IBM Tivoli Access Manager for Operating Systems Release Notes Version 4.1 GI11-0951-00



Note: Before using this information and the product it supports, read the information in Chapter 6, “Notices” on page 29.

First Edition, (October 2002)

This edition applies to version 4, release 1, of IBM Tivoli Access Manager for Operating Systems (product number 5698-PDO) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2000, 2002. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Tables

Preface
  Who Should Read This Document
  What This Document Contains
  Publications
    Tivoli Access Manager for Operating Systems Library
    Prerequisite Publications
    Accessing Publications Online
    Ordering Publications
    Providing Feedback about Publications
  Contacting Customer Support
  Conventions Used in This Book
    Typeface Conventions

Chapter 1. About This Release

Chapter 2. Installation and Upgrade Notes
  Hardware Requirements for Installing Tivoli Access Manager for Operating Systems
  Supported Operating System Levels and Required Patches
  Installation Notes
    ISMP: The File uninstall.jar Disappears After an Uninstall Fails
    ISMP/AIX: Scrollbar warning
    ISMP/Solaris: Font Not Found Errors When Starting ISMP
    ISMP/Solaris: Installation Fails with # in Path Name
    ISMP: Install Fails with Illegal Argument Error
    ISMP: Optional Installation Directory Not Cleaned Up During Uninstall
    ISMP/Solaris: Optional Installation Directory Not Supported on Solaris
    ISMP/Solaris: ISMP Failures During Installation on Solaris 7 Machines
    ISMP: Response Files Might Contain Sensitive Data if an Install Fails
    Install of IBM SecureWay Directory Client Might Fail
    Compatibility Issues on Solaris Systems Running Tivoli SecureWay Policy Director Connection
    Patch Required for Tivoli SecureWay Policy Director Connection Version 3.7
  Upgrade Notes
    Changes to Initial Policy
    Upgrading a Configured Linux System

Chapter 3. Known Issues and Workarounds
  Runtime Problems on SPARCstation-5 running Solaris 8
  Red Hat Linux authconfig Command and Login/Password Policy Configuration
  Linux for zSeries Problem with More than One CPU
  Recommended Patch for HP-UX 11.11 Systems
  AIX NIS Client and Tivoli Access Manager for Operating Systems Startup Order
  Policy Updates Occurring During Configuration Might Cause Errors
  pdosucfg Command Completes with Errors
  Failed Password Changes on AIX Systems Not Audited
  Files Protected with Rename Permission Can Be Renamed on Linux Systems Using mv Command
  Policy Not Enforced on Solaris Systems Using NFS Version 2
  No Trace Events for Processes Started Before Tivoli Access Manager for Operating Systems
  Trace Events for CDE-Originated Logins Might Be Missed
  Tivoli Access Manager for Operating Systems Login Activity Policy on HP-UX with rexec/remsh
  Grace Login Behavior is Different on AIX Systems
  Cannot Remove the Logfile Adapter During a Distribution
  Logfile Adapter Fails to Start on AIX 5.1 Systems After Reboot
  Logfile Adapter on Solaris Systems Fails Under Heavy Load
  Considerations When Running on HACMP for AIX Systems
  Tasks Do Not Encrypt Tivoli Access Manager Administrator Password
  Extraneous Text Shown for Hostname in Events in Tivoli Risk Manager
  Auth Requisite Modules on PAM Platforms
  Problems Unlocking CDE Screen Lock on AIX Systems after Installation/Configuration
  Execution of PDOS Tasks Without root in osseal-admin
  Tivoli Access Manager for Operating Systems Login Activity Policy with $HOME/.rhosts and /etc/hosts.equiv
  Limitation of the pdosexempt Command
  Group Name Used to Maintain Branch Membership is not Case-Sensitive

Chapter 4. Documentation Notes
  Tivoli Access Manager Documents Located with Tivoli Access Manager for Operating Systems Documents on Support Web Site
  Error in Password Management Policy Attributes Table

Chapter 5. Internationalization Notes
  General Notes
    Language Limitations Involving Non-ASCII Characters
  Notes Regarding AIX Systems
    PDOSD Daemon Does Not Autostart on AIX Systems LC_MESSAGES=c@lft in /etc/environment
  Notes Regarding Linux Systems
    Japanese Locale and Language Setting Supported on Linux Systems
    Tivoli Access Manager for Operating Systems Considerations When Using International Locales on Linux Systems
    Configuration Change Needed on Some Internationalized Versions of Red Hat Linux 7.1
  Notes Regarding Solaris Systems
    Setting the Locale for CDE Login on Solaris 2.8
  To Properly Display Window Panels on Traditional Chinese and Japanese TMR Servers
  Characters Do Not Display Properly in Portuguese Brazilian Environment

Chapter 6. Notices
  Trademarks


Tables

1. Typeface Conventions
2. Memory Requirements
3. Disk Space Requirements for Installation
4. Supported Operating System Levels and Required Patches


Preface

IBM Tivoli Access Manager for Operating Systems provides a layer of authorization policy enforcement in addition to that provided by the native operating system. The IBM Tivoli Access Manager for Operating Systems Release Notes provides an overview of the changes introduced in this release of the product. This document also provides information that is either incorrect in or missing from the product documentation. It also describes workarounds for any known problems encountered during the final testing of the product.

Information in this revised document supersedes information in the product documentation or in the product itself.

Who Should Read This Document

This document is intended for systems administrators who have some knowledge of these topics:
- UNIX® operating system
- Internet protocols, including HTTP, TCP/IP, FTP, Telnet, SSL
- Security management
- Directory services
- Authentication
- Authorization
- IBM Tivoli Access Manager

Supplementary information that systems administrators may find useful includes knowledge of the following topics:
- Tivoli Management Environment® framework
- Tivoli Distributed Monitoring
- Tivoli Enterprise Console®
- Tivoli Risk Manager
- Tivoli Security Manager
- Tivoli User Administration

What This Document Contains

The IBM Tivoli Access Manager for Operating Systems Release Notes contains the following sections:
- Chapter 1, “About This Release” on page 1
  Introduces Tivoli Access Manager for Operating Systems and its functions.
- Chapter 2, “Installation and Upgrade Notes” on page 3
  Describes the hardware and software prerequisites for installing Tivoli Access Manager for Operating Systems. Notes on installing or upgrading an existing installation also are provided.
- Chapter 3, “Known Issues and Workarounds” on page 13
  Describes any limitations or problems encountered in Tivoli Access Manager for Operating Systems during testing that could not be fixed in the final version of the product, along with any known workarounds.

- Chapter 4, “Documentation Notes” on page 23
  Describes any errors or omissions in the documentation provided with the product.
- Chapter 5, “Internationalization Notes” on page 25
  Describes any limitations or problems encountered in testing the internationalized versions of Tivoli Access Manager for Operating Systems that could not be fixed in the final version of the product, along with any known workarounds.

Publications

This section lists publications in the Tivoli Access Manager for Operating Systems library and any other related documents. It also describes how to access Tivoli publications online, how to order Tivoli publications, and how to make comments on Tivoli publications.

Tivoli Access Manager for Operating Systems Library

The following documents are available in the Tivoli Access Manager for Operating Systems library:
- IBM Tivoli Access Manager for Operating Systems Installation Guide
  Provides information about installing Tivoli Access Manager for Operating Systems.
- IBM Tivoli Access Manager for Operating Systems Administration Guide
  Provides information on using Tivoli Access Manager for Operating Systems and includes a reference of the commands available.
- IBM Tivoli Access Manager for Operating Systems Problem Determination Guide
  Provides information about troubleshooting, message logging, trace logging, other diagnostic tools, and reference information about Tivoli Access Manager for Operating Systems. Also contains the product error message log.

Prerequisite Publications

To be able to use the information in this guide effectively, you must have some prerequisite knowledge, which you can get from the following books:
- IBM Tivoli Access Manager Base Administrator’s Guide, Version 4.1, SC32-1132
- IBM Tivoli Access Manager Base Installation Guide, Version 4.1, SC32-1131
- IBM Tivoli Access Manager for eBusiness Release Notes, Version 4.1, SC32-1130
- IBM Tivoli Access Manager Command Reference, Version 4.1, SC32-1107
- IBM Tivoli Access Manager Problem Determination Guide, Version 4.1, GC32-1106
- IBM Tivoli Access Manager Performance Tuning Guide, Version 4.1, SC32-1145
- IBM Tivoli Access Manager Error Message Reference, Version 4.1, SC32-1144

For your convenience, these Tivoli Access Manager documents can be found with the Tivoli Access Manager for Operating Systems documents at the Customer Support Web site described in the next section.

Accessing Publications Online

You can access many Tivoli publications online at the Customer Support Web site:

http://www.tivoli.com/support/documents/

These publications are available in PDF or HTML format, or both. Translated documents are also available for some products.

Ordering Publications

You can order many Tivoli publications online at the following Web site:

http://www.ibm.com/shop/publications/order

You can also order by telephone by calling one of these numbers:
- In the United States: 800-879-2755
- In Canada: 800-426-4968
- In other countries, for a list of telephone numbers, see the following Web site:

http://www.tivoli.com/inside/store/lit_order.html

Providing Feedback about Publications

We are very interested in hearing about your experience with Tivoli products and documentation, and we welcome your suggestions for improvements. If you have comments or suggestions about our products and documentation, contact us in one of the following ways:
- Send an e-mail to [email protected]
- Complete our customer feedback survey at the following Web site:

http://www.tivoli.com/support/survey/

Contacting Customer Support

If you have a problem with any Tivoli product, you can contact Tivoli Customer Support. See the Customer Support Handbook at the following Web site:

http://www.tivoli.com/support/handbook/

The handbook provides information about how to contact Customer Support, depending on the severity of your problem, and the following information:
- Registration and eligibility
- Telephone numbers and e-mail addresses, depending on the country you are in
- What information you should gather before contacting support

Conventions Used in This Book

This book uses several conventions for special terms and actions, operating system-dependent commands and paths, and margin graphics.

Typeface Conventions

The following typeface conventions are used in this book:

Table 1. Typeface Conventions

Convention, followed by its definition:

Bold
    Lowercase and mixed-case commands, command options, and flags that appear within text appear like this, in bold type.
    Graphical user interface elements (except for titles of windows and dialogs) and names of keys also appear like this, in bold type.

Italic
    Variables, values you must provide, new terms, and words and phrases that are emphasized appear like this, in italic type.

Monospace
    Commands, command options, and flags that appear on a separate line, code examples, output, and message text appear like this, in monospace type.
    Names of files and directories, text strings you must type, when they appear within text, names of Java methods and classes, and HTML and XML tags also appear like this, in monospace type.

Chapter 1. About This Release

The IBM Tivoli Access Manager for Operating Systems, Version 4.1, release includes the following new features and enhancements:
- New operating systems supported:
  - Red Hat Linux 7.3 (x86)
  - SuSE Linux 8.0 (x86)
  - SuSE Linux Enterprise Server 7 (SLES7) for S/390 and zSeries
  - SuSE Linux Enterprise Server 7 (SLES7) for IBM zSeries
  - Red Hat Linux 7.2 for S/390 and zSeries
- Improved ease of installation with the InstallShield Multiplatform Edition installation utility (ISMP). This utility provides Windows-style installation as well as install packages suitable for use with distributed install products, such as IBM Tivoli Configuration Manager. Optionally, you can specify where the Tivoli Access Manager for Operating Systems Runtime environment and its dependencies are installed.
- New resource type for Password Management policy that allows password strength rules to be enforced on password changes. For example, this policy includes maximum password length and use of alphabetic versus numeric characters. The product enables you to use consistent password rules across all platforms from a centrally configured policy.
- LDAP groups are used to provide an information-only record of configured Tivoli Access Manager for Operating Systems branches and machines configured into those branches.
- The pdosobjsig command will take a new option, -C. The -C option tells pdosobjsig to recheck the signatures of all objects in the object signature database.
- New problem determination utilities and the IBM Tivoli Access Manager for Operating Systems Problem Determination Guide.
- The credential acquisition service is vital to the PDOSD daemon’s authorization decision process. New pdoscfg options for tuning the credential acquisition service have been added:
  - -cred_response_wait—Minimum length of time to wait (in minutes) for a response to a credential request before entering isolation mode. The default is two minutes.
  - -critical_cred_group—The name of the Tivoli Access Manager group whose members are to be treated as critical system users whose credentials should always be available in the credential cache.
  - -critical_cred_refresh—Refresh interval of critical_cred_group credentials in minutes. The default is 720 minutes.
- Support for the IBM Tivoli Enterprise Data Warehouse, when IBM Tivoli Risk Manager’s Tivoli Data Warehouse Enablement Pack is used in conjunction with Tivoli Access Manager for Operating Systems. The Tivoli Access Manager for Operating Systems Enterprise Console Integration component must be installed and set up to forward audit events to Tivoli Risk Manager. Tivoli Risk Manager’s Tivoli Enterprise Data Warehouse Enablement Pack can be used to forward events to the Tivoli Data Warehouse. See the Tivoli Risk Manager Release Notes, Version 4.1, for information about the availability of the Tivoli Risk Manager’s Tivoli Data Warehouse Enablement Pack.

The following items have been removed in this release:
- Support for Sun Solaris 2.6, Red Hat Linux 6.2, AIX 4.3.1, and AIX 4.3.2
- Tivoli Framework-based installation CD (this is replaced by the use of InstallShield Multiplatform combined with Tivoli Configuration Manager or Tivoli Software Distribution)
- Ezinstall has been removed and replaced with InstallShield Multiplatform
- Support for the Endpoint Audit Log Report Task (available through Tivoli Identity Management).

Chapter 2. Installation and Upgrade Notes

This chapter provides the hardware and software requirements that must be met to install Tivoli Access Manager for Operating Systems. The information provided here supersedes information provided in the Tivoli Access Manager for Operating Systems Installation Guide.

Hardware Requirements for Installing Tivoli Access Manager for Operating Systems

The memory requirements for a Tivoli Access Manager for Operating Systems machine are provided in the following table.

Table 2. Memory Requirements

Minimum RAM         64 MB
Recommended RAM     128 MB or greater

The Tivoli Access Manager for Operating Systems installation package consists of the following software products:
- Tivoli Access Manager for Operating Systems
- Tivoli Access Manager Base
- IBM Global Security Toolkit (GSKit)
- IBM SecureWay Directory Client (LDAP)

These products are installed in different directories based on the operating system platform. The following table outlines the disk space requirements for installing Tivoli Access Manager for Operating Systems and these related products.

Table 3. Disk Space Requirements for Installation

Platform, followed by the approximate space needed:

AIX
    88 MB in /opt for Tivoli Access Manager for Operating Systems and Tivoli Access Manager runtime
    67 MB in /usr for GSKit and LDAP

HP-UX
    56 MB in /opt for Tivoli Access Manager for Operating Systems, GSKit, LDAP, and Tivoli Access Manager runtime

Solaris
    85 MB in /opt for Tivoli Access Manager for Operating Systems and Tivoli Access Manager runtime

Linux
    45 MB in /opt for Tivoli Access Manager for Operating Systems and Tivoli Access Manager runtime
    94 MB in /usr for GSKit and LDAP

Linux for zSeries
    26 MB in /opt for Tivoli Access Manager for Operating Systems and Tivoli Access Manager runtime
    57 MB in /usr for GSKit and LDAP

Note: During runtime, Tivoli Access Manager for Operating Systems stores authorization policy database replicas, the Trusted Computing Base object signature database, audit logs, and error logs under the directory /var/pdos. Consider creating /var/pdos, /var/pdos/audit, and /var/pdos/log as separate file systems. The minimum recommended size is 100 MB total. The space required can increase over time. It is mainly dependent upon the defined policy and the configured audit levels.

Supported Operating System Levels and Required Patches

Tivoli Access Manager for Operating Systems is supported on the operating system platforms listed in Table 4. In addition, the following operating system patches must be installed before installing Tivoli Access Manager for Operating Systems. Contact your operating system vendor to obtain the necessary patches.

Table 4. Supported Operating System Levels and Required Patches

Operating system and version, followed by the patches required:

AIX 4.3.3
    Latest patches, plus bos.rte.libpthreads patch at level 4.3.3.51

AIX 5.1.0
    AIX 5100-01 maintenance package. Downloadable from http://techsupport.services.ibm.com/server/aix.fdc51?toggle=DNLDML

HP-UX 11.0
    No specific patches at this time

HP-UX 11i
    No specific patches at this time

Red Hat Linux 7.1 (x86)
    kernel rpms supported:
    - kernel-2.4.2-2.i586.rpm*
    - kernel-2.4.2-2.i686.rpm*
    - kernel-smp-2.4.2-2.i586.rpm*
    - kernel-smp-2.4.2-2.i566.rpm*
    - kernel-2.4.9-31.i586.rpm
    - kernel-2.4.9-31.i686.rpm
    - kernel-smp-2.4.9-31.i586.rpm
    - kernel-smp-2.4.9-31.i686.rpm
    - kernel-2.4.9-34.i586.rpm
    - kernel-2.4.9-34.i686.rpm
    - kernel-smp-2.4.9-34.i586.rpm
    - kernel-smp-2.4.9-34.i686.rpm
    See note 3 below.


Red Hat Linux 7.2 (x86)
    kernel rpms supported:
    - kernel-2.4.7-10.i686.rpm*
    - kernel-smp-2.4.7-10.i586.rpm*
    - kernel-smp-2.4.7-10.i686.rpm*
    - kernel-2.4.9-31.i586.rpm
    - kernel-2.4.9-31.i686.rpm
    - kernel-smp-2.4.9-31.i586.rpm
    - kernel-smp-2.4.9-31.i686.rpm
    - kernel-2.4.9-34.i586.rpm
    - kernel-2.4.9-34.i686.rpm
    - kernel-smp-2.4.9-34.i586.rpm
    - kernel-smp-2.4.9-34.i686.rpm
    See note 3 below.

Red Hat Linux 7.3 (x86)
    kernel rpms supported:
    - kernel-2.4.18-3.i686.rpm*
    - kernel-smp-2.4.18-3.i586.rpm*
    - kernel-smp-2.4.18-3.i686.rpm*
    - kernel-2.4.18-10.i586.rpm
    - kernel-2.4.18-10.i686.rpm
    - kernel-smp-2.4.18-10.i5686.rpm
    See note 3 below.

SuSE Linux 7.3 (x86)
    kernel rpms supported:
    - k_deflt-2.4.10-12.i386.rpm*
    - k_smp-2.4.10-12.i386.rpm*
    - k_deflt-2.4.16-37.i386.rpm
    - k_smp-2.4.16-38.i386.rpm
    See note 3 below.

SuSE Linux 8.0 (x86)
    kernel rpms supported:
    - k_deflt-2.4.18-58.i386.rpm*
    - k_smp-2.4.18-57.i386.rpm*
    See note 3 below.

Sun Solaris Operating Environment 2.7 (32-bit systems)
    Patches:
    - 106950-18
    - 106327-13

Sun Solaris Operating Environment 2.7 (64-bit systems)
    Patches:
    - 106950-18
    - 106327-13
    - 106300-14

Sun Solaris Operating Environment 2.8 (32-bit systems)
    Patches:
    - 109147-15
    - 108434-05
    - SUNWuiu8
    - SUNWjiu8


Sun Solaris Operating Environment 2.8 (64-bit systems)
    Patches:
    - 109147-15
    - 108434-05
    - 108435-06
    - SUNWuiu8
    - SUNWjiu8

SuSE Linux Enterprise Server 7 (SLES7) for S/390 and zSeries (31-bit kernel)
    kernel rpms supported:
    - k_deflt-2.4.7-31.s390.rpm*
    See note 3 below.

SuSE Linux Enterprise Server 7 (SLES7) for zSeries (64-bit kernel with 31-bit compatibility mode)
    kernel rpms supported:
    - k_deflt-2.4.17-21.s390.rpm*
    See note 3 below.

Red Hat Linux 7.2 for S/390 and zSeries (31-bit kernel)
    kernel rpms supported:
    - kernel-2.4.9-37.s390.rpm*
    See note 3 below.

Notes:

1. For the Red Hat Linux and SuSE Linux operating systems, only the listed kernel packages are supported by Tivoli Access Manager for Operating Systems. The kernel packages indicated with an asterisk (*) are the kernels that get installed by default during the Linux installation process. The other specified Linux packages are updates that are available from the respective vendors.

2. Tivoli Access Manager, Version 4.1, and Tivoli Access Manager for Operating Systems, Version 4.1, are not supported on SPARCstation-5 hardware installed with Solaris 8. A problem has been encountered when running Version 4.1 executables on this combination of hardware and Solaris level. Executables, for example, pdversion, fail as follows:

       # pdversion
       ld.so.1: /opt/PolicyDirector/sbin/ivprintmsg: fatal: /usr/lib/libCstd.so.1: bad ELF flags value: 256

   It appears that the Solaris 8 system file, /usr/lib/libCstd.so.1, is not compatible with this hardware platform.

3. On all the Linux platforms, a back-level version of the libstdc++ library must be available on the system prior to installing Tivoli Access Manager for Operating Systems and its prerequisite software. Installing the compat-libstdc++ package available with the Linux distribution satisfies this requirement. For the x86 Linux platforms, this requirement can also be satisfied by installing the libstdc++-2.95.2-12mdk.i586.rpm patch. This package can be found at http://rpmfind.net/ by searching for libstdc++ and looking for the package name. This package adds libraries of a specific version. For operating systems with higher-numbered versions of libstdc++ already installed, this package must be installed using the --force option of the rpm install tool.

Installation Notes

Before installing Tivoli Access Manager for Operating Systems, review the following notes to determine if they pertain to your installation environment.

ISMP: The File uninstall.jar Disappears After an Uninstall Fails

After a successful installation, the InstallShield Multiplatform utility creates an uninstaller in the directory /var/pdos_ismp/_uninst.

To uninstall the product, use the following command:

    java -cp /var/pdos_ismp/_uninst/uninstall.jar

Even if the uninstall fails, the InstallShield Multiplatform utility will remove the uninstall.jar file, thus leaving no way to attempt the uninstall again. The current workaround is for the user to back up the /var/pdos_ismp/_uninst directory.

ISMP/AIX: Scrollbar warning

When the InstallShield Multiplatform installation program of Tivoli Access Manager for Operating Systems is running on some X windows systems, the following message appears:

    Warning:
    Name: HorScrollBar
    Class: XmScrollBar
    The specified scrollbar value is greater than the maximum scrollbar value minus the scrollbar slider size.

This warning is caused by a bug in Motif and requires a patch for the operating system. See http://support.installshield.com/kb/view.asp?articleid=Q10648 for additional details.

ISMP/Solaris: Font Not Found Errors When Starting ISMP

When the InstallShield Multiplatform installation program of Tivoli Access Manager for Operating Systems is running on some Solaris systems, the following message appears:

    Font specified in font.properties not found [-urw-itczapfdingbats-medium-r-normal--*-%d-*-*-p-*-sun-fontspecific]
    Font specified in font.properties not found [-urw-itczapfdingbats-medium-r-normal--*-%d-*-*-p-*-sun-fontspecific]
    Font specified in font.properties not found [-urw-itczapfdingbats-medium-r-normal--*-%d-*-*-p-*-sun-fontspecific]
    Font specified in font.properties not found [-urw-itczapfdingbats-medium-r-normal--*-%d-*-*-p-*-sun-fontspecific]
    Font specified in font.properties not found [-urw-itczapfdingbats-medium-r-normal--*-%d-*-*-p-*-sun-fontspecific]

This is a problem with the setup of the Java runtime environment. There is a file named font.properties that is located under the java runtime directory. For example, /usr/java1.3.0_01/jre/lib/font.properties. This file maps java fonts to the system fonts. If a system font is not installed, then the warning message will be displayed. The solution is to install the system fonts from the Solaris operating system media.

ISMP/Solaris: Installation Fails with # in Path Name

Installation on Solaris using ISMP can sometimes fail with the following error message:

    # install_pdosrte
    Exception in thread "main" java.lang.NoClassDefFoundError: run

This problem occurs when the Tivoli Access Manager for Operating Systems CD is mounted with a # in the path name. For example, the CD is normally mounted as /cdrom/amos_amos. When the CD gets mounted with something similar to /cdrom/amos_amos#1, the install will fail. The workaround is to clean up the /cdrom directory so that the CD gets mounted as /cdrom/amos_amos. A reboot of the system might be required to fix this problem.

ISMP: Install Fails with Illegal Argument Error

The InstallShield Multiplatform installation program requires a Java runtime level of 1.3.1 or higher. When executing the install_pdosrte script from the Tivoli Access Manager for Operating Systems, Version 4.1, CD, you will see an error similar to the following error if a down-level version of the java command is used:

    # ./install_pdosrte
    -cp: illegal argument
    Usage: java [-options] class

    where options include:
        -help             Print out this message.
        -version          Print out the build version.
        -fullversion      Print out the full version information.
        -v -verbose       Turn on the verbose mode.
        -debug            Enable remote Java debugging.
        -noasyncgc        Do not allow asynchronous garbage collection.
        -verbosegc        Print a message when garbage collection occurs.
        -noclassgc        Disable class garbage collection.
        -cs -checksource  Check if source is newer when loading classes.
        -ss number        Set the maximum native stack size for any thread.
        -oss number       Set the maximum Java stack size for any thread.
        -ms number        Set the initial Java heap size.
        -mx number        Set the maximum Java heap size.
        -D name=value     Set a system property.
        -classpath directories separated by colons
                          List directories in which to look for classes.
        -prof[:file]      Output profiling data to ./java.prof or ./file
        -verify           Verify all classes when read in.
        -verifyremote     Verify classes read in over the network (default).
        -noverify         Do not verify any class.

The workaround is to install the Java 1.3.1 version and to ensure that your PATH variable is set up correctly so that the install_pdosrte script will find the java command associated with the Java 1.3.1 or higher version.

The Java 1.3.1 installation package is available on the Tivoli Access Manager for Operating Systems, Version 4.1, CD.
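An added pre-flight check, not part of the IBM release notes or the product: it parses the banner printed by java -version and compares it with the 1.3.1 minimum, so a down-level java on PATH is caught before install_pdosrte is run. The function names and the --check flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the IBM release notes): check that the java found on
# PATH meets the 1.3.1 minimum the ISMP installer requires before running
# install_pdosrte against it.

MIN_JAVA_VERSION="1.3.1"

# Pull the quoted version out of a `java -version` banner line, for example
#   java version "1.3.1_04"   ->   1.3.1_04
# Prints nothing when the line carries no quoted version.
java_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Split a dotted version into "major minor micro"; an update suffix such as
# _04 is ignored and a missing minor or micro is read as 0. Fails on input
# that is not numeric, e.g. an empty string or a usage message.
split_version() {
    base=${1%%_*}
    major=${base%%.*}
    if [ "$rest" = "$base" ] || [ "$major" = "$base" ]; then
        rest=0
    else
        rest=${base#*.}
    fi
    minor=${rest%%.*}
    if [ "$minor" = "$rest" ]; then
        micro=0
    else
        rest=${rest#*.}
        micro=${rest%%.*}
    fi
    for n in "$major" "$minor" "$micro"; do
        case "$n" in
            ''|*[!0-9]*) return 1 ;;
        esac
    done
    printf '%s %s %s\n' "$major" "$minor" "$micro"
}

# Exit 0 when the banner's version is at least MIN_JAVA_VERSION, 1 when it is
# older, 2 when no version could be parsed from the banner.
java_version_ok() {
    ver=$(java_version_from_banner "$1")
    have=$(split_version "$ver") || return 2
    want=$(split_version "$MIN_JAVA_VERSION")
    set -- $have $want
    # $1..$3 = installed major/minor/micro, $4..$6 = required
    if [ "$1" -ne "$4" ]; then
        if [ "$1" -gt "$4" ]; then return 0; else return 1; fi
    fi
    if [ "$2" -ne "$5" ]; then
        if [ "$2" -gt "$5" ]; then return 0; else return 1; fi
    fi
    if [ "$3" -ge "$6" ]; then return 0; else return 1; fi
}

# Check the java that install_pdosrte would pick up from PATH.
check_path_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo "no java command on PATH" >&2
        return 2
    fi
    banner=$(java -version 2>&1 | head -n 1)
    if java_version_ok "$banner"; then
        echo "OK: $banner"
    else
        echo "DOWN-LEVEL: $banner (need $MIN_JAVA_VERSION or higher)" >&2
        return 1
    fi
}

# Run the live check only when invoked as: sh java_check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_path_java
fi
```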

ISMP: Optional Installation Directory Not Cleaned Up During Uninstall

The InstallShield Multiplatform uninstall program does not clean up the following four directories in the /opt installation directory:
- /gsk
- /ldapc
- /ldaps
- /pdos

ISMP/Solaris: Optional Installation Directory Not Supported on Solaris

The symbolic linking option is not supported on Solaris. The InstallShield Multiplatform panel will display /opt as the default directory but will not accept input.

ISMP/Solaris: ISMP Failures During Installation on Solaris 7 Machines

If, during the InstallShield Multiplatform installation of Tivoli Access Manager for Operating Systems on a Solaris 7 machine, you experience a problem with the following characteristics:

1. The Welcome panel is displayed. You click Next.
2. The License Agreement panel is displayed. You accept the license and click Next.
3. The installation fails immediately with a JVM error.

you should install the following Solaris patches and retry the InstallShield Multiplatform installation:

v 108376-38
v 107656-09
v 107081-45

ISMP: Response Files Might Contain Sensitive Data if an Install Fails

Sensitive data might be stored in the response files that are generated during the install_pdosrte process. Delete these response files after install_pdosrte completes. The location of the response files depends on the operating system platform:

Solaris and HP-UX platforms:
  /var/tmp/instant.rsp
  /var/tmp/pdosrte.drv.rsp

AIX and Linux platforms:
  /tmp/instant.rsp
  /var/tmp/pdosrte.drv.rsp

Install of IBM SecureWay Directory Client Might Fail

If the install of the IBM SecureWay Directory client on your Tivoli Access Manager for Operating Systems system fails because it is unable to establish communication with the LDAP server, verify that you do not have another LDAP client already installed on the system. Depending on how your operating system was installed, an LDAP client might have been installed automatically, which would conflict with the IBM SecureWay Directory client installed and used by Tivoli Access Manager for Operating Systems. To correct the problem, remove the other LDAP client and then reinstall the IBM SecureWay Directory client. For example, some Linux operating systems require the removal of the nss_ldap package (rpm -evf nss_ldap) first.


Compatibility Issues on Solaris Systems Running Tivoli SecureWay Policy Director Connection

Tivoli SecureWay Policy Director Connection, Versions 3.7 and 3.8, will not work correctly with the Tivoli Access Manager, Version 4.1, runtime on Solaris systems. There is no workaround for this problem. Do not install Tivoli Access Manager for Operating Systems and its prerequisites on a Solaris system where you are running Tivoli SecureWay Policy Director Connection.

Patch Required for Tivoli SecureWay Policy Director Connection Version 3.7

If you plan to install Tivoli Access Manager for Operating Systems on a system that has the Tivoli SecureWay Policy Director Connection Version 3.7 component already installed, you must apply a patch to prevent problems that might occur during distributions and populates. Apply E-Fix PDP37002 or patch 3.7.1-SEC-0006E, or later, to your system.

Applying the patch corrects an incompatibility that exists between the Tivoli SecureWay Policy Director Connection Version 3.7 component and the Tivoli Access Manager, Version 4.1, runtime environment, which is installed as part of the installation of Tivoli Access Manager for Operating Systems, Version 4.1. No reinstallation or reconfiguration is required after installing the patch.


Upgrade Notes

Before upgrading your existing version of Tivoli Access Manager for Operating Systems, review the following notes to determine if they pertain to your installation environment.

Changes to Initial Policy

Changes were made to the initial Tivoli Access Manager for Operating Systems policy. This is the policy that is defined by default when the first Tivoli Access Manager for Operating Systems system is initially configured, and when the first system is configured in a new policy branch.

These changes were not automatically applied during your upgrade of Tivoli Access Manager for Operating Systems. A utility, pdos_defpolicy_update, is provided to help upgrade existing environments to use this new policy. See ″Upgrade Post-Installation Procedures″ in the IBM Tivoli Access Manager for Operating Systems Installation Guide for details.

Upgrading a Configured Linux System

On configured Linux systems, you must unconfigure Tivoli Access Manager for Operating Systems, Version 3.8, before you upgrade to Version 4.1. This is true for both the InstallShield Multiplatform and native Linux installation processes. You can retain the defined policy by running the pdostecucfg and pdosucfg commands with no options. This unconfigures without removing the defined policy from the policy database.


After Tivoli Access Manager for Operating Systems is installed, configured, and started, the existing policy will be downloaded from the policy server. Review the following files to see how the system is configured:

v /opt/pdos/etc/osseal.conf
v /opt/pdos/etc/pdosauditd.conf
v /opt/pdos/etc/pdosd.conf
v /opt/pdos/etc/pdoswdd.conf


Chapter 3. Known Issues and Workarounds

Extensive IBM and customer field testing of Tivoli Access Manager for Operating Systems has revealed a number of behaviors that are documented in this section. These behaviors should be reviewed and the workarounds (where provided) employed to avoid any adverse effects. Some of the behaviors may be remedied in future product updates; others relate to items outside of Tivoli Access Manager for Operating Systems' control. Issues related to internationalized versions of the product can be found in Chapter 5, “Internationalization Notes” on page 25.

Runtime Problems on SPARCstation-5 Running Solaris 8

A problem has been encountered running Tivoli Access Manager, Version 4.1, and Tivoli Access Manager for Operating Systems, Version 4.1, executables on a SPARCstation-5 installed with Solaris 8. Tivoli Access Manager executables (for instance pdversion) fail as follows:

#pdversion
ld.so.1: /opt/PolicyDirector/sbin/ivprintmsg: fatal: /usr/lib/libCstd.so.1: bad EFF flags value: 256

It appears that the Solaris 8 system file /usr/lib/libCstd.so.1 is not compatible with this hardware.

Because of this problem, Tivoli Access Manager, Version 4.1, and Tivoli Access Manager for Operating Systems, Version 4.1, are not supported on a SPARCstation-5 installed with Solaris 8.

Red Hat Linux authconfig Command and Login/Password Policy Configuration

The configuration of login activity and password management policy on Red Hat Linux systems might cause the /etc/pam.d/system-auth file to be updated. Because /etc/pam.d/system-auth is generated by running the authconfig command, any changes made for Tivoli Access Manager for Operating Systems configuration will be lost if the authconfig command is rerun.

If it is necessary to rerun the authconfig command after login activity and password management policy has been configured, perform the following steps:

1. Unconfigure login/password policy using the following command:

   pdoscfg -login_policy off

2. Run authconfig.

3. Reconfigure login/password policy using the following command:

   pdoscfg -login_policy on

Linux for zSeries Problem with More than One CPU

Tests have identified a Linux kernel bug related to using IUCV while running Linux for zSeries images under VM with more than one CPU (the result could be a VM or network hang). If you encounter this problem, the current workaround is to run with only one CPU.


Recommended Patch for HP-UX 11.11 Systems

During testing, a problem was encountered on an HP-UX 11.11 system that is fixed by the installation of the HP-UX patch PHNE_25064.

The symptom of the problem was that one of the threads in the PDOSD daemon was hung in a socket call. The socket call hangs in the initialization of the HP STREAMS layer. Other PDOSD threads are blocked in operating system routines waiting for a mutex lock held by the hung socket call. The PDOSD daemon went into isolation mode and never came out. It also stopped responding to requests for authorization decisions from the Tivoli Access Manager for Operating Systems kernel server, causing the kernel service to make default decisions under error conditions: accesses initiated by the root user were permitted, but accesses by non-root users were denied. During investigation of these problems, we were able to identify an HP-UX patch, PHNE_25064, that addresses this problem. The problem was not seen again after the patch was applied on the machine.

The patch information is as follows:

Patch Name: PHNE_25084
Patch Description: s700_800 11.11 Cumulative STREAMS Patch
Creation Date: 01/10/30
Post Date: 01/11/01
...
Symptoms:

PHNE_25084:
1. In a multi-threaded socket application when a thread closes a socket on which another thread is doing accept(), the closing thread hangs. JAGad88349
...
9. Threads hung sleeping in ioctl_sleep. JAGad86805
   _swtch+0xc4
   _sleep+0x4cc
   ioctl_sleep+0x30c
   ioctl_bufcall+0x80
   str_async_ioctl+0x670
   hpstreams_ioctl_int+0xf8
   streams_ioctl+0x34

Symptom 9 matches the problem being observed.

AIX NIS Client and Tivoli Access Manager for Operating Systems Startup Order

On AIX systems, if the system is an NIS client, the NIS client must be started before Tivoli Access Manager for Operating Systems. This is the default when Tivoli Access Manager for Operating Systems is configured for automatic start at system boot time. If you manually modify the /etc/inittab file after Tivoli Access Manager for Operating Systems is configured, you must ensure that the entry for Tivoli Access Manager for Operating Systems comes after the entry for the NIS client.
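The following script is an added example for checking the inittab ordering described above; it is not part of the release notes or of the product. It parses AIX-style /etc/inittab entries (id:runlevel:action:command, with a leading colon marking a commented-out entry), locates the first active entry whose command contains a given text, and compares line positions. The rc.osseal command name is the one the release notes show; the assumption that the NIS client is started from /etc/rc.nfs, and the sample inittab files, are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the release notes: verify that in an AIX-style
# /etc/inittab the NIS client entry precedes the Tivoli Access Manager for
# Operating Systems entry. The rc.nfs default for the NIS client and the
# sample files are assumptions made for this example.

# Print the line number of the first active (uncommented) entry whose command
# field contains the given text; print nothing if there is none.
inittab_entry_line() {
    awk -F: -v pat="$2" '
        /^[ \t]*$/ { next }                      # blank line
        /^:/       { next }                      # commented-out entry (AIX)
        {
            cmd = $4
            for (i = 5; i <= NF; i++) cmd = cmd ":" $i   # command may contain colons
            if (index(cmd, pat) > 0) { print NR; exit }
        }
    ' "$1"
}

# Return 0 when the NIS entry comes before the PDOS entry, 1 when the order
# is wrong, 2 when there is no active PDOS entry at all. Patterns default to
# rc.nfs (assumed NIS client start) and rc.osseal (from the release notes).
inittab_nis_before_pdos() {
    file="$1"
    nis_pat="${2:-rc.nfs}"
    pdos_pat="${3:-rc.osseal}"
    pdos=$(inittab_entry_line "$file" "$pdos_pat")
    if [ -z "$pdos" ]; then
        echo "no active $pdos_pat entry in $file" >&2
        return 2
    fi
    nis=$(inittab_entry_line "$file" "$nis_pat")
    if [ -z "$nis" ]; then
        return 0          # no NIS client entry: nothing to order against
    fi
    if [ "$nis" -lt "$pdos" ]; then
        return 0
    fi
    echo "$pdos_pat (line $pdos) starts before $nis_pat (line $nis) in $file" >&2
    return 1
}

# Constructed sample inittab files (not copied from any real system).
sample_inittab_good() {
    printf '%s\n' \
        'init:2:initdefault:' \
        'brc::sysinit:/sbin/rc.boot 3 >/dev/console 2>&1 # Phase 3 of system boot' \
        'rcnfs:23456789:wait:/etc/rc.nfs > /dev/console 2>&1 # Start NFS Daemons' \
        'rc.osseal:2:wait:/opt/pdos/bin/rc.osseal start'
}
sample_inittab_bad() {
    printf '%s\n' \
        'init:2:initdefault:' \
        'rc.osseal:2:wait:/opt/pdos/bin/rc.osseal start' \
        'rcnfs:23456789:wait:/etc/rc.nfs > /dev/console 2>&1 # Start NFS Daemons'
}

# Demonstration on the samples.
demo_dir=$(mktemp -d)
sample_inittab_good > "$demo_dir/inittab.good"
sample_inittab_bad > "$demo_dir/inittab.bad"
inittab_nis_before_pdos "$demo_dir/inittab.good" && echo "inittab.good: order is correct"
inittab_nis_before_pdos "$demo_dir/inittab.bad" || echo "inittab.bad: fix the order"
rm -rf "$demo_dir"
```

To check a real system, run inittab_nis_before_pdos /etc/inittab, passing the pattern that identifies your NIS client entry as the second argument if it is not started from rc.nfs.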

Policy Updates Occurring During Configuration Might Cause Errors

The pdoscfg command might fail if policy updates are occurring during the configuration process. This situation might arise if any of the following activities are occurring within the Tivoli Access Manager domain at the same time as the configuration of a new Tivoli Access Manager for Operating Systems system. They are listed in decreasing order of likelihood of causing the configuration to fail:


v Performing policy administration while configuring a Tivoli Access Manager for Operating Systems system
v Configuring Tivoli Access Manager for Operating Systems on the first system to subscribe to a new policy branch
v Unconfiguring Tivoli Access Manager for Operating Systems on a system specifying the -remove_per_policy on option of the pdosucfg command
v Configuring Tivoli Access Manager for Operating Systems as the second or later machine subscribing to an existing policy branch
v Unconfiguring Tivoli Access Manager for Operating Systems on a system

If the Tivoli Access Manager for Operating Systems configuration process fails because of concurrent policy updates, an error is recorded in the error log associated with the pdoscfg command, /var/pdos/log/msg__pdoscfg.log. To correct the problem, issue the pdoscfg command again after the conflicting operations have completed.

pdosucfg Command Completes with Errors

The pdosucfg command completes Tivoli Access Manager for Operating Systems unconfiguration even if errors are encountered during some of the unconfiguration steps. Some manual cleanup might need to be performed to complete the Tivoli Access Manager for Operating Systems unconfiguration.

v If the pdosucfg command reports that it has completed with errors, check the /var/pdos/log/msg__pdoscfg.log file for more information about the specific errors.

v If errors were encountered when running the svrsslcfg command to unregister with Tivoli Access Manager, on the system where unconfiguration failed, type the following svrsslcfg command on the command line:

  /opt/PolicyDirector/bin/svrsslcfg -unconfig -f /dev/null \
      -n pdosd -P sec_master_password

  where sec_master_password is your Tivoli Access Manager security master password. Ensure that the Tivoli Access Manager policy server is operating normally before issuing the command.

v If errors were encountered while unregistering the machine-specific policy information, enter the following pdadmin command to complete the machine-specific policy removal:

  pdadmin> group modify pdosd-branch/policy-branch remove pdosd/hostname

  where policy-branch is the name that was specified for the -branch option of the pdoscfg command and hostname is the hostname of the machine on which the pdoscfg command failed. Ensure that the Tivoli Access Manager policy server is operating normally before issuing the command.

v If the -remove_per_policy on option of the pdosucfg command was specified and errors were encountered while unregistering the policy-specific policy information, type the following pdadmin command on the command line to complete the policy branch removal:

  pdadmin> objectspace delete /OSSEAL/policy_branch

  where policy_branch is the name that was specified for the -branch option of the pdoscfg command. Ensure that the Tivoli Access Manager policy server is operating normally before issuing the command.


Failed Password Changes on AIX Systems Not Audited

Failed attempts to change a password on AIX systems due to system restrictions, such as failing to match the old password, are not audited by Tivoli Access Manager for Operating Systems.

Files Protected with Rename Permission Can Be Renamed on Linux Systems Using mv Command

A file protected with an ACL of Rename can be renamed using the mv command on Linux. This is caused by the mv command on Linux copying the file to the destination directory after its use of the rename system call fails. Using the rename command results in the action being denied, as expected.

Policy Not Enforced on Solaris Systems Using NFS Version 2

Tivoli Access Manager for Operating Systems policy is not enforced for files and directories that reside on volumes mounted using NFS Version 2 on Solaris systems. Volumes mounted using NFS Version 3 are protected as expected. Files and directories to be protected on Solaris systems should only be mounted using NFS Version 3.

No Trace Events for Processes Started Before Tivoli Access Manager for Operating Systems

As described in the IBM Tivoli Access Manager for Operating Systems Administration Guide, trace_file and trace_exec audit events are not generated for processes that were running before Tivoli Access Manager for Operating Systems was started. Try to arrange your start sequence so that Tivoli Access Manager for Operating Systems is started and active before starting processes that you want to monitor.

Trace Events for CDE-Originated Logins Might Be Missed

As described in the IBM Tivoli Access Manager for Operating Systems Administration Guide, trace_file and trace_exec audit events might not be generated for processes that are starting at the same time as Tivoli Access Manager for Operating Systems. This problem can occur on systems where a CDE-originated login occurs after the initialization of Tivoli Access Manager for Operating Systems has started, but before it has completed. To reduce the chance of this occurring, you can change the order in which the processes on the system start and perhaps introduce a sleep interval of 30 seconds or more.

Tivoli Access Manager for Operating Systems Login Activity Policy on HP-UX with rexec/remsh

The Tivoli Access Manager for Operating Systems login activity policy does not work with the HP-UX login programs rexecd and remshd on HP-UX 11.00 levels prior to HP-UX 11.11 (11i). This is a limitation of the HP-UX 11.00 platform because these programs are not PAM-enabled. Other login policy (such as terminal, time of day, holiday) is still applied. Login using rexecd or remshd on an HP-UX 11.00 machine should be disabled if there is a need to enforce login activity policy.

These programs are PAM-enabled in HP-UX, release 11.11 (11i), as described in the ″rexecd, remshd - used PAM for authentication″ document, under the heading ″HP-UX 11i non-critical enhancement impacts″ at http://devresource.hp.com/STK/impactlist.html.

Grace Login Behavior is Different on AIX Systems

On AIX systems running in an NIS environment, the handling of grace logins is different from that on other platforms, or on AIX systems where password information is maintained locally. Normally, when your password expires and the grace logins value is set to zero, you are prompted to change your password upon your next login attempt. However, because AIX does not use Pluggable Authentication Modules (PAM) for authorization, this condition in an NIS environment results in the login attempt being denied. A new password change date must be set for the user before that user can successfully log in.

Cannot Remove the Logfile Adapter During a Distribution

The Tivoli Enterprise Console UNIX logfile adapter cannot be removed from endpoints when an adapter configuration profile, either PDOS-ACPROF or PDOS-RISKMGR-ACPROF, is being updated to remove adapter records and then distributed.

To remove the logfile adapter in this case, do the following:

1. Stop the logfile adapter. This can be done using the Stop TEC Adapter task from the Tivoli desktop.
2. Remove the adapter record in the appropriate adapter configuration profile.
3. Distribute the updated adapter configuration profile.

Logfile Adapter Fails to Start on AIX 5.1 Systems After Reboot

The Tivoli Enterprise Console UNIX logfile adapter can fail to start on AIX 5.1 systems after a reboot. This problem occurs because the /etc/Tivoli/tecad/pdos/bin/init.tecad_logfile file provided with Tivoli Enterprise Console, Version 3.7.1, does not handle the AIX 5.1 uname.

To correct the problem, modify the /etc/Tivoli/tecad/pdos/bin/init.tecad_logfile file to add the following lines (a case branch matching the AIX 5 uname) after line 168 in the existing file:

    *:AIX:*:5)
        INTERP="aix4-r1"
        ;;

Logfile Adapter on Solaris Systems Fails Under Heavy Load

The Tivoli Enterprise Console UNIX logfile adapter can fail on Solaris systems when the volume of generated audit events is high. If the logfile adapter fails, you can restart it using the Start TEC Adapter task from the Tivoli desktop.

Considerations When Running on HACMP for AIX Systems

When running on a High Availability Cluster Multiprocessing (HACMP) for AIX system, you need to ensure that the appropriate actions are taken when a system is taken down and rolled over to another system in the HACMP cluster. This is necessary because Tivoli Access Manager for Operating Systems relies on IP addresses when communicating with the LDAP server. In an HACMP pre-event script, shut down Tivoli Access Manager for Operating Systems. In an HACMP post-event script, which runs on the new system, restart Tivoli Access Manager for Operating Systems. This ensures that Tivoli Access Manager for Operating Systems runs in a consistent network environment. Consult the HACMP for AIX documentation for additional details.

Tasks Do Not Encrypt Tivoli Access Manager Administrator Password

The following tasks, provided in the Tivoli Access Manager for Operating Systems Management Tasks component, do not hide the Tivoli Access Manager administrator password when it is entered on the display on a UNIX server. The tasks are provided for optional use in a Tivoli Framework environment. The tasks are:

v Configure PDOS Server
v Import UNIX Users and Groups
v Migrate TACF to PDOS
v Add/Remove PDOS Auditors/Administrators
v Query Branch Membership
v Show PDOS Auditors/Administrators

Passwords are subsequently sent over the network to the target machine unencrypted, which could result in the passwords being intercepted and security being compromised.

Extraneous Text Shown for Hostname in Events in Tivoli Risk Manager

When integrating Tivoli Access Manager for Operating Systems events with Tivoli Risk Manager, Version 3.8, events are displayed with extraneous text in the hostname field. The hostname field displayed might look similar to the following:

<Event Base Class>:<Machine hostname> <Event Source Hostname>:N/A Destination Hostname

The character string N/A should be ignored.

Auth Requisite Modules on PAM Platforms

Tivoli Access Manager for Operating Systems login activity policy requires that there be no pluggable authentication module (PAM) auth modules that are requisite for login purposes. This means that in the PAM configuration files, no auth module can have its control flag set to requisite. (See the documentation on PAM configuration files for more information.) A requisite module that fails ends the authentication stack immediately, which bypasses necessary steps that are performed by the Tivoli Access Manager for Operating Systems login activity PAM module. These modules must have their control flags set to required.

Some platforms (for example, SuSE Linux) ship some PAM configuration files that specify auth modules as requisite. These configuration files must be edited and the control flag changed from requisite to required. PAM configuration files vary, depending on the platform: HP-UX and Solaris systems use the /etc/pam.conf file to configure PAM; Linux platforms use files under the /etc/pam.d directory; AIX does not support PAM. Any line in the configuration files that specifies both auth and requisite must be modified to specify auth and required.
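The following script is an added example of the check and edit just described; it is not part of the release notes or of the product. It reports auth lines whose control flag is requisite and rewrites them to required, handling both the /etc/pam.conf layout (service type control module) used on HP-UX and Solaris and the /etc/pam.d/<service> layout (type control module) used on Linux. The sample configuration files it writes are constructed for the example; run the functions against your own files after backing them up.

```shell
#!/bin/sh
# Added example, not part of the release notes: report and correct "auth"
# PAM entries whose control flag is "requisite", which the login activity
# module requires to be "required". The sample files written by
# pam_write_samples are constructed for this example.

# Print offending lines as file:line:text for every file given.
# A line is flagged when the field before "requisite" is "auth", which holds
# in both the pam.conf and pam.d layouts; comments and blank lines are skipped.
pam_find_auth_requisite() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i == "auth" && $(i + 1) == "requisite") {
                    print FILENAME ":" NR ":" $0
                    break
                }
        }
    ' "$@"
}

# Rewrite one file in place, changing requisite to required only on auth
# lines, and print the number of lines changed. Changed lines are rejoined
# with single spaces; untouched lines keep their original spacing.
pam_fix_auth_requisite() {
    file="$1"
    tmp="${file}.tmp.$$"
    count=$(awk -v out="$tmp" '
        /^[ \t]*#/ || /^[ \t]*$/ { print > out; next }
        {
            for (i = 1; i < NF; i++)
                if ($i == "auth" && $(i + 1) == "requisite") {
                    $(i + 1) = "required"
                    changed++
                    break
                }
            print > out
        }
        END { print changed + 0 }
    ' "$file") && mv "$tmp" "$file"
    echo "${count:-0}"
}

# Constructed samples in both layouts (not copied from any real system).
pam_write_samples() {
    dir="$1"
    printf '%s\n' \
        '# constructed sample in /etc/pam.d style' \
        'auth       requisite    pam_unix2.so' \
        'auth       required     pam_securetty.so' \
        'account    requisite    pam_unix2.so' \
        'session    required     pam_unix2.so' > "$dir/login"
    printf '%s\n' \
        '# constructed sample in /etc/pam.conf style' \
        'login   auth     requisite  /usr/lib/security/libpam_unix.1' \
        'login   account  required   /usr/lib/security/libpam_unix.1' > "$dir/pam.conf"
}

# Demonstration: report, fix, report again (the second report prints nothing).
demo=$(mktemp -d)
pam_write_samples "$demo"
echo "Before:"; pam_find_auth_requisite "$demo/login" "$demo/pam.conf"
for f in "$demo/login" "$demo/pam.conf"; do
    echo "$f: $(pam_fix_auth_requisite "$f") line(s) changed"
done
echo "After:"; pam_find_auth_requisite "$demo/login" "$demo/pam.conf"
rm -rf "$demo"
```

Only auth lines are touched; the account line that is also requisite in the sample is left alone, since the requirement stated above applies to auth modules.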

Problems Unlocking CDE Screen Lock on AIX Systems after Installation/Configuration

If Tivoli Access Manager for Operating Systems is installed, configured, and started on an AIX system with an active CDE environment that has been screen-locked, attempts to unlock the CDE screen lock might fail. This is because, on AIX systems, the CDE-related processes do not fully reevaluate the AIX authentication plug-in configuration files when they are updated while the CDE processes are running. Notably, the /usr/lib/security/methods.cfg file is not reprocessed. As a result, the login (or screen unlock) processing does not complete successfully. This behavior seems to have been introduced in AIX, Version 5, and on the most recent maintenance levels of AIX, Version 4.3.3.

There are two ways to work around this behavior:

v Reboot the machine after the configuration of Tivoli Access Manager for Operating Systems.

OR

v Stop (kill -9) all the CDE-related processes and the X server. Then restart CDE with /etc/rc.dt start. Following is an example of this procedure initiated from a remote login window:

#ps -ef|grep dt
root  3922  7228   0 08:49:30      -  0:00 /usr/dt/bin/dtlogin
root  4206  3922   0 08:49:31      -  0:00 /usr/lpp/X11/bin/X -D /usr/lib/X11//rgb -T -force :0 -auth /var/dt/A:0-SUdRia
root 18736 22978   0 09:13:23      -  0:00 dtgreet
root 19900  7746   2 09:13:39  pts/0  0:00 grep dt
root 22978  3922   0 09:13:23      -  0:00 dtlogin <:0>
#ps ef|grep X
root  4206  3922   0 08:49:31      -  0:00 /usr/lpp/X11/X -D /usr/lib/X11//rgb -T -force :0 -auth /var/dt/A:0-SUdRia
root 16264     1   0 08:04:08      -  0:00 /usr/bin/AIXPowerMgtDaemon
root 23040  7746   0 09:13:43  pts/0  0:00 grep X

#kill -9 3922 4206 18736 22978

# /etc/rc.dt start
Starting AIX Windows Desktop....

Execution of PDOS Tasks Without root in osseal-admin

If root is removed from the osseal-admin group, the PDOS Tasks must be modified to run under a user ID that has been added to the osseal-admin group. Several other actions should be taken because of the architecture of Tivoli Management Agent (TMA) task execution. The basic execution of a Task on an endpoint is as follows. Solaris is used in the example, but the steps apply to all platforms.

1. The user runs a task on a Solaris endpoint for the first time.
2. The executable that contains the run_task() method for an endpoint is named task_endpoint. The TMA knows that this is supposed to live at $LCFROOT/dat/1/cache/bin/solaris2/TAS/TASK_LIBRARY/task_endpoint.
3. The TMA checks its cache index to determine if the file exists.
4. Because this is a brand new endpoint install, it does not exist.
5. The TMA contacts the gateway it is connected to and downloads task_endpoint from the gateway's lcf_bundle directory. It then updates its cache index with unique information about task_endpoint. The information is basically a signature that uses the date of the file.
6. The TMA spawns $LCFROOT/dat/1/cache/bin/solaris2/TAS/TASK_LIBRARY/task_endpoint as root to execute the requested task.
7. Before spawning the actual task, task_endpoint must switch to the user ID under which the task is supposed to run. If a group ID was specified, it must be changed to this ID as well.
8. The user runs the task on the same endpoint again.
9. The TMA checks its cache index, finds task_endpoint, and then requests that the gateway compare the signature to task_endpoint in the gateway's lcf_bundle directory. If they match, task execution proceeds. If they do not match, meaning that task_endpoint in the gateway's lcf_bundle is newer (from a patch) than what is in the cache, then the TMA downloads the new task_endpoint and task execution proceeds.

Steps 7 and 9 can cause problems in a Tivoli Access Manager for Operating Systems environment. For Step 7, appropriate policy must be implemented to allow task_endpoint to switch to the execution ID. This can be accomplished by registering task_endpoint as an impersonator program using:

/OSSEAL/branch/TCB/Impersonator-Programs/LCFROOT/dat/1/cache/bin/cache/bin/solaris2/TAS/TASK_LIBRARY/task_endpoint

If a new task_endpoint is downloaded, as in Step 9, then task_endpoint becomes untrusted. The pdosobjsig command can be used to retrust task_endpoint.

Take this information into account when changing the user ID that the PDOS Tasksrun under and implement policy appropriate to your environment.

Tivoli Access Manager for Operating Systems Login Activity Policy with $HOME/.rhosts and /etc/hosts.equiv

The use of the system files $HOME/.rhosts and /etc/hosts.equiv is discouraged when Tivoli Access Manager for Operating Systems login activity policy is configured because the files are viewed as insecure. The behavior of this configuration depends on the platform. On AIX systems, $HOME/.rhosts and /etc/hosts.equiv completely circumvent Tivoli Access Manager for Operating Systems login activity policy with programs that use these files for authentication (rlogin, rsh, and so forth). Other login policy (such as terminal, time of day, holiday) is still enforced. This is a limitation of the AIX platform, as the Tivoli Access Manager for Operating Systems authentication plug-in is not invoked when authentication occurs through $HOME/.rhosts and /etc/hosts.equiv.

On pluggable-authentication-module (PAM) platforms, Solaris, HP-UX, and Linux, Tivoli Access Manager for Operating Systems correctly enforces login activity policy, even if the $HOME/.rhosts or /etc/hosts.equiv entries are used during authentication by programs such as rlogin and rsh. If an account is suspended or locked due to login activity policy enforcement, subsequent access will be denied.


Limitation of the pdosexempt Command

The pdosexempt command only works for processes that Tivoli Access Manager for Operating Systems is aware of. Tivoli Access Manager for Operating Systems gains awareness when it sees a process start. Processes that exist prior to the first start of Tivoli Access Manager for Operating Systems on a system after a reboot cannot be exempted from authorization policy by the pdosexempt command. Any such process must be restarted so that Tivoli Access Manager for Operating Systems is aware of the process before the pdosexempt command can be used to render that process exempt from policy.

Group Name Used to Maintain Branch Membership Is Not Case-Sensitive

The group name used to maintain the Branch Membership information (pdosd-branch/policybranch) is not case-sensitive. For example, assume that two Tivoli Access Manager for Operating Systems clients are configured with the same branch name but with different alphabetic characters in the branch name capitalized (for example, Test and test). Each client will have a distinct object space (/OSSEAL/Test and /OSSEAL/test) for enforcing policy, but will have the same LDAP group name (pdosd-branch/test) to maintain the information-only copy of the branch membership. As a result, the branch membership report returns the machines in both the policy branches as members. To work around this problem, ensure that the policy branch names are unique (ignoring case) in the Tivoli Access Manager for Operating Systems environment.
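The following script is an added example for finding branch names that collide once case is ignored; it is not part of the release notes or of the product. It reads branch names from standard input, one per line, groups them by their lowercased form, and reports every group with more than one distinct spelling, which is exactly the situation that produces a shared pdosd-branch group. The sample list is constructed; on a real installation feed it the branch names from your clients' pdoscfg -branch settings.

```shell
#!/bin/sh
# Added example, not part of the release notes: detect policy branch names
# that are identical once case is ignored. The sample list below is
# constructed for the example.

# Print one line per colliding group, "lowercase: Name1 Name2 ...", in
# first-seen order. Exit status 1 if any collision was found, 0 otherwise.
branch_name_collisions() {
    awk '
        /^[ \t]*$/ { next }
        {
            key = tolower($1)
            if (!(key in count)) { order[++n] = key; count[key] = 0 }
            if (!((key, $1) in member)) {   # the same exact name twice is not a collision
                member[key, $1] = 1
                names[key] = (count[key] > 0) ? names[key] " " $1 : $1
                count[key]++
            }
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (count[k] > 1) { print k ": " names[k]; bad = 1 }
            }
            exit bad
        }
    '
}

# Constructed sample: two pairs differ only in case, one name repeats exactly.
sample_branch_names() {
    printf '%s\n' Test test prod PROD qa prod
}

# Demonstration.
if sample_branch_names | branch_name_collisions; then
    echo "no case-insensitive collisions"
else
    echo "rename the branches listed above so that names are unique ignoring case"
fi
```

The exact repeat of prod is deliberately not reported: two clients configured with the identical branch name share an object space as intended, whereas prod and PROD get separate object spaces but one membership group.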


Chapter 4. Documentation Notes

Tivoli Access Manager Documents Located with Tivoli Access Manager for Operating Systems Documents on Support Web Site

For your convenience, the Tivoli Access Manager documents listed as prerequisites in the prefaces of these release notes are available at the same location on the Customer Support Web site as the Tivoli Access Manager for Operating Systems documents:

http://www.tivoli.com/support/public/Prodman/public_manuals/td/TD_PROD_LIST.html

In addition, some of the Tivoli Access Manager document numbers listed in the prefaces of Tivoli Access Manager for Operating Systems documents are incorrect. The correct document numbers can be found in the Preface of this document at “Prerequisite Publications” on page viii.

Error in Password Management Policy Attributes Table

In Chapter 2, ″Policy″, of the IBM Tivoli Access Manager for Operating Systems Administration Guide, there is an error in Table 17, Password Management Policy Attributes. The first column heading should be Password Management Attribute, not Login Activity Attribute.


Chapter 5. Internationalization Notes

Limitations and problems encountered during testing of internationalized versions of Tivoli Access Manager for Operating Systems that could not be fixed in the final version of the product are outlined in this section, along with any known workarounds.

General Notes

The following general notes apply to one or more internationalized versions of Tivoli Access Manager for Operating Systems.

Language Limitations Involving Non-ASCII Characters

The following limitations apply when you run a Tivoli Access Manager policy server and Tivoli Access Manager for Operating Systems in a non-English environment.

If user data contains characters other than those in the portable character set (7-bit US-ASCII), you must ensure that all Tivoli Access Manager components run using the same code page to properly share data among these components.

Notes Regarding AIX Systems

The following notes apply to AIX systems only.

PDOSD Daemon Does Not Autostart on AIX Systems with LC_MESSAGES=C@lft in /etc/environment

The PDOSD daemon will fail to start correctly at system boot time on AIX systems where the /etc/environment file contains the lines:

LC_MESSAGES=C@lft
export LC_MESSAGES

One workaround to this problem is to edit the /etc/environment file and comment out those two lines. After making the change, shut down and reboot the system. The PDOSD daemon should start as expected.

If these lines are necessary for low-function terminals to work correctly in your environment, an alternative workaround is to ensure that LC_ALL is set correctly prior to the PDOSD daemon starting. For example, to accomplish this on a Japanese system, write a new script, /usr/local/bin/osseal_init.sh, that contains the following lines (the #!/bin/sh interpreter line must be the first line of the file):

#!/bin/sh
#
# osseal_init.sh: set the locale, then start the PDOSD daemon
#
export LC_ALL=Ja_JP
/opt/pdos/bin/rc.osseal start
exit 0

Then comment out the original rc.osseal entry in the /etc/inittab file and add a new entry that calls the new osseal_init.sh script:


:
: /etc/inittab (AIX treats a line beginning with a colon as a comment)
:
(other lines)
:rc.osseal:2:wait:/opt/pdos/bin/rc.osseal start
rc.osseal:2:wait:/usr/local/bin/osseal_init.sh

If you use the pdoscfg command to turn off the -autostart parameter, you must do this workaround again when you turn it on again.
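The two workarounds above leave a system in one of three states: no C@lft setting (or it is commented out), the wrapper script wired into /etc/inittab with the original entry disabled, or a half-applied change. The following script is an added example, not part of the IBM release notes, that audits copies of /etc/environment and /etc/inittab for those states. The file paths, the C@lft value, the rc.osseal command and the osseal_init.sh wrapper name come from the notes; the sample file contents are constructed here for demonstration, so the script runs offline against temporary files rather than the live system.

```shell
#!/bin/sh
# Added example (not from the IBM release notes): audit whether an AIX system
# needs the PDOSD autostart workaround described in the notes, and whether the
# inittab variant of the workaround has been applied completely.
# The sample /etc/environment and /etc/inittab contents below are constructed.

# Return 0 when the file sets LC_MESSAGES=C@lft, the /etc/environment setting
# that stops PDOSD from starting at boot. Lines commented out with '#' are
# ignored, which is what the first workaround produces.
env_sets_lft_messages() {
    grep -q '^[[:space:]]*LC_MESSAGES=[Cc]@lft[[:space:]]*$' "$1"
}

# Return 0 when an ACTIVE inittab entry calls /opt/pdos/bin/rc.osseal directly.
# AIX treats a line starting with ':' as a comment, so a commented-out entry
# does not count. Field 4 of an id:runlevel:action:command entry is the command.
inittab_runs_rc_osseal_directly() {
    awk -F: '$0 !~ /^[#:]/ && $4 ~ /\/opt\/pdos\/bin\/rc\.osseal/ { hit = 1 }
             END { exit !hit }' "$1"
}

# Return 0 when an ACTIVE inittab entry calls the locale-setting wrapper script.
inittab_runs_wrapper() {
    awk -F: '$0 !~ /^[#:]/ && $4 ~ /osseal_init\.sh/ { hit = 1 }
             END { exit !hit }' "$1"
}

# Print one word: OK, NEEDS_WORKAROUND or INCOMPLETE.
pdosd_autostart_status() {
    envfile=$1
    inittab=$2
    if ! env_sets_lft_messages "$envfile"; then
        echo OK                  # C@lft absent or commented out: first workaround
    elif inittab_runs_wrapper "$inittab" && ! inittab_runs_rc_osseal_directly "$inittab"; then
        echo OK                  # second workaround fully applied
    elif inittab_runs_wrapper "$inittab"; then
        echo INCOMPLETE          # wrapper added but original entry still active
    else
        echo NEEDS_WORKAROUND
    fi
}

# --- constructed sample files standing in for /etc/environment and /etc/inittab ---
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/environment" <<'EOF'
PATH=/usr/bin:/etc:/usr/sbin
LC_MESSAGES=C@lft
export LC_MESSAGES
EOF
cat > "$tmpdir/inittab.before" <<'EOF'
init:2:initdefault:
rc.osseal:2:wait:/opt/pdos/bin/rc.osseal start
EOF
cat > "$tmpdir/inittab.after" <<'EOF'
init:2:initdefault:
:rc.osseal:2:wait:/opt/pdos/bin/rc.osseal start
rc.osseal:2:wait:/usr/local/bin/osseal_init.sh
EOF

echo "before workaround: $(pdosd_autostart_status "$tmpdir/environment" "$tmpdir/inittab.before")"
echo "after workaround:  $(pdosd_autostart_status "$tmpdir/environment" "$tmpdir/inittab.after")"
```

Run it as root on the real system by passing /etc/environment and /etc/inittab to pdosd_autostart_status; INCOMPLETE is the state to look for after a pdoscfg -autostart change, since the notes say the workaround has to be redone then.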

Notes Regarding Linux Systems

The following notes apply to Linux systems only.

Japanese Locale and Language Setting Supported on Linux Systems

The only supported locale and language setting for Japanese is ja_JP.eucjp. For example:

LANG=ja_JP.eucjp
LC_ALL=ja_JP.eucjp

Note: Notice the case used in the locale name of ja_JP.eucjp. Using a locale name with different case, such as ja_JP.eucJP, does not work.

Japanese SJIS is not currently supported.

Tivoli Access Manager for Operating Systems Considerations When Using International Locales on Linux Systems

This section describes setting up Tivoli Access Manager on Red Hat Linux 7.1 using international locales. The information applies to Japanese EUC and Traditional Chinese (BIG5). Japanese SJIS is not currently supported.

1. Install Red Hat Linux 7.1 with Japanese and Traditional Chinese support and with the X Window System. Configure X, then launch X.
2. Install the PDRTE package.
3. Install the IBM Tivoli Access Manager Language Pack:

# ./pd_lp

4. Configure the PDRTE against a PDMgr that also supports the required locale.

For Japanese EUC:

1. Run the following commands:

# export LC_ALL=ja_JP.eucjp
# export LANG=ja_JP.eucjp
# rxvt -km eucj &

2. In the rxvt terminal, load pdconfig and ensure that the configuration menu appears in Japanese.

For Traditional Chinese:

An additional package that contains the necessary fonts is required. These fonts are not included with Red Hat Linux 7.1.

1. Run the following commands:

# rpm -i cxterm-5.1p1-2.i386.rpm
# export LANG=zh_TW
# export LC_ALL=zh_TW
# cxterm -big5


2. In the cxterm terminal, load pdconfig and ensure that the configuration menu appears in Chinese. The cxterm package can be downloaded from the following Web address:

http://www.rpmfind.net/linux/RPM/contrib/libc6/i386/cxterm-5.1p1-2.i386.html

Configuration Change Needed on Some Internationalized Versions of Red Hat Linux 7.1

If you plan to install Tivoli Access Manager for Operating Systems on a Red Hat Linux 7.1 system running in one of the following locales, you must change a configuration file before installing.

• Japanese (eucjp) (ja_JP.eucjp)
• Traditional Chinese (zh_TW)

Edit the /etc/ld.so.conf file and add the following line:

/usr/lib/gconv

This change corrects a problem caused by the implementation of the iconv character set conversion interface.
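The Linux notes above impose two pre-install requirements that are easy to get wrong: the locale name must match exactly (ja_JP.eucjp works, ja_JP.eucJP does not, SJIS is unsupported) and /etc/ld.so.conf must contain the /usr/lib/gconv line before installation. The following is an added example, not code from the IBM release notes, that checks both. The locale names, the file path and the gconv line come from the notes; the sample ld.so.conf content is constructed, and the check writes only to a temporary copy so it can be run and re-run safely.

```shell
#!/bin/sh
# Added example (not from the IBM release notes): pre-install check for the
# Red Hat Linux 7.1 locale requirements listed in the notes. Sample
# ld.so.conf content is constructed; nothing on the live system is modified.

# The notes list exactly two supported locale names. The match is exact and
# case-sensitive on purpose: ja_JP.eucJP (capital JP) does not work, and
# Japanese SJIS is not supported at all.
supported_locale() {
    case "$1" in
        ja_JP.eucjp|zh_TW) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Append a line to a config file only when an identical line is not already
# present, so repeated runs never duplicate the entry. Prints ADDED or PRESENT.
# -x matches whole lines and -F treats the pattern literally (no regex).
ensure_line() {
    file=$1
    line=$2
    if grep -qxF -- "$line" "$file" 2>/dev/null; then
        echo PRESENT
    else
        printf '%s\n' "$line" >> "$file"
        echo ADDED
    fi
}

# Check a proposed LANG value and make sure the gconv path is in the given
# ld.so.conf. Returns 0 when ready to install, 1 for an unsupported locale.
# After editing the real /etc/ld.so.conf, the loader cache must be rebuilt
# with ldconfig (general Linux practice, not something the notes spell out).
redhat71_preinstall() {
    lang_value=$1
    ldsoconf=$2
    if ! supported_locale "$lang_value"; then
        echo "unsupported locale: $lang_value (use ja_JP.eucjp or zh_TW)" >&2
        return 1
    fi
    ensure_line "$ldsoconf" /usr/lib/gconv >/dev/null
    return 0
}

# --- constructed sample ld.so.conf, standing in for /etc/ld.so.conf ---
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT
printf '/usr/X11R6/lib\n/usr/lib/qt-2.3.0/lib\n' > "$tmp"

redhat71_preinstall ja_JP.eucjp "$tmp" && echo "ja_JP.eucjp: ready, gconv line present"
redhat71_preinstall ja_JP.eucJP "$tmp" || echo "ja_JP.eucJP: rejected (wrong case)"
redhat71_preinstall ja_JP.SJIS  "$tmp" || echo "ja_JP.SJIS: rejected (unsupported)"
```

To use it against the real file, run redhat71_preinstall with the intended LANG value and /etc/ld.so.conf as root, then run ldconfig before starting the Tivoli Access Manager for Operating Systems installation.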

Notes Regarding Solaris Systems

The following notes apply to Solaris systems only.

Setting the Locale for CDE Login on Solaris 2.8

There is a known problem when using CDE login on a Solaris 2.8 system where the LC_MESSAGES variable is not set to the specified language chosen from the options button.

After a desktop login on a Solaris 2.8 system, if you do not see messages in the expected language, the locale-specific environment variables might not be set correctly. This is a known problem on Solaris 2.8 and is addressed by Solaris patch 109778. The workaround for this problem is to explicitly set the locale-specific environment variables to the correct values. For example, if you are using Brazilian Portuguese, set the following variables to the pt_BR locale:

LANG=pt_BR
LC_ALL=pt_BR

To Properly Display Window Panels on Traditional Chinese and Japanese TMR Servers

To set the locale for correct panel display on Traditional Chinese and Japanese TMR servers through the Tivoli Desktop, use the following command:

wsetlang -o -l locale

For example, to set the panel display for Japanese, run:

wsetlang -o -l ja


Characters Do Not Display Properly in Portuguese Brazilian Environment

During installation of the Tivoli Access Manager for Operating Systems, Version 4.1, Language Pack on a machine running the Portuguese Brazilian environment, some characters may not display properly. Once the product is installed, messages are properly displayed in the Portuguese Brazilian code page.


Chapter 6. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

If you are viewing this information in softcopy form, the photographs and color illustrations might not appear.

Trademarks

The following terms are trademarks of International Business Machines Corporation in the United States, other countries, or both:

AIX
DB2
IBM
IBM logo
OS/390
SecureWay
Tivoli
Tivoli logo
zSeries

Lotus is a trademark of International Business Machines Corporation and Lotus Development Corporation in the United States, other countries, or both.


Microsoft and Windows NT are registered trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.

Printed in U.S.A.

GI11-0951-00