IBM Security Access Manager Version 8.0.1 12 December 2014 Release information
Contents

Chapter 1. Documentation for getting started
Chapter 2. Upgrading to version 8.0.1
Chapter 3. What is new for this release
Chapter 4. APARs fixed in this release
Chapter 5. Product requirements
Chapter 6. Compatibility with earlier versions of the product
Chapter 7. Documentation updates for known limitations
Chapter 1. Documentation for getting started

The IBM Knowledge Center provides documentation that can help you get started with IBM Security Access Manager for Mobile and IBM Security Access Manager for Web.

Activating Security Access Manager for Mobile Version 8.0.1

IBM Security Access Manager for Mobile Version 8.0.1 is a new modification of the product available from Passport Advantage. You can use this distribution to either configure a new deployment or upgrade a previous version of the product.

1. If you are upgrading from a previous version of Security Access Manager for Mobile V8.0, be sure to review Chapter 2, Upgrading to version 8.0.1. If applicable, you must complete these steps before you configure the product.
2. See Product activations overview to review the features you can use when you activate Security Access Manager for Mobile.
3. Configure the appliance by using the instructions in Getting Started.
4. Complete initial setup of your Security Access Manager for Mobile deployment by following the instructions in Getting Started with Access Manager for Mobile.

Activating Security Access Manager for Web Version 8.0.1

IBM Security Access Manager for Web Version 8.0.1 is a new modification of the product available from Passport Advantage. You can use this distribution to either configure a new deployment or upgrade a previous version of the product.

1. If you are upgrading from a previous version of Security Access Manager for Web V8.0, be sure to review Chapter 2, Upgrading to version 8.0.1. If applicable, you must complete these steps before you configure the product.
2. See Product activations overview to review the features you can use when you activate Security Access Manager for Web.
3. Complete initial setup of your Security Access Manager for Web deployment by following the instructions in Initial configuration.

The Security Access Manager for Web product includes an optional application development kit (ADK), available for download. To install the ADK, see Application development kit installation.

See Administering Web Reverse Proxy for instructions on how to use the local management interface on the appliance to configure and administer Security Access Manager for Web.
Chapter 2. Upgrading to version 8.0.1

Complete this task to upgrade an existing installation to version 8.0.1.

Before you begin

Note: If you are installing the virtual appliance for the first time, download the .iso image and follow the installation instructions in:
• IBM Security Access Manager for Web Virtual Appliance Quick Start Guide
• IBM Security Access Manager for Mobile Virtual Appliance Quick Start Guide

Review the following tasks and complete the tasks that are appropriate to your environment before you begin the upgrade task:

Risk engine reports
Any risk engine reports that you generated before you begin the upgrade task are not preserved. Before you begin, export copies of the risk reports and save them locally by completing the following steps:
1. Log in to the local management interface.
2. Click Monitor Analysis and Diagnostics > Application Log Files.
3. Expand mga and select the risk reports to export.
4. Click Export and save the files.

Database failover in a cluster
For information about how the upgrade affects database failover in a cluster, see http://www.ibm.com/support/docview.wss?uid=swg21666968

Procedure

Choose one of the following upgrade methods and complete its steps:

Use the online update server

1. Ensure that the following conditions are met:
   • A valid license is installed on the appliance.
   • The appliance has network connectivity to the online update server.
   • If you are installing the upgrade to a cluster, prepare the cluster as follows:
     a. Log in to the local management interface.
     b. Select Manage System Settings > Cluster Configuration > General.
     c. Do not change the Primary Master setting.
     d. Remove the Secondary Master and other high-availability cluster member settings.
     e. Click Export and save the files.
     f. Wait for the cluster to synchronize.
     g. On the primary node, continue with the remaining steps to install the upgrade.
2. Log in to the local management interface.
3. Select Manage System Settings > Updates and Licensing > Available Updates.
4. Click Refresh.
5. Select the firmware update.
6. Click Install. The firmware update might take a long time to complete, depending on the bandwidth that is available to the appliance. After the update is successfully applied to the system, the appliance automatically restarts.
7. If you installed the upgrade on a cluster, complete the installation with the following steps:
   a. Repeat steps b. through f. on each appliance in the cluster.
   b. From the local management interface on the master node, update the cluster configuration to set the high-availability cluster members back to the settings you want.
   c. Wait for the cluster to synchronize. The firmware for each appliance in the cluster is now upgraded and the cluster is operational.

Use the local management interface for a single appliance not in a cluster

1. Download the .pkg file.
2. Log in to the local management interface.
3. Select Manage System Settings > Updates and Licensing > Available Updates.
4. Click Upload. The New Update window opens.
5. Click Select Update.
6. Browse to the .pkg file.
7. Click Open.
8. Click Save Configuration. The upload process might take several minutes.
9. Select the new firmware and click Install. The installation of the new firmware takes a few minutes to complete. After the update is successfully applied, the appliance restarts automatically.

Use the local management interface for a cluster of appliances

To upgrade a cluster configuration, you must change the cluster configuration temporarily before the upgrade so that changes can be written to the database.

1. Download the .pkg file.
2. Log in to the local management interface.
3. Select Manage System Settings > Cluster Configuration > General.
4. Do not change the Primary Master setting.
5. Remove the Secondary Master and other high-availability cluster member settings.
6. Click Export and save the files.
7. Wait for the cluster to synchronize.
8. Upload and install the firmware .pkg file on the primary node appliance. This step includes the automatic restart of the appliance.
9. Upload and install the firmware .pkg file on each appliance in the cluster, and restart each one.
10. From the local management interface on the master node, update the cluster configuration to set the high-availability cluster members back to the settings you want.
11. Wait for the cluster to synchronize. The firmware for each appliance in the cluster is now upgraded and the cluster is operational.

Use a USB drive (Only for upgrading a hardware appliance)

1. Download the .pkg file.
2. Copy the firmware update from the .pkg file to a USB flash drive. The flash drive must be formatted with a FAT file system.
3. Insert the USB flash drive into the hardware appliance.
4. Log in to the appliance console as admin or use Secure Shell.
5. Type updates and press Enter.
6. Type install and press Enter.
7. Select the following options:
   a. Select 1 for a firmware update.
   b. Select 1 to install the update from a USB drive.
   c. YES: to confirm that the USB drive is plugged into the appliance.
   d. <index> to select the appliance firmware from the list.
   e. YES: to confirm the update and start the update process.

Note: The firmware update takes a few minutes to complete and the appliance automatically restarts.

What to do next

• If you upgraded an IBM Security Access Manager for Web appliance, your appliance is ready to use.
• If you upgraded an IBM Security Access Manager for Mobile appliance, continue with Upgrade configuration.
Chapter 3. What is new for this release

IBM Security Access Manager for Mobile and IBM Security Access Manager for Web provide new features and extended functions for Version 8.0.1. The following sections detail the new features for Version 8.0.1.

• IBM Security Access Manager Version 8.0 and newer is not available as a software distribution. It is available only as a virtual or hardware-based appliance.
• Version 8.0.1 consists of two product releases:
  - IBM Security Access Manager for Mobile Version 8.0.1
  - IBM Security Access Manager for Web Version 8.0.1
  Each product contains the same code. The difference between the two product versions is the activation level license. The Mobile product provides a license to activate the Mobile features in the appliance. The Web product provides a license to activate the Web features in the appliance.
  After your initial deployment, if you decide that you want an additional activation level, you need only obtain the necessary license. You do not need to redeploy the product. For example, if you purchase and deploy IBM Security Access Manager for Web V8.0.1, and afterward decide to deploy the Mobile features, you need only obtain and install the Mobile license. You do not need to reload the code.
• Each Version 8.0.1 product is distributed on IBM Passport Advantage. You can use this version of the code to create a new deployment, or you can use it to update an existing deployment. This version contains the entire product and includes features added by prior versions and fix packs. You can deploy Version 8.0.1 without needing any prior 8.0 versions.
  You can use IBM Security Access Manager for Mobile Version 8.0.1 to update any of the following deployments:
  - IBM Security Access Manager for Mobile Version 8.0.0.5
  - IBM Security Access Manager for Mobile Version 8.0.0.4
  - IBM Security Access Manager for Mobile Version 8.0.0.3
  - IBM Security Access Manager for Mobile Version 8.0.0.1
  - IBM Security Access Manager for Mobile Version 8.0.0
  You can use IBM Security Access Manager for Web Version 8.0.1 to update any of the following deployments:
  - IBM Security Access Manager for Web Version 8.0.0.5
  - IBM Security Access Manager for Web Version 8.0.0.4
  - IBM Security Access Manager for Web Version 8.0.0.2
• Use the following links to review the features that are introduced with 8.0.1:
  - IBM Security Access Manager for Mobile Version 8.0.1
  - IBM Security Access Manager for Web Version 8.0.1
  - New features that are common to both IBM Security Access Manager V8.0.1 products
• Review the APARs that were fixed in 8.0.1.

IBM Security Access Manager for Mobile Version 8.0.1

This version contains the following updates for IBM Security Access Manager for Mobile:

• Validate username and password for the user registry
  A mapping rule method, isvalidusernamepassword, was added to support the validation of username and password. See OAuth 2.0 mapping rule methods.
• Generate an IBM_SECURITY_CBA_AUDIT_RTE audit record for a JavaScript event
  A mapping rule method, logauditevent, was added to generate an audit record. See OAuth 2.0 mapping rule methods.
• Import template file directories at the top level
  On the appliance, you can add a directory at the top level of the template files. See Modifying template files.
• IBM Knowledge Center documentation for Fiberlink MaaS360 PIPs
  See the following topics:
  - Policy information points
  - Fiberlink MaaS360 JavaScript PIP
  - Fiberlink MaaS360 PIP
  See the predefined attributes specific to Fiberlink MaaS360 PIPs under predefined attributes.

IBM Security Access Manager for Web Version 8.0.1

This version contains the following updates for IBM Security Access Manager for Web:

• Support for federated registries and basic user in the Registry Direct Java API
  You can add individual suffixes of multiple LDAP registries into the IBM Security Access Manager registry. Federated Active Directory suffixes are also supported. With basic user support, you can use native LDAP user accounts without importing them into Security Access Manager. See the Administration Java Classes Developer Reference.
• ICAP over an SSL connection
  The web reverse proxy on the appliance supports SSL connections in addition to TCP connections to the ICAP server. See Internet Content Adaptation Protocol (ICAP) Support and [ICAP:<resource>] stanza.
• Kerberos SSO multi-domain support
  Kerberos SSO support is extended to cover users on domains other than the domain on which WebSEAL and the resource services run. For more information about how to configure a custom user principal name (UPN), see the kerberos-user-identity stanza entry.
• Customized object names for authorization decisions
  You can customize the Security Access Manager object name, which is used in an authorization decision, based on the contents of the HTTP request. See HTTP transformation rules.
• Security Access Manager Runtime for Java platform-independent installation package
  You can download the Security Access Manager Runtime for Java installation package as a compressed file directly from the appliance. To install the runtime, extract the compressed file into your local directory. See Installing IBM Security Access Manager Runtime for Java.

New features that are common to both IBM Security Access Manager V8.0.1 products

• Account lockout
  If the failed login count for an account reaches a pre-configured threshold, authentication attempts against this account are not permitted for a pre-configured period. This feature prevents attackers from using brute force to try to determine the password of an account.
• Appliance events updates
  The Event Id and Event Descriptions that are displayed under Event Logs are updated. See Events that are generated by the events framework.
• Enhanced default security stance
  SSLv3 is disabled by default. Weak and Medium strength ciphers are disabled by default. In the local management interface:
  - The HTTP port is disabled by default.
  - The account lockout function provides better protection against attackers.
• Silent configuration
  You can silently configure a new virtual appliance by providing a metadata image that contains essential configuration data, such as network configuration for the M1 interface and the system policy. Such a metadata image can be created through the local management interface or manually with a text editor. See Silent configuration.
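The account lockout behaviour listed under the common new features, modelled as an added example (it is not IBM's code and not part of the original release notes). The threshold, the lockout period, the reset-on-success rule and all names are assumptions, and the login events are constructed.

```python
"""Threshold-based account lockout, replayed over constructed login events."""
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    threshold: int        # failed logins that trigger a lockout (assumed value)
    lockout_seconds: int  # how long further logins are refused (assumed value)
    _failures: dict = field(default_factory=dict, init=False, repr=False)
    _locked_until: dict = field(default_factory=dict, init=False, repr=False)

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Return 'locked', 'denied' or 'granted' for one login attempt."""
        unlock_at = self._locked_until.get(account)
        if unlock_at is not None:
            if now < unlock_at:
                # Refused before the password is looked at: a correct guess
                # made during the lockout period tells the attacker nothing.
                return "locked"
            # Lockout period elapsed: start counting again from zero.
            del self._locked_until[account]
            self._failures[account] = 0
        if password_ok:
            self._failures[account] = 0  # assumption: success resets the count
            return "granted"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.threshold:
            self._locked_until[account] = now + self.lockout_seconds
        return "denied"

    def max_guesses(self, window_seconds: int) -> int:
        """Upper bound on guesses actually evaluated per account in a window.

        Worst case: the attacker spends `threshold` guesses the instant each
        lockout expires, so one burst fits in every lockout period.
        """
        bursts = -(-window_seconds // self.lockout_seconds)  # ceiling division
        return self.threshold * bursts


def replay(policy, events):
    """Feed (time, account, password_ok) tuples through the policy in order."""
    return [policy.attempt(account, ok, t) for t, account, ok in events]


# Constructed sample: one guess every 10 s against "alice". The 8th guess
# (index 7) is the right password but arrives inside the lockout period.
SAMPLE_EVENTS = [(10.0 * i, "alice", i == 7) for i in range(10)]

if __name__ == "__main__":
    policy = LockoutPolicy(threshold=5, lockout_seconds=600)
    for event, outcome in zip(SAMPLE_EVENTS, replay(policy, SAMPLE_EVENTS)):
        print(event, outcome)
    print("guesses per account per day <=", policy.max_guesses(86400))
```

The bound from `max_guesses` is the figure to weigh against the password policy when choosing the threshold and lockout period.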
Chapter 4. APARs fixed in this release

Several APARs were fixed with this release of the product. For the latest list, see:

• Security Access Manager for Web: http://www.ibm.com/support/docview.wss?uid=swg21690842
• Security Access Manager for Mobile: http://www.ibm.com/support/docview.wss?uid=swg21690840
Chapter 5. Product requirements

You can view Software Product Compatibility Reports that list the system requirements and appliance specifications for the product. The reports provide current information about hardware and software support and requirements for IBM Security Access Manager.

• System requirements for hardware appliance:
  - Prerequisite software, including supported databases, user registries, and browsers
  - Appliance specifications such as disk size, memory, network ports, physical characteristics, and electrical and environmental parameters
• System requirements for the virtual appliance:
  - Supported hypervisors, databases, user registries, and browsers
  - Disk space and memory requirements for virtual images

Note: IBM Security Access Manager version 8.0.1 and later is not available as a software distribution. It is available only as a virtual or hardware-based appliance.

To view the reports, see:

• IBM Security Access Manager for Mobile System Requirements
• IBM Security Access Manager for Web System Requirements

The system requirements for the Web activation level include Application Development Kit support.
Chapter 6. Compatibility with earlier versions of the product

IBM Security Access Manager for Web V8.0 is compatible with previous versions of Security Access Manager for Web and Tivoli Access Manager for e-business.

The Version 8.0 policy server can communicate with some previous versions of IBM Security Access Manager for Web and Tivoli Access Manager for e-business. The following compatibility with earlier versions is supported:

• Policy server compatibility with servers in prior versions
• Compatibility with single sign-on targets
• Limited compatibility with earlier versions for session management

Policy server compatibility with servers in prior versions

The Version 8.0 policy server is compatible with prior releases of other servers, as specified in the following table.

Table 1. Compatibility with earlier versions of servers

Compatible servers: WebSEAL server, Authorization server, Web plug-ins
Compatible versions:
• Tivoli Access Manager for e-business, Version 6.1.1 and newer
• Security Access Manager for Web, Version 7.0 and newer

Version 8.0 interfaces are compatible with prior releases of the product, as specified in the following table.

Table 2. Compatibility with earlier versions of interfaces

Version 8.0 interfaces: C Administration, Java Administration, External Authentication
Compatible versions:
• Tivoli Access Manager for e-business, Version 6.1 and newer
• Security Access Manager for Web, Version 7.0 and newer

Version 8.0 interfaces: C Authorization, Java Authorization, Registry Direct
Compatible versions:
• Tivoli Access Manager for e-business, Version 6.1.1 and newer
• Security Access Manager for Web, Version 7.0 and newer

Compatibility with single sign-on targets

IBM Security Access Manager maintains compatibility with earlier versions for all single sign-on information that is sent over HTTP to applications behind WebSEAL junctions. Applications that are written to use single sign-on information that is supplied by previous versions of the product can use the same information that is provided by Version 8.0.

This compatibility applies to both custom applications and IBM applications such as the Trust Association Interceptor. The Trust Association interface is a service provider API that enables the integration of a third-party security service (for example, a reverse proxy) with WebSphere Application Server. Security Access Manager, version 8.0, is compatible with all versions of the Trust Association Interceptor.

Limited compatibility with earlier versions of session management

IBM Security Access Manager for Web Version 8.0 introduces the Distributed Session Cache. This component replaces the Session Management Server that was provided in previous releases of the product.

The following limitations apply to deployments that combine IBM Security Access Manager for Web, Version 8.0 with prior versions, such as IBM Security Access Manager for Web, Version 7.0.0:

• You cannot use both the Distributed Session Cache and the Session Management Server in the same deployment.
• The IBM Security Access Manager for Web Version 8.0 WebSEAL server cannot communicate with the Session Management Server.
• IBM Security Access Manager for Web Version 7.0.* WebSEAL server can communicate with the Distributed Session Cache in Version 8.0, but only if IBM Security Access Manager for Web Fix Pack 2 (Version 7.0.0.2) or newer is applied.
Chapter 7. Documentation updates for known limitations

You can view the known software limitations, problems, and workarounds on the IBM Security Access Manager for Mobile or IBM Security Access Manager for Web Support sites.

The Support site describes not only the limitations and problems that exist when the product is released, but also any additional items that are found after product release. As limitations and problems are discovered and resolved, the IBM Software Support team updates the online knowledge base. By searching the knowledge base, you can find workarounds or solutions to problems that you experience. Also, check the Troubleshooting topics.

Known limitations for Security Access Manager for Mobile

The following link launches a customized query of the live Support knowledge base for items specific to IBM Security Access Manager for Mobile, Version 8.0, and its fix packs.

IBM Security Access Manager for Mobile technical documents

You can also create your own search query on the IBM Support Portal. For example:

1. Go to the IBM Support Portal: http://www-947.ibm.com/support/entry/portal/support
2. In the "Search support and downloads" field, enter: Access Manager for Mobile.

Known limitations for Security Access Manager for Web

The following link launches a customized query of the live Support knowledge base for items specific to IBM Security Access Manager for Web, Version 8.0, and its fix packs.

IBM Security Access Manager for Web technical documents

You can also create your own search query on the IBM Support Portal. For example:

1. Go to the IBM Support Portal: http://www-947.ibm.com/support/entry/portal/support
2. In the "Search support and downloads" field, enter: Access Manager for Web.