Documente Academic
Documente Profesional
Documente Cultură
Table of Contents
Preface.........................................................................................................................................................7
Introduction and Common Criteria Orientation and Roadmap....................................................................7
What is Common Criteria?.......................................................................................................................7
What this guide describes........................................................................................................................8
Network Device Protection Profile...........................................................................................................8
Specifications and References for the CC-Evaluated System........................................................................9
About the evaluated version of IBM BigFix Endpoint Manager...............................................................9
How to obtain the CC-evaluated product..............................................................................................10
Component specifications for the CC-evaluated system........................................................................11
IBM BigFix Endpoint Manager technical documentation library...........................................................11
Evaluated and non-evaluated security functionality..............................................................................12
Evaluated security functionality.........................................................................................................12
Protected Communications........................................................................................................12
Verifiable Updates......................................................................................................................12
Audit of activities........................................................................................................................12
Display Banner............................................................................................................................12
Administration ...........................................................................................................................13
Access Control ...........................................................................................................................13
Clearing of Residual Information ...............................................................................................13
Session Lock ...............................................................................................................................13
Self-Tests.....................................................................................................................................13
Security functionality not evaluated...........................................................................................13
Description of the Target of Evaluation (TOE)........................................................................................14
TOE Hardware....................................................................................................................................14
TOE Software.....................................................................................................................................14
Installation and Environmental Configuration...........................................................................................15
Network description and assumptions..................................................................................................16
Installing rhel2 (DB2 /Audit Server Machine).........................................................................................16
RAID Controller Configuration...........................................................................................................16
Create RAID 0 virtual drive.................................................................................................................16
Initialize the Virtual Drive..................................................................................................................17
Restore the RHEL Image.....................................................................................................................17
Logging into rhel2..............................................................................................................................18
Configuring DB2 on rhel2...................................................................................................................18
Installing and configuring DB2....................................................................................................19
Configuring stunnel for secure networking between rhel1 and rhel2........................................20
Configuring stunnel server on rhel2...........................................................................................20
Install rhel1 (IBM BigFix Server and Client - TOE)..............................................................................21
RAID Controller Configuration...........................................................................................................21
2
Preface
This guidance document is broken down into 4 high level areas. The information contained in each is as
follows:
(I) Introduction and Common Criteria (CC) Orientation and Roadmap General introduction and
explanation of Common Criteria and the Protection Profile.
(II) Specifications And References for the IBM BigFix CC-Evaluated System Describes the TOE and
evaluated components as well as how to obtain the CC-Evaluated product
(III) Installation and Environmental Configuration Initial install procedure for the TOE and supporting
components.
(IV) Enhanced Security Configuration and References Outlines all required steps taken after install that
are necessary for bringing the TOE into compliance. Describes enhanced security features and how to
use them.
A product that passes a Common Criteria evaluation receives officially recognized certification. Common
Criteria certification is widely recognized among IT professionals, government agencies, and customers
as a seal-of-approval for mission-critical software. Common Criteria evaluation can take place in any
certificate issuing member country. The Common Criteria Mutual Recognition Arrangement (CCMRA)
ensures that certified products are accepted globally. New members are regularly and frequently added
to the list of countries. You can find the information about Common Criteria at the following Web site:
http://www.commoncriteriaportal.org
include routers, firewalls, IDSs, audit servers, and switches that have Layer 3 functionality. Examples of
devices that connect to a network but are not suitable for evaluation against this PP include mobile
devices ("smart phones"), end-user workstations, SQL servers, web servers, application servers, and
database servers.
Compliant TOEs will provide security functionality that addresses threats to the TOE and implements
policies that are imposed by law or regulation. Compliant TOEs must protect communications to and
between elements of a distributed TOE (e.g., between a network IDS sensor and the centralized IDS
manager) or instantiations of the TOE in a single enterprise (e.g., between routers). The TOE must offer
identification and authentication services that support the composition of moderate complex passwords
or passphrases, and make these services available locally (that is, a local logon) as well as remotely
(remote login). The TOE must also offer auditing of a set of events that are associated with securityrelevant activity on the TOE, although these events will be stored on a device that is distinct from the
TOE. The TOE must offer some protection for common network denial of service attacks and must also
provide the ability to verify the source of updates to the TOE.
While the protocols required by this PP make use of certificates, this version of the PP does not levy
requirements on the certificate infrastructure (for example, using OCSP to verify a certificate's validity).
Such requirements will be included in future versions of this document.
It is intended that the set of requirements in this PP is limited in scope in order to promote quicker, less
costly evaluations that provide some value to end users. STs that include a large amount of additional
functionality (and requirements) are discouraged. Future modules will be used to specify sets of
additional functionality (e.g., Firewalls, VPNs), which can then be used by ST writers looking to specify
additional functionality.
configuration described in this guide. Any deviation from this configuration may result in a nonevaluated system, but does not necessarily mean that the security of the system is reduced.
The TOE and supporting environment comprises 3 ISO images to be installed according to the steps
contained in this guide. Once installed and configured these will provide the complete platform
necessary to operate the IBM BigFix BigFix Endpoint Manager in compliance with this evaluation. In
this guide we will refer to that set of ISO images as The CC-Evaluated Product.
Software Acceptance:
The CC Evaluated DVD set will include a printed serial number/hash key code on each DVD.
After you receive the DVDs you will contact the sending representative and the matching hash code will
be separately provided to you by via email in a password protected file. You will then verify that the
codes on your DVD packages matches that which was sent.
Hardware:
The customer can purchase the hardware components matching those used in the TOE evaluation that
host the software components from IBM/Lenovo. Please see the specifications in section TOE Hardware
below. Please contact your IBM U.S. Federal Sales Representative to acquire matching hardware.
IBM uses a known courier to ship the boxes containing the TOE hardware to ensure their integrity during
shipping. This courier supports the ability to track the packages against a tracking number. Upon receipt
of the packages, please check that the boxes are factory sealed and have not been opened and check the
contents against the packing slip.
Please note that shipments are sent requiring signature for delivery to ensure they are not handed off in
an insecure fashion.
Please also check the serial numbers on each machine with those on record with your Sales
Representative to ensure they match.
