Download

Abstract

This fixpack contains several fixes for problems in the various components that comprise the Tivoli Security Policy Manager software

Download Description

IBM® Tivoli® Security Policy Manager 7.1.0-TIV-ITSPM-FP0003 and 7.1.0-TIV-ITRTSS-FP0003 Readme

IBM® Tivoli® Security Policy Manager 7.1.0-TIV-ITSPM-FP0004 and 7.1.0-TIV-ITRTSS-FP0004 Readme

Abstract

Downloading the Fix Pack

Known Issues

Updating a previous version with Fix Pack 7.1.0.4

Updating policy administration components

Updating the Tivoli runtime security services server

Updating the Tivoli runtime security services client

Updating the Tivoli Security Policy Manager software development kit

Updating the Runtime Security Services software development kit

Rolling back or uninstalling fix pack files

Uninstalling both Fix Pack 7.1.0.4 and Version 7.1.0 files

Abstract

The Fix Pack Readme topics describe the contents of the Tivoli Security Policy Manager Fix Pack 7.1.0.4

Readme file for: IBM Tivoli Security Policy Manager
Product/Component Release: 7.1.0
Update Name: Fix Pack 4
Fix ID: 7.1.0-TIV-ITSPM-FP0004
Fix ID: 7.1.0-TIV-ITRTSS-FP0004
Publication date: 18 November 2012
Last modified date: 18 November 2012

1) Denial of Service Security Exposure with Java JRE/JDK:

Description:

This Security Alert addresses security issue CVE-2010-4476 (Java Runtime Environment hangs when converting
"2.2250738585072012e-308" to a binary floating-point number), which is a vulnerability in the Java Runtime Environment component.
Before updating Tivoli Security Policy Manager/Runtime Security Services with this fix pack, update the JRE/JDK to mitigate the security exposure.
This fix pack includes all versions of JRE/JDK that were installed with Tivoli Security Policy Manager/Runtime Security Services or Tivoli Integrated Portal/Tivoli Common Reporting (embedded WebSphere Application Server).
Note: The update process for the embedded WebSphere Application Server (that comes with Tivoli Integrated Portal/Tivoli Common Reporting) is same as the regular WebSphere® update.
Use the following link to update the appropriate version of your JRE/JDK with the WebSphere Application Server update:

Java Security Exposure (CVE-2010-4476) Flash for WebSphere Application Server (WSAS)

You might need to install the WebSphere Update Installer (WUI), which is at the following location: WebSphere Update Installer (WUI)

2) Potential security exposure with IBM WebSphere Application Server with Web Services using XML Encryption:

Problem Description:

If a Web Service (either JAX-WS or JAX-RPC) is configured to use WS-Security to encrypt data, that data might be vulnerable to a decryption attack.
If requests containing encrypted data can be intercepted, an attacker might be able to decrypt the encrypted
data in those requests. All versions of JAX-RPC and JAX-WS are vulnerable.
Use the following link to update the appropriate version of the installed WebSphere Application Server:

Potential security exposure with IBM WebSphere Application Server with Web Services using XML Encryption

Fixes

The fix pack provides fixes for a number of the APARs. Fixes are cumulative, meaning the latest fix pack also contains all the fixes contained in the previous fix packs.

Table 1. Fixes contained in Fix Pack 7.1.0.4
APAR	Problem summary
IV15661	CREATEPOLICY() AND MODIFYPOLICY() RETURN INCORRECT DATA IN SOMETRUE
IV15818	UNABLE TO EXPORT TSPM POLICY USING IE BROWSER
IV20522	TSPM CONSOLE ERRORS INTERNET EXPLORER 8
IV21909	TSPM 7.0 -> 7.1 MIGRATION FAILURE (PARTIAL)
IV22007	POLICY CHANGES DO NOT TAKE AFFECT UNTIL RTSS IS RELOADED
IV22638	SUPPRESS ERRORS LOG ENTRIES FOR NULL VALUE
IV25186	WRONG UPDATE MAPPING WHEN SORTING LIST
IV23845	7.1 DOCUMENTATION FIXPACK TYPO AND CLARIFICATION

Table 2. Fixes contained in Fix Pack 7.1.0.3
APAR	Problem summary
IV02079	WSDL IMPORT FAILS IF XSD FILES ARE REFERENCED WITH RELATIVE PATH
IV03218	TSPM POLICY/DIRECTORY NOT GETTING PROPAGATED TO THE DMGR.
IV04689	MISSING TSPMREPORTS.SQL
IV06278	POLICY PENDING RETRIEVAL WHEN VALID TIMESTAMP NOT FOUND
IV07258	SEARCHING FOR MEMBERS OF A TSPM ADMIN GROUP TO ASSIGN POLICY OW
IV08352	ILLEGALSTATEEXCEPTION: SESSION HAD BEEN INVALIDATED:
IZ96492	TSPMRUNTIMEEXCEPTION: UNHANDLED EXCEPTION
IV05128	NULLPOINTER EXCEPTION WHEN RUNNING THE CREATEPOLICY API.

Table 3. Fixes contained in Fix Pack 7.1.0.2
APAR	Problem summary
Stability Fixes	Some Stability Fixes Went into FP02

Table 4. Fixes contained in Fix Pack 7.1.0.1
APAR	Problem summary
IZ80883	RTSS LOCAL MODE IS FAILING WITH J2EE ENFORCEMENT
IZ87160	NULLPOINTEREXCEPTION IN STS ATTRIBUTE FINDER WHEN PARSING RTSR
IZ77364	JAX-WS PEP DOES NOT ENFORCE SERVICES USING MESSAGE LEVEL AUTHENTICATION
IZ87161	JAXWS PEP SHOULD LOOK IN MESSAGE CONTEXT FOR SUBJECT
IZ87166	JAXWS PEP SHOULD FALL BACK TO RUN-AS SUBJECT
IZ83168	PROBLEM ATTACHING POLICY VIA CLASSIFICATION
IZ81535	TSPM WILL GENERATE INDIVIDUAL POLICY AND POLICYATTACHEMENT DOCUMENTS

Prerequisites

TSPM 7.1.0 GA Version

Installation Instructions

Installation Instructions

Downloading the Fix Pack

Download and extract the fix pack files from the IBM Tivoli Security Policy Manager Support website.

About this task

Tivoli Security Policy Manager Fix Pack 7.1.0.4 consists of two compressed files. One file contains the policy manager packages. The other file contains the runtime security services packages. Download the compressed files that apply to your deployment.

Table 1. Fix pack packages and compressed files
Package	Fix Pack compressed file
Tivoli Security Policy Manager	7.1.0-TIV-ITSPM-FP0004.zip
Tivoli Security Policy Manager Software Development Kit	7.1.0-TIV-ITSPM-FP0004.zip
Runtime Security Services Server	7.1.0-TIV-ITRTSS-FP0004.zip
Runtime Security Services Client
Runtime Security Services Software Development Kit

Procedure

Access either the support website:
1. Go to the IBM Tivoli Security Policy Manager Support website.
2. Locate and download the fix pack compressed files:
  1. Click Download.
  2. In the Search field, enter the Policy Manager fix pack identifier:
```
7.1.0-TIV-ITSPM-FP0004
```
  3. Download the compressed file.
  4. In the Search field, enter the runtime security services fix pack identifier:
```
7.1.0-TIV-ITRTSS-FP0004
```
  5. Download the compressed file.
Extract the compressed files. Each compressed file contains packages of files.
1. Extract the file or files with the packages you want to install.
2. Make note of the directory where you downloaded each compressed file.

Known Issues

This topic documents the known issues with the fix pack. You can also query the tech notes database on the Customer Support website.

There are known issues with the Installation Manager application:

Do not install both IBM Tivoli Runtime Security Services Server Version 7.1.0.4 and IBM Tivoli Runtime Security Services Software Development Kit 7.1.0.4 in the same Installation Manager session. If you attempt to do so, the following message might be displayed:
```
Packages IBM Tivoli Runtime Security Services Server 7.1.0.4 and 
```
```
IBM Tivoli Runtime Security Services Software Development Kit 7.1.0.4 
```
```
cannot coexist in the same package group
```
If this message is displayed, install each package in a separate Installation Manager session.

Installation fails with an out of memory exception:
```
Error during "pre-install configure" phase:
 java.lang.OutOfMemoryError: unable to allocate 60432017 bytes for native buffer
```
The workaround is to increase the memory available to the Java Virtual Machine. Modify the <InstallationManager>/eclipse/IBMIM.ini file in IBM Installation Manager's installation directory to add an additional parameter, "-Xmx1024m", restart Installation Manager; and then perform the update.

On a 64bit Linux system, Installation Manager exits during installation without error. Installation Manager and Tivoli Integrated Portal require the 32bit compatibility libraries on 64bit Linux systems. Review the product documentation for specific requirements.

During update or installation, the EJB deploy step may fail with:

Error executing deployment: java.lang.IllegalStateException. Error is Platform not running.
java.lang.IllegalStateException: Platform not running
        at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:374)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
        at java.lang.reflect.Method.invoke(Method.java:611)
        at com.ibm.etools.ejbdeploy.batch.impl.BootLoaderLoader.run(BootLoaderLoader.java:494)
        at com.ibm.etools.ejbdeploy.batch.impl.BatchDeploy.execute(BatchDeploy.java:114)
        at com.ibm.etools.ejbdeploy.EJBDeploy.execute(EJBDeploy.java:107)
        at com.ibm.etools.ejbdeploy.EJBDeploy.deploy(EJBDeploy.java:348)
        at com.ibm.etools.ejbdeploy.EJBDeploy.main(EJBDeploy.java:310)
EJBDeploy level: @build@
ADMA5008E: The EJBDeploy program failed on file /tmp/app3860524633747861547.ear.  Exception: com.ibm.etools.ejbdeploy.EJBDeploymentException: Error executing EJBDeploy

The problem and resolution are described in EJBDeploy command Exceptions on WebSphere Application Server and Eclipse OSGI cache purge issues. To resolve, update the <WAS>/deploytool/itp/ejbdepoy.sh script (or .bat for Windows) to always clear the OSGi cache by default (the "FOURTH" workaround in the referenced technote) by adding the " -Dosgi.clean="true" \" option to the com.ibm.tools.ejbdeploy.EJBDeploy invocation. Note that this option may add several seconds to the deployment operation.

