IBM Tivoli Access Manager for e-business
Release Notes
Version 5.1
GI11-4156-00

Note: Before using this information and the product it supports, read the information in Appendix B, “Notices,” on page 53.

First Edition (November 2003)

This edition applies to version 5, release 1, modification 0 of IBM Tivoli Access Manager (product number 5724-C08) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 1999, 2003. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface
  Who should read this book
  What this book contains
  Publications
  Release information
  Base information
  Web security information
  Developer references
  Technical supplements
  Related publications
  Accessing publications online
  Accessibility
  Contacting software support
  Conventions used in this book
  Typeface conventions
  Operating system differences
Chapter 1. About this release
  CD distribution
  Software download page for IBM Tivoli Access Manager
Chapter 2. System requirements
  Supported registries
  IBM Tivoli Directory Server
  IBM Security Server for OS/390
  IBM z/OS Security Server LDAP Server
  Lotus Domino
  Microsoft Active Directory
  Netscape iPlanet and Sun ONE Directory Server
  Novell eDirectory
  Disk space and memory requirements
  Tivoli Access Manager Base components
  Tivoli Access Manager Web Security components
  Supported platforms, including required patches
  Backward compatibility
  Hardware acceleration card support
Chapter 3. Known problems and workarounds
  Considerations before installation
  Installation wizard fails on Windows 2003 server with Active Directory (44369)
  Installation wizard does not provide SSL option for Plug in for Web Servers for an LDAP server (44336)
  Installation wizard fails on a multi-domain Active Directory system (44046)
  Tivoli Access Manager requires minimum JRE level of 1.3.1.5 on AIX (41082)
  JDK 1.3.1 failing on Red Hat Enterprise Linux 3 when using the installation wizard (40973, 43956)
  Access Manager Runtime component must be installed before you can install Tivoli Access Manager Java runtime environment javadocs (43895)
  Web Portal Manager configuration requires IBM Java Runtime Environment 1.3.1 (44178)
  Default ports used in WebSphere Application Server installations (44432)
  Upgrading an existing WebSEAL installation might overwrite libcdmf.* files (44079)
  Considerations during installation
  Installation wizard fails on Red Hat Enterprise Linux 3.0 for zSeries (42163)
  Java Runtime Environment cannot be located during installation on Windows 2000 (43948)
  Configuration of the policy server fails after reboot during use of installation wizard (43906)
  Double-byte recorded response files for installation wizard contain corrupted text (37601, 39896, 43907)
  Exception error displayed when installing Web Portal Manager on Windows using installation wizard (44045)
  Removing the ibmjcaprovider.jar file during installation (44323)
  Using Microsoft Active Directory
  Avoid special characters in Active Directory names
  Enable ″File and Sharing″ when using Active Directory
  Configuration of the policy server might create a user with a password that is too weak for use with Windows 2003 Active Directory (43908)
  Active Directory data incompatible after switching from a single domain to a multi-domain on a Windows 2000 platform (36389)
  Using iPlanet Directory Server or Sun ONE Directory Server
  Modifying iPlanet registry look-through limit (14785)
  Error appears when protecting iPlanet administration server
  pdunconfig does not completely clean up on Sun ONE Directory Server 5.2 (40621)
  Using Web Portal Manager
  Browse the Web Portal Manager GUI from AIX 5.1
  Do not configure a policy proxy server using default timeout values (30100 and 30128)
  Authentication slows down when the ACL cache is enabled (29961)
  Web Portal Manager can only be configured to the Default domain (43847)
  Using WebSEAL
  Expired password in Active Directory (AD_LDAP) might prevent WebSEAL authentication (43684)
  Global server ID certificates do not work correctly (IY30623, IY21308)
  Improving SSL encryption performance in WebSEAL on Solaris (43387)
  WebSEAL on Red Hat Linux 3.0 crashes during a junction delete operation
  Error messages displayed after removing WebSEAL from a Linux platform (44078)
  Error messages incorrectly refer to ″session inactivity timestamp″ (44086)
  The help message for server task remove is incorrect (44083)
  No error message for failover cookie update failure (44084)
  Certificate login prompt displayed inappropriately (44088)
  BASE HREF tags not preserved when missing the trailing slash (44090)
  WebSEAL help messages incomplete (44095)
  WebSEAL error messages for the wsadmin library are missing from the message catalogs (44100)
  Incorrect error code displayed when a container cannot be found during AMWebARS request (44134)
  WebSEAL might crash if the Active Directory server is unavailable or slow to respond (44386)
  WebSEAL fails to authenticate (44082)
  Using Plug-in for Web Servers
  Redirected URL not displayed in Internet Explorer address field (37028)
  Recorded option files in multi-byte languages display corrupted text in the explanatory field (39896)
  Dynamically generated hidden fields not passed by Forms Single Sign-On (39924)
  Use of non-default user identities with application pools on a Windows Domain Controller causes service unavailable errors (42351)
  SPNEGO behavior differs depending on where the browser is operating from within the Active Directory Domain (41078)
  Modifying the pdwebpi.conf file before upgrading the Microsoft IIS Plug-in (44361)
  Relative URLs on Web Page not returned with request (44209)
  Cancelled certificate authentication might result in timeout when using Apache Web Server (44273, 44286)
  Using IBM Tivoli Directory Server
  Using IBM Tivoli Directory Server Version 5.2 on Linux for zSeries (44406)
  Tivoli Access Manager server unresponsive if Directory Server is restarted while pdadmin is running (43951)
  Using Tivoli Access Manager
  If using SSL, all LDAP servers and replicas must be enabled (18832)
  Object might not be deleted after pdadmin object delete command (27173)
  Password expiration time cannot be changed while the daemon is running (24411)
  Upgrading policy server using two systems only supported with LDAP (28114)
  Policy server and authorization server do not start on Windows after pipe logging enabled (IY34142)
  Existing Java applications need a patch to interoperate with Tivoli Access Manager Version 5.1 (24996)
  Policy Director applications on Solaris must be recompiled
  Use of multiple network interface aliases on AIX
  IBM HTTP Server reauthentication limitation with directory indexing (19559)
  HTTP redirection affects reauthentication behavior (20633, 20631, 20735)
  Sample tutorial for Tivoli Access Manager for WebSphere Application Server might not work on HP-UX (28015)
  BEA WebLogic Server can run out of heap space
  Configuration of policy server might fail after installation of Microsoft Security updates (43306)
  Microsoft Internet Explorer specifies an incorrect value for the Host header on redirects (43398)
  Use of the authorization server (pdacld) as an authentication enforcement server (43511)
  Home directories are not automatically deleted when Tivoli Access Manager for WebSphere Application Server is uninstalled using Windows Add or Remove Programs function (43612)
  Tivoli Access Manager Java runtime environment successfully configures even when an invalid domain name is entered during installation or configuration (43896)
  Erroneous error message during uninstallation of Tivoli Access Manager runtime environment (43904)
  Tivoli Access Manager might not recognize suffixes added after starting the daemons (43933)
  Incorrect error message displayed for SvrSslCfg error (43701)
  After configuring Tivoli Access Manager on SuSE Linux Enterprise Server 8, the policy server (pdmgrd) and the authorization server (pdacld) fail to start (36687, 37558)
  Tivoli Access Manager for WebSphere Application Server migration tool might fail to migrate application (28418)
  Migration tool error with WebSphere Application Server (21935)
  The migration tool fails when using a Tivoli Access Manager domain other than the default domain (43748)
  Migration tool incorrectly reports successful migration of ACLs (44245)
  Migration tool incorrectly reports successful migration of policy (44410)
  Warning messages displayed when using the pdbackup command on a UNIX-based platform (44285)
  jlog.properties file not created when using pdwascfg (44410)
  Startup of WebSphere Application Server fails Linux on zSeries (44540)
  NoSuchMethodErrors might be generated when running Java applications compiled against previous versions of Tivoli Access Manager
Chapter 4. Internationalization notes
  Known problems and workarounds
  Configuration change needed on some internationalized versions of Red Hat Linux 7.1
  Group name might be truncated on DBCS systems using Active Directory (44415, 44312)
  Japanese locale and language setting supported on Linux systems
  Considerations when using certain locales on Linux systems
  Some text appears incorrectly in installation wizard (28420, 28422)
  Resizing installation wizard panels could result in truncated text (28453)
  LANG variable used with Windows overrides locale setting in Control Panel
  Command output displayed using wrong code page on Windows systems (26899)
  Avoid non-ASCII characters in server names (26985)
  Reconfiguration of Web Portal Manager requires reinstallation of language packages (IY32306)
  Fonts necessary to display characters correctly in Java (IY31894)
  Policy server fails to start on AIX boot (12584)
  Double-byte recorded response files for installation wizard contain corrupted text (37601, 39896, 43907)
  Recorded option files in multi-byte languages display corrupted text in the explanatory field (39896)
  Installation wizard for the Plug-in for Web Servers fails on a German Windows system (44565)
  Apostrophes are not displayed correctly when using the installation wizard in French (44080)
  Garbled text in installation wizard when installing BEA WebLogic Server (44219, 44398)
  After configuring Tivoli Access Manager on SuSE Linux Enterprise Server 8, the policy server (pdmgrd) and the ACL server (pdacld) fail to start (36687, 37558)
Chapter 5. Known documentation updates
  IBM Tivoli Access Manager Upgrade Guide
  IBM Tivoli Access Manager Base Administration Guide
  IBM Tivoli Access Manager for e-business Authorization C API Developer Reference
  IBM Tivoli Access Manager for e-business Administration C API Developer Reference
Appendix A. Tips for building Tivoli Access Manager applications on Linux
Appendix B. Notices
  Trademarks

Preface

Welcome to the IBM® Tivoli® Access Manager for e-business Release Notes. This document contains new and revised technical information for IBM Tivoli Access Manager for e-business, Version 5.1.

Tivoli Access Manager is the base software that is required to run applications in the IBM Tivoli Access Manager product suite. It enables the integration of IBM Tivoli Access Manager applications that provide a wide range of authorization and management solutions. Sold as an integrated solution, these products provide an access control management solution that centralizes network and application security policy for e-business applications.

Note: IBM Tivoli Access Manager is the new name of the previously released software entitled Tivoli SecureWay® Policy Director. Also, for users familiar with the Tivoli SecureWay Policy Director software and documentation, the management server is now referred to as the policy server.

IBM Tivoli Access Manager for e-business is a complete authorization solution for corporate Web, client/server, MQSeries®, and existing legacy applications. Tivoli Access Manager authorization allows an organization to securely control user access to protected information and resources. You use Tivoli Access Manager in conjunction with standard Internet-based applications to build highly secure and well-managed network-based applications.

Internal defect numbers often appear in the titles of release note items relating to software problems and workarounds.

Attention: Release notes are not updated after they have been translated. For known product defects, limitations, and workarounds found after the release of this document, see the TechNotes Web site.

Who should read this book

This guide is for system administrators responsible for the installation, deployment, and administration of Tivoli Access Manager. Readers should be familiar with the following:
- UNIX® operating system
- Internet protocols, including HTTP, TCP/IP, FTP, Telnet, SSL
- Security management
- Authentication
- Authorization
- IBM Tivoli Access Manager Base
- Lightweight Directory Access Protocol (LDAP) and directory services

What this book contains

This book contains the following sections:
- Chapter 1, “About this release,” on page 1
- Chapter 2, “System requirements,” on page 5
- Chapter 3, “Known problems and workarounds,” on page 21
- Chapter 4, “Internationalization notes,” on page 45
- Chapter 5, “Known documentation updates,” on page 49

Publications

Review the descriptions of the Tivoli Access Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.

Additional information about the IBM Tivoli Access Manager for e-business product itself can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/

The Tivoli Access Manager library is organized into the following categories:
- “Release information”
- “Base information”
- “Web security information” on page ix
- “Developer references” on page ix
- “Technical supplements” on page x

Release information

- IBM Tivoli Access Manager for e-business Read This First (GI11-4155-00)
  Provides information for installing and getting started using Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business Release Notes (GI11-4156-00)
  Provides late-breaking information, such as software limitations, workarounds, and documentation updates.

Base information

- IBM Tivoli Access Manager Base Installation Guide (SC32-1362-00)
  Explains how to install and configure the Tivoli Access Manager base software, including the Web Portal Manager interface. This book is a subset of IBM Tivoli Access Manager for e-business Web Security Installation Guide and is intended for use with other Tivoli Access Manager products, such as IBM Tivoli Access Manager for Business Integration and IBM Tivoli Access Manager for Operating Systems.
- IBM Tivoli Access Manager Base Administration Guide (SC32-1360-00)
  Describes the concepts and procedures for using Tivoli Access Manager services. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin command.

Web security information

- IBM Tivoli Access Manager for e-business Web Security Installation Guide (SC32-1361-00)
  Provides installation, configuration, and removal instructions for the Tivoli Access Manager base software as well as the Web Security components. This book is a superset of IBM Tivoli Access Manager Base Installation Guide.
- IBM Tivoli Access Manager Upgrade Guide (SC32-1369-00)
  Explains how to upgrade from Tivoli SecureWay Policy Director Version 3.8 or previous versions of Tivoli Access Manager to Tivoli Access Manager Version 5.1.
- IBM Tivoli Access Manager for e-business WebSEAL Administration Guide (SC32-1359-00)
  Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.
- IBM Tivoli Access Manager for e-business IBM WebSphere® Application Server Integration Guide (SC32-1368-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with IBM WebSphere® Application Server.
- IBM Tivoli Access Manager for e-business IBM WebSphere Edge Server Integration Guide (SC32-1367-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with the IBM WebSphere Edge Server application.
- IBM Tivoli Access Manager for e-business Plug-in for Web Servers Integration Guide (SC32-1365-00)
  Provides installation instructions, administration procedures, and technical reference information for securing your Web domain using the plug-in for Web servers.
- IBM Tivoli Access Manager for e-business BEA WebLogic Server Integration Guide (SC32-1366-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with BEA WebLogic Server.
- IBM Tivoli Access Manager for e-business IBM Tivoli Identity Manager Provisioning Fast Start Guide (SC32-1364-00)
  Provides an overview of the tasks related to integrating Tivoli Access Manager and Tivoli Identity Manager and explains how to use and install the Provisioning Fast Start collection.

Developer references

- IBM Tivoli Access Manager for e-business Authorization C API Developer Reference (SC32-1355-00)
  Provides reference material that describes how to use the Tivoli Access Manager authorization C API and the Tivoli Access Manager service plug-in interface to add Tivoli Access Manager security to applications.
- IBM Tivoli Access Manager for e-business Authorization Java™ Classes Developer Reference (SC32-1350-00)
  Provides reference information for using the Java™ language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
- IBM Tivoli Access Manager for e-business Administration C API Developer Reference (SC32-1357-00)
  Provides reference information about using the administration API to enable an application to perform Tivoli Access Manager administration tasks. This document describes the C implementation of the administration API.
- IBM Tivoli Access Manager for e-business Administration Java Classes Developer Reference (SC32-1356-00)
  Provides reference information for using the Java language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.
- IBM Tivoli Access Manager for e-business Web Security Developer Reference (SC32-1358-00)
  Provides administration and programming information for the cross-domain authentication service (CDAS), the cross-domain mapping framework (CDMF), and the password strength module.

Technical supplements

- IBM Tivoli Access Manager for e-business Command Reference (SC32-1354-00)
  Provides information about the command line utilities and scripts provided with Tivoli Access Manager.
- IBM Tivoli Access Manager Error Message Reference (SC32-1353-00)
  Provides explanations and recommended actions for the messages produced by Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business Problem Determination Guide (SC32-1352-00)
  Provides problem determination information for Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business Performance Tuning Guide (SC32-1351-00)
  Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Tivoli Directory server as the user registry.

Related publications

This section lists publications related to the Tivoli Access Manager library.

The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
http://www.ibm.com/software/tivoli/library/

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page:
http://www.ibm.com/software/tivoli/library/

IBM Global Security Kit

Tivoli Access Manager provides data encryption through the use of the IBM Global Security Kit (GSKit) Version 7.0. GSKit is included on the IBM Tivoli Access Manager Base CD for your particular platform, as well as on the IBM Tivoli Access Manager Web Security CDs, the IBM Tivoli Access Manager Web Administration Interfaces CDs, and the IBM Tivoli Access Manager Directory Server CDs.

The GSKit package provides the iKeyman key management utility, gsk7ikm, which is used to create key databases, public-private key pairs, and certificate requests.

The following document is available on the Tivoli Information Center Web site in the same section as the IBM Tivoli Access Manager product documentation:
- IBM Global Security Kit Secure Sockets Layer and iKeyman User’s Guide (SC32-1363-00)
  Provides information for network or system security administrators who plan to enable SSL communication in their Tivoli Access Manager environment.

IBM Tivoli Directory Server

IBM Tivoli Directory Server, Version 5.2, is included on the IBM Tivoli Access Manager Directory Server CD for the desired operating system.

Note: IBM Tivoli Directory Server is the new name for the previously released software known as:
- IBM Directory Server (Version 4.1 and Version 5.1)
- IBM SecureWay Directory Server (Version 3.2.2)

IBM Directory Server Version 4.1, IBM Directory Server Version 5.1, and IBM Tivoli Directory Server Version 5.2 are all supported by IBM Tivoli Access Manager Version 5.1.

Additional information about IBM Tivoli Directory Server can be found at:
http://www.ibm.com/software/network/directory/library/

IBM DB2 Universal Database™

IBM DB2® Universal Database Enterprise Server Edition, Version 8.1 is provided on the IBM Tivoli Access Manager Directory Server CD and is installed with the IBM Tivoli Directory Server software. DB2 is required when using IBM Tivoli Directory Server, z/OS®, or OS/390® LDAP servers as the user registry for Tivoli Access Manager.

Additional information about DB2 can be found at:
http://www.ibm.com/software/data/db2/

IBM WebSphere Application Server

IBM WebSphere Application Server, Advanced Single Server Edition 5.0, is included on the IBM Tivoli Access Manager Web Administration Interfaces CD for the desired operating system. WebSphere Application Server enables the support of both the Web Portal Manager interface, which is used to administer Tivoli Access Manager, and the Web Administration Tool, which is used to administer IBM Tivoli Directory Server. IBM WebSphere Application Server Fix Pack 2 is also required by Tivoli Access Manager and is provided on the IBM Tivoli Access Manager WebSphere Fix Pack CD.

Additional information about IBM WebSphere Application Server can be found at:
http://www.ibm.com/software/webservers/appserv/infocenter.html

IBM Tivoli Access Manager for Business Integration

IBM Tivoli Access Manager for Business Integration, available as a separately orderable product, provides a security solution for IBM MQSeries®, Version 5.2, and IBM WebSphere® MQ for Version 5.3 messages. IBM Tivoli Access Manager for Business Integration allows WebSphere MQSeries applications to send data with privacy and integrity by using keys associated with sending and receiving applications. Like WebSEAL and IBM Tivoli Access Manager for Operating Systems, IBM Tivoli Access Manager for Business Integration is one of the resource managers that use the services of IBM Tivoli Access Manager.

Additional information about IBM Tivoli Access Manager for Business Integration can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

The following documents associated with IBM Tivoli Access Manager for Business Integration Version 5.1 are available on the Tivoli Information Center Web site:
- IBM Tivoli Access Manager for Business Integration Administration Guide (SC23-4831-01)
- IBM Tivoli Access Manager for Business Integration Problem Determination Guide (GC23-1328-00)
- IBM Tivoli Access Manager for Business Integration Release Notes (GI11-0957-01)
- IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)

IBM Tivoli Access Manager for WebSphere Business Integration Brokers

IBM Tivoli Access Manager for WebSphere Business Integration Brokers, available as part of IBM Tivoli Access Manager for Business Integration, provides a security solution for WebSphere Business Integration Message Broker, Version 5.0 and WebSphere Business Integration Event Broker, Version 5.0. IBM Tivoli Access Manager for WebSphere Business Integration Brokers operates in conjunction with Tivoli Access Manager to secure JMS publish/subscribe applications by providing password and credentials-based authentication, centrally-defined authorization, and auditing services.

Additional information about IBM Tivoli Access Manager for WebSphere Integration Brokers can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

The following documents associated with IBM Tivoli Access Manager for WebSphere Integration Brokers, Version 5.1 are available on the Tivoli Information Center Web site:
- IBM Tivoli Access Manager for WebSphere Business Integration Brokers Administration Guide (SC32-1347-00)
- IBM Tivoli Access Manager for WebSphere Business Integration Brokers Release Notes (GI11-4154-00)
- IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)

IBM Tivoli Access Manager for Operating Systems

IBM Tivoli Access Manager for Operating Systems, available as a separately orderable product, provides a layer of authorization policy enforcement on UNIX systems in addition to that provided by the native operating system. IBM Tivoli Access Manager for Operating Systems, like WebSEAL and IBM Tivoli Access Manager for Business Integration, is one of the resource managers that use the services of IBM Tivoli Access Manager.

Additional information about IBM Tivoli Access Manager for Operating Systems can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-operating-sys/

The following documents associated with IBM Tivoli Access Manager for Operating Systems Version 5.1 are available on the Tivoli Information Center Web site:
- IBM Tivoli Access Manager for Operating Systems Installation Guide (SC23-4829-00)
- IBM Tivoli Access Manager for Operating Systems Administration Guide (SC23-4827-00)
- IBM Tivoli Access Manager for Operating Systems Problem Determination Guide (SC23-4828-00)
- IBM Tivoli Access Manager for Operating Systems Release Notes (GI11-0951-00)
- IBM Tivoli Access Manager for Operating Systems Read Me First (GI11-0949-00)

IBM Tivoli Identity Manager

IBM Tivoli Identity Manager Version 4.5, available as a separately orderable product, enables you to centrally manage users (such as user IDs and passwords) and provisioning (that is, providing or revoking access to applications, resources, or operating systems). Tivoli Identity Manager can be integrated with Tivoli Access Manager through the use of the Tivoli Access Manager Agent. Contact your IBM account representative for more information about purchasing the Agent.

Additional information about IBM Tivoli Identity Manager can be found at:
http://www.ibm.com/software/tivoli/products/identity-mgr/

Accessing publications online

The publications for this product are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both in the Tivoli software library:
http://www.ibm.com/software/tivoli/library

To locate product publications in the library, click the Product manuals link on the left side of the library page. Then, locate and click the name of the product on the Tivoli software information center page.

Product publications include release notes, installation guides, user’s guides, administrator’s guides, and developer’s references.

Note: To ensure proper printing of publications, select the Fit to page check box in the Adobe Acrobat window (which is available when you click File → Print).

Accessibility

Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You also can use the keyboard instead of the mouse to operate all features of the graphical user interface.

Contacting software support

Before contacting IBM Tivoli Software Support with a problem, refer to the IBM Tivoli Software Support site by clicking the Tivoli support link at the following Web site:
http://www.ibm.com/software/support/

If you need additional help, contact software support by using the methods described in the IBM Software Support Guide at the following Web site:
http://techsupport.services.ibm.com/guides/handbook.html

The guide provides the following information:
- Registration and eligibility requirements for receiving support
- Telephone numbers, depending on the country in which you are located
- A list of information you should gather before contacting customer support

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

The following typeface conventions are used in this reference:

Bold
    Lowercase commands or mixed case commands that are difficult to distinguish from surrounding text, keywords, parameters, options, names of Java classes, and objects are in bold.
Italic
    Variables, titles of publications, and special words or phrases that are emphasized are in italic.
Monospace
    Code examples, command lines, screen output, file and directory names that are difficult to distinguish from surrounding text, system messages, text that the user must type, and values for arguments or command options are in monospace.

Operating system differences

This book uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows® command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. If you are using the bash shell on a Windows system, you can use the UNIX conventions.

Chapter 1. About this release

IBM Tivoli Access Manager for e-business (Tivoli Access Manager) Version 5.1 builds on previous versions of IBM Tivoli Access Manager and IBM SecureWay Policy Director to provide a complete authentication and authorization solution for corporate e-business environments.

New features in this release include:

Authorization Rules
    Tivoli Access Manager can make authorization decisions based on real-time dynamic information in addition to using access control lists.

Hosting Support
    Tivoli Access Manager supports an environment where a single centralized Tivoli Access Manager infrastructure provides authorization services to a number of distinct internal or external customers.

Policy Proxy Server
    Tivoli Access Manager supports a policy proxy server, which, among other things, allows incoming Tivoli Access Manager replication and administration requests to be terminated in a DMZ. Optional in-memory caching of the policy database at the proxy also allows for traffic reduction over slow network links.

Support for Microsoft® Active Directory
    Tivoli Access Manager supports an environment where Tivoli Access Manager components on UNIX-based platforms can join a Tivoli Access Manager domain that is using Microsoft Active Directory as the user registry. The policy server is the only component that must be on Windows.

Support for dynamic groups in IBM Tivoli Directory Server and Sun ONE Directory servers
    Tivoli Access Manager can import dynamic groups that have been defined in IBM Directory Server and Sun ONE servers.

WebSEAL support for Windows Desktop Single Sign-on
    Tivoli Access Manager includes Windows Desktop Single Sign-on (SPNEGO) support in the WebSEAL component. This is available on both Windows and UNIX-based platforms.

Password Synchronization between Tivoli Access Manager and Tivoli Identity Manager
    Tivoli Access Manager supports password synchronization in integrated environments. You can set up Tivoli Identity Manager and Tivoli Access Manager such that passwords are synchronized, and when passwords are changed through password change mechanisms, the same set of password rules applies across the integrated environment.

Tracing and Logging facility supports log file rollover
    Tivoli Access Manager supports log file rollover based on the configuration of file counts and sizes. The new PDJLog facility provides configuration parameters in the PDJLog.properties file for each of the tracing and logging file handlers.

Support for Lotus® Domino® Server clustering
    Tivoli Access Manager supports Domino environments where clustering is used for load balancing and failover of multiple Domino servers. Tivoli Access Manager now detects this type of environment, and can switch over to another Domino server in the cluster if the server it is configured to becomes unresponsive. In this case, Tivoli Access Manager also replicates the Tivoli Access Manager database to other cluster members.

Linux Support
    Tivoli Access Manager supports the policy server, WebSEAL, and Plug-in for Web Servers on Red Hat and SuSE Linux. For a complete list by component, see the IBM Tivoli Access Manager for e-business Web Security Installation Guide.

Updated Command Reference manual
    The Command Reference has been updated for this release to include information about the new error handling, return codes, and message numbering schemes to improve serviceability. The reference also includes information about blade utilities and policy proxy servers. New pdadmin commands described in the reference include:
    - new pdadmin -d domain flag to specify a domain other than Default
    - new pdadmin -m flag to specify the management domain
    - new pdadmin -l (local login) flag
    - new pdadmin context command
    - new pdadmin domain commands
    - new pdadmin authzrule (authorization rule) commands
    - new pdadmin config commands: config modify and config show
    - new pdadmin object commands: object access and object exists
    - new permissions (ACL bits): Bypass AuthzRule (R) and Bypass Pop (B)

CD distribution

IBM Tivoli Access Manager (Tivoli Access Manager) is provided on the following CDs.

Base CDs:
- IBM Tivoli Access Manager Base for AIX
- IBM Tivoli Access Manager Base for Solaris
- IBM Tivoli Access Manager Base for HP-UX
- IBM Tivoli Access Manager Base for Linux on xSeries
- IBM Tivoli Access Manager Base for Linux on zSeries
- IBM Tivoli Access Manager Base for Linux on pSeries and iSeries
- IBM Tivoli Access Manager Base for Windows NT, Windows XP, Windows 2000 and Windows 2003

Web Administration CDs:
- IBM Tivoli Access Manager Web Administration Interfaces for AIX
- IBM Tivoli Access Manager Web Administration Interfaces for Solaris
- IBM Tivoli Access Manager Web Administration Interfaces for HP-UX
- IBM Tivoli Access Manager Web Administration Interfaces for Linux on xSeries
- IBM Tivoli Access Manager Web Administration Interfaces for Linux on zSeries
- IBM Tivoli Access Manager Web Administration Interfaces for Linux on pSeries and iSeries
- IBM Tivoli Access Manager Web Administration Interfaces for Windows 2000
- IBM Tivoli Access Manager Web Administration Interfaces for Windows 2003

Web Security CDs:
- IBM Tivoli Access Manager Web Security for AIX
- IBM Tivoli Access Manager Web Security for Solaris
- IBM Tivoli Access Manager Web Security for HP-UX
- IBM Tivoli Access Manager Web Security for Linux on xSeries
- IBM Tivoli Access Manager Web Security for Linux on zSeries
- IBM Tivoli Access Manager Web Security for Windows 2000 and Windows 2003

Directory Server CDs:
- IBM Tivoli Access Manager Directory Server for AIX
- IBM Tivoli Access Manager Directory Server 1 of 2 for Solaris
- IBM Tivoli Access Manager Directory Server 2 of 2 for Solaris
- IBM Tivoli Access Manager Directory Server for HP-UX
- IBM Tivoli Access Manager Directory Server for Linux on xSeries
- IBM Tivoli Access Manager Directory Server for Linux on zSeries
- IBM Tivoli Access Manager Directory Server for Linux on pSeries and iSeries
- IBM Tivoli Access Manager Directory Server for Windows 2000 and Windows 2003

WebSphere Fix Pack CDs:
- IBM Tivoli Access Manager WebSphere Fix Pack for AIX
- IBM Tivoli Access Manager WebSphere Fix Pack for Solaris
- IBM Tivoli Access Manager WebSphere Fix Pack for HP-UX
- IBM Tivoli Access Manager WebSphere Fix Pack for Linux on xSeries
- IBM Tivoli Access Manager WebSphere Fix Pack for Windows 2000

Attribute Retrieval Service CDs:
- IBM Tivoli Access Manager Attribute Retrieval Service for AIX
- IBM Tivoli Access Manager Attribute Retrieval Service for Solaris
- IBM Tivoli Access Manager Attribute Retrieval Service for HP-UX
- IBM Tivoli Access Manager Attribute Retrieval Service for Linux on xSeries
- IBM Tivoli Access Manager Attribute Retrieval Service for Linux on zSeries
- IBM Tivoli Access Manager Attribute Retrieval Service for Windows 2000
- IBM Tivoli Access Manager Attribute Retrieval Service for Windows 2003

Language Support CDs:
- IBM Tivoli Access Manager Language Support for AIX
- IBM Tivoli Access Manager Language Support for Solaris
- IBM Tivoli Access Manager Language Support for HP-UX
- IBM Tivoli Access Manager Language Support for Linux on xSeries
- IBM Tivoli Access Manager Language Support for Linux on zSeries
- IBM Tivoli Access Manager Language Support for Linux on pSeries and iSeries
- IBM Tivoli Access Manager Language Support for Windows NT, Windows XP, Windows 2000, and Windows 2003

Software download page for IBM Tivoli Access Manager

Links to supplemental software downloads for Tivoli products can be found at:
http://www.tivoli.com/support/downloads/

Follow the "Software downloads (for registered users)" link and then select "IBM Tivoli Access Manager". Enter your registered user name and password when prompted.

Chapter 2. System requirements

This section describes the minimum product levels you should have installed. The following sections are included:
- “Supported registries”
- “Disk space and memory requirements”
- “Backward compatibility”

Supported registries

Tivoli Access Manager supports the following user registries, their supported operating systems, and any necessary prerequisite software.

IBM Tivoli Directory Server

Tivoli Access Manager supports the use of IBM Tivoli Directory Server, Versions 4.1, 5.1, and 5.2.

Note: IBM Tivoli Directory Server, Version 5.2, is shipped with Tivoli Access Manager, Version 5.1. Only a single version of IBM Directory Server can exist on a system at a time and because IBM Tivoli Access Manager, Version 5.1, uses the Version 5.2 IBM Directory client for the LDAP registry, you should install the IBM Tivoli Directory Server on a separate system if using either Version 4.1 or 5.1.

Supported platforms are as follows:
- AIX platforms:
  – AIX 5.1
  – AIX 5.2
  Note: On AIX 5.1, you must install AIX Maintenance Level 4 or higher. On AIX 5.2, you must install AIX Maintenance Level 1 or higher.
- HP-UX platforms:
  – HP-UX 11
  – HP-UX 11i with the following patches:
    - December 2001 GOLDBASE11i bundle
    - December 2001 GOLDAPPS11i bundle
    - patch PHSS_26560
- Linux on xSeries platforms:
  – UnitedLinux 1.0 with Service Pack 2
  – SuSE Linux Enterprise Server 8
  – Red Hat Enterprise Linux 3.0
- Linux on zSeries platforms:
  – SuSE Linux Enterprise Server 8
  – Red Hat Enterprise Server 3.0
- Linux on pSeries and iSeries platforms:
  – Red Hat Enterprise Server 3.0
  – SuSE Linux Enterprise Server 8
- Solaris platforms:
  – Solaris Operating Environment Software, Versions 8 and 9
  – Trusted Solaris, Version 8
- Windows platforms:
  – Windows 2000
  – Windows Server 2003, Standard or Enterprise
  – Windows NT 4.0 with Service Pack 6 or later; a Windows NT file system (NTFS) is required for security support.

Attention:
- If you have an existing IBM Directory Server that you want to use for Tivoli Access Manager, ensure that you upgrade the server to a supported level. For upgrade instructions, see the IBM Tivoli Access Manager Upgrade Guide.
- If you have a preexisting version of Lightweight Directory Access Protocol (LDAP) from a vendor other than IBM, you must remove it before installing IBM Tivoli Directory Server.

IBM Tivoli Directory Server Web Administration Tool

IBM Tivoli Directory Server supports the use of the IBM Tivoli Directory Server Web Administration Tool, Version 5.2. You can install the Web Administration Tool on a computer with or without the IBM Tivoli Directory Server client or server.

The Web Administration Tool can be used to administer LDAP servers of the following types:
- IBM Tivoli Directory Server, Version 5.2
- IBM Directory Server, Version 5.1
- IBM Directory Server, Version 4.1
- OS/400 V5R3
- z/OS™ R4
  Note: For z/OS R4, only the following setups are supported by the Web Administration Tool:
  – A single TDBM backend
  – A single SDBM backend
  – One TDBM and SDBM backend

The Web Administration Tool is supported on the following platforms:
- AIX platforms:
  – AIX 4.3.3
  – AIX 5.1
  – AIX 5.2
- HP-UX platforms:
  – HP-UX 11
  – HP-UX 11i
- Linux on xSeries platforms:
  – UnitedLinux 1.0
  – SuSE Linux Enterprise Server 7 and 8
  – Red Hat Advanced Server 2.1
- Linux on zSeries platforms:
  – SuSE Linux Enterprise Server 8.0
- Linux on pSeries and iSeries platforms:
  – UnitedLinux 1.0
  – SuSE Linux Enterprise Server 8.0
- Solaris platforms:
  – Solaris Operating Environment Software, Versions 7, 8, and 9
  – Trusted Solaris, Version 8
- Windows platforms:
  – Windows 2000
  – Windows XP
  – Windows Server 2003, Standard or Enterprise
  – Windows NT 4.0 with Service Pack 6 or later

To use the Web Administration Tool, you also need the following:
- One of the following application servers:
  – The embedded version of WebSphere Application Server — Express V5.0 or later.
  – IBM WebSphere Application Server, Version 5.0 or later. IBM WebSphere Application Server, Version 5.0.2, is provided with Tivoli Access Manager, Version 5.1.
- One of the following Web browsers on the computer from which you will use the Web Administration Tool. (This might or might not be the computer where the Web Administration Tool is installed):
  – AIX platforms: Mozilla 1.3 or 1.4
  – HP-UX platforms: Mozilla 1.3 or 1.4
  – Linux on xSeries platforms: Mozilla 1.3 or 1.4
  – Linux on iSeries, pSeries, and zSeries platforms: No browser support is available. You must use another system to access the Web Administration Tool on these Linux platforms.
  – Solaris platforms: Mozilla 1.3 or 1.4
  – Windows platforms: Internet Explorer, Version 6.0

IBM Security Server for OS/390

Tivoli Access Manager supports the use of IBM Security Server for OS/390®, Version 2, Release 10. For product information, see the OS/390 Internet Library Web site at:
http://www.s390.ibm.com/os390/bkserv/

IBM z/OS Security Server LDAP Server

Tivoli Access Manager supports the use of IBM z/OS Security Server LDAP Server, Version 1, Release 2 or higher. For product information, see the z/OS Internet Library Web site at:
http://www.ibm.com/servers/eserver/zseries/zos/bkserv/

Customers can also obtain softcopy publications on CD-ROM, z/OS: Collection, SK3T-4269.

Lotus Domino

Tivoli Access Manager on the Windows platform supports the use of Lotus® Domino, Versions 5.0.10 and 6.0, as a user registry. The Domino server can run on any platform supported by Tivoli Access Manager, Version 5.1.

Attention: When Lotus Domino is used as the registry:
- The IBM Tivoli Directory Client is not required.
- You must install a Lotus Notes® client prior to installing the Access Manager Runtime component. Tivoli Access Manager supports Lotus Notes client, Version 5.0.10, and Version 6.0 or higher.

Microsoft Active Directory

Tivoli Access Manager supports the use of Active Directory for Windows 2000 and Windows 2003 as a user registry. In previous releases of Tivoli Access Manager, Active Directory support was available on the Windows 2000 Advanced Server platform only. New to version 5.1, Active Directory users can run Tivoli Access Manager on all Windows and UNIX platforms currently supported in the Tivoli Access Manager product (with the exception of Windows NT). UNIX platforms make use of the IBM Tivoli Directory Client to communicate with Active Directory. This LDAP client is also used in cases where the policy server domain differs from the domain of the local host name. Note that the Tivoli Access Manager policy server is supported on Windows 2000 and 2003 systems only.

Netscape iPlanet and Sun ONE Directory Server

Tivoli Access Manager supports the use of Netscape iPlanet Directory Server, Version 5.1, and Sun ONE Directory Server, Version 5.2, as a user registry. For installation information, consult the product documentation that came with your iPlanet or Sun ONE Directory Server.

Attention:
- If you have an existing iPlanet or Sun ONE Directory Server that you want to use for Tivoli Access Manager, ensure that you upgrade the server to a supported level. For upgrade instructions, see Sun documentation at the following Web address:
  http://docs.sun.com/db/prod/s1dirsrv
- The iPlanet and Sun ONE Directory Server has built-in SSL capability. You must install GSKit only if the Access Manager Runtime component is installed on the same system as the directory server.

Novell eDirectory

Tivoli Access Manager supports the use of Novell eDirectory 8.6.2 and 8.7 as a user registry. For installation information, consult the product documentation that came with your Novell eDirectory server. Novell eDirectory product documentation is available at:
http://www.novell.com/documentation/a-z.html

The latest patches to these products are available at:
http://support.novell.com/filefinder/5069/index.html

Attention:
- If you have an existing Novell eDirectory server that you want to use for Tivoli Access Manager, ensure that you upgrade the server to a supported level.
- The Novell eDirectory server has built-in SSL capability. You must install GSKit only if the Access Manager Runtime component is installed on the same system as the directory server.

Disk space and memory requirements

Tivoli Access Manager binaries and libraries can require a large amount of disk space. You should ensure that there is enough disk space in the file systems where you are going to install these files. As each Tivoli Access Manager component or system is added to a secure domain, additional disk space is required. Ensure that there is enough available disk space to allow for future installation of Tivoli Access Manager software.

This section includes:
- “Tivoli Access Manager Base components”
- “Tivoli Access Manager Web Security components”

Note: These tables list disk space and memory requirements for Tivoli Access Manager components only. Keep in mind that you must also factor in additional requirements, such as operating system or Web server estimates (if installing a plug-in).

Tivoli Access Manager Base components

Table 1. Base components — Disk space and memory requirements

Columns, in order: Component; Minimum Disk Space (MB); Recommend Disk Space (MB); Disk Space for ACL database (MB); Add Disk Space for Log Files (MB); Minimum Memory (MB); Recommend Memory (MB); Memory per additional domain

Access Manager Application Development Kit: 3 5 — — — — —
Access Manager Authorization Server: 2 4 15 2 5 30 40 —
Access Manager Java Runtime Environment: 8 10 — — — — —
Access Manager Policy Proxy Server: 1 2 — 40 —
Access Manager Policy Server: 2 4 5 1, 2 10 1 30 40 5 2
Access Manager Runtime: 36 40 — — — — —
Access Manager Web Portal Manager: 1 2 — — 35 3 70 4 —
Global Security Kit: 18 20 — — — — —
IBM Tivoli Directory Client: 46 50 — — 6 6
IBM Tivoli Directory Server (including prerequisite software): 145 7 245 7 — 10 256 5 512–1GB 5 —
IBM WebSphere Application Server, Version 5.0.2: 552 552 — — 256 512 —

Notes:
1. The size is for the default domain only. For each additional domain, increase the recommended disk space by this amount.
2. This is based on the approximate requirement for an ACL database with 10,000 objects, equally spread across 10 object spaces and about 30 ACLs attached to 10% of the objects. Except for the policy server, the size is tripled to account for a backup copy and an additional copy created during replication.
3. The minimum for WPM represents the memory requirement for each connected browser.
4. This recommendation for WPM represents two connected browsers.
5. 256MB (minimum) and 512MB–1GB (recommended) memory are for less than one million Tivoli Access Manager users. For more than one million users, increase this amount to 512 (minimum) and 1GB–2GB (recommended) memory.
6. Memory requirements for the IBM Tivoli Directory Client are part of the memory requirements of the servers that use it.
7. IBM Tivoli Directory Server estimates include an empty database. Add an additional 10KB per Tivoli Access Manager user.

Tivoli Access Manager Web Security components

Table 2. Web Security components — Disk space and memory requirements

Component | Minimum Disk Space (MB) | Recommend Disk Space (MB) | Disk Space for ACL database (MB) | Add Disk Space for Log Files (MB) | Minimum Memory (MB) | Recommend Memory (MB) | Memory per additional domain
Access Manager WebSEAL | 20 | 25 | 15 (note 1) | 200 (note 2) | 80 | 250 (note 3) | —
Access Manager WebSEAL Application Development Kit | 3 | 5 | — | — | — | — | —
Access Manager for WebLogic Server | 2 | 4 | — | 5 | 64 | 128 | —
Access Manager for WebSphere | 2 | 4 | — | 5 | 64 | 128 | —
Access Manager Plug-in for IBM HTTP Server | 15 | 25 | 15 (note 1) | 10 | 60 | 120 | —
Access Manager Plug-in for Apache Web Server | 15 | 25 | 15 (note 1) | 10 | 60 | 120 | —
Access Manager Plug-in for Sun ONE Web Server | 15 | 25 | 15 (note 1) | 10 | 70 | 140 | —
Access Manager Plug-in for Internet Information Services | 15 | 25 | 15 (note 1) | 10 | 165 | 225 | —
Access Manager Attribute Retrieval Service | 6 | 10 | — | — | 10 | 14 | —
Access Manager Plug-in for Edge Server | 15 | 25 | 15 (note 1) | 10 | 15 | 30 | —

Notes:
1. This is based on the approximate requirement for an ACL database with 10,000 objects, equally spread across 10 object spaces and about 30 ACLs attached to 10% of the objects. Except for the policy server, the size is tripled to account for a backup copy and an additional copy created during replication.
2. This includes space for the www (web servers access) logs.
3. Includes memory for maximum default cache growth. Increase this amount if cache parameters are increased.

Supported platforms, including required patches

Table 3 lists required patches or service levels for supported operating systems.

Note: SuSE Linux is one of four partner companies whose products are based on UnitedLinux 1.0; the other companies are the SCO Group, Turbolinux, and Conectiva. When SuSE Linux Enterprise Server (SLES) is listed as supported, support for the other partner companies’ products based on UnitedLinux 1.0 is implied as well. For more information, consult the UnitedLinux Web site at:
http://www.unitedlinux.com

Table 3. Patches required by supported operating system platform

Operating System Platform: AIX 4.3.3
Tivoli Access Manager 5.1 supported systems:
- Development (ADK)
- Java runtime environment
- Runtime
Required Patches or Service Level: Latest patches and the following:
- bos.rte.libpthreads at level 4.3.3.51 or higher
- xlC.rte (6.0.0.0 C Set ++ Runtime)
- xlC.aix43.rte (6.0.0.3 C Set ++ Runtime)

Operating System Platform: AIX 5.1
Tivoli Access Manager 5.1 supported systems:
- Attribute Retrieval Service
- Authorization server
- Development (ADK)
- Java runtime environment
- Plug-in for Edge Server, Version 5.1
- Plug-in for IBM HTTP Server, Version 1.3.26
- Plug-in for Sun ONE Web Server, Version 6.0
- Policy server
- Policy proxy server
- Runtime
- Tivoli Access Manager for WebLogic
- Tivoli Access Manager for WebSphere
- Web Portal Manager
- WebSEAL server
- WebSEAL development (ADK)
Required Patches or Service Level: Maintenance Level 4 or higher and the following:
- xlC.rte (6.0.0.0 C Set ++ Runtime)
- xlC.aix50.rte (6.0.0.3 or higher C Set ++ Runtime)

Operating System Platform: AIX 5.2
Tivoli Access Manager 5.1 supported systems:
- Attribute Retrieval Service
- Authorization server
- Development (ADK)
- Java runtime environment
- Plug-in for Edge Server, Version 5.1
- Plug-in for IBM HTTP Server, Version 1.3.26
- Plug-in for Sun ONE Web Server, Version 6.0
- Policy server
- Policy proxy server
- Runtime
- Tivoli Access Manager for WebSphere
- Web Portal Manager
- WebSEAL server
- WebSEAL development (ADK)
Required Patches or Service Level: Maintenance Level 1 or higher AIX 5200-01 maintenance package and the following:
- xlC.rte (6.0.0.0 C Set ++ Runtime)
- xlC.aix50.rte (6.0.0.3 C Set ++ Runtime)
- bos.rte.libc at 5.2.0.12

Operating System Platform: HP-UX 11.0
Tivoli Access Manager 5.1 supported systems:
- Attribute Retrieval Service
- Authorization server
- Development (ADK)
- Java runtime environment
- Policy server
- Policy proxy server
- Runtime
- Tivoli Access Manager for WebLogic (BEA WebLogic Server, Version 7.0 only)
- Web Portal Manager
- WebSEAL server
- WebSEAL development (ADK)
Required Patches or Service Level:
- XSWGR-1100
- PHKL_25475
- PHSS_26945 or later
- PHSS_25091
- For specific languages only:
  – Japanese: PHSS_26972
  – Korean: PHSS_26974
  – Simple-Chinese: PHSS_26976
  – Traditional Chinese: PHSS_24937

Operating System Platform: HP-UX 11i
Tivoli Access Manager 5.1 supported systems:
- Attribute Retrieval Service
- Authorization server
- Development (ADK)
- Java runtime environment
- Policy server
- Policy proxy server
- Runtime
- Tivoli Access Manager for WebLogic (BEA WebLogic Server, Version 7.0 only)
- Tivoli Access Manager for WebSphere
- Web Portal Manager
- WebSEAL server
- WebSEAL development (ADK)
Required Patches or Service Level:
- PHCO_24400
- PHCO_24402
- PHSS_25092
- PHSS_26946
- For specific languages only:
  – Japanese: PHSS_26971
  – Korean: PHSS_26973
  – Simple-Chinese: PHSS_24975
  – Traditional Chinese: PHSS_26977

Operating System Platform: Red Hat Enterprise Linux 2.1
Tivoli Access Manager 5.1 supported systems:
- Plug-in for Edge Server, Version 5.1
Required Patches or Service Level: The following patch is required only if you are installing the GSKit iKeyman utility (gsk7ikm): pdksh-5.2.14-13.i386.rpm

Operating System Platform: Red Hat Enterprise Linux 3.0
Tivoli Access Manager 5.1 supported systems:
- Authorization server
- Development (ADK)
- Java runtime environment
- Policy server
- Policy proxy server
- Runtime
- WebSEAL server
- WebSEAL Development (ADK)
Required Patches or Service Level: None

Operating System Platform: SuSE SLES8 for IA32
Tivoli Access Manager 5.1 supported systems:
- Attribute Retrieval Service
- Authorization server
- Development (ADK)
- Java runtime environment
- Plug-in for IBM HTTP Server, Version 1.3.26
- Policy server
- Policy proxy server
- Runtime
- Tivoli Access Manager for WebSphere
- Web Portal Manager
- WebSEAL server
- WebSEAL development (ADK)
Required Patches or Service Level: libstdc++-3.2.2-5

Operating System Platform:
- SuSE SLES8 for S/390 and zSeries (31-bit systems)
- SuSE SLES8 for zSeries (64-bit systems)
Tivoli Access Manager 5.1 supported systems:
- Attribute Retrieval Service
- Authorization server
- Development (ADK)
- Java runtime environment
- Plug-in for Apache Web Server, Version 1.3.26-36, with mod SSL (31-bit only)
- Plug-in for IBM HTTP Server, Version 1.3.26
- Policy server
- Policy proxy server
- Runtime
- Tivoli Access Manager for WebSphere
- Web Portal Manager
- WebSEAL server
- WebSEAL development (ADK)
Required Patches or Service Level:
Kernel levels supported:
- 31-bit: k_deflt-2.4.19-32
- 64-bit kernel: k_deflt-2.4.19-34
Service Pack 2 update:
- 31-bit kernel:
  – k_deflt-2.4.19-79
- 64-bit kernel:
  – k_deflt-2.4.19-80

Operating System Platform: SuSE SLES8 for pSeries and iSeries
Tivoli Access Manager 5.1 supported systems:
- Development (ADK)
- Java runtime environment
- Runtime
- Web Portal Manager
Required Patches or Service Level:
Kernel levels supported:
- kernel-iseries64-2.4.19-104
- kernel-ppc64-2.4.19-108
Service Pack 1 update:
- kernel-iseries64-2.4.19-194
- kernel-ppc64-2.4.19-186

Operating System Platform: Solaris Operating Environment 7
Tivoli Access Manager 5.1 supported systems:
- Development (ADK)
- Java runtime environment
- Runtime
Required Patches or Service Level:
32-bit packages:
- 106327-18
- 106541-24
- 106950-22
- 106980-22
- 107544-03
64-bit packages:
- 106300-19
- 106327-18
- 106541-24
- 107544-03
- 106950-22
- 106980-22

Operating System Platform: Solaris Operating Environment 8
Tivoli Access Manager 5.1 supported systems:
- Attribute Retrieval Service
- Authorization server
- Development
- Java runtime environment
- Plug-in for Apache Web Server, Version 1.3.27, with mod SSL
- Plug-in for Edge Server, Version 5.1
- Plug-in for IBM HTTP Server, Version 1.3.26
- Plug-in for Sun ONE Web Server, Version 6.0
- Policy server
- Policy proxy server
- Runtime
- Tivoli Access Manager for WebLogic
- Tivoli Access Manager for WebSphere
- Web Portal Manager
- WebSEAL server
- WebSEAL development (ADK)
Required Patches or Service Level:
32-bit packages:
- 109147-15
- 108434-05
- 108528-24
- 108827-40
- 111327-02
- SUNWuiu8
- SUNWjiu8
64-bit packages:
- 109147-15
- 108434-05
- 108435-06
- 108528-24
- 108827-40
- 111327-02
- SUNWuiu8
- SUNWjiu8

Operating system platform: Solaris Operating Environment 9
Tivoli Access Manager 5.1 supported systems:
- Attribute Retrieval Service
- Authorization server
- Development (ADK)
- Java runtime environment
- Plug-in for Apache Web Server, Version 1.3.27, with mod SSL
- Plug-in for Edge Server, Version 5.1
- Plug-in for IBM HTTP Server, Version 1.3.26
- Plug-in for Sun ONE Web Server, Version 6.0
- Policy server
- Policy proxy server
- Runtime
- Tivoli Access Manager for WebLogic
- Tivoli Access Manager for WebSphere (Version 5.0.2 only)
- Web Portal Manager
- WebSEAL server
- WebSEAL development (ADK)
Required patches or service level: 11711-06

Operating system platform: Windows NT 4.0
Tivoli Access Manager 5.1 supported systems:
- Development (ADK)
- Java runtime environment
- Runtime
Required patches or service level: Service Pack 6a

Operating system platform: Windows XP and 2000 Pro
Tivoli Access Manager 5.1 supported systems:
- Development (ADK)
- Java runtime environment
- Runtime
Required patches or service level: None

Operating system platform: Windows 2000 Server and Advanced Server
Tivoli Access Manager 5.1 supported systems:
- Attribute Retrieval Service
- Authorization server
- Development (ADK)
- Java runtime environment
- Plug-in for Edge Server, Version 5.1
- Plug-in for Internet Information Services, Version 5.0
- Policy server
- Policy proxy server
- Runtime
- Tivoli Access Manager for WebLogic
- Tivoli Access Manager for WebSphere
- Web Portal Manager
- WebSEAL server
- WebSEAL development (ADK)
Required patches or service level: Service Pack 3

Operating system platform: Windows 2003 Standard Server and Enterprise Server
Tivoli Access Manager 5.1 supported systems:
- Attribute Retrieval Service
- Authorization server
- Development (ADK)
- Java runtime environment
- Plug-in for Internet Information Services, Version 6.0
- Policy server
- Policy proxy server
- Runtime
- Tivoli Access Manager for WebSphere (Version 5.0.2 only) on Windows 2003 Enterprise Server
- Web Portal Manager
- WebSEAL server
- WebSEAL development (ADK)
Required patches or service level: None

Backward compatibility

The following Tivoli Access Manager components can communicate with a Version 5.1 policy server or authorization server:
- Access Manager Runtime, Versions 3.8, 3.9, 4.1, and 5.1
- Access Manager Java Runtime Environment, Versions 3.9, 4.1, and 5.1

Notes:
1. Because the AZN servers use the runtime for communication, the servers are backward compatible.
2. All components on a single system must be at the same version.
3. When using Active Directory or Lotus Domino as the user registry, all Tivoli Access Manager components must be at the Version 5.1 level.

The binary backward compatibility supported by Tivoli Access Manager, Version 5.1, for Tivoli Access Manager, Version 3.9 and 4.1, applications is as follows:
- Access Manager Runtime, Version 5.1, supports applications compiled against Tivoli Access Manager, Version 4.1 and 3.9 ADKs for all platforms (except Solaris).
- Access Manager Runtime, Version 5.1, for Solaris supports applications compiled against the Tivoli Access Manager, Version 4.1 ADK only.

Hardware acceleration card support

Table 4 lists the platform-specific hardware accelerator cards that have been verified to perform successfully with Tivoli Access Manager WebSEAL, Version 5.1.

Table 4. Hardware acceleration card support
Columns: Operating system; Supported Hardware Acceleration Cards

AIX 5.1:
- nCipher nForce 300 RSA BSAFE, Version 5.32
- nCipher nForce 300 PKCS#11, Version 5.32
- IBM 4758-023 PKCS#11, Version 2.41
- Eracom Orange PKCS#11, Version 2.11
- IBM 4960 PKCS#11, Version 5.1.0.25

AIX 5.2:
- IBM 4758-023 PKCS#11, Version 2.41
- Eracom Orange PKCS#11, Version 2.11
- IBM 4960 PKCS#11, Version 5.1.0.25

HP-UX 11:
- Rainbow Crypto Swift RSA BSAFE, Version 3.2.0

HP-UX 11i:
Not supported

Red Hat Enterprise Linux 3.0:
- Eracom Orange PKCS#1, Version 2.11

SuSE SLES8 for IA32:
- Eracom Orange PKCS#11, Version 2.11

SuSE SLES8 for zSeries (31-bit native and 31-bit compat. mode in 64-bit native) and S/390 (31-bit native):
- PCICA - zSeries Feature code 0862
- PCICC - zSeries Feature code 0861, S/390 Feature code 0860

Solaris 8:
- Rainbow Crypto Swift RSA BSAFE, Version 3.2.0
- nCipher nForce 300 RSA BSAFE, Version 8.0
- nCipher nForce 300 PKCS#11, Version 8.0
- Eracom Orange PKCS#11, Version 2.11

Solaris 9:
- nCipher nForce 300 RSA BSAFE
- nCipher nForce 300 PKCS#11, Version 2.10

Windows 2000 Server and Advanced Server:
- Rainbow Crypto Swift RSA BSAFE, Version 3.2.0
- nCipher nForce 300 RSA BSAFE, Version 8.0
- nCipher nForce 300 PKCS#11, Version 8.0
- IBM 4758-023 PKCS#11, Version 2.41
- Eracom Orange PKCS#11, Version 2.11

Windows 2003 Standard Server and Enterprise Server:
Not supported

Install the appropriate vendor's device drivers on the machine where WebSEAL is running, per the instructions accompanying the card.

In the case of the BSAFE cards, no additional configuration for WebSEAL is required. GSKit automatically detects the cards. Therefore, any Tivoli Access Manager component that uses GSKit (such as WebSEAL) automatically uses the acceleration.

In the case of the PKCS11 cards, WebSEAL must be enabled to use PKCS11, using the PKCS11 directives in the WebSEAL configuration file.

Chapter 3. Known problems and workarounds

The following problems and limitations are known to exist in IBM Tivoli Access Manager (Tivoli Access Manager). Workarounds are provided if they are available. Some entries include an internal tracking number. Report any other problems to IBM Customer Support for Tivoli products.

Note: If you are using a version of IBM Tivoli Access Manager for e-business in a language other than English, be sure to also review the information in Chapter 4, "Internationalization notes," on page 45.

Considerations before installation

Consider the following problems or limitations before installation.

Installation wizard fails on Windows 2003 server with Active Directory (44369)

The installation wizard fails on a Windows 2003 server with Active Directory as the user registry.

Workaround: Consider using the native installation method instead. Otherwise, to use the installation wizard, you must first install the IBM Tivoli Directory client. To install the client, change to CD drive:\Windows\Directory and run setup.exe. The installation program will start. Follow the instructions on the wizard panels but select the Client SDK 5.2 only. After installation is complete, continue with the installation wizard.

Installation wizard does not provide SSL option for Plug-in for Web Servers for an LDAP server (44336)

If you plan to use SSL communication with an LDAP server, do not use the installation wizard to install the Plug-in for Web Servers. Use native installation instead. The installation wizard for the Plug-in for Web Servers does not provide an option for SSL communication with an LDAP server.

Installation wizard fails on a multi-domain Active Directory system (44046)

If you are running the installation wizard on a multi-domain Active Directory system and you do not add the domain extension to the sec_master user ID, an invalid user ID error is returned and the installation fails.

Workaround: Enter the fully qualified domain extensions on the Access Manager user ID.

Tivoli Access Manager requires minimum JRE level of 1.3.1.5 on AIX (41082)

You must install a minimum of JRE 1.3.1.5 on AIX®, which is provided on the Tivoli Access Manager CDs. Refer to the IBM Tivoli Access Manager for e-business Web Security Installation Guide for more information.

JDK 1.3.1 failing on Red Hat Enterprise Linux 3 when using the installation wizard (40973, 43956)

The new threading library (NPTL) implemented by Red Hat Enterprise Linux 3.0 is not compatible with the JDK 1.3.1 that is included with Tivoli Access Manager 5.1. It causes an installation failure.

Workaround: Before running the installation script, set the LD_ASSUME_KERNEL environment variable to a value compatible with JDK 1.3.1. For example:

    export LD_ASSUME_KERNEL=2.4.0

or

    export LD_ASSUME_KERNEL=2.2.5

As an alternate workaround, you could install the latest JRE service pack, which is available at the following IBM Web site:

http://www.ibm.com/developerworks/java/jdk/index.html

Access Manager Runtime component must be installed before you can install Tivoli Access Manager Java runtime environment javadocs (43895)

To install the Javadoc information associated with the Tivoli Access Manager Application Development Kit, you must have the Tivoli Access Manager runtime component installed. This is due to incorrect prerequisite checking in the Access Manager Application Development Kit.

Web Portal Manager configuration requires IBM Java Runtime Environment 1.3.1 (44178)

Web Portal Manager can only be configured using IBM Java Runtime Environment 1.3.1. If other JREs are used (such as the Sun Java Runtime Environment), the configuration of Web Portal Manager might fail.

Default ports used in WebSphere Application Server installations (44432)

The ports used in the installation of WebSphere Application Server differ depending on the method of installation you choose. In addition, the ports used might conflict with ports that are already in use. Refer to the following installation method descriptions for more information.

Installation wizard
    If you use the installation wizard to install Web Portal Manager and as part of that installation you also installed WebSphere Application Server on a machine that already has an HTTP server running on port 80, the installation wizard sets the port for its HTTP server to 81. On AIX, the installation wizard also sets the port for WebSphere Administrative Console to 9091 because by default AIX already has a service (wsmserver) running on 9090.

Native installation
    The native installation of WebSphere sets itself to use port 80 for the HTTP server and port 9090 for the Administrative Console by default even if other services are already running on these ports. If other services are using these ports, change the configuration of those services so that they use other ports.

Upgrading an existing WebSEAL installation might overwrite libcdmf.* files (44079)

If you are installing WebSEAL over an existing version of WebSEAL, back up all libcdmf.* files and make a note of their locations prior to the installation. The new installation will overwrite these files. After installing the new version of WebSEAL, copy the backup copies to their previous locations.

Considerations during installation

The following problems or limitations might occur during installation.

Installation wizard fails on Red Hat Enterprise Linux 3.0 for zSeries (42163)

When installing the Access Manager Runtime environment using the install_amrte installation utility on Red Hat Enterprise Linux 3.0 Beta 2 on Linux for zSeries®, you might receive the following error:

    [root@metlnx03 am51-030915]# ./install_amrte
    InstallShield Wizard
    Initializing InstallShield Wizard...
    Searching for Java(tm) Virtual Machine...
    .......................................
    ................................
    ....No matching JVM was found.

Workaround: Run the installation program as follows:

    java -cp install_xxx_setup.jar run

where the Java version is Java 1.4.1.

Java Runtime Environment cannot be located during installation on Windows 2000 (43948)

On Windows 2000, if you are prompted for the location of the Java Runtime Environment during installation, run the following command:

    java -cp install_xxx_setup.jar run

For example, if the installation wizard is install_amacld.exe, you would run

    java -cp install_amacld_setup.jar run

The .jar files are in the same directory as the installation wizard. If a reboot is required, run the above command again to complete the configuration.

Configuration of the policy server fails after reboot during use of installation wizard (43906)

If you install the policy server on the same Windows system where an LDAP Server is installed, the configuration of the policy server will fail after the system reboots. This happens because the LDAP server does not automatically restart.

Workaround: Start the LDAP server services and then configure the policy server.

Double-byte recorded response files for installation wizard contain corrupted text (37601, 39896, 43907)

When you attempt to record options files for the installation wizard on double-byte operating systems using -options-record or -options-template, the recorded response file contains corrupted text. There is no workaround for this problem.

Exception error displayed when installing Web Portal Manager on Windows using installation wizard (44045)

If an exception is displayed while you are installing Web Portal Manager on Windows, reboot and rerun the installation.

Removing the ibmjcaprovider.jar file during installation (44323)

When installing the Tivoli Access Manager Java runtime environment component, the installation program might prompt you to remove the $JAVA_HOME/lib/ext/ibmjcaprovider.jar file and restart the installation program. You must physically remove this file from the directory. Do not attempt to just rename the file, or to place the file in a subdirectory of the ext directory.

The JRE opens all files in this directory tree (regardless of name or extension) to determine what classes are available. The first file encountered by the JRE with a specific class is the one that is used. However, the algorithm used to locate these files is platform and JRE specific, so it cannot easily be determined which file will be selected if multiple files exist in the directory tree with the requested class. Removing the existing ibmjcaprovider.jar file ensures that the proper classes are used by applications using the Tivoli Access Manager Java runtime environment.
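
The check below is an added example, not part of the release notes or of any IBM tool: it walks a lib/ext tree, identifies archives by content rather than by file name, and reports every class that more than one archive provides, which is how a renamed or relocated copy of the old provider would show up. The class name, the file names other than ibmjcaprovider.jar, and the sample tree are constructed for the demonstration.

```python
import os
import tempfile
import zipfile
from collections import defaultdict


def find_duplicate_classes(ext_dir):
    """Return {class entry: [archives]} for classes found in more than one archive."""
    providers = defaultdict(list)
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            path = os.path.join(root, name)
            # Decide by content, not by name: a renamed .jar is still a ZIP
            # archive, and the JRE is described as opening every file in the
            # tree regardless of name or extension.
            if not zipfile.is_zipfile(path):
                continue
            with zipfile.ZipFile(path) as archive:
                for entry in archive.namelist():
                    if entry.endswith(".class"):
                        providers[entry].append(os.path.relpath(path, ext_dir))
    return {cls: sorted(paths) for cls, paths in providers.items() if len(paths) > 1}


def _write_jar(path, class_entries):
    """Create a small archive holding placeholder .class entries."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as archive:
        for entry in class_entries:
            archive.writestr(entry, b"\xca\xfe\xba\xbe")  # placeholder bytes only


def demo():
    """Build a constructed lib/ext tree and scan it."""
    cls = "com/example/jca/Provider.class"  # hypothetical class name
    with tempfile.TemporaryDirectory() as ext_dir:
        # Hypothetical name for the archive that should win.
        _write_jar(os.path.join(ext_dir, "am-provider.jar"), [cls])
        # The two shortcuts the text warns against: rename, or move to a subdirectory.
        _write_jar(os.path.join(ext_dir, "ibmjcaprovider.jar.old"), [cls])
        _write_jar(os.path.join(ext_dir, "backup", "ibmjcaprovider.jar"),
                   [cls, "com/example/jca/Other.class"])
        with open(os.path.join(ext_dir, "README.txt"), "w") as handle:
            handle.write("not an archive\n")
        return find_duplicate_classes(ext_dir)


if __name__ == "__main__":
    for cls, archives in demo().items():
        print(cls, "is provided by", ", ".join(archives))
```

Against a real installation, call find_duplicate_classes on the JRE's lib/ext directory; an empty result means no class is provided twice.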

Using Microsoft Active Directory

The following problems and limitations might occur when you are using Microsoft Active Directory.

Avoid special characters in Active Directory names

When using Microsoft Active Directory as a user registry, avoid using special characters in user names, group names, or Distinguished Names (DN). For example, the backslash character (\) is not allowed in a DN in Active Directory. Refer to the Active Directory documentation for additional details.

Enable "File and Sharing" when using Active Directory

You must enable the File and Printer Sharing network component on the Microsoft Windows 2000 or Windows 2003-based domain controller when using the Active Directory user registry. If this component is not enabled, error messages occur when attempts are made to join the domain. For more information, see:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q260371

Configuration of the policy server might create a user with a password that is too weak for use with Windows 2003 Active Directory (43908)

When configuring the policy server on Windows 2003 running Active Directory, the process might fail to create a user with a sufficiently strong password. If this happens, the system places an error message in the policy server log file similar to the following:

    HPDRG0100E The operation in the Active Directory registry for User: rspi_create_user : : HRESULT = 0x800708C5 (778: c:\am510\src\uraf\ad\urafuser.cpp ) failed with return error 800708c5
    RunADURAFToolConfig: uraf_create_domain() return error 0x16B48065

Workaround: Unconfigure the policy server and reconfigure with a password that meets the minimum strength requirements.
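
To confirm from the log that a failed configuration is this password-policy problem and not some other registry error, the HRESULT can be split into its fields. The following is an added example, not IBM code: it scans log lines for an HRESULT, decodes severity, facility and code, and names the one Win32 status that matters here (2245, NERR_PasswordTooShort in lmerr.h). The third sample line is constructed; the first two follow the message quoted above.

```python
import re

# Sample input: lines 1-2 follow the log message quoted above,
# line 3 is constructed for contrast.
SAMPLE_LOG = [
    r"HPDRG0100E The operation in the Active Directory registry for User: "
    r"rspi_create_user : : HRESULT = 0x800708C5 (778: "
    r"c:\am510\src\uraf\ad\urafuser.cpp ) failed with return error 800708c5",
    "RunADURAFToolConfig: uraf_create_domain() return error 0x16B48065",
    "constructed line: policy server configuration started",
]

HRESULT_RE = re.compile(r"HRESULT\s*=\s*0x([0-9A-Fa-f]{8})")

FACILITY_WIN32 = 7  # the code field carries a Win32/NetAPI status value

# Win32 status values of interest for this failure.
# 2245 = NERR_PasswordTooShort: the password does not meet the
# password policy requirements (length, complexity, history).
WIN32_CODES = {2245: "NERR_PasswordTooShort"}


def decode_hresult(value):
    """Split a 32-bit HRESULT into its failure bit, facility and code."""
    return {
        "failure": bool((value >> 31) & 1),   # bit 31: severity
        "facility": (value >> 16) & 0x7FF,    # bits 16-26
        "code": value & 0xFFFF,               # bits 0-15
    }


def scan(lines):
    """Return (line number, facility, code, name) for each HRESULT found."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = HRESULT_RE.search(line)
        if not match:
            continue
        fields = decode_hresult(int(match.group(1), 16))
        name = None
        if fields["facility"] == FACILITY_WIN32:
            name = WIN32_CODES.get(fields["code"])
        findings.append((number, fields["facility"], fields["code"], name))
    return findings


if __name__ == "__main__":
    for number, facility, code, name in scan(SAMPLE_LOG):
        print("line %d: facility=%d code=%d %s"
              % (number, facility, code, name or "(not in table)"))
```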

Active Directory data incompatible after switching from a single domain to a multi-domain on a Windows 2000 platform (36389)

If you are using Active Directory with Windows 2000 and are switching from a single domain to a multi-domain, you will need to perform the following steps so that your existing data will be compatible with the multi-domain configuration:

1. Remove the ACL at the top of the domain if any exist. If no ACL exists, skip to step 2.
   a. From the Active Directory Server, go to Start → Programs → Administrative Tools and click Active Directory Users and Computers.
   b. From the Active Directory Users and Computers console, click the domain where Tivoli Access Manager was configured.
   c. Right-click the domain and click Properties.
   d. In the Name box, find the two groups starting with ivacld-servers and remote-acl-users.
   e. Remove each of these two groups.
2. Remove the Tivoli PD Domains container, as follows:
   a. From the Active Directory Server, go to Start → Programs → Administrative Tools and click Active Directory Users and Computers.
   b. From the Active Directory Users and Computers console, click the domain where Tivoli Access Manager was configured.
   c. Find the Tivoli PD Domains container. (You must have the Advanced Features box selected in the View menu to see this container.)
   d. Right-click the container and select Delete to remove the whole container.
   e. Next, using the information in the IBM Tivoli Access Manager for e-business Web Security Installation Guide, use the Tivoli Access Manager import functions to import all the Active Directory users and groups back to Tivoli Access Manager after you have successfully reconfigured to the multi-domain.

Using iPlanet Directory Server or Sun ONE Directory Server

The following problems and limitations might occur when you are using the iPlanet Directory Server or the Sun ONE Directory Server.

Modifying iPlanet registry look-through limit (14785)

Installing Tivoli Access Manager on a system using the iPlanet Directory Server Version 5 registry can result in a "search request limit exceeded" error under certain circumstances. The conditions that trigger the problem include using a user registry containing more entries than the registry's "look-through" search limit.

When the look-through limit defined in the iPlanet Directory Server is exceeded, the directory server returns a status of LDAP_ADMINLIMIT_EXCEEDED, which Tivoli Access Manager treats as an error.

The look-through limit is a performance related parameter that can be customized by the iPlanet LDAP administrator. In the iPlanet Console, select the Configuration tab and expand the Data entry. Then select the Database Settings item and select the LDBM Plug-in Settings tab. In the Look-through Limit field, enter the maximum number of entries you want the server to check in response to a search request. The default look-through limit value is 5000.

If you do not wish to set a limit, enter -1 in this field. If you bind to the directory as the Directory Manager, the look-through limit is unlimited by default, and overrides any settings you specify in this field.

Error appears when protecting iPlanet administration server

When you protect the iPlanet administration server (virtual host name: https-admserv) with the Tivoli Access Manager Plug-in for Web Servers, error messages similar to the following appear in the pdwebpi.log file:

    2002-03-16-07:33:31.901+00:00I----- 0x35F02127 pdwebpi ERROR pic Authorization Server pdwebpi_admin_svc.c 323 0x00000001 The administration service could not read the configuration information for virtual host /PDWebPI/https-admserv: 0x35f02002: The requested data is not currently available (pd / pic)
    2002-03-16-07:33:31.902+00:00I----- 0x35F02129 pdwebpi WARNING pic Authorization Server pdwebpi_admin_svc.c 330 0x00000001 The administration service could not initialized for virtual host /PDWebPI/https-admserv. Administration service features will not be available for this virtual host

These error messages are displayed because the iPlanet administration server does not have any local file system Web resources and consequently does not have a document root. For this reason, Tivoli Access Manager cannot perform a "query contents"-like operation for this virtual server.

pdunconfig does not completely clean up on Sun ONE Directory Server 5.2 (40621)

After successful unconfiguration of all domain information on an IBM Tivoli Access Manager for e-Business server on a Sun ONE 5.2 system, reconfiguration fails with an Object does not exist error.

Workaround: Perform the following steps:
1. Unconfigure the server.
2. Go to the Sun ONE 5.2 console.
3. Delete and re-create the secauthority=default suffix.

Using Web Portal Manager

The following problems and limitations might occur when you are using the Tivoli Access Manager Web Portal Manager GUI.

Browse the Web Portal Manager GUI from AIX 5.1

The IBM Tivoli Access Manager Base Installation Guide states that Web Portal Manager supports the following Web browsers:
- Netscape Navigator 4.78 and 6.2
- Internet Explorer 5.5 and 6.0

These browser versions are supported on other operating systems; however, you cannot use these browsers to log in to Web Portal Manager on AIX 5.1 systems. In addition, you cannot use the version of Netscape packaged in the Bonus Pack (Version 4.79). When this browser client is used to connect to the Web Portal Manager server, the text in the pages might not display.

Workaround: Use Netscape 7.0.3 for AIX 5.1 systems.

Do not configure a policy proxy server using default timeout values (30100 and 30128)

If you encounter an error between Tivoli Access Manager and the IBM Directory server while a proxy server is being configured, a timeout will occur at the proxy server. The proxy server is left in a partially-configured state (even though it appears to be configured successfully). In this case, you cannot use the standard Tivoli Access Manager runtime unconfiguration procedure.

Workaround: Do the following:
1. In the /opt/PolicyDirector/etc/pd.conf file, change the ssl-io-inactivity-timeout value to 0.
2. In the /opt/PolicyDirector/etc/pdmgrproxyd.conf file, add the following statement under the [aznapi-configuration] stanza:

       azn-app-host = proxy_hostname

   where proxy_hostname is the host name of the proxy server machine.
3. Unconfigure the policy proxy server using the pdconfig utility.
4. Increase the timeout setting to a value higher than the default timeout setting.
5. Reconfigure the policy proxy server.

Authentication slows down when the ACL cache is enabled (29961)

The authentication performance of the IBM Directory (LDAP) server, Version 4.1, progressively slows down with the ACL cache enabled.

Workaround: Disable the LDAP ACL cache by adding a line to the /etc/slapd32.conf file, as follows:

    dn: cn=Front End, cn=Configuration
    cn: Front End
    objectclass: top
    objectclass: ibm-SlapdFrontEnd
    ibm-slapdSetEnv: ACLCACHE=NO

Web Portal Manager can only be configured to the Default domain (43847)

If you attempt to configure Web Portal Manager to any domain other than the Default domain, you will receive an invalid argument error. There is no workaround for this problem.

Using WebSEAL

The following problems and limitations might occur if you are using Tivoli Access Manager WebSEAL.

Expired password in Active Directory (AD_LDAP) might prevent WebSEAL authentication (43684)

If a user's password has expired in Active Directory, the user cannot authenticate to WebSEAL. When the authentication fails, an error message is displayed that says:

    Authentication failed. You have used an invalid user name, password, or client certificate.

The problem occurs on all UNIX-based platforms and on Windows systems in which the WebSEAL machine is not a member of the Active Directory domain. However, the problem occurs only if the user's password is set to expire after a specified time period. Passwords that have been flagged as "must change on next login" will perform correctly.

Workaround: Use the Tivoli Access Manager password expiration policy instead of the Active Directory password expiration policy.

Global server ID certificates do not work correctly (IY30623, IY21308)

Global Server IDs do not work with Microsoft Internet Explorer on any supported version of Tivoli Access Manager. This problem is caused by a fault in the ordering of the CIPHER list.

Workaround: Perform the following steps for each WebSEAL server that has a Global Server ID:
1. Confirm that the ssl-qop-mgmt parameter in the [ssl-qop] stanza of the webseald.conf configuration file is disabled:

       [ssl-qop]
       ssl-qop-mgmt = no

2. Manually edit the pdweb_start script and place the GSK_V3_CIPHER_SPECS environment variable, with the following value, near the beginning of the script where environment variables are set:

       GSK_V3_CIPHER_SPECS=04050A030609020100

3. Save and close the script file, and restart WebSEAL:

   UNIX
       # /usr/bin/pdweb_start restart

   Windows
       Use the Services Control Panel to restart WebSEAL.
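
The value set in step 2 is an ordered preference list, so it is worth reading before it goes into a startup script. The following is an added example, not IBM code: it extracts GSK_V3_CIPHER_SPECS from a script, expands each two-digit entry into its SSL 3.0 suite name in order, and lists the entries that offer no encryption, export-grade keys or single DES. It assumes each two-digit entry is the low byte of the standard SSL 3.0 cipher suite code; the script fragment is constructed.

```python
import re

# SSL 3.0 cipher suites keyed by the low byte of their two-byte suite code.
# Assumption: each two-digit GSK_V3_CIPHER_SPECS entry is that low byte.
SUITES = {
    "00": ("SSL_NULL_WITH_NULL_NULL", "no encryption"),
    "01": ("SSL_RSA_WITH_NULL_MD5", "no encryption"),
    "02": ("SSL_RSA_WITH_NULL_SHA", "no encryption"),
    "03": ("SSL_RSA_EXPORT_WITH_RC4_40_MD5", "export-grade (40-bit)"),
    "04": ("SSL_RSA_WITH_RC4_128_MD5", "RC4 128-bit"),
    "05": ("SSL_RSA_WITH_RC4_128_SHA", "RC4 128-bit"),
    "06": ("SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "export-grade (40-bit)"),
    "09": ("SSL_RSA_WITH_DES_CBC_SHA", "single DES (56-bit)"),
    "0A": ("SSL_RSA_WITH_3DES_EDE_CBC_SHA", "3DES"),
}

WEAK_CLASSES = {"no encryption", "export-grade (40-bit)", "single DES (56-bit)"}

# Constructed fragment; not the shipped pdweb_start script.
SAMPLE_SCRIPT = """#!/bin/sh
# environment for webseald (constructed sample)
GSK_V3_CIPHER_SPECS=04050A030609020100
export GSK_V3_CIPHER_SPECS
"""

ASSIGNMENT_RE = re.compile(
    r"^\s*(?:export\s+)?GSK_V3_CIPHER_SPECS=[\"']?([0-9A-Fa-f]*)[\"']?",
    re.MULTILINE,
)


def extract_specs(script_text):
    """Return the cipher spec string assigned in a shell script, or None."""
    match = ASSIGNMENT_RE.search(script_text)
    return match.group(1).upper() if match else None


def parse_specs(value):
    """Expand a spec string into [(code, suite name, class)] in preference order."""
    if len(value) % 2:
        raise ValueError("cipher spec string must have an even number of digits")
    order = []
    for index in range(0, len(value), 2):
        code = value[index:index + 2].upper()
        if code not in SUITES:
            raise ValueError("unknown cipher spec code: %s" % code)
        name, strength = SUITES[code]
        order.append((code, name, strength))
    return order


def weak_entries(value):
    """Return the codes, in order, that fall in a weak class."""
    return [code for code, _name, strength in parse_specs(value)
            if strength in WEAK_CLASSES]


if __name__ == "__main__":
    specs = extract_specs(SAMPLE_SCRIPT)
    for position, (code, name, strength) in enumerate(parse_specs(specs), 1):
        print("%d. %s %s [%s]" % (position, code, name, strength))
    print("weak entries:", ", ".join(weak_entries(specs)))
```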

Improving SSL encryption performance in WebSEAL on Solaris (43387)

To improve WebSEAL HTTPS SSL encryption performance on an UltraSparc Solaris platform, enable the use RSA option in the webseald.conf file.

To use WebSEAL HTTPS SSL encryption on a Solaris platform other than UltraSparc, the use RSA option must be enabled. If not, WebSEAL HTTPS encryption will fail and messages will not be logged to the WebSEAL error log.

WebSEAL on Red Hat Linux 3.0 crashes during a junction delete operation

This problem occurs only when the WebSEAL binary (webseald) is started from a command line. One method to start WebSEAL is to run the pdweb_start script. The pdweb_start script sets some necessary environment variables before executing webseald. On Red Hat Linux 3.0, the script sets the environment variable LD_ASSUME_KERNEL. When webseald is run without first setting LD_ASSUME_KERNEL, the junction delete operation can cause WebSEAL to crash.

Workaround: Always use pdweb_start to start WebSEAL on Red Hat Linux 3.0. If you need to run webseald manually (without using pdweb_start), you must first set and export LD_ASSUME_KERNEL:

    export LD_ASSUME_KERNEL="2.4.19"

Error messages displayed after removing WebSEAL from a Linux platform (44078)

When WebSEAL has been removed from a Linux platform, error messages such as the following are displayed:

    error: cannot remove /var/pdweb/www/log - directory not empty
    error: cannot remove /var/pdweb/www - directory not empty
    error: cannot remove /var/pdweb/log - directory not empty
    error: cannot remove /var/pdweb - directory not empty

Workaround: Ignore these error messages. You can remove these directories manually.

Error messages incorrectly refer to "session inactivity timestamp" (44086)

Error messages that refer to a "session inactivity timestamp" should refer to a "session activity timestamp." For example, the following message:

    "The session inactivity timestamp is missing from the failover cookie."

should read as follows:

    "The session activity timestamp is missing from the failover cookie."

The help message for server task remove is incorrect (44083)

The help message for the server task remove command in WebSEAL is incorrect. The portion that reads <server-id> in the current message should read <server-UUID>. Refer to the IBM Tivoli Access Manager for e-business Command Reference for the complete syntax.

No error message for failover cookie update failure (44084)

When an su-admin has switched user and a credential refresh is performed, the failover cookie will not be updated. However, no error message is displayed warning that the failover cookie was not updated.

Certificate login prompt displayed inappropriately (44088)

When the certificate stanza is set to prompt_as_needed and users authenticate using certificates and then try to access a resource that has a reauth POP applied, the users get a certificate login prompt when they should really get a "Reauth required" error page.

BASE HREF tags not preserved when missing the trailing slash (44090)

When preserve-base-href is set to yes in the WebSEAL configuration file, the following behavior exists:

If an HTML page has a BASE tag like this:

    <BASE HREF="http://server.ibm.com/">

where junction /jct points to server.ibm.com, WebSEAL maps the HREF to /jct/ and the BASE tag resolves to:

    <BASE HREF="https://webseal/jct/">

However, if an HTML page has a BASE tag like this:

    <BASE HREF="http://server.ibm.com">

with no trailing slash, where junction /jct points to server.ibm.com, WebSEAL maps the HREF to /jct and eliminates the jct because there is no trailing slash. In this case, the BASE tag is resolved to:

    <BASE HREF="https://webseal/">
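
Because the second case silently points relative links at the WebSEAL root instead of the junction, it helps to find affected pages on the back-end server before they are served through the junction. The following is an added example, not WebSEAL code: it parses back-end HTML, finds BASE tags that name the junctioned host with no path or only a slash, and reports which of the two documented outcomes applies. The host names come from the text above; the HTML pages are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class BaseTagFinder(HTMLParser):
    """Collect the href value of every <base> tag in a document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag == "base":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def audit_base_tags(html, backend_host):
    """Return [(href, outcome)] for BASE tags that name backend_host.

    Only the two cases documented above are classified: a bare host
    (junction dropped) and a host followed by a single slash (junction kept).
    """
    finder = BaseTagFinder()
    finder.feed(html)
    results = []
    for href in finder.hrefs:
        parts = urlsplit(href)
        if (parts.hostname or "") != backend_host.lower():
            continue
        if parts.path == "":
            results.append((href, "junction dropped"))
        elif parts.path == "/":
            results.append((href, "junction kept"))
    return results


# Constructed pages as the back-end server might return them.
PAGE_WITH_SLASH = '<html><head><BASE HREF="http://server.ibm.com/"></head></html>'
PAGE_WITHOUT_SLASH = '<html><head><BASE HREF="http://server.ibm.com"></head></html>'
PAGE_OTHER_HOST = '<html><head><base href="http://other.example.com"></head></html>'

if __name__ == "__main__":
    for page in (PAGE_WITH_SLASH, PAGE_WITHOUT_SLASH, PAGE_OTHER_HOST):
        print(audit_base_tags(page, "server.ibm.com"))
```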

WebSEAL help messages incomplete (44095)

The help messages that are displayed when you run the help command are incomplete. Use the IBM Tivoli Access Manager for e-business Command Reference instead of the help command.

WebSEAL error messages for the wsadmin library are missing from the message catalogs (44100)

When WebSEAL is started and the wsadmin library cannot be loaded, one of the following error messages will be printed in English to standard out:

    Unable to load shared library '<libname>'
    Unable to resolve symbol '<symbol>' from shared library '<libname>'

These error messages are not in the message catalog and are not documented in the IBM Tivoli Access Manager for e-business Problem Determination Guide.

If you see these messages without a corresponding ID at the front of the message, your wsadmin library is damaged or cannot be loaded. This library should be in the following locations:

UNIX
    /opt/pdweb/lib

Windows
    C:\Progra~1\Tivoli\PDWeb\bin

Workaround: To fix the problem, reinstall WebSEAL or copy the library from another machine where WebSEAL is installed and running correctly. This error applies to only the wsadmin library. All other shared libraries list errors correctly if they cannot be loaded or symbols cannot be resolved.
Incorrect
error
code
displayed
when
a
container
cannot
be
found
during
AMWebARS
request
(44134)
When
a
request
is
made
of
the
AMWebARS
Web
service
for
a
container
that
cannot
be
found,
the
DynADI
internal
error
code
that
is
printed
in
the
webseald
log
file
is
1005b3b2.
This
error
code
is
not
a
valid
Tivoli
Access
Manager
error,
and
cannot
be
used
to
reference
any
additional
data
on
the
error
itself.
Workaround:
Use
the
error
message
that
is
displayed
at
the
time
the
error
occurs
to
help
diagnose
this
error.
WebSEAL
might
crash
if
the
Active
Directory
server
is
unavailable
or
slow
to
respond
(44386)
WebSEAL
might
crash
in
the
following
environments:
v
In
a
UNIX
environment,
when
using
Active
Directory
as
the
user
registry.
v
In
a
Windows
environment,
when
using
Active
Directory
as
the
user
registry,
and
in
which
the
WebSEAL
machine
is
not
a
member
of
the
Active
Directory
domain.
The
problem
does
not
occur
if
IBM
Tivoli
Directory
Server
is
used
as
the
user
registry.
WebSEAL fails to authenticate (44082)

When the webseald.conf file contains accept-client-certs = optional, and an attempt to authenticate with a certificate fails, the client receives an SSL error and is unable to perform any other type of authentication or to proceed as unauthenticated when accessing resources through the WebSEAL system.

This problem occurs only if the client chooses to present a certificate, and something is wrong with the certificate itself, such as the expiration dates being invalid. The problem does not occur if the client does not present a certificate at all.

Workaround: As an immediate workaround, the client can close and reopen the browser, then re-access the resource, this time not selecting a certificate when prompted. A longer-term solution is for the client to obtain a valid certificate.

Using Plug-in for Web Servers

The following problems or limitations might occur if you are using the Plug-in for Web Servers.

Redirected URL not displayed in Internet Explorer address field (37028)

With BA and login-redirect configured, an authenticated request after session timeout or inactivity timeout results in the display of an incorrect URL in the Address field of Internet Explorer 6.0 browsers. This behavior is unique to Internet Explorer 6.0, and there is no workaround to force the browser to display the redirected URL.

Recorded option files in multi-byte languages display corrupted text in the explanatory field (39896)

When you record an option file using -options-record or -options-template in any double byte language operating system, the explanatory text appears corrupted. There is no workaround for this issue.

Dynamically generated hidden fields not passed by Forms Single Sign-On (39924)

Current implementation of Forms Single Sign On (FSSO) in web plug-ins does not support text in <script> blocks. Hidden fields from the Access Manager login form are not passed through by FSSO. Only standard HTML within the <forms> block is recognized.

Use of non-default user identities with application pools on a Windows Domain Controller causes service unavailable errors (42351)

When running IBM Tivoli Access Manager for e-Business Plug-in for Microsoft IIS on a Windows 2003 Domain Controller, you must configure IIS to use one of the default identities to successfully access the application pool. Failure to use one of these identities results in all requests to URIs on protected virtual hosts using application pools receiving 503 Service Unavailable errors.

Workaround: On Windows 2003 Domain Controller systems, configure IIS to use one of the following user identities:

• NETWORK SERVICE
• LOCAL SERVICE
• LOCAL SYSTEM
• <domain>\IWAM_<domain>-<machine>

This is only necessary for Windows 2003 Domain Controller systems.

SPNEGO behavior differs depending on where the browser is operating from within the Active Directory Domain (41078)

When the Internet Explorer browser is operated from the Domain Controller machine, SPNEGO behavior is not the same as when the browser is operated from another machine within the Active Directory Domain. For example, the browser will not renegotiate or fall back to another form of authentication if an incorrect username or password is entered at the SPNEGO login prompt. There is no workaround for this limitation.

Modifying the pdwebpi.conf file before upgrading the Microsoft IIS Plug-in (44361)

Before upgrading the Tivoli Access Manager Microsoft IIS Plug-in, you need to modify the pdwebpi.conf file as follows:

1. Edit the pdwebpi.conf file.
2. Locate the iis stanza.
3. Comment out the map-ba-users-to-anonymous entry.

After you have successfully upgraded the Microsoft IIS Plug-in, you can re-enable the entry.

Relative URLs on Web Page not returned with request (44209)

When you are using the Plug-in for Web Servers with Microsoft IIS 6.0, references that are specified relative to the page are not displayed. For example, as tagged in the following reference, pagerror.gif is not displayed:

    <body bgcolor=white>
    <table>
    <tr>
    <td ID=tableProps width=70 valign=top align=center>
    <img ID=pagerrorImg src="pagerror.gif" width=36 height=48>

To resolve this problem, make all references relative to the Web site rather than relative to the page. For example, the corrected version of the previous example would be as follows:

    <body bgcolor=white>
    <table>
    <tr>
    <td ID=tableProps width=70 valign=top align=center>
    <img ID=pagerrorImg src="/pagerror.gif" width=36 height=48>

Cancelled certificate authentication might result in timeout when using Apache Web Server (44273, 44286)

On an Apache Web Server, when authenticating using a client certificate, the user is presented with a dialog box showing the available certificates. If the user clicks the Cancel button on this dialog box, then no certificate authentication is performed. However, the browser might time out waiting for a response from the Web server, rather than displaying the correct response. The correct response in this situation is either an authentication challenge from the next configured authentication module, or a 403 Forbidden response if there are no other authentication modules configured.

Using IBM Tivoli Directory Server

Using IBM Tivoli Directory Server Version 5.2 on Linux for zSeries (44406)

When IBM Tivoli Directory Server Version 5.2 is installed on Linux for zSeries, a directive is included in the ibmslapd.conf file to keep IBM Tivoli Directory Server from hanging when a Tivoli Access Manager workload is running. However, when IBM Tivoli Directory Server is configured to use a database, the ibm-slapdSetenv directive is overlaid with a new directive, which might cause the hang to occur again.

To correct this problem, edit the ibmslapd.conf file and add the following directive:

    ibm-slapdSetenv: LDAP_MAXCARD=NO

Following is an example of an ibmslapd.conf file with the directive added in the proper location:

    dn: cn=Front End, cn=Configuration
    cn: Front End
    ibm-slapdACLCache: TRUE
    ibm-slapdACLCacheSize: 25000
    ibm-slapdEntryCacheSize: 25000
    ibm-slapdFilterCacheBypassLimit: 100
    ibm-slapdFilterCacheSize: 25000
    ibm-slapdIdleTimeOut: 300
    ibm-slapdSetenv: DB2CODEPAGE=1208
    ibm-slapdSetenv: LDAP_MAXCARD=NO
    objectclass: top
    objectclass: ibm-slapdConfigEntry
    objectclass: ibm-slapdFrontEnd

Tivoli Access Manager server unresponsive if Directory Server is restarted while pdadmin is running (43951)

If you are using IBM Directory Server 4.1, the pdmgrd process might become unresponsive if the Directory Server is restarted while a pdadmin session is active. This issue is resolved in IR50309 (for IBM Directory Server 4.1).

Workaround: Be sure to install the latest fix pack for IBM Tivoli Directory Server.

Using Tivoli Access Manager

The following problems or limitations might occur when you are using Tivoli Access Manager.

If using SSL, all LDAP servers and replicas must be enabled (18832)

If SSL is enabled for secure communications between Tivoli Access Manager servers and the user registry, the master directory server and its replicas must all have SSL enabled.

Workaround: Enable SSL on all directory servers and their replicas.

Object might not be deleted after pdadmin object delete command (27173)

Deleting an object using a pdadmin object delete command might not properly delete an object. Subsequently, creating an object that has been deleted this way might result in an error message that the object already exists. This might be because an objectspace was created instead of an object.

Workaround: Create an object using the ispolicyattachable option. To delete an object that was not properly deleted, use the pdadmin objectspace delete command.

Password expiration time cannot be changed while the daemon is running (24411)

Setting the ssl-auto-refresh attribute to yes in the [ssl] stanza of the ivmgrd.conf configuration file does not change the password expiration time when the pdmgrd daemon is running. Automatic refresh picks up the value from the configuration file only when the daemon is restarted.

Upgrading policy server using two systems only supported with LDAP (28114)

Upgrading an existing policy server to version 5.1 using the two system upgrade method outlined in the IBM Tivoli Access Manager Upgrade Guide is supported only when an LDAP user registry, such as IBM Directory Server or iPlanet Directory Server, is being used. Otherwise, use the single system upgrade instructions to upgrade the policy server to version 5.1.

Policy server and authorization server do not start on Windows after pipe logging enabled (IY34142)

If pipe logging is configured, the policy server and the authorization server fail to start as services on Microsoft Windows systems. For instance, if the ivmgrd.conf configuration file specifies the following:

    logaudit = yes
    logcfg = audit:pipe path=d:/log_test/pipelog1.exe

the policy server fails to start and an error message similar to the following is logged by PipeLogAgent.cpp in the msg_warning.log log file:

    0x000001e4 Cannot execute pipe program

Workaround: Configure the policy server and authorization server to run as foreground processes. This can be done as follows.

1. Click Start → Run...
2. In the Run dialog, enter the following command in the Open field to cause the policy server to run in the foreground:

    pdmgrd -foreground

3. Close the dialog.

Repeat the above steps, substituting the following command to cause the authorization server to run in the foreground:

    pdacld -foreground

Note: The only valid options are -foreground and -version. Running pdmgrd or pdacld with no options fails on Windows systems.

Existing Java applications need a patch to interoperate with Tivoli Access Manager Version 5.1 (24996)

Java applications using the Tivoli Access Manager Version 3.9 Java runtime environment or the pdperm.jar file provided in the Tivoli SecureWay Policy Director Version 3.8 ADK must have a patch applied in order to interoperate with Tivoli Access Manager Version 5.1. Contact IBM Customer Support for Tivoli products to obtain these patches.

Policy Director applications on Solaris must be recompiled

Applications written on the Sun Solaris Operating Environment using the Tivoli SecureWay Policy Director Version 3.8 ADK must be recompiled using the Tivoli Access Manager libraries. This is due to a compiler problem. Backward binary compatibility is maintained on all the other supported platforms.

Use of multiple network interface aliases on AIX

IBM AIX Version 5.1 can be configured with multiple network interface aliases such that there is more than one route to the policy server available in the routing table. When this condition occurs, the Tivoli Access Manager policy server might not be able to definitively identify the client because the operating system chooses a different route for each communication. This could result in a condition where communications fail between the client and the policy server with an error message, such as:

    The server lost the client’s authentication, probably because of session expiration.

This problem can potentially break communications between the following components, provided the first item in each list is located on an AIX system with multiple routes:

• Authorization API server in local mode and policy server
• Authorization API server in remote mode and policy server
• Authorization API server in remote mode and authorization server
• pdadmin utility and policy server
• Administration API and policy server
• Policy server and any Authorization API server, such as the authorization server, or WebSEAL
• svrsslcfg utility and policy server

Workaround: Set the PD_FIXED_CLIENT_IP environment variable to the IP address of a valid interface on the AIX system. The value should be in Internet address form, such as 192.168.51.79.

You also can avoid this problem by changing the routes available using route commands and metrics such that the same route is always selected. For example, if three routes exist to a server, two of those routes could be downgraded so that one route is always chosen. Refer to the AIX documentation for more information on using this type of solution.

IBM HTTP Server reauthentication limitation with directory indexing (19559)

The IBM HTTP Server mod_dir module detects accesses to directories in the Web space. If the access does not contain a trailing forward slash character (/), this module appends the forward slash character and sends a redirect (HTTP status 302) to the client. In the case of reauthentication, this action forces the client to reauthenticate first against the initial URL (for example, http://server/dirname) and then against the mod_dir-modified URL (for example, http://server/dirname/). Thus, the client experiences two reauthentication attempts instead of the typical one reauthentication attempt when accessing other reauthentication protected objects.

This is a limitation in the behavior of the IBM HTTP Server mod_dir module, and this behavior is not configurable. However, this configuration (a reauthentication POP attached to a directory and URL access direct to the directory) is not common.

No workaround is available. It is recommended that the above configuration be avoided.

HTTP redirection affects reauthentication behavior (20633, 20631, 20735)

Web servers can perform redirections, as defined by the HTTP standard, to obtain certain behaviors. This release note describes the impact redirection can have on Tivoli Access Manager reauthentication policy.

Reauthentication policy requires an additional login for every access to an object protected by a reauthentication POP policy, either directly applied or inherited. If a client is redirected to such an object, reauthentication is required. Multiple redirections therefore result in multiple reauthentications.

A simple example is to apply a reauthentication POP to a directory in the Web space and access the directory: http://servername/directory.

Reauthentication is required to access the object. The Web server redirects the client to:

    http://servername/directory/index.html (some servers redirect to http://servername/directory/first)

The client follows the redirect by doing a GET on the new URL. A reauthentication is required for every redirection to objects protected by the reauthentication POP. Therefore it is possible for the client to receive multiple login requests before receiving the desired object due to redirection.

Redirection might also occur when processing forms, particularly the Password Change form returned when a client’s password has expired. When the processing of a form is completed, a redirect is used to direct the client back to the original object. If this object requires reauthentication, the user is forced to log in again. In this case, it is possible to perform a reauthentication, a password change, and then another reauthentication, before receiving the original page requested.

Sample tutorial for Tivoli Access Manager for WebSphere Application Server might not work on HP-UX (28015)

WebSphere Application Server 4.0 includes a tutorial that describes how to use the WebSphere tools to build a sample WebSphere application. The IBM Tivoli Access Manager for e-business IBM WebSphere Application Server Integration Guide extends this tutorial to describe how to add security information to the sample application using Tivoli Access Manager.

In some cases, the WebSphere Application Server tutorial might not successfully build WebSphere applications on the HP-UX platform. If this occurs, it is not possible to use Tivoli Access Manager for WebSphere Application Server to extend the sample application to add security information.

Workaround: You can complete the WebSphere tutorial on a different operating system. See the IBM Tivoli Access Manager for e-business IBM WebSphere Application Server Integration Guide for a list of supported operating systems.

BEA WebLogic Server can run out of heap space

A java.lang.OutOfMemoryError exception is thrown. When running a large number of Tivoli Access Manager for WebLogic Server sessions, BEA WebLogic Server may run out of heap space.

Workaround: Increase the maximum heap size option for the Java Virtual Machine (JVM) in the startWebLogic script. For example:

    %JAVA_HOME%\bin\java -ms64m -mx128m

Consult the BEA product documentation for recommended heap size, based on application architecture and the number of memory-intensive processes running on the host system. Applications should be stress-tested to determine the appropriate heap size for their environment. See the following URL for performance tuning considerations for thread counts and heap size:

    http://edocs.bea.com/wls/docs61/perform/index.html

Configuration of policy server might fail after installation of Microsoft Security updates (43306)

After applying some Microsoft Security update patches on some Active Directory server machines, the configuration of Tivoli Access Manager policy server might fail because it cannot update the URAF schema to the Active Directory machine. This only happens randomly to some systems, not all. The Microsoft Security update patches that have been documented to cause this problem are MS03-026 (KB823980) and MS03-039 (KB824146).

Workaround: If you experience this problem, uninstall the Microsoft Security patches that appear to be causing the problem. Then you can configure your policy server, and then reapply the Microsoft Security updates. If you cannot uninstall the security patches, you must re-configure your Active Directory.

Microsoft Internet Explorer specifies an incorrect value for the Host header on redirects (43398)

All versions of Internet Explorer incorrectly handle redirects to different ports on the same Host. For example, if a request is made to https://web.server.com:444/ that results in a redirect to https://web.server.com/, Internet Explorer incorrectly specifies a Host header value of web.server.com:444 on the second request.

Workaround: Define a second host name for the same IP address, and direct redirects to the second host name.

Use of the authorization server (pdacld) as an authentication enforcement server (43511)

In typical configurations, the authorization server (pdacld) is used for proxy authentication and authorization requests for the Java authorization APIs. In addition, it is used for proxy authorization requests for remote mode AZN applications.

When the authorization server is used to enforce login policy during user authentication, the authorization server needs to be enhanced with additional privileges. By default, the authorization server is unable to update user login policy state information in the registry. To correctly enforce login policy, the authorization server should be added to the securitygroup using the group modify pdadmin command. For example:

    pdadmin> group modify securitygroup add ivacld/<machine_name>

The server name is located in the ivacld.conf file.

Without this change, the authorization server only internally caches login policy, such as the number of failed login attempts. Once an account has been disabled, the cache can only be reset by recycling the authorization server. Updates to the account using pdadmin or any other mechanism will not appear on the authorization server until the server has been recycled.

Making this change gives the authorization server management privileges, so you must take appropriate security measures to secure this server.

Home directories are not automatically deleted when Tivoli Access Manager for WebSphere Application Server is uninstalled using Windows Add or Remove Programs function (43612)

If you use the Microsoft Windows Add or Remove Programs function to remove IBM Tivoli Access Manager for WebSphere Application Server, the files located in the c:\Program Files\Tivoli\amwas directory are deleted, but the directory itself is not deleted.

Workaround: Manually delete the c:\Program Files\Tivoli\amwas directory after uninstalling IBM Tivoli Access Manager for WebSphere Application Server.

Tivoli Access Manager Java runtime environment successfully configures even when an invalid domain name is entered during installation or configuration (43896)

If you enter an invalid domain name during the installation or configuration of the Tivoli Access Manager Java runtime environment (PDJRTE), the configuration completes successfully, but does not function.

Workaround: Edit the PD.properties file and correct the invalid domain name, or unconfigure and reconfigure the Tivoli Access Manager Java runtime environment.

Erroneous error message during uninstallation of Tivoli Access Manager runtime environment (43904)

If new or modified files exist in a Tivoli Access Manager runtime environment installation, running the rpm command will cause the system to display an error message stating that these files cannot be removed.

Workaround: None needed. You can ignore this message because the uninstallation process will eventually remove these files despite the warning.

Tivoli Access Manager might not recognize suffixes added after starting the daemons (43933)

When LDAP is selected as the user registry, Tivoli Access Manager queries the LDAP server to determine the set of LDAP suffixes available. Tivoli Access Manager then uses this set of suffixes to search for user and group information. To avoid querying this information repeatedly, Tivoli Access Manager only retrieves the available set of suffixes on startup.

If a new suffix is added after Tivoli Access Manager has started, the administrator must add the appropriate access control lists (ACLs) manually to give Tivoli Access Manager the appropriate permission to administer within the new suffix. The steps to accomplish this are documented in the IBM Tivoli Access Manager Base Installation Guide. Once the ACLs have been added, Tivoli Access Manager is able to create users and groups within the new suffix.

When a user or group is created successfully, Tivoli Access Manager attempts to verify that the user or group was created within a suffix that is already known (one obtained at startup from LDAP). If the user or group is successfully defined in a new suffix, Tivoli Access Manager will add this new suffix to its list of searchable suffixes, without having to restart the daemon.

However, there are some situations where Tivoli Access Manager incorrectly determines that the user or group was created in an existing suffix, when in fact it was created in a new suffix. For example, given the following set of existing suffixes:

    c=no
    dc=DnB,dc=no

If a new suffix is added:

    dc=postbanken,dc=no

and the appropriate ACLs are added to allow a user to be created in the new suffix, Tivoli Access Manager might incorrectly determine that the suffix is already known, when it is actually a new suffix. In this situation, Access Manager will not be able to locate the newly created user or group. If this occurs, Tivoli Access Manager must be restarted so that it reacquires the set of available suffixes.

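The misclassification described above can be reproduced with the suffixes from this release note. The following Python sketch is an added example, not Tivoli Access Manager code: the release note does not say how the product compares suffixes, so the character-wise test in naive_known_suffix is an assumption chosen to show one way such an error can arise, next to a comparison by RDN components that does not have it. The user DNs and function names are constructed for the illustration.

```python
# Added illustration; not Tivoli Access Manager code.
# KNOWN_SUFFIXES and NEW_SUFFIX come from the release note; user DNs are constructed.

KNOWN_SUFFIXES = ["c=no", "dc=DnB,dc=no"]   # suffixes read at daemon startup
NEW_SUFFIX = "dc=postbanken,dc=no"          # suffix added while the daemon runs


def parse_dn(dn):
    """Split a DN into a list of (attribute, value) pairs, lower-cased.

    Commas escaped with a backslash stay inside the value. Quoted values and
    multi-valued RDNs ("+") are outside the scope of this sketch.
    """
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))

    rdns = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def naive_known_suffix(dn, suffixes):
    """Assumed faulty check: compare the characters at the end of the DN string."""
    flat = dn.replace(" ", "").lower()
    for suffix in suffixes:
        if flat.endswith(suffix.replace(" ", "").lower()):
            return suffix
    return None


def rdn_known_suffix(dn, suffixes):
    """Return the longest known suffix whose RDNs equal the DN's trailing RDNs."""
    dn_rdns = parse_dn(dn)
    best, best_len = None, 0
    for suffix in suffixes:
        s_rdns = parse_dn(suffix)
        n = len(s_rdns)
        if best_len < n <= len(dn_rdns) and dn_rdns[-n:] == s_rdns:
            best, best_len = suffix, n
    return best


if __name__ == "__main__":
    dn = "cn=testuser," + NEW_SUFFIX        # constructed user entry
    # "dc=no" ends with the characters "c=no", so the string test claims a match.
    print("string test:", naive_known_suffix(dn, KNOWN_SUFFIXES))
    # The last RDN is dc=no, not c=no, so no known suffix applies.
    print("RDN test   :", rdn_known_suffix(dn, KNOWN_SUFFIXES))
```

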
Incorrect error message displayed for SvrSslCfg error (43701)

When an incorrect file specification is passed to the Java SvrSslCfg utility, the following error is produced:

    HPDJA0809E Cannot create the specified configuration or keystore file.

This is an incorrect message. The correct message should be something similar to:

    HPDJA... Cannot access the specified configuration or keystore file.

There is no workaround for this problem.

After configuring Tivoli Access Manager on SuSE Linux Enterprise Server 8, the policy server (pdmgrd) and the authorization server (pdacld) fail to start (36687, 37558)

After configuring Tivoli Access Manager on SuSE Linux Enterprise Server 8, the policy server and the ACL server might fail to start.

Workaround: Before configuring Tivoli Access Manager, grant access rights for the user ivmgr (or all users) to the LDAP SSL key file and to the folder that contains that key file.

Tivoli Access Manager for WebSphere Application Server migration tool might fail to migrate application (28418)

The Tivoli Access Manager for WebSphere Application Server migration utility migrateEAR requires the specification of the administrative user’s distinguished name (DN) as a command line option. When the DN contains a space within any of the suffixes, the migrateEAR utility fails due to problems caused by UNIX shell command line parsing. For example, the organization portion (o=) of the following suffix will cause a failure: o=Sales Division,c=us.

The migrateEAR command assembles a Java command line invocation and then runs it. You can circumvent the problem of embedded spaces in the DN by entering the Java command directly and placing double quotation marks around the DN suffix. For example, assuming WebSphere Application Server was installed in the /opt/WebSphere/AppServer directory, the command shown in Figure 1 correctly specifies the suffix "o=Sales Division,c=us" for the DN.

The complete Java command line is described on the migrateEAR reference page in Appendix A of the IBM Tivoli Access Manager for e-business IBM WebSphere Application Server Integration Guide.

Migration tool error with WebSphere Application Server (21935)

The migration utility, migrateEAR, may throw the following error:

    "Invalid group identification specified"

Applications that have been deployed to work with WebSphere Application Server can contain security information in deployment descriptors (enterprise archive files). This security information is migrated to the Tivoli Access Manager security model by the migrateEAR utility.

The user uses the WebSphere console to extract a deployed application from WebSphere with an LDAP user registry. The extracted enterprise archive file (EAR) can contain groups. These groups will have the full Distinguished Name (DN) instead of just the name. The migration utility is run against the EAR file, and the error is encountered.

The migration utility creates an XML file containing the security information. Manually edit this file to delete the portions of the "name" definition that refer to organization and country. The name of the XML file is:

    ibm-application-bnd.xmi

For example, if the group entry reads:

    .....
    <groups xml:id="Group_1" name="customer, o=ibm, c=gb"
    accessId="group:server1.uk.ibm.com:3899/cn=customer, o=ibm, c=gb"/>
    .....

Modify the entry to read:

    .....
    <groups xml:id="Group_1" name="customer"
    accessId="group:server1.uk.ibm.com:3899/cn=customer, o=ibm, c=gb"/>
    .....

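The manual edit described above can be scripted. The following Python sketch is an added example, not part of migrateEAR or the product: it shortens the name attribute of each <groups> element to the part before the first attribute=value component and leaves accessId and all other text untouched. The sample document (including the authorizationTable wrapper and the second group) is constructed around the group entry shown above, and the function names are hypothetical.

```python
# Added illustration; not IBM code. Works on the text of ibm-application-bnd.xmi
# so that everything except the edited name attributes stays byte-for-byte intact.
import re

GROUPS_TAG = re.compile(r"<groups\b[^>]*>", re.DOTALL)
NAME_ATTR = re.compile(r'(\bname=")([^"]*)(")')
RDN_LIKE = re.compile(r"^\s*[A-Za-z][\w-]*\s*=")   # e.g. " o=ibm" or " c=gb"

# Constructed sample based on the entry in the release note.
SAMPLE_XMI = '''<authorizationTable>
  <groups xml:id="Group_1" name="customer, o=ibm, c=gb"
          accessId="group:server1.uk.ibm.com:3899/cn=customer, o=ibm, c=gb"/>
  <groups xml:id="Group_2" name="managers"
          accessId="group:server1.uk.ibm.com:3899/cn=managers, o=ibm, c=gb"/>
</authorizationTable>'''


def short_group_name(name):
    """Drop trailing DN components (o=..., c=...) from a group name.

    Names without attribute=value components are returned unchanged. A name
    that starts with such a component is also left alone, because shortening
    it would leave nothing and needs a manual decision.
    """
    kept = []
    for part in name.split(","):
        if RDN_LIKE.match(part):
            break
        kept.append(part)
    short = ",".join(kept).strip()
    return short if short else name


def fix_group_names(xmi_text):
    """Return (new_text, changes); changes lists (old_name, new_name) pairs."""
    changes = []

    def fix_name(match):
        old = match.group(2)
        new = short_group_name(old)
        if new != old:
            changes.append((old, new))
        return match.group(1) + new + match.group(3)

    def fix_tag(match):
        # Only the first name="..." inside a <groups ...> tag is rewritten;
        # accessId keeps the full DN, as in the release note's corrected entry.
        return NAME_ATTR.sub(fix_name, match.group(0), count=1)

    return GROUPS_TAG.sub(fix_tag, xmi_text), changes


if __name__ == "__main__":
    fixed, changed = fix_group_names(SAMPLE_XMI)
    for old, new in changed:
        print(f"{old!r} -> {new!r}")
    print(fixed)
```

Keep a copy of the original ibm-application-bnd.xmi and review the list of changes before replacing the file.
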
The migration tool fails when using a Tivoli Access Manager domain other than the default domain (43748)

The -b option is now required by the migrateEAR4 and migrateEAR5 utilities in order for AMWAS to migrate application security and role info in the AM Object space correctly for the new AM domain.

    /opt/WebSphere/AppServer/java/jre/bin/java \
    -Dpdwas.lang=/opt/WebSphere/AppServer/lib:/opt/pdwas/nls/java \
    -cp /opt/WebSphere/AppServer/lib/xerces.jar:/opt/pdwas/lib/migrate.jar:/opt/pdwas/nls/java \
    com.tivoli.pdwas.migrate.Migrate -j /opt/WebSphere/AppServer/config/your_application.ear \
    -a sec_master -p sec_master_password -w wsadmin -d "o=Sales Division,c=us" \
    -c file:/opt/WebSphere/AppServer/java/jre/PDPerm.properties

Figure 1. Sample Java command line to duplicate migrateEAR processing

Workaround: Specify the -b option while using the migrateEAR utility to ensure that the WAS application security settings are migrated into the correct area of the AM Object Space.

Migration tool incorrectly reports successful migration of ACLs (44245)

When ACLs are attached to more than one location in the object space, the migration tool might fail because the ACL cannot be deleted. However, the migration tool still returns a successful completion message. To correct this problem, do not attach a migrated application ACL to another area in the object space.

Migration tool incorrectly reports successful migration of policy (44410)

The migration tool returns a "Migration completed successfully" message but some of the policy might not have been migrated. Check the pdwas_migrate.log file to ensure that all the policy was migrated for the application. An error in the log file indicates a possible failure in the migration. Check the last transaction that occurred and try to fix the migration failure. When the problem has been fixed, rerun the migration tool.

Warning messages displayed when using the pdbackup command on a UNIX-based platform (44285)

If you are using the pdbackup command on a UNIX-based platform, the following messages might be displayed:

    sh[2]: ./var/PolicyDirector/log/msg__pdmgrd_utf8.log: 0403-006 Execute permission denied.
    sh[3]: ./var/PolicyDirector/log/msg__pdmgrd_utf8.log: 0403-006 Execute permission denied.

These messages can be ignored. You can check that the backup command has completed successfully, by looking at the last few lines of the msg__pdbackup.log file. If the archive made through the pdbackup command is extracted or restored, the file is restored properly.

jlog.properties file not created when using pdwascfg (44410)

When using the pdwascfg command with the -action_type local option to configure WebSphere Application Server, the jlog.properties file might not be created. To create the file manually, copy the jlog.properties.template file to jlog.properties in the etc directory where WebSphere Application Server is installed (also referred to as the PDWAS_HOME directory).

Startup of WebSphere Application Server fails Linux on zSeries (44540)

After configuring Tivoli Access Manager for WebSphere Application Server for Linux on zSeries, onto a WebSphere Application Server 5.02 system, the next startup might fail with an error in the SystemOut.log similar to:

    org.xml.sax.SAXParseException: Element type "properties" must be followed by either attribute specifications, ">" or "/>".
    at org.apache.xerces.parsers.AbstractSAXParser.parse(AbstractSAXParser.j

The error is caused by a missing closing angle bracket (>), in the /opt/WebSphere/AppServer/config/cells/hostname/security.xml file.

To correct the error, add the '>' that is missing from the first line of the following statement. The location of the missing '>' is highlighted in bold. (Note: The line was formatted into multiple lines to fit on the page.):

    <properties xmi:id="Property_1067638223188"name="com.ibm.security.useFIPS"
    value="false"/>
    <properties xmi:id="Property_222"
    name="com.ibm.websphere.security.authorizationTable"
    value="com.tivoli.pdwas.websphere.PDWASAuthzManager"/>
    </security:Security>

NoSuchMethodErrors might be generated when running Java applications compiled against previous versions of Tivoli Access Manager

Java applications that have been compiled against the Tivoli Access Manager Java runtime found in previous versions of the product and that call the following methods will encounter a Java NoSuchMethodError when run against the Tivoli Access Manager Version 5.1 Java runtime:

    public static void createPop(PDContext context,
                                 String id,
                                 String description,
                                 com.tivoli.mts.PDAttrs attributes,
                                 PDMessages messages)

    public static void createAcl(PDContext context,
                                 String id,
                                 String description,
                                 HashMap aclEntriesUser,
                                 HashMap aclEntriesGroup,
                                 PDAclEntryAnyOther aclEntryAnyOther,
                                 PDAclEntryUnAuth aclEntryUnAuth,
                                 com.tivoli.mts.PDAttrs attributes,
                                 PDMessages messages)

    public static void createProtObject(PDContext context,
                                        String id,
                                        String description,
                                        boolean isPolicyAttachable,
                                        String aclId,
                                        com.tivoli.mts.PDAttrs attributes,
                                        PDMessages messages)

There is no workaround for this problem other than to recompile the application using the non-deprecated counterparts to the missing methods. The non-deprecated counterparts replace the arguments of datatype com.tivoli.mts.PDAttrs with arguments of datatype com.tivoli.pd.jutil.PDAttrs.

Otherwise, Java applications that call the missing methods must have a patch applied in order to interoperate with Tivoli Access Manager Version 5.1 Java runtime. Contact IBM Customer Support for Tivoli products to obtain this patch.

Chapter 4. Internationalization notes

This chapter provides information related to installing and using versions of IBM Tivoli Access Manager (Tivoli Access Manager) in a language other than English.

Known
problems
and
workarounds
The
following
problems
and
limitations
are
known
to
exist
in
versions
of
Tivoli
Access
Manager
other
than
the
English
language
version.
Workarounds
are
provided
if
available.
Some
entries
include
an
internal
tracking
number.
Report
any
other
problems
to
IBM
Customer
Support
for
Tivoli
products.
Known
problems
related
to
all
versions
of
Tivoli
Access
Manager
can
be
found
in
Chapter
3,
“Known
problems
and
workarounds,”
on
page
21
Configuration
change
needed
on
some
internationalized
versions
of
Red
Hat
Linux
7.1
You
must
change
a
configuration
file
if
you
plan
to
install
Tivoli
Access
Manager
on
a
Red
Hat
Linux
7.1
system
running
in
one
of
the
following
locales:
v
Japanese
(eucjp)
(ja_JP.eucjp)
v
Traditional
Chinese
(zh_TW)
Edit
the
/etc/ld.so.conf
file
and
add
the
following
line:
/usr/lib/gconv
This
change
corrects
a
problem
caused
by
the
implementation
of
the
iconv
character
set
conversion
interface.
Group
name
might
be
truncated
on
DBCS
systems
using
Active
Directory
(44415,
44312)
When
using
the
pdadmin
group
list
and
user
show-groups
commands,
the
name
of
the
group
displayed
might
be
truncated
on
DBCS
systems
when
using
Active
Directory
as
the
user
registry.
Japanese
locale
and
language
setting
supported
on
Linux
systems
The
only
supported
locale
and
language
setting
for
Japanese
on
Red
Hat
Linux
systems
is
ja_JP.eucjp.
For
example:
LANG=ja_JP.eucjp
LC_ALL=ja_JP.eucjp
Note:
Notice
the
case
used
in
the
locale
name
of
ja_JP.eucjp.
Using
a
locale
name
with
different
case,
such
as
ja_JP.eucJP,
does
not
work
Japanese
SJIS
is
not
supported.
Considerations when using certain locales on Linux systems

This section describes setting up Tivoli Access Manager on Red Hat Linux systems using international locales. The information is appropriate for Japanese EUC and Traditional Chinese (BIG5). Japanese SJIS is not supported.

1. Install Red Hat Linux with Japanese and Traditional Chinese support and with the X Window System. Configure X, and then launch X.
2. Install the Tivoli Access Manager runtime component, PDRTE.
3. Install the appropriate language pack:
   # ./pd_lp
4. Configure the Tivoli Access Manager runtime to a policy server that supports the required locale.

For Japanese EUC:

1. Run the following commands:
   # export LC_ALL=ja_JP.eucjp
   # export LANG=ja_JP.eucjp
   # rxvt -km eucj &
2. In the rxvt terminal, run the pdconfig command and ensure that the configuration menu appears in Japanese.

For Traditional Chinese:

An additional package that contains the necessary fonts is required. These fonts are not included with Red Hat Linux.

1. Run the following commands:
   # rpm -i cxterm-5.1p1-2.i386.rpm
   # export LANG=zh_TW
   # export LC_ALL=zh_TW
   # cxterm -big5
2. In cxterm, run the pdconfig command and ensure that the configuration menu appears in Chinese.

The cxterm package can be downloaded from:

http://www.rpmfind.net/linux/RPM/contrib/libc6/i386/cxterm-5.1p1-2.i386.html

Some text appears incorrectly in installation wizard (28420, 28422)

Some text in the installation wizard panels appears incorrectly. The following specific problems have been identified:

- The text on the panel asking for the Policy Server SSL port is not translated properly in the Spanish language version.
- The word directory is not translated in the summary panel in the Simplified Chinese language version.

Resizing installation wizard panels could result in truncated text (28453)

Maximizing an installation wizard panel and then restoring it to its original size might result in the text on the panels being truncated. To correct the problem, resize the window until the text is not truncated. This problem occurs on systems using English and on languages other than English.

LANG variable used with Windows overrides locale setting in Control Panel

On Windows systems, if the LANG variable is set, it will override the locale setting in the Control Panel Globalization settings.

Command output displayed using wrong code page on Windows systems (26899)

On Microsoft Windows systems, output from system commands, such as svrsslcfg, bassslcfg, mgrsslcfg, and pdjrtecfg, might be displayed using the wrong code page. This problem has been reported only with single byte languages.

To have the output displayed in the proper code page, do the following:

1. Open a Command Prompt window.
2. Enter the following command:
   chcp 1252
3. From the window menu, click Properties and click on the Font tab.
4. Select Lucida Console, or any True Type font, and click OK. Apply this change to all windows or just the current window, as desired.

Commands entered in this window should now be displayed with the proper code page.

Avoid non-ASCII characters in server names (26985)

Do not use non-ASCII characters in server names. Tivoli Access Manager stores character data as strings of Unicode characters. This data is converted from Unicode to UTF-8 (Universal Character Set Transformation Format-8) before it is sent to the policy server. For version 5.1, conversion works for most azn-api applications. For WebSEAL, only allowable characters can be used in the server name.

Reconfiguration of Web Portal Manager requires reinstallation of language packages (IY32306)

If you unconfigure the Web Portal Manager component and subsequently configure it again, you must reinstall your language packages to view text in your native language.

Fonts necessary to display characters correctly in Java (IY31894)

Fonts are included in the language support packages provided by an operating system. However, in some cases, you might need to install additional fonts to display characters correctly in Java. For example, when installing a platform-specific JRE for the Japanese locale, the X11.fnt.ucs.ttf font is required. The list of required fonts varies depending on your operating system, the JRE level, and your specific locale.

Policy server fails to start on AIX boot (12584)

On systems using a language other than English, the Tivoli Access Manager policy server, pdmgrd, might fail to start automatically during reboot. If the policy server does not start automatically, start it manually using the pd_start utility:

pd_start start

Double-byte recorded response files for installation wizard contain corrupted text (37601, 39896, 43907)

When you attempt to record options files for the installation wizard on double-byte operating systems using -options-record or -options-template, the recorded response file contains corrupted text. There is no workaround for this problem.

Recorded option files in multi-byte languages display corrupted text in the explanatory field (39896)

When you record an option file using -options-record or -options-template in any double byte language operating system, the explanatory text appears corrupted. There is no workaround for this issue.

Installation wizard for the Plug-in for Web Servers fails on a German Windows system (44565)

The installation of the Plug-in for Web Servers fails on a German-language Windows system.

Workaround: Specify the following paths as the target installation directory:

c:\program files\tivoli\pdwebrte
c:\program files\tivoli\pdwebpi

Apostrophes are not displayed correctly when using the installation wizard in French (44080)

When using the installation wizard in French, all apostrophes are displayed as squares.

Garbled text in installation wizard when installing BEA WebLogic Server (44219, 44398)

During the installation of the BEA WebLogic Server, if you run the installation wizard in a language other than English, garbled text might be displayed on the Welcome screen. The problem occurs if you are using the JDKs or JRE that are included with BEA WebLogic Server. The problem does not affect the actual software installation. However, if you want to fix this problem, install the IBM JDK or JRE 1.3.1 and use it to run install_amwls.

After configuring Tivoli Access Manager on SuSE Linux Enterprise Server 8, the policy server (pdmgrd) and the ACL server (pdacld) fail to start (36687, 37558)

After configuring Tivoli Access Manager on SuSE Linux Enterprise Server 8, the policy server and the ACL server might fail to start.

Workaround: Before configuring Tivoli Access Manager, grant access rights for the user ivmgr (or all users) to the SSL key file and to the folder that contains that key file.

Chapter 5. Known documentation updates

The following sections describe corrections to books in the IBM Tivoli Access Manager for e-business library.

IBM Tivoli Access Manager Upgrade Guide

The IBM Tivoli Access Manager Upgrade Guide is a white paper and is located in the White Paper section of the Tivoli software library http://www.ibm.com/software/tivoli/library/.

IBM Tivoli Access Manager Base Administration Guide (44534)

In “Chapter 18. XML output for logging and auditing logs” the information for <source> ... </source> in Table 8 on page 187 is incorrect. The information should read as follows.

Output Field Name: <source> ... </source>

Description: The source event can be one of the following:

cred
    Applies to any Tivoli Access Manager component.
app
    Applies only to an authorization (azn) component.
ruleADI
    Applies only to the authorization (azn) component when evaluating a Boolean rule. The rule ADI value describes Boolean rule access decision information that may have been retrieved from the credential, application, authorization, or through an attribute retrieval service.

Note: In product audit logs, if the dynADI value is listed, it should be interpreted as ruleADI instead.

IBM Tivoli Access Manager for e-business Authorization C API Developer Reference

In “Chapter 1. Authorization API overview” on page 7, the section about test compilers should read as follows:

IBM has tested the use of the IBM Tivoli Access Manager Application Developer Kit (ADK) component with the compilers listed in the table below. Previous versions of the compilers are not supported. Compilers on other supported platforms, such as IBM AIX 5.1 or HP-UX 11i, have not been tested.

Operating system platform tested    Tested compiler

IBM AIX 4.3.3 IBM Visual Age C/C++ 5.0.2
Sun Solaris Operating Environment 5.7 Forte 6.1 with patches 109505-11, 109508-09, 109510-06, 109513-11
Hewlett-Packard HP-UX 11.0–11.01.07 AnsiC/3.30 aC++
Red Hat Enterprise Linux for xSeries® GNU GCC 3.2.2
SuSE Linux Enterprise Server 8 for xSeries GNU GCC 3.2.2
SuSE Linux Enterprise Server 8 for S/390® and zSeries GNU GCC 3.2
SuSE Linux Enterprise Server 8 for pSeries® GNU GCC 3.2-32
Microsoft Windows 2000 Advanced Server Microsoft Visual C/C++ 6.0.5

IBM Tivoli Access Manager for e-business Administration C API Developer Reference

In “Chapter 1. Introducing the administration API overview” on page 4, the section about test compilers should read as follows:

IBM has tested the use of the IBM Tivoli Access Manager Application Developer Kit (ADK) component with the compilers listed in the table below. Previous versions of the compilers are not supported. Compilers on other supported platforms, such as IBM AIX 5.1 or HP-UX 11i, have not been tested.

Operating system platform tested    Tested compiler

IBM AIX 4.3.3 IBM Visual Age C/C++ 5.0.2
Sun Solaris Operating Environment 5.7 Forte 6.1 with patches 109505-11, 109508-09, 109510-06, 109513-11
Hewlett-Packard HP-UX 11.0–11.01.07 AnsiC/3.30 aC++
Red Hat Enterprise Linux for xSeries GNU GCC 3.2.2
SuSE Linux Enterprise Server 8 for xSeries GNU GCC 3.2.2
SuSE Linux Enterprise Server 8 for S/390 and zSeries GNU GCC 3.2
SuSE Linux Enterprise Server 8 for pSeries GNU GCC 3.2-32
Microsoft Windows 2000 Advanced Server Microsoft Visual C/C++ 6.0.5

Appendix A. Tips for building Tivoli Access Manager applications on Linux

The following information applies to building IBM Tivoli Access Manager (Tivoli Access Manager) applications using either Red Hat Linux on Intel™ platforms, or SuSE Linux Enterprise Server on zSeries.

- Always link with -lpthread.
  Use this option even when your application is not threaded, because the Tivoli Access Manager libraries are threaded. The Linux shared library libpthread.so overrides some of the symbols normally provided by libc such as fork(). Failure to explicitly link -lpthread at the upper level, when any of the components contains threaded libraries, can cause unpredictable behavior, including crashes.
- Use of threads in your application.
  When your application uses threads heavily, you might encounter problems with memory usage. The default stack size per thread on current Linux distributions is 2 MB. This stack size limits the number of threads per process. For example, on a system with 256 MB of RAM, the number of threads must be less than 128. To avoid this problem, do one of the following:
  – If source code is available, reduce the default stack size when calling pthread_create().
  – If source code is not available, or if the problem affects Tivoli Access Manager processes, either install more memory on the target system, or recompile the system pthreads library with a reduced default stack size.
Appendix B. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

AIX
DB2
DB2 Universal Database
Domino
IBM
IBM logo
Lotus
MQSeries
OS/390
pSeries
S/390
SecureWay
Tivoli
Tivoli logo
Universal Database
WebSphere
z/OS
zSeries

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel is a trademark of Intel Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.

Printed in USA

GI11-4156-00