IBM InfoSphere Identity Insight Version 8.1 Fix Pack 3 – installation and release notes These release notes contain information to ensure the successful installation and use of IBM® InfoSphere® Identity Insight Version 8.1 Fix Pack 3. Included is information about updates, fixed problems, usage notes, and known problems. These release notes are provided with the installation download and media and are included in the product information center. The very latest version is available from the IBM InfoSphere Identity Insight Support portal.
Table of Contents IBM InfoSphere Identity Insight Version 8.1 Fix Pack 3 – installation and release notes...... 1 About IBM InfoSphere Identity Insight...... 2 Summary of product enhancements and fixes for Version 8.1 Fix Pack 3...... 2 IBM InfoSphere Identity Insight Plug-in for IBM i2 Analyst's Notebook...... 2 Basic Console for Identity Insight configuration...... 2 Enhancements to the Expanded Service API...... 3 Fix Pack 3 fixes and corrections...... 3 Product documentation...... 4 Installation files and checksum information...... 5 Installing Fix Pack 3 for IBM InfoSphere Identity Insight Version 8.1...... 5 Required actions and considerations before installing Fix Pack 3...... 6 Considerations and issues for Microsoft Windows 7 and Microsoft SQL Server 2008 users 6 Considerations and issues for Oracle database users...... 7 Considerations and issues for IBM Informix users...... 7 Considerations if you have custom Output Documents or DQM Rules...... 10 Database schema changes...... 10 Starting the Fix Pack 3 installation program...... 13 Completing Fix Pack 3 installation...... 15 Verifying Fix Pack 3 installation...... 16 Launching Basic Console...... 16 Updating the database with SUIT...... 17 Known issues and changes when using the product...... 18 ILOG and Web services performance improvements...... 20 Graph server initialization parameters...... 20 To see the latest information about known problems and issues...... 22 System requirements updates...... 23 Announcements...... 23 SUIT: Schema Upgrade and Installation Tool version 8.1.0.0...... 23
1 About IBM InfoSphere Identity Insight IBM InfoSphere Identity Insight helps organizations solve business problems related to recognizing the true identity of someone or something ("who is who") and determining the potential value or danger of relationships ("who knows who") among customers, employees, vendors, and other external forces. IBM InfoSphere Identity Insight provides immediate and actionable information to help prevent threat, fraud, abuse, and collusion in all industries. This product was formerly titled IBM Relationship Resolution.
Summary of product enhancements and fixes for Version 8.1 Fix Pack 3 Fix Pack 3 includes the following product enhancements and fixes.
IBM InfoSphere Identity Insight Plug-in for IBM i2 Analyst's Notebook The IBM InfoSphere Identity Insight plug-in for IBM i2® combines the power of Identity Insight’s resolution, relationship, and alert detection engine with the visualization and analytical tools of IBM i2 Analyst's Notebook® (ANB).
The Identity Insight plug-in lets you include and integrate Identity Insight entities and alerts into the Analyst Notebook's visual environment. The plug-in provides a dockable interface that can be displayed with i2 ANB.
This information guides you through installing and configuring the Identity Insight plug-in to work with i2 ANB. It also describes how to work with Identity Insight entities and alerts in the ANB environment.
An “Up and running guide” for the plug-in is available for download at the IBM InfoSphere Identity Insight Support portal.
Basic Console for Identity Insight configuration The Basic Console provides a task-oriented interface to help you more easily do some of the most essential tasks to get up and running with Identity Insight. All of these configuration tasks can also be done in the Configuration Console as in previous releases. Use Basic Console to configure data sources, attributes, role alert rules, and basic system parameters to get up and running with IBM InfoSphere Identity Insight. Basic Console is installed with Fix Pack 3. Launching the console is described in the installation section of this document. Additional information is provided in the product information center.
2 Enhancements to the Expanded Service API Fix Pack 3 includes many enhancements to the Expanded Service API. This API updates IBM Identity Insight Web services by providing an object-rich SOAP API and corresponding UMF API of Web services operations. The SOA expansion enhances retrieval of data from data sources, system parameters, characteristic confirmation, alert rules, and alert summary and filters. The pipeline has been enhanced to support the new APIs. The new APIs are primarily in the Configuration and Alerting method packages sections and detailed in the product information center.
Support for IBM InfoSphere QualityStage Address Verification Adds support for IBM InfoSphere QualityStage Address Verification Interface, Version 10 (QSAVI v10). Support is ending for prior versions of QSAVI.
Fix Pack 3 includes the updates and changes that were provided with Fix Pack 1 and Fix Pack 2. For additional details about changes and enhancements that are included, see the release notes for each of them: Fix Pack 1 Release Notes: http://pic.dhe.ibm.com/infocenter/easrr/v8r1m0/topic/com.ibm.iis.ii.whatsnew.doc/topics/eas_ref_iireln otes_v8_r1_fp1.html
Fix Pack 1 Release Notes: http://pic.dhe.ibm.com/infocenter/easrr/v8r1m0/topic/com.ibm.iis.ii.whatsnew.doc/topics/eas_ref_iireln otes_v8_r1_fp2.html
Fix Pack 3 fixes and corrections Fix Pack 3 includes many fixes and corrections. It is also inclusive in terms of the fix pack and hot fix fixes and enhancements for version 8.1.