The rollback feature does not present a graphical user interface for entering the required configuration settings, such as passwords. If you do not manually supply the necessary passwords, Installation Manager displays the following error:
```
Error during "pre-install configure" phase:
java.lang.ExceptionInitializerError
```
This fix pack topic in the information center contains instructions for manually editing the required configuration files. See Rolling back Fix Pack 7.1.0.x.

The rollback feature does not save the response files that an administrator creates for the Tivoli Security Policy Manager configuration utility. The fix pack topic in the information center contains instructions for manually saving these files. See Rolling back the policy manager package.

For the rollback operation, two files located in the agent data location, installed.xml and installRegistry.xml will need to have certain properties updated for the rollback operation (as explained in the rollback section). In some instances, incorrect paths to the WebSphere and/or Tivoli Integrated Portal (TIP) profile paths may be recorded in these files. Ensure that the following entries are correct prior to performing the rollback.

Incorrect:

<property name='user.tipProfilePath' value='/opt/IBM/InstallationManager/eclipse/null'/>

<property name='user.tipWsAdminScript' value='/opt/IBM/InstallationManager/eclipse/null/bin/wsadmin.sh'/>

Correct (assuming the default TIP install location is /opt/IBM/tivoli/tip):

<property name='user.tipProfilePath' value='/opt/IBM/tivoli/tip/profiles/TIPProfile'/>

<property name='user.tipWsAdminScript' value='/opt/IBM/tivoli/tip/profiles/TIPProfile/bin/wsadmin.sh'/>

Incorrect:

<property name='user.wasProfilePath' value='/opt/IBM/InstallationManager/eclipse/null'/>

<property name='user.wasWsAdminScript' value='/opt/IBM/InstallationManager/eclipse/null/bin/wsadmin.sh'/>

Correct (assuming the default WebSphere profile creation location is /opt/IBM/WebSphere/AppServer/profiles):

<property name='user.wasProfilePath' value='/opt/IBM/WebSphere/AppServer/profiles/<profileName>'/>

<property name='user.wasWsAdminScript' value='/opt/IBM/WebSphere/AppServer/profiles/<profileName>/bin/wsadmin.sh'/>

There are known issues with the Tivoli Integrated Portal application:

Some elements displayed by the Tivoli Integrated Portal console may incorrectly render text in the system locale instead of the browser locale. Fields in the login panel, banner are page bar areas may show text in the locale of the Tivoli Integrated Portal server.

When using the policy simulation panel with only one service defined, the content of the services selection box may not render properly. As a workaround, you can define another service, or use the keyboard navigation keys to select the resource.

Tech notes on the IBM Software Support website document known problems and limitations:

http://www.ibm.com/software/tivoli/support/security-policy-mgr/

As limitations and problems are discovered and resolved, the IBM Software Support team updates the knowledge base. By searching the knowledge base, you can find workarounds or solutions to problems. The following link sends a customized query to the live Support knowledge base for Tivoli Security Policy Manager:

http://www.ibm.com/support/search.wss?tc=SSNGTE&rank=8&atrn=SWVersion&atrv=7.1&dc=DB520+DB560

To create your own query, go to the Advanced search page on the IBM Software Support website.

Updating a previous version with Fix Pack 7.1.0.4

You can update a Tivoli Security Policy Manager 7.1.0, 7.1.0.1, 7.1.0.2, or 7.1.0.3 deployment with the files in Fix Pack 7.1.0.4. Consult the IBM Tivoli Security Policy Manager information center for additional configuration and upgrade requirements.

Tivoli Security Policy Manager Fix Packs

Use the Installation Manager application to add the fix pack packages. The Installation Manager Update icon runs a wizard to guide you through adding fix pack packages to an existing deployment.

Use Installation Manager to install the fix pack files. During the update, you can specify values for the same configuration properties that were used during installation or previous fix pack updates.

Installation Manager displays the current values for each configuration property.
Installation Manager does not display values for passwords. You must enter any required passwords, such as the administrative user password.
Review each property to ensure that it is correct. Modify any property that must change.

Complete the prerequisite tasks:
1. Download and extract the fix pack files. See Downloading the Fix Pack.
2. Review known issues and limitations. See Known Issues.

Identify the packages and features that you want to update.

Package	Features
Tivoli Security Policy Manager	Tivoli Policy Platform
	Tivoli Security Policy Manager server
	Tivoli Security Policy Manager administration console
	Tivoli Integrated Portal console
	Tivoli Security Policy Manager configuration utility
Tivoli Security Policy Manager SDK	Software Development Kit and Samples
Runtime Security Services Server	Authorization Service
Runtime Security Services Client	Authorization Service Runtime
	Policy Management Administration Agent
	Web Services Application Enforcement
Runtime Security Services SDK	Software Development Kit and Samples
Runtime Security Services SDK	Portal Application Enforcement Software Development Kit

Complete the instructions for the package that you want to update.
Optional: Use the Installation Manager log viewer to verify that the installation was successful by reviewing the Installation Manager log files.
- When you complete an installation, go to the Installation Manager landing page and click File -> View Log.
- If you already closed Installation Manager or installed another product after Tivoli Security Policy Manager:
  1. Click File -> View Installation History.
  2. Select the package installation that you want to view. For example, Tivoli Security Policy Manager.
  3. Click View Log.

Updating policy administration components

You can update the policy administration components with the fix pack installation files that you downloaded from the Customer Support website. The policy administration components include the policy manager server, configuration tool, and policy manager console.

Before you begin

Complete the prerequisite tasks in Updating Version 7.1.0, 7.1.0.1, 7.1.0.2 or 7.1.0.3 with Fix Pack 7.1.0.4. The tasks include extracting the fix pack compressed files.

Procedure

Start Installation Manager.
Note: If you are installing the fix pack into a WebSphere cluster, start Installation Manager on the WebSphere Application Server deployment manager.
AIX®, Linux, Linux on System z®, or Solaris
1. Open a command-line window and navigate to the directory containing Installation Manager.
  The default installation directory is:
```
/opt/IBM/InstallationManager/eclipse
```
2. Start the program.
```
IBMIM
```
Windows®

Click Start -> All Programs -> IBM Installation Manager -> IBM Installation Manager.
Click File -> Preferences.
Configure a repository connection. This step specifies the location of the fix pack installation files.
1. Click Add Repository.
2. Browse to the directory containing the extracted files from the archive file.
3. Locate the repository configuration file. For example, if you extracted the fix pack files on a Windows system in C:\Temp:
```
C:\Temp\policy\delta.7104\repository.config
```
4. Click OK to add the location as a repository.
5. Optional: Click Test Connections. Verify that you receive the message:
```
All repositories are connected
```
Verify that the fix pack repository that you want to install is listed at the bottom of the repository list. This order ensures that Installation Manager installs the files for this fix pack last.
Click OK.
Note:

Depending on your network configuration, you also might need to configure proxy settings or adjust your firewall settings.
Click Update.
The Update Packages panel displays package groups. The Tivoli Security Policy Manager package group is highlighted. Click Next.
On the Update Packages panel, select the Version 7.1.0.4 package. Click Next.
After reading the license agreement:
- To continue the installation, select I accept the terms in the license agreement and click Next.
- To cancel the installation, select I do not accept the terms in the license agreement and click Cancel.
Installation Manager displays a list of installed components. Each installed component is selected. These components are updated. Verify that the list is correct and click Next.
Components can include:
- Policy manager server
- Policy manager console
- Configuration tool
Confirm the values in the Connection Details panel and click Next.
Installation Manager displays current values for:

SOAP port

Specifies the port value for WebSphere Application Server for SOAP communications.

Security enabled

Specifies whether communication with WebSphere Application Server occurs only over secure connections.
Note:

Clear Security enabled only if instructed to do so by IBM Support personnel.
If you are updating the policy manager server, specify the required passwords on the Security Details panel.
Verify that the supplied values for the other properties are correct. Click Next.
Supply a password for the administrative user and for the truststore. If your deployment uses the keystore, supply a password for it.
Note:

If your deployment does not have security enabled, you cannot specify these values.

Administrative user name

Required. Specifies the user name of the administrator that manages the WebSphere Application Server instance. The default value is wasadmin.

Administrative user password

Required. Specifies the password for the WebSphere Application Server administrator.

Truststore location

Required. Specifies the fully qualified path and name of the truststore for WebSphere Application Server.

Truststore password

Required. Specifies the password for the truststore.

Keystore location

Optional. Specifies the keystore location used by the WebSphere server to establish a secure connection with the installation program. If you use the default keystore, the location is blank.

Keystore password

Optional. Specifies the password for the keystore if a location was specified.
In the Queried WebSphere Server Information panel, verify that the listed values are correct for the WebSphere Application Server instance.
Perform one of the following actions:
Note:

If you are installing in a WebSphere cluster, the displayed text shows the correct cell name, but incorrectly shows the server name as one of the nodes.
- If the information is correct, click Next.
- If this information is not correct, an error indicates that the data cannot be confirmed with WebSphere Application Server.
  1. Exit and restart Installation Manager. Click Cancel -> File -> Exit.
    Note:
    
    Do not use Back to return to the data-entry panel.
  2. You do not have to reenter the repository information. Continue with Step 6.
In the Server Or Cluster To Deploy panel, select the WebSphere environment where you want to update the product components.
Click Next.
If you are updating the policy manager console, specify the password in the Tivoli Integrated Portal Install Details panel.
Confirm that the other values are correct and click Next.
User name

Specifies the name of the administrator for the console. The default value is tipadmin.

User password

Specifies a password for the administrator.

Verify user password

Specifies the password again for verification.

Console HTTP port

Specifies the port number for connecting to the console with a web browser. You can specify a specific port number or accept the default. The default port number is 16310.

