tivoli security manager - ibmpublib.boulder.ibm.com/tividd/td/security/gi11-0802-01/...tivoli...
TRANSCRIPT
Tivoli® Security ManagerRelease NotesVersion 3.8 GI11-0802-01
Tivoli® Security ManagerRelease NotesVersion 3.8 GI11-0802-01
Tivoli Security Manager Release Notes
Copyright Notice
© Copyright IBM Corporation 2001 All rights reserved. May only be used pursuant to a Tivoli Systems SoftwareLicense Agreement, an IBM Software License Agreement, or Addendum for Tivoli Products to IBM Customer orLicense Agreement. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrievalsystem, or translated into any computer language, in any form or by any means, electronic, mechanical, magnetic,optical, chemical, manual, or otherwise, without prior written permission of IBM Corporation. IBM Corporationgrants you limited permission to make hardcopy or other reproductions of any machine-readable documentationfor your own use, provided that each such reproduction shall carry the IBM Corporation copyright notice. Noother rights under copyright are granted without prior written permission of IBM Corporation. The document isnot intended for production and is furnished “as is” without warranty of any kind. All warranties on thisdocument are hereby disclaimed, including the warranties of merchantability and fitness for a particularpurpose.
U.S. Government Users Restricted Rights—Use, duplication or disclosure restricted by GSA ADP ScheduleContract with IBM Corporation.
Trademarks
IBM, the IBM logo, Tivoli, the Tivoli logo, AIX, AS/400, Cross-Site, NetView, OS/2, OS/390, OS/400, PolicyDirector, RACF, RS/6000, SecureWay, S/390, Tivoli Certified, Tivoli Enterprise, Tivoli Ready, and TME aretrademarks or registered trademarks of International Business Machines Corporation in the United States, othercountries, or both.
Microsoft, Windows, Windows NT, Windows 2000, and the Windows logo are trademarks of MicrosoftCorporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, othercountries, or both.
TACF Copyright © 1993-2000 by MEMCO Software Ltd., U.S. patent pending. All rights reserved.
Novell, NetWare, NetWare Directory Services, and NDS are trademarks of Novell, Inc.
Other company, product, and service names may be trademarks or service marks of others.Notices
References in this publication to Tivoli Systems or IBM products, programs, or services do not imply that theywill be available in all countries in which Tivoli Systems or IBM operates. Any reference to these products,programs, or services is not intended to imply that only Tivoli Systems or IBM products, programs, or servicescan be used. Subject to valid intellectual property or other legally protectable right of Tivoli Systems or IBM,any functionally equivalent product, program, or service can be used instead of the referenced product, program,or service. The evaluation and verification of operation in conjunction with other products, except those expresslydesignated by Tivoli Systems or IBM, are the responsibility of the user. Tivoli Systems or IBM may have patentsor pending patent applications covering subject matter in this document. The furnishing of this document doesnot give you any license to these patents. You can send license inquiries, in writing, to the IBM Director ofLicensing, IBM Corporation, North Castle Drive, Armonk, New York 10504-1785, U.S.A.
Contents
Chapter 1. Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Additional Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Accessing Publications Online . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Ordering Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Providing Feedback about Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Contacting Customer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Microsoft® Windows® 2000 Endpoint Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Tivoli Servers and Managed Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Hardware Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Tivoli Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Hardware Requirements for Tivoli Security Manager for Policy Director . . . . . . . . . . . . . . . . . . 6
Installation Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Installing with the Tivoli Software Installation Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Additional Installation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Upgrading Tivoli Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Upgraded Dialogs in Tivoli Security Manager Version 3.8 . . . . . . . . . . . . . . . . . . . . . . . 9
Uninstalling Tivoli Security Manager after a Version 3.8 Upgrade Using Tivoli SoftwareInstallation Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Uninstalling Tivoli Security Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Uninstalling Tivoli Security Manager for NT, Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Internationalization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Enabling Language Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Tivoli Security Manager, Version 3.8 Internationalization Issues . . . . . . . . . . . . . . . . . . . . . . . . 10
Patches Included in Version 3.8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Defects Fixed in Version 3.8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Software Defects, Limitations, and Workarounds Reported Prior to Version 3.8 . . . . . . . . . . . . . . . . 13
Version 3.8 Software Defects, Limitations, and Workarounds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
iiiTivoli® Security Manager Release Notes
iv Version 3.8
Release Notes
This Release Notes document provides important information about the Tivoli SecurityManager, Version 3.8 release. These notes are the most current information for the productand take precedence over all other documentation.
Please review these notes thoroughly before installing or using this product.
These release notes include the following topics:
¶ New Features
¶ System Requirements
¶ Installation Notes
¶ Internationalization
¶ Patches Included in Version 3.8
¶ Defects Fixed in Version 3.8
¶ Software Defects, Limitations, and Workarounds Reported Prior to Version 3.8
¶ Version 3.8 Software Defects, Limitations, and Workarounds
Additional InformationThe following sections describe how to access publications online, order publications,provide feedback about publications and contact customer support.
Accessing Publications OnlineThe Tivoli Customer Support Web site (http://www.tivoli.com/support/) offers a guide tosupport services (the Customer Support Handbook); frequently asked questions (FAQs); andtechnical information, including release notes, user’s guides, redbooks, and white papers.You can access Tivoli publications online at http://www.tivoli.com/support/documents/.The documentation for some products is available in PDF and HTML formats. Translateddocuments are also available for some products.
