Tivoli® Security Compliance Manager
5.1.0-TIV-SCM-IF0001 Release Notes
Version 5.1 — 5.1.0-TIV-SCM-IF0001 — November 7, 2004
���
Tivoli® Security Compliance Manager
5.1.0-TIV-SCM-IF0001 Release Notes
Version 5.1 — 5.1.0-TIV-SCM-IF0001 — November 7, 2004
���
Note
Before using this information and the product it supports, read the information in “Notices,” on page 23.
First Edition (November 2004)
This edition applies to interim fix 5.1.0-TIV-SCM-IF0001 of version 5, release 1, modification 0 of IBM Tivoli Security
Compliance Manager (product number 5724-F82) and to all subsequent releases and modifications until otherwise
indicated in new editions.
© Copyright International Business Machines Corporation 2004. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Chapter 1. 5.1.0-TIV-SCM-IF0001 overview . . . . . . . . . . . . . . . . . . . . . 1
Chapter 2. Administration console changes . . . . . . . . . . . . . . . . . . . . 3
Client types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Chapter 3. Command changes . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Handling of special characters in options . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Environment variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
scmcreatesnapshot command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
scmregisterclient command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
scmrunpolicycollectors command . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
scmsuspendclient command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
scmunregisterclient command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Chapter 4. Documentation updates . . . . . . . . . . . . . . . . . . . . . . . 15
Supported operating systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Uninstalling components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Obtaining IBM HTTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Updating clients from server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
win.any.NavV1.jar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
win.any.SnmpActiveV1.jar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Chapter 5. Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Appendix. Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
© Copyright IBM Corp. 2004 iii
Chapter 1. 5.1.0-TIV-SCM-IF0001 overview
Interim fix 5.1.0-TIV-SCM-IF0001 for IBM® Tivoli® Security Compliance Manager
Version 5.1 provides several enhancements.
Enhancements have been made to the administration console to permit operations
to be performed on multiple collectors at a time, and to provide the ability to run
all the collectors associated with a policy on a client or client group. A snapshot
can be created for a single client or client group as well.
The data collection activity on a client or client group can be suspended using the
new scmsuspendclient command. Clients that are suspended are shown in the
administration console with different icons. Use the scmsuspendclient command to
resume data collection.
A new environment variable, SCMRMI_TIMEOUT, is provided to adjust the
amount of time that administration commands wait for a response from the server.
Additional information has been added describing the handling of special
characters, such as an ampersand (&) or forward slash (/) in command options.
© Copyright IBM Corp. 2004 1
Chapter 2. Administration console changes
A number of enhancements have been made to the administration console.
Client page changes
v Multiple collectors can now be selected and have operations performed on them.
v The Actions → Check client connection option can now be used on clients that
are shown as inactive. The connection checking has been enhanced to verify not
only that the server can contact the client, but also that the client can contact the
server.
v After one or more collectors are run using the Run collector option, the data
collected is immediately sent to the server and stored in the database. You no
longer need to wait for the next client/server heartbeat or use the Actions → Soft
reset request option to view the latest collected data.
v The icon for a client changes if data collection on the client has been suspended.
The icon returns to normal when data collection is resumed.
v Two new options have been added to the Policies drop-down menu. After
selecting a client or client group in the left pane, right-click on a policy. The new
Run policy collectors option causes all the collectors associated with the policy
to be run on the selected client or client group. The data collected is immediately
sent to the server and stored in the database. Similarly, the new Create Snapshot
option creates a policy snapshot for the selected client or client group.
Previously, snapshot creation could be done only from the Policies page, and
only for a client group, not a specific client.
Users/Roles page changes
The following menu options have been changed to use consistent terminology:
v Manage actions is now Manage permissions
v Manage objects is now Manage resources
Client types
Clients are of one of three types. The icon preceding the alias of the client indicates
the type of the client. When the data collection on a client is suspended, the icon
changes. The client types and their associated icons are described in Table 1.
Table 1. Client types
Client type Icon
Icon when
suspended
Description
push client
A client that permits communication with the
server to be initiated by either the client or the
server.
pull client
A client that permits communication with the
server to be initiated by only the server.
© Copyright IBM Corp. 2004 3
Table 1. Client types (continued)
Client type Icon
Icon when
suspended
Description
DHCP push
client
A client that has a dynamic IP address that
permits communication with the server to be
initiated by either the client or the server.
Use this option for systems using DHCP, or for
systems that frequently change their host name
or IP address.