General corrections and enhancements Fix Pack 3 includes the following general corrections and enhancements: ◦ Corrects problems in character transliteration. ◦ Corrects problems in address restructuring. ◦ Implements of DQM Function 254 to address a problem with IBM Global Name Management Name Parser. Function 254 parses a name according to Name Parser parsing libraries and uses arguments and return codes identical to Function 252, the standard parsing rule. ◦ Provides the latest IEHS security fixes and other updates for the locally installed product information center. Note that the content in the locally installed information center has not
3 been updated for FP3. See instead the online version ibm.com: information center or download a PDF version available at the Support portal.
Errors and problems corrected Fix Pack 3 resolves a number of errors and problems: ◦ Prevents watch list records from relating to themselves. ◦ Provides granular insight into generic names by providing new XML tags in the name segment. ◦ Fixes a pipeline issue in which reprocessing large entities caused the pipeline to consume large amounts of memory and eventually to crash. ◦ Improves pipeline performance as part of other pipeline enhancements. ◦ Fixes an ILOG web services issue related to recognizing commas and decimal points in numbers. ◦ Files generated by MSSQL are now .sql not .bat. ◦ Provides performance improvements for new installs. ◦ Adds a search SOA null pointer if nothing for entity_id. ◦ Corrects APAR # PJ40306 - Memory leak identified in XML Parser. ◦ Corrects APAR # PJ41120 - Decimal Number Value in path strength convert. All of these are in addition to enhancements and fixes provided in FP1, FP2, and various hotfixes. See the related release notes and readme documents for details.
Product documentation Version 8.1 Fix Pack 3 product documentation can be found in the following places: Product installation downloads Contain release notes with additional installation instructions.
Version 8.1 information center Access the information center (http://pic.dhe.ibm.com/infocenter/easrr/v8r1m0/index.jsp).
The locally installed information center is not being updated for Fix Pack 3. Use the FP3 information center at ibm.com or download the PDF version of the product information from the Support portal.
IBM product Support home Access at Support portal (http://www.ibm.com/support/entry/portal/Software/Information_Management/InfoSphere_Identity_Insight) In addition to Technotes and other support information, the portal contains links to the information center, PDF versions of the information, and the latest updates to the release notes.
4 Installation files and checksum information Fix Pack 3 is installed using the following installation file packages: Platform File Size Checksum AIX 8.1-IM-ISII-AIX_pwr5-FP003.tar.gz 506.9 Mb 500013815 506912366
Linux x86 8.1-IM-ISII-Linux_x86-FP003.tar.gz 430.2 Mb 279607360 430242429
Linux x64 8.1-IM-ISII-Linux_x64-FP003.tar.gz 433.9 Mb 3038445767 433925737
Linux s390 8.1-IM-ISII-Linux_s390-FP003.tar.gz 445.6 Mb 270283851 445614427
Windows x64 8.1-IM-ISII-Win_x64-FP003.zip 447.7 Mb 3915050531 447709103
Installing Fix Pack 3 for IBM InfoSphere Identity Insight Version 8.1 To install Fix Pack 3, you must have Version 8.1 installed. There are at least several basic fix pack installation scenarios: Version 8.1 installed - add Fix Pack 3 You have installed Version 8.1. Install Fix Pack 3 using the fix pack installation program. FP3 includes all of the fixes released with 8.1 GA release, including Fix Pack 1 and Fix Pack 2. For information about installing Version 8.1 see the product installation guide that is provided with the product installation downloads.
Version 8.1 with Fix Pack 1 installed - add Fix Pack 3 You have installed Version 8.1 and Fix Pack 1. Install Fix Pack 3 using the fix pack installation programs.
Version 8.1 with Fix Pack 2 installed - add Fix Pack 3 You have installed Version 8.1 and Fix Pack 2. Install Fix Pack 3 using the fix pack installation programs.
Version 8.1 is not installed You must first install or upgrade to Version 8.1. Then install Fix Pack 3.
For more information see: S upport portal . Planning, installation, and configuration information is also available in the product information center at ibm.com. Note the installation-related items in this document.
Required actions and considerations before installing Fix Pack 3 Important: You must do the following before installing or upgrading to Fix Pack 3.
5 Pipeline Windows installation: Pipeline services must be stopped and deleted prior to upgrade. When installing on Windows, stop and delete old pipeline services prior to running the installer to upgrade to Version 8.1 Fix Pack 3.
Non-Windows Installation: Make sure that no pipeline is running. The upgrade will fail if a pipeline is running. Database Environment: Before launching the fix pack installer, validate that the database directory and environment variables are set for the type of database you are using.
User ID required for upgrade: User should use the same user id that installed the product. It can be found in the install log.
Upgrading from future v8.0 fix packs and hotfixes This fix pack supports upgrading from Version 8.1 to Version 8.1 Fix Pack 3.
Version 8.1 Fix Pack 3 includes: • Fix Pack 1 and Fix Pack 2 updates. • All previous hotfixes on the v8.1 branch. • All previous hotfixes and fix packs from the v8.0 branch, up to and including 8.0.0.147.
If you apply hotfixes after hotfix 147 to your v8.0 branch installation, please contact IBM Support before upgrading to Version 8.1 Fix Pack 3.