To access most of the documentation, you need an ID and a password. To obtain an ID foruse on the support Web site, go to http://www.tivoli.com/support/getting/.
Resellers should refer to http://www.tivoli.com/support/smb/index.html for moreinformation about obtaining Tivoli technical documentation and support.
Business Partners should refer to “Ordering Publications” on page 2 for more informationabout obtaining Tivoli technical documentation.
1
1Tivoli® Security Manager Release Notes
1.R
eleaseN
otes
Ordering PublicationsOrder Tivoli publications online athttp://www.tivoli.com/support/public/Prodman/public_manuals/td/TD_PROD_LIST.htmlor by calling one of the following telephone numbers:
¶ U.S. customers: (800) 879-2755
¶ Canadian customers: (800) 426-4968
Providing Feedback about PublicationsWe are very interested in hearing about your experience with Tivoli products anddocumentation, and we welcome your suggestions for improvements. If you have commentsor suggestions about our products and documentation, contact us in one of the followingways:
¶ Send e-mail to [email protected].
¶ Fill out our customer feedback survey at http://www.tivoli.com/support/survey/.
Contacting Customer SupportIf you need support for this or any Tivoli product, contact Tivoli Customer Support in one ofthe following ways:
¶ Submit a problem management record (PMR) electronically from our Web site athttp://www.tivoli.com/support/reporting/. For information about obtaining supportthrough the Tivoli Customer Support Web site, go tohttp://www.tivoli.com/support/getting/.
¶ Submit a PMR electronically through the IBMLink™ system. For information aboutIBMLink registration and access, refer to the IBM Web page athttp://www.ibmlink.ibm.com.
¶ Send e-mail to [email protected].
¶ Customers in the U.S. can call 1-800-TIVOLI8 (1-800-848-6548).
¶ Customers outside the U.S. should refer to the Tivoli Customer Support Web site athttp://www.tivoli.com/support/locations.html for customer support telephone numbers.
When you contact Tivoli Customer Support, be prepared to provide the customer number foryour company so that support personnel can assist you more readily.
New FeaturesThis section briefly describes enhancements made to Tivoli Security Manager, Version 3.8.
Microsoft® Windows® 2000 Endpoint SupportTivoli Security Manager, Version 3.8 now supports role template populates for Windows2000 clients. For more information about managing Windows 2000 clients, see the Tivoli®
Security Manager Supplement for Microsoft® Windows® 2000.
Tivoli Security Manager, Version 3.8 now fully supports the Endpoint Audit Log Report taskrunning on the Windows 2000 platform.
Additional Information
2 Version 3.8
System RequirementsThis section describes the system requirements, including software and hardware, for each ofthe following resources in the Tivoli environment:
¶ Tivoli servers and managed nodes
¶ Tivoli endpoints
¶ Supported Windows NT/2000 node configurations
Tivoli products that support Windows 3.x, Windows 95, Windows 98, Windows NT,Windows 2000, and NetWare must be installed on an IBM PC AT-compatible machine.Tivoli does not support platforms (such as the NEC PC 98xx series) that are not 100%compatible with the IBM PC AT.
At the end of this section, the hardware requirements are described for Tivoli SecurityManager for Policy Director.
Tivoli Servers and Managed Nodes
Hardware RequirementsThe following tables list the estimated disk space required for Tivoli Security Manager,Version 3.8 on the supported systems. This is in addition to the space required for the TivoliManagement Framework.
Note: Tivoli strongly recommends you do not share the Tivoli Security Manager files acrossTivoli management region boundaries.
Table 1. Tivoli Security Manager, Version 3.8Platform Server
DatabaseManaged
NodeDatabase
Binaries Other* Total forServer
Total forManaged
Node
AIX 4.x 0.93 MB 0.06 MB 48.33 MB 0.82 MB 50.08 MB 49.21 MB
HP-UX 0.93 MB 0.06 MB 33.33 MB 0.82 MB 35.58 MB 34.71 MB
Solaris 0.93 MB 0.06 MB 40.33 MB 0.82 MB 42.08 MB 41.21 MB
WindowsNT/2000
0.94 MB 0.06 MB 28.06 MB 0.82 MB 29.821 MB 28.94 MB
*Includes Message Catalogs (0.33 MB), Audit Report Tasks (0.26 MB), Libraries (0.01 MB)and Man Pages (0.22 MB).