4 IBM Tivoli Security Compliance Manager: 5.1.0-TIV-SCM-IF0001 Release Notes
Chapter 3. Command changes
Changes have been made to existing commands and new commands have been
added.
Timeout value increased and customizable
The amount of time that the administration console and the administration
commands wait for a response from the server has increased from 5 minutes to 30
minutes. A new environment variable, SCMRMI_TIMEOUT, is provided to
customize the value.
Changed commands
The scmcreatesnapshot command now permits you to create a snapshot for a
specific client. A new option is provided to control whether the results of a
snapshot are stored in the database.
The scmregisterclient command has a new -pull option that permits pull clients to
be registered. A new -clientport option also has been added.
New commands
The scmrunpolicycollectors command is provided to run all the collectors
associated with a policy on a specific client or client group.
The scmsuspendclient command is provided to suspend the data collection activity
on a client or client group. This command is subsequently used to resume a client
or client group that has had data collection suspended.
Handling of special characters in options
Enclose option values containing spaces in quotation marks. Some command shells
perform special processing when certain characters, such as an ampersand (&) or a
forward slash (/) are encountered in the command stream. Enclose options
containing special characters in quotation marks to ensure that they are processed
as expected by the command.
Note: On Windows® systems, the quotation mark character must be preceded by a
backslash character (\).
For example, to add a group called Windows 2000 using the scmaddgroup
command:
UNIX® and Linux™
./scmaddgroup -u admin -s myserver.mycomp.com -group "Windows 2000"
Windows
scmaddgroup -u admin -s myserver.mycomp.com -group \"Windows 2000\"
Option values that are the same as command options must be enclosed in
quotation marks. For example, to create a group called -group:
scmaddgroup -u admin -pw mypw -s a4serv.mycomp.com -group \"-group\"
© Copyright IBM Corp. 2004 5
Environment variables
Environment variables can be used to provide default values for options on the
administration commands.
Use the following environment variables to provide default values for some
options on the administration commands:
SCMCLI_USER
The user ID to use to authenticate with the server. Used if the –user option
is not specified on the command.
SCMCLI_PASSWORD
The password corresponding to the specified user ID. Used if the
–password option is not specified on the command. If neither the
–password option is specified or the SCMCLI_PASSWORD environment
variable is set, the user is prompted to enter the password.
SCMCLI_SERVER
The host name of the server. Used if the –server option is not specified on
the command.
SCMCLI_PORT
The port number to use to communicate to the server. Used if the –port
option is not specified on the command. If neither the –port option is
specified nor the SCMCLI_PORT environment variable is set, 1955 is used
as the port number.
SCMRMI_TIMEOUT
The amount of time to wait, in seconds, for a response from the server. If
not specified, the default value is 1800 seconds (30 minutes).
Note: On Windows systems, setting this variable as a system environment
variable also changes the amount of time that the administration
console on that system waits for a response from the server.
Options specified on the command override the setting of the corresponding
environment variable. The environment variables are used only if set.
scmcreatesnapshot command
Creates a policy snapshot and, optionally, writes the result of the snapshot to a file.
Syntax
scmcreatesnapshot {-user|-u} user_ID [{-password|-pw} password]
{-server|-s} server_name [{-port|-p} port]
{-policy|-pol} policy_name
[ [{-group|-g} group_name] |
[ {-clientid|-c} client_ID] ]
[{-file|-f} policy_snapshot_file_name]
[-nosave] [-?]
Options
–user | –u user_ID
The user ID to use to authenticate with the server.
Required option unless the SCMCLI_USER environment variable is set.
6 IBM Tivoli Security Compliance Manager: 5.1.0-TIV-SCM-IF0001 Release Notes
–password | –pw password
The password corresponding to the specified user ID. If no password is
specified and the SCMCLI_PASSWORD environment variable is not set,
you are prompted for the password.
–server | –s server_name
The host name of the server that is the target of the command.
Required option unless the SCMCLI_SERVER environment variable is set.
–port | –p port
The port number to use to communicate with the server. If this option is
not specified and the SCMCLI_PORT environment variable is not set, 1955
is used.
–policy | –pol policy_name
The name of the policy to use to create the snapshot. This option is
required.
–group | –g group_name
Optional. The name of the client group that the policy snapshot should be
restricted to. Cannot be specified with the –clientid parameter.
–clientid | –c client_ID
Optional. The ID of the client that the policy snapshot should be restricted
to. Cannot be specified with the –group parameter.
