Software Announcement
April 9, 2002

Operating Systems V3.8 Manages and Extends Access Control to UNIX and Linux Systems

Overview

Tivoli Access Manager for Operating Systems, previously a component of Tivoli Security Manager, is now available as a separate product. Version 3 Release 8 (V3.8) of IBM Tivoli Access Manager for Operating Systems includes enhanced security, helps save administrative time, and lets access management be delegated to suitable administrators.

Operating Systems V3.8 provides:

- Resource access control enforcement on UNIX (including Red Hat Linux) operating systems
- Significant access control enhancements over native UNIX and Red Hat Linux security
- Integration capability with IBM Tivoli Access Manager for e-business, and IBM's latest provisioning solution, IBM Tivoli Identity Director
- Controls that apply to all users, including root, to partition roles and rights
- Secure auditing
- Delegated administration through a Web interface
- A stand-alone program; no prerequisite on other IBM products
- Consistent policy definition across AIX, Solaris, HP-UX, and Red Hat Linux operating systems

Key Prerequisites

There are no prerequisites for Tivoli Access Manager for Operating Systems V3.8.
Planned Availability Date

April 26, 2002

At a Glance

Operating Systems V3.8 delivers:

- Access controls for a variety of security-sensitive resources (such as file systems, IP services, and the switching between IDs) and for every user in the system, including the UNIX super user (root)
- Tracking of sensitive files and programs with access restriction for unauthorized users
- Auditing capabilities which include forwarding audit events to the IBM Tivoli Enterprise Console and/or to IBM Tivoli Risk Manager
- Integration capability with IBM Tivoli Identity Director that provides role-based administration and centralized systems management of Tivoli Access Manager for Operating Systems V3.8
- Integration with IBM Tivoli Access Manager for e-business that allows re-use of user credential data
- Consistent policy definition across AIX, Solaris, HP-UX, and Red Hat Linux operating systems

For ordering, contact: Your IBM representative, an IBM Business Partner, or IBM Americas Call Centers at 800-IBM-CALL
Reference: YE001

This announcement is provided for your information only. For additional information, contact your IBM representative, call 800-IBM-4YOU, or visit the IBM home page at: http://www.ibm.com.

IBM United States
IBM is a registered trademark of International Business Machines Corporation.
202-088
Description

Tivoli Access Manager for Operating Systems V3.8 provides a security server engine for UNIX and Red Hat Linux systems. This engine provides security services to one or more users of a UNIX or Red Hat Linux system.

UNIX and Red Hat Linux operating systems often form the base of major applications, both internal and Web-based. Controlling access to these operating systems can be essential for ensuring high availability to these applications. However, conventional UNIX operating-system design requires a super user ID (usually a single predefined ID, also called a root user, with a unique level of privilege that allows bypass of standard UNIX security checks) for most administrative operations. This can open the UNIX platform to vulnerabilities as a super user gains access capabilities with few, if any, restrictions. Also, with the complexity of managing access to the UNIX operating system from multiple vendors, UNIX security can become as expensive as it is risk-laden. Tivoli Access Manager for Operating Systems V3.8 offers a policy-based solution with integration into the wider security and management portfolio offered by IBM.

Tivoli Access Manager for Operating Systems V3.8 is an access enforcement engine that extends standard UNIX security to add major access control capability for every user in the operating system. It intercepts system calls and uses the accessor information to make a policy decision on whether the access should proceed. This is achieved through standard hooks into the operating system that avoid the need for kernel re-compiles or complicated install mechanisms.

Once installed, Tivoli Access Manager for Operating Systems V3.8 can be switched on or off by an authorized user through a single command; or it can be operated in a warning mode where it does not enforce any policy, but tracks significant resources and logs all related access requests.
Secure logging helps ensure a reliable audit trail and the watchdog capability can provide extra protection for critical files and executables by restricting access if a change is made in an unauthorized manner.

