounds

Installation wizard fails with an unhandled error while searching for Java Virtual Machine

If an installation wizard fails with an unhandled error while searching for Java Virtual Machine,

ensure that IBM Java Runtime 1.5.0 SR5 is set in the PATH environment variable.

Note: To determine if IBM Java Runtime 1.5.0 SR5 is already in the path, use the java –version

command.

Errors occur with Java 2 security enabled

Under certain circumstances, exceptions may occur on application startup when Java 2 security is

enabled. On startup, Tivoli Access Manager for Java ensures that the JVM is properly configured

for refreshing certificate expirations. If Java 2 security is enabled, some security methods need to

be invoked with privileged security enabled. The solution is to update the JVM java.policy file (or

was.policy file if running in a WebSphere application server) with the following entries:

permission java.security.SecurityPermission "insertProvider.IBMJCE";

permission java.security.SecurityPermission "putProviderProperty.IBMJCE";

Error occurs during IBM Tivoli Directory Server White Pages installation

If an error occurs during installation of IBM Tivoli Directory Server White Pages on Solaris from

CD, run the installer with the following path:

# /cdrom/cdrom0/solaris/itds_whitepages/install_SolarisWp.bin

WebSEAL fails to start when configured to use Hardware Cryptographic devices

WebSEAL can fail to start when configured to use hardware cryptographic devices on SUSE

Linux Enterprise Server Version 9 for IBM System z. A similar error can occur if gsk7ikm fails to

open CMS Cryptographic Token when running on the same platform. A message similar to the

following is written to the WebSEAL log:

DPWIV1210W Function call, gsk_environment_init, failed error: 000001af GSK_ERR

OR_PKCS11_TOKEN_NOTPRESENT.

A message similar to the following is written to /var/log/messages:

openCryptokiModule[4422]: DL_Load: dlload of [/usr/lib/

pkcs11/stdll/PKCS11_ICA.so] failed; dlerror = [/usr/lib/libica.so: undefined sym

bol: AES_set_decrypt_key].

This problem can occur because of conflicting cryptographic libraries (/usr/lib/libcrypto.so.0.9.7)

that are used by GSKit versions 7.0 through 7.4 and openSSL, and because SUSE Linux Enterprise

Server Version 9 allows the GSKit version to be used by other libraries, even though the files are

loaded for local use.

To avoid this problem, when starting a WebSEAL instance that is configured to use hardware

cryptographic devices on SUSE Linux Enterprise Server Version 9 for IBM System z, specify

LD_PRELOAD as follows:


LD_PRELOAD=/usr/lib/libcrypto.so.0.9.7 pdweb start default

On a 64-bit SUSE Linux Enterprise Server Version 9 system, several messages similar to the

following examples will appear, which can be ignored:

ERROR: ld.so: object ’/usr/lib/libcrypto.so.0.9.7’ from LD_PRELOAD cannot be pre loaded:

ignored.

An alternative is to start WebSEAL by specifying the webseald binary directly:

# LD_PRELOAD=/usr/lib/libcrypto.so.0.9.7 /opt/pdweb/bin/webseald -config

etc/webseald-default.conf

For the GSKit IKEYMAN program, the workaround is to specify LD_PRELOAD when starting:

# LD_PRELOAD=/usr/lib/libcrypto.so.0.9.7 gsk7ikm

xmllogviewer installation error on Solaris or Solaris on x86_64

During the install of xmllogviewer on Solaris or Solaris on x86_64, the following error might

occur:

ERROR: cannot find product /product.xml

If you encounter this error, perform the following workaround:

v Solaris:

Go to the /cdrom/cdrom0/solaris/xmllogviewer directory and issue the java command with

the fully qualified path to setup.jar; for example:

#pwd

/cdrom/cdrom0/solaris/xmllogviewer

#java -cp /cdrom/cdrom0/solaris/xmllogviewer/setup.jar run

v Solaris on x86_64

Go to the /cdrom/cdrom0/solaris_x86/xmllogviewer directory and issue the java command

with the fully qualified path to setup.jar; for example:

#pwd

/cdrom/cdrom0/solaris_x86/xmllogviewer

#java -cp /cdrom/cdrom0/solaris_x86/xmllogviewer/setup.jar run

IBM ObjectGrid toolkit patch required

Problem: The Tivoli Session Management Server makes use of the IBM ObjectGrid toolkit to

manage and distribute session information across the various nodes within a WebSphere cluster.

A patch to the Tivoli Access Manager-supplied version of ObjectGrid is required in order to fix a

problem with the toolkit.

Workaround: Obtain the ObjectGrid v6.1.0.1 cumulative fix 2 (or later) patch from the following

Web site:

http://www-128.ibm.com/developerworks/wikis/display/objectgridprog/Release+notes

Using the WebSphere Update Installer, apply the patch to all nodes within the WebSphere cluster.