Location to install Tivoli Integrated Portal (TIP)
Specifies the fully qualified name of the directory where the Tivoli Integrated Portal is installed.
The default installation directory is:
AIX, Linux, Linux on System z, or Solaris
/opt/IBM/tivoli/tip
Windows
C:\Program Files\tivoli\tip
Review the summary information and click Update. Installation Manager starts gathering files.
Click Finish to complete the installation.
Exit Installation Manager by clicking File -> Exit.
Continue with the appropriate action:
- If you installed the update on a stand-alone server, continue with step 26.
- If you installed the update in a clustered environment, complete the following steps to ensure that the repository plug-in files are available to all the shared nodes in your cluster:
  1. Locate the plug-in JAR files.
    After you install Tivoli Security Policy Manager, the plug-ins are on the deployment manager server:
    Windows
    TSPM_INSTALL_DIR\plugins\com.ibm.ws.repository_6.2.0.jar
    
    TSPM_INSTALL_DIR\plugins\com.ibm.tspm.repository.datasource_7.1.0.jar
    AIX, Linux, or Solaris
    TSPM_INSTALL_DIR/plugins/com.ibm.ws.repository_6.2.0.jar
    
    TSPM_INSTALL_DIR/plugins/com.ibm.tspm.repository.datasource_7.1.0.jar
  2. Copy both JAR files to the following path on each WebSphere Application Server installation that contains a node profile in the cell:
    
    Windows
    
    WAS_HOME\plugins
    
    AIX, Linux, or Solaris
    
    WAS_HOME/plugins
If you installed the upgrade in a clustered environment, verify that the WS-Notification and Tivoli Security Policy Manager modules are mapped:
1. Log in to the WebSphere Application Server console for the Deployment Manager and take the action for your version of WebSphere:
  - On WebSphere Application Server 6.1, click Enterprise Applications.
  - On WebSphere Application Server 7.0, click Applications -> Applications Types -> WebSphere Enterprise Applications.
2. For each of the following applications, click the module name and then click Manage Modules.
  
  IBM Tivoli Security Policy Manager
  
  The Tivoli Security Policy Manager module.
  
  TsmEPListener.cluster1
  
  TsmEPListener is the module name and cluster1 is the name of your cluster.
  
  sibws.cluster1
  
  sibws is the module name and cluster1 is the name of your cluster.
3. Ensure that each module shows a mapping to the cluster and the web server. If any applications are not mapped, complete the steps in Mapping the WS-Notification and Tivoli Security Policy Manager modules to the cluster. Then, return to this topic.
4. Continue with step 21.
Refresh the WebSphere OSGi cache:
1. Stop the WebSphere Application Server for the policy manager. In a cluster, stop the cluster, including the node agents and the deployment manager.
2. Run the OSGi configuration script to refresh the WebSphere OSGi cache. In a cluster, run the script on each node.
  - AIX, Linux, Linux on System z, or Solaris
```
WAS_HOME/profiles/profile_name/bin/osgiCfgInit.sh
```
  - Windows
```
WAS_HOME\profiles\profile_name\bin\osgiCfgInit.bat
```
3. Start the WebSphere Application Server for the policy manager. In a cluster, start the cluster, including the node agents and the deployment manager.
  Windows:
  Go to C:\Program Files\IBM\tivoli\tip\profiles\TIPProfile\bin
  1. Stop the server with the following command:
    stopServer.bat -server1 -username adminname -password adminpassword
  2. Start the server with the following command:
    startServer.bat server1
  AIX, Linux, or Solaris
  Go to /opt/IBM/tivoli/tip/profiles/TIPProfile/bin
  1. Stop the server with the following command:
    stopServer.sh -server1 -username adminname -password adminpassword
  2. Start the server with the following command:
    startServer.sh server1

What to do next

Continue with the updates that are appropriate for your environment:

Updating the Tivoli runtime security services server
Updating the Tivoli runtime security services client
Updating the Tivoli Security Policy Manager software development kit
Updating the Runtime Security Services software development kit

Updating the Tivoli runtime security services server

You can update the Tivoli runtime security services server package with the fix pack installation files that are downloaded from the Customer Support website.

Procedure

Start Installation Manager.
For a WebSphere cluster, start Installation Manager on the WebSphere Application Server deployment manager.
AIX, Linux, Linux on System z, or Solaris
1. Open a command-line window and navigate to the directory containing Installation Manager.
  The default installation directory is:
```
/opt/IBM/InstallationManager/eclipse
```
2. Start the program.
```
IBMIM
```
Windows

Click Start -> All Programs -> IBM Installation Manager -> IBM Installation Manager.
Click File -> Preferences.
Configure a repository connection. This step specifies the location of the fix pack installation files.
1. Click Add Repository.
2. Browse to the directory containing the extracted files from the archive file.
3. Locate the repository configuration file. For example, if you extracted the fix pack files in C:\Temp on a Windows system:
```
C:\Temp\policy\delta.7104\repository.config
```
4. Click OK to add the location as a repository.
5. Optional: Click Test Connections.
6. Verify that you get the message:
```
All repositories are connected
```
Verify that the Fix Pack repository you want to install now is listed at the bottom of the repository list. This order ensures that Installation Manager installs the files for this fix pack last.
Click OK.
Note:

Depending on your network configuration, you also might need to configure proxy settings or adjust your firewall settings.
Click Update.
The Update Packages panel displays package groups. The RTSS package group is highlighted. Click Next.
On the Update Packages panel, select the Version 7.1.0.4 package. Click Next.
After reading the license agreement:
- To continue the installation, select I accept the terms in the license agreement and click Next.
- To cancel the installation, select I do not accept the terms in the license agreement and click Cancel.
The Update Packages panel displays the features to update. The Authorization Service package is highlighted. Click Next.
Confirm the values in the Connection Details panel and click Next.
Installation Manager displays current values for:

SOAP port

Specifies the port value that is used by WebSphere Application Server for SOAP communications.

Security enabled

Specifies whether communication with WebSphere Application Server occurs only over secure connections.
Note:

Clear Security enabled only if instructed to do so by IBM Support personnel.
Specify the necessary passwords on the Security Details panel.
Verify that the supplied values for the other properties are correct and click Next.
Supply a password for the administrative user and for the truststore. If your deployment uses the keystore, supply a password for it.
Note:

If your deployment does not have security enabled, you cannot specify these values.

Administrative user name

Required. Specifies the user name of the administrator that is managing the WebSphere Application Server instance. The default value is wasadmin.

Administrative user password

Required. Specifies the password for the WebSphere Application Server administrator.

Truststore location

Required. Specifies the fully qualified path and name of the truststore for WebSphere Application Server.

Truststore password

Required. Specifies the password for the truststore.

Keystore location

Optional. Specifies the keystore location used by the WebSphere server to establish a secure connection with the installation program. If you are using the default keystore, the location is blank.

Keystore password

Optional. Specifies the password for the keystore if a location was specified.
In the Queried WebSphere Server Information panel, verify that the listed values are correct for the WebSphere Application Server instance and perform one of the following actions:
Note:

If you are installing in a WebSphere cluster, the displayed text shows the correct cell name, but incorrectly shows the server name as one of the nodes.
- If the information is correct, click Next.
- If this information is not correct, an error indicates that the data cannot be confirmed with WebSphere Application Server:
  1. Exit and restart Installation Manager. Click Cancel -> File -> Exit.
    Note:
    
    Do not use Back to return to the data entry panel.
  2. You do not need to add the repositories to Installation Manager. Continue with Step 6.
In the Server Or Cluster To Deploy panel, select the WebSphere environment where you are installing the product components. Click Next.
Review the summary information and click Update to begin the installation.
Click Finish to complete the installation.
Exit Installation Manager by clicking File -> Exit.

What to do next

Verify that you can issue administration commands to the runtime security services server.
For example, you can use the administration console to verify that the runtime security services audit settings are visible.
Verify that you can distribute policy to a policy distribution target.
See the Tivoli Security Policy Manager Administration Guide for instructions on how to distribute policy.
Update the runtime security services clients.

Updating the Tivoli runtime security services client

You can update the Tivoli runtime security services package with the fix pack installation files that are downloaded from the Customer Support website.

Procedure

Start Installation Manager.
For a WebSphere cluster, start Installation Manager on the WebSphere Application Server deployment manager.
AIX, Linux, Linux on System z, or Solaris
1. Open a command-line window and navigate to the directory containing Installation Manager.
  The default installation directory is:
```
/opt/IBM/InstallationManager/eclipse
```
2. Start the program.
```
IBMIM
```
Windows

Click Start -> All Programs -> IBM Installation Manager -> IBM Installation Manager.
Click File -> Preferences.
Configure a repository connection. This step specifies the location of the fix pack installation files.
1. Click Add Repository.
2. Browse to the directory containing the extracted files from the archive file.
3. Locate the repository configuration file. For example, if you extracted the fix pack files in C:\Temp on a Windows system:
```
C:\Temp\policy\delta.7104\repository.config
```
4. Click OK to add the location as a repository.
5. Optional: Click Test Connections. Verify that you get the message:
```
All repositories are connected
```
Verify that the fix pack repository you want to install now is listed at the bottom of the repository list. This order ensures that Installation Manager installs the files for this fix pack last.
Click OK.
Note:

Depending on your network configuration, you also might need to configure proxy settings or adjust your firewall settings.
Click Update.
The Update Packages panel displays package groups.
1. Verify that the RTSSClient package group is selected.
2. Click Next.
On the Update Packages panel, select the Version 7.1.0.4 package. Click Next.
After reading the license agreement:
- To continue the installation, select I accept the terms in the license agreement and click Next.
- To cancel the installation, select I do not accept the terms in the license agreement and click Cancel.
The Update Packages panel displays the installed features to update.
1. Verify that the required features Authorization Service Runtime and Policy Management Administration Agent are selected.
2. If the optional feature Web Services Application Enforcement is installed, verify that it is selected.
3. Click Next.
Confirm the values in the Connection Details panel and click Next.
Installation Manager displays current values for:

SOAP port

Specifies the port value that is used by WebSphere Application Server for SOAP communications.

Security enabled

Specifies whether communication with WebSphere Application Server occurs only over secure connections.
Note:

Clear Security enabled only if instructed to do so by IBM Support personnel.
Specify the necessary passwords on the Security Details panel. Verify that the supplied values for the other properties are correct. Click Next.
Supply a password for the administrative user and for the truststore.
If your deployment uses the keystore, supply a password for it.
Note:

If your deployment does not have security enabled, you cannot specify these values.

Administrative user name

Required. Specifies the user name of the administrator that is managing the WebSphere Application Server instance. The default value is wasadmin.

Administrative user password

Required. Specifies the password for the WebSphere Application Server administrator.

Truststore location

Required. Specifies the fully qualified path and name of the truststore for WebSphere Application Server.

Truststore password

Required. Specifies the password for the truststore.

Keystore location

Optional. Specifies the keystore location used by the WebSphere server to establish a secure connection with the installation program. If you are using the default keystore, the location is blank.