UNIX and Red Hat Linux system access control is made difficult by the super user (root) administration model. A UNIX system requires a user to operate as a root user to perform privileged functions, but then provides no distinction between the kinds of privileged functions that a root user can perform. Many vulnerabilities in a UNIX system stem from attacks that result in a user gaining root access. Operating Systems V3.8 protects against this in two major ways:

- All access control capabilities can apply to the root user as well as to any other user
- Access control checks are performed based on the original ID with which a user or application gained entry to the system regardless of whether or not they have used the UNIX switch user command (su) to change to another ID

Applications provide their own level of access control. For example, a database application may provide table-level access controls. The ability to determine table-level access in a database is a commendable security measure, but it is ineffective if a root user can simply delete the file system on which the database resides. An unrestricted root user can also modify or destroy audit and other records that would otherwise show what had happened. Tivoli Access Manager for Operating Systems V3.8 can help prevent this kind of damage, whether malicious or accidental.

Tivoli Access Manager for Operating Systems V3.8 is based on IBM Tivoli Policy Director technology and provides a centralized administration server (known as the Access Manager management server).
The access control and user account repositories for Tivoli Access Manager for Operating Systems V3.8 are maintained in this secure Access Manager management server with data cached locally in a secure manner to help ensure optimum performance and reliability. Tivoli Access Manager for Operating Systems V3.8 is supported to interact with a V3.9 management server. It updates the Access Manager management server to V3.9.

Tivoli Access Manager for Operating Systems V3.8 can provide significant performance improvements over previous IBM Tivoli UNIX solutions through a multi-threaded design. It can also utilize integration capability with IBM Tivoli Identity Director to manage UNIX system access control in a role-based environment alongside other operating systems and applications.

UNIX operating system resources that can be protected are defined by resource types such as File, NetOutgoing, NetIncoming, Login, Surrogate, and TCB. A policy can also be set to enhance the security of the login process. For example, Tivoli Access Manager for Operating Systems V3.8 can lock out a user after multiple login failures due to a bad password.

The IBM Tivoli Policy Director management server represents the core technology for IBM Tivoli security products. This sophisticated and versatile security server provides access control implementations for many environments. Examples include Web traffic, IBM MQSeries messaging, and securing custom applications through the publication of an industry-standard Application Programming Interface (API). All components of the management server and the Web GUI required to manage Operating Systems V3.8 are included in Tivoli Access Manager for Operating Systems V3.8.

Migration

If you are licensed for Tivoli Security Manager and your IBM Tivoli Support or Passport Advantage Software Maintenance contract is current, you are entitled to migrate to Tivoli Access Manager for Operating Systems V3.8, at no charge.
The migration must be completed by September 30, 2002, and it is for the environment that is currently licensed only. Once you migrate to Tivoli Access Manager for Operating Systems V3.8, Software Maintenance must remain in effect for entitlement to updates for Tivoli Access Manager for Operating Systems V3.8. If there is a lapse in Software Maintenance, you must order Software Maintenance after license to again be entitled to updates.

If you have IBM Tivoli Support or Passport Advantage Software Maintenance in effect, and have not yet migrated to Tivoli Access Manager for Operating Systems V3.8, you are entitled to updated code for IBM Tivoli Access Manager for Operating Systems V3.8 as it becomes available.

You are entitled to use all components of Tivoli Access Manager for Operating Systems V3.8 to the extent covered in your current licensing. For example, if you have acquired Tivoli Management Points for Tivoli Security Manager and you are current on your Tivoli Support or Passport Advantage Software Maintenance, you are entitled to use all components of Tivoli Access Manager for Operating Systems V3.8 under the existing IBM Tivoli terms and conditions of your Tivoli Security Manager licensing.
If you are licensed for Tivoli Security Manager but do not have a current IBM Tivoli Support or Passport Advantage Software Maintenance contract in effect at the time of withdrawal of IBM Tivoli Support and Passport Advantage Software Maintenance for Tivoli Security Manager, you will have to acquire a license for Tivoli Access Manager for Operating Systems to be entitled to updates.

Note: Tivoli Security Manager will be withdrawn from ordering effective May 9, 2002, and related Tivoli Support feature numbers and Passport Advantage Software Maintenance part numbers for these products will be withdrawn from ordering effective September 30, 2002. Refer to Withdrawal Announcement 902-083, dated April 9, 2002.

Euro Currency

This program is not impacted by euro currency.