–file | –f policy_snapshot_file_name
Optional. The name of the file where the policy snapshot is saved.
–nosave
Optional. If specified, the results of the snapshot are not saved in the
database.
Note: If this parameter is specified without the –file parameter, no
snapshot is taken.
–? The usage statement for the command.
Notes
The results of the snapshot are saved in the database by default. Use the –nosave
and –file parameters to write the results of the snapshot to a file but not save the
results in the database. If the –nosave parameter is specified without the –file
parameter, no snapshot is taken.
Attention: A snapshot is created regardless of whether any data has been
collected. Running a snapshot against a client group that does not have
the policy added does not generate an error, but does complete
indicating no violations.
Authorization
You must have a valid administrator user ID and password on the server and must
have the required authority to perform the task.
Examples
Create a snapshot of the policy and restrict the snapshot to the data collected by
clients in the AIXEast client group:
Chapter 3. Command changes 7
scmcreatesnapshot -u becky -pw qwerty4z -s s44srv.mycomp.com -p 1955
-policy AIX2004 -group AIXEast -file AIX2004_AIXEast_20040509_snapshot.html
Create a snapshot of the policy using all collected data:
scmcreatesnapshot -u rashid -pw q9y3y42b -s scmrules.mycomp.com
-policy Windows_2000
Create a snapshot of the policy on the client with an ID of 44. In addition, save the
results of the snapshot to a file and do not save the results in the database:
scmcreatesnapshot -u woj -pw big4fun -s itscm.mycomp.com
-p 1955 -policy Windows_XP -c 44 -f winxp.htm -nosave
Return values
The following values can be returned:
0 The command completed successfully.
-1 The command failed.
scmregisterclient command
Registers one or more clients with a server.
Syntax
scmregisterclient {-user|-u} user_ID [{-password|-pw} password]
{-server|-s} server_name [{-port|-p} port]
{-client|-c} client_name[{,|:}alias]
[ client_name[{,|:}alias] ]...
[{-clientport|-cp} client_port] [{-pull | -push}]
[-?]
Options
–user | –u user_ID
The user ID to use to authenticate with the server.
Required option unless the SCMCLI_USER environment variable is set.
–password | –pw password
The password corresponding to the specified user ID. If no password is
specified and the SCMCLI_PASSWORD environment variable is not set,
you are prompted for the password.
–server | –s server_name
The host name of the server that is the target of the command.
Required option unless the SCMCLI_SERVER environment variable is set.
–port | –p port
The port number to use to communicate with the server. If this option is
not specified and the SCMCLI_PORT environment variable is not set, 1955
is used.
–client | –c client_name [ {,|:}alias] [client_name{,|:}alias]...
The clients to be registered. The client_name is the host name or IP address
of the client to be registered and the alias is the optional client alias. If alias
is not specified, client_name is used.
8 IBM Tivoli Security Compliance Manager: 5.1.0-TIV-SCM-IF0001 Release Notes
–clientport | –cp client_port
The port number used by the client to communicate with the server. If this
option is not specified, 1950 is used.
–push Optional. Indicates that the clients are to be registered as push clients. If
neither this option nor the –pull option is specified, clients are registered
as push clients.
–pull Optional. Indicates that the clients are to be registered as pull clients. If
neither this option nor the –push option is specified, clients are registered
as push clients.
–? The usage statement for the command.
Authorization
You must have a valid administrator user ID and password on the server and must
have the required authority to perform the task.
Examples
v Register a push client to a server:
scmregisterclient -u a_user -pw password -s scmserver.myco.com -p 1955
-client amail422.dev.myco.com -push
v Register three push clients with aliases on a UNIX system:
scmregisterclient -u a_user -pw password -s scmserver.myco.com -p 1955
-client jclam.myco.com,Jaya pcoole.nyco.com,Jose rhuen.myco.com,Rachel
v Register two push clients (with aliases with spaces in them) on a Windows
system:
scmregisterclient -u a_user -pw password -s scmserver.myco.com -p 1955
-client \"zsmith.myco.com:Zachary Smith\" \"pdogh.myco.com:Pratish Dogh\"
v Register a pull client with an alias and using client port 2000:
scmregisterclient -u a_user -pw a_password -s server.myco.com -p 1955
–client theone.myco.com5:theOne –pull –clientport 2000
v Register two pull clients with aliases and using client port 2004:
scmregisterclient -u a_user -pw a_password -s server.myco.com -p 1955
–client test.myco.com:Tester nway.myco.com:NoWay –pull –cp 2004
Return values
The following values can be returned:
0 The command completed successfully.
-1 The command failed.
scmrunpolicycollectors command
Runs all the collectors in the specified policy on a specific client or client group.