If the serial numbers do not match or is any box appears to have been tampered with please contact
your sales representative immediately and do not proceed with the install.
revised for version 9.2. Any deviation from these manuals for Common Criteria certification will be
specified in this Common Criteria Guide: http://www01.ibm.com/support/knowledgecenter/SS63NW_9.2.0/com.ibm.tem.life.doc_9.2/platform.html
Protected Communications
Verifiable Updates
Audit of activities
Display Banner
Administration
Access Control
Clearing of Residual Information
Session Lock
Self Test
Protected Communications
The IBM BigFix Endpoint Manager provides uses encryption and digital signatures to guarantee the
communications between all components.
Verifiable Updates
The IBM BigFix Endpoint Manager provides the capability to ensure that any updates to the TOE can be
verified by the administrator to be unaltered and from a trusted source.
Audit of activities
The IBM BigFix Endpoint Manager is capable of auditing internal events (such as the modification of
policies or the creation of new users) by generating audit information for all transactions and storing this
information remotely in the system log. The local logs are created in the cache during normal operation
and rsyslogs is used to store them remotely. The local logs are equivalent to the local 1GB cache.
Display Banner
12
The IBM BigFix Endpoint Manager displays a warning banner advisory on its console which is viewed
prior to logging in.
Administration
IBM BigFix Endpoint Manager identifies users (including administrators) by user name and authenticates
them by password. IBM BigFix Endpoint Manager users are persons having an account on the IBM BigFix
Endpoint Manager system. Users can be organized by membership in BigFix Admin groups. Only hashes
of the passwords are stored in the IBM BigFix Endpoint Manager system. Password policies can be
applied to enforce requirements on the quality of the password that a user chooses. Lockout
mechanisms prevent password guessing attacks.
Access Control
IBM BigFix Endpoint Manager performs authorization for user actions, commonly referred to as
requests, based on access control . Functionality and data in an IBM BigFix deployment can be restricted
to certain users or groups . Users and user groups can be granted administrator privileges over specific
data or functionality.
Creation of users
Session Lock
The IBM BigFix Endpoint Manager provides mechanisms that mitigate the risk of unattended sessions
being hijacked via timeouts for locking and subsequently terminating idle sessions.
Self-Tests
The IBM BigFix Endpoint Manager provides the capability to test some subset of its security
functionality to ensure it is operating properly.
Client authentication
Use of the BESAdmin tool to change client authentication settings
Key rotation
PHYSICAL Physical security, commensurate with the value of the TOE and the data it contains,
is assumed to be provided by the environment.
TRUSTED_ADMIN TOE Administrators are trusted to follow and apply all administrator
guidance in a trusted manner.
TOE Hardware
TOE Software
TOE Hardware
The physical TOE hardware consists of
TOE Software
The TOE software consists of
Standard Red Hat Linux Version 6.6
IBM BigFix Endpoint Manager 9.2 Server
14
1 RHEL RPM containing necessary security patches ( RHEL OpenSSL RPM (openssl-1.0.1e42.el6_7.2.x86_64.rpm)
As previously mentioned, the CC-Evaluated product is contained in three ISO images corresponding to
the above three components. The installation process involves copying those software (ISO) images to
the appropriate hardware components using Clonezilla.
Clonezilla is a system imaging package. Use of this tool facilitates installation of system image, including
operating system and database, on the required hardware that is almost completely configured to meet
the Common Criteria evaluated configuration. This removes the added complexity of needing to
configure generic RHEL 6.6 and DB2 installations to meet the Common Criteria Security Target.
15
configuration in order to use the installed disk drive. A virtual disk must be created in order to
set the RAID level, which in our case is RAID 0 because there is only one disk.
DVD, and answer the Clonezilla prompts to restore the image. wRestoring the image will
permanently overwrite any existing data". Keep answering yes, and the image will self
install. Please refer to the following link for instructions on cloning a RHEL Linux image:
https://www.linux.com/learn/tutorials/783416-how-to-image-and-clone-hard-drives-withclonezilla
1. Place the IBM BigFix CC Evaluated installation DVD into the DVD device on rhel2 (DB2 machine)
2. Boot the machine from the DVD and follow the directions under the heading Restoring a
Clonezilla Image using the DVD device from step 2 as the source.
3. When Clonezilla is finished, select Reboot
18
19
will have their passwords set to the same text as the user name (e.g. dasusr1/dasusr1). These should be
changed prior to production deployment.
Applying OpenSSL, RHEL Patches
We have provided a RHEL rpm for applying the latest security patches prior to deploying the
environment.
0. you must be root
1. copy openssl-1.0.1e-42.el6_7.2.x86_64.rpm from the CC media to /tmp
2. apply the patch with the following command:
rpm -Uvh /tmp/openssl-1.0.1e-42.el6_7.2.x86_64.rpm
21
1. Place the IBM BigFix CC Evaluated installation DVD into the DVD device on rhel1 (IBM BigFix
Server machine)
22
2. Boot the machine from the DVD and follow the directions under the heading Restoring a
Clonezilla Image using the DVD device from step 2 as the source.
3. When Clonezilla is finished, select Reboot
Configure rsyslog
On rhel1, syslog will be pre-configured to send logging messages to the rhel2 machine via secure stunnel
TLS forwarding. All that needs to be done is modify the stunnel configuration if the hostname for the
rhel2 machine has been changed from its pre-configured value. This is detailed below.
24
Following the Airgap network approach, handling the license authorization file needs to be copied from
an external machine for installation.
The key material is copied over to the rhel1 server manually per the steps below.
4. The database will be remote on rhel2, but the connection point to it is the local stunnel endpoint
on the TOE (rhel1). We must initially tell the install program that the database is remote so the
TOE will use the network interface to communicate with the database, but the installation
program won't accept a local hostname or IP address during configuration since normally you
should have selected local database for that. We have to force the TOE to use stunnel.
25
6. After reading the License Agreement, enter <1> to accept it and continue.
7. For the installation type, enter <2> for Production:
Select the type of installation
[1] Evaluation: Request a free evaluation license from IBM Corp.
This license allows you to install a fully functional copy of the
IBM Endpoint Manager on up to 30 clients, for a period of 30 days.
[2] Production: Install using a production license or an authorization
for a production license.