Keystore password

Optional. Specifies the password for the keystore if a location was specified.
In the Queried WebSphere Server Information panel, verify that the listed values are correct for the WebSphere Application Server instance and perform one of the following actions:
Note:

For a WebSphere cluster, the displayed text shows the correct cell name, but incorrectly shows the server name as one of the nodes.
- If the information is correct, click Next.
- If this information is not correct, an error is displayed indicating that the data could not be confirmed with WebSphere Application Server:
  1. Exit and restart Installation Manager. Click Cancel -> File -> Exit.
    Note:
    
    Do not use Back to return to the data entry panel.
  2. You do not need to add the repositories to Installation Manager. Continue with Step 6.
In the Server Or Cluster To Deploy panel, select the WebSphere environment where you are installing the product components. Click Next.
Review the summary information and click Update to begin the installation.
Click Finish to complete the installation.
Exit Installation Manager by clicking File -> Exit.

What to do next

Update and verify the client configuration. Use the following links to complete the configuration. The links point to configuration tasks on the Tivoli Security Policy Manager information center.

Local client mode:
- Standalone WebSphere Application Server deployment
  1. Deploy the client in local mode.
  2. Configure a policy enforcement point in local mode.
  3. Verify that you can issue administration commands to the runtime security services server.
    For example, you can use the administration console to verify that the runtime security services audit settings are visible.
  4. Verify that you can distribute policy to a policy distribution target.
    See the Tivoli Security Policy Manager Administration Guide for instructions on how to distribute policy.
- WebSphere Cluster deployments
  1. Deploy the client in local mode.
  2. Configure a policy enforcement point in local mode.
  3. Verify that you can issue administration commands to the runtime security services server.
    For example, you can use the administration console to verify that the runtime security services audit settings are visible.
  4. Verify that you can distribute policy to a policy distribution target.
    See the Tivoli Security Policy Manager Administration Guide for instructions on how to distribute policy.
Remote client configuration and verification:
- Standalone WebSphere Application Server deployments
  1. Deploy the client in remote mode.
  2. Configure a policy enforcement point on the client in remote mode.
  3. Configure SSL for the runtime security services client in remote mode.
  4. If you want to verify that a runtime security services client is configured correctly in remote mode, use your deployed application to verify that you get the appropriate permit and deny access decisions.
- Cluster deployments
  1. Deploy the client in remote mode.
  2. Configure a policy enforcement point on the client in remote mode.
  3. Configure SSL for the runtime security services client in remote mode.
  4. If you want to verify that a runtime security services client is configured correctly in remote mode, use your deployed application to verify that you get the appropriate permit and deny access decisions.

Updating the Tivoli Security Policy Manager software development kit

You can update the Tivoli Security Policy Manager software development kit package with the fix pack installation files.

Procedure

Start Installation Manager.
For a WebSphere cluster, start Installation Manager on the WebSphere Application Server deployment manager.
AIX, Linux, Linux on System z, or Solaris
1. Open a command-line window and navigate to the directory containing Installation Manager.
  The default installation directory is:
```
/opt/IBM/InstallationManager/eclipse
```
2. Start the program.
```
IBMIM
```
Windows

Click Start -> All Programs -> IBM Installation Manager -> IBM Installation Manager.
Click File -> Preferences.
Configure a repository connection. This step specifies the location of the fix pack installation files.
1. Click Add Repository.
2. Browse to the directory containing the extracted files from the archive file.
3. Locate the repository configuration file. For example, if you extracted the fix pack files in C:\Temp on a Windows system:
```
C:\Temp\policy\delta.7104\repository.config
```
4. Click OK to add the location as a repository.
5. Optional: Click Test Connections.
6. Verify that you get the message:
```
All repositories are connected
```
Verify that the Fix Pack repository you want to install now is listed at the bottom of the repository list. This order ensures that Installation Manager installs the files for this fix pack last.
Click OK.
Note:

Depending on your network configuration, you also might need to configure proxy settings or adjust your firewall settings.
Click Update.
The Update Packages panel displays package groups. The TSPM package group is highlighted. Click Next.
On the Update Packages panel, select the Version 7.1.0.4 package. Click Next.
After reading the license agreement:
- To continue the installation, select I accept the terms in the license agreement and click Next.
- To cancel the installation, select I do not accept the terms in the license agreement and click Cancel.
The Update Packages panel highlights the Software Development Kit package. Confirm that the package is correct and click Next
Review the summary information and click Update to begin the installation.
Click Finish to complete the installation.
Exit Installation Manager by clicking File -> Exit.

Updating the Runtime Security Services software development kit

You can update the Runtime Security Services software development kit package by installing the fix pack installation files.

Procedure

Start Installation Manager.
For a WebSphere cluster, start Installation Manager on the WebSphere Application Server deployment manager.
AIX, Linux, Linux on System z, or Solaris
1. Open a command-line window and navigate to the directory containing Installation Manager.
  The default installation directory is:
```
/opt/IBM/InstallationManager/eclipse
```
2. Start the program.
```
IBMIM
```
Windows

Click Start -> All Programs -> IBM Installation Manager -> IBM Installation Manager.
Click File -> Preferences.
Configure a repository connection. This step specifies the location of the fix pack installation files.
1. Click Add Repository.
2. Browse to the directory containing the extracted files from the archive file.
3. Locate the repository configuration file. For example, if you extracted the fix pack files in C:\Temp on a Windows system:
```
C:\Temp\policy\delta.7104\repository.config
```
4. Click OK to add the location as a repository.
5. Optional: Click Test Connections.
6. Verify that you get the message:
```
All repositories are connected
```
Verify that the Fix Pack repository you want to install now is listed at the bottom of the repository list. This order ensures that Installation Manager installs the files for this fix pack last.
Click OK.
Note:

Depending on your network configuration, you also might need to configure proxy settings or adjust your firewall settings.
Click Update.
The Update Packages panel displays package groups. The RTSS package group is highlighted. Click Next.
On the Update Packages panel, select the Version 7.1.0.4 package. Click Next.
After reading the license agreement:
- To continue the installation, select I accept the terms in the license agreement and click Next.
- To cancel the installation, select I do not accept the terms in the license agreement and click Cancel.
The Update Packages panel highlights the packages that are installed. This includes Software Development Kit package and can include Software Development Kit and Samples and Portal Application Enforcement Software Development Kit. Confirm that the packages are correct and click Next.
Review the summary information and click Update to begin the installation.
Click Finish to complete the installation.
Exit Installation Manager by clicking File -> Exit.

Rolling back or uninstalling fix pack files

Use Installation Manager to roll back or uninstall a set of software packages.

Installation Manager supports two different tasks for removing the fix pack files. You must choose which task you want to do.

The Installation Manager graphical user interface has icons for Roll back and Uninstall.

Roll back
In one session, Installation Manager:
1. Saves the necessary configuration files.
2. Uninstalls the files for Fix Pack 7.1.0.4.
3. Installs the Version 7.1.0.0, 7.1.0.1, 7.1.0.2 or 7.1.0.3 files, depending on the version you used before you installed Fix Pack 7.1.0.4.
4. Places the saved configuration files back into the correct locations.
Uninstall
In one Installation Manager session, uninstalls the files for Fix Pack 7.1.0.4 and all previously installed versions. You can remove files on a package or feature level.

Select the instructions that are appropriate for your deployment:

To roll back an installation, follow a set of instructions that guide you through the file rollback and component configuration steps that are needed to restore a fully functional Version 7.1.0 deployment. See Rolling back Fix Pack 7.1.0.4
To uninstall the fix pack files without rolling back to a previous version, continue with the instructions in this Readme file.

Rolling back Fix Pack 7.1.0.4

Use Installation Manager to roll back the fix pack and return to a Version 7.1.0 configuration.

About this task

The Installation Manager application provides a roll back option so you can return Tivoli Security Policy Manager to a Version 7.1.0 configuration.

Note:

The roll back process is separate from the Installation Manager uninstallation process. The Installation Manager uninstallation removes files for the Fix Pack and Version 7.1.0. If you want to completely remove Tivoli Security Policy Manager from your deployment, see Uninstalling both Fix Pack 7.1.0.4 and Version 7.1.0 files.

Installation Manager provides a graphical user interface for the roll back process, but does not prompt for configuration properties. You must edit properties files before running Installation Manager. Installation Manager automatically saves configuration files, uninstalls the fix pack files, installs the Version 7.1.0 files, and restores the saved configuration files.

Note:

All packages in a deployment must be at the same level. If you roll back one package, you must roll back the other packages. Tivoli Security Policy Manager does not support deployments that mix Version 7.1.0 packages with Version 7.1.0.4 packages.

Procedure

Review and modify the configuration properties files.
See Setting properties for rollback.
Use Installation Manager to run the roll back process.
See Using Installation Manager to roll back to a previous version.

Setting properties for rollback

You must manually edit the properties files before starting the Installation Manager rollback process. The process obtains properties directly from the product properties files and does not offer an opportunity for verifying or modifying them.

Installation Manager and Tivoli Security Policy Manager do not store values for passwords in properties files. You must manually insert values for passwords into each property file.

Table 3. Properties files to edit for rollback
Package	Administration properties files	Installation Manager properties files
Tivoli Security Policy Manager	admin.client.properties tip.admin.client.properties tip.properties	installed.xml installRegistry.xml
Tivoli Security Policy Manager Software Development Kit	none	none
Runtime Security Services Server	admin.client.properties	installed.xml installRegistry.xml
Runtime Security Services Client	admin.client.properties	installed.xml installRegistry.xml
Runtime Security Service Software Development Kit	none	none

Follow the instructions for editing each property file that applies to the package that you want to roll back.

To roll back the Tivoli Security Policy Manager package:
To roll back the Runtimes Security Service Server package or Runtime Security Services Client package:
1. Editing password properties for Installation Manager
2. Setting administration client properties
To roll back only the Tivoli Security Policy Manager Software Development Kit or the Runtime Security Services Software Development Kit, you do not need to edit any files.

After you have modified the properties files, use Installation Manager to roll back the product files. See Using Installation Manager to roll back to a previous version.

Editing password properties for Installation Manager

Insert values for necessary passwords into properties used by Installation Manager.

About this task

Installation Manager requires values for several passwords in order to complete the roll back process. Installation Manager does not store passwords. Because the Installation Manager roll back process does not supply a method to enter the password values through a graphical panel, you must manually insert password values into two properties files.