Syntax
scmrunpolicycollectors {-user|-u} user_ID [{-password|-pw} password]
{-server|-s} server_name [{-port|-p} port]
{-policy|-pol} policy_name
{ {-clientid|-c} client_ID | {-group|-g} group_name }
[-wait] [-?]
Chapter 3. Command changes 9
Options
–user | –u user_ID
The user ID to use to authenticate with the server.
Required option unless the SCMCLI_USER environment variable is set.
–password | –pw password
The password corresponding to the specified user ID. If no password is
specified and the SCMCLI_PASSWORD environment variable is not set,
you are prompted for the password.
–server | –s server_name
The host name of the server that is the target of the command.
Required option unless the SCMCLI_SERVER environment variable is set.
–port | –p port
The port number to use to communicate with the server. If this option is
not specified and the SCMCLI_PORT environment variable is not set, 1955
is used.
–policy | –pol policy_name
The name of the policy containing the collectors that are to be run. This
option is required.
–clientid | –c client_ID
The numeric ID of the client where the collectors associated with the
specified policy are to be run. Either this option or the –group option is
required.
–group | –g group_name
The name of the client group where the collectors associated with the
specified policy are to be run. Either this option or the –clientid option is
required.
–wait Optional. If specified, the command does not return until the data
associated with running the collectors has been stored in the database.
–? The usage statement for the command.
Authorization
You must have a valid administrator user ID and password on the server and must
have the required authority to perform the task.
Notes
This command is used to run all the collectors associated with a policy on the
specified client. Before running this command, ensure that the client is a member
of the specified client group, and the policy is assigned to that client group. By
default, the command returns after scheduling the collectors to be run on the
specified client or client group. Use the –wait option to cause the command to wait
until the data has been collected and stored in the database tables.
After correcting compliance issues on a client, use this command, with the –wait
option, to collect updated security compliance data for the client. After the
command completes, a snapshot can be taken to verify whether or not all issues
have been resolved.
10 IBM Tivoli Security Compliance Manager: 5.1.0-TIV-SCM-IF0001 Release Notes
Examples
Run all the collectors defined in the HPUX04 policy on the client with an ID of 5
and do not return until the data collected has been stored in the database tables:
scmrunpolicycollectors -u admin -pw pd4qr3yt29s -s jcas.mycom.com
-p 1955 –policy HPUX04 -clientid 5 -wait
Run all the collectors defined in the WIN2003 policy on all the clients in the
Workstation client group:
scmrunpolicycollectors -u clyde -pw ba1942xz -s scm.mycomp.com
-p 1955 –policy WIN2003 -group Workstation
Return values
The following values can be returned:
0 The command completed successfully.
-1 The command failed.
scmsuspendclient command
Suspends or resumes data collection activity on a specific client or client group.
Syntax
scmsuspendclient {-user|-u} user_ID [{-password|-pw} password]
{-server|-s} server_name [{-port|-p} port]
{ {-clientid|-c} client_ID | {-group|-g} group_name }
[ [-suspend [-begin yyyy/mm/dd[:hh:mm]]
[ [-until yyyy/mm/dd[:hh:mm]] |
[-length duration_in_minutes] ] ]
| [-resume] ] [-?]
Options
–user | –u user_ID
The user ID to use to authenticate with the server.
Required option unless the SCMCLI_USER environment variable is set.
–password | –pw password
The password corresponding to the specified user ID. If no password is
specified and the SCMCLI_PASSWORD environment variable is not set,
you are prompted for the password.
–server | –s server_name
The host name of the server that is the target of the command.
Required option unless the SCMCLI_SERVER environment variable is set.
–port | –p port
The port number to use to communicate with the server. If this option is
not specified and the SCMCLI_PORT environment variable is not set, 1955
is used.
–clientid | –c client_ID
The numeric ID of the client that is to be suspended or resumed. Either
this option or the –group option is required.
Chapter 3. Command changes 11
–group | –g group_name
The name of the client group that is to be suspended or resumed. Either
this option or the –clientid option is required.
–suspend
Optional. Causes the data collection on the specified client or client group
to be suspended. The start and end times of the suspension are specified
using the –begin, –length, and –until options. Cannot be specified with the
–resume option.