Table 2. Tivoli Security Manager for NT, Version 3.8, GatewayPlatform Gateway Files Database Binaries Total
AIX 4.x 0.79 MB 0.01 MB 0.03 MB 0.83 MB
HP-UX 0.79 MB 0.01 MB 0.03 MB 0.83 MB
Solaris 0.79 MB 0.01 MB 0.03 MB 0.83 MB
Windows NT/2000 0.79 MB 0.01 MB 0.03 MB 0.83 MB
Table 3. Tivoli Security Manager for Windows 2000, Version 3.8, ServerPlatform Server Database
AIX 4.x 0.13 MB
System Requirements
3Tivoli® Security Manager Release Notes
1.R
eleaseN
otes
Table 3. Tivoli Security Manager for Windows 2000, Version 3.8, Server (continued)Platform Server Database
HP-UX 0.13 MB
Solaris 0.13 MB
Windows NT/2000 0.13 MB
Table 4. Tivoli Security Manager for Windows 2000, Version 3.8, GatewayPlatform Gateway Files Database Binaries Total
AIX 4.x 0.79 MB 0.01 MB 0.03 MB 0.83 MB
HP-UX 0.79 MB 0.01 MB 0.03 MB 0.83 MB
Solaris 0.79 MB 0.01 MB 0.03 MB 0.83 MB
Windows NT/2000 0.79 MB 0.01 MB 0.03 MB 0.83 MB
Table 5. Tivoli Security Manager for AS/400, Version 3.8, ServerPlatform Server Database Audit Report
TasksMessageCatalogs
Total
AIX 4.x 0.14 MB 0.30 MB 0.01 MB 0.45 MB
HP-UX 0.14 MB 0.30 MB 0.01 MB 0.45 MB
Solaris 0.14 MB 0.30 MB 0.01 MB 0.45 MB
Windows NT/2000 0.14 MB 0.30 MB 0.01 MB 0.45 MB
Table 6. Tivoli Security Manager for AS/400, Version 3.8, GatewayPlatform Gateway Files
AIX 4.x 4.68 MB
HP-UX 4.68 MB
Solaris 4.68 MB
Windows NT/2000 4.68 MB
Software RequirementsThis section contains information about the supported operating system versions andrequired patches for each supported hardware architecture. Tivoli does not distribute ormaintain operating system patches from other vendors. Please contact your operating systemvendor for information on obtaining and installing operating system patches.
Tivoli Security Manager, Version 3.8 runs on all the operating systems supported by TivoliManagement Framework, Version 3.7 and 3.7.1. However, Security Manager can onlymanage UNIX clients that are supported by Tivoli Policy Director for Operating Systems orby Tivoli Access Control Facility (Tivoli ACF). See the Tivoli Management Frameworkrelease notes for a list of the supported operating systems and required patches.
Notes:
1. Windows NT/2000 servers and workstations managed by Tivoli Security Managermust be configured into a domain.
System Requirements
4 Version 3.8
2. Tivoli Security Manager supports NetWare, OS/390 and OS/400 as endpoints only.See “Tivoli Endpoints” for specific information regarding supported versions.
Tivoli Security Manager, Version 3.8 server and managed nodes run on thefollowing operating systems:
Platform Operating Systems
AIX IBM RS/6000 series running AIX 4.3, 4.3.1, 4.3.2, 4.3.3
HP-UX HP9000/700 and 800 series running HP-UX 10.2, HP-UX 11, or HP-UX 11,Service Pack 1
OS/390 IBM S/390 running V1R3, V2R4, V2R5, V2R6, V2R7, or V2R8 (see note)
Solaris Sun SPARC series running Solaris 2.6, 7, or 8
Windows NT/2000 IBM-compatible PCs, 80486 or higher, running Microsoft Windows NT 4.0,Service Pack 5, Windows NT 4.0, Service Pack 6 or 6a, or Windows 2000,Service Pack 1
Note: To use OS/390 as the management server for Tivoli Security Manager, or tomanage access control data in the OS/390 Security Server (RACF), it isnecessary to obtain a separately licensed product. Contact your TivoliSystems representative for details about Tivoli Security Manager for OS/390(5698_SCM).
3. Tivoli Policy Directory for Operating Systems, Version 3.8 is a separate productthat may be purchased to provide resource access control enforcement for UNIXendpoints and managed nodes.
Tivoli Endpoints
Software RequirementsThe following table lists the supported operating systems for Tivoli Security Manager,Version 3.8 endpoints:
Platform Operating Systems
AIX IBM RS/6000 series running AIX 4.3, 4.3.1, 4.3.2, 4.3.3, or 5.1
HP-UX HP9000/700 and 800 series running HP-UX 10.2, HP-UX 11, or HP-UX 11SP1
NetWare A NetWare-compatible system running NetWare 4.11, Service Pack 8,NetWare 4.2, Service Pack 8, NetWare 5.0, Service Pack 4, or NetWare 5.1,Service Pack 2
OS/390 Endpoint only, IBM S/390 running Resource Access Control Facility(RACF) V1R3 through V2R10 (see note)
OS/400 IBM AS/400 running V4R3, V4R4, V4R5
Solaris Sun SPARC series running Solaris 2.6, 7, or 8
Windows NT IBM-compatible PCs, 80486 processor or higher, running MicrosoftWindows NT 4.0, Service Pack 5, or Windows NT 4.0, Service Pack 6 or 6a
Windows 2000 IBM-compatible PCs, 80486 or higher, running Microsoft Windows 2000,Service Pack 1
Note: To manage access control data in the OS/390 Security Server (RACF) it is necessaryto obtain a separately licensed product. Contact your Tivoli Systems representativefor details about Tivoli Security Manager for OS/390 (5698-SCM).
System Requirements
5Tivoli® Security Manager Release Notes
1.R
eleaseN
otes
Hardware Requirements for Tivoli Security Manager for Policy DirectorThe following tables list the estimated disk space required for Tivoli Security Manager forPolicy Director, Version 3.8 on the supported systems. This is in addition to the spacerequired for the Tivoli Management Framework. All values are listed in megabytes.