Considerations and issues for Microsoft Windows 7 and Microsoft SQL Server 2008 users If you use IBM InfoSphere Identity Insight on a Microsoft Windows 7 client or use Microsoft SQL 2008 as your database, be aware of the following before installing: Windows Server 2003 or 2008 for pipeline or Application Server with a DB2® v9.5 or v9.7 database server: A potential issue exists for IBM Identity Insight Version 8.1 customers who are using Windows Server 2003 or Windows Server 2008 operating systems for the pipeline or Application Server and IBM DB2 Version 9.5 or Version 9.7 database server. Latin-1 or UTF-8 data may not be encoded correctly by Identity Insight Version 8.1 with this operating system-database combination. If you are using a DB2 v9.5 or v9.7 database, you are strongly encouraged to install IBM Identity Insight Version 8.1 in a test environment and verify correct encoding of Latin-1 or UTF-8 data. Check the following columns:
Table=NAME Columns=LAST_NAME, FIRST_NAME, MID_NAME, NAME_PFX, NAME_SFX, NAME_GEN
Table=ADDRESS
6 Columns=ADDR1, ADDR2, ADDR3, CITY, STATE
Table=ATTRIBUTE Column=ATTR_VALUE
If the data in any of these tables appear to be incorrectly encoded, check the following Environment variable is set on your Windows pipeline server:
DB2CODEPAGE
This should be set to the same value as the DB2 Database 'CODEPAGE' variable. For example, if the DB2 Database configuration is:
CODEPAGE=1208 CODESET=UTF-8
The DB2CODEPAGE environment variable should be set as follows:
set DB2CODEPAGE=1208
Considerations and issues for Oracle database users If you use an Oracle database with IBM InfoSphere Identity Insight, be aware of the following additional known issues: Do not segment or partition database tables that are used for UMF input transports Database tables that are used for UMF input transports must not be segmented or partitioned. Segmenting or partitioning these transport tables will result in errors in the pipeline transport and lost data.
Visualizer usage note for Find-by-Attribute function (using an Oracle database) This issue is resolved.
Considerations and issues for IBM Informix users If you use IBM Informix as your database, be aware of the following additional known issues: IBM Informix Dynamic Server Release 11.70.xC4DE database support Support for IBM Informix Dynamic Server Release 11.70.xC4DE databases (Ultimate Edition and Ultimate Warehouse edition) is provided with the following Application Server architectures (Native OS implementation only): • IBM AIX 6.1 - 64 bit - POWER 5/6 • Linux x-86 • Linux x86_64 • 64-bit Linux on System z
7 • Novell SUSE Enterprise Linux 10 - 64-bit - IBM System z only • Novell SUSE Enterprise Linux 11 - 64-bit, x86_64 • RedHat Enterprise Linux 5 - 64-bit, x86_64 • Microsoft Windows 2008 Server - 64-bit, x86_64
Note: IBM Informix Dynamic Server 11.7 DataBlade functionality is not supported. See the section on system requirements for detailed information.
Installation prerequisites and setup information for Informix The environment variables INFORMIXSERVER,INFORMIXDIR must be set before you run the installer to properly configure an Informix installation. • INFORMIXSERVER should point to the instance of the target DB server, for example, ol_informix1170. • INFORMIXDIR should point to the root installation directory where the Informix client or server package is installed. On UNIX, this is typically /opt/IBM/informix and may have a version number appended. For Windows, it is usually in Program Files/IBM/Informix.
Minimum page sizes Page sizes for IBM Identity Insight databases managed with Informix need to be created with a minimum page size of 8K. If this is not done, installation will fail with an error similar to the following:
java.sql.SQLException: Total length of columns in constraint is too long.
Logging mode Logging mode must be enabled for the Informix database when it is created. Do not use the MODE ANSI keyword. Doing so can break pipeline transaction-handling functions.
Running SUIT When installing to an Informix database, the Schema Upgrade and Installation Tool (SUIT) must be run with the following command line parameter: -mbi 1. This disables statement "batching" and is required for version 11.50 and 11.70. If this is not done, the SUIT operation will fail with the error "maximum statement length exceeded" and abort. See SUIT: Schema Upgrade and Installation Tool version 8.1.0.0.
Environment variables Informix has two optional environment variables that must be set before running the installation: CLIENT_LOCALE and DB_LOCALE. The CLIENT and DB locale values must be the same or their code sets must be convertible. It is best if both are the same, but both must be UTF8. codeset name and language name must both be lower case when used in the JDBC call.
Enabling logging for Transactional support In order for transactions to work with Informix, the database must be created with logging enabled. You can do this through dbaccess using the menu options, or specify it when using DDL:
8 CREATE DATABASE
Transaction-handling configuration The following configuration settings are required for transaction-handling: • Row-Level table locking DEF_TABLE_LOCKMODE=ROW in onconfig database- configuration file • Row lock handling SET LOCK MODE TO WAIT on database connection definition. • Choice of plan optimization: UPDATE STATISTICS HIGH on database after some data has been loaded. This does not work on an empty database.