–begin yyyy/mm/dd[:hh:mm]
Optional. Indicates the date, and optionally the time, when the data
collection on the affected clients is to be suspended. If time is omitted, then
midnight (00:00) is assumed. If this option is not specified, data collection
is suspended immediately.
–until yyyy/mm/dd[:hh:mm]
Optional. Indicates the date, and optionally the time, when the data
collection on the affected clients is to resume. If time is omitted, then
midnight (00:00) is assumed. If neither this option nor the –length option is
specified, data collection is suspended until explicitly resumed using the
scmsuspendclient command with the –resume option.
–length duration_in_minutes
Optional. Indicates the length of time, in minutes, that the affected clients
are to be suspended. After the time elapses, the affected clients are
resumed.
–resume
Optional. If specified, resumes the data collection on the specified client or
client group. Cannot be specified with the –suspend option.
–? The usage statement for the command.
Authorization
You must have a valid administrator user ID and password on the server and must
have the required authority to perform the task.
Notes
If neither the –suspend or the –resume option is specified, the default action is to
suspend the specified client or client group.
Only one suspend and resume request can be scheduled at a time for a client. If a
client is currently active and is scheduled to be suspended, making another
suspend request replaces the one that is currently scheduled. After a client has
been suspended, other requests to suspend the client are rejected. Similarly, if a
client is currently suspended and is scheduled to be resumed, another resume
request replaces the one that is currently scheduled.
Examples
Suspend the data collection on a particular client immediately. The client remains
suspended until resumed.
scmsuspendclient -u admin -pw pd4qr3yt29s -s jcas.mycom.com
-p 1955 –clientid 55 -suspend
Resume the data collection on the specified client.
12 IBM Tivoli Security Compliance Manager: 5.1.0-TIV-SCM-IF0001 Release Notes
scmsuspendclient -u admin -pw pd4qr3yt29s -s jcas.mycom.com
-p 1955 –clientid 55 -resume
Suspend the data collection on a client starting on April 1, 2005 at midnight:
scmsuspendclient -u clyde -pw bonnie1 -s scm.mycomp.com
-clientid 41 -suspend -begin 2005/04/01
Suspend the data collection on all clients in client group WindowsXP for 30
minutes, starting immediately:
scmsuspendclient -u bonnie -pw clyde1 -s scm.mycomp.com
-group WindowsXP -suspend -length 30
Suspend the data collection on all clients in client group Accounts until 8:00 a.m.
on January 3, 2005:
scmsuspendclient -u bonnie -pw clyde1 -s scm.mycomp.com
-group Accounts -suspend -until 2005/01/03:08:00
Suspend the data collection on all clients in client group Tax2004 from 4:30 p.m.
until 6:30 p.m. on Friday, April 15, 2005:
scmsuspendclient -u bonnie -pw clyde1 -s scm.mycomp.com
-group Tax2004 -suspend -begin 2005/04/15:16:30 -length 120
Return values
The following values can be returned:
0 The command completed successfully.
-1 The command failed.
scmunregisterclient command
Unregisters one or more clients from a server.
Syntax
scmunregisterclient {-user|-u} user_ID [{-password|-pw} password]
{-server|-s} server_name [{-port|-p} port]
{-clientid|-c} client_ID [client_ID]... [-?]
Options
–user | –u user_ID
The user ID to use to authenticate with the server.
Required option unless the SCMCLI_USER environment variable is set.
–password | –pw password
The password corresponding to the specified user ID. If no password is
specified and the SCMCLI_PASSWORD environment variable is not set,
you are prompted for the password.
–server | –s server_name
The host name of the server that is the target of the command.
Required option unless the SCMCLI_SERVER environment variable is set.
Chapter 3. Command changes 13
–port | –p port
The port number to use to communicate with the server. If this option is
not specified and the SCMCLI_PORT environment variable is not set, 1955
is used.
–clientid | –c client_ID [client_ID... ]
The numeric IDs of the clients to be unregistered.
–? The usage statement for the command.
Authorization
You must have a valid administrator user ID and password on the server and must
have the required authority to perform the task.
Examples
Remove a client from a server:
scmunregisterclient -u a_user -pw password -s jacserver.mycomp.com -p 1955
-clientid 425
Return values
The following values can be returned:
0 The command completed successfully.
-1 The command failed.