Reference Information

Refer to:

- Software Announcement 201-272, dated September 25, 2001
- Software Announcement 202-088, dated April 9, 2002

Trademarks

Tivoli is a registered trademark of International Business Machines Corporation or Tivoli Systems Inc. in the United
UNIX is a registered trademark of the Open Company in the United States and other countries.
Tivoli Enterprise is a trademark of International Business Machines Corporation or Tivoli Systems Inc. in the United
AIX and MQSeries are registered trademarks of International Business Machines Corporation in the United
Other company, product, and service names may be trademarks or service marks of others.
IBM US Announcement Supplemental Information
April 9, 2002

Education Support

Training is available for many IBM Tivoli products. Education is offered through IBM Education and Training, and through IBM Tivoli Systems. Worldwide information about education offerings is available on the IBM Education and Training home page at:
http://www.training.ibm.com

For current information on IBM Tivoli Systems education, call 512-436-8000, or visit the IBM Tivoli Systems home page at:
http://www.tivoli.com/services/education

Offering Information

Product information will be available on day of announcement through Offering Information (OITOOL) at:
http://www.ibm.com/common/ssi
and through the Passport Advantage Web site at:
http://ww.ibm.com/software/passportadvantage

Publications

One copy of the following publication will be supplied with the basic machine-readable material in English and translated languages:

Title                                                             Order
Tivoli Policy Director for Operating Systems V3.8 README First    GI11-0896

The following publications are included in English and translated languages in displayable softcopy form on a CD-ROM shipped with the product on the planned availability date.

- Tivoli Policy Director for Operating Systems V3.8 Administration Guide
- Tivoli Policy Director for Operating Systems V3.8 Installation Guide
- Tivoli Policy Director for Operating Systems V3.8 Release Notes

Note: Operating Systems V3.8 includes the e-business management server and the IBM Tivoli Access Manager for e-business Web portal manager. The documentation for the management server and for the Web portal manager is also included, in U.S. English, on the product CD-ROMs and can be downloaded in other languages from the Web site shown below.
The publications listed below can be downloaded in English in softcopy from the following Web site on the planned availability date:
http://www.tivoli.com/support/documents

Title                                                                     Order        Language
Tivoli Policy Director for Operating Systems V3.8 Administration Guide    GC32-0795    English
Tivoli Policy Director for Operating Systems V3.8 Installation Guide      GC32-0796    English
Tivoli Policy Director for Operating Systems V3.8 Release Notes           GI11-0885    English

Technical Information

Specified Operating Environment

Hardware Requirements: Hardware platforms supporting the operating systems at the software levels stated in the Software Requirements section.

Software Requirements: Operating Systems V3.8 runs on the following operating systems:

- AIX 4.3.1, 4.3.2, 4.3.3, or 5.1
- HP-UX 11.0 or 11i
- Solaris 2.6, 2.7, or 2.8
- Red Hat Linux uniprocessor or multiprocessor 6.2 (2.2.14-5.0 or 2.2.19-6.2.7 kernel) or 7.1 (2.4.2-2 kernel)

Note: Operating Systems V3.8 includes the e-business management server. At least one management server is required in an IBM Tivoli Access Manager for Operating Systems V3.8 implementation.

The e-business management server runs on the following operating systems:

- AIX 4.3.3
- Solaris 2.7 or 2.8
- HP-UX 11
- Windows NT 4.0
- Windows 2000 Advanced Server with Service Pack 1

The Web portal manager (which provides a Web management interface) is a Web server-based application that runs on the following Web servers:

- Windows NT 4.0
- Windows 2000 Advanced Server with Service Pack 1
Planning Information

Packaging: Operating Systems V3.8 is distributed with:

- International Program License Agreement (Z125-3301)
- License Information document (GC23-4479)
- CD-ROMs
- Publications (refer to the Publications section)

Security, Auditability, and Control

Operating Systems V3.8 relies on the security and auditability features of the operating system software. The customer is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communication facilities.

Ordering Information

Passport Advantage Customer: Media Pack Entitlement Details

Customers with active maintenance or subscription for Tivoli SecureWay Security Manager are entitled to receive the following media pack.

Media Pack Description                           Part
Operating Systems V3.8 Media Pack Multi-lingual  BJ03DML

New Licensees

Orders for new licenses will be accepted now. Shipment will begin on the planned availability date.

Basic License

Ordering Information for Passport Advantage: Passport Advantage allows you to have a common anniversary date for Software Maintenance renewals, which can simplify management and budgeting for eligible new versions and releases (and for related technical support) for your covered products. The anniversary date, established at the start of your Passport Advantage Agreement, recurs on an annual basis while your Passport Advantage Agreement remains in effect. However, regardless of when Software Maintenance is acquired, the coverage period for Software Maintenance is always up to the anniversary date specified in the acquisition.