Note: Tivoli strongly recommends you do not share the Tivoli Security Manager files acrossTivoli management region boundaries. Upgrading to future releases and installingTivoli service packs becomes very complex if these files are shared across Tivolimanagement region boundaries.
Table 7. Tivoli Policy Director Connection, Version 3.8Platform Server
DatabaseBinaries Message
CatalogsTotal
AIX 4.x 0.09 0.73 0.01 0.83
HP-UX 0.09 2.74 0.01 2.84
Solaris 0.09 0.73 0.01 0.83
Windows NT/2000 0.09 1.50 0.01 1.60
Table 8. Tivoli Security Manager for Policy Director, Version 3.8, ServerPlatform Server
Database
AIX 4.x 0.16
HP-UX 0.16
Solaris 0.16
Windows NT/2000 0.16
Table 9. Tivoli Security Manager for Policy Director, Version 3.8, ConnectionPlatform Binaries
AIX 4.x 1.77
HP-UX 1.34
Solaris 1.51
Windows NT/2000 0.96
Installation NotesThis section summarizes prerequisite steps and other information needed for a successfulinstallation of Tivoli Security Manager, Version 3.8.
Tivoli Security Manager contains several modules that are installed separately. Theauthorization role for installing each of these modules is install_product.
Note: Any object created during installation is important and should not be deleted from thedesktop. You can remove it, but do not delete it. If you want to uninstall anapplication, use the wuninst utility.
The following full installation modules are part of Tivoli Security Manager:
¶ Tivoli Security Manager, Version 3.8
¶ Tivoli Security Manager for NT, Version 3.8, Gateway
System Requirements
6 Version 3.8
¶ Tivoli SecureWay Security Manager for NetWare, Version 3.7, Server
¶ Tivoli SecureWay Security Manager for NetWare, Version 3.7, Gateway
¶ Tivoli Security Manager for AS/400, Version 3.8, Server
¶ Tivoli Security Manager for AS/400, Version 3.8, Gateway
¶ Tivoli Security Manager for Windows 2000, Version 3.8, Server
¶ Tivoli Security Manager for Windows 2000, Version 3.8, Gateway
¶ Tivoli Security Manager for Policy Director, Version 3.8, Server
¶ Tivoli Security Manager for Policy Director, Version 3.8, Connection
¶ Tivoli Policy Director Connection, Version 3.8
The following upgrade modules are part of Tivoli Security Manager:
¶ Tivoli Security Manager Upgrade, Version 3.6/3.6.1/3.6.2/3.7/3.7.1 to 3.8
¶ Tivoli Security Manager for NT Upgrade, Version 3.7 to 3.8, Gateway
¶ Tivoli SecureWay Security Manager for NetWare Upgrade, Version 3.6.1/3.6.2 to 3.7,Gateway
¶ Tivoli SecureWay Security Manager for NetWare Upgrade, Version 3.6.1/3.6.2 to 3.7,Server
¶ Tivoli Security Manager for AS/400 Upgrade, Version 3.6/3.6.1/3.6.2/3.7 to 3.8, Server
¶ Tivoli Security Manager for AS/400 Upgrade, Version 3.6/3.6.1/3.6.2/3.7 to 3.8, Gateway
¶ Tivoli Security Manager for Windows 2000 Upgrade, Version 3.7 to 3.8, Server
¶ Tivoli Security Manager for Windows 2000 Upgrade, Version 3.7 to 3.8, Gateway
¶ Tivoli Policy Director Connection, Upgrade, Version 3.7 to Version 3.8
¶ Tivoli Security Manager for Policy Director Upgrade, Version 3.7.1 to 3.8, Server
¶ Tivoli Security Manager for Policy Director Upgrade, Version 3.7.1 to 3.8, Connection
PrerequisitesRefer to the Tivoli® Management Framework User’s Guide and the Tivoli® ManagementFramework Release Notes for details about the product and information about operatingsystem patches needed to run the Tivoli Management Framework.
For proper operation of Windows NT/2000 managed nodes, Tivoli Security Manager,Version 3.8 requires a Tivoli Management Framework patch appropriate to the version ofTivoli Management Framework that you are running. Tivoli Management Framework 3.7requires patch 3.7-TMF-0013. Tivoli Management Framework 3.7.1 requires no patches.
For proper operation of Windows NT/2000 endpoints, Tivoli Security Manager, Version 3.8requires a Tivoli Management Framework patch appropriate to the version of TivoliManagement Framework that you are running. For instance, Tivoli Management Framework,Version 3.7 requires Patch 3.7-TMF-0012. Tivoli Management Framework 3.7.1 requires nopatches.
Tivoli Security Manager for AS/400, Version 3.8, Gateway requires AS/400 patch3.6.2-OS4-0001 as a minimum. AS/400 Tivoli management agents at previous levels do notsupport populates. This patch provides an AS/400 Tivoli management agent required forpopulating from AS/400 endpoints.
Installation Notes
7Tivoli® Security Manager Release Notes
1.R
eleaseN
otes
Installing with the Tivoli Software Installation ServiceTivoli Software Installation Service is a product that can install multiple Tivoli products onmultiple systems in parallel. This Java-based product can, therefore, install more products onmore systems in much less time than the installation facility of Tivoli ManagementFramework. Tivoli Software Installation Service performs product prerequisite checks and, ifdefined, user-specified prerequisite checks, ensuring as few installation failures as possible.In most cases, failures now occur only when machines are turned off or removed from thenetwork.
