-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0498
          Tivoli Fed Id Mgr Business Gateway v6.2.1, Fix Pack 4,
                          6.2.1-TIV-TFIMBG-FP0004
                               9 April 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli Federated Identity Manager
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
                   z/OS
Impact/Access:     Increased Privileges -- Existing Account            
                   Denial of Service    -- Remote/Unauthenticated      
                   Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-1377 CVE-2010-4476 

Reference:         ASB-2012.0099
                   ASB-2011.0070
                   ASB-2011.0031
                   ESB-2013.0466
                   ESB-2012.1012

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg24033364

- --------------------------BEGIN INCLUDED TEXT--------------------

Tivoli Fed Id Mgr Business Gateway v6.2.1, Fix Pack 4,
6.2.1-TIV-TFIMBG-FP0004

Downloadable files

Abstract

This is a cumulative Fix Pack (FP) for a variety of problems in the
components that compose the TFIMBG 6.2.1 product. It upgrades a TFIMBG 6.2.1
installation to TFIMBG 6.2.1.4.

Download Description

This cumulative fix pack corrects problems in IBM Tivoli Federated Identity
Manager Business Gateway (Federated Identity Manager Business Gateway),
Version 6.2.1. It requires that Federated Identity Manager Business Gateway,
Version 6.2.1, be installed. After installing this fix pack, your Federated
Identity Manager Business Gateway installation will be at level 6.2.1.4.

IMPORTANT NOTICE


Potential cross-site scripting vulnerability via macros in event page
template files

Some IBM Tivoli Federated Identity Manager page macros might be
vulnerable to cross site scripting attacks when their values are not
properly encoded. Contact IBM Support for the list of macros that might
be subjected to this issue. To remediate this, add the macros provided by
IBM Support to the list of comma-separated tokens in the runtime custom
property SPS.PageFactory.HtmlEscapedTokens. Add these macros so that their
values are HTML-escaped in the template files. For example, if the list
of macros provided is:

    @EXAMPLE_MACRO1@
    @EXAMPLE_MACRO2@
    @EXAMPLE_MACRO3@


the value of the runtime custom property SPS.PageFactory.HtmlEscapedTokens
with the above macros added can be:

@REQ_ADDR@,@DETAIL@,@EXCEPTION_STACK@,@EXCEPTION_MSG@,@RESPONSE@,@TARGET@,
@DETAIL@,@SAMLSTATUS@,@EXAMPLE_MACRO1@,@EXAMPLE_MACRO2@,@EXAMPLE_MACRO3@

NOTE: Other macros that are prone to cross site scripting vulnerability
can also be added to SPS.PageFactory.HtmlEscapedTokens. The value of
this runtime custom property will be revised periodically and updated as
needed. For more information regarding the runtime custom property, access
http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.tivoli.fim.doc_6.2.1/reference/CustomPropsSPS.html.
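As an added illustration, not part of the IBM notice or of TFIM's own PageFactory code, the following Python models what the property controls: every macro named in SPS.PageFactory.HtmlEscapedTokens has its value HTML-escaped before substitution into the page template, while any unlisted macro is substituted verbatim. The macro regex, the template fragment, the macro values and the helper names are constructed for this example; it also adds an audit helper that lists the macros a template uses which are still missing from the escape list.

```python
"""Model of the SPS.PageFactory.HtmlEscapedTokens behaviour described in the
fix pack notice.  Added example, not IBM's PageFactory code: the template,
the macro values and the helper names are constructed for illustration."""
import html
import re
from typing import Dict, List, Set

# Property value from the notice, with the example macros appended.
# @DETAIL@ is listed twice there; the parser collapses duplicates.
HTML_ESCAPED_TOKENS = (
    "@REQ_ADDR@,@DETAIL@,@EXCEPTION_STACK@,@EXCEPTION_MSG@,@RESPONSE@,@TARGET@,"
    "@DETAIL@,@SAMLSTATUS@,@EXAMPLE_MACRO1@,@EXAMPLE_MACRO2@,@EXAMPLE_MACRO3@"
)

# Assumed macro syntax of TFIM page templates, e.g. @TARGET@ or
# @TOKEN:SPDisplayName@ (both forms appear in the fix pack notes).
MACRO_RE = re.compile(r"@[A-Za-z0-9_:]+@")


def parse_escaped_tokens(prop_value: str) -> Set[str]:
    """Split the comma-separated property into the set of macro names to escape.

    Surrounding whitespace is trimmed and duplicates collapse, so a list that
    repeats a macro (as the notice's example does with @DETAIL@) is harmless.
    """
    return {tok.strip() for tok in prop_value.split(",") if tok.strip()}


def render_template(template: str, values: Dict[str, str],
                    escaped_tokens: Set[str]) -> str:
    """Substitute every @MACRO@ in the template with its runtime value.

    Values of macros named in escaped_tokens are HTML-escaped first, so
    request-influenced data (an exception message, a target URL) cannot
    break out of the surrounding markup.  Unlisted macros are substituted
    verbatim, which is the exposure the notice asks administrators to close
    by extending the property.
    """
    def substitute(match):
        name = match.group(0)
        if name not in values:
            return name  # unknown macro left in place (assumption of this model)
        value = values[name]
        return html.escape(value, quote=True) if name in escaped_tokens else value

    return MACRO_RE.sub(substitute, template)


def unescaped_macros_in_template(template: str,
                                 escaped_tokens: Set[str]) -> List[str]:
    """Audit helper: macros a template uses that are NOT on the escape list.

    Run over the deployed page templates, this yields the macros whose values
    reach the browser unencoded, i.e. the set to review against the list
    obtained from IBM Support.
    """
    return sorted(set(MACRO_RE.findall(template)) - escaped_tokens)


if __name__ == "__main__":
    # Constructed event page fragment and request-derived macro values.
    template = ('<p>Error: @EXCEPTION_MSG@</p>\n'
                '<p>Target: @TARGET@</p>\n'
                '<p>Partner: @TOKEN:SPDisplayName@</p>')
    values = {
        "@EXCEPTION_MSG@": 'Signature check failed for "<unknown>"',
        "@TARGET@": "https://sp.example.com/acs?a=1&b=2",
        "@TOKEN:SPDisplayName@": "Example <b>Partner</b>",
    }
    tokens = parse_escaped_tokens(HTML_ESCAPED_TOKENS)
    print(render_template(template, values, tokens))
    print("still unescaped:", unescaped_macros_in_template(template, tokens))
```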

Possible security exposure with IBM WebSphere Application Server with
WS-Security enabled applications using LTPA tokens (CVE-2011-1377)

The security that the IBM WebSphere Application Server provides might be
weaker than expected when using web services security (WS-Security). A user
might randomly gain elevated privileges on the provider system. WS-Security
might assign the identity of a previously processed LTPA token to a new
inbound LTPA token after authentication. This impacts applications using
either JAX-WS or JAX-RPC.

Versions affected:

    IBM WebSphere Application Server, all platforms, Versions 8.0 through
    8.0.0.2, 7.0 through 7.0.0.21, and 6.1 through 6.1.0.41, 6.0.2 through
    6.0.2.43.
    IBM WebSphere Application Server Feature Pack for Web Services Versions
    6.1.0.9 through 6.1.0.39.


The same fix applies to the IBM WebSphere Application Server Standalone,
Network Deployment and Embedded (eWAS) versions. It also applies to
the eWAS version that is included with IBM Tivoli Federated Identity
Manager. For more information regarding the vulnerability and the fix,
access http://www.ibm.com/support/docview.wss?uid=swg21587536

Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the
WUI has not been previously installed, the WUI can be downloaded from
http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed
instructions on how to install the IBM WebSphere Update Installer, see
the WebSphere Update Installer documentation.

Apply the fix provided here to all Tivoli Federated Identity Manager
environments that use the affected versions of IBM WebSphere Application
Server as soon as possible. Select the fix that applies to your IBM WebSphere
Application Server environment and reference the corresponding readme file
for detailed fix installation instructions.

Denial of Service Security Exposure with Java JRE/JDK hanging when converting
2.2250738585072012e-308 number (CVE-2010-4476)

This security alert addresses a serious security issue: CVE-2010-4476
(Java Runtime Environment hangs when converting "2.2250738585072012e-308"
to a binary floating-point number). This vulnerability might cause the
Java Runtime Environment to hang, go into an infinite loop, and/or crash
resulting in a denial of service exposure. The JRE might hang if the number
is written without scientific notation (324 decimal places). In addition to
the Application Server being exposed to this attack, any Java program using
the Double.parseDouble method is also at risk of this exposure including
any customer written application or third party written application.

The following products contain affected versions of the Java Runtime
Environment:

    IBM WebSphere Application Server Versions 7.0 through 7.0.0.13 for
    Distributed, i5/OS and z/OS operating systems.
    IBM WebSphere Application Server Versions 6.1 through 6.1.0.35 for
    Distributed, i5/OS and z/OS operating systems.
    IBM WebSphere Application Server Versions 6.0 through 6.0.2.43 for
    Distributed, i5/OS and z/OS operating systems.


The same iFix applies to the IBM WebSphere Application Server Standalone,
Network Deployment and Embedded (eWAS) versions. It also applies to
the eWAS version that is included with IBM Tivoli Federated Identity
Manager. For more information regarding the vulnerability and the iFix,
access http://www.ibm.com/support/docview.wss?uid=swg21462019

Use the IBM WebSphere Update Installer (WUI) to apply the fix. If the
WUI has not been previously installed, the WUI can be downloaded from
http://www.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed
instructions on how to install the IBM WebSphere Update Installer, see
the WebSphere Update Installer documentation.

Apply the fix provided here to all Tivoli Federated Identity Manager
environments that use the affected versions of IBM WebSphere Application
Server as soon as possible. Select the fix that applies to your IBM WebSphere
Application Server environment and reference the corresponding readme file
for detailed iFix installation instructions.

JAVA.LANG.RUNTIMEEXCEPTION: SRV.8.2: REQUESTWRAPPER OBJECTS MUST EXTEND
SERVLETREQUESTWRAPPER OR HTTPSERVLETREQUESTWRAPPER (PM10357)

This APAR PM10357 is reported for WebSphere Application Server (WAS)
v6.1. As a result of this APAR, operations in the IBM Tivoli Federated
Identity Manager Management Console can fail with the following exception
observed in the log if the Management Console is deployed on an affected
version of WAS v6.1:

java.lang.RuntimeException: SRV.8.2: RequestWrapper objects must extend
ServletRequestWrapper or HttpServletRequestWrapper

Examples of operations that can fail include:

    Importing a keystore file
    Loading a mapping rule

Apply the fix provided here to all Tivoli Federated Identity Manager
environments that use the affected versions of IBM WebSphere Application
Server. Select the fix that applies to your IBM WebSphere Application Server
environment and reference the corresponding readme file for detailed iFix
installation instructions.

The same fix applies to the IBM WebSphere Application Server Standalone,
Network Deployment and Embedded (eWAS) versions. It also applies to the
eWAS version that is included with IBM Tivoli Federated Identity Manager.

The IBM WebSphere Update Installer (WUI) must be used to apply the
fix. If the WUI has not previously been installed, download the WUI from
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For
detailed instructions on how to install the IBM WebSphere Update Installer,
see the WebSphere Update Installer documentation.


Fix pack contents and distribution

This fix pack package contains:

    The fix pack zip file
    This README.


This fix pack is distributed as an electronic download from the IBM Support
Web Site.


Architecture

Software requirements for IBM Tivoli Federated Identity Manager Business
Gateway version 6.2.1 can be found here.


Fix packs superseded by this fix pack

6.2.1-TIV-TFIMBG-FP0002

6.2.1-TIV-TFIMBG-FP0001

Fix pack structure


Federated Identity Manager Business Gateway consists of the following
components that can be installed separately:

    Administration console
    Management service and runtime component
    Internet information services (IIS) Web plug-in
    Apache/IBM HTTP Server Web plug-in
    IBM Support Assistant plugin


This fix pack applies only to the administration console and management
service and runtime components (first two components listed above). These
two components must be at the same level. Therefore, if you install a fix
pack for either the administration console component or the management
service and runtime component, you must install the corresponding fix pack
for the other of these two components.

If the administration console and management service and runtime components
are not at the same fix pack level, they are not guaranteed to interoperate
with each other as designed.


APARs and defects fixed
Problems fixed by fix pack 6.2.1-TIV-TFIMBG-FP0004

The following problems are corrected by this fix pack. For more information
about the APARs listed here, see the IBM Tivoli Federated Identity Manager
Business Gateway support site for details.

APAR IV08525
SYMPTOM: SLO fails when 2 Service Providers are authenticated using the
same session index and both Service Provider federations are in the same
Tivoli Federated Identity Manager domain.

APAR IV16022
SYMPTOM: Unable to customize the error page for the FBTSPS061E error. When
this event occurs, there is no event mapping associated with it.

APAR IV19139
SYMPTOM: Federate this account link is generated as null?RelayState=
in the federations.jsp (ivtapp) of the SAML 2.0 Identity Provider.

APAR IV20677
SYMPTOM: The STSUUSER principal does not match the incoming subject name
id of the assertion when there is an existing WebSEAL session.

APAR IV15299
SYMPTOM: Requests to Tivoli Federated Identity Manager's WS-Trust 1.3
endpoint URL using the ?WSDL parameter to get the WSDL document cause
subsequent SOAP services to fail.

APAR IV13427
SYMPTOM: Certain points of contact that use the external authentication
interface do not recognize the identity of the user that is set by
Tivoli Federated Identity Manager in the response HTTP header (typically
"am-fim-eai-user-id"), because these points of contact are not aware that
Tivoli Federated Identity Manager URL-encodes this identity. Tivoli
Federated Identity Manager should not URL-encode this identity.

APAR IV14481
SYMPTOM: The BASE64 encoded token generated by the IVCred STS
module is split into multiple lines. This is not desirable in some cases.

APAR IV17522
SYMPTOM: No error message is reported when importing SAML 2.0 IDP or SP
whose metadata contains Organization element with no OrganizationURL element.

APAR IV15425
SYMPTOM: The Tivoli Federated Identity Manager STS does not support the
RequestType and KeyType elements on the RequestSecurityTokenResponse
message. The RequestType value should be set to the value received on the
request and the KeyType should be set on one of the values supported by
WS-Trust based on an attribute in the STS universal structure.

APAR IV12418
SYMPTOM: The STS obtains the base security token for execution from either
the base element on the RequestSecurityToken message or from the WS-Security
tokens included on the soap headers. Tivoli Federated Identity Manager
will take the first WS-Security token found on the soap header. After this
modification the SAML STS modules will look for the appropriate token type
included on the WS-Security headers when the change is enabled.

APAR IV26604
SYMPTOM: The Tivoli Federated Identity Manager Single Sign On protocol
service (SPS) SAML 2.0 protocol implementation allows a customer to use the
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified name identifier for
single sign on. By default, Tivoli Federated Identity Manager will treat
a urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified name identifier as
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent name identifier unless
the default name identifier is set to another type like emailAddress. The
Single Logout operation incorrectly queries the alias service if the
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified name identifier is
used and the default name identifier is set to emailAddress.

APAR IV26770
SYMPTOM: In the federation properties page in the Tivoli Federated Identity
Manager Management Console, updating the default artifact resolution
service unexpectedly updates the SOAP Endpoint URL value.

APAR IV26961
SYMPTOM: FIM is incorrectly processing SAML aliases with certain directory
servers.

APAR IV26775
SYMPTOM: If an invalid clusterId is used when creating a domain using the
Tivoli Federated Identity Manager CLI, the command succeeds but no runtime
can be deployed.

APAR IV26777
SYMPTOM: In the scenario where an identity provider federation is created
with Attribute Query enabled, if Attribute Query is disabled afterwards,
adding a service provider partner still creates an Attribute Query chain.

APAR IV26804
SYMPTOM: The partner entity is not cleaned from feds.xml after removing
a custom STS chain through console.

APAR IV26815
SYMPTOM: Multiple SAML 2.0 Attribute Query fixes.

APAR IV26817
SYMPTOM: Single Sign-On fails when feds.xml (partner section) contains
empty value for the delegationmodule_active_delegate_id.

APAR IV26818
SYMPTOM: The activate operation in manageItfimPointOfContact CLI for
WebSphere as Point of Contact does not behave correctly.

APAR IV26761
SYMPTOM: Unable to modify the encryption key transport algorithm for SAML
2.0 protocol.

APAR IV26960
SYMPTOM: The SAML 1.1 STS Token Module fails to populate the STSUU's
Principal correctly when the inbound SAML Assertion contains an
AuthenticationStatement with a type attribute that is set to something
other than "saml:AuthenticationStatement".

APAR IV26819
SYMPTOM: The macro "@TOKEN:SPDisplayName@" in
pages/C/saml20/consent_to_federate.html is incorrectly replaced with the
macro "@TOKEN:SPProviderID@".

APAR IV17313
SYMPTOM: If Tivoli Federated Identity Manager is configured to generate
IV Credential tokens without using pdacld and WebSEAL is configured to
support failover, failover cookies do not work.

APAR IV26763
SYMPTOM: RelayState URL encoding and decoding in SAML 2.0 unsolicited SSO
can only be configured at the global level. Support for federation and
partner level configuration is required.

APAR IV26820
SYMPTOM: Installation of the Tivoli Federated Identity Manager fails
with the following error message: javax.management.JMRuntimeException:
ADMN0022E: Access is denied for the getPlatformVersion operation on Server
MBean because of insufficient or empty credentials.

APAR IV26821
SYMPTOM: When connecting to an existing domain, the Point of Contact
profile is reset to WebSEAL.

APAR IV24202
SYMPTOM: Tivoli Federated Identity Manager does not provide 2048 bit option
as key size when generating certificate request or self-signed certificate
through Management Console.

APAR IV26765
SYMPTOM:
1. When defining a text field in GUIXML, and setting its default value to a
string containing a quotation mark, Tivoli Federated Identity Manager throws
an exception when loading the GUIXML page saying that the XML is invalid.
2. In an STS module which has an 'init' page widget which has a multi-valued
TextField, only the first value of the multiple values is displayed when
viewing the module instance properties.

APAR IV26822
SYMPTOM: Update log traces in FSSO and STS.

APAR IV26825
SYMPTOM: Update deployment descriptor for the Tivoli Federated Identity
Manager Management Console servlets.

APAR IV10813
SYMPTOM: Improve SAML Signature Conformance

APAR IV23430
SYMPTOM: Improve SAML signature conformance

APAR IV23442
SYMPTOM: Improve signature conformance

APAR IV23452
SYMPTOM: Improve OpenID signature conformance

APAR OA38176
SYMPTOM: NullPointerException is thrown when sending SAML 2.0 messages
(e.g. Logout Request) with invalid IssueInstant attribute.

APAR IV24378
SYMPTOM: Improve XML Signature Conformance

Problems fixed by fix pack 6.2.1-TIV-TFIM-FP0002
APAR IV10793
SYMPTOM: Improve SAML Signature Conformance

APAR IV09511
SYMPTOM: IBM Tivoli Federated Identity Manager SAML 2.0 SSO plugin
will generate an "invalid_message_timestamp" error when it receives an
AuthnRequest message with an IssueInstant where the second fractions are
higher than 999. The following is an example of a timestamp that generates
the issue: "2011-07-01T13:30:50.830773Z".

APAR IV09216
SYMPTOM: Enabling and disabling RelayState URL encoding and decoding in
SAML 2.0 unsolicited authentication response.

APAR IV07933
SYMPTOM: RelayState in the authentication request sent by the SAML 2.0
Service Provider into the Identity Provider is not available as query
string parameter in the redirect URL to the custom login page.

APAR IV07716
SYMPTOM: Security update for TFIM Runtime.

APAR IV06369
SYMPTOM: Configuration information related to keystore is removed from
kessjks.xml when SAML 1.1 or SAML 2.0 partner is added through CLI, no
metadata file is specified in the response file or metadata file specified
does not contain signing and encryption key, and keystore password provided
is wrong.

APAR IV07706
SYMPTOM: The STSUniversalUser java class does not preserve attributes with
empty values.

APAR IV01254
SYMPTOM: In cases where a SAML validation error occurs and there is no
message detail, the error page handler throws a NullPointerException.

APAR IZ96105
SYMPTOM: The TFIM SPS fails to return the appropriate page template when
a HTTP GET request does not specify the content encoding. Most browsers
do not send the Content-Type: header with the charset value defined for
GET requests.

APAR IZ94653
SYMPTOM: Ability for IVCRED STS Module to return error (default) or map
to special user account for unauthenticated user token.

APAR IZ98683
SYMPTOM: ADD ADDITIONAL TRACES FOR FBTSPS061E ERROR.

APAR IZ98685
SYMPTOM: When no Format attribute for the NameIDPolicy element is found
in the SAML 2.0 AuthnRequest message, the Identity Provider will treat
the Format as "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent". The
Identity Provider should instead refer to the "DefaultNameIDFormat"
parameter configured for the Federation/Partner, which is what it does
when the Format for the NameIdPolicy element in AuthnRequest message is
"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".

APAR IZ92853
SYMPTOM: The Audit Event Handler of an Audit Client Profile cannot be
changed into CARSAuditClientEventHandler using IBM Tivoli Federated Identity
Manager Management Console. This causes the CARSAuditClientEventHandler
setting not to be displayed in the Event Handler Setting tab in the Audit
Client Profile Properties page. This also causes the Audit Client Profile
Properties page to be reloaded when clicking the OK button in that page,
but without saving the Audit Client Profile.

APAR IZ97199
SYMPTOM: ClassCastException is thrown when exporting a key from a keystore
using IBM Tivoli Federated Identity Manager Command Line. This problem
happens when the parameter "exportPrivateKey" is not specified, or is
specified with value "false". CommandException is thrown when exporting
a key from a keystore using IBM Tivoli Federated Identity Manager Command
Line. This problem happens when the parameter "exportPrivateKey" is specified
with no value, or is specified with value "true". ClassCastException is
thrown when importing a keystore using IBM Tivoli Federated Identity Manager
Command Line. This problem happens when the parameter "trustedKeystore"
is not specified, or is specified with value "false".

APAR IZ97766
SYMPTOM: ChainableRuntimeException is thrown when exporting a key from
a keystore using the IBM Tivoli Federated Identity Manager Management
Console. This problem happens if the IBM Tivoli Federated Identity Manager is
deployed in certain WebSphere Application Server versions (e.g., WebSphere
Application Server 7 Fix Pack 11).

APAR IV00810
SYMPTOM: String "???????? Web ??????!" is returned when accessing the URL
http://hostname:9080/Info/InfoService using web browser. This problem might
happen when the language of the browser is different from the language of
the operating system where IBM Tivoli Federated Identity Manager Runtime
is installed.

APAR IV01646
SYMPTOM: Error message FBTCON366E is displayed when importing JavaScript
mapping rule using IBM Tivoli Federated Identity Manager Management
Console. This problem happens when the mapping rule contains statements
that throw exception.

APAR IV03152
SYMPTOM: Security update for IBM Tivoli Federated Identity Manager Runtime.

APAR IV07710
SYMPTOM: The IBM Tivoli Federated Identity Manager LTPA STS module support
code is not thread safe. The code uses a static instance of a JDK class that
is not thread safe, causing undetermined results while verifying or generating
the LTPA token signature in environments with a high volume of transactions.

APAR IV07696
SYMPTOM: KERBEROS STS MODULE TO ENFORCE TOKEN ONE TIME USE.

APAR IV07684
SYMPTOM: The CBEXMLAuditEvent audit profile event handler is not setting
the sequence number and global instance id on the audit records.

APAR IV07712
SYMPTOM: The IBM Tivoli Federated Identity Manager generates a
NullPointerException when the SAMLResponse received from the Identity
Provider does not include an Issuer value though the Issuer value is included
in the assertion.

APAR IV07708
SYMPTOM: SAML 2.0 SPS Module is setting the Destination attribute on
LogoutResponse message when the request is received through SOAP binding
at the Identity Provider and there is more than one service provider
session that was authenticated based on the Identity Provider session. The
Destination field might have the url for the incorrect partner that is
not the one that sent the LogoutRequest.

APAR IV07694
SYMPTOM: SAML 2.0 STS Module fails to validate the subject confirmation
method correctly when the assertion is received as part of the SAML
2.0 Single Sign On operation. The specification requires that an
assertion that is generated as part of a Single Sign On flow should
at least include one of the subject confirmation methods of value
urn:oasis:names:tc:SAML:2.0:cm:bearer.

APAR IV07713
SYMPTOM: The SAML 2.0 SPS module, during a Single Logout operation on
Service Provider side, invokes the alias service even if the email name
id format was used to single sign on the user. While the Single Logout
Operation is successful, an error is included on the logs though the alias
operation is not required.

APAR IV07689
SYMPTOM: LDAP ALIASES NOT DELETED FOR SAML 20 DEFEDERATE OPERATION

APAR IZ95850
SYMPTOM: TFIM Management Service and Runtime fail to start on WAS 6.0.2. The
following is observed in the logs: javax.management.MBeanException: null
nested exception is javax.management.ServiceNotFoundException: Cannot find
ModelMBeanOperationInfo for operation getInternalClassAccessMode

APAR IV07705
SYMPTOM: The STSMapDefault module in the sts.modules package allows the
following global variables to be available to Javascript mapping rules: -
stsuu (The STSUniversalUser), - stsrequest (the entire STSRequest object),
and - stsresponse (the entire STSResponse object). The validation of the
javascript fails if the javascript mapping rule references stsrequest
and/or stsresponse.

APAR IV07701
SYMPTOM: When the Format attribute for the NameID element in the SAML 2.0
Assertion is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
the Service Provider treats the Format as
"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent". The Service Provider
must instead refer to the "DefaultNameIDFormat" parameter configured for
the Federation/Partner.

APAR IV03083
SYMPTOM: Provider ID and assertion consumer service URL of an existing
partner of a SAML2 federation are not updated after changing the partner
using a response file through the command modifyItfimPartner with the
operation 'modify'.

APAR IV07681
SYMPTOM: When adding a SAML2.0 Identity Provider federation as a partner to
a Service Provider federation through CLI, although signing key identifier
is specified, a "FBTADM072E A key with alias 'null' was not found in the
keystore ''" appears and prevents the user from adding the partner.

APAR IV06765
SYMPTOM: Property doIntrospection of STS chain mapping is set to false
after updating the STS chain mapping by using the CLI.

APAR IV07683
SYMPTOM: The value of the attribute "IsDefault" of all assertion consumer
services of the SAML 2.0 Service Provider partner is changed to "true"
after clicking the OK or Apply button in the Partner Properties page in
the IBM Tivoli Federated Identity Manager Management Console.

APAR IV03048
SYMPTOM: Security update for the IBM Tivoli Federated Identity Manager
Management Console.

APAR IV03050
SYMPTOM: Security update for the IBM Tivoli Federated Identity Manager
Management Console.

APAR IV03038
SYMPTOM: Security update for the IBM Tivoli Federated Identity Manager
Runtime.

APAR IV05549
SYMPTOM: An HTML page, instead of a SOAP Fault, is returned as a response
when sending Request Security Token SOAP request to SAML 1.1 Artifact Service
endpoint. This problem happens when the request has invalid "Issuer" or
"AppliesTo".

APAR IV07725
SYMPTOM: Duplicate STS chain mappings are created when adding a SAML 2.0
Service Provider as a partner. This problem happens if the metadata of
the Service Provider contains at least three distinct assertion consumer
services with at least three distinct URLs.

APAR IV07714
SYMPTOM: Mapping from single logout URL to protocol is deleted from the
configuration file after clicking the OK or Apply button in the Federation
Properties page in Tivoli Federated Identity Manager Management Console. This
problem happens if the single logout bindings that are enabled are only
HTTP-Redirect and SOAP. The missing mapping causes single logout operation
to fail.

APAR IV07700
SYMPTOM: ClassCastException is thrown when adding or modifying LDAP host
using the IBM Tivoli Federated Identity Manager Command Line. This problem
happens if the parameter "hostPort" is 389, or the parameter "minConnections"
is 2, or the parameter "maxConnections" is 10, or the parameter "hostOrder"
is -1.

Problems fixed by fix pack 6.2.1-TIV-TFIMBG-FP0001

APAR IZ91383
SYMPTOM: SECURENONCEGENERATOR NOT READING THE RIGHT AMOUNT OF TIME BYTES

APAR IZ91348
SYMPTOM: NPE TRYING TO LOAD CONFIG INSTANCE IN TDI MAPPING RULE.

APAR IZ91413
SYMPTOM: CONSOLE WILL NOT SHOW LIST OF KEYS ON WEBSPHERE 7.0.0.11.

APAR IZ91349
SYMPTOM: SAML1.1 ARTIFACT RESOLUTION FAILURE NEEDS ERROR INFO IN MSG.

Internal defect 100956
SYMPTOM: NPE MODIFYING XSLT MAP MODULE IN CUSTOM TRUST CHAIN

APAR IZ91350
SYMPTOM: Missing InResponseTo attribute in samlp:Response error responses.

Internal defect 102832
SYMPTOM: DEFAULT NAMEID FORMAT NOT WORKING WHEN NO CLAIMS PASSED.

Internal defect 101623
SYMPTOM: NPE in console editing mapping rule.

APAR IZ91352
SYMPTOM: FEDERATION PARTNER UPDATE MODIFIES NON-ZERO ACS URL INDEX.

APAR IZ91414
SYMPTOM: XML PARSING OF INCOMING SAML MESSAGE FAILS WHEN MACHINE LOCALE
IS NOT UTF8-COMPATIBLE AND UTF-8 EXTENDED CHARACTERS APPEAR IN MSG.

APAR IZ91343
SYMPTOM: STATE INFORMATION IN SOME FEDERATION PROTOCOLS INVALID.

APAR IZ91344
SYMPTOM: PROVIDER NAME NEEDS TO BE PART OF THE AUTHENTICATION REQUEST.

APAR IZ91347
SYMPTOM: NULL EXCEPTION OCCURS DURING CLAIMS PROCESSING.

APAR IZ91258
SYMPTOM: The Management Console fixpack installation appears to complete
successfully but the console does not operate correctly.

APAR IZ91415
SYMPTOM: SAML 2.0 BEARER SUBJECT CONFIRMATION DATA PROCESSING NOT CONFORMANT.

APAR IZ91355
SYMPTOM: TDI STS MAP MODULE FAILS TO CACHE CORRECTLY CONFIG INFO

Internal defect 102057
SYMPTOM: STS LTPA TOKEN MODULE READING THE EXPIRATION DATE INCORRECTLY

APAR IZ91356
SYMPTOM: SAML STS MODULES CALCULATES WRONG VALIDITY PERIOD OF ASSERTION.

APAR IZ91357
SYMPTOM: UNABLE TO MODIFY SIGNATURE POLICY SETTINGS FOR SAML 2.0 PARTNER

APAR IZ91358
SYMPTOM: SAML20 SSO FAILS TO DETECT FATAL ERRORS WHILE READING ALIAS

APAR IZ91359
SYMPTOM: NON XML RESPONSE FOR BAD SAML 2.0 AUTHNREQUEST

APAR IZ81005
SYMPTOM: FIM CONSOLE FAILS TO DISPLAY SAML2 PROPS PAGE IF NO ARTIFACT

Internal defect 102887
SYMPTOM: Attribute Query request messages are not reporting timestamp
validation errors.

APAR IZ91416
SYMPTOM: Tivoli Federated Identity Manager SAML 2.0 metadata is not
properly formatted when TFIM is running on the latest versions of the
WebSphere Application Server.

APAR IZ91419
SYMPTOM: SAML 2.0 STS MODULE NOT READING THE DEFAULT NAMEID FORMAT PARAM.

APAR IZ91417
SYMPTOM: TFIM FAILS TO LOAD SAML METADATA WITH ENTITIES DESCRIPTOR

APAR IZ84999
SYMPTOM: Some of Tivoli Federated Identity Manager Console portlet pages
cannot be displayed when it is installed in WAS 7 FP 11.

APAR IZ91360
SYMPTOM: FIM CONSOLE INSTALL SHOULD SET JACL LANG WHEN CALLING WSADMIN

APAR IZ91418
SYMPTOM: For a WS-Trust v1.3 request, FIM Security Token Service returns
a response with multiple status codes, some of which contain WS-Trust v1.2
URI values.

Internal defect 100723
SYMPTOM: New domain created in 6.2.1 does not have all custom
properties. Namely ADMIN.validateFederationName and STS.showUSCChains
are missing.

Internal defect 102338
SYMPTOM: CLI throws a StringIndexOutOfBoundsException when adding a SAML
2.0 service provider partner to a SAML 2.0 federation.

Internal defect 102339
SYMPTOM: ClassCastException is thrown when configuring LDAP alias service
using Tivoli Federated Identity Manager Command Line. This problem happens
if at least one LDAP server exists in the system.

APAR IZ91351
SYMPTOM: Tivoli Federated Identity Manager supported the Oracle database for
the Tivoli Federated Identity Manager alias service, but attempts to use
Oracle displayed errors.

Internal defect IV07711
SYMPTOM: Tivoli Federated Identity Manager Configuration Guide does
not describe the steps to enable certificate revocation list checking
for certificates that are used for XML message signing, verification,
encryption, and decryption.

Prerequisites

You must have the following software installed to install this fix pack:

    Federated Identity Manager Business Gateway 6.2.1 and its
    prerequisites
    WebSphere Update Installer version 7.0.0.0 (see Update Installer below.)

Installation Instructions

Be aware of the following considerations before installing this fix pack:

Installation path specification for the Windows Server 2008 platform

This preinstallation item applies only to installations on a 64-bit Windows
platform like Windows Server 2008.

Because Federated Identity Manager Business Gateway is a 32-bit application,
its default path when installing on Windows Server 2008 changes from

C:\Program Files\IBM\FIM

to:

C:\Program Files (x86)\IBM\FIM

NOTE: This change to the installation path name also affects a 32-bit
WebSphere Application Server on Windows Server 2008:

C:\Program Files\IBM\WebSphere

changes to:

C:\Program Files (x86)\IBM\WebSphere

Update Installer
This fix pack requires the use of the WebSphere Update Installer version
7.0.0.0. Ensure that you have installed the correct version of the WebSphere
Update Installer on each computer where you will install the fix pack.

You can download the WebSphere Update Installer version 7.0.0.0 from
the WebSphere Application Server Update Installer Web site. Installation
instructions are on the download page.

Fix pack packaging
The IBM Tivoli Federated Identity Manager Business Gateway
6.2.1-TIV-TFIMBG-FP0004 patch package is provided on the Tivoli Support
Web site as a single downloadable zip file for each supported platform.

Select the package that is appropriate for the target platform, then
download the package and unzip the contents into a target directory,
typically the default WebSphere Update Installer directory, either

C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance

for Windows or

/opt/IBM/WebSphere/UpdateInstaller/maintenance

for Unix/Linux

Unzip the downloaded file before you attempt to apply the patch. The
unzipped contents are one or more pak files. Each pak file corresponds to
one or more product components. For example, a fix pack might contain two
pak files: one for the administration console and management service and
runtime components, and one for the WSSM component.

The full list of product components is described in Fix pack structure.

Use WebSphere Update Installer to apply the fixes of each pak file to the
target component on the system that you are updating. Apply all of the pak
files that are required by your installation to ensure that the software
levels in your environment are identical for all of the components for
which a pak file is supplied.

The fixes are tested against all affected components; therefore, to
minimize any possible issue that can arise from applying a partial fix,
ensure that you apply the complete set of files. See Installing the fix
pack for specific instructions on using Update Installer to apply the fixes.

Automatic creation of a backup directory
The Update Installer saves backup copies of the files that it replaces
during the installation. You do not need to manually back up the Federated
Identity Manager Business Gateway files.


Installing the fix pack

NOTE: Before installing this fix pack, ensure that you have reviewed the
prerequisites in Before installing the fix pack.


Downloading the fix pack

To obtain the fix pack:
1. Go to the IBM Tivoli Federated Identity Manager Business Gateway Support
Web site.
2. Click Download. The fix pack (6.2.1-TIV-TFIMBG-FP0004) should be listed
under Latest by date. If you do not see this fix pack listed, enter
"6.2.1-TIV-TFIMBG-FP0004" in the Search field to access the link to the
download window.
3. In the fix pack download window, scroll to the bottom of the window to
view a listing of the download packages by platform.
4. Select the platform that corresponds to the target platform where you
will apply the fixes. To ensure a secure download, you can select the DD
(Download Director) option. If you have not used Download Director before,
you must configure your browser to use Java security. Click What is DD? for
configuration instructions.

NOTE: For z/OS platform, please contact IBM Support to obtain the fix pack.

Setting the WebSphere security passwords

If security is enabled on the WebSphere Application Server where Federated
Identity Manager Business Gateway is installed, you must set the appropriate
password values in the fim.appservers.properties file before you can apply
the fix pack.

If security is not enabled, you can skip this step.

NOTE: If you add passwords to the fim.appservers.properties file, as
described below, specify the passwords in plain text. However, at the
end of the fix pack installation process these passwords are obfuscated
and are no longer available in plain text format.

To specify security passwords, use the following procedure:
1. Using a text editor, open the file
FIM_INSTALL_DIR/etc/fim.appservers.properties.
2. If the was.security.enabled property is present in the
fim.appservers.properties file and is set to true, then you must add two
password properties to the file:

    the was.admin.user.pwd property with a value of the administrator
    login password for the WebSphere Application Server where Federated
    Identity Management Business Gateway is deployed
    the was.truststore.pwd property with a value of the password for the
    trust store used for client-side SSL authentication in that WebSphere
    Application Server

For example,

    was.admin.user.pwd=was_admin_pw
    was.truststore.pwd=truststore_pw

3. If the ewas.security.enabled property is present in the
fim.appservers.properties file and is set to true, then you must add two
password properties to the file:

    the ewas.admin.user.pwd property with a value of the administrator
    login password for the Embedded WebSphere Application Server where
    Federated Identity Management Business Gateway is deployed
    the ewas.truststore.pwd property with a value of the password for the
    trust store used for client-side SSL authentication in that Embedded
    WebSphere Application Server

For example,

    ewas.admin.user.pwd=ewas_admin_pw
    ewas.truststore.pwd=truststore_pw

4. Save and close the fim.appservers.properties file
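
The password step above can be checked before the Update Installer is
started. The following shell script is an added example, not part of IBM's
README or product: it reads the properties file and, for each of
was.security.enabled and ewas.security.enabled that is set to true, confirms
that the two password properties the README requires are present. It reports
presence only and never prints the values. The sample file it writes is
constructed; the path FIM_INSTALL_DIR/etc/fim.appservers.properties and the
property names come from the README.

```shell
#!/bin/sh
# Pre-install check for the "Setting the WebSphere security passwords" step.
# Added example, not part of the IBM README. It only inspects the file and
# reports what the README says must be present; it never prints the passwords.
#
# Usage: check_fim_props "$FIM_INSTALL_DIR/etc/fim.appservers.properties"
# Exit status 0 when every required property is present, 1 otherwise.

# prop_value FILE KEY -> prints the value of KEY (last definition wins),
# or nothing when the key is absent. Comment lines (# or !) and CRLF line
# endings are tolerated.
prop_value() {
    awk -F= -v key="$2" '
        { sub(/\r$/, "") }                                  # strip CR
        /^[[:space:]]*[#!]/ { next }                        # skip comments
        $1 == key { v = substr($0, index($0, "=") + 1) }    # text after first =
        END { print v }
    ' "$1"
}

# check_fim_props FILE -> one line per required property, exit 1 if any missing
check_fim_props() {
    file=$1
    missing=0
    for prefix in was ewas; do
        enabled=$(prop_value "$file" "${prefix}.security.enabled")
        if [ "$enabled" = "true" ]; then
            for key in "${prefix}.admin.user.pwd" "${prefix}.truststore.pwd"; do
                if [ -n "$(prop_value "$file" "$key")" ]; then
                    echo "ok:      $key is set"
                else
                    echo "MISSING: $key (required because ${prefix}.security.enabled=true)"
                    missing=$((missing + 1))
                fi
            done
        else
            echo "info:    ${prefix}.security.enabled is not true; ${prefix}.* passwords not required"
        fi
    done
    [ "$missing" -eq 0 ]
}

# Demo on a constructed sample (not a real TFIM file): WebSphere security is
# enabled but the trust store password is still missing; embedded WAS is off.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample fim.appservers.properties
was.security.enabled=true
was.admin.user.pwd=was_admin_pw
ewas.security.enabled=false
EOF
check_fim_props "$sample" || echo "fix fim.appservers.properties before running the Update Installer"
rm -f "$sample"
```

The check is presence-only: it does not validate the passwords against
WebSphere. Because the README states the values are obfuscated at the end of
installation, re-running it afterwards should still report the keys as set,
while the values themselves are no longer the plain text that was entered.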

Applying the fix pack

1. Unzip the file you downloaded in Downloading the fix pack, preferably
into the default WebSphere Update Installer maintenance directory,

C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance

for Windows, or

/opt/IBM/WebSphere/UpdateInstaller/maintenance

for Unix/Linux.
2. Ensure that the WebSphere Application Server that hosts the Federated
Identity Management Business Gateway runtime and management service
component is running.
3. Ensure that the WebSphere Application Server that hosts the Federated
Identity Management Business Gateway console component is running.
4. Start the appropriate WebSphere Update Installer (typically located
in C:\Program Files\IBM\WebSphere\UpdateInstaller on Windows systems,
or in /opt/IBM/WebSphere/UpdateInstaller on UNIX-based systems).
5. In the Welcome window, click Next. Federated Identity Management Business
Gateway is not listed, but is supported.
6. Specify the path to the installation directory for Federated Identity
Management Business Gateway (typically C:\Program Files\IBM\FIM on Windows
systems, or /opt/IBM/FIM on UNIX-based systems), then click Next.
7. Select Install maintenance in the dialog.
8. Specify the path where the fix pack (.pak) files were unzipped. The
Update Installer automatically detects, enables, and displays the FIM fixes
(pak files).
9. Determine which product components are installed on the system that
you are updating. Install only the pak files that correspond to the
components on the target system. To determine the names and version
levels of the product components installed on the target system, view the
contents of the FIM_INSTALL_DIR/etc/version.properties file with a text
editor. The following list describes how to interpret the properties in
the version.properties file:

itfim.build.version.rte-mgmtsvcs=version
Specifies that the management service and runtime component is installed
at the level specified by version.
itfim.build.version.mgmtcon=version
Specifies that the administration console component is installed at the
level specified by version.
itfim.build.version.wsprov=version
Specifies that the WS-provisioning runtime component is installed at the
level specified by version.
itfim.build.version.wssm=version
Specifies that the Web services security management (WSSM) component is
installed at the level specified by version.
itfim.build.version.fimpi=version
Specifies that the Web plug-in (either the Internet Information Services
(IIS) Web plug-in or the Apache/IBM HTTP Server Web plug-in) is installed
at the level specified by version.

Apply the fix packs to the product's components in the following order:
1. Management service and runtime, and administration console
2. Other components
10. Compare the list of installed components to the list of pak files in
the WebSphere Update Installer, and select the pak files that correspond
to the installed components. Then, click Next.

NOTE: The WebSphere Update Installer allows you to select more than one pak
file at a time for execution. Select only the pak files that correspond to
the components that are installed on the system you are updating. If you
accidentally install more pak files than are needed, you can separately
uninstall any fix packs for components that are not installed on the
target system.
11. If needed (for example, if you must install multiple pak files on the
target system, and you only installed one pak file), repeat the previous
step to install any additional pak files on the target system.
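
The version.properties inventory in step 9 and the apply order that follows
it can be turned into a check. The following shell script is an added
example, not IBM's tooling: it reads the five itfim.build.version.* keys the
README lists, reports which components are installed and at what level, and
prints, in the README's apply order (management service and runtime and
console first, then the rest), the components not yet at the target level,
which is 6.2.1.4 for this fix pack. The sample file it writes is
constructed and its version values are illustrative; the target level is
passed as a parameter.

```shell
#!/bin/sh
# Inventory check for FIM_INSTALL_DIR/etc/version.properties.
# Added example, not IBM's tooling. Reads the component keys named in the
# fix pack README, prints what is installed, and lists the components that
# still need their pak file applied, in the README's apply order.
#
# Usage: report "$FIM_INSTALL_DIR/etc/version.properties" 6.2.1.4

# Component keys from the README, in the order the fix pack should be applied
# (management service/runtime and console first, then the other components).
COMPONENT_ORDER="rte-mgmtsvcs mgmtcon wsprov wssm fimpi"

# describe COMPONENT -> the component name as the README gives it
describe() {
    case $1 in
        rte-mgmtsvcs) echo "management service and runtime" ;;
        mgmtcon)      echo "administration console" ;;
        wsprov)       echo "WS-provisioning runtime" ;;
        wssm)         echo "Web services security management (WSSM)" ;;
        fimpi)        echo "Web plug-in (IIS or Apache/IBM HTTP Server)" ;;
        *)            echo "unknown component" ;;
    esac
}

# component_version FILE COMPONENT -> version recorded for
# itfim.build.version.COMPONENT, or nothing if that key is absent
# (absent key = component not installed). Comments and CRLF tolerated.
component_version() {
    awk -F= -v key="itfim.build.version.$2" '
        { sub(/\r$/, "") }
        /^[[:space:]]*[#!]/ { next }
        $1 == key { v = substr($0, index($0, "=") + 1) }
        END { print v }
    ' "$1"
}

# pending_components FILE TARGET -> one line per installed component whose
# recorded version differs from TARGET, in apply order
pending_components() {
    for c in $COMPONENT_ORDER; do
        v=$(component_version "$1" "$c")
        [ -n "$v" ] && [ "$v" != "$2" ] && echo "$c"
    done
    return 0
}

# report FILE TARGET -> human-readable inventory with per-component status
report() {
    echo "Components recorded in $1 (target level $2):"
    for c in $COMPONENT_ORDER; do
        v=$(component_version "$1" "$c")
        if [ -n "$v" ]; then
            status=ok
            [ "$v" != "$2" ] && status="apply the pak file for this component"
            printf '  %-13s %-10s %s [%s]\n' "$c" "$v" "$(describe "$c")" "$status"
        fi
    done
}

# Demo on a constructed sample (version values are illustrative only).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample version.properties, not from a real installation
itfim.build.version.rte-mgmtsvcs=6.2.1.3
itfim.build.version.mgmtcon=6.2.1.3
itfim.build.version.wssm=6.2.1.4
EOF
report "$sample" 6.2.1.4
echo "Select pak files, in this order, for:"
pending_components "$sample" 6.2.1.4
rm -f "$sample"
```

Components whose key is missing from the file are treated as not installed
and produce no output, which matches the README's instruction to select only
the pak files for components present on the target system.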

Deploying the fix pack runtime component

The fix pack install automatically deploys the newly installed Federated
Identity Manager Business Gateway runtime. However, you must verify that
the current deployed version is 6.2.1.4 by performing the following steps:
1. Log in to the console, and click Tivoli Federated Identity Manager ->
Manage Configuration -> Domain Properties. The details of the components
installed in the domain are listed.
2. Review the Runtime Information. For example:
Runtime Information
----------------------------------------------
Current deployed version 6.2.1.4 [101018a]

NOTE: The number in the brackets [101018a] might be different from this
example.

If the automatic deployment fails (see Internal defect 103544), the runtime
can be deployed manually using the console by performing the following steps:
1. Log in to the console, and click Tivoli Federated Identity Manager ->
Manage Configuration -> Runtime Node Management. The Runtime Node Management
panel is displayed.
2. To deploy the runtime node, click the Deploy Runtime button. If the
button is inactive, the runtime node is already deployed.

Then, restart the ITFIMManagementService.


Restarting the ITFIMManagementService
1. Log in to the Integrated Solutions Console.
2. Select Applications -> WebSphere enterprise applications.
3. Select ITFIMManagementService from the Enterprise Applications list.
4. Click Stop.
5. Select ITFIMManagementService in the Enterprise Applications list.
6. Click Start.

Publish the fix pack plug-ins to the runtime and reload the configuration

After you install the fix pack and redeploy the Tivoli Federated Identity
Manager runtime, you must re-publish the plug-ins to the runtime and reload
the configuration.

Use the following procedure to re-publish the plug-ins:
1. Log in to the administration console.
2. Select Domain Management -> Runtime Node Management.
3. Click Publish Plugins.
4. After the plug-ins are published, reload the runtime configuration.

URL                                        LANGUAGE   SIZE(Bytes)
6.2.1-TIV-TFIMBG-FP0004.README-notoc.html  English    11111

Download package

NA

Download                 RELEASE DATE  LANGUAGE  SIZE(Bytes)  Download Options
6.2.1-TIV-TFIMBG-FP0004  03 Sep 2012   English   104923284    FC (Fix Central)

Problems (APARS) fixed
IV10793, IV09511, IV09216, IV07933, IV07716, IV06369, IV07706, IV01254,
IZ96105, IZ94653, IZ98683, IZ98685, IZ92853, IZ97199, IZ97766, IV00810,
IV01646, IV03152, IV07710, IV07696, IV07684, IV07712, IV07708, IV07694,
IV07713, IV07689, IZ95850, IV07705, IV07701, IV03083, IV07681, IV06765,
IV07683, IV03048, IV03050, IV03038, IV05549, IV07725, IV07714, IV07700,
IZ91383, IZ91348, IZ91413, IZ91349, IZ91350, IZ91352, IZ91414, IZ91343,
IZ91344, IZ91347, IZ91258, IZ91415, IZ91355, IZ91356, IZ91357, IZ91358,
IZ91359, IZ81005, IZ91416, IZ91419, IZ91417, IZ84999, IZ91360, IZ91418,
IZ91351, IV07711, IV08525, IV16022, IV19139, IV20677, IV15299, IV13427,
IV14481, IV17522, IV15425, IV12418, IV26604, IV26770, IV26961, IV26775,
IV26777, IV26804, IV26815, IV26817, IV26818, IV26761, IV26960, IV26819,
IV17313, IV26763, IV26820, IV26821, IV24202, IV26765, IV26822, IV26825,
IV10813, IV23430, IV23442, IV24378


Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product
and service names might be trademarks of IBM or other companies. A current
list of IBM trademarks is available on the Web at "Copyright and trademark
information" at www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================