Required entries for LD_LIBRARY_PATH:
1. Add the following required entries for LD_LIBRARY_PATH: • $INFORMIXDIR/lib • $INFORMIXDIR/lib/cli • $INFORMIXDIR/lib/esql
2. Ensure that $INFORMIXDIR/bin is in the $PATH.
3. After setting up the Informix database, you must update the ODBC configuration. For Unix and Linux, see: http://publib.boulder.ibm.com/infocenter/idshelp/v117/topic/com.ibm.odbc.doc/ids_odbc_ 062.html. For all platforms: http://publib.boulder.ibm.com/infocenter/idshelp/v117/index.jsp? topic=/com.ibm.relnotes.doc/notes/csdk_370xc3/mach/odbc.html
JDBC files Make sure that $INFORMIXDIR exists before installing. Some Informix installations do not automatically create the jdbc files. These files must exist before installing:
C:\PROGRA~1\informix_1170\jdbc\lib>dir Volume in drive C has no label. Volume Serial Number is D477-2F8F
Directory of C:\PROGRA~1\informix_1170\jdbc\lib
18/07/2012 12:31
9 23/09/2011 19:58 48.982 ifxtools.jar 6 File(s) 3.609.199 bytes 2 Dir(s) 1.093.832.704 bytes free
Do not segment or partition database tables that are used for UMF input transports Database tables that are used for UMF input transports must not be segmented or partitioned. Segmenting or partitioning these transport tables will result in errors in the pipeline transport and lost data.
Known issue: Informix sometimes returns trailing spaces on data Informix sometimes returns trailing spaces on data. If this occurs: 1. Edit the on_config_
2. Set the following parameter:
IFX_LEGACY_CONCAT 1
3. Then restart the server.
Considerations if you have custom Output Documents or DQM Rules If you have previously worked with IBM Professional Services, Support, or Engineering to create additional UMF Output Documents in your system (UMF_OUTPUT_RULE, UMF_OUTPUT_FORMAT, UMF_OUTPUT_PARAM table entries) note that Fix Pack 3 adds new entries to these tables in the RULE_ID 10000-30000 range. Any custom entries that you have created may conflict with these new entries, causing issues with the upgrade. Contact IBM Support prior to initiating this upgrade to Fix Pack 3. UMF Output Documents cannot be created or deleted via the Configuration Console, but may be viewed via: Setup > UMF > Output Documents. If you have added new DQM Rules without using the Configuration Console, your custom DQM Rules may also conflict with new rules being added in this release. Your DQM Rules should be numbered 1000000 or higher to avoid conflicts. Check the DQM_RULE.RULE_ID column to check for any new rules that you have added. If you have potentially conflicting rules, contact IBM Support prior to initiating this upgrade to Fix Pack 3.
Database schema changes Upgrading to Fix Pack 3 will modify existing views. No tables or columns are deprecated with this upgrade. Back up your modified view and tables to prevent loss if you are upgrading to Version 8.1 in preparation for installing Fix Pack 3. See related information in the information center (or PDF version) under Installing and upgrading > Upgrading the product > Upgrade items > Customized views overwritten or deleted during upgrade.
10 Schema changes when installing from Version 8.1 to Fix Pack 3 Installing Fix Pack 3 overwrites the product views from version 8.1. If you have modified any of the listed views, back up your changes to prevent them from being lost.
Fix Pack 3 modifies or adds the following views from the original version 8.1 base:
Changed columns from decimal to integer
MATCH_MERGE_ATTR.CONF_WEIGHT MATCH_MERGE_ATTR.DENIAL_WEIGHT MATCH_MERGE_CONF.SCORE_WEIGHT MATCH_MERGE_RULES.LIKE_CONF MATCH_MERGE_RULES.REL_CONF MATCH_MERGE_RULES.LAS_SCORE MATCH_MERGE_RULES.LAS_GN_SCORE MATCH_MERGE_RULES.LAS_SN_SCORE CONFLICT_RULES.MIN_ALERT_THRESHOLD
Recreated index
IX_CONF_RL_ID_DESC
Column addition
ENTITY_TYPE.INCLUDE_SAME_TYPE_AS_CANDIDATE
Modified views
BEST_ENTITY_INFO CONFLICT_RPT SOA_ALERT_ENTITY_LIST VIS_RELATEDENTITIES VIS_MAA_ASGN_DET VIS_MAA_UNASGN_DET VIS_RELATIONSHIP_SUMMARY RESUME_CONFLICTS VIS_GEM_EVENT_ALERT_UNASGN_DET VIS_GEM_EVENT_ALERT_ASGN_DET VIS_GEM_EVENT_ALERT_DET COG_ROLE_ALERT_DETAIL COG_RESUME_CONFLICTS RPT_RE_UNION RPT_RESUME_RELS1_SUB RPT_RESUME_RELS2_SUB COG_RELATIONSHIP_SUMMARY COG_CONFLICT_PATHS VIS_INBOX_GET_RULE VIS_INBOX_ROLE_ALERT_RAW VIS_INBOX_ROLE_ALERT
11 COG_INBOX_ROLE_ALERT COG_ROLE_ALERT_DETAIL VIS_INBOX_ROLE_ALERT_RAW_ASGN VIS_INBOX_ROLE_ALERT_RAW_CLSD VIS_INBOX_ROLE_ALERT_ASGN VIEW VIS_INBOX_ROLE_ALERT_CLSD VIS_RA_UNASGN_SUM COG_RPT_RE_UNION COG_RELATED_ENTITIES SOA_RELATED_ENTITIES SOA_ENT_NTWRK_STATS SOA_ENTITY_SUMMARIES SOA_ALERT_ENTITY_LIST SOA_ROLE_ALRT_HDR_MULTI VIS_ENTITY_PROPERTIES VIS_DISTINCT_COUNTS COG_ENTITY_DISCLOSURES COG_DISCLOSURES_NAMES VIS_CONFLICT_DESC SOA_ER_RESULT_HEADER VIS_ENTITY_CONFLICTS VIS_CONFLICT_LOG SOA_ROLE_ALRT_HDR_ENT SOA_CONFLICT_RULE