14 IBM Tivoli Security Compliance Manager: 5.1.0-TIV-SCM-IF0001 Release Notes
Chapter 4. Documentation updates
Several problems in the documentation have been corrected.
Supported operating systems
The list of supported operating systems in IBM Tivoli Security Compliance Manager
Installation Guide has been updated to reflect that no specific patch or maintenance
level is required.
The following tables list the supported operating systems for the Tivoli Security
Compliance Manager server, client, collectors, and administration utilities. No
specific patch or maintenance level is required for any operating system. However,
keeping installed systems at the most current patch or maintenance level helps to
ensure that known security vulnerabilities in the operating system are corrected.
Table 2. Server
Operating system Level
IBM AIX® 5.1
IBM AIX 5.2
IBM AIX 5.3
Microsoft® Windows 2000 Server
Sun Solaris Operating Environment 2.8
Sun Solaris Operating Environment 2.9
SUSE Linux Enterprise Server 8
Table 3. Clients, collectors, and proxy relay
Operating system Level
IBM AIX 5.1
IBM AIX 5.2
IBM AIX 5.3
HP-UX 11.0
HP-UX 11i
Red Hat Linux for Intel™ IA32 and xSeries® 6.2
Red Hat Linux for Intel IA32 and xSeries 7.0
Red Hat Linux for Intel IA32 and xSeries 7.1
Red Hat Linux for Intel IA32 and xSeries 7.2
Red Hat Linux for Intel IA32 and xSeries 7.3
Red Hat Linux for Intel IA32 and xSeries 8.0
Red Hat Linux for Intel IA32 and xSeries 9.0
Sun Solaris Operating Environment 2.6
Sun Solaris Operating Environment 2.7
Sun Solaris Operating Environment 2.8
Sun Solaris Operating Environment 2.9
© Copyright IBM Corp. 2004 15
Table 3. Clients, collectors, and proxy relay (continued)
Operating system Level
Microsoft Windows NT® 4.0 Server
Microsoft Windows NT 4.0 Workstation
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional
Microsoft Windows XP Professional
Microsoft Windows 2003 Server Standard Edition and
Enterprise Edition
Red Hat Enterprise Linux for Intel IA32 and xSeries 2.1
Red Hat Enterprise Linux Advanced Server for Intel IA32
and xSeries
3.0 (see note below)
Red Hat Enterprise Linux for zSeries® 3.0
Red Hat Enterprise Linux for iSeries™ or pSeries® 3.0
Red Hat Enterprise Linux for zSeries 7.2
Red Hat Enterprise Linux Advanced Server 2.1
SUSE LINUX 7.0
SUSE LINUX Enterprise Server 8
SUSE LINUX Enterprise Server for zSeries 8
SUSE LINUX Enterprise Server for iSeries or pSeries 8
Note: The Red Hat Enterprise Linux Advanced Server 3.0 platform can only be
installed using the console mode on Japanese language systems.
Table 4. Administration console
Operating system Level
Microsoft Windows 2000 Professional
Microsoft Windows XP Professional
Table 5. Administration command line interface
Operating system Level
IBM AIX 5.1
IBM AIX 5.2
IBM AIX 5.3
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows XP Professional
Sun Solaris Operating Environment 2.8
Sun Solaris Operating Environment 2.9
HP-UX 11
HP-UX 11i
16 IBM Tivoli Security Compliance Manager: 5.1.0-TIV-SCM-IF0001 Release Notes
Table 5. Administration command line interface (continued)
Operating system Level
SUSE LINUX Enterprise Server 8
Red Hat Linux for Intel IA32 and xSeries 9
Red Hat Enterprise Linux Advanced Server for Intel IA32 and
xSeries
3.0
Red Hat Enterprise Linux for iSeries or pSeries 3.0
SUSE LINUX Enterprise Server for iSeries or pSeries 8
Uninstalling components
Additional information on uninstalling IBM Tivoli Security Compliance Manager
components on Microsoft Windows systems is provided.
On Microsoft Windows systems, do not use the Add/Remove Programs option
from the Control Panel to uninstall components of Tivoli Security Compliance
Manager. That option does not completely remove the product from the system,
and might leave one or more components listed as Windows services. Instead, use
the procedure described in the section entitled ″Uninstalling Tivoli Security
Compliance Manager″ in the IBM Tivoli Security Compliance Manager Installation
Guide.
Obtaining IBM HTTP Server
Information on obtaining IBM HTTP Server for use with the IBM Tivoli Security
Compliance Manager Operational Reports.
