Download
Abstract
This is a cumulative fix pack patch for a variety of problems in the components that compose the Tivoli Federated Identity Manager 6.2.0 product.
Download Description
This cumulative fix pack corrects problems in IBM Tivoli Federated Identity Manager, Version 6.2.0. It requires that Version 6.2.0 be installed. After installing this fix pack, your installation will be at level 6.2.0.3.
Fix pack contents and distribution
This fix pack package contains:
- The fix pack zip file
- This README.
This fix pack is distributed as an electronic download from the IBM Support Web Site.
Architectures
This fix pack package supports the same operating system releases that are listed in the Hardware and software requirements topic for Federated Identity Manager Version 6.2.0.
ATTENTION: In April 2009, FP0002 added support for z/OS Release 1 Version 10. To obtain the PTF (UA47064) that corresponds to FP0002 and Activation instructions click here.
ATTENTION: In April 2009, FP0002 added support for WebSphere Application Server Release 7.0 Fix Pack 3 (release date March 27, 2009)
ATTENTION: In May 2009, FP0002 added support for Windows 2003 Server x86-64.
ATTENTION: In July 2009, FP0002 added support for Oracle 10g.
ATTENTION: In September 2009, FP0002 added support for SUSE Linux Enterprise Server 11 (SLES 11) x86, x86-64, zSeries, pSeries. Note: Defect 91189, WebSEAL not configuring on SLES 11.
ATTENTION: In November 2009, FP0003 added support for Internet Explorer 8 (IE8). Note: IE8 throws a certificate error while accessing secure sites (through https). This can be worked around by clicking ‘Continue’.
ATTENTION: In November 2009, FP0003 added support for Windows 2008 R2 Server (x86-64). Note: 90900: GUI not thrown on GUI install for WIN2K8 R2 (workaround: -console mode is required on Windows 2008 R2); 94583: TFIMBG install does not put ivtapp.bat in Win 2K8 R2 GA.
ATTENTION: In December 2009, FP0003 added support for Mozilla FireFox 3.5. Note: Firefox 3.5 throws a certificate error while accessing secure sites (through https). This can be worked around by clicking on ‘Add an Exception’.
Fix packs superseded by this fix pack
6.2.0-TIV-TFIM-FP0001
6.2.0-TIV-TFIM-FP0002
Federated Identity Manager consists of the following components that can be installed separately:
- Administration console
- Management service and runtime component
- Web services security management (WSSM)
- WS-provisioning runtime
- Internet information services (IIS) Web plug-in
- Apache/IBM HTTP Server Web plug-in
- IBM Support Assistant plugin
This fix pack applies only to the administration console, management service and runtime component, and Web services security management (first three components listed above). These three components must be at the same level. For example, if you install a fix pack for the management service and runtime component, you must install the corresponding fix packs for the administration console and WSSM components. If all three components are not at the same fix pack level, they are not guaranteed to interoperate with each other as designed.
APARs and defects fixed
Problems fixed by fix pack 6.2.0-TIV-TFIM-FP0003
The following problems are corrected by this fix pack. For more information about the APARs listed here, refer to the Tivoli Federated Identity Manager support site.
- APAR IZ66695
- SYMPTOM: JDBC alias service is case sensitive for username.
- APAR IZ40010
- SYMPTOM: TFIM IDP displays blank page when initiating solicited SSO for a second time.
- APAR IZ41865
- SYMPTOM: The solution was to pass the relay state to the URL so that customers can use the capability to override the target URL using the credential attribute we already support.
- APAR IZ44890
- SYMPTOM: When sending a Kerberos token to the Security Token Service the following error gets returned
- APAR IZ46723
- SYMPTOM: When upgrading an expired validation and encryption certificate, the keystore "view keys" shows the certificate as expired.
- APAR IZ46765
- SYMPTOM: The Where Are You From (WAYF) Cookie lifetime needs to be configurable via the gui.
- APAR IZ47454
- SYMPTOM: Passticket module incorrect logging verbosity.
- APAR IZ47952
- SYMPTOM: When using samlsso and adding a target url with query string the parameters are lost and don't make it to the SP.
- APAR IZ50906
- SYMPTOM: SOAP faults are returned for WS-Trust validates request types.
- APAR IZ51243
- SYMPTOM: The init URL for an unsolicited AuthnResponse has a Target query string parameter that allows the requester to inject JavaScript that is executed when the request is sent to the service provider.
- APAR IZ51457
- SYMPTOM: When a runtime node is not configured a NullPointerException will be displayed in the browser when a sign-on transaction is attempted.
- APAR IZ51459
- SYMPTOM: An incorrect ByteArrayOutputStream class was used that is not supported on all platforms.
- APAR IZ52979
- SYMPTOM: TFIM Fails to enforce signature policy properly for assertion.
- APAR IZ53517
- SYMPTOM: When calling the artifact service and passing in an assertion to get back an artifact, if a custom module encounters an error and generates an exception stack trace that includes some special characters the Artifact service fails to include the exception on the SOAP Fault.
- APAR IZ54678
- SYMPTOM: SAML 2.0 Configuration objects did not implement the Serializable interface.
- APAR IZ55551
- SYMPTOM: The Management Console fixpack installation appears to complete successfully but the console doesn't operate correctly.
- APAR IZ56179
- SYMPTOM: UPDATING THE PARTNER VIA PROPERTIES PAGE CORRUPTS THE CONFIG
- APAR IZ56265
- SYMPTOM: TFIM fails to split url properly if "sps" is in the hostname.
- APAR IZ56459
- SYMPTOM: After unlinking account, under some circumstances the Alias entry will not be removed.
- APAR IZ56548
- SYMPTOM: TFIM supported the Oracle database for the TFIM alias service, but attempts to use Oracle displayed errors.
- APAR IZ60816
- SYMPTOM: Federation stops at https://ecarl16.bc/fim/sps/wssoi screen
- APAR IZ62620
- SYMPTOM: Authorization decision query returning invalid decision query
- APAR IZ62955
- SYMPTOM: SAML 1.X module does not validate recipient value on response
- APAR IZ63597
- SYMPTOM: WS-TRUST 1.2 RequestSecurityTokenResponse message is different than TFIM 6.0.0 response message.
- APAR IZ63967
- SYMPTOM: When TFIM returns HTTP Cookies to the browser none of the secure bits are set.
- APAR IZ47754
- SYMPTOM: ManageNameID defederate to an SP where the alias does not exist
- APAR IZ48248
- SYMPTOM: SAML 2.0 IDP incorrectly processes the unspecified nameid format and always treats unspecified as a persistent id.
- APAR IZ49157
- SYMPTOM: OpenID Caches are not per-federation
- APAR IZ48258
- SYMPTOM: OpenID relying-party association cache indexing error
- APAR IZ48262
- SYMPTOM: SOAP Client fails to initialize if using trust store with password
- APAR IZ66903
- SYMPTOM: HMAC-SHA256 ASSOC TYPE FAILS WITH NO-ENCRYPTION SESSION TYPE
- APAR IZ66905
- SYMPTOM: INCORRECT HANDLING OF LOST ASSOCIATION
- APAR IZ66908
- SYMPTOM: POST MESSAGE TO RETURN_TO URL SHOULD USE QUERY STRING IF POSSIBLE
- APAR IZ66770
- SYMPTOM: Form Post parameters should always be HTML encoded.
- APAR IZ66769
- SYMPTOM: INTERNAL APAR FOR STS CONFORMANCE UPDATES
- APAR IZ66771
- SYMPTOM: INTERNAL APAR FOR TFIM 620 BUILD UPDATES
- APAR IZ66772
- SYMPTOM: INTERNAL APAR FOR TFIM 620 POINT OF CONTACT UPDATES
- APAR IZ66773
- SYMPTOM: Internal apar for SAML conformance updates
- APAR IZ52557
- SYMPTOM: The Event Handler extension point does not have access to event trail id.
- APAR IZ52563
- SYMPTOM: tfimcfg tool doesn't work correctly in a multi-TAM domain
- APAR IZ48249
- SYMPTOM: SAML 2.0 Service Provider cannot validate SSL certificate on a list of trusted signers
- APAR IZ41018
- SYMPTOM: When triggering an MNIDS operation for a user who does not have an alias stored in the LDAP alias repository, WebSEAL returns a server error.
- APAR IZ35877
- SYMPTOM: A NullPointerException occurs when the SAML 2.0 Response does not contain an issuer.
- APAR IZ47906
- SYMPTOM: TFIM complains "invalid_message_timestamp" when it receives an AuthnRequest with a SAML 2.0 IssueInstant with the date time format of "2008-07-01T13:30:50.830773Z"
- APAR IZ44577
- SYMPTOM: STSMessageLogger does not work with multiple custom extensions. If two different chains utilize the STSMessageLogger, each with its own custom extension, only one of the extensions is used, and it is used by both chains.
- APAR IZ44576
- SYMPTOM: STSMessageLogger does not work with Information Card IDP trust chain. When the STSMessageLogger is used as the first element in a trust chain for an Information Card IDP federation, and a card is used at a RP, the retrieval of a security token from the IDP fails. The IDP's WebSphere log shows the exception com.ibm.ws.webservices.engine.InternalException java.lang.IllegalArgumentException.
- APAR IZ44575
- SYMPTOM: STSMessageLogger leaves open files locked on every TFIM single-sign-on. When the STSMessageLogger is used in a trust chain for federated single sign-on, a new message logger file is created on every request. This rapidly results in file handle starvation.
- APAR IZ44573
- SYMPTOM: When using the STSMessageLogger in a trust chain, a new file is created each time the "Reload Configurations" operation is performed (i.e. an OSGi runtime restart). These file handles are left open until WebSphere is restarted.
- APAR IZ44572
- SYMPTOM: STSMessageLogger does not work when using WS-Trust 1.3 requests to the Tivoli Federated Identity Manager (TFIM) Security Token Service.
- APAR IZ44571
- SYMPTOM: If an OP returns an OP-Identifier as the claimed identifier then the Relying-Party does not reject the login and allows authentication to succeed. The Relying-Party should reject the login. This issue affects only OpenID relying-party configurations during OP-identifier login.
- APAR IZ44569
- SYMPTOM: OpenID Identity Provider hangs for long time when the relying-party sends an empty association handle. This results in a 30-second login time from this type of relying-party.
- APAR IZ44567
- SYMPTOM: Some OpenID relying-party logins fail if an empty OpenID invalidate_handle value is sent in the login response. This problem is discovered when testing with WebSphere sMash.
- APAR IZ44562
- SYMPTOM: If any page template that contains repeatable replacements is called with a replacement string that contains a single backslash or a dollar sign ($) then the replacement will not function correctly and will cause an IllegalArgumentException.
- APAR IZ44560
- SYMPTOM: When tracing is turned on for the class com.tivoli.am.fim.infocard.delegates.InfoCardSTSDelegate and username/password information card is presented at the IDP to exchange for a SAML assertion, the user's password is exposed in clear text in trace.
- APAR IZ44570
- SYMPTOM: OpenID Identity Provider SREG Namespace handling is broken. This problem is discovered when testing with WebSphere sMash. The OpenID identity provider should return the same SREG namespace as it received.
- APAR IZ44555
- SYMPTOM: If a user trusts an OpenID relying party site, then deletes the trust from the site manager, and re-accesses the site, the consent-to-authenticate page is not being displayed when it should. This affects OpenID identity provider installations.
- APAR IZ44557
- SYMPTOM: The OpenID 2.0 flows are non-conformant with the specification regarding a claimed identifier of identifier_select.
- APAR IZ44559
- SYMPTOM: The closing macro delimiter, @OPTIONAL_ATTRIBUTE@, is missing from the consent.html template file for the label for optional SREG attributes. This only applies to OpenID identity provider federations.
- APAR IZ44563
- SYMPTOM: OpenID RP in white-list scenario has severely slow performance.
- APAR IZ35057
- SYMPTOM: The SAML Assertion token generator was not issuing Assertions correctly with SubjectConfirmation methods of holder-of-key and sender-vouches.
- APAR IZ47911
- SYMPTOM: The publish plugins MBean action requires a domain to be passed in which causes a problem on systems where a TFIM fix pack is applied before TFIM is configured.
- APAR IZ47912
- SYMPTOM: Calls to IDMappingExtUtils.AddAliasForUser (which is typically made from a mapping rule) appear to succeed for non-existent users when they actually do not succeed. No alias is added. This problem is only applicable on systems with the TFIM Alias service set to LDAP using TAM.
- APAR IZ35742
- SYMPTOM: IDP source validation cannot be done because the SAML 1.x browser-artifact doesn't contain the IDP source. Relying-parties must be able to check in the mapping rule that the Issuer contained in an assertion comes from the expected IDP partner. Without this capability, rogue IDPs can spoof other IDPs' assertion issuers.
- APAR IZ47913
- SYMPTOM: When making STS requests to the WS-T 1.3 endpoint and authentication is enabled the requestor is not challenged to authenticate. This is because the WS-T 1.3 endpoint is missing the security constraint definition.
- APAR IZ47917
- SYMPTOM: When uninstalling a fixpack, the process might fail at the very end. The UPDI log shows that the backup pak file for the fixpack could not be removed from the system. The problem affects only Windows platform.
- APAR IZ47918
- SYMPTOM: The authentication data used during authentication callback is not made available when WebSeal is the PoC. The authentication mechanism being used for WebSeal PoC will not work because the authentication information such as the federation name, federation id, etc is not available.
- APAR IZ47919
- SYMPTOM: When running TFIM using WAS as the Point of Contact at the SP and WebSEAL at the IDP, you will get a null pointer exception when logout is invoked from the Service Provider after a successful SSO.
- APAR IZ48040
- SYMPTOM: The mapping rule example file ip_saml_20_email_nameid.xml is missing the namespace definition.
- APAR IZ48041
- SYMPTOM: Routine build maintenance.
Problems fixed by fix pack 6.2.0-TIV-TFIM-FP0002
Problems fixed by fix pack 6.2.0-TIV-TFIM-FP0001
- APAR IZ32487
- SYMPTOM: SAML 2.0 sessions expire immediately if the Amount of time the assertion is valid property is set to 4294080 seconds or greater (49.7 days or greater).
- APAR IZ31416
- SYMPTOM: The WSSM trust client inserts erroneously a wsse namespace declaration into the wst:Base element when building requests to the trust service.
- APAR IZ25784
- SYMPTOM: When running in a WebSphere 6.0.2.x environment, an error could occur when importing or upgrading a Federated Identity Manager 6.1.1.x domain, if custom token modules were developed for it.
- APAR IZ29211
- SYMPTOM: A failure could occur while performing a SAML 2.0 single logout with the Service Provider, if the assistant name identifier was configured for the federation. The reported error was FBTSML219E.
- APAR IZ29167
- SYMPTOM: The underlying secure protocol of an HTTPS connection created by Tivoli Federated Identity Manager is hard-coded to be SSL. See the README for more information.
- APAR IZ30074
- SYMPTOM: A timestamp is embedded within a passticket, but the time value interval is only granular to a full second. See the README file for more information.
- APAR IZ30083
- SYMPTOM: An error could occur when attempting to run the tfimcfg tool in a Sun Solaris(TM) environment. The error was seen after the WebSEAL hostname was provided. The reported error stated that HTTPS is not a recognized protocol.
- APAR IZ30053
- SYMPTOM: A performance degradation problem could occur when a federated single sign-on is attempted using LDAP registries containing millions of federated users. Depending on system and network conditions, a single sign-on operation could fail due to timeouts. The associated error reported a bad subtree search in LDAP.
- APAR IZ30060
- SYMPTOM: A potential problem could occur with the use of the OpenId Provider local identifier. When using OpenID 2.0, the Relying Party should differentiate between Claimed Identifiers and OP-Local Identifiers. The Federated Identity Manager implementation used the OP-Local identifier, if present, for both values. This APAR fixes this problem by ensuring compliance with the OpenID 2.0 specification.
- APAR IZ30061
- SYMPTOM: The OpenID Claimed Identifier was incorrectly normalized during HTML discovery. While performing an OpenID HTML discovery, the default action in the OpenID Relying Party was to follow redirections automatically which prevented the proper canonicalization of the final Claimed Identifier (claimed_id) URL.
- APAR IZ30076
- SYMPTOM: LTPA v2 issued tokens that were rejected by WebSphere Application Server versions 6.0.2 and 6.1. See the README file for more information.
- APAR IZ30078
- SYMPTOM: Logging and tracing could not be set for identity mapping from within an XSLT rule. See the README file for more information.
- APAR IZ30080
- SYMPTOM: An XSLT identity mapping failure occurred when using the alias server with JDBC. See the README file for more information.
- APAR IZ34569
- SYMPTOM: When an RST is sent to the STS with an empty textnode for either the AppliesTo, PortType or OperationName a null pointer exception is thrown.
- APAR IZ34571
- SYMPTOM: The Higgins Client Jars directory adks/client/sts is missing some dependency JARs and includes unnecessary server JARs.
- APAR IZ34573
- SYMPTOM: In an OpenID exchange the RP cannot display an appropriate login identifier on the screen to end users if the OP-identifier was used to login. See the README file for more information about the fix.
Prerequisites
You must have the following software installed in order to install this fix pack:
- Federated Identity Manager 6.2.0 and its prerequisites
- WebSphere Update Installer version 7.0.0.0 (see Update Installer below)
- Enablement fix for Tivoli Federated Identity Manager (see Preinstallation enablement requirement for installing the fix pack for the first time below)
Installation Instructions
Be aware of the following considerations before installing this patch:
- Installation path specification for the Windows Server 2008 platform
- This preinstallation item applies only to installations on a 64-bit Windows platform like Windows Server 2008.
Because Federated Identity Manager is a 32-bit application, its default path when installing on Windows Server 2008 changes from
C:\Program Files\IBM\FIM
to:
C:\Program Files (x86)\IBM\FIM
Note that this change to the installation path name also affects a 32-bit WebSphere Application Server on Windows Server 2008:
C:\Program Files\IBM\WebSphere
changes to:
C:\Program Files (x86)\IBM\WebSphere
- Update Installer
- This fix pack requires the use of the WebSphere Update Installer version 7.0.0.0. Ensure that you have installed the correct version of the WebSphere Update Installer on each computer where you will install the fix pack. You can download the WebSphere Update Installer version 7.0.0.0 from the WebSphere Application Server Update Installer Web site. Installation instructions are on the download page.
- Fix pack packaging
- This Tivoli Federated Identity Manager 6.2.0-TIV-TFIM-FP0003 patch package is provided on the Tivoli Support Web site as a single downloadable zip file for each supported platform. After you select the package that is appropriate for the target platform, download the package and unzip the contents into a target directory, typically the default WebSphere Update Installer directory, either
C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance
for Windows or
/opt/IBM/WebSphere/UpdateInstaller/maintenance
for Unix/Linux.
You must unzip the downloaded file before you attempt to apply the patch. The unzipped contents are one or more pak files. Each pak file corresponds to one or more product components. For example, a fix pack might contain two pak files: one for the administration console and management service and runtime components, and one for the WSSM component. The full list of product components is described in Fix pack structure.
You use WebSphere Update Installer to apply the fixes of each pak file to the target component on the system that you are updating. Apply all of the pak files that are required by your installation to ensure that the software levels in your environment are identical for all of the components for which a pak file is supplied. The fixes are tested against all affected components; therefore, to minimize any possible issue that can arise from applying a partial fix, ensure that you apply the complete set of files. See Installing the fix pack for specific instructions on using Update Installer to apply the fixes.
- Automatic creation of a backup directory
- The Update Installer saves backup copies of the files that it replaces during the installation. You do not need to manually back up the Federated Identity Manager files.
Preinstallation enablement requirement for installing the fix pack for the first time
If this is the first time you are applying the fix pack to Federated Identity Manager, you must download and install the enablement fix for Tivoli Federated Identity Manager.
NOTE: Perform the following steps only if this is the first time you are applying a fix pack. You will not need to perform these steps for subsequent product updates.
- Download the enablement fix into the Federated Identity Manager installation directory (typically C:\Program Files\IBM\FIM on a Windows system or /opt/IBM/FIM on a UNIX-based system) by clicking here.
- Use the unzip option of the zip program for your operating system to unzip the file. On HP-UX, either use
jar -xvf
to unzip the file or download an unzip utility from the HPUX Connect site.
NOTE: If you are prompted to overwrite an existing file, accept it so that the target file is overwritten.
Once the above pre-installation instructions have been followed, you are ready to install the fix pack.
To obtain the fix pack:
- Go to the IBM Tivoli Federated Identity Manager Support Web site.
- Click Download. The fix pack (6.2.0-TIV-TFIM-FP0003) should be listed under Latest by date. If you do not see this fix pack listed, enter "6.2.0-TIV-TFIM-FP0003" in the Search field to access the link to the download window.
- In the fix pack download window, scroll to the bottom of the window to view a listing of the download packages by platform.
- Select the platform that corresponds to the target platform where you will apply the fixes. To ensure a secure download, you can select the DD (Download Director) option. If you have not used Download Director before, you will need to configure your browser to use Java security. Click What is DD? for configuration instructions.
Setting the WebSphere security passwords
If security is enabled on the WebSphere Application Server where Federated Identity Manager is installed, you must set the appropriate password values in the fim.appservers.properties file before you can apply the fix pack. If security is not enabled, you can skip this step.
NOTE: If you add passwords to the fim.appservers.properties file, as described below, you specify these passwords using plain text. However, at the end of the fix pack installation process these passwords are obfuscated and will no longer be available in plain text format.
To specify security passwords, use the following procedure:
- Using a text editor, open the file FIM_INSTALL_DIR/etc/fim.appservers.properties.
- If the was.security.enabled property is present in the fim.appservers.properties file and is set to true, then you must add two password properties to the file:
  - the was.admin.user.pwd property with a value of the administrator login password for the WebSphere Application Server where Federated Identity Management is deployed
  - the was.truststore.pwd property with a value of the password for the trust store used for client-side SSL authentication in that WebSphere Application Server
  was.admin.user.pwd=was_admin_pw
  was.truststore.pwd=truststore_pw
- If the ewas.security.enabled property is present in the fim.appservers.properties file and is set to true, then you must add two password properties to the file:
  - the ewas.admin.user.pwd property with a value of the administrator login password for the Embedded WebSphere Application Server where Federated Identity Management is deployed
  - the ewas.truststore.pwd property with a value of the password for the trust store used for client-side SSL authentication in that Embedded WebSphere Application Server
  ewas.admin.user.pwd=ewas_admin_pw
  ewas.truststore.pwd=truststore_pw
- Save and close the fim.appservers.properties file.
- Unzip the file you downloaded in Downloading the fix pack, preferably into the default WebSphere Update Installer's maintenance directory,
C:\Program Files\IBM\WebSphere\UpdateInstaller\maintenance
for Windows or
/opt/IBM/WebSphere/UpdateInstaller/maintenance
for Unix/Linux.
- Ensure that the WebSphere Application Server that hosts the Federated Identity Manager runtime and management service component is running.
- Ensure that the WebSphere Application Server that hosts the Federated Identity Manager console component is running.
- Start the appropriate WebSphere Update Installer (typically located in C:\Program Files\IBM\WebSphere\UpdateInstaller on Windows systems, or in /opt/IBM/WebSphere/UpdateInstaller on UNIX-based systems).
- In the Welcome window click Next. Federated Identity Manager will not be listed, but is supported.
- Specify the path to the installation directory for Federated Identity Manager (typically C:\Program Files\IBM\FIM on Windows systems, or /opt/IBM/FIM on UNIX-based systems), then click Next.
- Select Install maintenance in the dialog.
- Specify the path where the fix pack (.pak) files were unzipped. The Update Installer automatically detects, enables, and displays the FIM fixes (pak files).
- Determine which product components are installed on the system that you are updating. You should install only the pak files that correspond to the components on the target system. To determine the names and version levels of the product components installed on the target system, view the contents of the FIM_INSTALL_DIR/etc/version.properties file with a text editor. The following list describes how to interpret the properties in the version.properties file:
  itfim.build.version.rte-mgmtsvcs=version
  - Specifies that the management service and runtime component is installed at the level specified by version.
  itfim.build.version.mgmtcon=version
  - Specifies that the administration console component is installed at the level specified by version.
  itfim.build.version.wsprov=version
  - Specifies that the WS-provisioning runtime component is installed at the level specified by version.
  itfim.build.version.wssm=version
  - Specifies that the Web services security management (WSSM) component is installed at the level specified by version.
  itfim.build.version.fimpi=version
  - Specifies that the Web plug-in (either the Internet information services (IIS) Web plug-in or the Apache/IBM HTTP Server Web plug-in) is installed at the level specified by version.
  The recommended order for applying fix packs to the product's components is:
  - Management service and runtime and administration console
  - Other components
  Note: If a domain is not created before application of TFIM fix pack, the fix pack installation completes successfully with a "Partially Successful" message.
- Compare the list of installed components to the list of pak files in the WebSphere Update Installer and select the pak files that correspond to the installed components, then click Next.
Note: The WebSphere Update Installer allows you to select more than one pak file at a time for execution. Select only the pak files that correspond to the components that are installed on the system you are updating. If you accidentally install more pak files than are needed, you can separately uninstall any fix packs for components that are not installed on the target system.
- If needed (for example, if you need to install multiple pak files on the target system, and you only installed one pak file), repeat the previous step to install any additional pak files on the target system.
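The component check from the installation steps above can be scripted. The following Python sketch is an added example, not part of the IBM README or product: it reads version.properties, lists the installed components by the property keys this README documents, and flags the case where the management service and runtime, administration console, and WSSM levels differ. It assumes simple key=value lines and that each value begins with the dotted level number; the sample values are constructed.

```python
"""Added example: report FIM component levels from etc/version.properties."""
import re
import sys

# Property keys and the component each one denotes, as listed in this README.
COMPONENTS = {
    "itfim.build.version.rte-mgmtsvcs": "Management service and runtime",
    "itfim.build.version.mgmtcon": "Administration console",
    "itfim.build.version.wsprov": "WS-provisioning runtime",
    "itfim.build.version.wssm": "Web services security management (WSSM)",
    "itfim.build.version.fimpi": "Web plug-in (IIS or Apache/IBM HTTP Server)",
}

# Components this fix pack applies to; the README requires them to be at the
# same level so that they interoperate as designed.
MUST_MATCH = (
    "itfim.build.version.rte-mgmtsvcs",
    "itfim.build.version.mgmtcon",
    "itfim.build.version.wssm",
)


def parse_properties(text):
    """Parse key=value lines; blank lines and '#'/'!' comment lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def installed_components(props):
    """Return {key: value} for documented component keys that have a value."""
    return {key: props[key] for key in COMPONENTS if props.get(key)}


def level(value):
    """Assumption: the level is the leading dotted number of the value."""
    match = re.match(r"\d+(?:\.\d+)*", value)
    return match.group(0) if match else value


def mismatched_levels(installed):
    """Return {key: level} for the MUST_MATCH components if they differ, else {}."""
    levels = {k: level(v) for k, v in installed.items() if k in MUST_MATCH}
    return levels if len(set(levels.values())) > 1 else {}


def report(text):
    """Build the report lines for one version.properties file."""
    installed = installed_components(parse_properties(text))
    lines = [f"{COMPONENTS[key]}: {value}" for key, value in installed.items()]
    for key, lvl in mismatched_levels(installed).items():
        lines.append(f"LEVEL MISMATCH: {COMPONENTS[key]} is at {lvl}")
    return lines


# Constructed sample (not from a real installation): WSSM was left behind.
SAMPLE = """\
# constructed sample
itfim.build.version.rte-mgmtsvcs=6.2.0.3
itfim.build.version.mgmtcon=6.2.0.3
itfim.build.version.wssm=6.2.0.0
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Java properties files are ISO-8859-1 by default.
        with open(sys.argv[1], encoding="latin-1") as handle:
            content = handle.read()
    else:
        content = SAMPLE
    print("\n".join(report(content)))
```

Run it with the path to FIM_INSTALL_DIR/etc/version.properties as the only argument; without an argument it reports on the constructed sample.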
Deploying the fix pack runtime component
After you install the fix pack, you need to redeploy the Tivoli Federated Identity Manager runtime. This task is identical to the deployment task you completed after the initial installation of the management service and runtime components. In a WebSphere cluster environment, you must ensure that the new runtime component is deployed to each WebSphere node.
The initial deployment steps are described in Creating and deploying a new domain in the Installation and Configuration Guide. The specific instructions for deploying the runtime begin in step 16.
NOTES:
- You do not have to re-configure the runtime into Tivoli Access Manager. The Tivoli Access Manager configuration is retained when the fix pack is applied.
- During redeployment of the runtime in a cluster environment, you might receive errors, such as, "ClassNotFoundException" in the WebSphere SystemOut.log files. Any such errors should stop after you restart the cluster.
Use the following procedure to deploy the updated Federated Identity Manager runtime:
- Log in to the administration console.
- Select Domain Management -> Runtime Node Management.
- Ensure that the new runtime (version 6.2.0.2) is displayed as available, then click Deploy Runtime.
- Wait for the deployment to finish by selecting Click to refresh runtime deployment status and check for completion...
- Verify that the currently deployed version is now 6.2.0.2 as follows:
  - Navigate to the Runtime Node Management window.
  - Look in the Runtime Management section of the Runtime Nodes portlet in the right panel and review the runtime information.
  Example:
  Runtime Information
  ----------------------------------------------
  Current deployed version 6.2.0.2 [090311a]
  Note: The number within the brackets [090311a] might be different from this example.
- Repeat the previous step for each node in a WebSphere cluster environment.
Publish the fix pack plug-ins to the runtime and reload the configuration
After you install the fix pack and redeploy the Tivoli Federated Identity Manager runtime you must re-publish the plug-ins to the runtime and reload the configuration.
Use the following procedure to re-publish the plug-ins:
- Log in to the administration console.
- Select Domain Management -> Runtime Node Management.
- Click Publish Plugins.
- After the plug-ins are published, reload the runtime configuration.
Download Package
N/A
Product Synonym
TFIM;FIM
Document Information
Modified date:
07 December 2019
UID
swg24024318