Note:

If you are rolling back only the software development kit packages, you do not have to complete this task. Installation Manager does not need passwords to roll back either the Tivoli Security Policy Manager Software Development Kit package or the Runtime Security Services Software Development Kit package.

Procedure

Change directory to the location of the two properties files.
Both files are located in the Installation Manager agent data location. The agent data location is the directory that Installation Manager uses for data that is associated with an application.

The installing user may override the default data location by using the Installation Manager -dataLocation switch and if this has been done when installing TSPM or RTSS components, the two files that will need updating will reside in that location rather than in the default locations listed below.

Additionally, the default location of the agent data location will differ depending whether an admininstrative (root) or non-administrative type installation of Installation Manager was done. If an administrative user installed Installation Manager using the 'install' command then this is considered an administrative install. If the 'userinst' command was used to install the Installation Manager then this is considered to be a non-administrative install.
Administrative installation default agent data location
- Linux and UNIX
```
/var/ibm/InstallationManager
```
- Administrative installation agent data location on Windows Vista and Windows 2008
```
C:\ProgramData\IBM\Installation Manager
```
- Administrative installation agent data location on Windows 2000 and Windows XP
```
C:\Documents and Settings\All Users\Application Data\IBM\Installation Manager
```
Non-admininistrative installation default agent data location
- Linux and UNIX
```
<user home>/var/ibm/InstallationManager
```
- Windows Vista and Windows 2008
```
C:\Users\<user>\AppData\Roaming\IBM\InstallationManager
```
- Windows 2000 and Windows XP
```
C:\Documents and Settings\<user>\Application Data\IBM\Installation Manager
```
Open the file installRegistry.xml for editing. Specify the password properties needed for the package that you are rolling back.
- When rolling back the Tivoli Security Policy Manager package:
  - The following properties are required:
```
<property name='user.wasAdminUserPwd' value='ExamplePasswOrdForWASAdmin'/>
<property name='user.wasTruststorePwd' value='ExamplePasswOrdForWAStruststore'/>
<property name='user.tipAdminUserPwd' value='ExamplePasswOrdForTIPAdmin'/>
```
  - The following property is optional. If you have specified a WebSphere keystore file, specify the password for it:
```
<property name='user.wasKeystorePwd' value='ExamplePasswOrdForWASKeystore'/>
```
- When rolling back the runtime security services server package or runtime security services client package:
  - The following properties are required:
```
<property name='user.wasAdminUserPwd' value='ExamplePasswOrdForWASAdmin'/>
<property name='user.wasTruststorePwd' value='ExamplePasswOrdForWAStruststore'/>
```
  - The following property is optional. If you have specified a WebSphere keystore file, specify the password for it:
```
<property name='user.wasKeystorePwd' value='ExamplePasswOrdForWASKeystore'/>
```
- When rolling back the Tivoli Security Policy Manager Software Development Kit or the Runtime Security Services Software Development Kit, you do not have to edit any properties.
Repeat the above step for the file Installed.xml.
There is a possible known issue with some properties within these two files. Refer to the Known Issues section and review all items listed before proceeding.

Ensure you save and close the file before starting Installation Manager.

Setting administration client properties

Specify and verify values in the administration client properties file, in order to use Installation Manager to roll back your deployment to a previous version. Although you supplied these values during the Fix Pack installation, password values are not stored and must be manually inserted. You must also verify that other values, such as truststore names, are correct.

About this task

For a complete description of the administration client file properties, see Administration client properties file.

Procedure

Open the properties file for editing.
The default installation location is:
```
<TSPM_installation_dir>/etc/admin.client.properties
```
Verify that the property is set for the SSL truststore.
The application uses this truststore when communicating with WebSphere Application Server. For example:
```
javax.net.ssl.trustStore=C\:\\Program Files\\IBM\\WebSphere\\AppServer\\
  profiles\\AppSrv01\\etc\\trust.p12
```

Enter the password for the SSL truststore.

For example:

javax.net.ssl.trustStorePassword=<your_trustStore_password>

Verify that the WebSphere administrative user name is correct.
For example:
```
username=wasadmin
```
Enter the password for the WebSphere administrative user.
For example:
```
password=<your_WebSphere_adminstrator_password>
```
If your deployment uses a keystore for configuring SSL between WebSphere and the installation program, verify that the keystore property is set correctly.
Note:

When the default location for the keystore is used, this property does not require a value. You must supply a value for javax.net.ssl.keyStore only when the default location is not used.

Default value:
```
javax.net.ssl.keyStore=
```
If your deployment uses an SSL keystore, enter the password for the keystore.
For example:
```
javax.net.ssl.keyStorePassword=<your_keyStore_password>
```
Do not modify any of the other properties in the properties file.
The file contains other properties that are used by Installation Manager and WebSphere. Do not modify the values when using the Installation Manager roll back process.

Example file

The example shows a properties file with password values manually inserted for the rollback process. The properties file, when stored on the file system, does not contain password values.

Figure 1. Example admin.client.properties file, with password values inserted

#Wed Sep 15 15:13:10 CDT 2010
javax.net.ssl.trustStore=C\:\\Program Files\\IBM\\WebSphere\\AppServer\\
      profiles\\AppSrv01\\etc\\trust.p12
port=8880
cacheDisabled=true
securityEnabled=true
username=wasadmin
javax.net.ssl.keyStore=
ssl.disable.url.hostname.verification=true
javax.net.ssl.trustStorePassword=myTrustStOrePasswOrD
type=SOAP
javax.net.ssl.keyStorePassword=myKeyStOrePasswOrD
location=remote
password=myWASAdminPasswOrD
autoAcceptSignerForThisConnectionOnly=true
host=localhost

What to do next

If your rollback includes the Tivoli Security Policy Manager console, go to Setting Tivoli Integrated Portal administration client properties.
If you have finished editing configuration properties, go to Using Installation Manager to roll back to a previous version.

Administration client properties file

The administration client properties file contains configuration and communication properties for Tivoli Security Policy Manager components and for runtime security services components.

The Installation Manager application uses this file. For most Installation Manager processes, you supply values for some of the properties in this file through the graphical user interface. However, for the Installation Manager roll back process, Installation Manager does not prompt for values for any properties. For the rollback process, you must supply values for passwords and verify the values for other properties, such as truststore and keystore locations.

Note:

Tivoli Security Policy Manager does not maintain password values in properties files. You must supply values for use during the Installation Manager process. For installation processes, you supply the values through by the installation wizard. For the rollback process, you must enter the values manually.

The properties file also contains some properties which are used internally by Installation Manager for communicating with the administration client for WebSphere Application Server. Do not edit these internal properties. The following descriptions identify the properties that must not be modified.

The default installation location for the file is:

<TSPM_installation_dir>/etc/admin.client.properties

For examples of how these properties appear in the file, see Example admin.client.properties.
For instructions on how to edit this file for the rollback process, see Setting administration client properties.

Properties

javax.net.ssl.trustStore

Specifies the fully qualified path and name of the truststore for WebSphere Application Server. For example:

javax.net.ssl.trustStore=C\:\\Program Files\\IBM\\WebSphere\\AppServer\\
   profiles\\AppSrv01\\etc\\trust.p12

For the rollback process, verify that this value is correct for your current deployment.

port

Specifies the port value that is used by WebSphere Application Server for SOAP communications. The default port value is 8880 for a stand-alone server. Do not modify this value for the Installation Manager roll back process.

cache-disabled

Specifies whether the WebSphere administration client uses an internal cache. This property is internal to the WebSphere administration client. Do not modify it.

securityEnabled

Specifies whether communication with WebSphere Application Server occurs only over secure connections. This option is true by default and ensures that communications between Tivoli Security Policy Manager and WebSphere Application Server are always encrypted. Do not modify this value for the Installation Manager roll back process.

username

Specifies the user name of the administrator that is managing the WebSphere Application Server instance. The default value is wasadmin. For example:

username=wasadmin

For the rollback process, verify that this value is correct for your current deployment.

javax.net.ssl.keyStore

Specifies the keystore location used by the WebSphere server to establish a secure connection with the installation program. If you are using the default keystore, you can leave the location blank. For example:

javax.net.ssl.keyStore=

For the rollback process, verify that this value is correct for your current deployment.

ssl.disable.url.hostname.verification

Specifies whether host name verification is disabled by default for URL connections. Host name verification checks that the X509 Certificate Common Name (CN) matches the host name from which it is received. This property is internal to the WebSphere administration client. Do not modify it.

javax.net.ssl.trustStorePassword

Specifies the password for the truststore. For example:

javax.net.ssl.trustStorePassword=<your_password>

type

The type of connector used by the WebSphere administration client. Possible values include SOAP, RMI, and JMS. Do not modify this value for the Installation Manager roll back process.

javax.net.ssl.keyStorePassword

Specifies the password for the keystore location used by the WebSphere server to establish a secure connection with the installation program. For example:

javax.net.ssl.keyStorePassword=<your_password>

location

This property is internal to the WebSphere administration client. Do not modify it.

password

Specifies the password for the WebSphere Application Server administrator. For example:

password=<WebSphere_administrative_user_password>

autoAcceptSignerForThisConnectionOnly

Specifies whether the WebSphere administration client programmatically trusts the connection, without storing the signer in the local truststore. This property is internal to the WebSphere administration client. Do not modify it. For example:

autoAcceptSignerForThisConnectionOnly=true

host

The name of the host that runs WebSphere Application Server for the administration client. This value is internal to the WebSphere administration client. Do not modify it.

Example admin.client.properties

The example file does not display any values for password properties. The file, when stored on the file system, does not contain passwords.

Figure 2. Example admin.client.properties

#Wed Sep 15 15:13:10 CDT 2010
javax.net.ssl.trustStore=C\:\\Program Files\\IBM\\WebSphere\\AppServer\\
   profiles\\AppSrv01\\etc\\trust.p12
port=8880
cacheDisabled=true
securityEnabled=true
username=wasadmin
javax.net.ssl.keyStore=
ssl.disable.url.hostname.verification=true
javax.net.ssl.trustStorePassword=
type=SOAP
javax.net.ssl.keyStorePassword=
location=remote
password=
autoAcceptSignerForThisConnectionOnly=true
host=localhost

Setting Tivoli Integrated Portal administration client properties

Specify and verify values in the Tivoli Integrated Portal administration client properties file, in order to use Installation Manager to roll back your deployment to a previous version. Although you supplied these values during the Fix Pack installation, password values are not stored and must be manually inserted.