In the ″Operational Reports″ section of the IBM Tivoli Security Compliance Manager
Release Notes, the procedure mentions that the IBM HTTP Server Version 1.x is
required but that it is not provided. To obtain IBM HTTP Server Version 1.x, go to:
http://www14.software.ibm.com/webapp/download/preconfig.jsp?id=2
Updating clients from server
An additional step might be needed before updating clients automatically from a
server running on a UNIX or Linux system.
The client software running on client systems can be updated automatically from
the server using the Server page of the administration console. On UNIX and
Linux systems, if a client update JAR file is already in use, you must ensure that
the permissions on the file permit the server to replace the file. If the file
ownership or permissions are not set correctly, an error might occur when you
attempt to replace the JAR file from the administration console.
This problem usually occurs after installing an interim fix or patch, where the JAR
file might have been installed by the root user with file permissions of 755. To
correct the problem, change the owner of the file to be the scmsrver user ID in the
scmsrver group. Alternately, the permissions on the JAR file can be set to 777, but
this permits any user to change the file. After correcting the problem, click Update
client code again to replace the file.
Chapter 4. Documentation updates 17
win.any.NavV1.jar
Collects information about Norton and Symantec AntiVirus Corporate Edition
software running on Windows systems. This information replaces the description
in the IBM Tivoli Security Compliance Manager Collector and Message Reference.
Tables
WIN_NAV_V1
Table 6. Column information for WIN_NAV_V1
Column Name Description Type (size)
NAV_CLIENT_VERSION The version of the Norton AntiVirus client. VARCHAR (50)
LIVE_UPDATE_TIME The time when virus definition Live Update occurs in
hh:mm format. If no Live Update is scheduled or if the
information is not available, null is returned.
VARCHAR (5)
LIVE_UPDATE_DAY_OF_WEEK The day of the week when the virus definitions are
updated, in the range 0 to 6, where 0 represents
Sunday. If no live update is scheduled or if the
information is not available, null is returned.
INTEGER
LIVE_UPDATE_DATE_OF_MONTH The day of the month when the Live Update is
performed. If no live update is scheduled or if the
information is not available, null is returned.
INTEGER
LAST_VIRUS_DEFN_UPDATE The time and date of the virus definition file. If the
information is not available, null is returned.
TIMESTAMP
LAST_SCAN_DATE The time and date of the last virus scan. If the
information is not available, null is returned.
TIMESTAMP
Parameters
None.
Notes
The values returned for each column are obtained from Windows registry keys.
Unless otherwise noted, the specified keys are used for all versions of the Norton
AntiVirus software.
Field Registry Keys
NAV_CLIENT_VERSION
InstallDir value of
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Norton AntiVirus
NT\Install and from
KEY_LOCAL_MACHINE\SOFTWARE\INTEL\DLLUsage\VP6
LIVE_UPDATE_TIME, LIVE_UPDATE_DAY_OF_WEEK,
LIVE_UPDATE_DATE_OF_MONTH
Type value of HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\
LANDesk\VirusProtect6\CurrentVersion\PatternManager\Schedule
LAST_VIRUS_DEFN_UPDATE
Version 5.x
SystemTime value of
18 IBM Tivoli Security Compliance Manager: 5.1.0-TIV-SCM-IF0001 Release Notes
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Norton
Antivirus\Virus Defs\LastUpdate
All other versions
PatternFileDate value of
HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\
LANDesk\VirusProtect6\CurrentVersion
LAST_SCAN_DATE
Version 5.x
SystemTime value of
HKEY_LOCAL_MACHINE\Software\Symantec\Norton
Antivirus\LastScan
All other versions
TimeOfLastScan value of
HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\
LANDesk\VirusProtect6\CurrentVersion
The weekly update information is not available on Microsoft Windows NT 4.0
systems. This collector returns null in the LAST_VIRUS_DEFN_UPDATE and
LAST_SCAN_DATE fields either when the registry key does not exist or the value
for the field does not exist in the registry key.
The collector can obtain information from supported versions of Norton AntiVirus
Corporate Edition software up to Version 7.x, and Version 8.x of the Symantec
AntiVirus Corporation Edition software.