Tivoli Software Installation Service also creates an install repository into which you canimport the installation image of one or more Tivoli products. You can import only thoseinterpreter (operating system) types needed in your environment, which saves you disk spaceand import time. The install repository is then the source of all your Tivoli installations. Youcan even share a single install respository across multiple Tivoli management regions.
Tivoli recommends upgrading the Tivoli Management Framework installation facility in yourcurrent Tivoli installation by installing Tivoli Software Installation Service. If you areinstalling Tivoli for the first time, install Tivoli Software Installation Service on the firstmanaged node running a Tivoli Software Installation Service supported operating system.After Tivoli Software Installation Service is installed, you should use it to install other Tivoliproducts. For more information, see the Tivoli® Software Installation Service User’s Guide.
Additional Installation InformationTivoli Security Manager modules can be installed on managed nodes and endpoints asdescribed in the Tivoli® Security Manager User’s Guide. The subsections in this sectionprovide information that is not included in the Tivoli® Security Manager User’s Guide.
Upgrading Tivoli Security ManagerAll Tivoli Security Manager, Version 3.8 components can be installed as upgrades to TivoliSecurity Manager, Version 3.7 and 3.7.1 components. The steps required to upgrade TivoliSecurity Manager components on managed nodes are similar to the steps required to installthe products for the first time. The key difference is that instead of installing the product,you are installing a patch for the product. You can upgrade the products from either thedesktop or the command line.
Notes:
1. Tivoli Security Manager supports gateways and endpoints. To implement gatewaysupport, you must install Tivoli Security Manager Gateway components for theappropriate endpoint types.
2. Before upgrading an AS/400 endpoint or a system that manages AS/400 endpointsto Tivoli Security Manager, examine all 3.6.2 profiles with OS4 resource records. Ifany of these records have DefAccess set to None, change the DefAccess setting toNo Access.
3. On AS/400 endpoints, local copies of security profiles are kept in native AS/400database tables. When you upgrade AS/400 endpoints, any database tablesremaining from a version of Tivoli Security Manager of 3.6.2 or previous must bedeleted. Deleting these tables does not affect the endpoint. To delete the tables, runthe following series of commands on each AS/400 endpoint running Tivoli SecurityManager (when you issue the DLTJRN command you will receive a warningmessage which can be safely ignored.):
Installation Notes
8 Version 3.8
QSYS/ENDJRNAP FILE(*ALL) JRN(QUSRSYS/QLCFJRN)QSYS/ENDJRNPF FILE(*ALL) JRN(QUSRSYS/QLCFJRN)DLTF FILE(QUSRSYS/WLCF*)DLTJRN JRN(QUSRSYS/QLCFJRN)DLTJRNRCV JRNRCV(QUSRSYS/QLCFJR*)
See Chapter 2 of the Tivoli® Security Manager User’s Guide for detailed instructions onupgrading Tivoli Security Manager products.
Upgraded Dialogs in Tivoli Security Manager Version 3.8To support UNIX endpoints for both Tivoli Policy Director for Operating Systems and TivoliACF, the dialogs for the Endpoint Audit Log Report Task have been modified. For moreinformation, see Chapter 8 of the Tivoli® Security Manager User’s Guide.
Uninstalling Tivoli Security Manager after a Version 3.8 Upgrade UsingTivoli Software Installation Service
To uninstall Tivoli Security Manager components after upgrading to Version 3.8 from aprevious version using Tivoli Software Installation Service, perform the steps listed in thefollowing sections. These steps assume that /data/Tivoli is your top-level platforminstallation directory and that /data is your top-level Tivoli ACF installation directory. Thesesteps remove the entire Tivoli Security Managers product.
Uninstalling Tivoli Security ManagerTo uninstall Tivoli Security Manager, run the following CLI commands:
1. wuninst SECMGT $server –rmfiles
2. rm $BINDIR/.installed/SECMGT_*_BIN
3. rm $BINDIR/../generic_unix/.installed\/SECMGT_*_GBIN
4. rm $LIBDIR/.installed/SECMGT_*_LIB
5. rm /data/Tivoli/msg_cat/.installed/SECMGT_*_CAT
6. rm /data/Tivoli/man/$INTRP/.installed/SECMGT_*_MAN
Uninstalling Tivoli Security Manager for NT, GatewayTo uninstall Tivoli Security Manager for NT, Gateway, run the following CLI commands:
1. wuninst SECNTGW $server –rmfiles
2. rm $BINDIR/.installed/SECNTGW_*_BIN
3. rm $BINDIR/../lcf_bundle/.installed\/SECNTGW_*_LCF
4. rm /data/Tivoli/msg_cat/.installed/SECNTGW_*_CAT
InternationalizationTivoli Security Manager, Version 3.8 is an internationalized product that supports Englishand other languages. It derives its language behavior from the installed localization featuresand from the user’s language preference. The localization features consist primarily oftranslated X/Open message catalogs and codeset tables for text processing andinteroperability.
Installation Notes
9Tivoli® Security Manager Release Notes
1.R
eleaseN
otes
To view the translated versions of Web pages used by products in the Tivoli 3.8 release, youmust use a Web browser that supports Unicode UTF-8 encoding, such as NetscapeNavigator, Version 4.0.2 and above. You must also select a display font that includes theUTF-8 character set.