8. For the IBM Endpoint Manager features, enter <2> to install Server and Client only:
Select the IBM Endpoint Manager features that you want to install:
[1]
[2]
[3]
9. You will see the following display regarding database replication configuration, enter <1> to
create a single/master database (no replication):
Select the database replication:
[1]
[2]
26
10.For the database server configuration, enter <2> to use the remote rhel2 database:
Select the database:
[1]
[2]
11.To configure IBM Endpoint Manager for use of the rhel2 DB2 instance, perform the following
steps:
a. Install the DB2 server on the remote workstation. <already done>
b. Install a DB2 client on the workstation from where you run the Endpoint Manager Server
installation <already done>
c. Stunnel for the DB must be configured beforehand. At this point the inbound port for the
stunnel would be used to configure the DB2 connection
d. Connect the DB2 server to the DB2 client installed on the workstation from where you
run the installation, that is, the port of the DB2 database (default 50000) must be
reachable by the workstation where the installation is running.
e. Provide the following information in the installation procedure:
e.i.
the remote DB2 node **
e.ii.
the DB2 port number
e.iii.
the user name of the local DB2 instance owner
Note: ** This will NOT be the remote DB2 node (rhel2). Please be aware this is NOT the final
configuration. The remote DB2 connection is equivalent to the local stunnel. The name of the
DB2 node should be the special db2-specific hostname currently associated with rhel2 db2host
in our installation example - but that will be changed to point to rhel1 later
12.For configuration of the Root Server's root folder (called web server in the install message)
message)configuration, press <Enter> to accept the default location:
Choose the web server's root folder:
Specify the location for the web server's root folder or
press <Enter> to accept the default: /var/opt/BESServer
13.Enter <db2inst1> for the user name for the local DB2 Administrative user
14.Enter <db2inst1> for the DB2 Local Administrative user password, if prompted.
15.Enter the DB2 instance configuration. Please note it is a DB2 requirement for having a remote
installation that there are 3 accounts.
27
16.Enter the user ID and the password to define the IBM Endpoint Manager administrative user. The
default user name is: IEMAdmin.
17.For the firewall configuration, enter <2> as the firewall is pre-configured:
Firewall configuration
The firewall of the operating system is active on the local
server. To enable the communication using the specified ports you
can:
[1] Configure the firewall now
[2] Configure the firewall later
18.For the setup type, enter <1> to install with a BES license authorization file:
Choose
[1] I
[2] I
[3] I
Note that if you are re-installing using an existing license the steps will differ. You will instead be
prompted to Specify a folder for your site masthead
(masthead.afxm) or pres <Enter> to accept the default value."
This is followed by a prompt to "Specify the hostname of the remote DB2 system,"
followed by prompt for port, username, and password.
19.For the proxy usage, enter <2> as in the Airgap architecture, RHEL1 will not be leveraging a proxy
to access the Internet.
Proxy usage
[1]
[2]
20.For the License authorization location, point the installer to the token file that was manually
copied to the RHEL1 server in step 2 above.
License Authorization Location
Enter the location of the license authorization file that you received
from IBM or press <Enter> to accept the default
21.For the Server DNS name, enter the DNS name of the RHEL1 server:
28
24.For the license folder, specify a folder to maintain the site-admin credentials
Choose the license folder:
Specify a folder for your private key (license.pvk), the license
certificate (license.crt), and the site masthead (masthead.afxm)
or press <Enter> to accept the default value
25.The license request file will be generated. Enter <2> to save the request file
Request license
Your request is now ready for submission to IBM.
[1] Submit the request from this machine over the Internet. The
request is redeemed for a license certificate (license.crt) and
then saved in your credential folder.
[2] Save request to a file and send it to IBM at the URL:
'http://support.bigfix.com/bes/forms/BESLicenseRequestHandler.html'. This method might be necessary if your
deployment is isolated from the public Internet.
26.At this point, the BESLicenseRequest file (whose location on RHEL1 will be specified in an Info
message of the installation) must be manually copied to a machine with Internet access, and
sent to IBM via the following URL in order to obtain the license.crt to continue the installation:
a. http://support.bigfix.com/bes/forms/BESLicenseRequestHandler.html
29
a.i.Click Choose File and browse to the copied license request from RHEL1, then
click Submit
a.ii.Save the resulting license.crt and manually copy it to RHEL1
27.Once the license.crt file has been copied to RHEL1 per step 24, continue with the installation by
entering <1> to import the license certificate
Import the license certificate
[1] Continue with the installation by importing the certificate
(license.crt).
[2] Exit from the installation, I will import the certificate at
a later time.
28.Enter the License certificate location on RHEL1 per step 24 ii.
License certificate location
Enter the location of the license certificate file or press
<Enter> to accept the default value
29.For the advanced masthead parameters, enter <1> to use the defaults, which are suitable for
most deployments.
Advanced masthead parameters
The masthead will be created using the following defaults:
Server port number: 52311
Use of FIPS 140-2 compliant cryptography: Disabled
30
[2]
30.For the Server port number, press <Enter> to accept the default value of 52311:
####################
Server port number
Specify the server port or press <Enter> to accept the default: 52311
31
33. For the initial action lock, press <enter> to accept the default value (unlocked):
####################
Initial action lock
[1] Locked
[2] Lock duration
[3] Unlocked
Choose one of the options above or press <Enter> to accept the default
value [3]
34. For the action lock controller, press <enter> to accept the default value (Console):
####################
Action lock controller
[1] Console
[2] Client
[3] Nobody
Choose one of the options above or press <Enter> to accept the default
value
35. For lock exemptions, press <enter> to accept the default value (disabled):
####################
Enable lock exemptions
[1] Lock exemption enabled (fairly unusual)
[2] Lock exemption disabled
Choose one of the options above or press <Enter> to accept the default
value
36. For Unicode filenames in archives, press <enter> to accept the default value (enabled):
####################
Enable the use of Unicode filenames in archives
[1] The use of Unicode filenames in archives is enabled.
[2] The use of Unicode filenames in archives is disabled.
Choose one of the options above or press <Enter> to accept the default
value
37. The system will proceed with the installation:
Info: The license masthead was successfully generated.
Info: Creating the database for the server component, please wait ...
Info: The database for the server component was created successfully.
Info: Configuring the database for the server component, please wait ...
32
Info: The database for the server component was configured successfully.
Info: The service 'BESRootServer' started successfully.
Info: The service 'BESFillDB' started successfully.