About this task

For a complete description of the Tivoli Integrated Portal administration client file properties, see Tivoli Integrated Portal administration client properties file.

Procedure

Open the properties file for editing.
The default installation location is:
```
<TSPM_installation_dir>/etc/tip.admin.client.properties
```
Verify the port number used for connecting to the console using a web browser.
For example:
```
port=16313
```
Verify that the Tivoli Integrated Portal administrative user name is correct.
For example:
```
username=tipdmin
```
Enter the password for the Tivoli Integrated Portal administrative user.
For example:
```
password=<your_TIP_adminstrator_password>
```
Do not modify any of the other properties in the file.
The properties file contains other properties that are used by WebSphere, and might contain entries for truststore and keystore configuration.

Note:

You do not have to specify passwords for either the truststore or keystore.

Example file

The example shows a properties file with password values manually inserted for the rollback process. The properties file, when stored on the file system, does not contain password values.

Figure 3. Example tip.admin.client.properties, with password entered for the Tivoli Integrated Portal administrator

#Mon Sep 27 14:46:11 CDT 2010
javax.net.ssl.trustStore=C\:\\Program Files\\IBM\\tip\\profiles\\TIPProfile\\
   etc\\trust.p12
port=16313
cacheDisabled=true
securityEnabled=true
username=tipadmin
ssl.disable.url.hostname.verification=true
javax.net.ssl.trustStorePassword=
type=SOAP
javax.net.ssl.keyStore=
javax.net.ssl.keyStorePassword=
location=remote
password=myTIPAdminPasswOrD
autoAcceptSignerForThisConnectionOnly=true
host=myhost.example.com

What to do next

Go to Setting Tivoli Integrated Portal properties.

Tivoli Integrated Portal administration client properties file

The Tivoli Integrated Portal administration client properties file contains configuration and communication properties for Tivoli Security Policy Manager components and for runtime security services components. The Installation Manager uses this file.

Note:

Tivoli Security Policy Manager does not maintain password values in properties files. You must supply values for use during the Installation Manager processes. For installation processes, you supply the values through by the installation wizard. For the rollback process, you must enter the values manually.

The default installation location for the file is:
```
<TSPM_installation_dir>/etc/tip.client.properties
```
For examples of how these properties appear in the file, see Example tip.admin.client.properties file.
For instructions on how to edit this file for the rollback process, see Setting Tivoli Integrated Portal administration client properties.

Properties

javax.net.ssl.trustStore

Optional. Specifies the fully qualified path and name of the truststore for WebSphere Application Server. Do not modify this property for the Installation Manager roll back process.

javax.net.ssl.trustStorePassword

Specifies the password for the truststore. For example:

javax.net.ssl.trustStorePassword=<your_password>

Note:

You do not need to specify this password for the roll back process.

port

Specifies the port number used for connecting to the console using a web browser.

The default port number is 16310. Do not modify this property for the Installation Manager roll back process.

cache-disabled

This value specifies whether the WebSphere administration client uses an internal cache. Do not modify this property for the Installation Manager roll back process.

securityEnabled

Specifies whether communication with WebSphere Application Server occurs only over secure connections. This option is true by default and ensures that communications between Tivoli Security Policy Manager and WebSphere Application Server are always encrypted. Do not modify this property for the Installation Manager roll back process.

username

Specifies the user name of the Tivoli Integrated Portal administrator. For example:

username=tipadmin

javax.net.ssl.keyStore

Optional. Specifies the keystore location used by the WebSphere server to establish a secure connection with the installation program. If you are using the default keystore, you can leave the location blank. You do not have to enter this password for the Installation Manager roll back process.

javax.net.ssl.keyStorePassword

Specifies the password for the keystore location used by the WebSphere server to establish a secure connection with the installation program. You do not have to enter this password for the Installation Manager roll back process.

ssl.disable.url.hostname.verification

type

The type of connector used by the WebSphere administration client. Possible values include SOAP, RMI, and JMS. Do not modify this value for the Installation Manager roll back process.

location

This value is internal to the WebSphere administration client. Do not modify this value for the Installation Manager roll back process.

password

Specifies the password for the Tivoli Integrated Portal administrator. For example:

password=<WebSphere_administrative_user_password>

host

The name of the host that runs WebSphere Application Server for the administration client. This value is internal to the WebSphere administration client. Do not modify this value for the Installation Manager roll back process.

Example tip.admin.client.properties file

The example file does not display any values for password properties. The file, when stored on the file system, does not contain passwords.

Figure 4. Example tip.admin.client.properties

#
javax.net.ssl.trustStore=C\:\\Program Files\\IBM\\tip\\profiles\\TIPProfile\\
   etc\\trust.p12
port=16313
cacheDisabled=true
securityEnabled=true
username=tipadmin
ssl.disable.url.hostname.verification=true
javax.net.ssl.trustStorePassword=
type=SOAP
javax.net.ssl.keyStore=
javax.net.ssl.keyStorePassword=
location=remote
password=
autoAcceptSignerForThisConnectionOnly=true
host=myhost.example.com

Setting Tivoli Integrated Portal properties

About this task

For a complete description of the Tivoli Integrated Portal properties, see Tivoli Integrated Portal properties file.

Procedure

Open the properties file for editing.
The default installation location is:
```
<TSPM_installation_dir>/etc/tip.properties
```
Verify the Tivoli Integrated Portal administrative user name.
For example:
```
tip.adminUser=tipadmin
```
Enter a value for the Tivoli Integrated Portal administration password.
For example:
```
tip.adminUserPwd=<your_password>
```
Do not modify the values of the other properties.

Example tip.properties file

The properties file does not contains passwords when stored on the file system. The example shows the file after you have manually inserted a password for use during the rollback process.

Figure 5. Example tip.properties, with password inserted for the administrative user

#Mon Sep 27 14:46:11 CDT 2010
tip.installLocation=C\:\\Program Files\\IBM\\tip
tip.adminUser=tipadmin
tip.consolePort=16310
tip.adminUserPwd=myTIPAdminPasswOrD

What to do next

If you have finished editing configuration properties files, go to Using Installation Manager to roll back to a previous version.
If you want to edit other properties file, see Setting properties for rollback.

Tivoli Integrated Portal properties file

The Tivoli Integrated Portal properties file contains configuration properties. The Installation Manager uses this file.

The Installation Manager processes for installation, update, and uninstallation present a graphical user interface for entering values. However, Installation Manager rollback process does not present a graphical user interface. For rollback, you must manually edit the file, and supply a value for the Tivoli Integrated Portal administrator password.

Some properties are used internally by Tivoli Integrated Portal for communicating with the administration client for WebSphere Application Server. Do not edit these internal properties. The following descriptions identify the properties that must not be modified.

The default installation location is:

<TSPM_installation_dir>/etc/tip.properties

For examples of how these properties appear in the file, see Example tip.properties file.
For instructions on how to edit this file for the rollback process, see Setting Tivoli Integrated Portal properties.

Properties

tip.installLocation

Fully qualified path name to the installation directory for the Tivoli Integrated Portal console. Do not modify this value for the Installation Manager roll back process.

tip.installLocation=C\:\\Program Files\\IBM\\tip

tip.adminUser

Specifies the user name of the Tivoli Integrated Portal administrator.

tip.consolePort

Specifies the port number used for connecting to the console using a web browser. The default port number is 16310. Do not modify this value for the Installation Manager roll back process.

tip.adminUserPwd

Specifies the password for the Tivoli Integrated Portal administrator. Enter a value for this property for the Installation Manager roll back process.

Example tip.properties file

The example file does not display any values for password properties. The file, when stored on the file system, does not contain passwords.

Figure 6. Example tip.properties

#
#Mon Sep 27 14:46:11 CDT 2010
tip.installLocation=C\:\\Program Files\\IBM\\tip
tip.adminUser=tipadmin
tip.consolePort=16310
tip.adminUserPwd=

Using Installation Manager to roll back to a previous version

Use Installation Manager to roll back your deployment to a previous version of the product.

The Installation Manager rollback process automatically saves aside configuration files, uninstalls the fix pack files, installs the Version 7.1.0 files, and restores the saved configuration files.

Important notes:

Perform roll back for each package that is installed. Some packages contain more than one feature or component. You must roll back the entire package.
All packages in a deployment must be at the same level. You cannot mix Version 7.1.0 packages with Version 7.1.0.4 packages.
The Tivoli Security Policy Manager packages and the Runtime Security Services packages in each deployment must be at the same level. This requirement includes deployments where the Tivoli Security Policy Manager server runs on a different computer from the Runtime Security Services server.
Installation Manager provides a graphical user interface for the rollback process, but does not prompt for configuration properties. You must edit properties files before running Installation Manager. See Setting properties for rollback.
If you run Installation Manager without first adding your password values to properties files, Installation Manager displays the following error:
```
Error during "pre-install configure" phase:
java.lang.ExceptionInitializerError
```
For more information on the required editing tasks, see Setting properties for rollback.
Fix Pack 7.1.0.4 does not support rollback of the Tivoli Security Policy Manager package when deployed into a WebSphere cluster. Version 7.1.0 did not support deployment of the Tivoli Security Policy Manager package into a WebSphere cluster. Rolling back to Version 7.1.0 is not supported because it results in loss of policy manager functionality within the cluster.

Package	Features
Tivoli Security Policy Manager	Tivoli Policy Platform
	Tivoli Security Policy Manager server
	Tivoli Security Policy Manager administration console
	Tivoli Integrated Portal console
	Tivoli Security Policy Manager configuration utility
Tivoli Security Policy Manager SDK	Software Development Kit and Samples
Runtime Security Services Server	Authorization Service
Runtime Security Services Client	Authorization Service
	Policy Management Administration Agent
	Web Services Application Enforcement
Runtime Security Services SDK	Software Development Kit and Samples
Runtime Security Services SDK	Portal Application Enforcement Software Development Kit

Follow the instructions for the package that you want to roll back:

Rolling back the policy manager package
Rolling back the runtime security services server
Rolling back the runtime security services client
Rolling back the Tivoli Security Policy Manager software development kit
Rolling back the Runtime Security Services software development kit

Rolling back the policy manager package

Use this procedure to interactively roll back the policy manager server, console, Tivoli Integrated Portal, and configuration tool.