If you are unsure if your software meets these requirements or are not sure how to configureyour system for UTF-8 support, contact the manufacturer of your Web browser or systemsoftware.
Enabling Language SupportTivoli Security Manager is translated into the following languages:
¶ Brazilian Portuguese
¶ Chinese (simplified)
¶ Chinese (traditional)
¶ French
¶ German
¶ Japanese
¶ Korean
¶ Spanish
To enable these languages, install the appropriate language support pack from the TivoliSecurity Management Language Support CD. You can also install multiple languagesupport packs for a single product.
For installation procedures, see Chapter 2 of the Tivoli® Security Manager User’s Guide.Substitute the desired language support pack names for the product names shown in theprocedures.
For issues specific to using Tivoli Security Manager in a non-English system environment,see the Tivoli ®Management Framework Release Notes for the product version running onyour system.
Tivoli Security Manager, Version 3.8 Internationalization IssuesThe following are known defects, limitations, and workarounds (when applicable) affectingthe international versions of Tivoli Security Manager:
1. Due to translation dependencies being addressed in later releases, some graphical userinterface (GUI) text and command line interface (CLI) messages will appear in English.
2. When editing resource access rights in the GUI, after adding a role record in a securityprofile, if you deny the permission, the English name of the permission will bedisplayed. (CMVC-106948)
3. You cannot use double-byte characters in the OS/400 text field of a role record in asecurity profile. You can disable the validation policy by opening the Security RoleRecords dialog and clicking Edit->Validation Policies and then changing the DefaultType for OS4Name to None. (CMVC 106932)
4. The Windows NT Endpoint Audit Log Report saved by Security Audit may containcorrupted DBCScharacters. (CMVC-105839)
Internationalization
10 Version 3.8
5. In resource records on the Netware endpoint, there is no context help for the followingoptions: NetWare Inherited Rights Filters, NetWare NDS Attributes, NetWare FileSystem Attributes. Please see the documentation for help. (CMVC-105318)
6. When installing the Tivoli Security Manager language pack on a Japanese or Frenchsystem using either the Framework install GUI or the winstall command, the installationwill complete with errors. All of the language files will be installed correctly; but not allof the old files will be deleted. (CMVC-104378)
Workaround:
a. Change the locale to English.
b. Run setup_env.
c. If on NT, enter bash at the command line.
d. Enter “odadmin reexec all” and wait for the TMR oserv to restart.
e. Either use the Framework desktop GUI to install the language pack OR enter“winstall -c d: -i SEC_XX.IND” where -c is the drive letter where the languagepack is located and XX is either JA or FR.
f. Change the locale back to either French or Japanese.
g. Enter “odadmin reexec all” and wait for the TMR oserv to restart.
Patches Included in Version 3.8The following patches have been incorporated into Tivoli Security Manager, Version 3.8:
Table 10. Tivoli Security Manager3.2-SEC-0001
3.2-SEC-0002
3.2-SEC-0003
3.2-SEC-0005
3.6-SEC-0003
3.6-SEC-0005
3.6.1-SEC-0004
3.6.1-SEC-0005
3.6.1-SEC-0009
3.6.2-SEC-0001
3.6.2-SEC-0002
3.6.2-SEC-0005E
3.6.2-SEC-0005
3.6.2-SEC-0006
3.6.2-SEC-0007
3.6.2-SEC-0014-SEC
3.7-SEC-0001
3.7-SEC-0002
3.7-SEC-0003
3.7-SEC-0004
Internationalization
11Tivoli® Security Manager Release Notes
1.R
eleaseN
otes
Table 10. Tivoli Security Manager (continued)3.7.1-SEC-0001
3.7.1-SEC-0002
3.7.1-SEC-0003
3.7.1-SEC-0004
3.7.1-SEC-0005
Table 11. Tivoli Security Manager for AS/400, Server3.6.1-SEC-0001 (Security Management, Version 3.6.1 for AS/400, Server)
3.6.1-SEC-0003
3.6.2-SECOS4-0001
3.6.2-SECOS4-0002
Table 12. Tivoli Security Manager for AS/400, Gateway3.6-SEC-0002 (Security Management, Version 3.6 for AS/400, Gateway)
3.6-SEC-0004
3.6.1-SEC-0002 (Security Management, Version 3.6.1 for AS/400, Gateway)
3.6.2-SECOS4GW-0002
Table 13. Tivoli Policy Director ConnectionPDPROXY-3.7.01
Table 14. Tivoli Security Manager for Policy Director, ServerSECPD-3.7.01
Table 15. Tivoli Security Manager for Policy Director, ConnectionSECPDCN-3.7.01
SECPDCN-3.7.02
Defects Fixed in Version 3.8The following defects have been fixed for release 3.8 of Tivoli Security Manager:
1. Distribution of HOLIDAY records creates objects incorrectly in path:/OSSEAL/branch-name/Login/Holiday. (CMVC-113242)
2. Distributing a TCP resource record causes an oserv:Transaction Error, but appears todistribute correctly to Tivoli Policy Director. (CMVC-113244)
3. TCP resources are not distributed properly. (CMVC-113733)
4. Tivoli Security Manager is unaware of the OSSEAL list directory permission.(CMVC-113987)
5. Error when redistributing profiles with via rules. Roles with resources attached thathave more than one conditional access rule defined per attached resource are not gettingdistributed correctly. (CMVC-114098)
Patches Included in Version 3.8
12 Version 3.8
6. Terminal policy is always mapped to remote. UX:TERMINAL resources are mapped asfollows: 1) If the resource name begins with a /, it is assumed local. 2) If the resourcename does NOT begin with a /, it is assumed remote. (CMVC-114181)