Info: The service 'BESGatherDB' started successfully.
Info: The service 'BESClient' started successfully.
The installation of 'IBM Endpoint Manager' completed successfully.
38.
33
Logging in to win7box
If the hostname for rhel1 has been changed, then the hosts file on win7box must be changed to reflect
this. Run Notepad as administrator, and open the file C:\Windows\System32\drivers\etc\hosts. Replace
the text "rhel1" with the new hostname for the rhel1 machine. Save the changes
1. On a Windows machine connected to the Internet ( call it Win1), download and extract the
Airgap tool available from the Utilities page
(https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli
%20Endpoint%20Manager/page/Utilities)
2. On rhel1 (the TOE; Linux BigFix Server), run the Air-Gap script
(/opt/BESServer/bin/airgap.sh). This generates an airgap.tar file on the Linux server.
35
3. On Linux BigFix Server, extract the tar file created and copy the 'AirgapRequest.xml' to Win1 (the
Windows machine connected to the internet) in the same folder as the extracted airgap tool
utility
4. On Win1, run the BESAirgaptool.exe (which will leverage the request xml from the Linux server,
and create an AirgapResponse file, which is just a BigFix archive)
5. Copy the AirgapResponse file from the Windows machine to the Linux Server (where the tar file
was extracted) using a removable device such as a USB key.
6. Run the airgap.sh Air-Gap script on Linux Server to process AirgapResponse
Detailed Instructions
In an air-gapped environment where a secure network is physically isolated from insecure
networks, such as the public Internet or an insecure local area network, and the computers on
opposite sides of the air gap cannot communicate, to download and transfer files to the main
Endpoint Manager server running on a Linux system, you can use the Airgap utility.
This utility can also help download patch contents in a Fixlet site or single file downloads from a
url.
Note: The AirGap utility does not support a configuration where the clients are air-gapped
separately from the main Endpoint Manager server. The clients must be air-gapped together
with the main Endpoint Manager server to be able to gather across the network from the main
Endpoint Manager server.
In addition to the Endpoint Manager server which is being configured on the isolated network,
you need a Windows computer that has access to the public Internet, to download Fixlet site
content using the BESAirgapTool.exe utility. The downloaded site content and files are
transferred to the Endpoint Manager server on the Linux computer.
To run the Airgap utility on Linux servers, you must have a Windows computer with the following
environment:
It must be connected to the Internet to download contents from the Fixlet sites. For additional
information, see the Administration Tool documentation.
The BESAirgapTool.exe tool must be installed. You can download the Windows Endpoint
Manager Airgap utility (BESAirgapTool.exe), from the Utilities page.
The following libraries must be copied to the Windows computer, in the same directory as
BESAirgapTool.exe:
libBEScrypto.dll
libBEScryptoFIPS.dll
36
You can copy these libraries from the folder where you installed the Endpoint Manager console.
The default folder is %PROGRAM FILES%\Bigfix Enterprise\BES Console.
Perform these steps to run the Airgap utility on the Linux Endpoint Manager server:
1. Ensure that on the Linux computer, the Airgap utility is in the path where you installed
the Endpoint Manager server. The default path is /opt/BESServer/bin.
2. Open the Linux Terminal, and type these commands to create a tar file named
airgap.tar, containing the AirgapRequest.xml based on the information about
the Endpoint Manager database:
# cd /opt/BESServer/bin
# ./Airgap.sh -run
where:
-run
Runs Airgap to generate the tar file with the request in the local folder.
-remotedir directory
Runs Airgap to generate the tar file with the request in the specified folder.
-proxy [user:password@]host[:port]
Specifies the proxy information as follows:
Authenticating_proxy:
-proxy user:password@ipaddress:port
Non-authenticating proxy:
-proxy ipaddress:port
-help
Lists the Airgap usage.
On the Linux computer, extract the airgap.tar file with the following command under the
airgap sub-folder::
# tar -xf airgap.tar
3. Copy the file AirgapRequest.xml, created in the airgap folder, to the folder containing
the BESAirgapTool.exe file of the Windows computer.
4. On the Windows computer, run BESAirgapTool.exe to download the data related to the
AirgapRequest.xml request into the AirgapResponse file.
5. Copy the AirgapResponse file, generated by BESAirgapTool.exe, from the Windows
computer to the airgap folder of the Linux workstation.
37
6. On the Linux computer, from the airgap folder, run the Airgap tool to load the data on the
database:
# cd /opt/BESServer/bin
# ./Airgap.sh -run
38
39
The IBM BigFix Site Administrator operator is responsible for installing and maintaining the IBM
Endpoint Manager components, as well as advanced deployment-wide configurations. This role
is used primarily during initial installation and configuration of the TOE.
The IBM BigFix Console Master Operators will be used for all run time operations and
corresponds to the Authorized Administrator described in the NDPP. The security functionality
available to this user are:
The IBM BigFix Site Administrator authenticates with both a password and private key. IBM
BigFix Console Master Operators authenticate via password.
Other roles and operators described in the general IBM BigFix documentation should not be
used in the evaluated configuration.
Access Banner
The TOE displays an initial banner describing restrictions of use, legal agreements, or any other
appropriate information to which users consent by accessing the TOE.
Authentication Verification: The TOE only uses the local RHEL user account and password
mechanism for the RHEL console and that IBM BigFix only uses its local mechanism for the IBM
BigFix console. Remote authentication mechanisms, such as LDAP, are not part of the evaluated
configuration.
All the messages have the process name identifier, so IBM Endpoint Manager audit events can
be seen using the filter BESRootServer.
40
You must configure auditd to start at boot time using the following command as the root user:
# chkconfig auditd on
A number of other actions can be performed on auditd using the service auditd action
command, where action can be one of the following:
stop stops auditd.
restart restarts auditd.
reload or force-reload reloads the configuration of auditd from the
/etc/audit/auditd.conf file.
rotate rotates the log files in the /var/log/audit/ directory.
resume resumes logging of Audit events after it has been previously suspended, for
example, when there is not enough free space on the disk partition that holds the Audit log files.
condrestart or try-restart restarts auditd only if it is already running.
status displays the running status of auditd.
Note that the above list of actions will not work once root has been disabled (see Administrator
Access to TSF Data.