New views
SEP_RELATIONS_VALID VIS_INBOX_ROLE_ALERT_RAW_FLTD VIS_INBOX_ROLE_ALERT_FLTD SOA_ROLE_ALERT_SUMMARY_UNASGN SOA_ROLE_ALERT_SUMMARY_ASGN SOA_ROLE_ALERT_SUMMARY_CLSD SOA_ROLE_ALERT_SUMMARY_FLTD SOA_ROLE_ALERT_SUMMARY SOA_DSRC_CODE SOA_SYSTEM_PARAMETERS SOA_CHARACTERISTIC_CONF SOA_RESOLUTION_CONFIG
Schema changes installing from Version 8.1 Fix Pack 2 to Fix Pack 3 Fix Pack 3 modifies or adds the following views from the original version 8.1 base:
Changed columns from decimal to integer
MATCH_MERGE_ATTR.CONF_WEIGHT MATCH_MERGE_ATTR.DENIAL_WEIGHT MATCH_MERGE_CONF.SCORE_WEIGHT MATCH_MERGE_RULES.LIKE_CONF MATCH_MERGE_RULES.REL_CONF
12 MATCH_MERGE_RULES.LAS_SCORE MATCH_MERGE_RULES.LAS_GN_SCORE MATCH_MERGE_RULES.LAS_SN_SCORE CONFLICT_RULES.MIN_ALERT_THRESHOLD
Recreated index
IX_CONF_RL_ID_DESC
Column addition
ENTITY_TYPE.INCLUDE_SAME_TYPE_AS_CANDIDATE
Modified views
VIS_CONFLICT_DESC VIEW VIS_INBOX_ROLE_ALERT VIEW VIS_INBOX_ROLE_ALERT_ASGN VIEW VIS_INBOX_ROLE_ALERT_CLSD CONFLICT_RPT SOA_ER_RESULT_HEADER COG_CONFLICT_PATHS VIS_ENTITY_CONFLICTS VIS_CONFLICT_LOG RESUME_CONFLICTS COG_RESUME_CONFLICTS SOA_ROLE_ALRT_HDR_MULTI SOA_ROLE_ALRT_HDR_ENT SOA_CONFLICT_RULE
New views
VIS_INBOX_ROLE_ALERT_RAW_FLTD VIS_INBOX_ROLE_ALERT_FLTD SOA_ROLE_ALERT_SUMMARY_UNASGN SOA_ROLE_ALERT_SUMMARY_ASGN SOA_ROLE_ALERT_SUMMARY_CLSD SOA_ROLE_ALERT_SUMMARY_FLTD SOA_ROLE_ALERT_SUMMARY SOA_DSRC_CODE SOA_SYSTEM_PARAMETERS SOA_RESOLUTION_CONFIG SOA_CHARACTERISTIC_CONF
Starting the Fix Pack 3 installation program Complete the following steps to start the product installation program for install Fix Pack 3. On Microsoft Windows:
13 You must copy the product installation file to a local drive. The product installation program will not run from either the installation media or from a network drive.
On AIX and Linux: To enable the License-print function within the Installer running in GUI mode, you need to define your printer within the X-windows subsystem that you are running on the client machine. To enable the License-print function within the Installer running in command line mode, you need to set up a default print-queue and printer on the machine you are installing on.
1. Obtain the IBM InfoSphere Identity Insight product software download package.
2. Do one of the following steps: a. On Microsoft Windows: If obtaining a .tar file, unzip the file to temporary directory on a local drive of the target installation machine. Note: On Microsoft Windows, you must copy the product installation file to a local drive. The product installation program will not run from either the installation media or from a network drive. Ensure that the .tar file is unzipped with the directory structure intact. b. On AIX and Linux: If obtaining a .tar file, unzip the file to temporary directory on a local drive of the target installation machine. Note: Ensure that the .tar file is unzipped with the directory structure intact. Ensure that the product installation file's parent directory structure of \Disk1\InstData\VM\ is retained if you copy the installation file to another location.
3. Navigate to the /platform/Install/Disk1/InstData/VM/ directory, and run the installer program. a. To run the installer in GUI mode, double-click or launch the installer program. b. To run the installer in command line mode, from the command line, append -i console when executing the installer program. For example: prompt> ISII_81_FP3_aix_ppc.bin -i console
Operating System platform Installer file Microsoft Windows Server x86_64 ISII_81_FP3_win_x64.exe IBM AIX ISII_81_FP3_aix_ppc.bin Linux x86 ISII_81_FP3_linux_x86.bin Linux x86_64 ISII_81_FP3_linux_x64.bin 64-bit Linux on System z ISII_81_FP3_linux_s390x.bin
4. On the License Agreement - Software License Agreement panel, review the license agreement and select the Agree to Continue button.
14 5. Follow the instructions on the installation program wizard or the command line.
Completing Fix Pack 3 installation Complete the following installation program panels to install Fix Pack 3. . 1 On the Introduction panel, review the screen. . 2 On the License Agreement - Software License Agreement panel, review the license agreement and select the Agree to Continue button. . 3 On the Destination - Choose Install Folder panel, type or browse to the directory (fully qualified path) where IBM InfoSphere Identity Insight is installed.
