Tivoli SecureWay Security Manager Release Notes Version 3.7 November 10, 2000


Tivoli Security Management Release Notes (November, 2000)

Copyright Notice

© Copyright IBM Corporation 2000 All rights reserved. May only be used pursuant to a Tivoli Systems Software License Agreement, an IBM Software License Agreement, or Addendum for Tivoli Products to IBM Customer or License Agreement. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without prior written permission of IBM Corporation. IBM Corporation grants you limited permission to make hardcopy or other reproductions of any machine-readable documentation for your own use, provided that each such reproduction shall carry the IBM Corporation copyright notice. No other rights under copyright are granted without prior written permission of IBM Corporation. The document is not intended for production and is furnished “as is” without warranty of any kind. All warranties on this document are hereby disclaimed, including the warranties of merchantability and fitness for a particular purpose.

U.S. Government Users Restricted Rights—Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corporation.

Trademarks

IBM, the IBM logo, Tivoli, the Tivoli logo, AIX, AS/400, Cross-Site, NetView, OS/2, OS/390, OS/400, Policy Director, RACF, RS/6000, SecureWay, S/390, Tivoli Certified, Tivoli Enterprise, Tivoli Ready, and TME are trademarks or registered trademarks of International Business Machines Corporation or Tivoli Systems Inc. in the United States, other countries, or both.

Microsoft, Windows, Windows NT, Windows 2000, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

TACF Copyright © 1993-2000 by MEMCO Software Ltd., U.S. patent pending. All rights reserved.

Novell, NetWare, NetWare Directory Services, and NDS are trademarks of Novell, Inc.

Other company, product, and service names may be trademarks or service marks of others.

Notices

References in this publication to Tivoli Systems or IBM products, programs, or services do not imply that they will be available in all countries in which Tivoli Systems or IBM operates. Any reference to these products, programs, or services is not intended to imply that only Tivoli Systems or IBM products, programs, or services can be used. Subject to valid intellectual property or other legally protectable right of Tivoli Systems or IBM, any functionally equivalent product, program, or service can be used instead of the referenced product, program, or service. The evaluation and verification of operation in conjunction with other products, except those expressly designated by Tivoli Systems or IBM, are the responsibility of the user. Tivoli Systems or IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to the IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, New York 10504-1785, U.S.A.


Table of Contents

Additional Information
  Accessing Publications Online
  Ordering Publications
  Providing Feedback about Publications
  Contacting Customer Support
New Features
  Windows NT Computer and Desktop Settings Management
  Microsoft Windows 2000 Endpoint Support
  Enhanced Support for IBM AS/400 Endpoints
  SeOS 5.0 Support
  UNIX Password Synchronization with Tivoli SecureWay User Administration
  Microsoft Windows NT Domain Distribution Enhancements
  Referential Integrity Checking and Repair Capability
System Requirements
  Tivoli Servers and Managed Nodes
  Tivoli Endpoints
Installation Notes
  Prerequisites
  Other Tivoli Products
  Installing with the Tivoli Software Installation Service
  Additional Installation Information
  Uninstalling Security Manager after a Version 3.7 Upgrade Using SIS
Internationalization
  Enabling Language Support
  Tivoli SecureWay Security Manager, Version 3.7 Internationalization Issues
Patches Included in Version 3.7
Defects Fixed in Version 3.7
Software Defects, Limitations, and Workarounds Reported Prior to Version 3.7
  Tivoli SecureWay Security Manager
  TACF (MEMCO SeOS)
Version 3.7 Software Defects, Limitations, and Workarounds
  Tivoli Security Manager
  TACF (MEMCO SeOS)

1. Release Notes

This Release Notes document provides important information about the Tivoli SecureWay Security Manager, Version 3.7 release. These notes are the most current information for the product and take precedence over all other documentation.

Please review these notes thoroughly before installing or using this product.

You will notice that both Tivoli and TME 10 are used in some of our product information materials. These terms are interchangeable. We will be removing references to TME 10 in future product releases.

These release notes include the following topics:

• New Features
• System Requirements
• Installation Notes
• Internationalization
• Patches Included in Version 3.7
• Defects Fixed in Version 3.7
• Software Defects, Limitations, and Workarounds Reported Prior to Version 3.7
• Version 3.7 Software Defects, Limitations, and Workarounds

Additional Information

The following sections describe how to access publications online, order publications, provide feedback about publications and contact customer support.

Accessing Publications Online

The Tivoli Customer Support Web site (http://www.tivoli.com/support/) offers a guide to support services (the Customer Support Handbook); frequently asked questions (FAQs); and technical information, including release notes, user’s guides, redbooks, and white papers. You can access Tivoli publications online at http://www.tivoli.com/support/documents/. The documentation for some products is available in PDF and HTML formats. Translated documents are also available for some products.

To access most of the documentation, you need an ID and a password. To obtain an ID for use on the support Web site, go to http://www.tivoli.com/support/getting/.

Resellers should refer to http://www.tivoli.com/support/smb/index.html for more information about obtaining Tivoli technical documentation and support.

Business Partners should refer to “Ordering Publications” for more information about obtaining Tivoli technical documentation.

Ordering Publications

Order Tivoli publications online at http://www.tivoli.com/support/Prodman/html/pub_order.html or by calling one of the following telephone numbers:

• U.S. customers: (800) 879-2755
• Canadian customers: (800) 426-4968

Providing Feedback about Publications

We are very interested in hearing about your experience with Tivoli products and documentation, and we welcome your suggestions for improvements. If you have comments or suggestions about our products and documentation, contact us in one of the following ways:

• Send e-mail to [email protected].
• Fill out our customer feedback survey at http://www.tivoli.com/support/survey/.

Contacting Customer Support

If you need support for this or any Tivoli product, contact Tivoli Customer Support in one of the following ways:

• Submit a problem management record (PMR) electronically from our Web site at http://www.tivoli.com/support/reporting/. For information about obtaining support through the Tivoli Customer Support Web site, go to http://www.tivoli.com/support/getting/.

• Submit a PMR electronically through the IBMLink™ system. For information about IBMLink registration and access, refer to the IBM Web page at http://www.ibmlink.ibm.com.

• Send e-mail to [email protected].

• Customers in the U.S. can call 1-800-TIVOLI8 (1-800-848-6548).

• Customers outside the U.S. should refer to the Tivoli Customer Support Web site at http://www.tivoli.com/support/locations.html for customer support telephone numbers.

When you contact Tivoli Customer Support, be prepared to provide the customer number for your company so that support personnel can assist you more readily.

New Features

This section briefly describes changes and enhancements made to Tivoli SecureWay Security Manager, Version 3.7.

Windows NT Computer and Desktop Settings Management

Windows NT provides system-configurable settings that you can now manage using system policy and role records in Tivoli security profiles. You can learn more about this enhancement in the Tivoli SecureWay Security Manager User’s Guide: see “Setting Windows NT System Policy Attributes” in Chapter 5 and “NT System Policy Attributes” in Appendix C. Three areas of functionality are provided:

• Management of registry values for the default user and default computer by setting (distributing) and reading (populating) registry values. The set of computers to which the settings are applied during a distribute is the set of targets to which the profile is distributed (like most distributes). All work is done with the system registry. No system policy files are read or updated. This functionality is primarily used to support the management of machines where policies are stored locally in the registry (instead of downloaded from domain controllers).

• Management of default user and computer policy by modifying (distributing) and reading (populating) system policy files. This functionality primarily supports network environments where default policies are read from files instead of the registry.

• Management of group-specific policy by extending the management of system policy files to include the setting of group-specific policies. Changes are made to system policy files since group policies cannot be stored in the registry.

Microsoft Windows 2000 Endpoint Support

Tivoli SecureWay Security Manager, Version 3.7 now manages Windows 2000 endpoints. A full description of this functionality is provided in a user’s guide supplement entitled Tivoli SecureWay Security Manager Supplement for Microsoft Windows 2000.

Enhanced Support for IBM AS/400 Endpoints

Tivoli SecureWay Security Manager, Version 3.7 includes enhanced support for AS/400 endpoints. A full description of this functionality is provided in a user’s guide supplement entitled Tivoli SecureWay Security Manager Supplement for AS/400. Improvements include:

• Tivoli SecureWay Security Manager for AS/400, Version 3.7, Server now supports role template populates, and also supports group and user accessor types.

• OS/400 native DB/2 table processing performance enhancements. The AS/400 endpoint uses native DB/2 tables to store state information concerning security profile records. This state information is then processed to make the actual security changes on the endpoint. Previously, all records in the state information were processed no matter how many records were received. This was causing an action similar to Exact Copy to occur every time a distribution occurred. Now, only those records that were changed are processed.

SeOS 5.0 Support

Tivoli Access Control Facility (TACF), Version 3.7 is upgraded to the SeOS 5.0 level. This level includes daemon enhancements and a number of other changes. However, the resource management capability exposed through the Tivoli SecureWay Security Manager interface remains the same as that provided in TACF 3.6.2.

UNIX Password Synchronization with Tivoli SecureWay User Administration

These synchronization enhancements are only operational when Tivoli SecureWay Security Manager, Version 3.7 and Tivoli SecureWay User Administration, Version 3.7 are both installed. Additional information regarding password synchronization between these products will be available in Tivoli SecureWay User Administration, Version 3.7 documentation. The following enhancements have been added:

• Support for server-side password quality checks. When a UNIX password is changed in Tivoli SecureWay User Administration, the password quality policy that is defined in the relevant Tivoli SecureWay Security Manager security profile system policy record can now be used to validate the quality of the password. This prevents the password from failing quality checks at each endpoint when a password change is distributed.

• Synchronization of UNIX password updates in environments in which both the Tivoli Access Control Facility (TACF), Version 3.7 and Tivoli SecureWay User Administration, Version 3.7 are installed. In prior releases, when Tivoli SecureWay User Administration and TACF were both used, users had to use the TACF sepass utility to change passwords if they wanted to take advantage of TACF password quality checks and grace login policy. If they used wpasswd to change passwords across multiple platforms, these quality-checking advantages were not realized on UNIX platforms. In Tivoli SecureWay Security Manager, Version 3.7, when Tivoli SecureWay User Administration, Version 3.7 and TACF, Version 3.7 are both used, the user should ONLY use wpasswd to change passwords.

Microsoft Windows NT Domain Distribution Enhancements

In prior releases of Tivoli SecureWay Security Manager, security profiles had to be distributed first to the Windows NT primary domain controller (PDC), and then to backup domain controllers (BDCs), additional servers and workstations. This is because, in the case of BDCs, the local groups, and in the case of other NT servers and workstations, the global groups have to be created on the PDC before they can be referenced by non-PDC endpoints. Similarly, in a multi-domain environment, the security profile must be distributed first to the PDC of the master domain so that the resource domains can reference them later. In Tivoli SecureWay Security Manager, Version 3.7, you can distribute to all the NT endpoints in all the domains at the same time. This is accomplished by setting two new profile attributes that specify a domain list and a time out value. You can learn more about this enhancement by reading the section entitled “Setting Profile Level Attributes” in Chapter 3 of the Tivoli SecureWay Security Manager User’s Guide.

Referential Integrity Checking and Repair Capability

A new CLI command, wchksec, provides a means of checking and repairing references between Tivoli SecureWay Security Manager, Version 3.7 security profile records. You can learn more about this enhancement by reading the wchksec command description in Appendix B of the Tivoli SecureWay Security Manager User’s Guide.

System Requirements

This section describes the system requirements, including software and hardware, for each of the following resources in the Tivoli environment:

• Tivoli servers and managed nodes
• Tivoli endpoints
• Supported NT node configurations

Tivoli products that support Windows 3.x, Windows 95, Windows 98, Windows NT, OS/2, and NetWare must be installed on an IBM PC AT-compatible machine. Tivoli does not support platforms (such as the NEC PC 98xx series) that are not 100% compatible with the IBM PC AT.

Tivoli Servers and Managed Nodes

Hardware Requirements

The following tables list the estimated disk space required for Tivoli SecureWay Security Manager, Version 3.7 on the supported systems. This is in addition to the space required for the Tivoli Framework.

Note: Tivoli strongly recommends you do not share the Tivoli Security Manager files across Tivoli Management Region (TMR) boundaries. Upgrading to future releases and installing Tivoli service packs cannot be completed on a TMR-by-TMR basis if these files are shared across TMR boundaries.

Table 1. Tivoli SecureWay Security Manager, Version 3.7

Platform    Server Database  Managed Node Database  Binaries  Other*   Total for Server  Total for Managed Node
AIX 4.x     0.93 MB          0.06 MB                49.49 MB  0.79 MB  51.21 MB          50.34 MB
HP-UX       0.93 MB          0.06 MB                43.10 MB  0.79 MB  44.82 MB          43.95 MB
Solaris     0.93 MB          0.06 MB                37.09 MB  0.79 MB  38.81 MB          37.94 MB
Windows NT  0.93 MB          0.06 MB                30.68 MB  0.80 MB  32.41 MB          31.54 MB

*Includes Message Catalogs (0.33 MB), Audit Report Tasks (0.24 MB), Libraries (0.01 MB) and Man Pages (0.22 MB for Windows NT and 0.21 MB for others).

Table 2. Tivoli SecureWay Security Manager for NT, Version 3.7, Gateway

Platform    Gateway Files  Database  Binaries  Total
AIX 4.x     0.74 MB        0.01 MB   0.03 MB   0.78 MB
HP-UX       0.74 MB        0.01 MB   0.03 MB   0.78 MB
Solaris     0.74 MB        0.01 MB   0.03 MB   0.78 MB
Windows NT  0.74 MB        0.01 MB   0.03 MB   0.78 MB

Table 3. Tivoli SecureWay Security Manager for Windows 2000, Version 3.7, Server

Platform    Server Database
AIX 4.x     0.13 MB
HP-UX       0.13 MB
Solaris     0.13 MB
Windows NT  0.13 MB

Table 4. Tivoli SecureWay Security Manager for Windows 2000, Version 3.7, Gateway

Platform    Gateway Files  Database  Binaries  Total
AIX 4.x     0.74 MB        0.01 MB   0.03 MB   0.78 MB
HP-UX       0.74 MB        0.01 MB   0.03 MB   0.78 MB
Solaris     0.74 MB        0.01 MB   0.03 MB   0.78 MB
Windows NT  0.74 MB        0.01 MB   0.03 MB   0.78 MB

Table 5. Tivoli SecureWay Security Manager for AS/400, Version 3.7, Server

Platform    Server Database  Audit Report Tasks  Message Catalogs  Total
AIX 4.x     0.14 MB          0.03 MB             0.01 MB           0.45 MB
HP-UX       0.14 MB          0.03 MB             0.01 MB           0.45 MB
Solaris     0.14 MB          0.03 MB             0.01 MB           0.45 MB
Windows NT  0.14 MB          0.03 MB             0.01 MB           0.45 MB

Table 6. Tivoli SecureWay Security Manager for AS/400, Version 3.7, Gateway

Platform    Gateway Files
AIX 4.x     4.53 MB
HP-UX       4.53 MB
Solaris     4.53 MB
Windows NT  4.53 MB

Table 7. Tivoli SecureWay Security Manager for TACF, Version 3.7, Managed Node

Platform  Database  Libraries  Binaries  Total
AIX 4.x   0.01 MB   1.90 MB    1.50 MB   3.41 MB
HP-UX     0.01 MB   4.12 MB    1.01 MB   5.14 MB
Solaris   0.01 MB   4.82 MB    0.90 MB   5.73 MB

Note: The TACF files must be installed on a local file system. These files cannot be shared. However, on managed nodes the TACF man pages are stored in the same directory structure as the Tivoli Framework man pages. The size of the TACF database (included in the table in the Binaries column) will grow over time, similar to the Tivoli object database.

Table 8. Tivoli SecureWay Security Manager for TACF, Version 3.7, Gateway

Platform    Gateway Files  Binaries  Database  Total
AIX 4.x     16.18 MB       0.03 MB   0.01 MB   16.22 MB
HP-UX       16.18 MB       0.03 MB   0.01 MB   16.22 MB
Solaris     16.18 MB       0.03 MB   0.01 MB   16.22 MB
Windows NT  16.18 MB       0.03 MB   0.01 MB   16.22 MB

Table 9. TACF, Version 3.7

Platform  TACF Files  Binaries  Man Pages  Total
AIX 4.x   22.96 MB    0.17 MB   0.42 MB    23.55 MB
HP-UX     53.04 MB    0.37 MB   0.42 MB    53.83 MB
Solaris   37.55 MB    0.15 MB   0.42 MB    38.12 MB

Table 10. TACF Tasks, Monitors, and Event Integration, Version 3.7

Supported Platform  Task Files  Binaries  Database  Message Catalogs  Total
AIX 4.x             0.23 MB     0.03 MB   0.07 MB   0.02 MB           0.35 MB
HP-UX               0.23 MB     0.03 MB   0.07 MB   0.02 MB           0.35 MB
Solaris             0.23 MB     0.03 MB   0.07 MB   0.02 MB           0.35 MB
Windows NT          0.23 MB     0.03 MB   0.07 MB   0.02 MB           0.35 MB

Software Requirements

This section contains information about the supported operating system versions and required patches for each supported hardware architecture. Tivoli does not distribute or maintain operating system patches from other vendors. Please contact your operating system vendor for information on obtaining and installing operating system patches.

Tivoli SecureWay Security Manager, Version 3.7, (except for the TACF component) runs on all the operating systems supported by Tivoli Framework, Version 3.6.3. However, Security Manager can only manage UNIX clients that are supported by TACF (see note below). See the Tivoli Framework release notes for a list of the supported operating systems and required patches.

Notes:

• NT servers and workstations managed by Tivoli SecureWay Security Manager must be configured into a domain.

• Tivoli SecureWay Security Manager, Version 3.7 supports Windows 2000, NetWare, OS/2, OS/390 and OS/400 as endpoints only. See “Tivoli Endpoints” on page 12 for specific information regarding supported versions.

Table 11. TACF Installation Utilities, Version 3.7

Supported Platforms  Binaries  Server Database  Managed Node Database  Message Catalogs  Other    Total for Server  Total for Managed Node
AIX 4.x              2.31 MB   0.06 MB          0.01 MB                0.01 MB           0.63 MB  3.01 MB           2.96 MB
HP-UX                2.40 MB   0.06 MB          0.01 MB                0.01 MB           0.63 MB  3.10 MB           3.05 MB
Solaris              1.54 MB   0.06 MB          0.01 MB                0.01 MB           0.63 MB  2.24 MB           2.19 MB
Windows NT           3.02 MB   0.06 MB          0.01 MB                0.01 MB           0.63 MB  3.72 MB           3.67 MB

Tivoli SecureWay Security Manager, Version 3.7, and TACF 3.7 servers and managed nodes run on the following operating systems:

Platform    Operating Systems
AIX         IBM RS/6000 series running AIX 4.2.1, 4.3, 4.3.1, 4.3.2, or 4.3.3
HP-UX       HP9000/700 and 800 series running HP-UX 10.2 or HP-UX 11 (see note)
OS/390      IBM S/390 running V1R3, V2R4, V2R5, V2R6, V2R7, or V2R8 (see note)
Solaris     Sun SPARC series running Solaris 2.6, 7.0, or 8.0 (see note)
Windows NT  IBM-compatible PCs, 80486 or higher, running Microsoft Windows NT 3.51, Service Pack 5, Windows NT 3.51, Service Pack 9, Windows NT 4.0, Service Pack 4, or Windows NT 4.0, Service Pack 5

Notes:

• TACF 3.7 supports AIX 4.3.3, which was supported in a patch in version 3.6.2.

• TACF support for HP-UX 11 (both 32 and 64 bit), Solaris 7 (64 bit) and Solaris 8 (both 32 and 64 bit) is not included on the TACF 3.7 CD (LK3T-5780). A TACF 3.7 patch will be provided in December 2000 to support these platforms. Contact your Tivoli Service Representative to obtain this patch.

• To use OS/390 as the management server for Tivoli SecureWay Security Manager, or to manage access control data in the OS/390 Security Server (RACF), it is necessary to obtain a separately licensed product. Contact your Tivoli Systems representative for details about Tivoli SecureWay Security Manager for OS/390 (5698-SCM).

Tivoli Endpoints

Software Requirements

The following table lists the supported operating systems for Tivoli SecureWay Security Manager, Version 3.7 endpoints:

Platform      Operating Systems
AIX           IBM RS/6000 series running AIX 4.2.1, 4.3, 4.3.1, 4.3.2, or 4.3.3
HP-UX         HP9000/700 and 800 series running HP-UX 10.2 or HP-UX 11 (see note)
NetWare       A NetWare-compatible system running NetWare 4.1, 4.11, 4.2, or 5.0 (see note)
OS/2          IBM-compatible PCs, 80486 processor or higher, running OS/2 Warp V3, OS/2 Warp V4, WSOD V4R2, WSOD R2 Win32, or OS/2 Warp Server for e-business (see note)
OS/390        Endpoint only, IBM S/390 running Resource Access Control Facility (RACF) V1R3 through V2R10 (see note)
OS/400        IBM AS/400 running V3R2, V4R1, V4R2, V4R3, V4R4
Solaris       Sun SPARC series running Solaris 2.6, 7.0, or 8.0 (see note)
Windows NT    IBM-compatible PCs, 80486 processor or higher, running Microsoft Windows NT 3.51, Service Pack 5, Windows NT 3.51, Service Pack 9, Windows NT 4.0, Service Pack 4, or Windows NT 4.0, Service Pack 5
Windows 2000  IBM-compatible PCs, 80486 or higher, running Microsoft Windows 2000

Notes:

• TACF support for HP-UX 11 (both 32 and 64 bit), Solaris 7 (64 bit) and Solaris 8 (both 32 and 64 bit) is not included on the TACF 3.7 CD (LK3T-5780). A TACF 3.7 patch will be provided in December 2000 to support these platforms. Contact your Tivoli Service Representative to obtain this patch.

• To manage access control data in the OS/390 Security Server (RACF) it is necessary to obtain a separately licensed product. Contact your Tivoli Systems representative for details about Tivoli SecureWay Security Manager for OS/390 (5698-SCM).

Installation Notes

This section summarizes prerequisite steps and other information needed for a successful installation of Tivoli SecureWay Security Manager, Version 3.7.

Tivoli SecureWay Security Manager contains several modules that are installed separately. The authorization role for installing each of these modules is install_product.

Note: Any object created during installation is important and should not be deleted from the desktop. You can remove it, but do not delete it. If you want to uninstall an application, use the wuninst utility.

The following full installation modules are part of Tivoli SecureWay Security Manager, Version 3.7:

• Tivoli SecureWay Security Manager, Version 3.7
• Tivoli SecureWay Security Manager, Version 3.7, Gateway
• Tivoli Access Control Facility (TACF), Version 3.7
• TACF Installation Utilities, Version 3.7 (for installing TACF on UNIX endpoints)
• TACF Tasks, Monitors, and Event Integration, Version 3.7
• Tivoli SecureWay Security Manager for AS/400, Version 3.7, Server
• Tivoli SecureWay Security Manager for AS/400, Version 3.7, Gateway
• Tivoli SecureWay Security Manager for Windows 2000, Version 3.7, Server
• Tivoli SecureWay Security Manager for Windows 2000, Version 3.7, Gateway

The following upgrade modules are part of Tivoli SecureWay Security Manager, Version 3.7:

• Tivoli SecureWay Security Manager Upgrade, Version 3.6/3.6.1/3.6.2 to 3.7
• Tivoli Access Control Facility (TACF) Upgrade, Version 3.6/3.6.1/3.6.2 to 3.7
• TACF Installation Utilities Upgrade, Version 3.6/3.6.1/3.6.2 to 3.7 (for installing TACF on UNIX endpoints)
• TACF Tasks, Monitors, and Event Integration Upgrade, Version 3.6/3.6.1/3.6.2 to 3.7
• Tivoli SecureWay Security Manager for AS/400 Upgrade, Version 3.6/3.6.1/3.6.2 to 3.7, Server
• Tivoli SecureWay Security Manager for AS/400 Upgrade, Version 3.6/3.6.1/3.6.2 to 3.7, Gateway

Prerequisites

Refer to the Tivoli Framework User’s Guide and the Tivoli Framework Release Notes for details about the Framework and information about operating system patches needed to run the Tivoli Framework.

For proper operation of Windows NT managed nodes, Tivoli SecureWay Security Manager, Version 3.7 requires a Tivoli Framework patch appropriate to the version of Tivoli Framework that you are running. Tivoli Framework 3.6.3 requires patch 3.6.3-TMF-0010. Tivoli Framework 3.6.4 requires patch 3.6.4-TMF-0005. Tivoli Framework 3.7 requires patch 3.7-TMF-0006.

When upgrading Tivoli Framework on UNIX machines on which TACF is installed, you must perform additional steps for a successful upgrade. For more information, see “Upgrading to Tivoli Framework, Version 3.6.3, on UNIX Machines with TACF Installed” on page 17.

Tivoli SecureWay Security Manager is a prerequisite for using the TACF Tasks, Monitors, and Event Integration product. You can, however, install these modules in any order.

If you wish to install TACF onto a TMR server, it should be installed using the managed node installation. This ensures that TACF is configured properly to allow programs such as the oserv to access required resources.

Tivoli SecureWay Security Manager for AS/400, Version 3.7, Gateway requires AS/400 patch 3.6.2-OS4-0001. This patch provides an AS/400 Tivoli management agent required for populating from AS/400 endpoints.

Other Tivoli Products

The Tivoli products listed in this section are optional. Tivoli User Administration can be used to manage users and link them with security group records. Tivoli Distributed Monitoring and Tivoli Enterprise Console must be installed to use all of the features of the TACF Tasks, Monitors, and Event Integration modules.

The following table lists the versions and patches of the Tivoli products that Tivoli SecureWay Security Manager supports:

Product                        Release                   Patches
Tivoli User Administration     3.6, 3.6.1, 3.6.2         None required
Tivoli Distributed Monitoring  3.6, 3.6.1, 3.6.2         None required
Tivoli Enterprise Console      3.6, 3.6.1, 3.6.2, 3.6.3  None required

Note: For the Tivoli Enterprise Console (TEC) server to receive events from the TACF monitors, you must install Tivoli Distributed Monitoring on your TEC server. Be sure to install TEC and Distributed Monitoring before you install TACF Tasks, Monitors, and Event Integration. If you install TME 10 Enterprise Console and Tivoli Distributed Monitoring after TACF Tasks, Monitors, and Event Integration, you must re-install TACF Tasks, Monitors, and Event Integration.

Installing with the Tivoli Software Installation Service

Tivoli Software Installation Service (SIS) is a product that can install multiple Tivoli products on multiple systems in parallel. This Java-based product can, therefore, install more products on more systems in much less time than the Framework’s installation facility. SIS performs product prerequisite checks and, if defined, user-specified prerequisite checks, ensuring as few installation failures as possible. In most cases, failures now occur only when machines are turned off or removed from the network.

SIS also creates an install repository (IR) into which you can import the installation image of one or more Tivoli products. You can import only those interpreter (operating system) types needed in your environment, which saves you disk space and import time. The IR is then the source of all your Tivoli installations. You can even share a single IR across multiple TMRs.

Tivoli recommends upgrading the Framework installation facility in your current Tivoli installation by installing SIS. If you are installing Tivoli for the first time, install SIS on the first managed node running an SIS-supported operating system. After SIS is installed, you should use SIS to install other Tivoli products.

See the Tivoli Software Installation Service User’s Guide for instructions on how to install SIS in your Tivoli installation and how to install products using SIS.

Additional Installation Information

Tivoli SecureWay Security Manager; Tivoli SecureWay Security Manager Gateways; TACF Installation Utilities; TACF; and TACF Tasks, Monitors, and Event Integration can be installed on managed nodes and endpoints as described in the Tivoli SecureWay Security Manager User’s Guide. The subsections in this section provide information that is not included in the Tivoli SecureWay Security Manager User’s Guide.

Upgrading to Tivoli Framework, Version 3.6.3, on UNIX Machines with TACF Installed

When upgrading the Tivoli Framework on UNIX servers and managed nodes on which TACF is installed, or when upgrading Tivoli endpoints on which TACF is installed, you must perform the following steps for a successful upgrade:


1. Make root a TACF administrator. To do this, use the Add/Remove TACF Administrator/Auditor task in the Security Manager TACF Tasks task library.

2. Stop the TACF daemons using the Stop TACF Servers task.

3. Perform the Tivoli Framework or Tivoli endpoint upgrade. For more information about how to do this, see the Tivoli Framework Planning and Installation Guide and the Tivoli Framework Release Notes.

4. As root, use the selang -l utility to explicitly retrust oserv (and possibly task_endpoint) on a server or managed node, or to retrust lcfd on an endpoint. This is illustrated in the following examples.

For a server or managed node running TACF, Version 3.2, or running TACF, Version 3.6, 3.6.1, or 3.6.2 that has previously been upgraded from TACF, Version 3.2, run the following CLI commands:

/usr/seos/bin/selang -l
TACF> cr PROGRAM /path/oserv trust
TACF> cr PROGRAM /path/task_endpoint trust
TACF> quit

For a server or managed node running TACF, Version 3.6, 3.6.1, or 3.6.2 that has not been upgraded from TACF, Version 3.2, run the following CLI commands:

/usr/seos/bin/selang -l
TACF> cr PROGRAM /path/oserv trust
TACF> quit

For an endpoint:

/usr/seos/bin/selang -l
TACF> cr PROGRAM /path/lcfd trust
TACF> quit

Note: You can create a task to perform the retrust on all of the UNIX machines on which programs must be retrusted.

5. Restart the TACF daemons using the Start TACF Servers task.

Note: You can now remove the TACF administrator role from root using the Add/Remove TACF Administrator/Auditor task in the Security Manager TACF Tasks task library.

Migration from SeOS

The TACF installation process supports migration from SeOS Version 2.5, including SeOS, Version 2.5 with Service Packs 1, 2, or 3. Use the winstall and winsttacf commands or the GUI to install TACF. Migration is handled automatically during the installation process.

For automatic migration to occur on endpoints, the following conditions must be true:

• root is defined as an administrator

• SeOS is not running (the daemons have been stopped)

There are no special requirements for automatic migration on managed nodes.

For more information on installing TACF, see the Tivoli SecureWay Security Manager User’s Guide.

Disabling Automatic TACF Startup

The TACF installation allows you to select automatic start-up of TACF on system reboot. The following commands disable and reenable automatic TACF start-up for Solaris, HP and AIX operating systems.

Note: You must run all commands as root.

• TACF disable command for Solaris:

rm /etc/rc2.d/S99SEOS

• TACF reenable command for Solaris:

cp -p /usr/seos/bin/S99SEOS /etc/rc2.d/S99SEOS

• TACF disable command for HP:

rm /sbin/rc2.d/S890seos

• TACF reenable command for HP:

ln -s /sbin/init.d/rc.SEOS.base /sbin/rc2.d/S890seos

• TACF disable command for AIX:

rmitab "seos"

• TACF reenable command for AIX:

mkitab seos:2:once:/user/seos/rc.SeOS.base
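
The boot hooks that these commands create or remove can be audited without starting or stopping TACF. The following shell function is an added example, not part of the release notes; the function name, the optional root prefix (for running against a test fixture), and the state names are assumptions.

```sh
#!/bin/sh
# Added example (not from the release notes): report whether TACF will start
# at boot, based on the boot hooks named in the commands above.
# The second argument is an assumed optional path prefix so the check can run
# against a test fixture; on a live host leave it empty.

# tacf_autostart_state OS [ROOT]
# OS is the value of `uname -s`. Prints one of:
#   enabled      hook present and the script it starts exists
#   disabled     hook absent (or the AIX inittab action is "off")
#   broken       hook present but empty, dangling, or pointing at a missing script
#   unsupported  platform not covered by the commands above
tacf_autostart_state() {
    os=$1
    root=${2:-}
    case "$os" in
        SunOS)
            # Solaris: a copy of /usr/seos/bin/S99SEOS placed in /etc/rc2.d
            hook="$root/etc/rc2.d/S99SEOS"
            if [ ! -e "$hook" ] && [ ! -L "$hook" ]; then
                echo disabled
            elif [ -s "$hook" ]; then
                echo enabled
            else
                echo broken
            fi
            ;;
        HP-UX)
            # HP-UX: a symlink in /sbin/rc2.d to /sbin/init.d/rc.SEOS.base
            hook="$root/sbin/rc2.d/S890seos"
            if [ ! -e "$hook" ] && [ ! -L "$hook" ]; then
                echo disabled
            elif [ -e "$hook" ]; then       # -e follows the symlink
                echo enabled
            else
                echo broken                 # symlink exists, target does not
            fi
            ;;
        AIX)
            # AIX: an /etc/inittab record "seos:<runlevel>:<action>:<command>"
            entry=$(grep '^seos:' "$root/etc/inittab" 2>/dev/null | head -n 1) || entry=""
            if [ -z "$entry" ]; then
                echo disabled
                return 0
            fi
            action=$(printf '%s\n' "$entry" | cut -d: -f3)
            script=$(printf '%s\n' "$entry" | cut -d: -f4- | cut -d' ' -f1)
            if [ "$action" = off ]; then
                echo disabled
            elif [ -f "$root$script" ]; then
                echo enabled
            else
                echo broken
            fi
            ;;
        *)
            echo unsupported
            ;;
    esac
}

# On a live host, run as root:
#   tacf_autostart_state "$(uname -s)"
```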

Upgrading Tivoli SecureWay Security Manager

All Tivoli SecureWay Security Manager, Version 3.7 components can be installed as upgrades to Tivoli SecureWay Security Manager, Version 3.6, 3.6.1, or 3.6.2 components. The steps required to upgrade Tivoli SecureWay Security Manager components on managed nodes are similar to the steps required to install the products for the first time. The key difference is that instead of installing the product, you are installing a patch for the product. You can upgrade the products from either the desktop or the command line. After upgrading TACF from Version 3.6 or 3.6.1 to Version 3.6.2, be sure to reboot all upgraded systems.

Notes:

• Tivoli SecureWay Security Manager, Versions 3.6, 3.6.1, 3.6.2, and 3.7 support gateways and endpoints. To implement gateway support, you must install Tivoli SecureWay Security Manager Gateway.

• When you upgrade Tivoli SecureWay Security Manager to Version 3.7 on UNIX endpoints, you must also upgrade the TACF software to Version 3.7. Special instructions for upgrading TACF are provided in the Tivoli SecureWay Security Manager User’s Guide. Do not run a previous version of one product with Version 3.7 of the other on the same endpoint.

• If you have an earlier version of TACF installed on your TMR (managed node or endpoint), you should first upgrade that to 3.7 before installing TACF 3.7 to any new endpoints or managed nodes on the same TMR.

Note: TACF 3.7 does not support the HP-UX 11 platform and the 64 bit version of Solaris 7, which were supported by TACF 3.6.2. A TACF 3.7 patch will be provided in December 2000 to support HP-UX 11 (both 32 and 64 bit), Solaris 7 (64 bit) and Solaris 8 (both 32 and 64 bit). Contact your Tivoli Service Representative to obtain this patch.


• Before you upgrade TACF on HP-UX, make sure selogrd is not running. You can stop selogrd using the “Stop TACF Servers” TACF task.

• Before upgrading an AS/400 endpoint or a system that manages AS/400 endpoints to Tivoli SecureWay Security Manager, Version 3.7, examine all 3.6.2 profiles with OS4 resource records. If any of these records have DefAccess set to None, change the DefAccess setting to No Access. See the error description on page 39 for a discussion of how to avoid potential problems and how to correct problems if they do occur.

• On AS/400 endpoints, local copies of security profiles are kept in native AS/400 database tables. When you upgrade AS/400 endpoints, any database tables remaining from a previous version of Tivoli SecureWay Security Manager must be deleted. Deleting these tables does not affect the endpoint. To delete the tables, run the following series of commands on each AS/400 endpoint running Tivoli SecureWay Security Manager (when you issue the DLTJRN command, you will receive a warning message that can be safely ignored):

QSYS/ENDJRNAP FILE(*ALL) JRN(QUSRSYS/QLCFJRN)
QSYS/ENDJRNPF FILE(*ALL) JRN(QUSRSYS/QLCFJRN)
DLTF FILE(QUSRSYS/WLCF*)
DLTJRN JRN(QUSRSYS/QLCFJRN)
DLTJRNRCV JRNRCV(QUSRSYS/QLCFJR*)

See Chapter 2 of the Tivoli SecureWay Security Manager User’s Guide for detailed instructions on upgrading Tivoli SecureWay Security Manager products.

Upgraded Dialogs in Security Manager Version 3.6.1

To support some of the new features in Security Manager, Version 3.6.1, the following dialogs on the SecurityProfileGui presentation object were upgraded:

• RoleNTResAccRight
• RoleNTTMEResAccRight
• RoleNTResList
• RoleNTTMEResList
• RoleUNIXResAccRight
• RoleUNIXTMEResAccRight
• RoleUNIXResList
• RoleUNIXTMEResList
• ResDefAccess
• ResAccessAuditCtrl
• RoleNames

This upgrade process overwrites AEF customizations to these dialogs. The wcatcher command finds customizations that you have made, and the wmrgaef command reapplies these changes to the new dialogs. For more information on these commands, please see the Tivoli Framework Reference Manual.

Upgraded Dialogs in Security Manager Version 3.6.2

To support some of the new features in Version 3.6.2, the following dialogs on the SecurityProfileGui presentation object were upgraded in Security Manager, Version 3.6.2:

Group Record

• GrpGlobalAuditCtrl
• GrpGlobalLoginTime
• GrpNTAuditCtrl
• GrpNTLoginTime
• GrpNTUserList
• GrpNames
• GrpTMERoleAssign
• GrpTMEUserList
• GrpUNIXAuditCtrl
• GrpUNIXLoginTime
• GrpUNIXUserList

Role Record

• RoleNTGroupList
• RoleNTResAccAudit
• RoleNTResAccRight
• RoleNTResList
• RoleNTResTypeAccRight
• RoleNTTMEResAccAudit
• RoleNTTMEResAccRight
• RoleNTTMEResList
• RoleNames
• RoleTMEGroupList
• RoleUNIXGroupList
• RoleUNIXResAccRight
• RoleUNIXResList
• RoleUNIXResTypeAccRight
• RoleUNIXTMEResAccRight
• RoleUNIXTMEResList

Resource Record

• ResAccessAuditCtrl
• ResAccessTime
• ResAuditCtrl
• ResDefAccess
• ResMembers
• ResResType
• ResTCPAccess

System Policy Record

• SysPolGlobalLoginPol
• SysPolGlobalPasswordPol
• SysPolNTEventTypeAudPol
• SysPolNTLoginPol
• SysPolNTPasswordPol
• SysPolNTResTypeAccPol
• SysPolUNIXLoginPol
• SysPolUNIXPasswordPol
• SysPolUNIXResTypeAccPol

Populate

• SecProPopulate

This upgrade process overwrites AEF customizations you have made to these dialogs. The wcatcher command finds customizations that you have made, and the wmrgaef command reapplies these changes to the new dialogs. For more information on these commands, see the Tivoli Framework Reference Manual.

Upgraded Dialogs in Security Manager Version 3.7

To support some of the new features in version 3.7, the following dialogs on the SecurityProfileGui presentation object are upgraded in Tivoli SecureWay Security Manager, Version 3.7:

Group Record

• GrpGlobalAuditCtrl
• GrpGlobalLoginTime
• GrpNTAuditCtrl
• GrpNTLoginTime
• GrpNTUserList
• GrpNames
• GrpTMERoleAssign
• GrpTMEUserList
• GrpUNIXAuditCtrl
• GrpUNIXLoginTime
• GrpUNIXUserList

Role Record

• RoleNTGroupList
• RoleNTResAccAudit
• RoleNTResAccRight
• RoleNTResList
• RoleNTResTypeAccRight
• RoleNTTMEResAccAudit
• RoleNTTMEResAccRight
• RoleTMEResList
• RoleNames
• RoleTMEGroupList
• RoleUNIXGroupList
• RoleUNIXResAccRight
• RoleUNIXResList
• RoleUNIXResTypeAccRight
• RoleUNIXTMEResAccRight
• RoleUNIXTMEResList

Resource Record

• ResAccessAuditCtrl
• ResAccessTime
• ResAuAccess
• ResAuAccessAudit
• ResAuditCtrl
• ResCoAccess
• ResCoAccessAudit
• ResDefAccess
• ResHolidayDates
• ResIacAccess
• ResIacAccessAudit
• ResMembers
• ResNwAccess
• ResNwAccessAudit
• ResResType
• ResSUDO
• ResShareProps
• ResSysAccess
• ResSysAccessAudit
• ResTCPAccess

System Policy Record

• SysPolGlobalLoginPol
• SysPolGlobalPasswordPol
• SysPolGlobalChgPwdPol
• SysPolNTEventTypeAudPol
• SysPolNTLoginPol
• SysPolNTPasswordPol
• SysPolNTChgPwdPol
• SysPolNTResTypeAccPol
• SysPolUNIXEventTypeAudPol
• SysPolUNIXLoginPol
• SysPolUNIXPasswordPol
• SysPolUNIXChgPwdPol
• SysPolUNIXResTypeAccPol

Populate

• SecProPopulate

This upgrade process overwrites AEF customizations you have made to these dialogs. The wcatcher command finds customizations that you have made, and the wmrgaef command reapplies these changes to the new dialogs. For more information on these commands, see the Tivoli Framework Reference Manual.

New Dialogs in Security Manager Version 3.7

To support some of the new features in version 3.7, the following new dialogs have been added to the SecurityProfileGui presentation object in Tivoli SecureWay Security Manager, Version 3.7:

Role Record

• RoleNTDesktopSettings

Resource Record

• ResPgmInfo

System Policy Record

• NTCompNtwk
• NTCompNtEventLog
• NTCompNtNtwk
• NTCompNtPrinter
• NTCompNtRa
• NTCompNtShell
• NTCompNtSys
• NTDeskCtrlPnl
• NTDeskDesk
• NTDeskNtShell
• NTDeskNtSys
• NTDeskShell
• NTDeskSys
• SysPolNTDesktopSettings
• SysPolNTComputerSettings
• SysPolTMEAccountList

Populate

• SecProPopulate

Uninstalling Security Manager after a Version 3.7 Upgrade Using SIS

To uninstall Tivoli SecureWay Security Manager components after upgrading to Version 3.7 from a previous version using SIS, perform the steps listed in the following sections. These steps assume that /data/Tivoli is your top-level platform installation directory and that /data is your top-level TACF installation directory. These steps remove the entire Tivoli SecureWay Security Manager product.

Uninstalling Security Manager Gateway

To uninstall Security Manager Gateway, run the following CLI commands:

1. wuninst SECMGTGW $server -rmfiles
2. rm $BINDIR/.installed/SECMGTGW_*_BIN
3. rm $BINDIR/../lcf_bundle/.installed/SECMGTGW_*_LCF
4. rm /data/Tivoli/msg_cat/.installed/SECMGTGW_*_CAT

Uninstalling TACF Tasks, Monitors, and Event Integration

To uninstall TACF Tasks, Monitors, and Event Integration, run the following CLI commands:

1. wuninst TACFPLUS $server -rmfiles
2. rm /data/Tivoli/msg_cat/.installed/TACFPLUS_*_CAT
3. rm $BINDIR/.installed/TACFPLUS_*_BIN
4. rm $BINDIR/../generic_unix/.installed/TACFPLUS_*_GBIN
5. rm $DBDIR/.installed/TACFPLUS_*_ALIDB

Uninstalling TACF Installation Utilities

To uninstall TACF Installation Utilities, run the following CLI commands:

1. wuninst TACFEPIU $server -rmfiles
2. rm $BINDIR/.installed/TACFEPIU_*_BIN
3. rm $BINDIR/../generic_unix/.installed/TACFEPIU_*_GBIN
4. rm /data/Tivoli/msg_cat/.installed/TACFEPIU_*_CAT

Uninstalling TACF

To uninstall TACF, run the following CLI commands:

1. wuninst TACF $server -rmfiles
2. rm /data/.installed/TACF_*_TACFBIN
3. rm $BINDIR/.installed/TACF_*_BIN
4. rm /data/Tivoli/msg_cat/.installed/TACF_*_CAT
5. rm /data/Tivoli/man/$INTERP/.installed/TACF_*_MAN

Internationalization

Tivoli SecureWay Security Manager, Version 3.7 is an internationalized product that supports English and other languages. It derives its language behavior from the installed localization features and from the user’s language preference. The localization features consist primarily of translated X/Open message catalogs and codeset tables for text processing and interoperability.

To view the translated versions of Web pages used by products in the Tivoli 3.7 release, you must use a Web browser that supports Unicode UTF-8 encoding, such as Netscape Navigator, Version 4.0.2 and above. You must also select a display font that includes the UTF-8 character set.

If you are unsure if your software meets these requirements or are not sure how to configure your system for UTF-8 support, contact the manufacturer of your Web browser or system software.

Enabling Language Support

Tivoli SecureWay Security Manager is translated into the following languages:

• Brazilian Portuguese
• Chinese (simplified)
• Chinese (traditional)
• French
• German
• Japanese
• Korean
• Spanish

To enable these languages, install the appropriate language support pack from the Tivoli Security Management Language Support CD. You can also install multiple language support packs for a single product.

See “Installing a Tivoli Product or Patch” in the TME 10 Software Installation Service User’s Guide, Version 3.6 for instructions for installing the language support packs.

If Tivoli Software Installation Service is not installed, see Chapter 2, “Installing Tivoli SecureWay Security Manager” in the Tivoli SecureWay Security Manager User’s Guide for installation procedures. Substitute the desired language support pack names for the product names shown in the procedures.

For issues specific to using Tivoli SecureWay Security Manager in a non-English system environment, see the Tivoli Framework Release Notes for the Framework version running on your system.


Tivoli SecureWay Security Manager, Version 3.7 Internationalization Issues

The following are known defects, limitations, and workarounds (when applicable) affecting the international versions of Tivoli SecureWay Security Manager, Version 3.7:

1. Due to translation dependencies being addressed in later releases, some graphical user interface (GUI) text and command line interface (CLI) messages will appear in English.

2. APAR-IX81383. The TACF product does not currently support international characters (double-byte or extended-ASCII characters) when defining user, group, resource, path names, or similar entities. The characters are not readable in the records that contain them. (CMVC-37973)

3. When editing resource access rights, after adding a role record in a security profile, if you deny the permission the English name of the permission will be saved. (CMVC-106948)

4. You cannot use double-byte characters in the OS/400 text field of a role record in a security profile. You can disable the validation policy by opening the Security Role Records dialog and clicking Edit->Validation Policies and then changing the Default Type for OS4Name to None. (CMVC 106932)

5. The NT Endpoint Audit Log Report saved by Security Audit contains corrupted characters. (CMVC-105839)

6. In resource records on the Netware endpoint, there is no context help for the following options: NetWare Inherited Rights Filters, NetWare NDS Attributes, NetWare File System Attributes. Please see the documentation for help. (CMVC-105318)

7. When installing the Tivoli SecureWay Security Manager, Version 3.7 language pack on a Japanese or French system using either the Framework install GUI or the winstall command, the installation will complete with errors. All of the language files will be installed correctly, but not all of the old files will be deleted. (CMVC-104378)


Workaround:

a. Change the locale to English.

b. Run setup_env.

c. If on NT, enter bash at the command line.

d. Enter “odadmin reexec all” and wait for the TMR oserv to restart.

e. Either use the Framework desktop GUI to install the language pack OR enter “winstall -c d: -i SEC_XX.IND” where -c is the drive letter where the language pack is located and XX is either JA or FR.

f. Change the locale back to either French or Japanese.

g. Enter “odadmin reexec all” and wait for the TMR oserv to restart.

Patches Included in Version 3.7

The following patches have been incorporated into Tivoli SecureWay Security Manager, Version 3.7:

Table 12. Security Manager

3.2-SEC-0001
3.2-SEC-0002
3.2-SEC-0003
3.2-SEC-0005
3.6-SEC-0003
3.6-SEC-0005
3.6.1-SEC-0004
3.6.1-SEC-0005
3.6.1-SEC-0009
3.6.2-SEC-0001
3.6.2-SEC-0002
3.6.2-SEC-0005E
3.6.2-SEC-0005
3.6.2-SEC-0006
3.6.2-SEC-0007

Table 13. TACF

3.2-SEC-0004
TACF-SP2-BETA-3
TACF-SP2-BETA-3
3.6.2-TACF-0002

Table 14. TACF Endpoint Installation Utilities

3.6.1-SEC-0008
3.6.2-SEC-0005E-EPIU
3.6.2-SEC-0007-EPIU

Table 15. TACF Tasks, Monitors, and Event Integration

3.6.1-SEC-0006

Table 16. Security Manager for AS/400, Server

3.6.1-SEC-0001 (Security Management, Version 3.6.1 for AS/400, Server)
3.6.1-SEC-0003
3.6.2-SECOS4-0001
3.6.2-SECOS4-0002

Table 17. Security Manager for AS/400, Gateway

3.6-SEC-0002 (Security Management, Version 3.6 for AS/400, Gateway)
3.6-SEC-0004
3.6.1-SEC-0002 (Security Management, Version 3.6.1 for AS/400, Gateway)
3.6.2-SECOS4GW-0002

Defects Fixed in Version 3.7

The following defects have been fixed for release 3.7 of Tivoli SecureWay Security Manager:

1. Transaction failure on script; constant policy change (GUI). (CMVC-35245)

2. The HolidayDate attribute accepts invalid dates. (CMVC-76253)

3. When a role template populate is performed from the GUI and the tmesec user is populated, the resource populate fails. The point at which the populate fails is determined by where the Windows NT node is located in the endpoint list. This failure occurs only when there is a combination of UNIX and Windows NT systems in the endpoint list. (CMVC-79627)

4. When populating a large number of records, the SecPro process grows to a large size and eventually uses all system resources, such as memory and swap space. This may cause the populate to fail. (CMVC-79757)

5. When populating resources for a role template populate using the USER+ option on a TACF endpoint or managed node, the user access control entry should override the group access control entry. This does not occur because the permissions are being merged so that the role will be granted both the user and group permissions. However, if either the user access control entry or group access control entry is No Access, this will override all other permissions. (CMVC-80667)

6. Installation of Security Manager, Version 3.6.2 can fail in an interconnected TMR environment if the connected TMR has Tivoli Security Manager installed and the @PolicyRegion:TivoliDefaultSecurityPolicyRegion, @ProfileManager:TivoliDefault SecurityProfileManager, or @SecurityProfile:TivoliDefaultSecurityProfile resources registered in the Name Registry. This can occur if the wchkdb -u command has been used to clean up the TME object database in the connected TMR. (CMVC-81345)

7. If the /etc/resolv.conf file exists, it must specify the domain keyword and value or the TACF install or upgrade will fail. (CMVC-81632)

8. In certain scenarios, a distribute of a SystemPolicy record with the UXLockout attribute set will fail to start or stop the serevu daemon that is used for lockout policy. (CMVC-82081)

9. There is a known problem when distributing to a Group/Role combination from Tivoli in which the Group name is already allocated as a User ID on an AS/400 endpoint. During processing of the Role on the AS/400 endpoint, the code checks to ensure that all groups assigned to the endpoint are valid AS/400 Group IDs. If a group that already exists on the AS/400 endpoint as a User ID is discovered, the SECURITY program crashes and the distribution will eventually time out. (CMVC-82100)

10. The OS/400 SystemPolicy attribute OS4ResTypeAudit cannot be modified using the wmodsec CLI command. This attribute can be modified using the GUI. (CMVC-82261)

11. The validation policy script for the OS/400 SystemPolicy attribute OS4MaxInactiveDays has a syntax that does not function correctly on Solaris systems. As a result, attempting to create a SystemPolicy record on Solaris fails because the validation script crashes. (CMVC-82727)

12. When you use the Pluggable Authentication Module (PAM) option call_segrace, two grace logins are used with each login. (MEMCO-B30091)

Software Defects, Limitations, and Workarounds Reported Prior to Version 3.7

This section describes known defects reported since the Tivoli SecureWay Security Manager 3.6 release and prior to the Tivoli SecureWay Security Manager, Version 3.7 release that have not yet been fixed.

Note: The APAR number that customers use for reporting defects is listed at the beginning of the defect description, and the CMVC number that developers use for defect tracking is listed at the end of the defect description.

Tivoli SecureWay Security Manager

The following is a list of significant defects that apply to Tivoli SecureWay Security Manager.

1. When you invoke the wlssec command without the appropriate roles, a No records found message is displayed instead of a descriptive authorization error. (CMVC-55226)

2. If a TMR server has been upgraded to Distributed Monitoring 3.6.1, the installation of TACF Tasks, Monitors, and Event Integration 3.6 may fail. (CMVC-60844)

This failure returns the following error message:

Problems with monitoring collections:
-> An instance named "TACF Security Monitors" of resource "MonitoringCapabilityCollection" was not found.

Workaround: Perform the following steps to recover from this installation failure:


a. On the TMR server, run:

mcsl -Ri $BINDIR/../generic_unix/TME/TACFTASKS/Tacf_Monitors.col

b. Re-attempt the installation.

3. On NT, when you distribute a record with the ResAudit permission set and the ResAccessAudit permission not set, the auditing for some resource types is not properly configured. (CMVC-60957)

Workaround: Specify both the ResAudit and ResAccessAudit permissions.

Note: Tivoli recommends using ResAccessAudit on NT resources, because ResAudit will become obsolete for NT resources in a future release.

4. Non-English characters in host names and some other labels are not supported. (CMVC-68084)

Using non-English characters for the following may cause problems:

• User and group names
• Restriction Access roles
• Passwords
• File, directory, and object names

Workaround: Do not use non-English characters in names.

5. On an AS/400 endpoint, when a user created by Tivoli User Administration is specified as a member of a group, the user is not added to the group profile. (CMVC-45039)

6. When profiles with very large numbers of records are distributed, an endpoint time-out can occur. This problem can also occur when setting default access on all objects of a certain object type in system policies. (CMVC-45000)

Workaround: Enter the following Tivoli Framework command on the endpoint gateway:

wgateway gateway_name set_session_timeout timeout_value


This command increases the amount of time the gateway allows an endpoint to run the AS/400 endpoint methods. Note that this increases the amount of time for all methods on all platforms.

7. An authorization failure occurs when using the wlssec command on group, role, and resource records if the administrator has only security-related roles, including the security_admin role. This problem occurs when groups and resources are assigned to a role and when some Tivoli users are assigned to a group. (CMVC-77685)

Workaround: An administrator should have the super, senior, admin, user, or backref role, in addition to the required security role, when using the wlssec command.

TACF (MEMCO SeOS)

The following is a list of significant defects for TACF reported prior to the Tivoli SecureWay Security Manager, Version 3.7 release:

1. Using TACF in HA/CMP environments on an AIX system can cause machine hangs. Tivoli has been working on this issue with our TACF supplier for several months. Tivoli plans to deliver a Tivoli Security Manager patch in December 1999 that contains a workaround for this problem. This patch is supposed to eliminate these machine hangs. However, based on experience working with some early customers with this patch, it may not eliminate all of the problems.

Workaround: If you must run Tivoli Security Manager and TACF on an AIX HA/CMP system, contact Customer Support for assistance.

2. When TACF is upgraded on a managed node on which the TACF daemons are not running or on an endpoint, the user mode for the root user is stripped of TACF admin and auditor privileges. (CMVC-77764)

Workaround: See the Tivoli SecureWay Security Manager User’s Guide for a description of the Add/Remove TACF Auditor/Administrator TACF task, which can be used to restore the admin and audit privileges to the root user.


Version 3.7 Software Defects, Limitations, and Workarounds

This section describes known defects reported for Tivoli SecureWay Security Manager, Version 3.7 that have not yet been fixed. See the previous section for a list of defects reported prior to the Tivoli SecureWay Security Manager, Version 3.7 release that have not yet been fixed.

Note: The APAR number that customers use for reporting defects is listed at the beginning of the defect description, and the CMVC number that developers use for defect tracking is listed at the end of the defect description.

Tivoli Security Manager

1. Performing a Tivoli SecureWay Security Manager, Version 3.7 upgrade on a Tivoli SecureWay Security Manager, Version 3.6.2 system that contains OS4 resource records in which the DefAccess attribute is set to None can cause instability in the security profile GUI. (CMVC-105858)

The following is an example of a returned error:

CES: SPRO: 0111Metadata cache internal error - profile= ’’ request=2args= args=’perm=None.

Workaround: Prior to upgrading, find all 3.6.2 security profiles with OS4 resource records that have DefAccess set to None and change the DefAccess setting to No Access. You could write a script to do this. If you have already upgraded and are observing errors, you can correct the problem using this procedure:

a. Use the following command to add the None permission to a security profile:

waddsecperm -p None -a None profilename

b. Now that you can access the profile without error, find the OS4 resource records that have DefAccess set to None and change the DefAccess setting to No Access.


c. Remove the None permission definition from the security profile.

2. Do not populate a security profile using wpopulate with the -o option, as this may corrupt the profile and make it unusable. (CMVC-106838)

Workaround: Use the wpopulate command without the -o option to populate the profile.

3. Unable to distribute or populate a security profile to or from an NT managed node after upgrading from 3.6.2 to 3.7. (CMVC-108212)

Workaround: Install the following Tivoli Framework patch appropriate to the version of Tivoli Framework that you are running. Tivoli Framework 3.6.3 requires patch 3.6.3-TMF-0010, Tivoli Framework 3.6.4 requires patch 3.6.4-TMF-0005, and Tivoli Framework 3.7 requires patch 3.7-TMF-0006.

TACF (MEMCO SeOS)

1. APAR-IY05095. If you use TACF rules to limit root access, unless the terminal is console or 0.0.0.0, oserv does not re-exec or start up as term. This defect occurs intermittently on Solaris and HP-UX terminals.

Workaround: Restart TACF.

2. TACF does not work on the HP-UX 11 system (either 32 or 64 bit). (CMVC-101813 and CMVC-105517)

The following are examples of returned errors.

When distributing a security profile to an HP-UX 11 system with TACF 3.7 installed, the error message is:

A failure was detected by the oserv daemon: O_errs:0040 Transaction Error

When populating a security profile from an HP-UX 11 system with TACF 3.7 installed, the error message is:

TACF is not accessible (ErrorCode: 12033)

Due to last-minute enhancements, the support for these platforms is not included on the Tivoli SecureWay Security Manager 3.7 CD (LK3T-5743-00). The components to support these platforms as well as Solaris 8 will be available in a Security Manager patch (SEC-3.7.0_0001) in December 2000. Contact your Tivoli Service Representative to obtain this patch.

3. If a previous version of TACF has been installed on a TMR managed node server, and you then upgrade to Tivoli SecureWay Security Manager, Version 3.7 without installing TACF 3.7, an error is returned if you try to install TACF 3.7 on a newly created managed node or endpoint in the TMR. (CMVC-105412)

The following is an example of a returned error:

InstallOpsCatalog: 0017The revision levels of the installation and media do not match 3.6 <-> 3.7.

Workaround: Upgrade earlier versions of TACF on managed nodes or endpoints to version 3.7 before installing TACF 3.7 to new endpoints or managed nodes on the same TMR.

4. An error in uninstalling TACF in previous versions may prevent installing TACF, Version 3.7. (CMVC-105575)

The following is an example of a returned error when installing TACF:

The revision levels of the installation and media do not match: “3.7<->3.6.2”

Workaround: Run the following commands:

a. Prod_oid=`wlookup -r ProductInfo TACF`

b. idlcall $Prod_oid TMF_SysAdmin::PolicyDrivenBase::remove

5. The TACF task “Synchronize TACF / UNIX Users & Groups” may create SURROGATE records for users and groups. These SURROGATE records can restrict the ability of sendmail to change User IDs. (CMVC-105698)

Note: If you install TACF onto a TMR server, install it using the managed node installation. This ensures that TACF is configured properly to allow programs like sendmail and oserv to access required resources.

Workaround: Modify the sendmail SPECIALPGM resources in the TACF database to bypass the SURROGATE records for specified users. Another option is to add sendmail as a LOGINAPPL resource in TACF. This allows it to change to any valid user ID.

6. Intermittent timeout errors have been observed when distributing a security profile with more than 100 to 200 records to Solaris 7 64 bit endpoints. (CMVC-105798)

The following is a typical error message:

ipc_timed_send failed: peer=69.200.33.73+14000, error=o_errs:0047 IPC shutdown (67)

Workaround: Distribute security profiles with fewer records.

7. The “Add/remove TACF Auditor/Administrator” TACF task is broken. (CMVC-107587)

It returns the following error message:

TACF is not installed.

Workaround: Install the security manager TACF patch (SEC-3.7.0_0001) which will be available in December, 2000. Contact your Tivoli service representative to obtain this patch.

8. AC-PROF distribution does not restart TACF daemons. (If TEC has been installed, AC-PROF is created when installing TACF Tasks, Monitors, and Event Integration.) (CMVC-107938)

Workaround: Restart TACF using the “Start TACF servers” TACF task.

9. TACF upgrade fails on HP-UX system if selogrd is running. (CMVC-108115)

Workaround: Stop selogrd using the “Stop TACF Servers” TACF task before upgrading.

10. The TACF Install will fail if UIDs exceed 30000 or GIDs exceed 30000. (CMVC 108138)

During installation, TACF creates a tmesec user ID using the next available UID and a tme_sec group using the next available GID.

Workaround: If the next available UID is above 30000, you must create the tmesec account before installing TACF. If the next available GID is above 30000, you must create the tme_sec group before installing TACF.

Once TACF is installed, we recommend that you change the untouchable range. For example, to protect all the user and group IDs that are below 100 and above 60000, enter the following commands:

seini -s passwd.AllowedUidRange 100,60000

seini -s passwd.AllowedGidRange 100,60000

The maximum upper bound is system dependent. Consult your operating system's documentation for the maximum value allowed.
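A pre-install check for the 30000 UID/GID limit in item 10, as an added example that is not part of the release notes or of Tivoli's tooling. It assumes "next available" means the highest existing ID plus one and reads only local passwd- and group-format files (NIS or other directory sources are not covered); the function names are hypothetical.

```shell
#!/bin/sh
# Pre-install check for the TACF UID/GID limit (item 10 above).
# Assumption (not stated in the release notes): the "next available" ID
# is the highest numeric ID already in the file, plus one.

TACF_ID_LIMIT=30000   # limit given in the release notes

# next_free_id FILE: print highest numeric ID in field 3, plus one.
# Lines without a numeric third field (e.g. NIS "+" markers) are skipped.
next_free_id() {
    awk -F: '$3 ~ /^[0-9]+$/ && $3 + 0 > max { max = $3 + 0 }
             END { printf "%.0f\n", max + 1 }' "$1"
}

# has_entry FILE NAME: succeed if NAME is the first field of some line.
has_entry() {
    awk -F: -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$1"
}

# check_precreate FILE NAME: print one of
#   exists     NAME is already defined, nothing to do
#   precreate  NAME is missing and the next ID is above the limit
#   ok         NAME is missing but the next ID is within the limit
check_precreate() {
    if has_entry "$1" "$2"; then
        echo exists
    elif [ "$(next_free_id "$1")" -gt "$TACF_ID_LIMIT" ]; then
        echo precreate
    else
        echo ok
    fi
}

# tacf_precheck [PASSWD_FILE [GROUP_FILE]]: report on both names.
tacf_precheck() {
    echo "tmesec user:   $(check_precreate "${1:-/etc/passwd}" tmesec)"
    echo "tme_sec group: $(check_precreate "${2:-/etc/group}" tme_sec)"
}

# Constructed sample data (not from a real host): one user above the
# limit and no tmesec account; tme_sec group already present.
sample_dir=$(mktemp -d)
printf 'root:x:0:0::/:/bin/sh\nalice:x:30500:100::/home/alice:/bin/sh\n' \
    > "$sample_dir/passwd"
printf 'root::0:\nstaff::100:\ntme_sec::250:\n' > "$sample_dir/group"
tacf_precheck "$sample_dir/passwd" "$sample_dir/group"
rm -rf "$sample_dir"
```

Run `tacf_precheck` with no arguments on the target host to check its own /etc/passwd and /etc/group; a `precreate` result means the account or group must be created by hand before installing TACF.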