Rules Configuration:
The following commands must be carried out on rhel1 adding the following to
/etc/audit/audit.rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
41
42
user : the user login name initiating the action being logged
origin : the IP address of the user carrying out the event being logged
platform : operating system platform for which the IBM BigFix package was built
privilege list : list of IBM BigFix privileges being manipulated (changed, added, removed) for the
user in the given command event being logged
role : list of IBM BigFix operator roles being manipulated (modification, user assignment) in the
command event being logged
Note: the failure reasons for audit entries corresponding with failed actions
such as connection failure are contained in the syslog log record (see the
Audit Records section below). The diagnostic message from that subsystem
(e.g. OpenSSL) is captured and passed along in the audit record.
<user>
<user>
<user>
<user>
<user>
<user>
<user>
<user>
<user>
at
at
at
at
at
at
at
at
at
<origin>:
<origin>:
<origin>:
<origin>:
<origin>:
<origin>:
<origin>:
<origin>:
<origin>:
44
45
46
Examples:
Different errors may be issued by OpenSSL, depending on the timing of the error.
Example 1:
Oct 7 11:48:58 localbuild stunnel: LOG5[1391:140117046093568]: rsyslog
accepted connection from 127.0.0.1:58547
Oct 7 11:48:58 localbuild stunnel: LOG3[1391:140117046093568]:
connect_blocking: getsockopt 10.1.1.4:50001: No route to host (113)
Oct 7 11:48:58 localbuild stunnel: LOG5[1391:140117046093568]: Connection
reset: 0 bytes sent to SSL, 0 bytes sent to socket
Oct 7 11:55:53 localbuild stunnel: LOG3[1391:140117046232832]: SSL_read:
Connection reset by peer (104)
Oct 7 11:55:53 localbuild stunnel: LOG5[1391:140117046232832]: Connection
reset: 51761581 bytes sent to SSL, 582187280 bytes sent to socket
Example 2:
Oct 7 11:48:58 localbuild stunnel: LOG5[1391:140117046093568]: rsyslog
accepted connection from 127.0.0.1:58547
Oct 7 11:48:58 localbuild stunnel: LOG3[1391:140117046093568]:
connect_blocking: connect_blocking: s_poll_wait 10.10.10.3:50001: timeout (111)
Oct 7 11:48:58 localbuild stunnel: LOG5[1391:140117046093568]: Connection
reset: 0 bytes sent to SSL, 0 bytes sent to socket
LOG3 severity corresponds to error. In both rhel1(TOE) and rhel2, stunnel is configured to send
every event LOG5 (notice) and below to rsyslog. So the TOE stunnel will have rsyslog entries for
emerg, alert, crit, error, warning, and notice.
DB2 events will involve an outgoing connection to port 50001, while rsyslog errors will have
outgoing port 61515.
Outgoing trusted connection to DB2 have the format
Connection opened:
<date> <time> <TOE hostname> stunnel: LOG<severity>[<PID>:<thread
number>]: db2 connected remote server from <IP address>:<port>
Where LOG<severity> is one of
0 - emerg
1 - alert
2 - crit
3 - error
4 - warning
5 - notice
6 - info
7 - debug
This is syslog convention
47
Example:
Aug 3 21:31:31 localbuild stunnel: LOG5[2090:140223453308672]: db2 connected
remote server from 10.1.1.3:47910
Connection closed:
<date> <time> <TOE hostname> stunnel: LOG5[<PID>:<xxx>]: Connection
closed: <yyy> bytes sent to SSL, <zzz> bytes sent to socket
Example:
Aug 3 21:32:43 localbuild stunnel: LOG5[2090:140223453308672]: Connection
closed: 3965 bytes sent to SSL, 164365 bytes sent to socket
Connection Failure
The IBM BigFix Sver (BESRootServer) will generate only untrusted outbound UDP
messages.
Since all trusted outbound connections are via stunnel, stunnel logs those failures.
<date>time> <TOE Hostname><stunnel: LOG<severity>[<PID>:<thread
number>]: <reason for failure>
Examples.
Oct 7 11:48:58 localbuild stunnel: LOG5[1391:140117046093568]: db2 accepted
connection from 127.0.0.1:58547
Oct 7 11:48:58 localbuild stunnel: LOG3[1391:140117046093568]:
connect_blocking: getsockopt 10.1.1.4:50001: No route to host (113)
Oct 7 11:48:58 localbuild stunnel: LOG5[1391:140117046093568]: Connection
reset: 0 bytes sent to SSL, 0 bytes sent to socket
Oct 7 11:55:53 localbuild stunnel: LOG3[1391:140117046232832]: SSL_read:
Connection reset by peer (104)
Oct 7 11:55:53 localbuild stunnel: LOG5[1391:140117046232832]: Connection
reset: 51761581 bytes sent to SSL, 582187280 bytes sent to socket
LOG3 severity corresponds to error. In both rhel1(TOE) and rhel2, stunnel is configured to send
every event LOG5 (notice) and below to rsyslog. So the TOE stunnel will have rsyslog entries for
emerg, alert, crit, error, warning, and notice.
DB2 events will involve an outgoing connection to port 50001, while rsyslog errors will have
outgoing port 61515.
48
SYSTEM UPDATE
Version numbers are logged when the server process starts. When the server
process shuts down and restarts with a higher version number is an implicit log of an
upgrade.
A filter script (fixlet) is provided that can be run from the IBM BigFix Console to
display these events.
Additionally, in the CC evaluated system, upgrade fixlets have been modified to use
the logger command (http://linux.die.net/man/1/logger)
49
Audit Records
Audit Records
Audit and rsyslog events are logged as generic rsyslog messages using LOG_USER and LOG_INFO
as the rsyslog flags.
Entries into rsyslog have the following format:
<type> <date> <time> <TOE hostname> BESRootServer[<PID>]: <audit event entry>
Example:
Aug 3 21:25:45 localbuild BESRootServer[14271]: CONNECTION - Accepted connection from
127.0.0.1
<type> : The type of notification. Values can be Informational, warning, critical
<date> : Date of the record entry
<time> : Time the record is logged
<TOE hostname> : Hostname of the computer logging the entry
BESRootServer : The component issuing the event is always the BESRootServer. This is one of the
processes that make up the IBM BigFix Server.