Installation wizard panel help incorrect for session management server command line SSL

configuration

During a wizard installation of the session management server command line, you might

encounter a wizard panel that allows you to configure Secure Sockets Layer (SSL) communication

between the IBM Tivoli Access Manager session management command line and the Web service.

The panel is titled "Configuring SSL communication." The help text associated with the

"Configuring SSL communication" panel is incorrect. The correct help text is:

Configuring SSL communication

Set the configuration options for Secure Sockets Layer (SSL) communication between the IBM

Tivoli Access Manager session management command line and the Web service.

Complete these fields. An asterisk by the field name indicates that the field is required.

44 Release Notes

http://www-128.ibm.com/developerworks/wikis/display/objectgridprog/Release+notes

SSL key file with full path

The fully qualified path where the existing SSL client key file is located. The key file

holds the client-side certificates that are used in SSL communication. The key file is used

when communicating with the IBM Tivoli Access Manager session management server.

The file extension is always .kdb. For example: c:\keytab\mykeys.kdb

If you plan to enable SSL, copy the SSL key file to any directory on your local system.

This key file must be obtained (copied) from the Web service, such as the IBM WebSphere

Application Server. To specify the SSL client key file, perform one of the following tasks:

v Type the fully qualified path and file name for the key file. The key file must already

exist.

v Browse and choose an existing key file.

Default: None

SSL stash file with full path

The fully qualified path where the existing SSL client key stash file is located. Typically,

the stash file has the same location and file name as the key file. The file extension is

always .sth. For example: c:\keytab\mykeys.sth

If a password stash file is associated with the key file, the password is obtained from the

password stash file. A stash file can be used by some applications so that the application

does not have to know the password to use the key file. To specify the SSL stash file,

perform one of the following tasks:

v Type a new installation path location and file name for the stash file. The stash file

must already exist.

v Browse for and choose an existing stash file.

Default: None

Certificate label

The label for the SSL client certificate. This label is valid only when SSL is being used and

when the Web service has been configured to require client authentication. The certificate

label is any alphanumeric, case-sensitive string that you choose. String values should be

characters that are part of the local code set. For example: PDSMS

Use a certificate label to distinguish between multiple certificates within the SSL key file

or when using a certificate other than the default certificate in the key file. Otherwise,

leave this field blank.

Default: None

Navigation buttons:

Browse

Click to go to the "Select a directory" window to choose an existing directory.

Back Click to return to the previous installation window. Information is maintained

when you return to this window.

Next Click to accept the configuration settings and continue the installation.

Cancel

Click to stop the installation and exit the installation wizard. No settings are

saved.

Help Click to get help on your current task.

Chapter 5. Known limitations, problems, and workarounds 45

46 Release Notes

Chapter 6. Deprecated items

The following features have been deprecated in Tivoli Access Manager 6.1:

Table 13.

Deprecation Recommended Migration Action

Edge component Load Balancer function that is

associated with the following capabilities:

v Content-based routing (CBR) component

v Site Selector component

v Cisco CSS Controller component

v Nortel Alteon Controller component

v Generic routing encapsulation (GRE)

v Network address translation (NAT) forwarding

method

v CBR forwarding method

v Remote administration

v Rules-based load balancing

v Wide-area load balancing

v Mutual high availability

v Simple Network Management Protocol (SNMP)

subagent support

v User Datagram Protocol (UDP) support

Use the Edge component Load Balancer with Media

Access Control (MAC) forwarding in conjunction with

one of the following:

v WebSphere Application Server Network Deployment

proxy server

v IBM HTTP Server plug-in in WebSphere Application

Server Network Deployment

Edge component Caching Proxy function Use the Edge component Load Balancer with Media

Access Control (MAC) forwarding in conjunction with

one of the following:

v WebSphere Application Server Network Deployment

proxy server

v IBM HTTP Server plug-in in WebSphere Application

Server Network Deployment

ivadmin_pop_getipauth2() API Use the replacement API: ivadmin_pop_getipauth3()

Web Logic Server

Session management Web interface Use the Session Management Server Integrated Solutions

Console (ISC) extension.


48 Release Notes

Chapter 7. Documentation updates

The installation and configuration problems and workarounds specific to the Common Auditing and

Reporting Service are described in the IBM Tivoli Access Manager for e-business: Auditing Guide.