Note: If browsing to an installation directory, you must click the Browse button, then browse to the directory one level above the install directory (create the new directory if needed). Then select the install directory and click the Open button. . 4 On the Product Features panel you will see the enhancement included in this fix pack. . 5 On the Database Information panel, review the installed database information on the screen. It should be pre-filled. Validate to ensure you are updating the right database. Note the database information. You will need it for a database update task after the product upgrade and installation is complete. . 6 On the Database Update panel select one of three options:
◦ Create tables automatically ◦ Generate SQL statements ◦ Skip database population
If you choose to Generate SQL statements to run them manually, they will be saved in
If you choose the Skip option, you must run SUIT to upgrade your database after the installation or upgrade is complete. See Updating the database with SUIT on page 17. . 7 On the Pre-Installation Summary panel, review the summary. Click the Previous button if any changes are needed. Then click the Install button to start the product upgrade. . 8 After installation completes: If you have enabled SOA security, you must re-encrypt the passwords in the srd-home/easws directory using the wspwd utility and the -p option. You must do this to allow users to log in. FP3 changes the encryption algorithm from the less secure MD5 to the more secure SHA-1. This requires administrator authority. Detailed steps : ) a Navigate to the
15 ) b Run wspswd with the -p option with no arguments: ) c ./wspswd -p ( for AIX/Linux ) ) d ./wspswd -p ( for Windows ) ) e The tool displays a prompt asking to confirm the resetting of passwords. Enter 'Y' to continue. ) f The new passwords for each user will be displayed to the screen. ) g Restart WebSphere for the changes to take effect.
Below is an example output:
jqsmith@lnxqa11:~/ISII_FP/srd-home/easws$ ./wspwd -p
This will reset all passwords to new generated values, and display those values on the console. Do you want to proceed [Y/N]? Y User: admin Generated Password: U3GOuY6i5P075u7KZa53
User: john Generated Password: jOJB6rg5mcEOvpVQTyHZ
Verifying Fix Pack 3 installation Verify that you have successfully upgraded to Fix Pack 3: 1. Verify that the pipeline has been updated. Run the pipeline command without options and confirm that the output shows: ** pipeline v8.1.0.184
2. Verify that Web services have been updated. Open a Web browser and enter the URL for your installation: http://w2k8qa1.svl.ibm.com:17110/easws/api/soap (example). You should see the following: 8.1.0.184 - 20130227_2134 ------RESOURCE_SUBDIRECTORY = soap WRAPPED_DOCUMENT_LITERAL = true SERVICE_NAME = EntityResolver
16 Launching Basic Console After you have verified that you have successfully installed a version of the product that includes Basic Console, you can launch it in one of the supported browsers. Make sure that the pipeline has been started before using Basic Console. Basic Console reads data through SOA calls to the pipeline.
Procedure 1. Open a browser and enter a URL as follows:
http://localhost:13510/basicconsole localhost is the fully qualified host name where the IBM Identity Insight and its embedded WebSphere Application Server are installed. 13510 is the default port number.
The login screen should be displayed. 2. Enter your login information and click Enter. The Basic Console interface should display. Note: Basic Console uses the same user and login authorization as Configuration Console. Fix Pack 3 introduces security changes that require you to re-encrypt passwords. See the related installation steps above. There is a known minor issue with the display of the Basic Console interface when using IE 8. It should not affect function or performance. IE 9 and 10 and Firefox browsers do not have this issue.
Updating the database with SUIT You must update the database that you are using with IBM Identity Insight after the product is installed or upgraded if you chose to skip the database population on the Database Update panel (recommended above). Use the Schema Upgrade and Installation Tool (SUIT) to update the database. You must update the following: • RELRES.NO_HIST • EAS-Console • CMEAdmin
You can use SUIT to make changes directly to the database with the -auto option, or create a sql file that you can examine before running against the database. 1. Update the database that you are using with Identity Insight with the SUIT .
Database Example Notes Informix suit -t informix -s dbHost -d Automatically upgrade dbName -u jdoe -n ol_informix RELRES.NO_HIST on RELRES.NO_HIST upgrade -auto IBM Informix host dbHost (default port 9088), database name
17 Database Example Notes dbName, server name 1_informix, user ID 'jdoe'. Will prompt for password. DB2 suit -t db2 -s dbHost -o 50000 -u Print SQL to upgrade db2inst1 -d dbInstance RELRES.NO_HIST on RELRES.NO_HIST upgrade DB2 host dbHost, port 50000, instance dbInstance, user ID 'db2inst1'. Will prompt for password. Oracle suit -t oracle -s dbHost -u frank -d Print SQL to install dbInstance RELRES.NO_HIST install RELRES.NO_HIST on Oracle host dbHost, instance dbInstance, user ID 'frank'. Will prompt for password. SQL Server suit -t mssql2008 -s dbHost -d Automatically upgrade dbName -u jdoe RELRES.NO_HIST RELRES.NO_HIST on upgrade -auto SQL Server 2008 host dbHost (default port 1433), database name dbName, user ID 'jdoe'. Will prompt for password.
See SUIT: Schema Upgrade and Installation Tool version 8.1.0.0 at the end of this document for a list of SUIT commands and options.
Known issues and changes when using the product Be aware of the following considerations and known issues related to using the product: Match/Merge processing and From/Thru dates If you have a specific requirement for From/Thru dates to be taken into account during Match/Merge processing, you should explicitly set the DATERANGETHRESHOLD value to '0' in the Console as part of this FP1 upgrade. This ensures that From/Thru dates continue to be honored. Note that setting this to '0' is not the recommended value. Please contact IBM Support for further information and guidance.