<PID> : Process ID of the BESRootServer
<audit event entry> : Audit event log message (see Audit Events).
-Note: NDPP does not specify which types we are required to use. So we define all of our audit
events to be of the type "notice", and we omit the type field in the log entry since there are no
different audit events types to distinguish.
50
rsyslog delivers the message through a TCP connection connected to a local port managed by
stunnel. rsyslog attempts to keep a permanent connection to this TCP local port. This port is
managed by stunnel. When stunnel receives a new connection in the local port in the TOE from
rsyslog, it establishes a permanent connection to the remote system to set up the encrypted
tunnel.
When the system determines the TCP connection managed by stunnel between the TOE and the
remote syslog server has failed, the stunnel connection will be closed and stunnel will send a TCP
reset to the rsyslog connection, which will cause rsyslog to close this connection too. If there was
a syslog message in-flight when the connection failed either between rsyslog and stunnel or in
the encrypted tunnel connection, the message will not be written to the remote syslog, just to
the local syslog.
The local port managed by stunnel will remain open. The next time rsyslog receives a message,
since the TCP connection was lost, rsyslog will try to create a new TCP connection to the local
stunnel port. When stunnel receives this connection attempt, it will try to create a new tunnel
connection. If this succeeds the message will be sent correctly to the remote server and the
permanent TCP connections will remain in place for successive messages. If it doesn't succeed
because the network problem is not yet resolved, the message would be just written to the local
syslog in the TOE.
This means that the audit records during the connection downtime do exist in the local log files
on the TOE platform, but they are not in the log of the remote audit log server. So if the
administrator wishes to archive these records, they can be accessed in the audit logs of the local
server.
We recommend that when there is a connection loss to the remote audit server that the
administrator examine the local logs on the TOE for audit records to see if any events occurred
during the connection loss. As part of best practices, the administrator should manually copy the
segment of the local log file representing the connection downtime to the audit server machine
and name it in a meaningful way in support of any future audit tracing that might arise.
51
In order to disable certain open HTTP functionality you will need to make come client settings to
disable the diagnostics interface (it can be enabled as needed for trouble shooting) and make
the server and authenticating server. This will prevent remote access to any of the web
interfaces (admin or otherwise) without authentication, and for local access to the same
web interfaces, it will require authentication as well as HTTPS.
(1)
_BESRelay_Diagnostics_Enable = 0
Default: 1
Requires Restart: Yes
53
For example:
./BESAdmin.sh -setadvancedoptions
-sitePvkLocation=/root/backup/license.pvk
-sitePvkPassword=mypa55w0rd -update loginWarningBanner='new message'
Important: In order to display a console warning banner prior to user
login please log into the IBM BigFix Console (see Installing and
Logging In to the IBM BigFix Console) after setting or changing the
text in order to initialize the pre-login warning banner.
4755
4755
4755
4755
/bin/date
/sbin/shutdown
/sbin/halt
/sbin/reboot
/mnt
vfat
users 0
Note that FTP is not pre-installed on rhel1 and should not be installed later
IBM Feature on Demand functionality is not activated and should not be activated
if [ -w $(tty) ]; then
trap "exec $SCREENEXEC" 1 2 3 15
echo -n 'Starting session in 10 seconds'
sleep 10
exec $SCREENEXEC
fi
Note that each time a new session starts, a message will be displayed and the user will
have to wait ten seconds. To adjust the time to wait before starting a session, change the
value after the sleep command.
Add the following lines to the /etc/screenrc configuration file to lock the session after a
given period of inactivity:
This will set the time limit to 120 seconds. To adjust this limit, change the value after the
idle directive.
idle 120 lockscreen
autodetach off
This way, a password will be required to unlock the session.
The changes take effect the next time a user logs in to the system.
In order to configure the default minimum password length of 15 characters or greater please
carry out these steps:
(i) Use the text editor vim (prior to disabling root) to edit the file
/etc/pam.d/system-auth
56
(ii) Locate the line containing "cracklib", it currently looks like this (all on a single line):
password requisite
retry=3 type=
pam_cracklib.so
try_first_pass
TLS Ciphersuites
57
The IBM Endpoint manager provided on the CC Evaluated ISO image DVDs has been preconfigured to support TLS 1.0 or greater. TLS 1.2 is used for communication from the TOE to the
Console (1.0/1.1/1.2 is allowable). TLS 1.0 is used over stunnel to syslogs and DB2.
There are no steps to enable Enhanced Security mode to meet the requirements for TLS versions
and cipher suites. The CC Evaluated IBM BigFix package has been built to disable some cipher
suites that aren't allowed by the NDPP/Security Target.
The following cipher suites are allowed by the BES root server:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS v1.0, v1.1 and v1.2 are allowed. No configuration is required to enable these cipher suites
and protocols. None of the cipher suites can be disabled.
The stunnel uses TLS v1.0 to securely forward DB2 and rsyslog connections between rhel1 and
rhel2, and uses the following cipher suites:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
Software Versions
58
The version of the IBM Endpoint Manager agent that is installed on rhel1 can be determined by
issuing from the RHEL console the command
rpm -q --queryformat '%{VERSION}\n' BESAgent
RHEL
The version of Red Hat Enterprise Linux server that is installed on rhel1 can be determined by
issuing from the RHEL console the command
rpm -q --queryformat '%{RELEASE}\n' redhat-release-server
The version of the Linux kernel installed through the official Redhat mechanism can be
determined by issuing from the RHEL console the command
rpm -q --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}\n' kernel
To determine if this is the version of the kernel that is actually running, form the RHEL console
issue the command
uname -r
The kernel version from uname should match the kernel version from rpm.
59
Logging into the TOE RHEL machine is done via the physical console connected to that machine.
The warning banner is displayed and by proceeding with login the user agrees to the conditions
therein.
After completion of the Common Criteria set-up steps contained in this guide, the root login will
be disabled, so the administrator must create another user account during installation in order
to log in.
Reliable time-stamps
The RHEL operating system maintains the system time that is used for all time-stamps issued,
including such sensitive events as audit record generation, certificate validation, session locking,
and timeouts for remote sessions. As such, changing the system time requires root access.
Official Red Hat guidance on how to change the RHEL 6 operating system time can be found in
Section 2.2 of the RHEL 6 Deployment Guide: https://access.redhat.com/documentation/enUS/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/index.html
Firewall configuration
Note that port number 52311 (the default) must be accepted during installation to correspond to the
pre-configured firewall settings.