The release notes and Information Center for IBM Tivoli Directory Server 6.1 can be found at these Web

sites:

http://www-306.ibm.com/software/tivoli/products/directory-server/platforms.html

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc= /com.ibm.IBMDS.doc/toc.xml

The required hardware and software for IBM WebSphere Application Server can be found at this Web

site:

http://www-306.ibm.com/software/webservers/appserv/doc/latest/prereq.html


http://www-306.ibm.com/software/tivoli/products/directory-server/platforms.html



http://www-306.ibm.com/software/webservers/appserv/doc/latest/prereq.html

50 Release Notes

Chapter 8. Contacting software support

Before contacting IBM Tivoli Software Support with a problem, refer to the IBM Tivoli Software Support

site by clicking the Tivoli support link at the following Web address:

http://www.ibm.com/software/support

and selectingIBM Tivoli Access Manager for e-business from the Select a category drop-down menu.

http://www.ibm.com/software/support

If you need additional help, contact software support by using the methods described in the IBM Software

Support Guide at the following Web address:

http://techsupport.services.ibm.com/guides/handbook.html

The guide provides the following information:

v Registration and eligibility requirements for receiving support

v Telephone numbers, depending on the country in which you are located

v A list of information you should gather before contacting customer support


http://www.ibm.com/software/tivoli/support

http://www.ibm.com/software/tivoli/support

http://techsupport.services.ibm.com/guides/handbook.html

52 Release Notes

Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the

products, services, or features discussed in this document in other countries. Consult your local IBM

representative for information on the products and services currently available in your area. Any

reference to an IBM product, program, or service is not intended to state or imply that only that IBM

product, program, or service may be used. Any functionally equivalent product, program, or service that

does not infringe any IBM intellectual property right may be used instead. However, it is the user’s

responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this

document. The furnishing of this document does not give you any license to these patents. You can send

license inquiries, in writing, to:

IBM Director of Licensing

IBM Corporation

North Castle Drive

Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property

Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation

Licensing

2-31 Roppongi 3-chome, Minato-ku

Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such

provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION ″AS IS″

WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT

LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR

FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore,

this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically

made to the information herein; these changes will be incorporated in new editions of the publication.

IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this

publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in

any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of

the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without

incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the

exchange of information between independently created programs and other programs (including this

one) and (ii) the mutual use of the information which has been exchanged, should contact:


IBM Corporation

2Z4A/101

11400 Burnet Road

Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases

payment of a fee.

The licensed program described in this document and all licensed material available for it are provided

by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or

any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the

results obtained in other operating environments may vary significantly. Some measurements may have

been made on development-level systems and there is no guarantee that these measurements will be the

same on generally available systems. Furthermore, some measurement may have been estimated through

extrapolation. Actual results may vary. Users of this document should verify the applicable data for their

specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their

published announcements or other publicly available sources. IBM has not tested those products and

cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM

products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of

those products.

All statements regarding IBM’s future direction or intent are subject to change or withdrawal without

notice, and represent goals and objectives only.

All IBM prices shown are IBM’s suggested retail prices, are current and are subject to change without

notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject to change before the

products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate

them as completely as possible, the examples include the names of individuals, companies, brands, and

products. All of these names are fictitious and any similarity to the names and addresses used by an

actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming

techniques on various operating platforms. You may copy, modify, and distribute these sample programs

in any form without payment to IBM, for the purposes of developing, using, marketing or distributing

application programs conforming to the application programming interface for the operating platform for

which the sample programs are written. These examples have not been thoroughly tested under all

conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these

programs. You may copy, modify, and distribute these sample programs in any form without payment to

IBM for the purposes of developing, using, marketing, or distributing application programs conforming

to IBM‘s application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright

notice as follows:

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. ©

Copyright IBM Corp. _enter the year or years_. All rights reserved.

54 Release Notes

If you are viewing this information in softcopy form, the photographs and color illustrations might not be

displayed.

Trademarks

IBM, the IBM logo, AIX, DB2, IBMLink™, Informix®, OS/2®, OS/390®, OS/400®, Tivoli, Tivoli Enterprise

Console®, and TME® are trademarks or registered trademarks of International Business Machines

Corporation in the United States, other countries, or both.

Adobe®, Acrobat, PostScript® and all Adobe-based trademarks are either registered trademarks or

trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

Cell Broadband Engine™ and Cell/B.E.™ are trademarks of Sony Computer Entertainment, Inc., in the

United States, other countries, or both and is used under license therefrom.

Intel®, Intel logo, Intel Inside®, Intel Inside logo, Intel Centrino®, Intel Centrino logo, Celeron®, Intel

Xeon®, Intel SpeedStep®, Itanium®, and Pentium® are trademarks or registered trademarks of Intel

Corporation or its subsidiaries in the United States and other countries.

IT Infrastructure Library® is a registered trademark of the Central Computer and Telecommunications

Agency which is now part of the Office of Government Commerce.

ITIL® is a registered trademark, and a registered community trademark of the Office of Government

Commerce, and is registered in the U.S. Patent and Trademark Office.

Java and all Java-based trademarks and logos are trademarks or registered trademarks

of Sun Microsystems, Inc. in the United States, other countries, or both.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT®, and the Windows logo are trademarks of Microsoft Corporation in

the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.

Notices 55

56 Release Notes

��

Printed in USA

GC23-6501-00

Documents

T l Access Manager e-business