IBM Security Access Manager, Version 8.0, Appliance Standard Operating Procedures Version 1.2
IBM Security Systems
Access Management
July, 2014

Author: Martin Schmidt

Note: Before using this information and the product it supports, read the information in "Notices."

Edition notice
This edition applies to version 8.0 of IBM Security Access Manager and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2014.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Table of Contents

1 Introduction
   1.1 Resources
2 Accessing the appliance and committing changes
   2.1 Local management interface
   2.2 Command line interface
   2.3 REST APIs
3 Backup Strategy
   3.1 Backing up the virtual appliance
   3.2 Appliance snapshots (Suggested)
   3.3 Importing snapshots
      3.3.1 Network Timeouts
      3.3.2 Uploading the snap file
   3.4 Exporting and importing a security policy
      3.4.1 Importing ACLs
      3.4.2 Importing objects
   3.5 Backup Integration Example
      3.5.1 Overview
      3.5.2 PowerShell script
      3.5.3 Simplified bash and curl script
4 Monitoring
   4.1 Notifications
   4.2 Monitoring the appliance
   4.3 Monitoring instances
   4.4 Messages Catalog
5 Performance & Health
   5.1 Checking the state of the policy server (MGR)
   5.2 Checking the state of WebSEAL instances
6 Troubleshooting
   6.1 Support Files
   6.2 Networking
      6.2.1 Using the command line interface
7 Networking
   7.1 Managing the M.1 and M.2 interfaces
   7.2 Managing the P.1-P.4 application interfaces
   7.3 Managing network traffic routing
   7.4 Hosts File
8 Certificate Maintenance
9 Appendix: Useful REST services

1 Introduction

This document is a collection of Standard Operating Procedures (SOP) for the IBM Security Access Manager, Version 8.0, appliance.
It documents common tasks and practices for the daily operations and maintenance of a deployment. It shows the tasks performed using the local management interface, command line interface, and REST API whenever possible. It does not cover deployment or migration.

1.1 Resources

The following resources are available for managing the appliance:

• Security Access Manager for Web product documentation on the IBM Knowledge Center at http://www01.ibm.com/support/knowledgecenter/SSPREK/welcome
• Security Access Manager for Mobile product documentation on the IBM Knowledge Center at http://www01.ibm.com/support/knowledgecenter/SSELE6/welcome
• Videos created by the IBM Security Systems Support team at http://www.youtube.com/playlist?list=PL5VchNLXhuu-wEte77Cb7zBO-8419_tqK

2 Accessing the appliance and committing changes

You can access the appliance through three basic methods. The appliance uses a modify and commit change model, which means that changes are not effective until they are committed. The local management interface provides a visual reminder of this fact; the command line interface and REST API do not, so they require due diligence.

2.1 Local management interface

You can access the local management interface with any web browser in either non-secure (HTTP) or secure (HTTPS) mode. The local management interface requires basic authentication. The following illustration shows the login screen. The login ID is admin, and the default password is admin.

The following illustration shows the notification panel for a pending change. This one shows the change deploy panel.

2.2 Command line interface

The command line interface is available over the ssh port and protocol. Use any ssh client to connect to the management interface. You authenticate with the admin user. Even though you use ssh to connect to the appliance, the interface is not a Unix-style shell. Type help to see the list of available commands.

2.3 REST APIs

You can call the REST APIs with various tools, which include cURL, Directory Integrator, Microsoft® Windows® PowerShell™, and others. This document uses the Firefox™ REST Client plugin or other tools as appropriate. You can find REST API documentation on the appliance under Help.

Remember to always set the appropriate header for making a call. The following illustration shows how to use the REST client to list any pending changes.

3 Backup Strategy

Perform backups either on a regular schedule or based on changes in the environment. The appliance creates snapshots, which you can use as part of the change management and backup processes.

3.1 Backing up the virtual appliance

You can back up the virtual appliance at the virtualization level (ovf export). This level of backup is a full backup of the appliance with all settings. Make backups at this level before making any major changes in the environment. You must stop and shut down the appliance before an ovf export.

Note: The ovf export is not a VMware snapshot; snapshots are not supported due to the clustering. See http://www01.ibm.com/support/knowledgecenter/SSPREK_8.0.0.2/com.ibm.amweb.doc_8.0.0.2/admin/concept/con_cluster_backup.html?lang=en

3.2 Appliance snapshots (Suggested)

The appliance provides an internal snapshot mechanism, which creates backups of configurations and restores them as needed. See http://www01.ibm.com/support/knowledgecenter/SSPREK_8.0.0.2/com.ibm.amweb.doc_8.0.0.2/admin/task/alps_managing_snapshots.html?lang=en

Snapshots are compressed files that are stored on the system. You can download and then open them with any zip compliant utility, such as WinRAR. Store only a small number of snapshots on the system. Copy them regularly to a safe location and delete them on the appliance.

Follow these steps:

1. Select Manage -> System Settings -> Snapshots.
2. Select New and enter a comment.
3. Select the snapshot and perform the required tasks to download, delete, apply, or edit.
4. Use the following REST APIs to automate this process.

• Create Snapshot
• List Snapshots
  Note: The ID field is required for download.
• Download snapshot
• Delete Snapshot

3.3 Importing snapshots

When you have large snapshot files, perform the import process with care to accommodate network timeouts and snapshot processing.

3.3.1 Network Timeouts

Large snapshot processing can take longer than the specified network timeout. To prevent timeouts, either disable or set a high network timeout on your browser. Use the following steps to set the timeout in Firefox:

1. Open Firefox and navigate to about:config in the browser bar.
2. Enter a filter of network.http.response.timeout.
3. Set this value to either 0 (no timeout) or a large number of seconds.

3.3.2 Uploading the snap file

When selecting and uploading the snap file with Browse, you MUST WAIT until Comment is populated. After Comment is populated, select Save Configuration. Wait on this page until the file shows up in the list.

Note: There is no indicator that processing is taking place. Watch the spinner in the status bar.

3.4 Exporting and importing a security policy

Use the Web Portal Manager interface to export and import parts of the security policy to XML. You can create backups of the policy used on a resource and documentation, or you can migrate the policy to another environment.

3.4.1 Importing ACLs

1. Select Secure Web Settings -> Manage -> Policy Administration.
2. Log in with the sec_master password.
3. Select ACL -> Export All ACLs.
4. Do not enter an encryption string.
5. Select Export and save the file.
6. Select Import ACL to load a file.

3.4.2 Importing objects

1. Select Object Space -> Browse Object Space.
2. Navigate to the object you want to export and select it.
3. Select Export.
4. Mark Export Object including Children.
5. Do not enter an encryption string.
6. Save the file.
7. Use Import Object to load the file.

3.5 Backup Integration Example

When the backup infrastructure does not directly support the invocation of REST API calls, collect the snapshots on a shared drive on a Windows or Unix system and then regularly back up this drive*. The script shown below creates email alerts if any part of the operation fails. You can schedule the script on a regular basis to create and collect the snapshots.

3.5.1 Overview

The following diagram shows the architecture implementing this solution. A Windows-based server is used to collect the snapshot file from the appliances. The file is stored on a network drive. The files stored on the network drive are backed up using the existing backup solution. If any error is encountered during the process, an email is sent to the administrators.

3.5.2 PowerShell script

You can use the following PowerShell script on the Windows server to download the snap file as shown above.

    ##########################################################################
    #
    # A script to create appliance snapshots.
    # The script will create a snapshot, download it, and remove the
    # oldest snapshot on the appliance.
    # If there is an error, an email notification is sent.
    #
    ##########################################################################

    #-------------------------------------------------------------------------
    # Create directory date string
    Function getDateString() {
        $a = Get-Date
        $d = ""
        [string]$d = "{0:D4}" -f ($a.Year) + "{0:D2}" -f ($a.Month) + "{0:D2}" -f ($a.Day)
        return $d
    }

    #-------------------------------------------------------------------------
    # Send notification email.
    Function alertMail ($body) {
        $to = "[email protected]"
        $from = "[email protected]"
        $srv = "smtp.ibm.com"
        $sub = "Automated message: SAM Snapshot Alert"
        Send-MailMessage -To $to -From $from -Subject $sub -SmtpServer $srv -Body $body
    }

    #-------------------------------------------------------------------------
    # Create the basic auth header entry.
    Function createAuth($name,$pwd) {
        $authInfo = ("{0}:{1}" -f $name,$pwd)
        $authInfo = [System.Text.Encoding]::UTF8.GetBytes($authInfo)
        $authInfo = [System.Convert]::ToBase64String($authInfo)
        return "Basic {0}" -f $authInfo
    }

    #-------------------------------------------------------------------------
    # List the snapshots on the appliance (GET /snapshots).
    Function getSnapshots ($name,$pwd,$target) {
        $auth = createAuth $name $pwd
        $headers = @{Accept=("application/json");"ContentType"=("application/json");Authorization=$auth}
        $uri = "https://"+$target+"/snapshots"
        # Accept any server certificate: this turns off TLS certificate validation for the session.
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
        $web = New-Object System.Net.WebClient;
        $web.Headers.add("Accept","application/json");
        $web.Headers.add("Content-Type","application/json");
        $web.Headers.add("Authorization",$auth);
        $res = $web.DownloadString($uri);
        $res = $res | ConvertFrom-Json
        return $res
    }

    #-------------------------------------------------------------------------
    # Create a snapshot with the given comment (POST /snapshots).
    Function createSnapshot ($name,$pwd,$target,$desc) {
        $auth = createAuth $name $pwd
        $headers = @{Accept=("application/json");"ContentType"=("application/json");Authorization=$auth}
        $body = '{"comment":"'+ $desc + '"}';
        $uri = "https://"+$target+"/snapshots"
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
        $res = Invoke-WebRequest -Uri $uri -headers $headers -Method POST -Body $body
        return $res
    }

    #-------------------------------------------------------------------------
    # Download the snapshot with the given ID to the file $fn.
    Function downloadSnapshot ($name,$pwd,$target,$id,$fn) {
        $auth = createAuth $name $pwd
        $headers = @{Accept=("application/json");"ContentType"=("application/json");Authorization=$auth}
        $uri = "https://"+$target+"/snapshots/download?record_ids="+$id
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
        $web = New-Object System.Net.WebClient;
        $web.Headers.add("Accept","application/json");
        $web.Headers.add("Content-Type","application/json");
        $web.Headers.add("Authorization",$auth);
        # Echo the target file name and the URI.
        $fn
        $uri
        $res = $web.DownloadFile($uri,$fn);
        return $res
    }

    #-------------------------------------------------------------------------
    # Delete the snapshot with the given ID (DELETE /snapshots/<id>).
    Function deleteSnapshot ($name,$pwd,$target,$id) {
        $auth = createAuth $name $pwd
        $headers = @{Accept=("application/json");"ContentType"=("application/json");Authorization=$auth}
        $uri = "https://"+$target+"/snapshots/"+$id
        # Accept any server certificate: this turns off TLS certificate validation for the session.
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
        $res = Invoke-WebRequest -Uri $uri -headers $headers -Method DELETE
        return $res
    }

    # Return the ID of the last entry in the snapshot list.
    Function getLastSnapshotID($name,$pwd,$target) {
        $sl = getSnapshots $name $pwd $target
        return $sl[$sl.Count-1].id
    }

    # Return the ID of the first entry in the snapshot list.
    Function getFirstSnapshotID($name,$pwd,$target) {
        $sl = getSnapshots $name $pwd $target
        return $sl[0].id
    }

    #
    # This function does the work for creating a snapshot and downloading it.
    Function performSnapshot($name,$pwd,$target,$root) {
        try {
            # create the snapshot on the appliance
            $snap = createSnapshot $name $pwd $target "Created by backup script"
            # Get the snapshot ID (always the first one)
            $bid = getFirstSnapshotID $name $pwd $target
            # Build the target file name and directory
            $d = getDateString
            $dest = $root +"/" + $d + "/"
            $a = md -Force $dest
            $dest = $root +"/" + $d + "/" + $target + ".zip"
            # Download the snapshot
            downloadSnapshot $name $pwd $target $bid "$dest"
            # Get the last (oldest) snapshot ID
            $lastid = getLastSnapshotID $name $pwd $target
            # Delete the snapshot on the target.
            deleteSnapshot $name $pwd $target $lastid
        } catch {
            # Send an email alert if there is an error.
            alertMail $Error
        }
    }

    # Clear any existing Errors.
    $Error.Clear();
    # Duplicate the below line for any additional appliances.
    # performSnapshot <adminid> <adminpwd> <appliance> <target Directory>
    performSnapshot admin admin appliance1.ibm.com c:/temp

3.5.3 Simplified bash and curl script

The following script is a simplified version of the PowerShell script for AIX. It uses cURL and bash.

    #!/usr/bin/bash
    # -x
    #
    # Bash script that uses curl to back up an ISAM appliance.
    #
    #
    # A script to create appliance snapshots.
    # The script will create a snapshot, download it, and remove it
    # from the appliance.
    #
    #-------------------------------------------------------------------------
    # The root directory for the backups.
    TODAY=`date +%Y%m%d`
    BACKDIR="/BACKUP/DEV/${TODAY}/"
    DOMAIN=".ibm.com"
    #-------------------------------------------------------------------------
    # List the snapshots. $1 = user:password, $2 = appliance host name.
    function getSnapshots {
        curl -H "Accept:application/json" --user "$1" "https://$2/snapshots" 2>>/dev/null
    }
    #-------------------------------------------------------------------------
    # Split the JSON on commas and take the last "id" value.
    function getLastSnapshotID {
        sl=`getSnapshots $1 $2`
        echo $sl | tr ',' '\n' | grep "\"id\":" | tail -1 | sed 's/.*":"//' | sed 's/"//'
    }
    #-------------------------------------------------------------------------
    # Split the JSON on commas and take the first "id" value.
    function getFirstSnapshotID {
        sl=`getSnapshots $1 $2`
        echo $sl | tr ',' '\n' | grep "\"id\":" | head -1 | sed 's/.*":"//' | sed 's/"//'
    }
    #-------------------------------------------------------------------------
    # Create a snapshot. $3 = comment.
    function createSnapshot {
        data="{\"comment\":\"$3\"}"
        curl -H "Accept:application/json" -d "$data" --user "$1" "https://$2/snapshots" 2>>/dev/null
    }
    #-------------------------------------------------------------------------
    # Create a snapshot and print the ID returned by the appliance.
    function createGetSnapshot {
        r=`createSnapshot $1 $2 "$3"`
        echo $r | tr ',' '\n' | grep "\"id\":" | sed 's/.*":"//' | sed 's/"//'
    }
    #-------------------------------------------------------------------------
    # Download snapshot $3 to the file $4.
    function downloadSnapshot {
        curl -H "Accept:application/json" --user "$1" "https://$2/snapshots/download?record_ids=$3" > "$4" 2>>/dev/null
    }
    #-------------------------------------------------------------------------
    # Delete snapshot $3 on the appliance.
    function deleteSnapshot {
        curl -H "Accept:application/json" -X DELETE --user "$1" "https://$2/snapshots/$3" 2>>/dev/null
    }
    #=========================================================================
    # Create, download, and delete one snapshot. $1 = user:password, $2 = short host name.
    function takeShot {
        sid=`createGetSnapshot $1 "$2${DOMAIN}" "Created by backup script"`
        if [ -z "$sid" ]; then
            echo "ERROR Trying to backup $2"
            echo "ERROR Trying to backup $2" | mail -s "Backup Error" [email protected]
        else
            downloadSnapshot $1 "$2${DOMAIN}" $sid "${BACKDIR}${2}.zip"
            # Call directly and discard the response; wrapped in backticks, curl's output would be run as a command.
            deleteSnapshot $1 "$2${DOMAIN}" $sid >/dev/null
        fi
    }
    #=========================================================================
    # Main program.
    R=`mkdir -p ${BACKDIR}`
    takeShot 'admin:admin' appmgr01
    takeShot 'admin:admin' appweb01
    exit 0

4 Monitoring

You can monitor the appliance for system alerts with the methods documented at http://www01.ibm.com/support/knowledgecenter/SSPREK_8.0.0.2/com.ibm.amweb.doc_8.0.0.2/admin/task/alps_configuring_system_alerts.html?lang=en

You can also use third-party monitoring tools for REST API queries to obtain the system's state information and perform actions based on predefined criteria.

4.1 Notifications

The notifications panel in the Home Dashboard provides a quick view of the appliance's health. It includes:

• Certificates that are due to expire.
• Reverse proxy instances that are not currently running.
• Notices that:
   o The disk space utilization exceeded the warning threshold.
   o The database size reached the warning threshold, which is 80% capacity.
   o The CPU utilization exceeded the warning threshold.

You can configure the following thresholds from Manage Systems Settings -> System Settings -> Advanced Tuning Parameters. The following list shows the defaults:

• sys.notifications.disk.usage_warning_percentage = 80
• sys.notifications.disk.usage_alert_percentage = 90
• sys.notifications.cpu.usage_warning_percentage = 80
• sys.notifications.cpu.usage_alert_percentage = 90
• sys.notifications.cert.expiration_date_warning_days = 30
• sys.notifications.cert.expiration_date_alert_days = 14
• sys.notifications.hvdb.usage_warning_percentage = 80
• sys.notifications.hvdb.usage_alert_percentage = 90

In the following example, the value was set to 2 to show the resulting message:

The following illustration shows the resulting notifications with the instances stopped.
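
The thresholds above can also be mirrored in an external monitor. The following script is an added example, not part of the IBM document: it parses the parameter list and classifies disk, CPU, database and certificate readings. Assumptions: the comparison rules (strictly above the threshold for disk and CPU, at or above it for the database, days remaining at or below it for certificates), the one-reading-per-line input format, and all function names.

```shell
#!/bin/sh
# Added example (not from the IBM document): classify readings with the
# same warning/alert thresholds the appliance uses for its notifications.

# Defaults as listed above. If a value was changed under Advanced Tuning
# Parameters, change it here too so both sides agree.
THRESHOLDS='sys.notifications.disk.usage_warning_percentage = 80
sys.notifications.disk.usage_alert_percentage = 90
sys.notifications.cpu.usage_warning_percentage = 80
sys.notifications.cpu.usage_alert_percentage = 90
sys.notifications.cert.expiration_date_warning_days = 30
sys.notifications.cert.expiration_date_alert_days = 14
sys.notifications.hvdb.usage_warning_percentage = 80
sys.notifications.hvdb.usage_alert_percentage = 90'

# threshold AREA LEVEL: print the configured number ("disk" "alert" gives 90).
threshold() {
    printf '%s\n' "$THRESHOLDS" | awk -v area="$1" -v level="$2" '
        BEGIN { prefix = "sys.notifications." area "." }
        index($1, prefix) == 1 && $1 ~ ("_" level "_") && $2 == "=" {
            print $3
            exit
        }'
}

# is_uint VALUE: succeed only for a non-empty string of digits.
is_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# usage_state AREA PERCENT: print OK, WARNING, ALERT or UNKNOWN.
# Assumption: disk and cpu fire when the reading exceeds the threshold,
# hvdb when it reaches it (the wording used in the notification list).
usage_state() {
    u_warn=$(threshold "$1" warning)
    u_alert=$(threshold "$1" alert)
    case "$1" in hvdb) u_op=-ge ;; *) u_op=-gt ;; esac
    if ! is_uint "$u_warn" || ! is_uint "$u_alert" || ! is_uint "$2"; then
        echo UNKNOWN
    elif [ "$2" "$u_op" "$u_alert" ]; then
        echo ALERT
    elif [ "$2" "$u_op" "$u_warn" ]; then
        echo WARNING
    else
        echo OK
    fi
}

# cert_state EXPIRY_EPOCH NOW_EPOCH: print EXPIRED, UNKNOWN, or
# "<state> <whole days left>". Assumption: a certificate fires when the
# days remaining are at or below the configured number of days.
cert_state() {
    c_warn=$(threshold cert warning)
    c_alert=$(threshold cert alert)
    if ! is_uint "$1" || ! is_uint "$2" || ! is_uint "$c_warn" || ! is_uint "$c_alert"; then
        echo UNKNOWN
        return 0
    fi
    if [ "$1" -le "$2" ]; then
        echo EXPIRED
        return 0
    fi
    c_days=$(( ($1 - $2) / 86400 ))
    if [ "$c_days" -le "$c_alert" ]; then
        echo "ALERT $c_days"
    elif [ "$c_days" -le "$c_warn" ]; then
        echo "WARNING $c_days"
    else
        echo "OK $c_days"
    fi
}

# evaluate NOW_EPOCH: read readings from stdin, one per line, either
# "<area> <percent>" or "cert <label> <expiry epoch>", and print a verdict.
evaluate() {
    while read -r kind a b; do
        case "$kind" in
            ''|'#'*) continue ;;
            cert) echo "cert:$a $(cert_state "$b" "$1")" ;;
            *)    echo "$kind $(usage_state "$kind" "$a")" ;;
        esac
    done
}

# Constructed sample run. NOW is fixed (2014-07-01 00:00:00 UTC) so the
# output is repeatable; a live check would use NOW=$(date +%s).
NOW=1404172800
evaluate "$NOW" <<EOF
disk 85
cpu 40
hvdb 91
cert webseal-test $((NOW + 10 * 86400))
EOF
```
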

You can also make the following REST call.

Note: Any non-null return triggers an alert. The following illustration shows an empty result.

The following PowerShell script shows how to use the REST APIs.

    #-------------------------------------------------------------------------
    # Convert epoch to a nice date
    Function get-epochdate ($epochdate) {
        [timezone]::CurrentTimeZone.ToLocalTime(([datetime]'1/1/1970').AddSeconds($epochdate))
    }

    #-------------------------------------------------------------------------
    # Create the basic auth header entry.
    Function createAuth($name,$pwd) {
        $authInfo = ("{0}:{1}" -f $name,$pwd)
        $authInfo = [System.Text.Encoding]::UTF8.GetBytes($authInfo)
        $authInfo = [System.Convert]::ToBase64String($authInfo)
        return "Basic {0}" -f $authInfo
    }

    #-------------------------------------------------------------------------
    # Fetch the current notifications from the appliance.
    Function getNotifications ($name,$pwd,$target) {
        $auth = createAuth $name $pwd
        $headers = @{Accept=("application/json");"ContentType"=("application/json");Authorization=$auth}
        $uri = "https://"+$target+"/isam/widgets/notifications.json"
        # Accept any server certificate: this turns off TLS certificate validation for the session.
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
        $web = New-Object System.Net.WebClient;
        $web.Headers.add("Accept","application/json");
        $web.Headers.add("Content-Type","application/json");
        $web.Headers.add("Authorization",$auth);
        $res = $web.DownloadString($uri);
        $res = $res | ConvertFrom-Json
        return $res
    }

    #-------------------------------------------------------------------------
    # Send notification email.
    Function alertMail ($body) {
        $to = "[email protected]"
        $from = "[email protected]"
        $srv = "smtp.ibm.com"
        $sub = "Automated message: SAM Alert"
        Send-MailMessage -To $to -From $from -Subject $sub -SmtpServer $srv -Body $body
    }

    #-------------------------------------------------------------------------
    # Print each notification with its timestamp and mail it.
    Function checkNotifications ($u,$p,$t) {
        $r = getNotifications $u $p $t
        if ($r.items) {
            $r.items | % {
                get-epochdate $_.timestamp
                $_.message
                alertMail($_.message);
            }
        } else {
            "No messages"
        }
    }

    checkNotifications "admin" "admin" "labsamweb01m1.tivlab.austin.ibm.com"

4.2 Monitoring the appliance

Monitor the appliance from the local management interface dashboard for the following items:

• Notifications
• Disk Space
• Memory
• CPU Usage
• Certificate Life time
• Events

The following illustration shows the dashboard.

Use the following REST APIs to collect similar information:

Hard Drive space
The values of interest are the root entries for size, used, and avail.

CPU Usage

Memory Usage

Certificates lifetime
The result requires post processing to:

• Extract the expiry.
• Convert from epoch to an actual date or compare to the current epoch + X days.
• Raise an alert if any are lower.

Event Log

4.3 Monitoring instances

Monitor various WEB instances for:

• Status
• Instance Log File

Status
Any health value that is not 0 denotes an issue.

Instance Log File
Retrieve the last 300 lines of the msg__webseald-xxx.log file. See the following example URL:

https://<server>/wga/reverseproxy_logging/instance/Test/msg__webseald-Test.log?options=line-numbers&size=300

4.4 Messages Catalog

The following table contains the more common messages. Use the message codes to filter these for special processing. (Note that some messages are Warnings as well as Errors!)

Code          Message
WGASY0002W    Certificate expires in <d> days: <name>
WGASY0002E    Certificate expires in <d> days: <name>
WGASY0003E    Certificate expired: <name>
WGASY0004E    Reverse Proxy is not running: <name>
GLGRS1003I    The CLI operator <name> has shut down the appliance.
WGASY0000W    High CPU utilization: <cpu>%
WGASY0000E    High CPU utilization: <cpu>%
GLGPL1001I    The LMI operator, <name>, has modified the System Alerts settings.

5 Performance & Health

This section describes how to monitor the performance and health of the appliance and instances. Do this task after you apply changes to the system or end users experience problems. In general, access patterns for resources do not change unless there are changes in the environment.

5.1 Checking the state of the policy server (MGR)

You can check the following files for the current state of the policy server.

1. Select Monitor -> Application Log Files -> isam_runtime -> policy_server.

5.2 Checking the state of WebSEAL instances

You can check the following files for the current state of the WebSEAL instances.

1. Select Secure Web Settings -> Reverse Proxy.
2. Mark the instance.
3. Select Manage -> Logging.
4. Use the following additional local management interface pages to check the state of the junctions:
   a. Select Monitor -> Logs -> Reverse Proxy Log Files.
   b. Select Monitor -> Network Graphs -> Application Interface Statistics.
   c. Select Monitor -> Reverse Proxy Graphs -> Reverse Proxy Traffic.
   d. Select Monitor -> Reverse Proxy Graphs -> Reverse Proxy Throughput.

6 Troubleshooting

This section describes some common troubleshooting steps.

6.1 Support Files

The appliance has a built-in function to create and manage support file snapshots.

1. Select Manage -> System Settings -> Support Files.
2. Use this page to create and download support snap files.
3. Delete the files when you no longer need them.

6.2 Networking

You have several tools for evaluating network issues. If you cannot access the appliance, use either the attached or virtual console.

6.2.1 Using the command line interface

1. Log in to the command line interface, or to the console if you cannot access the server through the network.
2. Enter tools.
3. Use the ping and nslookup commands to determine network connectivity.
   a. Ping the appliance and the appliance gateway.
   b. If neither works, make sure the appliance networking (vlan) is set correctly.
4. Get the current network settings for M.1.
5. From the top, enter the following:
   a. management
   b. interfaces
   c. show
6. If the configuration values are incorrect, you can use the set command to make changes. It performs the same steps as documented for the initial appliance configuration.

7 Networking

This section details steps for network-related operations.

7.1 Managing the M.1 and M.2 interfaces

1. Select Management -> Network Settings -> Management Interfaces.
2. Use the tabs to set the system related network settings, DNS, and the interface settings.

7.2 Managing the P.1-P.4 application interfaces

1. Select Management -> Network Settings -> Application Interfaces.
2. Use the tabs and operations to set the interface settings.
3. Use the Test button to validate networking with a ping operation.

7.3 Managing network traffic routing

Manage the network traffic routing on the appliance. By default, all traffic is routed through the M.1 interface, which means that all outgoing network traffic goes through it.

1. Select Management -> Network Settings -> Routing.
2. Add static routes as needed.

7.4 Hosts File

The appliance has a hosts file that is managed with the following interface.

1. Select Management -> Network Settings -> Hosts File.
2. Use this interface to manage the hosts file entries.

Note: To add entries to an existing IP, make sure the IP is highlighted before you select New.

8 Certificate Maintenance

The appliance greatly simplifies the maintenance of the SSL certificates. The home page Certificate Expiry panel shows a list of certificates listed by expiration date. Inspect it regularly and renew or replace certificates as they are about to expire. In addition, the home page notification panel displays any expired certificates.

1. Select Manage -> Secure Settings -> SSL Certificates.
2. Select the Certificate Database.
3. Select Manage -> Edit SSL Certificate Database.
4. Find the expired certificates and delete them.
5. Import new certificates or create certificate requests as needed.

9 Appendix: Useful REST services

The following are some useful REST services.

Get EPOCH
Gets current time on the appliance as an epoch.

Notices

This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you. This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary. This information is for planning purposes only. The information herein is subject to change before the products described become available. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. 
You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces. Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows: © IBM 2014. Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp 2014. All rights reserved. If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed. Trademarks IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml. Statement of Good Security Practices IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
© International Business Machines Corporation 2014 International Business Machines Corporation New Orchard Road Armonk, NY 10504 Produced in the United States of America 07-2014 All Rights Reserved References in this publication to IBM products and services do not imply that IBM intends to make them available in all countries in which IBM operates.