And be aware that the firewall on the rhel1 is pre-configured to block all ICMP packets.
After installation of the Clonezilla image on rhel1, the firewall will be on and configured to have only the
following ports open on the external network interfaces:
Changing the firewall settings falls outside the scope of the Common Criteria evaluated configuration.
There will be additional ports open for DB2 and rsyslog on the internal loopback device to allow stunnel
to securely forward those connections to rhel2 using TLS.
60
stunnel runs at hardware privilege level ring 3 , and at a low user RHEL system privilege level
through the account 'nobody'.It provides secure forwarding of DB2 and rsyslog connections
using TLS to the rhel2 machine. This process only has outbound connections, on port 50001 to
forward the DB2 connection, and on port 61515 to forward the rsyslog connection.
Power on self-test
The TOE, specifically the RHEL OpenSSL package, performs a series of power-up self-tests when invoked.
First, the TOE performs an integrity test on the cryptographic module using HMAC-SHA-256. If the integrity
test passes, then the TOE performs a set of Known Answer Tests (KATs) on individual algorithms. If the KAT
tests pass, then the cryptographic module enters FIPS mode. The following cryptographic algorithms are
tested during the KAT tests: AES, RSA, HMAC-SHA1, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384,
HMAC-SHA-512, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 and CTR_DRBG.
The IBM BigFix Server additionally calls FIPS_mode_set() upon start up, which in turn calls
FIPS_self_test(). If this test fails an error message is displayed (Cryptographic module failed to
initialize required FIPS mode: FIPS selftest failed ) and openSSL fails to load. The sever will then
throw an exception and will exit. The following message is written to the log : "Failed FIPS setup!
Exiting"
Cryptography self-tests
The RHEL operating system, stunnel, and the BES server all use the same shared OpenSSL 1.0.1ebased library provided by the RHEL operating system, and all components are operating with
OpenSSL cryptography in FIPS mode. In FIPS mode, the OpenSSL library performs a series power
on self-tests to ensure the reliable operation of cryptography algorithms. The RHEL operating
system performs the self-test at boot time, while stunnel and the BES server components
perform the self-test as part of process initialization anytime the executable are run. If any of the
cryptography self-tests fail, the following will happen:
RAND_R_PRNG_STUCK
-two matching 128 bit values were consecutively generated by the random number
generator.
The above errors are flagged through the normal ERR interface of the OpenSSL library. For
details please see the OpenSSL manual page.
Fatal Errors: These occur if the crypto module is in an error state due to having failed a self test
and a crypto function form the module is called by the application that cannot return an error
message (void return value) . The error message: 'FATAL FIPS SELFTEST FAILURE' is sent to stderr
and the application is terminated via the abort() call.
Recovery: application must be restarted. If failures reoccurs, the module must be reinstalled.
In downloading the software, remember to verify the package hash to ensure the correct
download. If the problem persists, contact IBM Technical Support.
Stunnel
The self-tests are done when the executable is launched as a part of process initialization. If the
self-tests fail, stunnel will terminate itself and not allow forwarding of DB2 or rsyslog
connections outside the TOE. The stunnel logs will state that it could not enter FIPS mode and
contain further information on why the self-tests failed.
Recovery: To recover from this error, check error logs and consult the Stunnel documentation.
Verify that the correct version of Open SSL is installed. If the problem persists, contact IBM
Technical Support.
62
Only root can read the three main BES private keys locate at:
/var/opt/BESClient/KeyStorage/__ClientKey.pvk, /var/opt/BESServer/ClientCAKey, and
/var/opt/BESServer/ServerSigningKey
Run the following so a regular user can create and untar airgap.tar to perform an update.
>chmod +w /opt/BESServer/bin
After root is disabled the following actions will require renabling root.
Trusted update
63
Have the trusted admin with physical access to the machine take the TOE offline and
boot into single-user mode from the local RHEL console.
When the TOE begins its boot process, a screen showing the Linux kernel name will
appear with a message saying it will boot in a few seconds.When you see this
screen, hit the ESCAPE to interrupt the boot sequence.The GRUB boot loader screen
will be presented, allowing you to modify the boot process. Type a to append to
the current boot command. Then type single to append the word single to the
end of the boot command. Then hit RETURN. The system will boot into single-user
mode. Then reactivate (unlock) the root account and exit single-user mode.
# passwd u root
# exit
When you exit single-user mode, the machine will reboot normally with
the root account enabled.
Hardware Hardening
64
Assumptions
The TOE is assumed to exist in a locked, secure data center with physical access limited to
authorized personnel.
The TOE (rhel1) is connected to win7box and rhel2 on a closed or air-gap network that has no
physical or virtual connection to any outside network.
No further hardening of the hardware is required.
Upgrade process
The upgrade process for the CC-Evaluated IBM Endpoint Manager follows the normal upgrade
process for upgrades in air-gap networks. Please refer back to the section Manual Policy Gather
Step fpr Air-Gap Networks to review the process for manual gather. Upgrade actions are
implemented as policies to be gathered in the IBM BigFix environment.
After performing the manual step to gather new content using the airgap tool from the IBM
Corporate fixlet hosting site, an upgrade fixlet will appear in the IBM BigFix Console in the
BESSupport QA site which can be launched by an Administrator user to perform the in-place
upgrade.
The following link describes the generic upgrade process. From the air gap perspective, the only
difference is in copying the installation image/package to the TOE .
http://support.bigfix.com/index/Upgrading.html
The general process for downloading files and patches for the Air-Gap scenario is described at
this link. The rest of this section describes the upgrading process for the TOE specifically.
http://www01.ibm.com/support/knowledgecenter/SS6MER_9.2.0/com.ibm.tivoli.tem.doc_9.2/Platform/
Config/c_airgap_tool_overview.html?lang=en
Note that all fixlets are digitally signed with RSA 2048 and SHA1 which provides protection when
downloading the fixlet and when uploading to the TOE. The existing certificate present in the
IBM BigFix installation will be used to validate the signature on the upgrade fixlet used during
upgrade, this license file is named license.crt.
