Release Notes

IBM® Security Verify Governance Adapter for Broadcom Top Secret

Version 10.0.4

Second Edition (December 13, 2023)

This edition applies to the current release of IBM Security Verify Governance Adapter for Top Secret and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright International Business Machines Corporation 2003, 2022. All rights reserved.
US Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Preface
Adapter Features and Purpose
IBM Security Verify Service Groups Management
License Agreement
Contents of this Release
Adapter Version
New Features
Closed Issues
Known Issues
Installation and Configuration Notes
Upgrading to the current release
Configuration
Communication
Profiles contained in this package
Starting and stopping the adapter
Customizing or Extending Adapter Features
Getting Started
Support for Customized Adapters
Installing the adapter language pack
IBM Security Verify Resources
Updates to the Broadcom Top Secret for z/OS Adapter installation and Configuration Guide
Overview
Planning
Installing
Upgrading
Configuring
Configuration Notes
Troubleshooting
Reference
Troubleshooting Broadcom Top Secret Adapter errors
Troubleshooting profile issues
Supported Configurations
Installation Platform
Trademarks



Preface

Welcome to the IBM Security Verify Governance Broadcom Top Secret Adapter.


These Release Notes contain information for the following products that was not available when the IBM Security Verify Governance Adapter manuals were created:


Adapter Features and Purpose

The Broadcom Top Secret Adapter is designed to create and manage Broadcom Top Secret accounts. The adapter runs in "agent" mode and must be installed on z/OS. One adapter is installed per Broadcom Top Secret database, but the Broadcom Top Secret Adapter may be configured to support a subset of the accounts through the scope of authority feature on the Broadcom Top Secret Service Form.


The deployment configuration is based, in part, on the topology of your network domain, but the primary factor is the planned structure of your Identity Provisioning Policies and Approval Workflow process. Please refer to the IBM Knowledge Center for a discussion of these topics.


The Verify Governance Adapters are powerful tools that require administrator level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the Verify server will fail if the adapter is not given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative permissions.

IBM Security Verify Governance Service Groups Management

By service groups, IBM Security Verify Governance - Identity Manager is referring to any logical entity that can group accounts together on the managed resource.


Managing service groups implies the following:

Create service groups on the managed resource.

Modify attributes of a service group.

Delete a service group.


Note that service group name change is not supported in the current IBM Security Verify Governance Adapter editions.

The Broadcom Top Secret Adapter does not support service groups management.




License Agreement

Review and agree to the terms of the IBM Security Verify Governance product license prior to using this product. The license can be viewed from the "license" folder included in the product package.

Contents of this Release

Adapter Version

Component          | Version
Build Date         | June 13, 2022
Adapter Version    | 10.0.4
Component Versions | Adapter Build 10.0.004000
                   | Profile 10.0.004.00
                   | ADK 10.0.003.00 z/OS
Documentation      | Please check out the latest documentation on the IBM Security Verify Governance Documentation Center. Select the latest server release to navigate to the latest adapter guides.



New Features

Internal# | RFE/CASE# | Description

Items included in the current release
RTC 190581 | - | Support for z/OS 2.5
SVGAD-1095 | ADAPT-140 | Support for z/OS 3.1

Items included in release 10.0.3
No items included in this release

Items included in release 10.0.2
RTC 189230 | - | Remove APPC dependency from Top Secret adapter
RTC 189232 | - | Abort if tag is missing

Items included in release 10.0.1
RTC 187573 | - | Rebranding IBM Security Identity to IBM Security Verify

Items included in release 7.1.21
RFE 61969 | RFE 142733 | Add department full name to support automated employee transfer between branches.
RTC 187271 | N/A | Add managed resource version.
RTC 187270 | N/A | Define full Top Secret Profile name as the Master Description for entitlement type CATSSGroupProfile in IGI.
RFE 62721 | RFE 144798 | Add PHRASEONLY attribute

Items included in release 7.1.20
No items included in this release

Items included in release 7.1.19
No items included in this release

Items included in release 7.1.18
No items included in this release

Items included in release 7.1.17
No items included in this release

Items included in release 7.1.16
RTC 182213 | - | IGI 5.2.5 support: as an adapter developer for z/OS I need to add support for supporting data and canonical values to the IGI profiles

Items included in release 7.1.15
No items included in this release

Items included in release 7.1.14
No items included in this release

Items included in release 7.1.13
No items included in this release

Items included in release 7.1.13
RTC 52661 / RTC 173352 | 115005 | As an ADK for z/OS developer I need to offer the ability to explicitly disable TLS1.0 in all ADK based adapters.
RTC 173354 | TS000074249 | As an ADK for z/OS developer I need to add diagnostic messages to the ADK that allow troubleshooting 2-way SSL connections
RTC 173351 | - | As an ADK for z/OS developer I need to upgrade to OpenSSL 1.0.2n

Items included in release 7.1.12
RTC163066 | - | As a Top Secret adapter customer, I would like to use the adapter in an IBM Security Verify Governance and Intelligence (IGI) environment.

Items included in release 7.0.11
RTC166462 | 32451 | TSS access FACILITIES as supporting data
RTC71407 | - | MATCHLIM support
RTC163356 | - | Enable SSL by default in the ISPF installation panels

Items included in release 7.0.10
RTC154238 | - | Update OpenSSL to release 1.0.2j
RTC154263 | PMR 42182,122,000 | Disable SSLv3 and RC4 ciphers and certify TLS 1.1 / 1.2 is supported by the ADK
RTC156347 | 32546 | Adapter appears to be running while it was unable to connect to the socket.
RTC149041 | - | Add two initial lines to CustomLabels.properties which are required for translation and update the profile version to match the adapter version.

Items included in release 7.0.9
No items included in this release

Items included in release 7.0.8
- | - | User lookup APPC configuration (see Configuration notes section below)
RTC 115559 | 35062 / 21865 | ertopzdivisionacid, ertopzdepartmtacid and ertopzzoneacid attributes modification
RTC 125711 | 33906 | ISIM Top Secret Adapter compatibility with Passphrase
- | - | ISIM 6.0.2 release


Closed Issues

Internal# | APAR/CASE# | Description

Items closed in the current release
RTC 190566 | TS008810700 | Top Secret TSS0598E errors in the adapter log
RTC 190565 | TS008810700 | Top Secret Accounts out of sync in ISIM

Items included in release 10.0.3
RTC 189819 | TS006522378 | Add _CEE_RUNOPTS to adapter start script
RTC 189820 | - | To remove an ERTOPZSECLABEL we need to specify the label too, not just REM(acid) SECLABEL

Items included in release 10.0.2
RTC 189233 | TS005561111 | Invalid servicegroup mapping results in CTGIMU551E/CTGIMF007E directory server error
RTC 189234 | TS005537447 | CEE3204S The system detected a protection exception (System Completion Code=0C4). From entry point _adkRegistryGetSubFolderString at compile unit offset +000001F0 at entry offset +000001F0 at address 121B4110.
RTC 189235 | TS004946716 | CEE3204S The system detected a protection exception (System Completion Code=0C4). From entry point _payloadFree at compile unit offset +00000060 at entry offset +00000060 at address 33E4DE70.

Items included in release 10.0.1
RTC 187968 | - | Upgrade to Expat 2.2.10
RTC 187969 | - | DEFECT - remove profile() returns warning

Items included in release 7.1.21
RTC 187269 | N/A | Error in canonical value mapping for erTopzOPCLASS

Items included in release 7.1.20
RTC 186767 | TS003554276 | ISIM_ADAPTER_CIPHER_LIST variable is not having any effect with RACF adapter 6.0.39
RTC 186768 | TS003680545 | Error when processing unmodified values in reply message
RTC 186769 | TS003568847 | Abend when processing reconciliation request XMLs

Items included in release 7.1.19
RTC 186218 | TS003341275 | Adapter STC does not abort when running out of memory required for new connection pthreads.
RTC 186213 | TS003405510 | Vulnerability CVE-2016-2183 (SWEET32) reported on ISIM V6.0
RTC 186214 | DT040780/TS001615497 | Memory leak in ConnectionTest operations.

Items included in release 7.1.18
RTC 184015 | TS002309740 | Adapter abend 40D, RC10 with the below messages in the CEEDUMP:
    5 _ermAlloc +00000076 libErmApi.dll Call
    6 ErmSBCSStrtoUCS2Str +000000C0 libErmApi.dll
RTC 184017 | TS002309740 | Excessive non-ISIM server connections causing abend:
    Starting SSL handshake (OpenSSL)...
    Handshake failed. Error code: 1
    SD_SEND to socket
    Start SSL cleanup
    Shutting down SSL server...
    Received a segmentation violation...
RTC 183205 | TS000891911 | Debug output in agentCfg tool causes DAML protocol configuration issues.
RTC 183798 | TS001862044 | Small ListNew allocations result in abend when receiving unexpected results in account Modify output.
RTC 184032 | TS002211805 | APPC class defined as hardcoded A in AGTSJB06 for single account lookup transaction

Items included in release 7.1.17
RTC 182687 | - | Disallow external calls to agentCfg port
RTC 182516 | IJ12296 | Reconciliation doesn't return all accounts.
RTC 182686 | - | Upgrade to OpenSSL 1.0.2.q

Items included in release 7.1.16
RTC 182224 | TS001778432 | As a Top Secret adapter developer I need to add service groups definitions for ISIGADI
RTC 181308 | - | Upgrade to ICU 3.6
RTC 181309 | TS000891911 | Hebrew writing direction
RTC 181310 | - | Upgrade to Expat 2.2.6
RTC 181303 | - | Upgrade to z/OS ADK 6.0.6

Items included in release 7.1.15
RTC 179043 | - | Upgrade to OpenSSL 1.0.2p

Items included in release 7.1.14
RTC 174696 | - | As an ADK for z/OS developer I need to upgrade to OpenSSL 1.0.2o to address PSIRT CVE-2018-0739
RTC 176722 | TS000113385 | TS 7.1.12 throws "java.lang.NullPointerException"

Items included in release 7.1.13
RTC 173353 | TS000114491 | As an ADK for z/OS developer I need to ensure that manually dropping the DAML_PORT socket doesn't result in a loop
RTC 173360 | TS000013259 | Since installing 6.0.29 the customer can no longer change the DAML password
RTC 173723 | - | Attempt to destroy context for invalid socket results in dump in _ermListFree

Items included in release 7.1.12
RTC169659 | - | PSIRT Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)

Items included in release 7.0.11
RTC166463 | PMR 22742,003,756 | RSA key length used by certTool increased from 1024 to 4096, which allows it to be NIST compliant beyond 2021.
RTC166463 | - | Unmodified attribute values for failed add/remove profile operations not returned to the server

Items included in release 7.0.10
RTC156346 | - | Attribute values following the string PASSWORD are masked in the adapter log
RTC156842 | PMR 17895,001,862 | Heap storage problem in RACF agent: CEE3204S The system detected a protection exception (System Completion Code=0C4). From entry point _ermFree at compile unit offset +0000008A at entry offset +0000008A at address 2500BF4A.

Items included in release 7.0.9
RTC 149789 | - | ICN 1469 - UNIX File Directory Usage for N/A N/A
RTC 147988 | PMR 30634,082,000 | ACID Profiles numbering sequence gets changed on reconciliation
RTC 149790 | PMR 14970,082,000 | TopSecret support for z/OS V2.2, R16

Items included in release 7.0.8
No items included in this release

Known Issues

INTERNAL# | APAR/CASE# | Description

RTC67316 | - | Earlier releases of the Broadcom Top Secret Adapter do not place a password on the adapter's Broadcom Top Secret ACID when it is created. IBM supports the use of a password on this account. Note that adding a password to the Verify Governance Adapter ACID may result in the console prompting for the password at adapter start-up.
N/A | - | This release of the Broadcom Top Secret Adapter does not support FIPS.
N/A | - | User-defined ACID fields are supported for a data length of up to 249 bytes. Field data containing characters other than letters, numbers, or national characters (@, #, $) may have unpredictable results.
N/A | - | When changing profile assignments in Verify Governance, the ISVG server sends two requests to the adapter: one for the rights value or permission that was deleted and one for the rights value or permission that was added.


Installation and Configuration Notes

Upgrading to the current release

Upgrading to the current release requires a full installation. Refer to the Installing and configuring section of the Broadcom Top Secret adapter guide for detailed instructions.


Configuration


Communication

ADK version 6.06.0027 and higher offer a DAML PROTOCOL setting that allows you to disable TLSv1.1.

ADK version 6.04 and higher offer a DAML PROTOCOL setting that allows you to disable TLSv1.0.

ADK version 6.0.3 and higher no longer support SSLv3 and RC4 ciphers. The Identity server should be configured to use TLS 1.1 or higher. This is done by adding the following parameter to $ITIM/data/enRole.properties. For example:

com.ibm.daml.jndi.DAMLContext.SSL_PROTOCOL=TLSv1.1

Possible values are:

TLSv1.1 - TLS v1.1 protocol (defined by RFC 4346).
TLSv1.2 - TLS v1.2 protocol (defined by RFC 5246).



Profiles contained in this package

In the V7.1.15 and later installation package three profiles are included: one specific for ISVG, one specific for Governance Data Integration and one specific for Identity Manager (ISVI).

Installing the ISVI specific version on an Identity Manager server removes the requirement to install the Complex Attribute Handler. This can be of interest when you have defined policies on the Identity Manager server that manage ertopzprofile related processing.

If no customization has been done to the Identity Manager server that involves the ertopzprofile attribute, the ISVG-specific profile can be used in combination with the Complex Attribute Handler on Identity Manager servers.


For the Governance Data Integration profile the complex attribute handler is not required. It merely defines the Top Secret Profile object class as a Service Group for ISVG compatibility. This profile can be used if Top Secret profile assignments are being made from ISVG.

If you want to be able to make changes in Top Secret profile assignments in both ISVG and Identity Manager, you will have to modify the resource.def file that is included in the profile jar to define the ertopzprofile attribute as a complex attribute and the complex attribute handler properties as depicted below. Then include the complex attribute handler jar file in the ITIM_LIB shared library on the ISVI/WAS server and, with ISIGADI, include it in the jars of the SDI running ISIGADI. With ISIQ, the handler is already included in the ISIQ side code.

Required additions to the <ProtocolProperties> section of the resource.def when using ISIGADI and managing Top Secret profile assignments from both ISVI and ISVG:

      <Property Name  = "ercomplexattributes"
                Value = "ertopzprofile" />
      <Property Name  = "erattributehandler"
                Value = "com.ibm.isim.util.complexattribute.TopSecretComplexAttributeHandler" />



Starting and stopping the adapter

Before you start the adapter, ensure that TCP/IP is active.

Starting with ADK release 6.0.3, the adapter writes a message to SYSLOG and shuts down if it cannot connect to the IP communications port. In previous releases the adapter wrote an error to the adapter log and remained active, with no indication in the SYSLOG that it could not communicate with the server.


Customizing or Extending Adapter Features

The Verify Governance Adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.


Getting Started

Customizing and extending adapters requires a number of additional skills. The developer must be familiar with the following concepts and skills prior to beginning the modifications:



Note: This adapter supports customization only through the use of pre-Exec and post-Exec scripting. The Broadcom Top Secret adapter has REXX scripting options. Please see the Broadcom Top Secret Installation and Configuration guide for additional details.


IBM Security Verify Resources:

Check the “Learn” section of the IBM Security Verify Governance Documentation for links to training, publications, and demos.


Support for Customized Adapters

The integration to the Verify Governance server – the adapter framework – is supported. However, IBM does not support the customization, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a case is opened.


Installing the adapter language pack



See the IBM Security Verify Install library and search for information about installing the adapter language pack.



IBM Security Verify Governance Resources:

Please check out the latest documentation on the site.

Select the latest server release to navigate to the latest version of the adapter documentation.

Updates to the Broadcom Top Secret for z/OS Adapter installation and Configuration Guide


Overview

No updates in the current release



Planning

No updates in the current release


Installing

No updates in the current release

Upgrading

No updates in the current release

Configuring

Configuration Notes


Profile entitlements and Rights


The order of profiles attached to an ACID is important and affects the checking of the profile permissions.

To add profiles in a particular order you must add the profile names in the account form in this manner. The first number indicates the order and the separator is a vertical bar character:

010|PROFA
020|PROFB

The profile names are sorted by number (if necessary) by the adapter and added to the ACID in that order.

Any request to update ertopzprofile values must have the profile values in the request sorted from the lowest sequence to the highest sequence. For instance:

<Modification Operation="replace">
  <attr name="ertopzprofile">
    <value>010|T3AUTO40</value>
    <value>020|T3AUTO20</value>
    <value>030|T3AUTO50</value>
  </attr>
</Modification>

If the profiles in the request are not ordered by sequence, this will result in inconsistency in the profile assignments.
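As an added example (not code from the adapter or these release notes), the following Python checks a <Modification> request against the two rules above: every ertopzprofile value must have the NNN|PROFILE shape, and the values must already be listed from the lowest to the highest sequence; it also derives the order in which the adapter would attach the profiles. The sample request XML and the ACID name pattern are constructed assumptions.

```python
"""Validate and order Top Secret profile assignment values.

Added example, not part of the adapter or the release notes. It models the
"NNN|PROFILE" convention from the Configuration Notes: the adapter sorts the
values by the numeric prefix before attaching them to the ACID, and a modify
request must already list ertopzprofile values from lowest to highest
sequence. The sample request below is constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a <Modification> in the shape shown in the release notes,
# deliberately out of sequence so the check has something to report.
SAMPLE_REQUEST = """
<Modification Operation="replace">
  <attr name="ertopzprofile">
    <value>020|T3AUTO20</value>
    <value>010|T3AUTO40</value>
    <value>030|T3AUTO50</value>
  </attr>
</Modification>
"""

# Sequence number, vertical bar, profile (ACID) name. Assumed pattern: 1-8
# characters of letters, digits or the national characters @, #, $.
_VALUE_RE = re.compile(r"^(\d+)\|([A-Z0-9@#$]{1,8})$")


def parse_profile_value(value: str) -> tuple[int, str]:
    """Split '010|PROFA' into (10, 'PROFA'); reject anything else."""
    match = _VALUE_RE.match(value.strip())
    if not match:
        raise ValueError(f"malformed ertopzprofile value: {value!r}")
    return int(match.group(1)), match.group(2)


def ordered_profiles(values: list[str]) -> list[str]:
    """Return profile names in the order the adapter would attach them.

    Mirrors the documented behaviour: values are sorted by numeric prefix.
    Duplicate sequence numbers are rejected because the resulting order on
    the ACID would be ambiguous.
    """
    parsed = [parse_profile_value(v) for v in values]
    seqs = [seq for seq, _ in parsed]
    if len(set(seqs)) != len(seqs):
        raise ValueError(f"duplicate sequence numbers: {sorted(seqs)}")
    return [name for _, name in sorted(parsed)]


def request_is_ordered(values: list[str]) -> bool:
    """True when the request already lists values lowest-to-highest.

    The release notes state that an unordered request leads to inconsistent
    profile assignments, so a server-side check should reject it up front.
    """
    seqs = [parse_profile_value(v)[0] for v in values]
    return all(a < b for a, b in zip(seqs, seqs[1:]))


def extract_profile_values(xml_text: str) -> list[str]:
    """Pull the ertopzprofile <value> elements out of a <Modification>."""
    root = ET.fromstring(xml_text)
    return [
        v.text.strip()
        for attr in root.iter("attr")
        if attr.get("name") == "ertopzprofile"
        for v in attr.findall("value")
        if v.text
    ]


if __name__ == "__main__":
    values = extract_profile_values(SAMPLE_REQUEST)
    print("request ordered:", request_is_ordered(values))
    print("adapter attach order:", ordered_profiles(values))
```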



Troubleshooting

No updates in the current release


Reference


No updates in the current release






Troubleshooting Broadcom Top Secret Adapter errors


Troubleshooting profile issues.

If you experience issues opening an account form after upgrading to the latest release, it might be required to start the design forms editor, open the Top Secret account form and select save. It is not required to make any changes to the form.






Supported Configurations

Installation Platform

The IBM Security Verify Governance Adapter supports any combination of the following product versions.


Operating System:

z/OS V2.4

z/OS V2.5

z/OS V3.1


Managed Resource:

Broadcom CA Top Secret for z/OS R16


IBM Security Identity Manager:

Identity Manager v6.0.0-ISS-SIM-FP0011 or higher

Identity Manager v7.0.1-ISS-SIM-FP0001 or higher.



IBM Security Identity Governance and Intelligence:

Identity Governance 5.2.6.0-ISS-SIGI-FP0002 or higher



IBM Security Verify Governance:

IBM Security Verify Governance v10.x


Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing

IBM Corporation

North Castle Drive

Armonk, NY 10504-1785 U.S.A.


For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:


IBM World Trade Asia Corporation

Licensing

2-31 Roppongi 3-chome, Minato-ku

Tokyo 106-0032, Japan


The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.


This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.


Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:


IBM Corporation

2ZA4/101

11400 Burnet Road

Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.


The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.


Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.


Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.


Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

IBM
IBM logo


Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.



Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.



Microsoft, Windows, Windows NT®, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.


Intel®, Intel logo, Intel Inside®, Intel Inside logo, Intel Centrino™, Intel Centrino logo, Celeron®, Intel Xeon™, Intel SpeedStep®, Itanium®, and Pentium® are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.


CA ACF2, and CA Top Secret are trademarks of Broadcom, Inc. in the United States, other countries, or both.


UNIX is a registered trademark of The Open Group in the United States and other countries.


Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.


ITIL® is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.


IT Infrastructure Library® is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.


Other company, product, and service names may be trademarks or service marks of others.






End of Release Notes