Refer to the IBM International Passport Advantage Agreement and to the IBM Software Maintenance Handbook for specific terms relating to, and a more complete description of, technical support provided through Software Maintenance.

The quantity to be specified for the Passport Advantage part numbers in the following table is per processor.
To order for Passport Advantage, specify the desired part number and quantity.

Description                                                                 Part
Operating Systems License and Software Maintenance 1st Anniversary          D512TLL
Operating Systems License and Software Maintenance 2nd Anniversary          D512ULL
Operating Systems Software Maintenance Renewal to Anniversary Date          E009QLL
Operating Systems Software Maintenance after License to Anniversary Date    D512VLL

To order a media pack for Passport Advantage, specify the part number in the desired quantity from the following table:

Description                                      Part
Operating Systems V3.8 Media Pack Multi-lingual  BJ03DML

In addition, Operating Systems V3.8 is available for download from Passport Advantage on April 26, 2002.

Ordering Information for 5698-PDO: To order a basic license, specify the program number and the feature number of the desired distribution medium. Also, specify the one-time charge feature number in the quantity desired (maximum quantity of 250).

The quantity to be specified for the features in the following table is per processor.

Use the following table to order the program products listed below:

                                                                 Processors
Product    Product Name                                          Qty 1    Qty 250
5698-PDO   IBM Tivoli Access Manager for Operating Systems V3.8  2803     2804

This software license includes Software Maintenance, previously referred to as Software Subscription and Technical Support.

Extending coverage for a total of three years from date of acquisition may be elected. Order the program number, feature number, and quantity to extend coverage for your software licenses. If maintenance has expired, specify the after license feature number.
Operating Systems V3.8

Maintenance IASP PID 1 Year: 5698-DO1

Use authorizations (to be ordered in quantity):

Description                                    Qty 1    Qty 250
Software Maintenance No Charge Registration    2845     2846
Software Maintenance 1 Year Renewal            2795     2796
Software Maintenance 1 Year After License      2797     2798

Maintenance IASP PID 3 Year: 5698-DO3

Use authorizations (to be ordered in quantity):

Description                                    Qty 1    Qty 250
Software Maintenance 3 Year Registration       2789     2790
Software Maintenance 3 Year Renewal            2791     2792
Software Maintenance 3 Year After License      2793     2794

Software Maintenance

Software Maintenance is included with each product authorization acquired. Software Maintenance provides an easy and effective way by which you have access, during the coverage period, to eligible new versions and releases and to remote technical support for your covered products. The technical support included in Software Maintenance provides remote support during normal business hours in your country or location as well as access to escalation management 24 hours a day, 7 days a week, for mission-critical (severity 1) problems.

With Software Maintenance, you receive the following technical support benefits:

- Telephone access and/or electronic access via the Web to an IBM Customer Support Center.
- Support for routine, short duration installation and usage (how-to) questions and code-related problems.
- Support during normal country business hours; namely, prime shift hours, Monday through Friday, excluding national or statutory holidays.
- Support for mission-critical (severity 1) problems during non-prime shift hours; namely, all hours outside normal country business hours including national and/or statutory holidays.
- Two hour response time objective during prime shift for voice and electronic submission. The response objective for critical/emergency problems during offshift is also two hours.
- Access to hints, tips, and frequently asked questions.
- Access to escalation management 24 hours a day, 7 days a week.
- Open Authorized Technical Caller list to submit problems to IBM Support Centers on your behalf. Open to any number of technical specialists within your IS organization. Each caller must be registered through the IBM problem submission Web site in order to submit problems. Problem submission is handled by the Site Technical Contact as listed on the Passport Advantage enrollment form.

ecare for Software is an initiative designed to enhance your electronic support experience by providing the following advantages:

- Single view of IBM distributed software that includes easy/integrated access to the following information and functions:
  -- Marketing
  -- Technical
  -- Developer
  -- Business Partner
  -- IBM Services
  -- Downloads
  http://www.ibm.com/software/support
- Comprehensive electronic (via the Web) self-help capabilities available 24 hours a day, 7 days a week
- Advanced search capabilities
- A single interface to the IBM problem submission/management system for IBM distributed software

Software Maintenance renewals offer you favorable pricing to continue your coverage without interruption.