Before you begin

Complete these tasks in the order listed before you roll back the policy manager components:

Ensure that WebSphere Application Server is running.
If necessary, save the response file for the Tivoli Security Policy Manager configuration tool.
If you created a response file for the Tivoli Security Policy Manager configuration tool in the /opt/IBM/TSPM directory hierarchy, back up the response file before you roll back Tivoli Security Policy Manager. Place the backup files in a directory that is separate from the Tivoli Security Policy Manager installation directory.
Set properties in the necessary properties file. Follow the instructions in Setting properties for rollback.
Note:
If you run Installation Manager without first adding your password values to the necessary properties file, Installation Manager displays the following error:
```
Error during "pre-install configure" phase:
java.lang.ExceptionInitializerError
```

Procedure

Start Installation Manager.
If installing into a WebSphere cluster, start Installation Manager on the WebSphere Application Server deployment manager.
AIX, Linux, Linux on System z, or Solaris
1. Open a command-line window and navigate to the directory containing Installation Manager.
  The default installation directory is:
```
/opt/IBM/InstallationManager/eclipse
```
2. Start the program.
```
IBMIM
```
Windows

Click Start > All Programs > IBM Installation Manager > IBM Installation Manager.
Select Roll back in the Installation Manager startup panel.
Select the IBM Tivoli Security Policy Manager package group. Click Next.
Select the IBM Tivoli Security Policy Manager package to roll back. Click Next.
Verify that the correct package is selected, then click Roll Back.
When the rollback completes, a panel indicates success or failure. Click Finish to exit.
Stop the WebSphere Application Server for the policy manager.
Run the OSGi configuration script to refresh the WebSphere OSGi cache.
- AIX, Linux, Linux on System z, or Solaris
```
WAS_HOME/profiles/profile_name/bin/osgiCfgInit.sh
```
- Windows
```
WAS_HOME\profiles\profile_name\bin\osgiCfgInit.bat
```
Start the WebSphere Application Server for the policy manager.
Windows:
Go to C:\Program Files\IBM\tivoli\tip\profiles\TIPProfile\bin
1. Stop the server with the following command:
  stopServer.bat -server1 -username adminname -password adminpassword
2. Start the server with the following command:
  startServer.bat server1
AIX, Linux, or Solaris
Go to /opt/IBM/tivoli/tip/profiles/TIPProfile/bin
1. Stop the server with the following command:
  stopServer.sh -server1 -username adminname -password adminpassword
2. Start the server with the following command:
  startServer.sh server1

Results

If you want, you can view the results of the Installation Manager process by using the Installation Manager log viewer to review the log file. If you have just completed a task, go to the Installation Manager landing page and click File > View Log . If you have already closed Installation Manager, start Installation Manager and click File > View Installation History. Select the package roll back that you want to view. For example, Tivoli Security Policy Manager. Then click View Log. The default Installation Manager log files are located in these directories: AIX, Linux, Linux on System z, or Solaris /var/ibm/InstallationManager/logs Windows 2000 and Windows XP Professional C:\Documents and Settings\All Users\Application Data\IBM\Installation Manager\logs Windows Vista and Windows 2008 C:\ProgramData\IBM\Installation Manager

What to do next

Verify that the packages that rolled back are active and correctly configured.

Verify that the version number on the Tivoli Integrated Portal console is 7.1.0.0.
Verify that the following files are located in <TSPM_installation_directory>/properties/version:
- Tivoli_Policy_Platform.7.1.0.cmptag
- Tivoli_Security_Policy_Manager.7.1.0.cmptag
- Tivoli_Security_Policy_Manager_for_Data_Entitlements.7.1.0.cmptag
Before running the roll back process, the corresponding file names in <TSPM_installation_directory>/properties/version are:
- Tivoli_Policy_Platform.7.1.0.fxptag
- Tivoli_Security_Policy_Manager.7.1.0.fxtag
- Tivoli_Security_Policy_Manager_for_Data_Entitlements.7.1.0.fxtag

Rolling back the runtime security services server

The WebSphere administrator uses the procedure in this topic to interactively roll back the runtime security services server.

Before you begin

Back up your new and edited registration property files before you roll back the runtime security services server. Place the backup files in a directory that is outside of the runtime security services server installation directory.
Ensure that the WebSphere Application Server where the runtime security services is deployed is running.
Ensure that the policy manager server is running.
Set properties in the administration client properties file. See Setting administration client properties.
Note:
If you run Installation Manager without first adding your password values to the properties file, Installation Manager displays the following error:
```
Error during "pre-install configure" phase:
java.lang.ExceptionInitializerError
```

About this task

This task applies to installations of the runtime security services server on either stand-alone WebSphere Application Servers or on WebSphere Network Deployment clusters.

Procedure

Start Installation Manager.
If installing into a WebSphere cluster, start Installation Manager on the WebSphere Application Server deployment manager.
AIX, Linux, Linux on System z, or Solaris
1. Open a command-line window and navigate to the directory containing Installation Manager.
  The default installation directory is:
```
/opt/IBM/InstallationManager/eclipse
```
2. Start the program.
```
IBMIM
```
Windows

Click Start > All Programs > IBM Installation Manager > IBM Installation Manager.
Select Roll back in the Installation Manager startup panel.
Select the IBM Tivoli Runtime Security Services package group. Click Next.
Select the IBM Tivoli Runtime Security Services Server package. Click Next.
Verify that the correct package is selected, then click Roll back.
The files are uninstalled and replaced with files from the previous version.
When the rollback completes, a panel indicates success or failure. Click Finish to exit.
Stop and restart WebSphere Application Server. If installing into a WebSphere cluster, restart the WebSphere Application Server cluster. Restart the deployment manager, cluster, and server, as appropriate

Results

If you want, you can view the results of the Installation Manager process by using the Installation Manager log viewer to review the log file. If you have just completed a task, go to the Installation Manager landing page and click File > View Log . If you have already closed Installation Manager, start Installation Manager and click File > View Installation History. Select the package roll back that you want to view. For example, Tivoli Security Policy Manager. Then click View Log. The default Installation Manager log files are located in these directories: AIX, Linux, Linux on System z, or Solaris /var/ibm/InstallationManager/logs Windows 2000 and Windows XP Professional C:\Documents and Settings\All Users\Application Data\IBM\Installation Manager\logs Windows Vista and Windows 2008 C:\ProgramData\IBM\Installation Manager

What to do next

Verify that the runtime security services server is correctly configured:

Verify that you can issue administration commands to the runtime security services server.
For example, you can use the administration console to verify that the runtime security services audit settings are visible.
Verify that you can distribute policy to a policy distribution target.
See the Tivoli Security Policy Manager Administration Guide for instructions on how to distribute policy.

Rolling back the runtime security services client

Uses the procedure in this topic to interactively roll back the runtime security services client.

Before you begin

Back up your new and edited registration property files before you roll back the runtime security services client. Place the backup files in a directory that is outside of the runtime security services client installation directory.
Ensure that the WebSphere Application Server where the client is deployed is running.
Set properties in the administration client properties file. See Setting administration client properties.
Note:
If you run Installation Manager without first adding your password values to the properties file, Installation Manager displays the following error:
```
Error during "pre-install configure" phase:
java.lang.ExceptionInitializerError
```

About this task

This task applies to installations of the runtime security services client on either stand-alone WebSphere Application Servers or on WebSphere Network Deployment clusters.

Procedure

Start Installation Manager.
If installing into a WebSphere cluster, start Installation Manager on the WebSphere Application Server deployment manager.
AIX, Linux, Linux on System z, or Solaris
1. Open a command-line window and navigate to the directory containing Installation Manager.
  The default installation directory is:
```
/opt/IBM/InstallationManager/eclipse
```
2. Start the program.
```
IBMIM
```
Windows

Click Start > All Programs > IBM Installation Manager > IBM Installation Manager.
Select Roll back in the Installation Manager startup panel.
Select the IBM Tivoli Runtime Security Services package group. Click Next.
Select the IBM Tivoli Runtime Security Services Client package. Click Next.
Verify that the correct package is selected, then click Roll back.
When the rollback completes, a panel indicates success or failure. Click Finish to exit.
Stop the WebSphere server instance.
Deploy the client and configure a policy enforcement point.
The instructions for this step are specific to the client mode (local or remote) and to the type of WebSphere server environment (stand-alone or cluster). Use the instructions that fit your deployment.
- Local client mode, on a stand-alone WebSphere server
  1. Follow the instructions in the topic: Deploying the client in local mode
  2. Follow the instructions in the topic: Configuring a policy enforcement point in local mode
  3. Verify that you can issue administration commands to the runtime security services server.
    For example, you can use the administration console to verify that the runtime security services audit settings are visible.
  4. Verify that you can distribute policy to a policy distribution target.
    See the Tivoli Security Policy Manager Administration Guide for instructions on how to distribute policy.
- Local client mode, in a WebSphere cluster
  1. Follow the instructions in:Deploying the client in local mode
  2. Follow the instructions in: Configuring a policy enforcement point in local mode
  3. Verify that you can issue administration commands to the runtime security services server.
    For example, you can use the administration console to verify that the runtime security services audit settings are visible.
  4. Verify that you can distribute policy to a policy distribution target.
    See the Tivoli Security Policy Manager Administration Guide for instructions on how to distribute policy.
- Remote client mode on a stand-alone WebSphere Application Server
  1. Follow the instructions in: Deploying the client in remote mode
  2. Follow the instructions in: Configuring a policy enforcement point on the client in remote mode
  3. Follow the instructions in: Setting up security on the runtime security services client in remote mode
  4. To verify that a runtime security services client is configured correctly in remote mode, use your deployed application to verify that you get the appropriate permit and deny access decisions.
- Remote client mode in a WebSphere cluster
  1. Follow the instructions in: Deploying the client in remote mode
  2. Follow the instructions in: Configuring a policy enforcement point on the client in remote mode
  3. Follow the instructions in:Setting up security on the runtime security services client in remote mode
  4. To verify that a runtime security services client is configured correctly in remote mode, use your deployed application to verify that you get the appropriate permit and deny access decisions.