Error messages
v HCVHC0000E
v HCVHC0012E
v HCVHC0013E
v HCVHC0016E
v HCVHC0017E
v HCVHC0025E
v HCVWA0100W
v HCVWA0101W
v HCVWA0102W
v HCVWU0003E
v HCVWU0004E
v HCVWU0005E
v HCVWU0006E
v HCVWU0007E
v HCVWU0008E
v HCVWU0009E
win.any.SnmpActiveV1.jar
Returns indication of the existence of public and private SNMP Registry subkeys.
This information replaces the description in the IBM Tivoli Security Compliance
Manager Collector and Message Reference.
Chapter 4. Documentation updates 19
Tables
WIN_SNMP_V1
Table 7. Column information for WIN_SNMP_V1
Column Name Description Type (size)
PUBLIC_EXIST A Boolean flag indicating that the SNMP Public key
exists.
SMALLINT
PRIVATE_EXIST A Boolean flag indicating that the SNMP Private key
exists.
SMALLINT
Parameters
None.
Notes
The collector examines the
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SNMP\\
Parameters\\ValidCommunities registry key to obtain Simple Network
Management Protocol (SNMP) community information. If the registry key does not
exist, no SNMP communities exist and an empty row of headers is returned. If the
registry key exists, the fields are set based on the type of communities defined.
Error messages
v HCVHC0000E
v HCVWA0170W
20 IBM Tivoli Security Compliance Manager: 5.1.0-TIV-SCM-IF0001 Release Notes
Chapter 5. Troubleshooting
Additional information on diagnosing problems with IBM Tivoli Security
Compliance Manager.
Server and client connectivity
Connectivity between the server and a client can be tested from the Clients page of
the administration console. To verify that the server can communicate with the
client and that the client can communicate with the server, select the client and
then click Actions → Check client connection. This option is available for any
client registered on the server. The response from this operation can be used to
help diagnose connectivity problems. See Table 8 for possible responses and
suggested actions.
Table 8. Check client connection responses
Response from operation Meaning and corrective actions
Client id nnn response indicates it is suspended. The client has been suspended using the
scmsuspendclient command. Retry the operation after
the client has been resumed.
Client id nnn response indicates it cannot connect
to the server.
The server was able to contact the client, but the client
cannot communicate with the server. Verify that the port
and server names in the client.pref file are correct. Verify
that network connectivity exists between the client and
the server, and that any firewalls between the client and
server are properly configured to permit network
communication on the specified ports.
Client id nnn response indicates it cannot connect
to the server. The client encountered the following
error when attempting to connect to the server:
exception-message
The server was able to communicate with the client, but
an exception occurred when the client attempted to
communicate with the server. Review the error and trace
logs on the client and the server to determine the cause
of the exception and correct the problem.
AccountingServer (ID=nnn) -
com.ibm.jac.JACException: Error connecting to
client: Connection refused: connect
The server was able to communicate with the client
system, but the client is not running. Start the client and
try the operation again.
AccountingServer (ID=nnn) -
com.ibm.jac.JACException: Error connecting to
client: Operation timed out: connect
The server was unable to communicate with the client
system. Verify that the correct host name and IP address
are specified for the client. Verify that the client type and
port number are correct on the server. Verify that the
server name and port number in the client.pref file on
the client are correct. Verify that any firewalls between
the server and the client are properly configured to
permit network communication on the specified ports.
© Copyright IBM Corp. 2004 21
Appendix. Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user’s responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
500 Columbus Avenue
Thornwood, NY 10594
U.S.A
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
© Copyright IBM Corp. 2004 23
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
USA
Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Customers are responsible for ensuring their own compliance with various laws
such as the Graham-Leach-Bliley Act, the Sarbanes-Oxley Act, and the Health
Insurance Portability and Accountability Act. It is the customer’s sole responsibility
to obtain advice of competent legal counsel as to the identification and
interpretation of any relevant laws that may affect the customer’s business and any
actions the customer may need to take to comply with such laws. IBM does not
provide legal, accounting or auditing advice, or represent or warrant that its
products or services will ensure that customer is in compliance with any law.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurement may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
All statements regarding IBM’s future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
If you are viewing this information softcopy, the photographs and color
illustrations may not appear.
24 IBM Tivoli Security Compliance Manager: 5.1.0-TIV-SCM-IF0001 Release Notes
Trademarks
The following terms are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both:
AIX
DB2
DB2 Universal Database
IBM
IBM logo
iSeries
pSeries
Tivoli
Tivoli logo
xSeries
zSeries
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation
in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Sun Microsystems, Inc. in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or
both.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Other company, product, and service names may be trademarks or service marks
of others.
Appendix. Notices 25
Top Related