7. Sudo arguments cause failure when distributing profile. (CMVC-114366)
8. Login policy should be at /OSSEAL/<branch>/login. (CMVC-114987)
9. The Certificate Transfer Utility does not work on w32-ix86 Tivoli management regionservers. (CMVC-115095)
10. A distribution error occurs when TCPAccess contains an asterisk. (CMVC-115484)
11. HolidayDates distributes incorrectly if in mm/dd@hh:mm format. The HolidayDatesattribute of UX:HOLIDAY resource is not distributed correctly if in mm/dd@hh:mmformat. The time is truncated and a year of 2000 is supplied. For example,“12/01@17:30-12/31@00” becomes “2000-12-01 2000-12-31”. (CMVC-115589)
12. Two-digit years are always converted to 20xx. The HolidayDates attribute ofUX:HOLIDAY resource gets converted to the form 20xx if specified as xx. It isrecommended that all UX:HOLIDAY resources be updated to use the full four digits.(CMVC-115596)
13. Access-Restrictions setup wrong after distribution. The Access-Restrictions extendedattribute placed on objects has some extraneous data that causes a warning message tobe generated in the pdosd logfile. This warning can be ignored, since the desired policywill still be enforced. (CMVC-117847)
14. TACFEPIU Japanese catalog has some errors. There are two issues: 1) A message wasupdated in TacfCatalog.msg for 371 Patch 02. Tivoli Security Manager does nottranslate message catalogs for Patches, and the English message is out of sync withtranslated catalogs. 2) The original Japanese translation is incorrect.(CMVC-121082)
Software Defects, Limitations, and Workarounds Reported Priorto Version 3.8
This section describes known defects reported since the Tivoli Security Manager, Version 3.7release and prior to the Tivoli Security Manager, Version 3.8 release that have not yet beenfixed.
The following is a list of significant defects that apply to Tivoli Security Manager.
1. The migration tool pd_mgr does not run on interconnected Tivoli management regions.It is recommended that you run this tool using the -f option. Using this option will allowyou to review the commands that will be run during the migration process.(CMVC-116390)
2. Program resource objects are not created. When creating or editing a Program resourcerecord in Tivoli Security Manager, an administrator can specify access permissions ofeither Execute or No Access. Setting Execute indicates a user has the ability to runtrusted programs and setting No Access indicates the ability to run trusted programs isexplicitly denied. On distribution, however, a PDOS File resource object is not created.Therefore, a workaround is for the administrator to explicitly create this PDOS Fileresource object and specify the appropriate access permission to control who can executethis program. (CMVC-113988)
3. Unable to remove arguments from SUDO resource.This is a problem with the validationpolicy for the PermittedArgs and ProhibitedArgs attributes. The validation policy is
Defects Fixed in Version 3.8
13Tivoli® Security Manager Release Notes
1.R
eleaseN
otes
not allowing the NULL value. Because there is no default policy for these two attributes,they, in effect, do not really exist when a record is made, thus no validation is runagainst them. Therefore, a SUDO resource can be made without specifying theseattributes. However, once they have been set, for instance, to “-l” and “-a,” they nowexist and validation will be run against them. The problem occurs when a customer nowwishes to remove these arguments from the attributes. They now exist, have a value ofNULL, and fail validation. The work-around is to disable validation for these attributesor to modify the policy to allow NULL. (CMVC-114105)
4. Tivoli Policy Director user does not show up in GUI UserList on NT PD proxy. Pointingthe Group record dialog “Edit Member List” action to a PolicyDirector Connectionobject which runs on an NT box will return an Empty List. User can be added manuallyusing the wmodsec CLI. (CMVC-119479)
Version 3.8 Software Defects, Limitations, and WorkaroundsThis section describes known defects reported for Tivoli Security Manager, Version 3.8 thathave not yet been fixed. See the previous section for a list of defects reported prior to theTivoli Security Manager, Version 3.8 release that have not yet been fixed.
1. The Endpoint Audit Log Report task seems to hang in Tivoli Management Framework3.7.1. When the Endpoint Audit Log Report task is run in Tivoli ManagementFramework 3.7.1, it seems to hang when Display on Desktop option is selected. The taskmay eventually display the results after a very long time.(CMVC-121472)
Workaround: There is no workaround for this problem. However, if the Save to Fileoption is selected, it works. This is a Tivoli Management Framework related problem.The fix for this problem will be provided by a Tivoli Management Framework patch.
2. The Endpoint Audit Log Report task does not display the results if the PDOS audit logfiles are too big. (Limitation)
Workaround: If the PDOS audit log files are too big, then select the Archived AuditLogs option. In this case, you can specify the names of the PDOS audit log files whichwill be used to generate the report.