If you have previously set [MM] DATERANGETHRESHOLD = -1 in your configuration, your system will now correctly ignore the From/Thru dates during Match/Merge processing. Do not specify ODBC Isolation level=1 (uncommitted Read) on any ODBC client
18 Do not specify ODBC Isolation level=1 (uncommitted Read) on any ODBC client. This is particularly true when using a multi-threaded pipeline, or multiple pipelines. Doing so can cause data corruption or unexpected pipeline shutdown. Example pipeline output:
08/07 14:49:38 [pipeline:503380304] CRIT: CRITICAL ERROR: 08/07 14:49:38 [pipeline:503380304] CRIT: { 08/07 14:49:38 [pipeline:503380304] CRIT: Requested resolve config for an invalid entity type: 0 08/07 14:49:38 [pipeline:503380304] CRIT: Check logs or UMF_EXCEPT table for more information. 08/07 14:49:38 [pipeline:503380304] CRIT: }
MERGE_ID and NUM_MERGED tags not used or required The
ILOG graph generates error for custom number types The Attribute Alert section of the ILOG graphing tool can generate an error when displaying an entity that contains custom number type.
If new Number-Types or Attribute-Types are added to the system via the Configuration Console, you must restart the pipelines and the "Graph server" within eWAS (or the entire eWAS) before the iLOG Graph can display these new types correctly.
Viewing ILOG graphs Do not to use the browser back arrow when viewing ILOG graphs.
It’s possible to get an unresponsive script when viewing graphs in Firefox or other browsers. Click the "Don't show message" check box and the "Continue running script" option to prevent subsequent messages and issues when loading graphs in the browser. MATCH_ID column on the SEP_CONFLICT_REL table The MATCH_ID column on the SEP_CONFLICT_REL table is currently defined as a NUMBER (10). This can artificially limit the size of values that can be stored in this table and cause SQL insert failures and pipeline shutdown with large data volumes. To allow larger Match-ID numbers to be stored, this column-type for the MATCH_ID column can be safely altered to be: "max" precision / BIGINT.
Handling names that include single-name aliases (Main Name 'a/k/a' Alias Name) To handle names that include single-name aliases (Main Name 'a/k/a' Alias Name) do the following: 1. The ' Main Name' can be processed using the standard 'M'
19
The alias name is passed in via the
This approach enables the alias name to be encoded in a way that maximizes the possibility of name-matching. This is particularly useful if the alias is a single-token name. Configuration utility (eacfg) known behavior In the AIX environment when running the configuration utility (eacfg) with LOCALE set to 'en_UTF8' , it is possible that a secondary window will appear that steals focus from the main window. It does not affect the operation of the tool and can be worked around by temporarily setting $LOCALE='C' prior to launching the tool.
ILOG and Web services performance improvements Fix Pack 3 includes changes to ILOG and Web services (SOAP) functions in order to improve performance, including: Resource intensive SOA function calls for graphs are diffused All "multi" calls to SOA functions made by graphs are now diffused or "chunked" in order to avoid overwhelming the pipeline and SOA server with one massive, memory-consuming request. The default is ten entity ID's at a time. Server-side prefetching is limited to the graph in the browser When the user moves off a graph in the browser, any ongoing server-side prefetching for that graph is stopped and server-side memory for that graph is "de-referenced" or removed from user's session. Locking granularity has been fine-tuned Locking granularity has been fine-tuned to allow for better interleaving between server-side thread handling user commands from browser and the server-side prefetching thread. Five new graph server initialization parameters have been added Server administrators can set additional graph server initialization parameters in the graph.properties file to improve performance. These are described in more detail below.
Graph server initialization parameters Server administrators can set graph server initialization parameters in the graph.properties file to improve performance. These parameters are: getEntityDetailMultiple_chunkSize=nn 10 is the default. 1 is the minimum. getEntityDetailMultiple_usePreFetching=true/false True is the default and is recommended. getEntityRelationshipsMultiple_chunksize=nn 10 is the default. 1 is the minimum.
20 getEntityRelationshipsMultiple_usePreFetching=true/false True is the default and is recommended. getEntityRelationshipsMultiple_limit=nnnnn 10000 is the default. 1 is the minimum.
To set these parameters: 1. Open the graph.properties file, located in the srd-home/graphs. 2. Look for and edit the line that contains the one of the above parameters. 3. Save the file. 4. Restart the graph server. Changes will not take effect until the graph server is restarted. These parameters affect all of the graphs for the duration of the server configuration. The default value is used for any absent or unspecified parameters. It is helpful to understand the sequence of SOA calls that are made when a user browses a graph and how that sequence and the graph properties parameters affect performance. When a user browses to a graph, the following six SOA calls are made (among others) in sequential order: 1. getEntityDetail (entity of focus - 1 entity ID) 2. getDirectEntityRelationships (entity of focus - 1 entity ID) 3. getEntityDetailMultiple (all 1-degree entities) 4. getDirectEntityRelationshipsMultiple (all 1-degree entities) The graph is displayed in the browser at this point. The next two calls are for pre-fetching data into graph serve. 5. getEntityDetailMultiple (all 2-degree entities) 6. getDirectEntityRelationshipsMultiple (all 2-degree entities) chunkSize parameters The purpose of getEntityDetailMultiple_chunkSize and getDirectEntityRelationshipsMultiple_chunkSize is to avoid consuming large amounts of SOA server memory and pipeline memory in a single SOA call. The larger the values used for those two parameters, the fewer total SOA calls will be made to the pipeline, and the faster the total amount of data for the graph will be retrieved. With larger chunk sizes each SOA call will require more memory. This is a typical "time versus space" trade-off. For example, the parameter getEntityDetailMultiple_chunkSize affects SOA calls in step 3 and step 5 above. If there are 150 entities in a given level of the graph, then instead of making a single call togetEntityDetailMultiple for all 150 entities at once, the graph server will instead make ceiling (150 / getEntityDetailMultiple_chunkSize) calls, each call requesting ceiling (getEntityDetailMultiple_chunkSize) number of entities. The total of all these multiple calls is somewhat slower, but also less memory intensive. This parameter can be adjusted based on your data and hardware to obtain the an optimal balance. This is also true for getDirectEntityRelationshipsMultiple_chunkSize.