Basic Machine-Readable Material: The distribution media features in the following table apply to program numbers 5698-PDO, 5698-DO1, and 5698-DO3. To order, select the distribution medium feature for the desired program number.

Language    Distribution Medium: CD-ROM
English     5809

Terms and Conditions

Agreement: For orders under 5698-PDO: IBM International Program License Agreement (IPLA), IBM International Agreement for Acquisition of Programs and Support (IIAAPS) and the IBM Attachment for Support, IBM Agreement for Acquisition of Support (IAAS), IBM Addendum for Support (Software Maintenance) for Selected Programs (Z125-6495), and an Order Form.
For orders under Passport Advantage: IBM International Program License Agreement (IPLA), IBM International Passport Advantage Agreement (PAA), and an IBM International Passport Advantage Agreement Enrollment Form.

Transferable: Yes, except for programs acquired at a discount or allowance

Limited Warranty Applies: Yes

Guarantee: 30 day money-back guarantee

Usage Restriction: Yes. Usage is limited to the quantity of processors licensed.

Volume Offering (IVO): No

Upgrade Protection Applies: Covered as long as Software Maintenance is in effect

Educational Allowance Available: Yes, 15% to qualified education institution customers.

Licensed Program Materials Availability:

- Restricted Materials of IBM: None
- Non-Restricted Source Materials: None
- Object Code Only (OCO): All

Maintenance Applies:

- Software Maintenance under Passport Advantage: Yes
- Software Maintenance for IBM Tivoli products: Yes

Complementary Introductory Support: Not available

Program Services and End of Support: Program services for an IBM Tivoli program are one year from the date IBM or your Business Partner makes the program available to you. The program services duration period shall be less than one year for programs acquired after the announcement of a program's end-of-support (EOS) date. EOS for programs or versions/releases of programs will be announced 12 months prior to the effective date.

Software Maintenance for IBM Tivoli Products and Passport Advantage Support Center applies: Yes. Access is available through the IBM Support Center, 800-237-5511.

Support Web Site for Problem Reporting: http://www.tivoli.com/support/reporting

Availability of Software Maintenance: The first year of Software Maintenance is included with the license at no additional charge. The first year starts when the product is shipped to the customer. For a fee, Software Maintenance can be extended until 3 years from the date of license acquisition.
Software Maintenance is available for a 1 year and 3 year renewal for a fee as part of the IAAS, IIAAPS, or any equivalent agreement.

Availability of Passport Advantage Software Maintenance: Passport Advantage Software Maintenance is provided at no additional charge for each eligible program acquired until the first anniversary date. For an additional fee, a license can be acquired with maintenance to the second anniversary date. Passport Advantage Software Maintenance is provided for renewal for a fee at each anniversary date. Customers who do not renew their Software Maintenance will have to purchase the Maintenance after License option to renew their maintenance agreement when they require a new level of software code or remote technical support.

Software Maintenance and Passport Advantage Software Maintenance are available until:

- Twelve months after announcement of product discontinuance (that is, end of life (EOL))

Software Maintenance and Passport Advantage Software Maintenance are applicable to:

- The current release
- The immediate previous release for twelve months after the general availability of the current release

APAR Mailing Address:
Tivoli Systems Inc.
11400 Burnet Road
Austin, TX 78758
Attention: Product Development

IBM Operational Support Services Support Line: No

Product Web Site: A complete list of products, terminology definitions, and licensing documents is available at the following Web site:
http://www.tivoli.com/products/licensing

Prices

Contact your IBM representative for price information for this announcement.

Order Now

Use Priority/Reference Code: YE001

Phone:     800-IBM-CALL
Fax:       800-2IBM-FAX
Internet:  ibm direct@vnet.ibm.com
Mail:      IBM Atlanta Sales Center
           Dept. YE001
           P.O. Box 2690
           Atlanta, GA 30301-2690

You can also contact your local IBM Business Partner or IBM representative. To identify them, call 800-IBM-4YOU.

Note: Shipments will begin after the planned availability date.

Trademarks
Tivoli is a registered trademark of International Business Machines Corporation or Tivoli Systems Inc. in the United
AIX and SecureWay are registered trademarks of International Business Machines Corporation in the United
Windows NT and Windows are registered trademarks of Microsoft Corporation.
Other company, product, and service names may be trademarks or service marks of others.