Results

If you want, you can view the results of the Installation Manager process by using the Installation Manager log viewer to review the log file. If you have just completed a task, go to the Installation Manager landing page and click File > View Log . If you have already closed Installation Manager, start Installation Manager and click File > View Installation History. Select the package roll back that you want to view. For example, Tivoli Security Policy Manager. Then click View Log. The default Installation Manager log files are located in these directories: AIX, Linux, Linux on System z, or Solaris /var/ibm/InstallationManager/logs Windows 2000 and Windows XP Professional C:\Documents and Settings\All Users\Application Data\IBM\Installation Manager\logs Windows Vista and Windows 2008 C:\ProgramData\IBM\Installation Manager

What to do next

Verify that the following files are in /opt/IBM/RTSSClient/properties/version:

Tivoli_Security_Policy_Manager_Runtime_Security_Services.7.1.0.cmptag
Tivoli_Security_Policy_Manager.7.1.0.swtag

Rolling back the Tivoli Security Policy Manager software development kit

The WebSphere administrator uses the procedure in this topic to interactively roll back the Tivoli Security Policy Manager Software Development Kit.

Procedure

Start Installation Manager.
If installing into a WebSphere cluster, start Installation Manager on the WebSphere Application Server deployment manager.
AIX, Linux, Linux on System z, or Solaris
1. Open a command-line window and navigate to the directory containing Installation Manager.
  The default installation directory is:
```
/opt/IBM/InstallationManager/eclipse
```
2. Start the program.
```
IBMIM
```
Windows

Click Start > All Programs > IBM Installation Manager > IBM Installation Manager.
Select Roll back in the Installation Manager startup panel.
Select the TSPM package group. Click Next.
Select the TSPM-SDK installation package. Click Next.
Verify that the correct package is selected, then click Roll back.
When the rollback completes, a panel indicaties success or failure. Click Finish to exit.

Results

If you want, you can view the results of the Installation Manager process by using the Installation Manager log viewer to review the log file. If you have just completed a task, go to the Installation Manager landing page and click File > View Log . If you have already closed Installation Manager, start Installation Manager and click File > View Installation History. Select the package roll back that you want to view. For example, Tivoli Security Policy Manager. Then click View Log. The default Installation Manager log files are located in these directories: AIX, Linux, Linux on System z, or Solaris /var/ibm/InstallationManager/logs Windows 2000 and Windows XP Professional C:\Documents and Settings\All Users\Application Data\IBM\Installation Manager\logs Windows Vista and Windows 2008 C:\ProgramData\IBM\Installation Manager

Rolling back the Runtime Security Services software development kit

The WebSphere administrator uses the procedure in this topic to interactively roll back the Tivoli Runtime Security Services Software Development Kit.

Procedure

Start Installation Manager.
If installing into a WebSphere cluster, start Installation Manager on the WebSphere Application Server deployment manager.
AIX, Linux, Linux on System z, or Solaris
1. Open a command-line window and navigate to the directory containing Installation Manager.
  The default installation directory is:
```
/opt/IBM/InstallationManager/eclipse
```
2. Start the program.
```
IBMIM
```
Windows

Click Start > All Programs > IBM Installation Manager > IBM Installation Manager.
Select Roll back in the Installation Manager startup panel.
Select the RTSS package group. Click Next.
Select the RTSS-SDK installation package. Click Next.
Verify that the correct package is selected, then click Roll back.
When the rollback completes, a panel indicates success or failure. Click Finish to exit.

Results

If you want, you can view the results of the Installation Manager process by using the Installation Manager log viewer to review the log file. If you have just completed a task, go to the Installation Manager landing page and click File > View Log . If you have already closed Installation Manager, start Installation Manager and click File > View Installation History. Select the package roll back that you want to view. For example, Tivoli Security Policy Manager. Then click View Log. The default Installation Manager log files are located in these directories: AIX, Linux, Linux on System z, or Solaris /var/ibm/InstallationManager/logs Windows 2000 and Windows XP Professional C:\Documents and Settings\All Users\Application Data\IBM\Installation Manager\logs Windows Vista and Windows 2008 C:\ProgramData\IBM\Installation Manager

Uninstalling both Fix Pack 7.1.0.4 and Version 7.1.0 files

Use Installation Manager to uninstall both the Fix Pack 7.1.0.4 and the Version 7.1.0 files. If Version 7.1.0.1 or Version 7.1.0.2 files were previously installed, they are also removed.

Before you begin

If you are uninstalling the Tivoli Security Policy Manager package and previously created a response file that you want to use later, save the response file before uninstalling the product.

If you created a response file for the Tivoli Security Policy Manager configuration tool in the /opt/IBM/TSPM directory hierarchy, back up the response file before you uninstall Tivoli Security Policy Manager. Place the backup files in a directory that is separate from the Tivoli Security Policy Manager installation directory.

About this task

You can use one Installation Manager uninstallation task to remove the Fix Pack 7.1.0.4 files, Version 7.1.0.3 files, Version 7.1.0.2 files, Version 7.1.0.1 files, (if previously installed) and Version 7.1.0 files. The fix pack has the same packages (components) and features as Version 7.1.0. The Installation Manager uninstallation process removes all files for the selected packages.

Procedure

Use the uninstallation process that is documented on the Tivoli Security Policy Manager information center. See Uninstalling Tivoli Security Policy Manager.
The uninstallation process on the information center applies to the fix pack files as well as to the Version 7.1.0 files. The information center describes both interactive and silent uninstallation mode. The information center topics describe the necessary unconfiguration and uninstallation steps for each of the product packages:
- Tivoli Security Policy Manager
- Tivoli Security Policy Manager Software Development Kit
- Runtime Security Services Server
- Runtime Security Services Client
- Runtime Security Services Software Development Kit
If you uninstalled the Tivoli Security Policy Manager policy manager component, you must refresh the WebSphere OSGi cache. Complete the following instructions:
1. Stop the WebSphere Application Server for the policy manager. In a cluster, stop the cluster, including the node agents and the deployment manager.
  - AIX, Linux, Linux on System z, or Solaris
```
WAS_HOME/profiles/profile_name/bin/osgiCfgInit.sh
```
  - Windows
```
WAS_HOME\profiles\profile_name\bin\osgiCfgInit.bat
```
2. Start the WebSphere Application Server for the policy manager. In a cluster, start the cluster, including the node agents and the deployment manager.
  Windows:
  Go to C:\Program Files\IBM\tivoli\tip\profiles\TIPProfile\bin
  1. Stop the server with the following command:
    stopServer.bat -server1 -username adminname -password adminpassword
  2. Start the server with the following command:
    startServer.bat server1
  AIX, Linux, or Solaris
  Go to /opt/IBM/tivoli/tip/profiles/TIPProfile/bin
  1. Stop the server with the following command:
    stopServer.sh -server1 -username adminname -password adminpassword
  2. Start the server with the following command:
    startServer.sh server1
Optional: When you complete the uninstallation, you can review the Installation Manager log files with the Installation Manager log viewer:
- If you just completed an uninstallation, go to the Installation Manager landing page and click File -> View Log .
- If you already closed Installation Manager:
  1. Start Installation Manager.
  2. Click File -> View Installation History.
  3. Select the package uninstallation that you want to view. For example, Tivoli Security Policy Manager.
  4. Click View Log.

[{"INLabel":"7.1.0-TIV-ITSPM-FP0004.README.htm","INLang":"English","INSize":"1111111","INURL":"http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm/Tivoli&product=ibm/Tivoli/IBM Tivoli Security Policy Manager&release=7.1.0&platform=All&function=fixId&fixids=7.1.0-TIV-ITSPM-FP0004"}]

          [{"DNLabel":"7.1.0-TIV-ITSPM-FP0004.zip","DNDate":"12 Oct 2012","DNLang":"English","DNSize":"1300000000","DNPlat":{"label":"Linux zSeries","code":""},"DNURL":"http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm/Tivoli&product=ibm/Tivoli/IBM Tivoli Security Policy Manager&release=7.1.0&platform=All&function=fixId&fixids=7.1.0-TIV-ITSPM-FP0004","DNURL_FTP":" ","DDURL":null}]
          

[{"Product":{"code":"SSNGTE","label":"Tivoli Security Policy Manager"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Policy Manager","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"7.1","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Problems (APARS) fixed
IV15661;IV15818;IV20522;IV21909;IV22007;IV22638;IV25186;IV23845;IV02079;IV03218;IV04689;IV06278;IV07258;IV08352;IZ96492;IZ80883;IZ87160;IZ77364;IZ87161;IZ87166;IZ83168;IZ81535

Tips

Tivoli Security Policy Manager Version 7.1, Fix Pack 4, 7.1.0-TIV-ITSPM-FP0004

Download

Abstract

Download Description

IBM® Tivoli® Security Policy Manager 7.1.0-TIV-ITSPM-FP0004 and 7.1.0-TIV-ITRTSS-FP0004 Readme

Contents

1) Denial of Service Security Exposure with Java JRE/JDK:

Description:

2) Potential security exposure with IBM WebSphere Application Server with Web Services using XML Encryption:

Problem Description:

Prerequisites

Installation Instructions

About this task

Procedure

Incorrect:

Correct (assuming the default TIP install location is /opt/IBM/tivoli/tip):

Incorrect:

Correct (assuming the default WebSphere profile creation location is /opt/IBM/WebSphere/AppServer/profiles):

Before you begin

Procedure

What to do next

Procedure

What to do next

Procedure

What to do next

Procedure

Procedure

Rolling back Fix Pack 7.1.0.4

About this task

Procedure

Setting properties for rollback

Editing password properties for Installation Manager

About this task

Procedure

Setting administration client properties

About this task

Procedure

Example file

What to do next

Administration client properties file

Properties

Example admin.client.properties

Setting Tivoli Integrated Portal administration client properties

About this task

Procedure

Example file

What to do next

Tivoli Integrated Portal administration client properties file

Properties

Example tip.admin.client.properties file

Setting Tivoli Integrated Portal properties

About this task

Procedure

Example tip.properties file

What to do next

Tivoli Integrated Portal properties file

Properties

Example tip.properties file

Using Installation Manager to roll back to a previous version

Rolling back the policy manager package

Before you begin

Procedure

Results

What to do next

Rolling back the runtime security services server

Before you begin

About this task

Procedure

Results

What to do next

Rolling back the runtime security services client

Before you begin

About this task

Procedure

Results

What to do next

Rolling back the Tivoli Security Policy Manager software development kit

Procedure

Results