3. Distribution to Tivoli Policy Director Connection fails. Large scale distribution to TivoliPolicy Director Connection results in a core dump. This is due to some knowncorruption problems in BerkelyDB. (CMVC-126364)
Workaround: The distribution will be successful after cleaning up some BerkelyDBfiles. In order to do this, remove all the *.tbl and *.idx files in $DBDIR.
4. Populating a SecurityProfile after deleting and recreating it fails. Populating aSecurityProfile fails in the following scenario:
Create a SecurityProfile and populate it from an endpoint. The profile is successfullypopulated. Delete the SecurityProfile and recreate it using the same name. Now populatethe profile from the same endpoint. It fails saying that the records already exist.(CMVC-126643)
Workaround: There is no workaround for this problem. However, instead of deleting theprofile and recreating it, you can just delete all the records in the profile beforepopulating it again. This is a Tivoli Management Framework problem for which anAPAR exists (IY21796). The fix for this will be provided in a Tivoli ManagementFramework patch.
Software Defects, Limitations, and Workarounds Reported Prior to Version 3.8
14 Version 3.8
5. A security profile distributing to Tivoli ACF 3.6.2 HP 11 Tivoli management agentendpoint failed because Tivoli management agent 3.7 failed to maintain compatibilitywith Tivoli ACF 3.6.2 application. (CMVC-127231)
Workaround: Stop and restart lcfd using lcfd.sh shell script.
6. You must be careful when distributing policy from Tivoli Security Manager to aPolicyDirector Connection object. The following happens on the associated Tivoli PolicyDirector server: (CMVC 127276)
Assume a Tivoli Security Manager resource of PD:MANAGEMENT:/Management isdistributed to a Tivoli PolicyDirector object of type PD, which is configured to run underthe tsm_admin id.
a. The object /Management will get created if it does not exist.
b. If there is an ACL on this object, it will get detached.
c. An ACL named _Management will be created and attached with two entries:
¶ tsm_admin with a set of default actions put on by Tivoli Policy Director
¶ any-other with the set of requested actions.
The above example could seriously impact the ability of other users or groups if theywere on the original ACL. They would no longer have any rights for the /Managementobject. This must be considered when setting policy on any object.
7. Tivoli Security Manager GUI treats UX:FILE and UX:PROCESS as two distinctabstractions. However, Tivoli Policy Director for Operating Systems does not. It uses thesame Tivoli Policy Director object (/OSSEAL/<branch>/File/<target>) to keep track ofboth. So, in order to place “K” onto <target>, create UX:PROCESS:<target> and give it“Access.” Doing so will not interfere with the permissions placed on the object byUX:FILE:<target>. Because of this two-to-one mapping, care must be used if deletingeither UX:FILE:<target> or UX:PROCESS:<target>. If either one of these records isdeleted from a SecurityProfile and distributed, the underlying Tivoli Policy Directorobject and ACL will be removed. The other record will have to be distributed again inorder to recreate the object and ACL. (CMVC-128505)
8. Tivoli Policy Director Connection, Version 3.8 requires Tivoli Policy Director Runtimepatch 3.8-POL-0002. (CMVC-128786)
9. The following is an outline of what happens when distributing Resource and ResourceType policy to a PolicyDirector Connection object. This information is valid for all typesof PolicyDirector objects, such as PD, NET, WEB, and UX. The only difference will bethe branch name.
Individual Resource Record or ResType via SystemPolicy
a. Assume a Resource of UX:FILE:/test_file.
b. This is distributed to a PolicyDirector object configured as type UX with branchTSSM and user sec_master.
c. An object named /OSSEAL/TSSM/File/test_file will be created if it does not alreadyexist.
d. An ACL named TSSM_File_test_file will be created and attached to/OSSEAL/TSSM/File/test_file. Its entries will look similar to the following:
Version 3.8 Software Defects, Limitations, and Workarounds
15Tivoli® Security Manager Release Notes
1.R
eleaseN
otes
User sec_master TcmdbvaBAny-other T[OSSEAL]lrUnauthenticated T
Native object specified via the Role UXResAccess attribute or ResType via Role
a. Assume a Role record with TMEGroups=TBIT:test_grp andUXResAccess=FILE:/native_object perms(Delete, Read, Write).
b. This is distributed to a PolicyDirector object configured as type UX with branchTSSM and user sec_master.
c. If an object named /OSSEAL/TSSM/File/native_object exists, then an ACL namedTSSM_File_native_object will be created and attached to/OSSEAL/TSSM/File/native_object. Its entries will look similar to the following:
User sec_master TcmdvaBGroup test_grpT[OSSEAL]dlrw
d. Note that there are no entries for “Any-other” or “Unauthenticated.” If there are otherobjects below /OSSEAL/TSSM/File/native_object that Any-other, Unauthenticated, oreven different Groups need access to, then an entry that provides the “T” action mustbe provided on /OSSEAL/TSSM/File/native_object.
This can be accomplished by creating an individual Resource for /native_object,which will take care of Any-other and Unauthenticated. To grant just the “T” actionto Groups, they must be added to the Role and given the “No Access” permission.
For SystemPolicy, just drop the specific object name. So, in the above examples, theobject would be /OSSEAL/TSSM/File.
Version 3.8 Software Defects, Limitations, and Workarounds
16 Version 3.8
Printed in the United States of Americaon recycled paper containing 10%recovered post-consumer fiber.
GI11-0802-01