Tivoli SecureWay Policy Director Release Notes Version 3.8


Tivoli SecureWay Policy Director Release Notes Version 3.8
Revised Date: December 31, 2001

Copyright Notice

Copyright IBM Corporation All rights reserved. May only be used pursuant to a Tivoli Systems Software License Agreement, an IBM Software License Agreement, or Addendum for Tivoli Products to IBM Customer or License Agreement. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without prior written permission of IBM Corporation. IBM Corporation grants you limited permission to make hardcopy or other reproductions of any machine-readable documentation for your own use, provided that each such reproduction shall carry the IBM Corporation copyright notice. No other rights under copyright are granted without prior written permission of IBM Corporation. The document is not intended for production and is furnished as is without warranty of any kind. All warranties on this document are hereby disclaimed, including the warranties of merchantability and fitness for a particular purpose.

U.S. Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corporation.

Trademarks

IBM, Tivoli, the Tivoli logo, AIX, DB2, Domino, Lotus, and SecureWay are trademarks or registered trademarks of International Business Machines Corporation or Tivoli Systems Inc. in the United States, other countries, or both. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. Lotus is a registered trademark of Lotus Development Corporation. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Other company, product, and service names may be trademarks or service marks of others.

Notices

References in this publication to Tivoli Systems or IBM products, programs, or services do not imply that they will be available in all countries in which Tivoli Systems or IBM operates. Any reference to these products, programs, or services is not intended to imply that only Tivoli Systems or IBM products, programs, or services can be used. Subject to valid intellectual property or other legally protectable right of Tivoli Systems or IBM, any functionally equivalent product, program, or service can be used instead of the referenced product, program, or service. The evaluation and verification of operation in conjunction with other products, except those expressly designated by Tivoli Systems or IBM, are the responsibility of the user.

Tivoli Systems or IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to the IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, New York , U.S.A.

Copyright International Business Machines Corporation All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Release Notes - Version 3.8 (Revised date: 31 Dec 2001)

General Information
  Release Notes Revision History
  Adobe Acrobat Reader, version 4.05 or higher Recommended
  Contacting Customer Support
  Policy Director 3.8 CD Distribution (12 Oct 2001)
  The Policy Director Documentation Set
  Policy Director Software Download Page (Registered Users)
  Policy Director National Language Packs
  Obtaining Policy Director 3.8 Software Patches (FixPacks)
  Problem Determination Checklist

Pre-installation Notes
  Migration and Upgrade Information
    Migration Read Me First Notes
    All Servers Must Be Running During Backup Process
    Backup Limited to Local Mode Authzn API Servers (13127)
    Upgrade Authorization Server After All Other Components
    Workaround for Incorrect WebSEAL SSL Upgrade (13925)
    Junction Database Not Restored After Upgrade (13804)
  Installation Information
    Supported Platform Information
    General Installation Read Me First Notes
    Easy Installation Read Me First Notes
    Easy Installation of LDAP Fails on Windows
    Easy Installation of LDAP Fails with IIS
    Easy Installation on Windows Fails After System Reboot
    Easy Installation on Windows Fails to Reboot System
    LDAP Fails to Install on Korean Solaris (12553)
    LDAP Fails to Install HTTP Server (1.3.12)
    LDAP Chinese Display Problem (13060)
    Easy Install for Windows: National Language Support
    Native Installation Read Me First Notes
    Policy Director on Linux Using International Locales
    Solaris UTF-8 Packages Required for Policy Director Install
    Silent Installation Response File Reference

New Supplemental Information
  New Login and Password Policy Information
    Modify Password Policy for Non-ASCII Characters (12613)
    Account Lock Policy with Load-balanced WebSEAL Servers
  New Base Information
    ssl-io-inactivity-timeout Parameter in pd.conf
    Incorrect Container Object Type Causes Incorrect Listing
    Overriding Global LDAP Master/Replica Preferences
    Conditions Affecting the Results of pdadmin user list (12945)
    Valid Characters for LDAP User and Group Names
    pdadmin user create -no-password-policy Option (IY19307)
  New WebSEAL Information
    Query_contents Junction Option Required for Windows
    Handling UTF-8 Encoded Characters (12936)
    Clarification for Certificate Authentication Documentation
    Example Use of xattr_set for Supplying Tag/Value Data
    Allocating Worker Threads for Junctions (Junction Fairness)
    Configuring Multiple WebSEAL Server Instances
    Preventing Vulnerability Caused by Cross-site Scripting (15146)
    Step-up Versus Multi-factor Authentication
    Configuring Multiple Junctions to Same Server (IY19635)
  New ADK Information
    Compiler Support on Solaris

Corrections to the Documentation
  Base Installation Guide Corrections
    Stopping Base Services When Upgrading
    Removing GSKit on a Windows Platform
    Correction to Upgrade Procedure
    Incorrect Package Name for LDAP Client on Linux Install
    Easy Installation Scenario
  WebSEAL Installation Guide Corrections
    Corrections to Upgrading WebSEAL on Windows
    Corrections to Backing Up PDMgr Information
    Correction to WebSEAL on AIX Install Procedure
  Base Administration Guide Corrections
    Incorrect Type Expressed in pdadmin object create Example
  WebSEAL Administration Guide Corrections
    Correction to Certificate Mutual Authentication Discussion
    Correction to Token Authentication Shared Library File Name
    Correction to Token Authentication Configuration Syntax
    Clarification to pdadmin server task Junction Example
    LTPA Cookie (WebSphere SSO) Does Not Contain Password
    Correction to POST Requests Example for dynurl (IY25336)
    Correction to dynurl.conf Path
  Administration API Reference Corrections
    Incorrect ivadmin_response_getok() Description

Software Limitations
  Config File Contents Limited to Single-byte Characters (11148)
  Language Limitations Involving Non-ASCII Characters
  LDAP Does Not Treat User Names as Case-sensitive
  Limitations for Multiplexing Proxy Agents (MPA) Support
  Modifying iplanet Registry Look-through Limit (14785)
  WebSEAL Token Authentication Not Supported on HP-UX

Known Software Defects and Workarounds
  Installation and Upgrade Defects and Workarounds
    Restoring ACLs Requires Greater Timeout Value (13046)
    Incorrect Title and Prompt for WebSEAL ezinstall Screen
    PDWeb Upgrade Fails on HP-UX (13263)
    PDWeb Upgrade Fails with Incorrect GSO Configuration (13193)
    Cannot Change HTTP Port During Windows Easy Install (13101)
    Registry Key Causes Web Portal Manager Install Failure (13257)
    Incorrect Key File Windows Name Causes Install Failure (13224)
    PDWeb Windows Install Does Not Create Audit Sub-directory
    Language Pack for WPM Requires WebSphere Restart (12008)
    HTTP Server Fails to Start After WPM Configuration (13208)
    JVM Uninstall Error with ISMP on AIX
  Base Defects and Workarounds
    Management Server (pdmgrd) Fails to Start on AIX Boot (12584)
    Using Multi-byte Character Set with pdadmin on Linux (12830)
  WebSEAL Defects and Workarounds
    Global Server ID Certificates Do Not Work Correctly (IY21308)
    Deleted User Credentials Remain in WebSEAL Cache
    Request Failure Occurs with Session Cookie Config (12062)
    Extra BA pkmslogout Recorded in request.log (12114)
    Failed ACL Check on Unfiltered Server-Relative Links
    Policy Update Notification Fails Under Heavy Load (13113)
    Uninstalling PDWeb on AIX Before Unconfiguring (14086)
    Forms Re-login Can Result Loss of POST Data (IY21348)
    WebSEAL Configuration on HTTP Port 80 Can Fail (15489)
    WebSEAL Worker Threads Configuration on AIX
  ADK Defects and Workarounds
    CDAS ADK Fails to Build on AIX (13321)

Defects Fixed

Release Notes - Version 3.8 (Revised date: 31 Dec 2001)

This Release Notes document contains new and revised technical information for Tivoli SecureWay Policy Director 3.8 (version 3, release 8, modification 0).

This document is regularly updated with the latest information regarding Tivoli SecureWay Policy Director. A revision history table (found in the General Information section) tracks all additions and changes that occur to this document. The table provides fast access to the new material.

Numbers in parentheses refer to an internal tracking system.

Table of Contents:

1. General Information
2. Pre-installation Notes
3. New Supplemental Information
4. Corrections to the Documentation
5. Software Limitations
6. Known Software Defects and Workarounds
7. Defects Fixed

1 General Information

  Release Notes Revision History
  Adobe Acrobat Reader, version 4.05 or higher Recommended
  Contacting Customer Support
  Policy Director 3.8 CD Distribution (12 Oct 2001)
  The Policy Director Documentation Set
  Policy Director Software Download Page (Registered Users)
  Policy Director National Language Packs
  Obtaining Policy Director 3.8 Software Patches (FixPacks)
  Problem Determination Checklist

1.1 Release Notes Revision History

  History Table for Changes Made Since 31 Oct 2001
  Complete History Table for This Document

History Table for Changes Made Since 31 Oct 2001

The following Revision History table lists all changes made to this document since the last revision date of 31 Oct 2001:

Policy Director 3.8 Release Notes Changes Since 31 Oct 2001

Date          Topic
31 Dec 2001   Section 1.8: Obtaining Policy Director 3.8 Software Patches (FixPacks)
31 Dec 2001   Section 3.7: Valid Characters for LDAP User and Group Names
31 Dec 2001   Section 3.8: pdadmin user create -no-password-policy Option (IY19307)
31 Dec 2001   Section 3.13: Allocating Worker Threads for Junctions (Junction Fairness)
31 Dec 2001   Section 3.14: Configuring Multiple WebSEAL Server Instances
31 Dec 2001   Section 3.15: Preventing Vulnerability Caused by Cross-site Scripting (15146)
31 Dec 2001   Section 3.16: Step-up Versus Multi-factor Authentication
31 Dec 2001   Section 3.17: Configuring Multiple Junctions to Same Server (IY19635)
31 Dec 2001   Section 4.15: Correction to POST Requests Example for dynurl (IY25336)
31 Dec 2001   Section 4.16: Correction to dynurl.conf Path
31 Dec 2001   Section 4.17: Incorrect ivadmin_response_getok() Description
31 Dec 2001   Section 5.5: Modifying iplanet Registry Look-through Limit (14785)
31 Dec 2001   Section 5.6: WebSEAL Token Authentication Not Supported on HP-UX
31 Dec 2001   Section 6.6: Registry Key Causes Web Portal Manager Install Failure (13257)
31 Dec 2001   Section 6.19: Policy Update Notification Fails Under Heavy Load (13113)
31 Dec 2001   Section 6.20: Uninstalling PDWeb on AIX Before Unconfiguring (14086)
31 Dec 2001   Section 6.21: Forms Re-login Can Result Loss of POST Data (IY21348)
31 Dec 2001   Section 6.22: WebSEAL Configuration on HTTP Port 80 Can Fail (15489)
31 Dec 2001   Section 6.23: WebSEAL Worker Threads Configuration on AIX
31 Dec 2001   Section 6.24: CDAS ADK Fails to Build on AIX (13321)
31 Dec 2001   Section 7: Defects Fixed

Complete History Table for This Document

The following Revision History table lists all changes made to this document since its first publication date:

Policy Director 3.8 Release Notes Revision History

Date          Topic
28 Sept 2001  First version supplied with CD distribution.
31 Dec 2001   Section 1.8: Obtaining Policy Director 3.8 Software Patches (FixPacks)
12 Oct 2001   Section 2.1: Migration Read Me First Notes
12 Oct 2001   Section 2.2: All Servers Must Be Running During Backup Process
12 Oct 2001   Section 2.3: Backup Limited to Local Mode Authzn API Servers (13127)
12 Oct 2001   Section 2.4: Upgrade Authorization Server After All Other Components
31 Oct 2001   Section 2.5: Workaround for Incorrect WebSEAL SSL Upgrade (13925)
31 Oct 2001   Section 2.6: Junction Database Not Restored After Upgrade (13804)
12 Oct 2001   Section 2.7: Supported Platform Information
12 Oct 2001   Section 2.8: General Installation Read Me First Notes
12 Oct 2001   Section 2.9: Easy Installation Read Me First Notes
12 Oct 2001   Section 2.10: Easy Installation of LDAP Fails on Windows
12 Oct 2001   Section 2.11: Easy Installation of LDAP Fails with IIS
12 Oct 2001   Section 2.12: Easy Installation on Windows Fails After System Reboot
12 Oct 2001   Section 2.13: Easy Installation on Windows Fails to Reboot System
12 Oct 2001   Section 2.14: LDAP Fails to Install on Korean Solaris (12553)
12 Oct 2001   Section 2.15: LDAP Fails to Install HTTP Server (1.3.12)
12 Oct 2001   Section 2.16: LDAP Chinese Display Problem (13060)
12 Oct 2001   Section 2.17: Easy Install for Windows: National Language Support
12 Oct 2001   Section 2.18: Native Installation Read Me First Notes
12 Oct 2001   Section 2.19: Policy Director on Linux Using International Locales
31 Oct 2001   Section 2.20: Solaris UTF-8 Packages Required for Policy Director Install
12 Oct 2001   Section 2.21: Silent Installation Response File Reference
12 Oct 2001   Section 3.3: ssl-io-inactivity-timeout Parameter in pd.conf
12 Oct 2001   Section 3.4: Incorrect Container Object Type Causes Incorrect Listing
12 Oct 2001   Section 3.5: Overriding Global LDAP Master/Replica Preferences
12 Oct 2001   Section 3.6: Conditions Affecting the Results of pdadmin user list (12945)
31 Dec 2001   Section 3.7: Valid Characters for LDAP User and Group Names
31 Dec 2001   Section 3.8: pdadmin user create -no-password-policy Option (IY19307)
12 Oct 2001   Section 3.10: Handling UTF-8 Encoded Characters (12936)
12 Oct 2001   Section 3.9: Query_contents Junction Option Required for Windows
12 Oct 2001   Section 3.11: Clarification for Certificate Authentication Documentation
31 Oct 2001   Section 3.12: Example Use of xattr_set for Supplying Tag/Value Data
31 Dec 2001   Section 3.13: Allocating Worker Threads for Junctions (Junction Fairness)
31 Dec 2001   Section 3.14: Configuring Multiple WebSEAL Server Instances
31 Dec 2001   Section 3.15: Preventing Vulnerability Caused by Cross-site Scripting (15146)
31 Dec 2001   Section 3.16: Step-up Versus Multi-factor Authentication
31 Dec 2001   Section 3.17: Configuring Multiple Junctions to Same Server (IY19635)
12 Oct 2001   Section 3.18: Compiler Support on Solaris
12 Oct 2001   Section 4.1: Stopping Base Services When Upgrading
12 Oct 2001   Section 4.2: Removing GSKit on a Windows Platform
31 Oct 2001   Section 4.3: Correction to Upgrade Procedure
31 Oct 2001   Section 4.4: Incorrect Package Name for LDAP Client on Linux Install
12 Oct 2001   Section 4.5: Easy Installation Scenario
31 Oct 2001   Section 4.6: Corrections to Upgrading WebSEAL on Windows
31 Oct 2001   Section 4.7: Corrections to Backing Up PDMgr Information
31 Oct 2001   Section 4.8: Correction to WebSEAL on AIX Install Procedure
12 Oct 2001   Section 4.9: Incorrect Type Expressed in pdadmin object create Example
12 Oct 2001   Section 4.10: Correction to Certificate Mutual Authentication Discussion
12 Oct 2001   Section 4.11: Correction to Token Authentication Shared Library File Name
31 Oct 2001   Section 4.12: Correction to Token Authentication Configuration Syntax
31 Oct 2001   Section 4.13: Clarification to pdadmin server task Junction Example
31 Oct 2001   Section 4.14: LTPA Cookie (WebSphere SSO) Does Not Contain Password
31 Dec 2001   Section 4.15: Correction to POST Requests Example for dynurl (IY25336)
31 Dec 2001   Section 4.16: Correction to dynurl.conf Path
31 Dec 2001   Section 4.17: Incorrect ivadmin_response_getok() Description
12 Oct 2001   Section 5.1: Config File Contents Limited to Single-byte Characters (11148)
12 Oct 2001   Section 5.2: Language Limitations Involving Non-ASCII Characters
31 Dec 2001   Section 5.5: Modifying iplanet Registry Look-through Limit (14785)
31 Dec 2001   Section 5.6: WebSEAL Token Authentication Not Supported on HP-UX
12 Oct 2001   Section 6.1: Restoring ACLs Requires Greater Timeout Value (13046)
12 Oct 2001   Section 6.2: Incorrect Title and Prompt for WebSEAL ezinstall Screen
12 Oct 2001   Section 6.3: PDWeb Upgrade Fails on HP-UX (13263)
12 Oct 2001   Section 6.4: PDWeb Upgrade Fails with Incorrect GSO Configuration (13193)
12 Oct 2001   Section 6.5: Cannot Change HTTP Port During Windows Easy Install (13101)
12 Oct 2001   Section 6.6: Registry Key Causes Web Portal Manager Install Failure (13257)
12 Oct 2001   Section 6.7: Incorrect Key File Windows Name Causes Install Failure (13224)
12 Oct 2001   Section 6.8: PDWeb Windows Install Does Not Create Audit Sub-directory
12 Oct 2001   Section 6.9: Language Pack for WPM Requires WebSphere Restart (12008)
12 Oct 2001   Section 6.10: HTTP Server Fails to Start After WPM Configuration (13208)
12 Oct 2001   Section 6.11: JVM Uninstall Error with ISMP on AIX
12 Oct 2001   Section 6.13: Using Multi-byte Character Set with pdadmin on Linux (12830)
31 Dec 2001   Section 6.19: Policy Update Notification Fails Under Heavy Load (13113)
31 Dec 2001   Section 6.20: Uninstalling PDWeb on AIX Before Unconfiguring (14086)
31 Dec 2001   Section 6.21: Forms Re-login Can Result Loss of POST Data (IY21348)
31 Dec 2001   Section 6.22: WebSEAL Configuration on HTTP Port 80 Can Fail (15489)
31 Dec 2001   Section 6.23: WebSEAL Worker Threads Configuration on AIX
31 Dec 2001   Section 6.24: CDAS ADK Fails to Build on AIX (13321)
31 Dec 2001   Section 7: Defects Fixed

1.2 Adobe Acrobat Reader, version 4.05 or higher Recommended

It is highly recommended that you use Adobe Acrobat Reader, version 4.05 or higher, to view and print Policy Director PDF documents. Adobe Acrobat Reader is free from the Adobe Web site:

Contacting Customer Support

The Tivoli Customer Support Handbook at: provides complete information about Tivoli Customer Support, including the following:

- Registration and eligibility
- How to contact support, depending on the severity of your problem
- Telephone numbers and addresses (country-specific)
- What information you should gather before contacting support

1.4 Policy Director 3.8 CD Distribution (12 Oct 2001)

Policy Director CD Set:

- Tivoli SecureWay Policy Director Base for AIX and Linux (Version 3.8, 128-bit)
- Tivoli SecureWay Policy Director Base for Solaris and HP-UX (Version 3.8, 128-bit)
- Tivoli SecureWay Policy Director Base for Windows (Version 3.8, 128-bit)
- Tivoli SecureWay Policy Director WebSEAL (Version 3.8, 128-bit)
- Tivoli SecureWay Policy Director Plug-in for Edge Server (Version 3.8, 128-bit)
- Tivoli SecureWay Policy Director Web Portal Manager (Version 3.8, 128-bit)

The /doc directory on each of the CD-ROMs contains PDF versions of the technical documentation for Policy Director. The Tivoli SecureWay Policy Director support site contains the latest versions of this documentation, plus new supplemental information.

1.5 The Policy Director Documentation Set

The latest versions of all Tivoli SecureWay Policy Director documents are located on the Policy Director 3.8 support page.

Installation Guides

- Policy Director Base Installation Guide
- Policy Director WebSEAL Installation Guide

Administration Guides

- Policy Director Base Administration Guide
- Policy Director WebSEAL Administration Guide
- Policy Director Plug-in for Edge Server Administration Guide (includes installation procedures)
- Policy Director Web Portal Manager Administration Guide (includes installation procedures)

Developer References

- Policy Director Authorization ADK Developer Reference
- Policy Director WebSEAL Developer Reference
- Policy Director Administration API Developer Reference

Supplemental Documentation

- Policy Director Performance Tuning Guide
- Policy Director Capacity Planning Guide

1.6 Policy Director Software Download Page (Registered Users)

The following page on the secure area of the Tivoli support site contains links to supplemental software downloads for all versions of Policy Director. This page requires a registered user name and password:

ownloads.html

1.7 Policy Director National Language Packs

Policy Director 3.8 is a National Language Support (NLS) release. The product supports data handling and message display for nine languages: Spanish, German, French, Italian, Brazilian Portuguese, Japanese, Korean, Simplified Chinese, and Traditional Chinese.

All the messages in these languages are provided by separate language packs which are posted on the Policy Director software download web page. See Section 1.6: Policy Director Software Download Page (Registered Users).

1.8 Obtaining Policy Director 3.8 Software Patches (FixPacks)

Software patches, or FixPacks, for Policy Director Base and Policy Director WebSEAL can be obtained from the following links (for registered users only):

ftp://ftp.tivoli.com/support/patches/patches_3.8/

As of this Release Notes edition, FixPack 3 for Policy Director Base and FixPack 1 for Policy Director WebSEAL are available.

Note: The installation of FixPack 1 for WebSEAL requires the installation of FixPack 3 for Base.

Please refer to the specific FixPack README file for a complete list of defects fixed. Refer to the History Table for Changes Made Since 31 Oct 2001 (Section 1.1) and Section 7: Defects Fixed for updated information about previous material in this document that has been impacted by the FixPacks.

1.9 Problem Determination Checklist

Please use the following checklist to gather information about a problem with your Policy Director installation before you contact Customer Support.

1. Describe the hardware involved in this problem. Provide:
   - System types and models
   - Host names and IP addresses for all interfaces in each system
2. Describe the network involved.
   - Which interfaces on each system share a network?
   - What are the physical network types (for example, ethernet, token ring, FDDI)?
   - Is this configuration connected to the internet?
3. Describe LDAP configuration.
   - What version of the LDAP server and client is used?
   - Where are the LDAP servers located?
4. What is the version and build level of Policy Director on each system?
5. Identify the Policy Director components configured on each system:
   - Management Server (pdmgrd)
   - Web Portal Manager
   - WebSEAL (webseald)
   - Plug-in for Edge Server
   - Authorization Server (pdacld)
   - Authorization ADK
   - Custom CDAS
6. Gather all *log files under /var/policydirector/log and all *conf files under /opt/policydirector/etc and all files under /opt/pdweb/www/log. (On Windows, gather the files from under the Policy Director installation directory.)
7. With the pdadmin server task command, use list to list all junctions on the WebSEAL servers and show to provide junction details.
8. Provide a detailed set of steps that led to the problem, including all commands typed and buttons pressed.
9. Can you recreate the problem? If so, what are the detailed steps required to recreate the problem?
10. If a core dump is generated, gather the core, the binary causing the core, and all libraries used by the core. Send this information to customer support for analysis.
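Step 6 of the checklist, as an added example (not IBM or Tivoli code): a POSIX shell function that stages the three UNIX locations named in that step and archives them for Customer Support. Masking the values of parameters whose names end in pwd inside the copied *conf files is an assumption of this example, prompted by the plaintext ssl-keyfile-pwd entry shown in Section 2.5; the function names, archive name and sample files are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Policy Director distribution.
# Collects the files listed in checklist step 6 (UNIX paths only).

# stage_files ROOT STAGE REL_DIR NAME_PATTERN
# Copy matching regular files from ROOT/REL_DIR into STAGE, keeping the layout.
stage_files() {
    [ -d "$1/$3" ] || return 0            # component not installed on this host
    (cd "$1/" && find "$3" -type f -name "$4") | while IFS= read -r f; do
        mkdir -p "$2/$(dirname "$f")" && cp -p "$1/$f" "$2/$f"
    done
}

# redact_conf_secrets DIR
# Assumption: a line of the form "<name>pwd = <value>" holds a password.
# Only the staged copy is rewritten; the live configuration is never touched.
redact_conf_secrets() {
    [ -d "$1" ] || return 0
    find "$1" -type f -name '*conf' | while IFS= read -r c; do
        sed 's/^\([[:space:]]*[A-Za-z0-9_-]*pwd[[:space:]]*=\).*/\1 <redacted>/' \
            "$c" > "$c.tmp" && mv "$c.tmp" "$c"
    done
}

# collect_pd_diagnostics ROOT OUTDIR
#   ROOT   - filesystem root to read from ("/" on a live system)
#   OUTDIR - existing directory that receives the staging copy and the archive
# Prints the archive path. The body runs in a subshell so that umask 077
# (owner-only staging files and archive) does not leak into the caller.
collect_pd_diagnostics() (
    umask 077
    root=${1%/}
    outdir=$2
    stage="$outdir/pd-diag"
    mkdir -p "$stage" || exit 1

    stage_files "$root" "$stage" var/policydirector/log '*log'
    stage_files "$root" "$stage" opt/policydirector/etc '*conf'
    stage_files "$root" "$stage" opt/pdweb/www/log '*'
    redact_conf_secrets "$stage/opt/policydirector/etc"

    tar -czf "$outdir/pd-diag.tar.gz" -C "$outdir" pd-diag || exit 1
    printf '%s\n' "$outdir/pd-diag.tar.gz"
)

# make_sample_tree DIR
# Constructed sample input so the function can be tried offline.
make_sample_tree() {
    mkdir -p "$1/var/policydirector/log" "$1/opt/policydirector/etc" \
             "$1/opt/pdweb/www/log"
    echo 'constructed log line'      > "$1/var/policydirector/log/sample.log"
    echo 'not a log file'            > "$1/var/policydirector/log/notes.txt"
    printf 'ssl-keyfile = /constructed/path.kdb\nssl-keyfile-pwd = pdsrv\n' \
                                     > "$1/opt/policydirector/etc/sample.conf"
    echo 'constructed request entry' > "$1/opt/pdweb/www/log/request.log"
}

# Offline demo on the constructed tree: sh collect.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_sample_tree "$tmp/root" && mkdir "$tmp/out" &&
        collect_pd_diagnostics "$tmp/root" "$tmp/out"
fi
```

On a live system the call is collect_pd_diagnostics / <output-directory>, run as a user that can read the three directories.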

2 Pre-installation Notes

  Migration and Upgrade Information
  Installation Information

Migration and Upgrade Information

  Migration Read Me First Notes
  All Servers Must Be Running During Backup Process
  Backup Limited to Local Mode Authzn API Servers (13127)
  Upgrade Authorization Server After All Other Components
  Workaround for Incorrect WebSEAL SSL Upgrade (13925)
  Junction Database Not Restored After Upgrade (13804)

2.1 Migration Read Me First Notes

Warning: Do not use the migrate37, migrate38, pdupgrade or migrate.conf files that are shipped on the Tivoli SecureWay Policy Director Base CD-ROMs. Download updated versions of these files from the software download section of the Tivoli SecureWay Policy Director support site. To access this page, see Section 1.6: Policy Director Software Download Page (Registered Users). Place the files in /tmp on UNIX systems and \temp on Windows systems.

- Replace Step 7 in the section entitled Upgrading the Management Server to Version 3.8 on page 67 of the Tivoli SecureWay Policy Director Base Installation Guide with the following text:

  # Begin New Text Here

  On UNIX systems, enter the following command to back up configuration information to the /tmp/policydirector directory:

      /tmp/pdupgrade -export

  On Windows systems, enter the following command to back up configuration information to the \temp\policydirector directory:

      \temp\pdupgrade -export

  For more information on the pdupgrade utility, see pdupgrade syntax on page 152.

  On AIX and Windows systems, a series of messages appear in the pdupgrade.log file, indicating the failure of attempts to copy certain files: fail to copy file.. These messages can be safely ignored. The necessary file copies occur when the pdupgrade command is run manually.

  # End New Text Here

- After Step 5 in the section entitled Upgrading Other Systems to Version 3.8 on page 71 of the Tivoli SecureWay Policy Director Base Installation Guide, add the same corrected text that is specified in the bullet item immediately above.

- Step 4 on page 31 of the Tivoli SecureWay Policy Director WebSEAL Installation Guide incorrectly states that you do not have to run pdupgrade on Windows systems. When upgrading WebSEAL, you must run pdupgrade on all systems, including Windows.

- When migrating data for WebSEAL, if the migrate37 command does not back up all WebSEAL junction data, increase the timeout value acl-dist-delay in migrate.conf. Reset this value to 60 seconds. Note that the default setting is 20 seconds.

- If you have an existing Policy Director 3.7 WebSEAL server, please review Section 6.4: PDWeb Upgrade Fails with Incorrect GSO Configuration (13193) for information on the PDWeb upgrade process.

- If you plan to upgrade your secure domain from a product version earlier than Tivoli SecureWay Policy Director, Version 3.7, you must first upgrade to a Version 3.7.x level before you upgrade to Version 3.8. For migration instructions to Version 3.7.x, consult the Version 3.7.x product documentation.

- When restoring object and user information, error information is logged in the default migration.log file (or the log file specified using the migrate38 -a option). Error information is not logged in the user-defined XML error file, which is specified using the migrate38 -e option. However, even though the migrate38 utility does not use the error file, you must specify the migrate38 -e option for the restore process to work.

- If you are upgrading to Version 3.8 on a machine that has an LDAP server installed, you also might need to update the LDAP server during the migration process.

- Ensure that the administrative user account for Tivoli SecureWay Policy Director (for example, sec_master) has permission over all ACLs before running the migration backup utility (migrate37). Otherwise, this utility does not have permission to successfully back up all Tivoli SecureWay Policy Director information.

- Ensure that user and group registry data is restored first during the migration process. Restore ACL and POP data last. Otherwise, you might remove sec_master's permission to create objects in certain locations. In addition, ACLs will not be restored correctly if the users and groups that they reference do not exist in the restore target environment.

- The -s all option and argument to the migrate37 utility is not supported.

- The -s webseal option and argument to the migrate37 utility is used to back up WebSEAL junction data from a Policy Director 3.7 installation.

2.2 All Servers Must Be Running During Backup Process

The following information supplements the procedures described in the Tivoli SecureWay Policy Director WebSEAL Installation Guide for using the migration tool to back up data from Policy Director 3.7 and restore this data to Policy Director 3.8.

In general, all Policy Director servers must be running when using the migration tool to perform backup operations.

- The Management Server (pdmgrd) must be running to successfully back up authorization and policy information.
- All WebSEAL servers must be running to successfully back up WebSEAL junction information.

For example, when using the Policy Director migration tool to back up the junction databases of multiple WebSEAL servers in a secure domain, all WebSEAL servers must be running during the backup process. During the backup process, the migration tool must bind to each WebSEAL server to obtain junction information.

2.3 Backup Limited to Local Mode Authzn API Servers (13127)

Only local mode authorization API server applications are backed up by the Policy Director migration tool. All other Policy Director server types (including WebSEAL and the Authorization Server) are incompatible with Policy Director 3.8 and are therefore not backed up. Only local mode authorization API server applications can be upgraded without re-configuring the servers.

22 Pre-installation Notes 2.4 Upgrade Authorization Server After All Other Components Ensure that the Tivoli SecureWay Policy Director Authorization Server is the last Base component upgraded on a Solaris system. When the Tivoli SecureWay Policy Director Authorization ADK is upgraded after the Policy Director Authorization Server, you can correct the resulting database problem by completing the following instructions: 1. Stop all Policy Director services by entering the following command: pd_start stop 2. Recreate the database file by entering the following command from the /opt/policydirector/bin directory:./pdmgrd -initdb 3. Use pdconfig to unconfigure the Policy Director Authorization Server (PDAcld) and then re-configure the Policy Director Authorization Server (PDAcld). 4. Use the migrate38 restore commands to restore the migrated data. 2.5 Workaround for Incorrect WebSEAL SSL Upgrade (13925) Defects in the WebSEAL upgrade process on Windows affect the SSL key database file and password used by WebSEAL for internal server communication. When the migration tool is used during the upgrade process, this tool incorrectly handles the LDAP server's custom key database file and password (that is used when SSL communication between the PDMgr server and the LDAP server is configured). Two workaround steps are necessary before you upgrade WebSEAL from to 3.8 on a Windows system. You must perform these steps before proceeding with the instructions in the section Upgrading WebSEAL on Windows on page 36 of the Tivoli SecureWay Policy Director WebSEAL Installation Guide. 1. Change the password for the ssl-keyfile-pwd parameter in the backup version of the iv.conf file to pdsrv : C:\Program Files\Tivoli\Policy Director\save37\lib\iv.conf For example: ssl-keyfile-pwd = pdsrv 16 Version 3.8

2. Import the certificate data from the original custom key file (ssl-keyfile) to the pdsrv.kdb file:

       C:\Program Files\Tivoli\Policy Director\save37\lib\certs\pdsrv.kdb

   You can use the GSKit ikeyman (gsk4ikm) utility to perform this task.

2.6 Junction Database Not Restored After Upgrade (13804)

The junction database is not restored when you run a WebSEAL upgrade on a system with a large user registry (greater than 100K users). The problem occurs when the junction import tool starts to run before WebSEAL has completely started (WebSEAL starts more slowly because of the larger registry).

The workaround is to manually run the jctimp_tool utility from the command line after the upgrade process completes. For example, on UNIX:

    # /opt/pdweb/bin/jctimp_tool -s webseald-<hostname> -p <pdadmin-password> -f <jct-backup-xml-filename> -v PD3.7.1

Installation Information

- Supported Platform Information
- General Installation Read Me First Notes
- Easy Installation Read Me First Notes
- Easy Installation of LDAP Fails on Windows
- Easy Installation of LDAP Fails with IIS
- Easy Installation on Windows Fails After System Reboot
- Easy Installation on Windows Fails to Reboot System
- LDAP Fails to Install on Korean Solaris (12553)
- LDAP Fails to Install HTTP Server (1.3.12)
- LDAP Chinese Display Problem (13060)
- Easy Install for Windows: National Language Support
- Native Installation Read Me First Notes
- Policy Director on Linux Using International Locales
- Solaris UTF-8 Packages Required for Policy Director Install
- Silent Installation Response File Reference

2.7 Supported Platform Information

Tivoli SecureWay Policy Director, Version 3.8, components are supported on the following operating systems, except Linux, which only supports the runtime environment and the Authorization ADK components:

1. Hewlett-Packard HP-UX
2. IBM AIX with the following:
   - bos.rte.libpthreads patch at level or greater
     Note: You can download this patch from the following Web address:
3. Microsoft Windows NT 4.0 with the following:
   - Service Pack 6a
   - NTFS file system (recommended)

4. Microsoft Windows 2000 Advanced Server with the following:
   - Service Pack 1
   - NTFS file system (recommended)
5. Red Hat Linux 7.1 with the following:
   - rpm mdk.i586.rpm or greater than
     Note: You can locate this package from the following Web address:
   Linux Mandrake 7.2 Powerpack
   - libstdc mdk.i586.rpm
     Note: You can locate this package from the following Web address: allpwp&s=./libstdc++-libc6.1-2.so.3
6. Sun Solaris 2.7 and

General Installation Read Me First Notes

- It is recommended that you carefully monitor the space usage of the /opt and /var directories on UNIX systems. Tivoli SecureWay Policy Director components are installed in the /PolicyDirector subdirectory of these directories on UNIX systems. Tivoli SecureWay Policy Director databases also are stored in the /var directory.
- If you plan to install the IBM SecureWay Directory server as your LDAP server of choice, do not enable the Change Log function as specified in the IBM SecureWay Directory documentation. This creates performance impacts. The Change Log function is disabled by default.
- The Tivoli SecureWay Policy Director Base CD ships an efix4 patch that must be installed on every supported AIX, Solaris, or Windows system where the IBM SecureWay Directory server or client is installed. See the Tivoli SecureWay Policy Director Base Installation Guide for more information. Note that easy installation scripts and batch files install this fix automatically.

2.9 Easy Installation Read Me First Notes

Linux systems only:

- Before running easy installation scripts, ensure that ksh is installed or create a soft link to bash as shown:

      ln -s /bin/bash /bin/ksh

- Before installing components, remove the nss_ldap package, if installed. Otherwise, an installation failure occurs.

Windows systems only:

- If you plan to use the ezinstall_ldap_server batch file to install the IBM SecureWay Directory server, the IBM HTTP server is installed automatically. If you want to install a supported Web server other than the IBM HTTP server, do not use easy installation to install the LDAP server. Instead, see the IBM SecureWay Directory server documentation for installation instructions. IBM SecureWay Directory documentation is shipped on the IBM SecureWay Directory Base CD for your particular platform in the following directory:

      /doc/directory/install_config_guide/platform/aparent.htm

- The ezinstall_ldap_server batch file runs on Windows NT file systems (NTFS) only.

UNIX systems only:

- If you want to see the status and messages in your native language, you must install your language pack first. To download and install the language pack for your particular country, see the following Web address:

Easy Installation of LDAP Fails on Windows

The command ezinstall_ldap_server fails to install the IBM SecureWay Directory server on a Windows system if a Web server other than IBM HTTP server is already installed. There are two workarounds for this problem.

- You can uninstall the Web server before running ezinstall_ldap_server. Please refer to the documentation for your Web server for directions on uninstalling the Web server.

  You can now run ezinstall_ldap_server to install the IBM SecureWay Directory server to the Windows system.
- The IBM SecureWay Directory server can be installed using the native installation method. Complete the following steps:
  a. On the Tivoli SecureWay Policy Director Base CD, change directories to: \windows\directory\ldap32_us
  b. Run Setup.EXE.
  c. Fill in the prompts as you would for ezinstall_ldap_server.
  d. When prompted, select the appropriate Web server to use.
  e. Finish the installation as normal.

Easy Installation of LDAP Fails with IIS

When using easy installation, IBM SecureWay Directory server fails to install on Windows 2000 Advanced Server when Microsoft Internet Information Services (IIS) is installed. There are two workarounds for this problem.

- Disable Microsoft Internet Information Services before running ezinstall_ldap_server. Complete the following steps:
  a. Select: Start Menu > Settings > Control Panel.
  b. Double-click Add/Remove Programs.
  c. Select Add/Remove Windows Components.
  d. Remove the check mark from the entry Internet Information Services (IIS).
  e. Select Next.
  f. Select Finish.
  g. You can now run ezinstall_ldap_server to install the IBM SecureWay Directory server on the Windows 2000 system.
- Use the Policy Director native installation to install the IBM SecureWay Directory server. Complete the following instructions:
  a. On the Tivoli SecureWay Policy Director Base CD, change directories to: \windows\directory\ldap32_us

  b. Run Setup.EXE.
  c. Fill in the prompts as you would for ezinstall_ldap_server.
  d. When prompted, select the appropriate Web server: IBM HTTPD or Internet Information Services (IIS).
  e. Finish the installation as normal.

Easy Installation on Windows Fails After System Reboot

If the easy installation on a Windows system fails to continue after an automatic reboot, issue the appropriate easy install command again. The command will continue where it left off.

Easy Installation on Windows Fails to Reboot System

If the easy installation of a component on Windows fails to reboot the system when it states that it will automatically reboot, reboot the system manually.

LDAP Fails to Install on Korean Solaris (12553)

Easy installation of the IBM SecureWay Directory server fails on some Korean (euckr) Solaris systems. The error reported in the ezinstall log is a Java class load failure. If this happens, use the Policy Director native installation and configuration methods for setting up the IBM SecureWay Directory server.

LDAP Fails to Install HTTP Server (1.3.12)

IBM SecureWay Directory server does not install the IBM HTTP Server (1.3.12) on a Windows 2000 system successfully. On a Windows 2000 system, install the IBM HTTP server before you install the IBM SecureWay Directory server. Do not attempt to install IBM HTTP server as part of the IBM SecureWay Directory server installation. To install the IBM HTTP server separately, complete the following instructions:

1. On the Tivoli SecureWay Policy Director Base CD, change directory to: windows\directory\ldap32_us\ibmhttp
2. Run setup.exe.

2.16 LDAP Chinese Display Problem (13060)

On a Simplified Chinese Windows system, the panels for the IBM SecureWay Directory Configuration utility or Directory Management Tool may be garbled. The reason is that the system does not have the following font: simsun.ttf. To fix the problem, complete the following steps:

1. Open the file font.properties.zh in the jre\lib subdirectory where IBM SecureWay Directory is installed. For example:

       C:\Program Files\IBM\LDAP\jre\lib\font.properties.zh

2. Replace the occurrence of simsun.ttf with simsun.ttc in the file.

Easy Install for Windows: National Language Support

When using easy installation on the Windows platform with a language other than English, observe the following notes:

- (12925) Error and status messages from the various configuration utilities used to set up the system will be displayed in English. Menus, navigation panels, and error messages from the easy installation utility will be displayed in the specified non-English language. After the easy installation process, you can install the language packs. This enables future configuration tasks to be in the specified non-English language. Note that the language packs cannot be installed prior to using the easy installation utilities.
- (12983) During easy installation, confirm that the choices entered for each of the items are correct for your system. In particular, ensure that the Administrator ID choice for the HTTP Server during easy installation of the IBM SecureWay Directory server is correct for your version of Windows. The default choice is appropriate for the English version of the Windows operating system, but is not appropriate for all national language versions of Windows.

2.18 Native Installation Read Me First Notes

Tivoli SecureWay Policy Director Base, Version 3.8 supports IBM Global Security Toolkit (GSKit), Version IBM SecureWay Directory, however, installs a downlevel version of GSKit (Version 4.01). Ensure that you install GSKit, Version before installing IBM SecureWay Directory. Otherwise, you must uninstall GSKit, Version 4.01 and then install Version

Policy Director on Linux Using International Locales

The following information describes setting up Policy Director on Linux (Red Hat 7.1) using international locales. This information is appropriate for Japanese EUC and Traditional Chinese (BIG5). Japanese SJIS is currently not supported.

1. Install Red Hat 7.1 with Japanese and Chinese support and with the X Window System. Configure X, then launch X.
2. Install the PDRTE package.
3. Install the Policy Director Language pack:

       # ./pd_lp

4. Configure PDRTE against a PDMgr that also supports the required locale.

For Japanese EUC:

1. Run the following commands:

       # export LC_ALL=ja_JP.eucjp
       # export LANG=ja_JP.eucjp
       # rxvt -km eucj &

2. In the rxvt terminal, load pdconfig and ensure that the configuration menu appears in Japanese.

For Chinese, an additional package is required that contains the necessary screen fonts. These fonts are not included with Red Hat 7.1:

1. Run the following commands:

       # rpm -i cxterm-5.1p1-2.i386.rpm
       # export LANG=zh_TW
       # export LC_ALL=zh_TW
       # cxterm -big5

2. In cxterm, load pdconfig and ensure that the configuration menu appears in Chinese.

The cxterm package can be downloaded from the following site: 6.html

2.20 Solaris UTF-8 Packages Required for Policy Director Install

The following UTF-8 packages are required by WebSEAL and the IBM SecureWay Directory server installations on a Solaris 2.8 system:

- SUNWuiu8
- SUNWjiu8
- SUNWuiu8x

If these packages are not installed (such as in the case of a basic core Solaris installation), a failure is returned when the cn=root password is set during the ldapcfg command (easy installation).

Silent Installation Response File Reference

Use the following table as a reference when using a response file for silent installation. For more information, refer to Chapter 4, "Using Silent Installation", in the Tivoli SecureWay Policy Director Base Installation Guide.

The table documents the various stanza-keyword options available for use in a response file. The stanza names are required only for WIN32 response files; on UNIX platforms, they are only used for readability.

| Stanza Name | UNIX Keyword | WIN32 Keyword | Description |
|---|---|---|---|
| [DB2] | n/a | admin-pwd | Specifies the administrator's password. If you log in to a Windows system as Administrator, use the default password of db2admin. If you log in as a different user with administrative authority, use the login password. |
| [DB2] | n/a | install_dir | Specifies the installation directory (WIN32 only). Specify the drive and directory. For example: C:\SQLDIR |
| [HTTPD] | http-admin-id | admin-id | Specifies the administrator's ID. For UNIX, the default ID is root. For WIN32, the default is administrator. |
| [HTTPD] | http-admin-pwd | admin-pwd | Specifies the administrator's password. |
| [HTTPD] | http-port | port | Specifies the port that HTTPD uses. |
| [HTTPD] | n/a | install_dir | Specifies the installation directory (WIN32 only). Specify the drive and directory. For example: C:\Program Files\IBM HTTP Server |
| [LDAP] | n/a | install_dir | Specifies the installation directory (WIN32 only). Specify the drive and directory. For example: C:\Program Files\IBM\LDAP. The LDAP client and server software reside in this directory. |
| [LDAPS] | ldap-adminid | admin-id | Specifies the LDAP administrator ID or Distinguished Name (DN). The default is cn=root. |
| [LDAPS] | ldap-password | admin-pwd | Specifies the LDAP administrator password. |
| [LDAPS] | host | hostname | Specifies the LDAP server hostname. The default is the hostname of the machine being configured. |
| [LDAPS] | port | server-port | Specifies the LDAP server non-ssl port number. The default port number is 389. |
| [LDAPS] | suffix | suffix | Specifies the LDAP distinguished name for the Global Sign On (GSO) database. For example, o=tivoli,c=us. |
| [LDAPS] | ldap-ssl-clientkeyfile | ssl-client-keyfile | Specifies the path to the LDAP SSL key file. The default is <CD>/common/pd_ldapkey.kdb which is shipped on the CD. If this file is used, the password of gsk4ikm and the server-side label of PDLDAP are required. |
| [LDAPS] | ldap-ssl-clientkeyfile-pwd | ssl-client-keyfilepwd | Specifies the password associated with the key file. If using the default of <CD>/common/pd_ldapkey.kdb, the password is gsk4ikm. |
| [LDAPS] | ldap-label | label | Specifies the label associated with the SSL key file. If using the default of <CD>/common/pd_ldapkey.kdb, the label is PDLDAP. |
| [GSKIT] | n/a | install_dir | Specifies the installation directory (WIN32 only). Specify the drive and path. For example: C:\Program Files\IBM\GSK |
| [PDMGR] | ldap-adminid | ldap-admin-id | Specifies the LDAP administrator ID. The default is cn=root. This ID is created during the configuration of the LDAP server. |
| [PDMGR] | ldap-password | ldap-admin-pwd | Specifies the LDAP administrator password. |
| [PDMGR] | port | ssl-port | Specifies the LDAP server non-ssl port. The default port number is 389. |
| [PDMGR] | ssl-life | cert-life | Specifies the lifetime of the certificate file (pdcacert.b64). The default is 365 days. |
| [PDMGR] | enable-certdownload | enable-certdownload | Specifies to enable runtime environments on other machines to automatically download the certificate file (pdcacert.b64). Valid values are Y (enable) or N (disable). |
| [PDMGR] | sec-master-pwd | sec-master-pwd | Specifies the security master password. |
| [PDRTE] | ldap-or-domino | registry-type | Specifies the registry type. On UNIX, the only valid value is 1. On WIN32, the only valid value is ldap. |
| [PDRTE] | host | ldap-server | Specifies the hostname of the LDAP server. |
| [PDRTE] | port | ldap-port | Specifies the LDAP server non-ssl port. The default port number is 389. |
| [PDRTE] | ldap-server-sslport | ldap-ssl-port | Specifies the LDAP server SSL port. The default port number is 636. |
| [PDRTE] | ssl-port | pdmgr_ssl_port | Specifies the management server SSL port. The default port number is |
| [PDRTE] | master-host | pdmgr-host | Specifies the hostname of the management server. |
| [PDRTE] | pd-cacert | cacert | Specifies the path to the management server certificate file (pdcacert.b64). This is required if the management server does not allow automatic downloading of the file by the runtime environment clients. |
| [PDRTE] | enable-ssl | enable-ssl | Specifies to enable SSL communication with the LDAP server. Valid values are Y (enable) or N (disable). |
| [PDRTE] | ssl-client-keyfile | ssl-client-keyfile | Specifies the path to the SSL key file from the LDAP server (required if SSL is enabled). This file must be manually obtained from the LDAP server machine. |
| [PDRTE] | ssl-keyfile-pwd | ssl-client-keyfilepwd | Specifies the password associated with the LDAP SSL client key file. |
| [PDRTE] | ssl-cert-label | ssl-client-keyfiledn | Specifies the label associated with the LDAP SSL client key file of client-side-type key files. The default is blank (null). This value is used only if SSL is enabled. |
| [PDRTE] | Suffix | suffix | Specifies the LDAP distinguished name for the GSO database. |
| [PDRTE] | | pdc_dir | Specifies the installation directory (WIN32 only). Specify the drive and path. For example: C:\Program Files\Tivoli\PolicyDirector. Tivoli SecureWay Policy Director components reside in this directory. |
| [PDACLD] | ldap-adminid | admin-id | Specifies the LDAP administrator ID. The default is cn=root. This ID is created during the configuration of the LDAP server. |
| [PDACLD] | ldap-password | admin-pwd | Specifies the LDAP administrator password. |
| [PDACLD] | sec-master-pwd | sec-master-pwd | Specifies the security master password. This password is created during the configuration of the management server. |
| n/a | prompt-languages | n/a | For UNIX only, turns the prompting of LDAP (and/or other) language installation menus on or off. Valid values are Y (enable) or N (disable). |
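The table above documents a shipped key file, its password, and a default DB2 password, so a response file is worth auditing before and after a silent installation. The following check is an added example, not IBM code; it assumes a "[STANZA]" header and "keyword = value" line syntax with "#" comments, and the finding labels and sample values are constructed.

```python
"""Audit a silent-installation response file for shipped defaults (added example)."""
import re

SHIPPED_KEYFILE = "pd_ldapkey.kdb"   # default SSL key file named in the table
SHIPPED_KEYFILE_PWD = "gsk4ikm"      # password documented for that key file
DB2_DEFAULT_PWD = "db2admin"         # documented default for [DB2] admin-pwd

# Constructed sample in the assumed "[STANZA]" / "keyword = value" layout.
SAMPLE_RESPONSE_FILE = """\
[LDAPS]
ldap-adminid = cn=root
ldap-password = Examp1e-only
ldap-ssl-clientkeyfile = /cdrom/common/pd_ldapkey.kdb
ldap-ssl-clientkeyfile-pwd = gsk4ikm
ldap-label = PDLDAP
[PDRTE]
host = ldap.example.com
port = 389
enable-ssl = N
"""


def parse_response_file(text):
    """Yield (stanza, keyword, value, line_number) for every keyword line."""
    stanza = None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            stanza = header.group(1).upper()
        elif "=" in line:
            # Split on the first "=" only, so values such as cn=root survive.
            keyword, value = line.split("=", 1)
            yield stanza, keyword.strip().lower(), value.strip(), number


def is_secret(keyword):
    """Password keywords in the table end in 'pwd' or contain 'password'."""
    return keyword.endswith("pwd") or "password" in keyword


def audit(text):
    """Return a list of (line_number, finding) tuples, in file order."""
    findings = []
    for stanza, keyword, value, number in parse_response_file(text):
        basename = value.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if is_secret(keyword):
            if value == SHIPPED_KEYFILE_PWD:
                findings.append((number, "default-keyfile-password"))
            elif stanza == "DB2" and value == DB2_DEFAULT_PWD:
                findings.append((number, "default-db2-password"))
            else:
                # Any other password is still stored in clear text in the file.
                findings.append((number, "plaintext-secret"))
        elif "keyfile" in keyword and basename == SHIPPED_KEYFILE:
            findings.append((number, "shipped-keyfile"))
        elif stanza == "PDRTE" and keyword == "enable-ssl" and value.upper() == "N":
            findings.append((number, "ldap-ssl-disabled"))
    return findings


if __name__ == "__main__":
    for number, finding in audit(SAMPLE_RESPONSE_FILE):
        print(f"line {number}: {finding}")
```

A "plaintext-secret" finding is expected in any working response file; it is a reminder to restrict the file's permissions and remove it once the installation completes.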

3 New Supplemental Information

- New Login and Password Policy Information
- New Base Information
- New WebSEAL Information
- New ADK Information

New Login and Password Policy Information

- Modify Password Policy for Non-ASCII Characters (12613)
- Account Lock Policy with Load-balanced WebSEAL Servers

3.1 Modify Password Policy for Non-ASCII Characters (12613)

The default password policy controlling the minimum number of alphabetic characters in a password (pdadmin policy set min-password-alphas) is set at four (4) characters. Some languages (for example, Japanese) use non-ASCII (multi-byte) characters that are not accepted as alphabetic by Policy Director password policy. If you want to allow all characters in a password to be non-ASCII (multi-byte), you must change the default min-password-alphas password policy setting appropriately.

3.2 Account Lock Policy with Load-balanced WebSEAL Servers

You can use the Policy Director three strikes login policy to ensure that an account is locked after a specified number of login attempts. This policy is described in the Tivoli SecureWay Policy Director WebSEAL Administration Guide.

This policy performs as expected in a configuration involving one WebSEAL server. In a configuration involving multiple front-end WebSEAL servers with a load-balancing mechanism, the results of the policy are affected by the fact that each WebSEAL server maintains its own local count of failed login attempts.

For example, if the max-login-failures value is set to three (3) attempts, and the client fails the first three attempts, the account on this server is locked. However, as the client continues login attempts, the load-balancing mechanism, detecting a failure to connect to the first server, redirects the request to another available replicated WebSEAL server. Now the client has three more opportunities to attempt a successful login.

For n attempts configured on each WebSEAL server, and m front-end replicated WebSEAL servers, you are guaranteed an initial account lock on one server after n attempts. You are also guaranteed n x m total attempts to log in across all configured servers. However, after n attempts, it is not clear whether subsequent authentication failures are due to the lock on a particular server, or due to continuing incorrect login attempts across the remaining replicated servers.

The n x m calculation provides a fixed maximum upper limit on the total number of consecutive login attempts before a complete lockout occurs. A case can be made that this number is still probably far less than the number of attempts statistically required to break a password.

If your business security solution requires a three strikes login policy, understand the implications of a load-balanced/multiple front-end WebSEAL configuration on this policy.
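The n x m bound can be checked with a small model. This is an added example, not product code: the Replica class, the user names and the event tuples are constructed, and the second function shows how summing failures across all servers surfaces an account that no single server has locked yet.

```python
"""Per-replica failure counters versus a cluster-wide view (added example)."""
from collections import Counter


class Replica:
    """A front-end server that locks an account after max_login_failures."""

    def __init__(self, name, max_login_failures, counts=None):
        self.name = name
        self.max_login_failures = max_login_failures
        # Passing the same Counter to every replica models a shared count.
        self.counts = counts if counts is not None else Counter()

    def locked(self, user):
        return self.counts[user] >= self.max_login_failures

    def record_failure(self, user):
        self.counts[user] += 1


def failures_until_full_lockout(n, m, shared=False, user="alice"):
    """Count failed logins evaluated before every replica refuses the user.

    The load balancer is modelled as the text describes: a request that
    hits a locked replica is redirected to the next available one.
    """
    shared_counts = Counter() if shared else None
    replicas = [Replica(f"webseal{i + 1}", n, shared_counts) for i in range(m)]
    evaluated = 0
    while True:
        target = next((r for r in replicas if not r.locked(user)), None)
        if target is None:
            return evaluated
        target.record_failure(user)
        evaluated += 1


# Constructed events (server, user, outcome) from a round-robin balancer.
SAMPLE_EVENTS = [
    ("webseal1", "alice", "fail"), ("webseal2", "alice", "fail"),
    ("webseal3", "alice", "fail"), ("webseal1", "alice", "fail"),
    ("webseal2", "alice", "fail"), ("webseal3", "alice", "fail"),
    ("webseal1", "bob", "fail"), ("webseal1", "bob", "ok"),
    ("webseal2", "carol", "fail"), ("webseal2", "carol", "fail"),
    ("webseal2", "carol", "fail"),
]


def unlocked_but_over_limit(events, n):
    """Users whose cluster-wide failures reach n while no replica has locked.

    Successful logins are ignored here; only failures are counted.
    """
    per_replica, total = Counter(), Counter()
    for server, user, outcome in events:
        if outcome == "fail":
            per_replica[(server, user)] += 1
            total[user] += 1
    flagged = {}
    for user, count in total.items():
        worst = max(c for (_, u), c in per_replica.items() if u == user)
        if count >= n and worst < n:
            flagged[user] = count
    return flagged


if __name__ == "__main__":
    print("local counters, n=3, m=4:", failures_until_full_lockout(3, 4))
    print("shared counter, n=3, m=4:", failures_until_full_lockout(3, 4, shared=True))
    print("over limit, not locked:", unlocked_but_over_limit(SAMPLE_EVENTS, 3))
```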

New Base Information

- ssl-io-inactivity-timeout Parameter in pd.conf
- Incorrect Container Object Type Causes Incorrect Listing
- Overriding Global LDAP Master/Replica Preferences
- Conditions Affecting the Results of pdadmin user list (12945)
- Valid Characters for LDAP User and Group Names
- pdadmin user create -no-password-policy Option (IY19307)

3.3 ssl-io-inactivity-timeout Parameter in pd.conf

The ssl-io-inactivity-timeout parameter in the [ssl] stanza of several Policy Director configuration files specifies the inactivity timeout value, in seconds, for SSL communication between the internal Policy Director servers and processes. The parameter determines how long SSL communication waits for a response before timing out.

For example, the pdadmin command waits the duration of this setting (in pd.conf) for a response from the Management Server. If there is no response in the allocated time, pdadmin returns a timeout error to the caller. The error does not mean the task could not complete. The error means that the processing did not complete in the time allotted for pdadmin.

The ssl-io-inactivity-timeout value applies to all SSL activity and can be set in the following configuration files:

pd.conf
    The setting in this file controls timeouts associated with the pdadmin utility or pdadmin API requests to the Management Server for an administration operation. If the timeout is reached, the timeout action is reported to the log file. However, the administration operation still completes at the server.

ivmgrd.conf
    The setting in this file controls timeouts associated with server task commands made to resource managers (such as WebSEAL).

ivacld.conf
    The setting in this file controls timeouts associated with requests by the Authorization Server for authorization database (policy) updates from the Management Server. These policy update requests occur in response to either a polling interval setting or the Authorization Server receiving an update notification from the Management Server.

aznapi.conf
    The setting in this file controls timeouts associated with policy update requests made by the authorization API demo.

Although all four ssl-io-inactivity-timeout settings operate independently, coordinating these settings could eliminate possible unusual behavior or log messages. Consider the following scenario:

    pd.conf:     ssl-io-inactivity-timeout=30 seconds
    ivmgrd.conf: ssl-io-inactivity-timeout=60 seconds

A WebSEAL server task executed via pdadmin takes 90 seconds to complete. In this situation, pdadmin times out after 30 seconds and returns an error to the user. After 60 seconds, the Management Server (pdmgrd) stops waiting for a response from WebSEAL (webseald) and attempts to return an error to pdadmin, which is no longer active for this task. WebSEAL completes the task after 90 seconds and attempts to make a response to the Management Server (pdmgrd), which is no longer active for this task.

3.4 Incorrect Container Object Type Causes Incorrect Listing

The correct object type to use when creating a group container object for use in delegated user administration is type 14 (application container object). If you use another (incorrect) object type value, the group container object appears in the output of a group list command.

To recover from this mistake, set the group container object's type to the correct value and restart the Management Server (pdmgrd). For example:

    pdadmin> object modify /Management/Groups/Travel set type 14

See also page of the Tivoli SecureWay Base Administration Guide.

See also Section 4.9: Incorrect Type Expressed in pdadmin object create Example.

3.5 Overriding Global LDAP Master/Replica Preferences

Policy Director supports the combination of a master (read-write) LDAP server and multiple replicated (read-only) LDAP servers to help ensure that directory data is always available when needed. If any server fails, the directory service continues to be available from another replicated server.

You can set hierarchical preference values to allow read-only access to a single LDAP server (with fail-over to the other servers), or set equal preferences for all servers and allow load balancing to dictate server selection. With appropriate settings, you can prevent the master (read-write) server from handling everyday read-only operations.

You configure global read-only preference values for LDAP servers in the ldap.conf configuration file. Configuration details are provided in the Tivoli SecureWay Policy Director Base Administration Guide.

You can configure the Management Server process (pdmgrd), the Authorization Server process (pdacld), and WebSEAL (webseald) to override these global preferences. When set to a value of yes, the prefer-read-write-server parameter in the [ldap] stanza of each respective configuration file overrides the global preferences.

By default, the prefer-read-write-server parameter for the Management Server is set to yes and therefore overrides the global preferences. This default setting assumes the Management Server is often involved in making changes to the LDAP registry.

When a change is made to the registry, there is a time lag before this change is broadcast to the replica server databases. If the Management Server required an immediate read of the information that had just been altered, the prefer-read-write-server=yes setting ensures the read operation is directed to the master LDAP server.

3.6 Conditions Affecting the Results of pdadmin user list (12945)

This section clarifies and enhances the information for the command:

    pdadmin> user list

in the pdadmin command reference appendix of the Tivoli SecureWay Policy Director Base Administration Guide.

Three conditions affect the maximum number of users returned by this command:

1. The max-return argument in the user list command.
2. The max-search-size parameter in the [ldap] stanza of the ldap.conf configuration file.

   Note: To indicate no limit to the maximum search size, set max-search-size=0.
3. The ibm-slapsizelimit parameter in the slapd32.conf configuration file.
   Note: To indicate no size limit, set ibm-slapsizelimit=0.

The final result of the user list command is restricted by the smallest of these three values.

3.7 Valid Characters for LDAP User and Group Names

When using LDAP as the user registry, the set of valid characters allowed within a user or group name is determined by the following Internet Engineering Task Force (IETF) Request for Comments (RFC):

- 2253 "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names"
- 2254 "The String Representation of LDAP Search Filters"

The specific LDAP server can also dictate the validity of these characters.

In general, you can use special characters within a Distinguished Name. However, certain special characters require an additional escape character. The following special characters must be escaped when used in a Distinguished Name:

- + (plus)
- \ (backslash)
- ; (semicolon)
- , (comma)

For example, to create a user containing a semicolon using the pdadmin utility:

    pdadmin> user create user;one cn=user\;one,o=tivoli,c=us user;one user;one password1

Note the backslash used to escape the semicolon in the Distinguished Name. The above command creates a user whose Policy Director identity is "user;one".

If you use special characters when using pdadmin from a command line, enclose each argument of the user or group command with double quotes as illustrated in the above example. The double quotes allow the argument to be entered without being subject to interpretation by the operating system shell command processor.

Due to the variability of special character handling in general, it is recommended that you avoid special characters completely, if possible.

3.8 pdadmin user create -no-password-policy Option (IY19307)

The -no-password-policy option to the pdadmin user create command allows the administrator to create the user with a password that is not checked by the existing global password policies.

If this option is not present in the command, the password is checked against the global password policies. In this case, the user create command fails if the password is invalid, and the error message includes information on what conditions were not met.

However, if the administrator applies the pdadmin user modify password command, the -no-password-policy option is not available. Therefore, the modified password is always checked against the global password policy settings.

Similarly, if the user changes the password (/pkmspasswd), the new password is always checked against the global password policy settings.
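For the Distinguished Name escaping described in section 3.7, the following added example (not part of the release notes) escapes a value before it is placed in a DN and shows how an unescaped separator changes the number of RDNs. It goes beyond the four characters listed above to the full RFC 2253 set (double quote, angle brackets, a leading space or "#", a trailing space); the function names are assumptions.

```python
"""Escape values before placing them in a Distinguished Name (added example)."""

# Characters RFC 2253 requires escaping anywhere in an attribute value.
ALWAYS_ESCAPED = set(',+"\\<>;')


def escape_dn_value(value):
    """Backslash-escape one attribute value for use inside a DN."""
    out = []
    last = len(value) - 1
    for index, char in enumerate(value):
        needs_escape = (
            char in ALWAYS_ESCAPED
            or (index == 0 and char in " #")      # leading space or '#'
            or (index == last and char == " ")    # trailing space
        )
        out.append("\\" + char if needs_escape else char)
    return "".join(out)


def build_user_dn(common_name, suffix="o=tivoli,c=us"):
    """Build cn=<escaped name>,<suffix>; the suffix is trusted configuration."""
    return "cn=" + escape_dn_value(common_name) + "," + suffix


def split_rdns(dn):
    """Split on unescaped ',' or ';' (quoted-string DN syntax is not handled)."""
    parts, current, index = [], [], 0
    while index < len(dn):
        char = dn[index]
        if char == "\\" and index + 1 < len(dn):
            # Keep the backslash and the character it protects together.
            current.append(dn[index:index + 2])
            index += 2
            continue
        if char in ",;":
            parts.append("".join(current))
            current = []
        else:
            current.append(char)
        index += 1
    parts.append("".join(current))
    return parts


if __name__ == "__main__":
    safe = build_user_dn("user;one")
    naive = "cn=" + "user;one" + ",o=tivoli,c=us"
    print(safe, "->", len(split_rdns(safe)), "RDNs")
    print(naive, "->", len(split_rdns(naive)), "RDNs")
```

The escaped form yields the three RDNs the administrator intended; the unescaped form is parsed as four, because the semicolon is read as a separator.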

New WebSEAL Information

- Query_contents Junction Option Required for Windows
- Handling UTF-8 Encoded Characters (12936)
- Clarification for Certificate Authentication Documentation
- Example Use of xattr_set for Supplying Tag/Value Data
- Allocating Worker Threads for Junctions (Junction Fairness)
- Configuring Multiple WebSEAL Server Instances
- Preventing Vulnerability Caused by Cross-site Scripting (15146)
- Step-up Versus Multi-factor Authentication
- Configuring Multiple Junctions to Same Server (IY19635)

3.9 Query_contents Junction Option Required for Windows

When you require, and install, the query_contents program on a Web server located on a back-end junctioned Windows application server, you must use the -q option when creating the WebSEAL junction to that server.

By default, WebSEAL looks for the program as query_contents in the cgi-bin directory:

    /cgi-bin/query_contents

The -q option in the junction create command is not required for a UNIX server because the query_contents program name and location match the default conditions.

If you change the name of the query_contents program or change its directory location, you must use the -q <location> option when creating the junction. The location argument specifies the location and name of the program.

The default name of the query_contents program used on the Windows platform is query_contents.exe. The presence of the .exe extension makes the program name different. Therefore, WebSEAL cannot find the program by default unless the -q <location> option and argument is specified. For example:

    create -t tcp -h <host-name>... -q /cgi-bin/query_contents.exe /<junction-name>

This information supplements the existing discussion of query_contents found on pages 180 and 245 of the Tivoli SecureWay Policy Director WebSEAL Administration Guide.

3.10 Handling UTF-8 Encoded Characters (12936)

The utf8-url-support-enabled parameter in the [server] stanza of the webseald.conf configuration file controls how WebSEAL interprets URLs sent from browsers. The parameter recognizes three settings:

yes
    WebSEAL recognizes UTF-8 encoding in URL strings and decodes the information into the native character set (local code page). Other encoding techniques are not accepted.

no
    WebSEAL does not recognize UTF-8 encoding in URL strings. Any UTF-8 encoded information is not interpreted correctly.

auto
    WebSEAL attempts to distinguish between UTF-8 and double-byte character set (%uxxxx) forms of language character encoding and correctly process any UTF-8 encoding.

When utf8-url-support-enabled is set to yes (default), WebSEAL assumes URLs can include UTF-8 encoded characters. These UTF-8 characters are then validated and taken into account when determining access rights to the URL. In addition, the default setting does not allow URLs with Unicode characters of the form %uhhhh.

According to HTTP specifications, browsers are limited in the character set that can legally be used within a URL. This range is defined to be the printable characters in the ASCII character set (between hex code 0x20 and 0x7e).

For non-English languages, and other purposes, characters outside the printable ASCII character set are often required in URLs. These characters should be encoded using printable characters for transmission and interpretation.

There are a number of different encoding methods for transmitting characters outside the permitted range. Despite the HTTP specifications, there are also many commercial Web servers which simply tolerate and accept characters outside the legal range. Policy Director WebSEAL, acting as a Web proxy, must be able to handle all these cases.

The most widely accepted ("de facto standard") encoding method is UTF-8. Many current commercial Web servers can be configured to accept UTF-8 encoding. The URL is normalized (that is, encoded characters are converted to their local code page equivalents), and ACL checking is applied to the normalized URL.

Other encoding techniques are not accepted if UTF-8 is enabled. This is the recommended configuration for Policy Director WebSEAL.

Some existing applications and Web servers do not function correctly with Policy Director WebSEAL if UTF-8 support is enabled, as these applications use DBCS characters (such as Shift-JIS) in the URL, or other encoding mechanisms.

If this is the case for your deployment, you need to do two things:

1. Edit webseald.conf and set the new parameter as follows:

       utf8-url-support-enabled = no

2. Ensure that all junctioned servers do NOT accept UTF-8 encoded URLs. It is important, from a security perspective, that WebSEAL interprets URLs in the same manner as the junctioned servers.

The recommended deployment strategy is as follows:

1. Unless required for content purposes, immediately check and set the default-webseal ACL on existing production deployments to NOT allow unauthenticated r access. This limits security exposure to users who do have a valid account within the Policy Director domain.

2. Install and test the Policy Director WebSEAL fix in a pre-production environment against all applications. Set the utf8-url-support-enabled parameter to the recommended value of yes.

3. Test your applications. If they function correctly, use this setting.

4. If any applications fail with Bad Request errors, retry the application with the utf8-url-support-enabled parameter set to no. If this works, you may deploy with the parameter set to no. However, you should also ensure that no junctioned Web server is configured to accept UTF-8 encoded URLs.
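The requirement that WebSEAL and the junctioned servers interpret URLs in the same manner can be checked with a small model. The following Python sketch is an added example, not WebSEAL code: it assumes Shift-JIS as the local code page, models only the yes and no settings, and uses constructed request paths to show which name the proxy would check against the ACL and which name the back end would serve.

```python
import re
from urllib.parse import unquote_to_bytes

PCT_U = re.compile(r"%u[0-9a-fA-F]{4}")   # the %uhhhh form named in the text
LOCAL_CODEPAGE = "shift_jis"               # assumption: a DBCS local code page


class BadRequest(Exception):
    """Stands in for a 400 Bad Request response."""


def normalize(path, utf8_enabled):
    """Decode a request path the way one hop would before using it.

    utf8_enabled=True  models utf8-url-support-enabled = yes: escaped bytes
    must be valid UTF-8 and the %uhhhh form is refused.
    utf8_enabled=False models the "no" setting: escaped bytes are read in the
    local code page and UTF-8 is not recognized.
    """
    if utf8_enabled and PCT_U.search(path):
        raise BadRequest("%uhhhh encoding is not accepted")
    raw = unquote_to_bytes(path)
    try:
        return raw.decode("utf-8" if utf8_enabled else LOCAL_CODEPAGE)
    except UnicodeDecodeError as exc:
        raise BadRequest(f"cannot decode escaped bytes: {exc.reason}") from exc


def compare_hops(path, proxy_utf8, backend_utf8):
    """Report the name the proxy checks and the name the back end serves."""
    def read(flag):
        try:
            return normalize(path, flag)
        except BadRequest:
            return None                    # rejected at this hop
    proxy, backend = read(proxy_utf8), read(backend_utf8)
    # A request the proxy rejects never reaches the back end, so the gap is a
    # request that passes the proxy under one name and is served under another.
    gap = proxy is not None and backend is not None and proxy != backend
    return {"acl_checked_as": proxy, "served_as": backend, "gap": gap}


# Constructed requests: the same two characters escaped as UTF-8 and as Shift-JIS.
UTF8_URL = "/docs/%E6%97%A5%E6%9C%AC"
SJIS_URL = "/docs/%93%FA%96%7B"

if __name__ == "__main__":
    for url in (UTF8_URL, SJIS_URL):
        for proxy, backend in ((True, True), (False, False), (False, True)):
            print(url, "proxy utf8:", proxy, "backend utf8:", backend,
                  compare_hops(url, proxy, backend))
```

The mixed case (proxy set to no, back end accepting UTF-8) is the one the second step above rules out: the ACL decision is made on one object name while the back end resolves another.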

3.11 Clarification for Certificate Authentication Documentation

The section in the Tivoli SecureWay Policy Director WebSEAL Administration Guide entitled Configuring the Certificate Authentication Mechanism (pages ) contains the following statement:

    The default mapping provided by the shared library file directly maps a certificate DN to an LDAP DN.

The following explanation clarifies this statement. During certificate authentication, the shared library identifies the Policy Director user by exactly matching the Distinguished Name (DN) in the Subject field of the client-side certificate with an existing DN entry in the LDAP registry.

3.12 Example Use of xattr_set for Supplying Tag/Value Data

The following example illustrates a method of calling xattr_set to supply tag/value data (business entitlements) in a custom CDAS:

    /* first string: tag name; second string: value for that tag */
    xattr_set(&ident->xattrs,
              strdup("tagvalue_ldap-employee-number"),
              strdup("<employee-number>"));
    xattr_set(&ident->xattrs,
              strdup("tagvalue_ldap-employee-phone"),
              strdup("<employee-phone>"));

3.13 Allocating Worker Threads for Junctions (Junction Fairness)

You can configure the allocation of WebSEAL worker threads used to process requests across multiple junctions on a global or per-junction basis. The configuration mechanism maintains a fair distribution of worker threads across all junctions and prevents depletion of the worker thread pool by any one junction.

Background

Policy Director WebSEAL draws from its pool of worker threads to process multiple requests. The number of worker threads available to WebSEAL is specified by the worker-threads parameter in the webseald.conf configuration file.

You can adjust the worker-threads value to best serve your particular WebSEAL implementation. When no worker threads are available to handle incoming requests, users experience a WebSEAL server that is not responding.

Worker threads are used to handle incoming requests to applications residing on multiple junctioned back-end servers. However, the worker thread pool can be quickly drained if a particular back-end application is unusually slow when responding to and processing a high volume of requests. A depletion of the worker thread pool by this one application renders WebSEAL incapable of responding to requests for services on the remaining junctioned application servers.

You can configure global or per-junction limits on the number of worker threads used to service applications on multiple junctions. These limits allow fairness to prevail for all junctions and prevent any one application from claiming more than its share of worker threads.

Global Allocation of Worker Threads for Junctions

Two parameters located in the [junction] stanza of the webseald.conf configuration file control the global allocation of worker threads across all junctions for a particular WebSEAL server. The values used for these parameters are expressed as percentages within the range of 0 to 100. The default of 100 (%) indicates there is no limit.

worker-thread-soft-limit
    This parameter acts as a warning before the hard limit is reached. When the worker-thread-soft-limit is exceeded, warning messages are sent (every 30 seconds) to the WebSEAL error log file.

    For example, when worker-threads=50, a setting of 60 (%) causes warning messages to be issued when the junction consumes more than 30 worker threads. All requests above 30 worker threads are still processed, until the hard limit is reached.

worker-thread-hard-limit
    This parameter acts as the cut-off point for servicing requests across a junction. When the worker-thread-hard-limit is exceeded, error messages are sent (every 30 seconds) to the WebSEAL error log file. In addition, the user is sent a 503 Service Unavailable message.

    For example, when worker-threads=50, a setting of 80 (%) causes error messages to be issued when the junction tries to consume more than 40 worker threads. All requests representing greater than 40 worker threads on the junction are returned with a 503 Service Unavailable message.

These global settings apply equally to all configured junctions. When configuring these two parameters, it is logical to set the soft limit to a lower value than the hard limit.

Per-Junction Allocation of Worker Threads for Junctions

Alternatively, you can limit worker thread consumption on a per-junction basis. The following options to the pdadmin server task create command allow you to specify hard and soft worker thread limits on a specific junction:

-l <percent-value>
    This option sets a value (percent) on the junction that defines the soft limit for consumption of worker threads. As in the global soft limit setting, this option causes warning messages to be issued when the junction consumes more worker threads than allowed by the setting.

-L <percent-value>
    This option sets a value (percent) on the junction that defines the hard limit for consumption of worker threads. As in the global hard limit setting, this option causes warning messages to be issued when the junction tries to consume more worker threads than allowed by the setting. In addition, the user is sent a 503 Service Unavailable message.

For example:

    pdadmin> server task webseald-<server> create -t tcp \
        -h <host-name> -l 60 -L 80 <jct-point>

Per-junction settings always override the global settings in webseald.conf. Inappropriate settings on a specific junction could adversely affect the policy established by the global settings.

Troubleshooting Notes

- You can use the pdadmin server task show command to view the number of active worker threads on a specific junction:

      pdadmin> server task webseald-<server> show /<jct-point>

  This information might be useful when you want to determine the location of a junction that is absorbing more than its share of worker thread resources.

- If you specify a soft limit value that is greater than the hard limit value on a specific junction, the junction will not be created.

- You must specify both soft and hard limit values (both -l and -L options) on a specific junction.
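To see why the hard limit matters, the following added example (a simplified model written for these notes, not WebSEAL code) simulates a pool of 50 worker threads shared by a slow junction and a fast one. The junction names, request rates and hold times are constructed for illustration; the 50-thread pool and the 80 percent hard limit are the figures used in the text above.

```python
def simulate(worker_threads=50, hard_pct=100, ticks=40):
    """Run a constructed workload and count the outcome per junction.

    hard_pct models worker-thread-hard-limit; 100 means no limit, as in the
    text. Time advances in ticks; a request holds one thread for `hold` ticks.
    """
    limit = worker_threads * hard_pct // 100      # threads one junction may hold
    # Constructed workload: (junction, requests per tick, ticks a thread is held)
    workload = [("/slow", 5, 20), ("/fast", 2, 1)]
    busy = []                                     # (release_tick, junction) per busy thread
    stats = {name: {"served": 0, "503": 0, "no_thread": 0}
             for name, _, _ in workload}

    for now in range(ticks):
        # Threads whose work has finished go back to the pool.
        busy = [(release, name) for release, name in busy if release > now]
        for name, rate, hold in workload:
            for _ in range(rate):
                active = sum(1 for _, n in busy if n == name)
                if hard_pct < 100 and active + 1 > limit:
                    stats[name]["503"] += 1        # hard limit: 503 Service Unavailable
                elif len(busy) >= worker_threads:
                    stats[name]["no_thread"] += 1  # pool drained: server not responding
                else:
                    busy.append((now + hold, name))
                    stats[name]["served"] += 1
    return stats


if __name__ == "__main__":
    for pct in (100, 80):
        print("hard limit", pct, "%:", simulate(hard_pct=pct))
```

With no limit the slow junction drains the pool and the fast junction stops being served; with the hard limit at 80 the slow junction is cut off at 40 threads and every request to the fast junction is handled.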

3.14 Configuring Multiple WebSEAL Server Instances

Policy Director WebSEAL 3.8, with the installation of WebSEAL FixPack 1, provides the capability for configuring multiple WebSEAL server instances on a single machine.

Configuration Overview:

For configuration purposes, an instance of a WebSEAL server is defined by a unique network interface (IP address) and port number combination.

Multiple WebSEAL instances can be configured using one of the following methods to create unique network interface:port combinations:

- Use a single network interface (IP address) and assign WebSEAL instances to unique HTTP/HTTPS listening ports
- Assign WebSEAL instances to unique network interfaces (physical network interface cards or logical network aliases) and use common HTTP/HTTPS listening ports

Each configured WebSEAL instance has a unique name, a unique internal port number (for inter-Policy Director server communication), a unique directory location, and a unique configuration file.

Multiple configuration files are made unique by the server instance name, prepended with webseald-. For example:

    /opt/pdweb/etc/webseald-<instance-name>.conf

The required configuration tools for configuring and unconfiguring multiple WebSEAL server instances include:

UNIX systems (multiple instances are not supported on HP-UX):

- PDWeb_config command line utility
- PDWeb_unconfig command line utility

Note: The pdconfig utility can be used to create the initial WebSEAL instance. The PDWeb_config command line must be used to create all additional instances. This discussion of multiple instances assumes you have configured an initial WebSEAL server.

Windows systems:

- ivweb_setup command line utility
- ivweb_uninst command line utility

Configuring Multiple WebSEAL Instances on UNIX

Note: Multiple instances are not supported on HP-UX.

PDWeb_config syntax:

    # ./PDWeb_config -i <instance-name> -m <internal-port> \
        [-n <network-interface>]

Argument             Description
instance-name        Unique name for this instance. You must use this name to unconfigure the instance.
internal-port        Unique port number for inter-Policy Director server communication. Value must be greater than (Values less than or equal to 1023 are reserved.)
network-interface    Optional argument to specify the IP address of a network interface.

Configuring multiple instances on unique HTTP/HTTPS ports:

1. Assumption: Machine is configured with an initial WebSEAL server (pdconfig) and a single network card/IP address (for example: ).

2. Change directory location:

       # cd /opt/pdweb/sbin

3. Run the PDWeb_config command to create and configure an additional WebSEAL instance. In this scenario, multiple server instances are made unique through a unique HTTP/HTTPS listening port designation on the default network interface. Therefore, do not use the -n option to specify a network interface. For example:

       # ./PDWeb_config -i webseal2 -m

4. The configuration setup screen appears:

       Please check Web Server configuration:
       1. Enable TCP HTTP? Yes
       2. HTTP Port
       3. Enable HTTPS? Yes
       4. HTTPS Port
       5. Web document root directory /opt/pdweb/www-webseal2/docs
       a. Accept configuration and continue with installation
       x. Exit installation
       Select item to change:

5. Select the HTTP and HTTPS port menu items and provide unique port values that are not in use by any other server (for example, 81 and 444).

   Note: A warning message appears if you select a port value already in use. You are given the opportunity to select a different value.

6. Run the PDWeb_config command to create and configure any additional WebSEAL server instances. For example:

       # ./PDWeb_config -i webseal3 -m

   From the configuration setup screen, configure unique HTTP and HTTPS port values.

Note: The maximum number of allowed WebSEAL instances is governed by system configuration limitations, such as available RAM and disk space. If any system resource is exceeded, configuration error and startup failure messages appear.

Configuring multiple instances on unique logical network interfaces:

1. Assumption: Machine is configured with an initial WebSEAL server (pdconfig) and a single network card/IP address.

2. By default, the initial WebSEAL server listens for requests on *:80 and *:443. You must assign a specific IP address for this initial network interface before you can configure and run additional WebSEAL servers.

   Note: Additional WebSEAL servers cannot start if the initial WebSEAL server listens on *:80 and *:443.

3. Edit the webseald.conf configuration file and specify the appropriate IP address for the initial WebSEAL server by adding the network-interface parameter to the [server] stanza. For example:

       [server]
       network-interface =

4. Restart the WebSEAL server:

       # /opt/pdweb/bin/pdweb_start restart

5. For each additional WebSEAL server instance, configure an additional logical network interface (alias). For example (on Solaris):

       # ifconfig hme0 addif netmask w.x.y.z up
       # ifconfig hme0 addif netmask w.x.y.z up

   Note: Alternatively, you could assign each WebSEAL instance to a unique pre-configured physical network card.

6. Change directory location:

       # cd /opt/pdweb/sbin

7. Run the PDWeb_config command to create and configure an additional WebSEAL instance. In this scenario, multiple server instances are made unique through a unique network interface on common HTTP/HTTPS listening ports. Therefore, you must use the -n option. For example:

       # ./PDWeb_config -i webseal2 -m 3232 -n

8. The configuration setup screen appears:

       Please check Web Server configuration:
       1. Enable TCP HTTP? Yes
       2. HTTP Port
       3. Enable HTTPS? Yes
       4. HTTPS Port
       5. Web document root directory /opt/pdweb/www-webseal2/docs
       a. Accept configuration and continue with installation
       x. Exit installation
       Select item to change:

9. Accept the standard HTTP and HTTPS port values as listed.

10. Run the PDWeb_config command to create and configure any additional WebSEAL server instances. For example:

        # ./PDWeb_config -i webseal3 -m -n

    From the configuration setup screen, accept the standard HTTP and HTTPS port values as listed.

Note: The maximum number of allowed WebSEAL instances is governed by system configuration limitations, such as available RAM and disk space. If any system resource is exceeded, configuration error and startup failure messages appear.

Configuring Multiple WebSEAL Instances on Win NT/2000

Assumptions:

- Initial WebSEAL server instance has been configured
- Procedures described are appropriate for a Windows NT/2000 platform

ivweb_setup syntax:

    MSDOS> ivweb_setup -m <pdadmin-passwd> -i <instance-name> \
        -M <internal-port> -u {yes|no} -r <http-port> -U {yes|no} \
        -R <https-port> [-n <network-interface>]

Argument             Description
pdadmin-password     Administration password.
instance-name        Unique name for this instance. You must use this name to unconfigure the instance.
internal-port        Unique port number for inter-Policy Director server communication. Value must be greater than (Values less than or equal to 1023 are reserved.)
u                    Enable/disable HTTP access.
http-port            Port number for HTTP access.
U                    Enable/disable HTTPS access.
https-port           Port number for HTTPS access.
network-interface    Optional argument to specify the IP address of a network interface.

Configuring multiple instances on unique HTTP/HTTPS ports:

1. Assumption: Windows is configured with an initial WebSEAL server (pdconfig) and physical network card/IP address (for this example: ).

2. Change directory location:

       MSDOS> cd C:\Program Files\Tivoli\Policy Director\PDWeb\bin

3. Run the ivweb_setup command to create and configure an additional WebSEAL instance. In this scenario, multiple server instances are made unique through a unique HTTP/HTTPS listening port designation on a common network interface. Therefore, do not use the -n option to specify additional network interfaces. For example:

       MSDOS> ivweb_setup -m xxxxx -i webseal2 -M -u yes \
           -r 81 -U yes -R 444

   Note: A warning message appears if you select a port value already in use. You are given the opportunity to select a different value.

4. Run the ivweb_setup command to create and configure any additional WebSEAL server instances. For example:

       MSDOS> ivweb_setup -m xxxxx -i webseal3 -M -u yes \
           -r 82 -U yes -R 445

Configuring multiple instances on unique logical network interfaces:

1. Assumption: Windows is configured with an initial WebSEAL server and a single network card/IP address.

2. By default, the initial WebSEAL server listens for requests on *:80 and *:443. You must assign a specific IP address for this initial network interface before you can configure and run additional WebSEAL servers.

   Note: Additional WebSEAL servers cannot start if the initial WebSEAL server listens on *:80 and *:443.

3. Edit the webseald.conf configuration file and specify the appropriate IP address for the initial WebSEAL server by adding the network-interface parameter to the [server] stanza. For example:

       [server]
       network-interface =

4. Restart the WebSEAL server from the Services Control Panel.

5. For each additional WebSEAL server instance, configure an additional logical network interface (alias) using the Network Connections control panel. For example (on Windows 2000):

   a. Control Panel > Network Connections
   b. Right-click on Local Area Connections and select Properties.
   c. Select Internet Protocol (TCP/IP)
   d. Click on Properties and select Advanced
   e. From IP Settings tab, click Add
   f. Enter an IP address for the new network interface
   g. Enter a subnet mask
   h. Click Add
   i. Open a command prompt window and enter:

          MSDOS> ipconfig -all

      All network interfaces should appear as listening.
   j. Repeat these steps for additional network interfaces

6. Change directory location:

       MSDOS> cd C:\Program Files\Tivoli\Policy Director\PDWeb\bin

7. Run the ivweb_setup command to create and configure an additional WebSEAL instance. In this scenario, multiple server instances are made unique through a unique network interface on common HTTP/HTTPS listening ports. Therefore, you must use the -n option. For example:

       MSDOS> ivweb_setup -m xxxxx -i webseal2 -M -u yes \
           -r 80 -U yes -R 443 -n

8. Run the ivweb_setup command to create and configure any additional WebSEAL server instances. For example:

       MSDOS> ivweb_setup -m xxxxx -i webseal3 -M -u yes \
           -r 80 -U yes -R 443 -n

Unconfigure Multiple WebSEAL Instances

You cannot unconfigure the initial WebSEAL server until all other server instances have been unconfigured.

UNIX:

    PDWeb_unconfig -i <instance-name>

1. Change directory location:

       # cd /opt/pdweb/sbin

2. Run the PDWeb_unconfig command for each instance. For example:

       # ./PDWeb_unconfig -i webseal2
       # ./PDWeb_unconfig -i webseal3

Windows:

    ivweb_uninst -deconfig -m <pdadmin-passwd> -i <instance-name>

1. Change directory location:

       MSDOS> cd C:\Program Files\Tivoli\Policy Director\PDWeb

2. Run the ivweb_uninst command for each instance. For example:

       MSDOS> ivweb_uninst -deconfig -m xxxxxx -i webseal2
       MSDOS> ivweb_uninst -deconfig -m xxxxxx -i webseal3

Server Start, Stop, Restart, Status Commands

UNIX:

The pdweb_start utility provides start, stop, restart, and status capabilities for the initial WebSEAL server and any multiple server instances. You can also apply a command to a specific server instance.

    pdweb_start {start|stop|restart|status} [<instance-name>]

Examples:

Start the initial WebSEAL server and all configured server instances:

    # /opt/pdweb/bin/pdweb_start start

Start a specific server instance only:

    # /opt/pdweb/bin/pdweb_start start webseal3

Restart the initial WebSEAL server and all configured server instances:

    # /opt/pdweb/bin/pdweb_start restart

Stop the initial WebSEAL server and all configured server instances:

    # /opt/pdweb/bin/pdweb_start stop

Stop a specific server instance only:

    # /opt/pdweb/bin/pdweb_start stop webseal3

Show status of all configured servers:

    # /opt/pdweb/bin/pdweb_start status
    Policy Director Servers
    Server               Enabled   Running
    pdmgrd               yes       yes
    pdacld               yes       yes
    webseald-webseal3    yes       yes
    webseald-webseal2    yes       yes
    webseald             yes       yes

Windows:

The net command provides start and stop capabilities for the initial WebSEAL server and any multiple server instances.

    net {start|stop} <instance-name>

The Services Control Panel provides server status information.

Examples:

Start the initial WebSEAL server and all configured server instances (you must repeat the command for each instance):

    MSDOS> net start webseald
    MSDOS> net start webseal2
    MSDOS> net start webseal3

Stop the initial WebSEAL server and all configured server instances (you must repeat the command for each instance):

    MSDOS> net stop webseald
    MSDOS> net stop webseal2
    MSDOS> net stop webseal3

Show status of all configured servers:

    Start > Settings > Control Panel > Services

3.15 Preventing Vulnerability Caused by Cross-site Scripting (15146)

Cross-site scripting refers to a technique used to cause Web server vulnerability by embedding malicious code into the URLs of Web requests. WebSEAL FixPack 1 provides certain built-in protection for this type of vulnerability and allows you to further refine the protection by configuring URL string filtering.

Note: The term cross-site scripting, although accepted by the industry, does not entirely describe the range of issues involving embedded malicious code.

Background

Cross-site scripting is a specific type of Web server vulnerability created when a client URL request includes embedded malicious scripting. For example (Javascript):

    <script>malicious_code</script>

Other scripting tags that could be used to create vulnerability include <OBJECT>, <APPLET>, and <EMBED>.

When a user clicks on a link containing the malicious code (or enters such a URL directly), the script is executed when the HTML is read by the user's browser.

For example, an attack can occur when a user clicks on a link that contains the following URL:

In this example, the object is not found and WebSEAL responds by returning a 404 Page Not Found HTML error page. This error page happens to include the URL containing the malicious Javascript. The browser interprets the URL and executes the script.

Please refer to the following CERT advisory for complete information about the mechanics of cross-site scripting and general preventative measures:

Configuring URL String Filtering

With the installation of WebSEAL FixPack 1, the problem of cross-site scripting, and embedded malicious code in general, is handled in two ways. WebSEAL now encodes angle brackets (<, >) in redirected URLs. The encoding can help prevent normal interpretation of scripts by the browser.

In addition, you can now add a new stanza to the webseald.conf configuration file. The stanza, [illegal-url-substrings], can contain parameters specifying one or more string fragments. For example:

    [illegal-url-substrings]
    substring = <script
    substring = <applet
    substring = <embed

If WebSEAL detects any configured string fragment in the requested URL, the URL is deemed illegal and not accepted. WebSEAL returns a 400 Bad Request error page.

This flexible mechanism allows you to handle future attack schemes by adding additional substring values.

Upon installation of WebSEAL FixPack 1, WebSEAL, by default, filters strings containing <script. You do not need to manually add the [illegal-url-substrings] stanza to filter this particular string. However, when you require additional filtering, you must create the stanza and list all substrings individually, as in the example above.

You can completely disable the URL string filtering feature (including the default behavior) by placing an empty [illegal-url-substrings] stanza into the webseald.conf file.

Functional notes:

- Substrings are located using a case-insensitive search
- Substring filtering accommodates multi-byte characters
- The mechanism protects junctioned servers

3.16 Step-up Versus Multi-factor Authentication

Policy Director step-up authentication and multi-factor authentication are two different and distinct mechanisms for controlling access to resources. Policy Director only provides step-up authentication functionality. The Tivoli SecureWay Policy Director 3.8 WebSEAL Administration Guide accurately describes the configuration required to enable step-up authentication.

Multi-factor authentication forces a user to authenticate using two or more levels of authentication. For example, the access control on a protected resource can require that the user authenticate with both username/password and username/token passcode.

Policy Director step-up authentication relies on a pre-configured hierarchy of authentication levels and enforces a specific level of authentication according to the policy set on a resource. Step-up authentication does not force the user to authenticate using multiple levels of authentication to access any given resource. Instead, step-up authentication requires the user to authenticate at a level at least as high as that required by the policy protecting the resource.

Step-up authentication example:

Configured authentication levels:

    authentication level 1 = username/password
    authentication level 2 = username/token passcode

The following object is protected by a POP requiring authentication level 1:

    /WebSEAL/hostA/junction

The following object is protected by a POP requiring authentication level 2:

    /WebSEAL/hostA/junction/applicationA

Under step-up authentication, username/password (level 1) authentication is required to access /WebSEAL/hostA/junction.

However, username/token passcode (level 2) authentication is required to access /WebSEAL/hostA/junction/applicationA. If the user is currently logged in with a username and password, a prompt appears requesting username and token passcode information (the step-up). However, if the user initially logs in to WebSEAL with username and token passcode, access to applicationA is immediate (assuming a positive ACL check).

Multi-factor authentication would require both level 1 and level 2 authentication for access to applicationA.

3.17 Configuring Multiple Junctions to Same Server (IY19635)

Creating multiple WebSEAL junctions that point to the same back-end application server/port can cause unpredictable control of access to resources and therefore is not a recommended or supported Policy Director configuration strategy.

Each WebSEAL junction can be secured by a unique set of access controls (ACLs). However, the ACL policy of each newly created junction overlays the policies of previously created junctions attached to the same back-end server/port. Subsequent junctions secured with more permissive ACLs can compromise previous junctions secured with less permissive ACLs. WebSEAL and the Policy Director authorization model cannot guarantee secure access control with this type of junction implementation.
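Returning to the URL string filtering of section 3.15, the following added example (not WebSEAL code) works out which fragments are in force for a given webseald.conf and whether a requested URL would be refused. It assumes that # starts a comment line, that the filter is applied to the URL string as received, and that a stanza which is present replaces the default <script entry, which is how these notes read ("list all substrings individually"); the sample configuration text is constructed.

```python
DEFAULT_SUBSTRINGS = ["<script"]       # filtered by default after FixPack 1
TAGS_NAMED_IN_NOTES = ["<script", "<object", "<applet", "<embed"]
STANZA = "illegal-url-substrings"


def parse_substrings(conf_text):
    """Return the substring values in the stanza, or None if it is absent.

    The key "substring" repeats, so a dictionary-style INI parser that keeps
    one value per key would silently drop entries; read the lines directly.
    """
    values, inside, found = [], False, False
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):       # assumption: # is a comment
            continue
        if line.startswith("[") and line.endswith("]"):
            inside = line[1:-1].strip() == STANZA
            found = found or inside
            continue
        if inside:
            key, sep, value = line.partition("=")
            if sep and key.strip() == "substring" and value.strip():
                values.append(value.strip())
    return values if found else None


def effective_filter(conf_text):
    """Apply the three cases from the text to get the fragments in force."""
    listed = parse_substrings(conf_text)
    if listed is None:
        return list(DEFAULT_SUBSTRINGS)            # no stanza: default filter
    return listed                                  # empty stanza: filtering off


def is_rejected(url, substrings):
    """True when the URL would get 400 Bad Request (case-insensitive match)."""
    lowered = url.lower()
    return any(fragment.lower() in lowered for fragment in substrings)


def uncovered_tags(substrings):
    """Tags named in these notes that no configured fragment would catch."""
    return [tag for tag in TAGS_NAMED_IN_NOTES
            if not is_rejected(tag, substrings)]


# Constructed configuration using the stanza example from the text.
SAMPLE_CONF = """\
[server]
worker-threads = 50

[illegal-url-substrings]
substring = <script
substring = <applet
substring = <embed
"""

if __name__ == "__main__":
    active = effective_filter(SAMPLE_CONF)
    print("in force:", active)
    print("not covered:", uncovered_tags(active))
    print("rejected:", is_rejected("/jct/<SCRIPT>x</SCRIPT>", active))
```

Run against the stanza example above, the check reports that <object, one of the tags the notes name, is not covered, and an empty stanza leaves every URL accepted.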

New ADK Information

- Compiler Support on Solaris

3.18 Compiler Support on Solaris

On Solaris, you must compile with Sun Workshop 5 or greater, with Workshop 4 compatibility enabled (-compat=4).

4 Corrections to the Documentation

- Base Installation Guide Corrections
- WebSEAL Installation Guide Corrections
- Base Administration Guide Corrections
- WebSEAL Administration Guide Corrections
- Administration API Reference Corrections

Base Installation Guide Corrections

- Stopping Base Services When Upgrading
- Removing GSKit on a Windows Platform
- Correction to Upgrade Procedure
- Incorrect Package Name for LDAP Client on Linux Install
- Easy Installation Scenario

4.1 Stopping Base Services When Upgrading

In Upgrading from Version 3.7.x on pages 67 and 71, it states:

    Do not stop Tivoli SecureWay Policy Director base services, such as the Management Server or Authorization Server. These components are required by the migration utility.

This is misleading. The Tivoli SecureWay Policy Director Authorization Server is optional. It is only required by the migration utility if it currently exists in the secure domain and you plan to migrate the server system to Version

4.2 Removing GSKit on a Windows Platform

In Uninstalling Tivoli SecureWay Policy Director, Version 3.8 on page 83, it shows you how to uninstall components and prerequisite software, including the IBM Global Security Toolkit (GSKit). However, uninstalling GSKit on Windows is not listed. To remove GSKit from your system, use the InstallShield uninstallation file on your system (IsUninst.exe) and enter the following command:

    isuninst -f c:\program files\ibm\gsk4\gsk4bui.isu

where c:\program files\ibm\gsk4\ is the fully-qualified path where the gsk4bui.isu file is located. Note that you cannot uninstall GSKit using the Add/Remove Programs icon (similar to other Tivoli SecureWay Policy Director components).

4.3 Correction to Upgrade Procedure

The following note pertains to the section Upgrading the Management Server to Version 3.8 on pages of the Tivoli SecureWay Policy Director Base Installation Guide.

In step 9, replace the second bullet with the following text:

    On AIX and Windows systems, it is not necessary to uninstall GSKit and the IBM SecureWay Directory client if you plan to install GSKit version in the same directory. On Windows systems, reboot the machine after updating the GSKit software.

4.4 Incorrect Package Name for LDAP Client on Linux Install

The following information pertains to the section Installing the IBM SecureWay Directory Client on Linux on page 45 of the Tivoli SecureWay Policy Director Base Installation Guide.

The note preceding step 1 contains an error in the name of the LDAP package that you must remove. The correct name is:

    nss_ldap

4.5 Easy Installation Scenario

Tivoli SecureWay Policy Director, Version 3.8, includes a new installation feature that makes setting up Tivoli SecureWay Policy Director workstations easier than ever before. With easy installation, you can now run a single program (UNIX shell script or Windows batch file) to create a Policy Director workstation. For example, run ezinstall_pdmgr to install and configure a management server, run ezinstall_authadk to set up a development workstation, or run ezinstall_pdrte to install a runtime client.

Easy installation automatically installs any prerequisites, lets you know what components are already installed, and prompts you for necessary configuration information. After you supply the information, the program installs and configures the software without further intervention.

Chapter 2, "Using Easy Installation," in the Tivoli SecureWay Policy Director Base Installation Guide shows you how to use the easy installation files, located in the root directory on the Tivoli SecureWay Policy Director CD for your particular platform.

The following scenario is an addendum to Chapter 2. It shows you how to set up LDAP server and management server workstations, thereby creating a secure domain. For descriptions of the configuration options used in this scenario, refer to Chapter 1 in the Tivoli SecureWay Policy Director Base Installation Guide.

Note that for the purpose of this scenario, the IBM SecureWay Directory server is installed as your LDAP server and Secure Sockets Layer (SSL) communication is enabled between the LDAP server and IBM SecureWay Directory clients.

1. To create a secure domain using easy installation, you must first install a supported LDAP server. For example, to install the IBM SecureWay Directory server and prerequisite software, run the ezinstall_ldap_server script. A window similar to the following is displayed, listing required products:

2. To start the installation process, press Enter and supply configuration information when prompted. To modify an option, enter its associated number. For example, to change the HTTP port in the following window, press 3 and then enter the port value that you want to use. To begin configuration, press y.

3. When prompted for IBM SecureWay Directory language files, choose the number of the language message files to install or press Enter to accept the default English language.

4. As products are installed, you are prompted for configuration information. For example, IBM SecureWay Directory server configuration options are as follows:

Note that descriptions of these configuration options are provided in Chapter 1 of the Tivoli SecureWay Policy Director Base Installation Guide.

5. After you have successfully completed installing the IBM SecureWay Directory server, you must set up a management server workstation. To do this, run the ezinstall_pdmgr file. A window similar to the following is displayed:

Note that if you plan to install the management server on the same workstation as the LDAP server, the ezinstall_pdmgr script detects that the IBM Global Security Toolkit and the IBM SecureWay Directory client products are already installed and configured.

6. Press Enter to start the installation process. You are prompted for a language file as shown. Choose the number of the language file to install or press Enter to accept the default English language.

7. Next, enter configuration options for the runtime environment package and then press y to begin configuration.

8. Continue to supply configuration information when prompted. For the purposes of this scenario, SSL is enabled and Policy Director client machines are able to download the CA certificate file. For example, options appear similar to the following:

9. When management server installation and configuration has completed, you are notified as follows:

10. Optionally, you can set up additional workstations in your secure domain. For example, you can do the following:

    - Run the ezinstall_pdrte file to install one or more runtime client workstations (without the management server).
    - Run the ezinstall_authadk script to install a development workstation with the authorization application development kit (ADK).
    - Run the ezinstall_pdacld script to set up an authorization server workstation.


More information

Lotus Learning Management System R1

Lotus Learning Management System R1 Lotus Learning Management System R1 Version 1.0.4 March 2004 Quick Install Guide G210-1793-00 Disclaimer THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILE

More information

Version 9 Release 0. IBM i2 Analyst's Notebook Premium Configuration IBM

Version 9 Release 0. IBM i2 Analyst's Notebook Premium Configuration IBM Version 9 Release 0 IBM i2 Analyst's Notebook Premium Configuration IBM Note Before using this information and the product it supports, read the information in Notices on page 11. This edition applies

More information

IBM Tivoli Identity Manager Authentication Manager (ACE) Adapter for Solaris

IBM Tivoli Identity Manager Authentication Manager (ACE) Adapter for Solaris IBM Tivoli Identity Manager Authentication Manager (ACE) Adapter for Solaris Version 5.1.3 First Edition (May 12, 2011) This edition applies to version 5.1 of Tivoli Identity Manager and to all subsequent

More information

Tivoli Access Manager for Enterprise Single Sign-On

Tivoli Access Manager for Enterprise Single Sign-On Tivoli Access Manager for Enterprise Single Sign-On Version 6.0 Authentication Adapter Installation and Setup Guide SC32-1999-00 Tivoli Access Manager for Enterprise Single Sign-On Version 6.0 Authentication

More information

IBM. Express Edition for Power Systems Getting Started. IBM Systems Director. Version 6 Release 3

IBM. Express Edition for Power Systems Getting Started. IBM Systems Director. Version 6 Release 3 IBM IBM Systems Director Express Edition for Power Systems Getting Started Version 6 Release 3 IBM IBM Systems Director Express Edition for Power Systems Getting Started Version 6 Release 3 Note Before

More information

Version 2 Release 2. IBM i2 Enterprise Insight Analysis Installing the components IBM SC

Version 2 Release 2. IBM i2 Enterprise Insight Analysis Installing the components IBM SC Version 2 Release 2 IBM i2 Enterprise Insight Analysis Installing the components IBM SC27-5091-00 Note Before using this information and the product it supports, read the information in Notices on page

More information

Installation and User s Guide

Installation and User s Guide Tivoli Data Protection for Informix Installation and User s Guide Version3Release7 SH26-4095-00 Tivoli Data Protection for Informix Installation and User s Guide Version3Release7 SH26-4095-00 Note Before

More information

IBM Tivoli Access Manager for e-business V6.1.1 Implementation

IBM Tivoli Access Manager for e-business V6.1.1 Implementation 000-039 IBM Tivoli Access Manager for e-business V6.1.1 Implementation Version 14.23 Topic 1, Volume A QUESTION NO: 1 What is included in the high level configuration document when WebSEAL clustering must

More information

HP StorageWorks Performance Advisor. Installation Guide. Version 1.7A

HP StorageWorks Performance Advisor. Installation Guide. Version 1.7A HP StorageWorks Performance Advisor Installation Guide Version 1.7A notice Copyright 2002-2004 Hewlett-Packard Development Company, L.P. Edition 0402 Part Number B9369-96068 Hewlett-Packard Company makes

More information

Version 11 Release 0 May 31, IBM Contact Optimization Installation Guide IBM

Version 11 Release 0 May 31, IBM Contact Optimization Installation Guide IBM Version 11 Release 0 May 31, 2018 IBM Contact Optimization Installation Guide IBM Note Before using this information and the product it supports, read the information in Notices on page 39. This edition

More information

One Identity Management Console for Unix 2.5.1

One Identity Management Console for Unix 2.5.1 One Identity Management Console for Unix 2.5.1 October 2017 These release notes provide information about the One Identity Management Console for Unix release. NOTE: This version of the One Identity Management

More information

Installation Guide. Tivoli Decision Support 2.0

Installation Guide. Tivoli Decision Support 2.0 Installation Guide Tivoli Decision Support 2.0 Tivoli Decision Support 2.0 Installation Guide (August, 1998) Copyright 1998 by Tivoli Systems, an IBM Company, including this documentation and all software.

More information

IBM. IBM i2 Analyze Deployment patterns and examples. Version 4 Release 1 SC

IBM. IBM i2 Analyze Deployment patterns and examples. Version 4 Release 1 SC IBM IBM i2 Analyze Deployment patterns and examples Version 4 Release 1 SC27-5091-00 Note Before using this information and the product it supports, read the information in Notices on page 25. This edition

More information

Readme File for Fix Pack 1

Readme File for Fix Pack 1 IBM Tivoli Workload Scheduler z/os Connector Readme File for Fix Pack 1 Version 8.5.1 IBM Tivoli Workload Scheduler z/os Connector Readme File for Fix Pack 1 Version 8.5.1 Note Before using this information

More information