Note: It is advisable to make a DB2 database backup prior to carrying out the upgrade. If there is
an error during this process, the database can be restored to reset the state to the known good
one. Please see DB2 documentation for more detail on taking database backups. See the note
below for steps to take in case of failure.
65
As the TOE is in an air-gapped network, it is necessary to use the BigFix standard manual process
for caching the payload (the binaries constituting the upgrade) in air-gap network environments.
In order to modify the protected files, root will be re-enabled prior to the upgrade steps.
Re-Enabling Root Access:
There are various files and directories encountered during upgrade process that require root
privileges to modify. Prior to carrying out the upgrade process, the trusted administrator with
physical access to the TOE must temporarily enable root.
Follow the instructions in this section to re-enable root to allow updating protected files:
Re-Enabling Root
After root is re-enabled, proceed with the upgrade steps below.
Upgrade Steps
Caching the Files for later use by the Upgrade Fixlet
Prior to running the upgrade fixlet, the binaries must be cached on the server (TOE). Caching
files on the IEM Server is a simple process:
i. Obtain the file you wish to cache on the BES Server *
ii. Calculate the sha1 checksum of the file.**
iii. Rename the file to its sha1 checksum value. (Remove file extension if it exists)
iv. Place the renamed file in the IEM Server download cache folder.***
Once the file is cached on the IEM Server, any action deployed that checks for the same sha1 will
use the file in the cache instead of downloading it from the Internet.
For more details on how the IEM Server/Relay caches work, see: http://www01.ibm.com/support/docview.wss?uid=swg21505905
*In this case the file to be cached is the new binary/binaries to upgrade the IBM BigFix software
on the TOE. The binary will be accessible via hashed link, which will be sent to you via signed
email. The public key for validating the email signature will be provided to you by your IBM
Federal Sales representative.
**You can calculate the sha1 checksum of a file by using the sha1.exe tool available
here: https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?
lang=en#/wiki/Tivoli%20Endpoint%20Manager/page/SHA1%20Tool
*** the Server download cache directory on a Linux system is located at
/var/opt/BESServer/wwwrootbes/bfmirror/downloads/sha1
66
Recall that this directory is writable only by root and root has been re-enabled/
Assuming the binary file had been previously copied to /tmp:
cp /tmp/serverinstaller.tgz /var/opt/BESServer/wwwrootbes/bfmirror/downloads/sha1/<sha1>
Once the binary has been manually cached and previously the fixlet has been transferred to the
server (the air-gap gather step) you then proceed to the Console, navigate to the BES Support
QA site and run the upgrade fixlet (example: for a given patch 200, you would run the fixlet
titled IBM Endpoint Manager - Updated Platform Server Components version 9.2.3.200 Now
Available).
For further operation details on using the IBM BigFix Console see the "IBM Endpoint Manager
Version 9.2 Console Operators Guide" to cover general usage and navigation in the Console.
If the upgrade completed successfully, a message is displayed 'Upgrade successful' and the
product version number will be changed (normally to a higher number).
Once the upgrade is finished, disable root by following the instructions here:
Set Root back To Disabled
Failure During the Upgrade Process
If the upgrade did not complete successfully an error message will be displayed, with an error
number (such as 'error 94').
If the upgrade process fails, restore the DB2 database on rhel2. If all cables are in place and the
IBM BigFix processes are running, contact technical support.
In addition to being displayed, the error message will be saved in the error log file please see the
following information on which logs to check (http://www01.ibm.com/support/knowledgecenter/SS6MER_9.2.0/com.ibm.tivoli.tem.doc_9.2/Platform/Adm/c
_upgrade_the_tem_server_linux.html).
67
Support
For support with your IBM BigFix Common Criteria deployment, please contact your federal Sales
representative to arrange for a technician to contact you. For general information on IBM Federal Sales,
please see:
IBM Federal Sales
For more general information about this product, see the following resources:
IBM BigFix Support site
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries.
Consult your local IBM representative for information on the products and services currently available in
your area. Any reference to an IBM product, program, or service is not intended to state or imply that
only that IBM product, program, or service may be used. Any functionally equivalent product, program,
or service that does not infringe any IBM intellectual property right may be used instead. However, it is
the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or
service.
IBM may have patents or pending patent applications covering subject matter described in this
document. The furnishing of this document does not grant you any license to these patents. You can
send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual
Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan
The following paragraph does not apply to the United Kingdom or any other country where such
provisions are inconsistent with local law:
68
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT
WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore,
this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically
made to the information herein; these changes will be incorporated in new editions of the publication.
IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in
any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part
of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the
exchange of information between independently created programs and other programs (including this
one) and (ii) the mutual use of the information which has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases,
payment of a fee.
The licensed program described in this document and all licensed material available for it are provided
by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or
any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the
results obtained in other operating environments may vary significantly. Some measurements may have
been made on development-level systems and there is no guarantee that these measurements will be
the same on generally available systems. Furthermore, some measurements may have been estimated
through extrapolation. Actual results may vary. Users of this document should verify the applicable data
for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their
published announcements or other publicly available sources. IBM has not tested those products and
cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of
those products.
69
All statements regarding IBM's future direction or intent are subject to change or withdrawal without
notice, and represent goals and objectives only.
All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without
notice. Dealer prices may vary.
This information is for planning purposes only. The information herein is subject to change before the
products described become available.
This information contains examples of data and reports used in daily business operations. To illustrate
them as completely as possible, the examples include the names of individuals, companies, brands, and
products. All of these names are fictitious and any similarity to the names and addresses used by an
actual business enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs
in any form without payment to IBM, for the purposes of developing, using, marketing or distributing
application programs conforming to the application programming interface for the operating platform
for which the sample programs are written. These examples have not been thoroughly tested under all
conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these
programs. The sample programs are provided "AS IS", without warranty of any kind. IBM shall not be
liable for any damages arising out of your use of the sample programs.
If you are viewing this information softcopy, the photographs and color illustrations may not appear.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be
trademarks of IBM or other companies. A current list of IBM trademarks is available on the "Web at
Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or
trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications
Agency which is now part of the Office of Government Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel
SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its
subsidiaries in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in
the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of the Office of Government
Commerce, and is registered in the U.S. Patent and Trademark Office.
70
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or
its affiliates.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other
countries, or both and is used under license therefrom.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and
Quantum in the U.S. and other countries.
71