21 PreFetching parameters The purpose of getEntityDetailMultiple_usePreFetching and getDirectEntityRelationshipsMultiple_usePreFetching is to throttle back or turn off prefetching. To stop all prefetching, set both of those flags to false. To have some but not all prefetching, set either of those flags to true. In general, getDirectEntityRelationshipsMultiple (steps 4 and 6 above) takes longer than getEntityDetailMultiple, you can control prefetching as follows:
Prefetching "mostly on" Set getEntityDetailMultiple_usePreFetching=false with getDirectEntityRelationshipsMultiple_usePreFetching=true.
Prefetching "mostly off" Set getEntityDetailMultiple_usePreFetching=true and getDirectEntityRelationshipsMultiple_usePreFetching=false.
Parameter getDirectEntityRelationshipsMultiple_limit This parameter should be used cautiously. It puts an absolute ceiling on the number of input entity ID's that may be accepted by a call to getDirectEntityRelationshipsMultiple(). For example, if a single call to getDirectEntityRelationshipsMultiple()is supplied 150 input entities, then a value of getDirectEntityRelationshipsMultiple_limit=50 would mean that the final 100 of those input entities will not have any relationships returned for them. The first 50 input entities will receive all of their relationships. Unfortunately, that subtly changes the meaning of a blue rectangle in the graph. Before this parameter was introduced, a blue rectangle represented the number of relationships and entities not currently on graph for a given node. With the introduction of this parameter, that blue rectangle represents only the number of relationships not on the graph for that node - some or all of the other "remaining" related entities may actually be on the graph.
Note: A second way that prefetching for an individual graph can be turned off is if any call to getDirectEntityRelationshipsMultiple() is supplied more than the limit specified in getDirectEntityRelationshipsMultiple_limit in the input array. This becomes a signal that the current graph is "large" and no more prefetching is done for that graph.
Known behaviors: getDirectEntityRelationshipsMultiple() and getDirectEntityRelationships() return null in both the following scenarios: • Entity exists but has no relationships. • Entity does not exist.
To see the latest information about known problems and issues Known problems are documented in the form of individual technotes in the Support portal. (http://www.ibm.com/support/entry/portal/Software/Information_Management/InfoSphere_Identity_Ins ight)
22 1. Use the Search Support feature and in the Enter terms, error code or APAR # field, enter a keyword, phrase, error code, or APAR number to search on. 2. Select Solve a problem. 3. Click Search. As problems are discovered and resolved, the IBM Support team updates the Support portal. By searching the Support portal, you can quickly find solutions to problems. Check the Support portal for the most current information.
System requirements updates For the latest information about hardware and software compatibility, see the detailed system requirements document at: http://www.ibm.com/support/entry/portal/Software/Information_Management/InfoSphere_Identity_Insi ght.
Announcements You can search for the IBM InfoSphere Identity Insight Version 8.1 announcement at http://www.ibm.com/common/ssi/OIX.wss. See the announcement for the following information: • Detailed product description, including a description of new functions • Product-positioning statement • Packaging and ordering details • International compatibility information
SUIT: Schema Upgrade and Installation Tool version 8.1.0.0 SUIT is a Schema Upgrade and Installation Tool that comes with IBM Identity Insight. When installing to an Informix database, the Schema Upgrade and Installation Tool (SUIT) must be run with the following command line parameter: -mbi 1. This disables statement "batching" and is required for version 11.50 and 11.70. If this is not done, the SUIT operation will fail with the error "maximum statement length exceeded" and abort. SUIT is used to update the schemas for other databases as part of the installation program and is located in II installer\suit\sql. suit [-t
23 db2: IBM DB2 (Default on AIX) informix: IBM Informix
Supported encodings include UTF-8, UTF-16, UTF-16LE, UTF-16BE, ISO-8859-1 (ISO Latin-1), cp1252 (Windows Latin-1). Other encodings may be supported by your Java environment, see: http://www.iana.org/assignments/character-sets
24 Prints the SQL for upgrading the schema for this product to the current version from the specified version. Using -auto will automatically upgrade the schema (not recommended for most systems). verify [-v] Examines the current schema against the master schema, and prints information about any missing objects. Specifying -v will cause information about extra objects to be generated as well.
Copyright IBM Corporation 2003, 2014. All Rights Reserved. IBM and the IBM logo are registered trademarks of International Business Machines Corporation in the United States, other countries, or both.
25