This README contains information about the IBM(R) WebSphere(R) Everyplace(R)
Connection Manager Version 5.1.1 as well as any late-breaking information
that was not available for printed publications.

This product contains RSA encryption code.

This product is supported on:

o IBM AIX(R) 5.1 Maintenance Level 4 
o IBM AIX 5.2 Maintenance Level 1
o IBM AIX Version 5.3
o July 2003 C++ Runtime PTF (xlC.aix50.rte.6.0.0.7)
o Solaris 8, Solaris 9, and Trusted Solaris 8
o Linux(R) Red Hat Enterprise Linux 3.0 ES/AS, SuSE Linux Enterprise Server 
  8, SuSE 8.1, SuSE 8.2, or SuSE 9.0


To download AIX operating system fixes, see:

   http://www.ibm.com/servers/eserver/support/pseries

_____________________________________________________________________________
Table of Contents

1.0  Product Description
2.0  Getting Help
3.0  Installing and Configuring
4.0  Late-breaking Information
5.0  Fixed Authorized Problem Analysis Reports (APARs)
6.0  Trademarks and Copyright


_____________________________________________________________________________
1.0 Product Description

The IBM WebSphere Everyplace Connection Manager consists of the following
components:

  o Connection Manager runtime environment.
  o Gatekeeper, a Java(TM) graphical user interface for managing and
    configuring the Connection Manager system and subsystems.
  o Access Manager used to support Gatekeeper access to the
    runtime environment and persistent data store.
  o Mobility Client, an optional interface that provides an optimized and
    secure IP tunnel for communication with the Connection Manager using a
    variety of wireless and wireline networks.


_____________________________________________________________________________
2.0 Getting Help

Online help is available through the Gatekeeper and the Mobility Client.
Also see the web site at:
http://www.ibm.com/software/pervasive/ws_everyplace_connection_manager/support
for more information and the latest updates.


_____________________________________________________________________________
3.0 Installing and Configuring

3.1 See the IBM WebSphere Everyplace Connection Manager Administrator's Guide
for information about installing for the first time or applying maintenance.
The guide is in portable document format (PDF) and you will need Adobe Acrobat
Reader Version 3.0 or greater to display or print it.  This guide is on 
installation CD 2 and is also located at
http://publib.boulder.ibm.com/pvc/wecm/511/

_____________________________________________________________________________
4.0 Late-breaking Information

4.1  If you are using Secure Hashing Algorithm (SHA) to store passwords in
LDAP (the default for Netscape Directory), login sessions using the
native PPP protocol and CHAP for authentication will fail. If this
type of session is a requirement, use clear text for password storage.
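
Why the two settings conflict, shown as an added example (not IBM code): CHAP (RFC 1994) has the authenticator compute MD5 over the identifier, the shared secret and the challenge, so it needs the recoverable password, while an LDAP {SHA} value is a one-way digest. The function names and the sample password are constructed, and treating any stored value without a {SHA} prefix as clear text is an assumption.

```python
import base64
import hashlib
import hmac
import os

SHA_PREFIX = "{SHA}"


def ldap_sha(password: bytes) -> str:
    """userPassword value in the {SHA} scheme: base64 of the SHA-1 digest."""
    digest = hashlib.sha1(password).digest()
    return SHA_PREFIX + base64.b64encode(digest).decode("ascii")


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5 over Identifier octet || secret || Challenge value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def is_hashed(stored: str) -> bool:
    """True when the directory holds a {SHA} digest instead of the password."""
    return stored.upper().startswith(SHA_PREFIX)


def verify_bind(stored: str, presented: bytes) -> bool:
    """Login where the client sends the password itself: hash it and compare."""
    if is_hashed(stored):
        candidate = ldap_sha(presented)[len(SHA_PREFIX):]
        return hmac.compare_digest(candidate.encode(),
                                   stored[len(SHA_PREFIX):].encode())
    return hmac.compare_digest(stored.encode(), presented)


def verify_chap(stored: str, identifier: int, challenge: bytes,
                response: bytes) -> bool:
    """CHAP login: the server must recompute the MD5 from the real secret."""
    if is_hashed(stored):
        # Only SHA-1(password) is available; the MD5 input cannot be rebuilt.
        return False
    expected = chap_response(identifier, stored.encode(), challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"correct horse"            # constructed sample secret
    identifier, challenge = 7, os.urandom(16)
    # Peer side: the client knows the password and answers the challenge.
    response = chap_response(identifier, password, challenge)

    hashed = ldap_sha(password)            # directory stores {SHA}...
    clear = password.decode()              # directory stores clear text
    # Feeding the stored digest in as if it were the secret does not help,
    # because the peer hashed the password, not its SHA-1 digest.
    digest = base64.b64decode(hashed[len(SHA_PREFIX):])
    digest_try = chap_response(identifier, digest, challenge)
    return {
        "bind_with_sha": verify_bind(hashed, password),
        "chap_with_sha": verify_chap(hashed, identifier, challenge, response),
        "chap_digest_as_secret": hmac.compare_digest(digest_try, response),
        "chap_with_clear": verify_chap(clear, identifier, challenge, response),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```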

4.2  New features for Version 5.1

o  Dynamic transport profiles allowing recognition of the network type that 
   Mobility Clients use and automatically applying tuning characteristics to 
   achieve optimal performance. This feature simplifies the Mobility Client 
   configuration and enhances the seamless roaming capability by automatically 
   switching network specific performance settings when roaming occurs. 
o  Improved ease of use in small environments using the Linux operating system 
   for configuring mobile network interfaces (MNI) without the need for 
   external routing updates and subnetwork assignments. By using dynamic host 
   configuration protocol (DHCP) and proxy-ARP (address resolution protocol) 
   technologies, after an address is reserved by the Connection Manager, ARP 
   and route entries are automatically added to local system tables to give 
   the address a presence on the network. 
o  Improved ease of installation in smaller organizations, such as 
   proof-of-concept environments. This feature includes an installation and 
   configuration wizard that takes advantage of new configuration options for 
   the mobile network interface. See IBM WebSphere Everyplace Connection 
   Manager Quick Start Guide for more information. 
o  Improved ease of use in configuring the access for Gatekeeper administrators 
   as Super users or restricted to an access control list (ACL) profile. An ACL 
   profile is a collection of ACLs that you assign to administrators to define 
   their level of access to resources. 
o  Enhanced wg_monitor command line utility used to view the packet flow 
   through the Connection Manager to aid in debugging and gathering real time 
   information on the active session table in memory of the wgated process. 
o  Improved account troubleshooting to restrict message logging and filter it 
   to display only an individual user ID or device. 
o  Support for user administration portlets using WebSphere Portal Server 
   version 5.0.2.1.
o  Changed installation paths for the Connection Manager. 
o  The Connection Manager is enabled for use by IBM Tivoli License Manager. 
o  Removed support for account lookup as a method of validating WAP clients. 
o  Support for IBM Tivoli Directory Server version 5.2 
o  Support for IBM DB2 Universal Database Enterprise Edition version 8.1 with 
   FixPak 2 or Oracle 9i. 
o  New configuration properties for mobile access services include: 
   - Whether or not a single user ID is permitted to sign-on multiple times 
     from separate devices simultaneously. 
   - Whether the Connection Manager sends a message to Mobility Clients that 
     their sessions are terminated before the Connection Manager shuts down.
o  A new network management trap message (120289) is available for when the 
   mobile session has roamed to a new device. 
o  The device adapter name is now stored as a session database field. 
o  Removed support for Microsoft Windows 98, Windows Me, and Windows NT for 
   Gatekeeper and Mobility Clients. 
o  Removed support for Mobility Clients using Handheld Pocket PC. 
o  Added support for Symbian OS Mobility Clients using Sony Ericsson P900 
   devices. 
o  Added support for Mobility Clients using Windows Mobile 2003 Second Edition. 
o  The Mobility Client can be configured to check that certain programs are 
   running, like antivirus or personal firewall software, before allowing the 
   connection to start. This feature is not available on Palm OS or on the Sony
   Ericsson P900 device. 
o  The Mobility Client can be configured to automatically start one or more 
   programs after the initial connection successfully completes. On Palm OS, 
   only one program can be configured to automatically start. This feature is 
   not available on the Sony Ericsson P900 device. 
o  Mobility Client configuration files can be exported and imported which gives 
   an administrator the ability to set or change Mobility Client options, then 
   distribute the new configuration to the client. The user imports the new 
   configuration and accepts the changes. This feature is not available on the 
   Sony Ericsson P900 device. 
o  To aid in problem determination, Mobility Clients can automatically collect 
   troubleshooting information during a connection attempt. This information 
   aids in first failure data capture. This feature is not available on the 
   Sony Ericsson P900 device.  
o  The Mobility Client trace viewer is a free-standing window that displays 
   trace messages and can be configured to close after the connection is 
   successfully completed. This feature is not available on the Palm OS or 
   on the Sony Ericsson P900 device.  
o  Enhancements that enable WebSphere Everyplace Access version 5.0 clients to 
   seamlessly start connections to the Connection Manager during the 
   synchronization process.


4.3  Connection Manager locale

The Connection Manager requires the English UTF-8 locale: on AIX it 
is EN_US.UTF-8, on Solaris it is en_US.UTF-8, and on Linux it is en_US.utf8.
On the AIX operating system, obtain the English UTF-8 locale from the AIX 
installation media.


4.4  New DSS schema changes for Version 5.1 include:

The objectclass wlUser has been changed to ibm-wlUser and the attributes  
renamed correspondingly:
wlUser                ibm-wlUser
-------------------------------------------
oldpasswords       -> passwordHistList
trace              -> ibm-wlIpTrace
authreq            -> ibm-wlAuthRequired
ipaddr             -> ipAddress
lastfail           -> ibm-wlLastFailed
lastchg            -> ibm-wlLastModified
expire             -> ibm-wlUserExpires
locked             -> isLocked
admchg             -> ibm-wlForceChange
failed             -> unsuccessfulLoginCount
addresstype        -> ibm-wlAssignmentType
addresspool        -> ibm-wlDhcpGroupRef
devicepool         -> ibm-wlDeviceRef
mncauth            -> ibm-wlMncRef
ibm-deviceIdVerify -> ibm-wlVerifyDeviceID

The following attributes were removed from wlUser and added to ibm-wlWapUser 
which is only attached if WAP is turned on and a non-default setting is needed:
  wlUser            ibm-wlWapUser              
-------------------------------------------   
hproxyauth     -> ibm-wlproxyauth
hproxyuserid   -> ibm-wlproxyuserid
hproxypassword -> ibm-wlproxypassword
httpproxyport  -> ibm-wlproxyport
httpproxyaddr  -> ibm-wlproxyaddr
defwaphomepage -> ibm-wldefwaphomepage

The new objectclass ibm-wlTransProfile includes new attributes of:
cn                    Common name                                   
ibm-wlOtherOu         Additional Organizational Units               
description           Description                                   
tcpopt                TCP protocol optimization                     
ibm-wlEnableCompr     Compress data                                 
ibm-wlReduceIpHdr     Reduce IP headers                             
retransttl            TCP retransmit suppression timer              
ibm-wlBurstRate       Packet burst rate                             
minwindowsize         Minimum TCP window size                       
maxwindowsize         TCP receive window size                       
ibm-wlMaxPktSize      Maximum TCP packet size                       
ibm-wlMaxRetransmit   Maximum number of retransmits                 
ibm-wlsarbalance      Balance size of PDU fragments                 
fragttl               Fragment time to live                         
ibm-wltransmitdelay   Outbound transmission delay (ms)              
ibm-wlbuffersize      Maximum size of a multi-packet buffer         
ibm-wlminfree         Minimum free space required to load packets   
ibm-wlpTcpSrvRef      TCP-Lite service                              
ibm-wlNegMTU          Maximum Transmission Unit                     
ibm-wlTransmitMTU     Default MTU                                   
ibm-wlReceiveMTU      Client MTU                                    
ibm-wlSpeed           Data throughput rate                          
ibm-wlFilterOther     Filter other ports (protocol/port)            
ibm-wlFilterKnown     Filter well-known ports                       
ibm-wlLcpEcho         WLP-LCP keepalive timer                       
ibm-wlClientMP        Enable client-side multi-packet buffering     
ibm-wlServerMP        Enable server-side multi-packet buffering     
ibm-wlIpStackMtu      Client IP stack MTU                           
ibm-wlTcpInitialRTT   TCP SYN retransmit interval (sec)             
ibm-wlackdelay        TCP ACK delay (ms)                            
ibm-wlIpForward       Allow IP forwarding                           
keywords              Key words and phrases to match on  

These objectclasses: wlCm, ibm-wlWapServer, ibm-wlHttpService, 
ibm-wlApplService, and ibm-wlPassthruService include new attributes of:
ibm-wlSSLFIPSMode         Only use FIPS 140-2 approved          
ibm-wlSSLFIPSV3Ciphers    V3 Ciphers        
ibm-wlSSLFIPSTLSCiphers   TLS Ciphers         
ibm-wlSSLV2Ciphers        V2 Ciphers 
ibm-wlSSLV3TLSCiphers     V3 and TLS Ciphers

A new objectclass named ibm-wlIpDataProfile which is derived from 
ibm-wlDataProfile and includes new attributes of:
cn                          Common name                           
ibm-wlOtherOu               Additional Organizational Units       
description                 Description                           
version                     Version                               
hdrreduction                Protocol header reduction             
keyrotation                 Enable encryption key rotation        
allowpppneg                 Allow generic PPP negotiation         
authenticationtype          Key exchange algorithm                
keyinterval                 Key rotation interval (minutes)       
allowuseridneg              Client validation model               
encrypttype                 Minimum level of encryption           
ibm-wlAuthRef               Authentication profile                
compresstype                Compression algorithm                 
ibm-wlMaxThreads            Maximum number of processing threads  
ibm-wlSarDelay              Transmission delay between fragments  
ibm-wlTransProfileRef       Transport profile(s)                  
ibm-wlDfltTransProfileRef   Default transport profile             

The objectclass wlmni includes new attributes of:
eTargetAdapter       Network interface adapter to bind
ibm-wlNatAddresses   Number of NAT addresses to request

The objectclass ePasswordPolicy includes new attributes of:
ibm-wlConsecChar     Maximum consecutive characters
ibm-wlMinCharGroup   Minimum characters from 2 of 3 groups (alpha, numeric, other)

The objectclass ibm-wlWlpServer includes new attributes of:
ibm-wlMultiSignon   Allow multiple sessions per user ID
ibm-wlSendTermAck   Send terminate message on shutdown

4.5 AIX Version 5.2 ML 1

If you are using AIX version 5.2 and are experiencing problems with only
loopback-related transactions either to the MNI or outside of Connection Manager
completely, try installing AIX 5.2 maintenance level (ML) 1. Note that ML 1 may
cancel AIX 5.2 common criteria certification, which nullifies the Connection
Manager FIPS 140-2 certification.

4.6 Maximum limit of MNIs for each mobile access services

The maximum number of mobile network interfaces (MNIs) that you can add to
mobile access services is 1024.

4.7 Reboot after installation on AIX

The AIX kernel extension modifications that address potential message 
queue overflows and lockups require a system reboot when upgrading to the 
Connection Manager version 5.1. After you install the Connection Manager on 
an AIX system, be sure to reboot the machine before starting the Connection 
Manager.

4.8 Recreate all LDAP-bind authentication profiles

Because of modifications made to the LDAP-bind authentication profile, 
recreate all LDAP-bind authentication profiles after upgrading to Connection 
Manager version 5.1 from a prior release.

4.9 New features in version 5.1.0.1

o Added support for limiting the Mobility Clients that are permitted to 
  log on to the Connection Manager by device class. This capability is a 
  security feature of the connection profile that is assigned to the 
  mobile network connection (MNC) to which the client logs in.  

4.10 New features in version 5.1.0.2

o Added support for the Mobility Clients on the CE .NET operating system
  using Psion 7535 devices.
o Added support for DB2(R) Universal Database(TM) Express Edition - Before 
  completing the configuration of version 5.1.0.2, there is a setupDB script 
  that requires changing.  Edit the file:
  AIX /usr/opt/wecm/bin/setupDB
  Linux or Solaris /opt/IBM/wecm/bin/setupDB
  
  Inside the Make_V8_ResponseFile() function at line 233, add this line:
  echo "PROD=UDB_EXPRESS_EDITION" >> ${DB2RSPFILE}
  
  Save the file, then begin the configuration.
  
4.11 New features in version 5.1.1

o Added support for AIX version 5.3 
o Removed support for IBM Directory 4.1 
o Added support for DB2(R) Universal Database(TM) version 8.2 and removed 
  support for DB2 version 7.2 
o Added mobile network connection support for Motorola ASTRO 25 networks. This 
  network connectivity is available only for Mobility Clients on desktop 
  Windows(R). 
o Enhanced third-party authentication using certificates that includes: 
  - Verifying the subject name. The subject key is defined as the subject field 
    of the certificate credentials which are passed to the Connection Manager 
    from the Mobility Client during authentication. 
  - Verifying that certificates are not on a revocation list from a certificate 
    authority.
o Enhanced LDAP-bind authentication to include optional group membership 
  verification 
o Added support for running the Connection Manager using VMware Workstation 
  4.5.2 in a VMware-hosted Linux environment. Make sure the Linux distribution 
  installed on the virtual machine is one listed under required operating 
  systems in the Administrator's Guide.
o Removed support for adding an additional organizational unit (OU) to an OU. 
o Documented procedure for configuring mobile access services to broadcast user 
  datagram protocol (UDP) on a given port. See Using broadcast groups in the
  Administrator's Guide.
o Enhanced recording in the session database of Mobility Client information, 
  such as version number, platform type, and the number of accounts with failed 
  login status. 
o The Mobility Client for Windows supports dialing a third-party network access 
  server using Microsoft(R) Dial-Up Networking. For IP-based connections that 
  are connection-oriented, you can choose to place the connection in short-hold 
  mode when it is not the active connection or suspend the connection after a 
  configurable amount of time to wait. 
o Added TCP-Lite and HTTP codec support for the Mobility Client for Windows 
  Mobile 2003 and selected Windows CE .NET devices 
o Added support for selected Windows CE .NET devices. 
o Added the capability to configure several user interface parameters to display 
  or not display in the Mobility Client for Linux.
o Added support for Nokia 9300 and removed the use of network ID-based 
  connection selection.
o Added support for Sony Ericsson P910 and added support for Diffie-Hellman key 
  exchange.
o Documented new procedures on how to use secondary authentication and how to 
  set configuration parameters using the command line in the Mobility Client 
  for Palm OS. 
o Enhanced default filters available for Mobility Client traffic, including the 
  ability to allow ICMP or deny FTP, telnet, HTTP, NETBIOS, and SNMP traffic.

4.12  New DSS schema changes for Version 5.1.1 include:

The objectclass ibm-wlAuthCert includes new attributes of:
ibm-wlCertUserKey     Certificate user key match string
ibm-wlCertSubjectKey  Certificate subject key match string
ibm-wlCertCrlDir      Directory containing certificate revocation lists

The objectclass ibm-wlAuthLdap includes new attributes of:
ibm-wlEnableSearchGrp Perform additional distinguished name validation
ibm-wlSearchAttr      Search attribute
ibm-wlSearchSyntax    Syntax (X.500)
ibm-wlGrpServerRef    Directory server

The objectclasses ibm-wlDataProfile and ibm-wlTransProfile include a new 
attribute of:
ibm-wlFilterRef       Filters

The objectclass ibm-wlWlpServer includes new attributes of:
ibm-wlHashRestrict    Restrict hashing algorithm
ibm-wlHashAlgorithm   Algorithm
ibm-wlHashRounds      SHA rounds

The objectclass ibm-wlGateway includes a new attribute of:
acctdbconntbl         Login packet data record table name

The objectclass wlCm includes a new attribute of:
ibm-wlPath            Response path

4.13  Changes to accounting records with version 5.1.1

The current accounting database needs to be cleared before installing version
5.1.1. If you are using filesystem-based accounting, the wg.acct file needs
to be reset, removed, or renamed and will no longer be viewable with the
wg_acct command. Before starting the Connection Manager, run the setupDB
command to clear the database:
/usr/opt/wecm/bin/setupDB -local -type acct -u <db userid> -pw <db password> -cleanup

New command line options for wg_acct are available and
documented in the Troubleshooting Guide in the information center.

_____________________________________________________________________________
5.0 Fixed Authorized Problem Analysis Reports (APARs)

For more information, see the product Support web site at:
http://www.ibm.com/software/pervasive/ws_everyplace_connection_manager/support


5.1 APARs fixed in version 5.1.0.1

IY57169 - Connection Manager database configuration fails with DB2 8.1 
          Fixpak 7, DB  
IY63090 - "Duplicate CONFREQ" error received when more than 2 routes are
          defined in an MNI
IY63361 - Timing error in TCP-OPT retransmit after roam may cause core dump.  
          Stack trace shows FireRetransmitAll as offending function.
IY63725 - HTTP codec for TCP-Lite inserting "Connection: close" when
          "Connection" token is not present for http responses
IY63813 - WECM coredump if Mobitex MTU is greater than 512.
IY62737 - External User DSS mode requires root in order to see the User DSS
          tree in Gatekeeper.
IY64173 - Add configuration attributes to support WES-AST in a non WES
          environment.  These attributes are available only from the
          command line.
IY64509 - Allow dynamic update of trace flag for VPN users.
IY64839 - LDAP Schema error when adding Connection Profiles at install time
IY64961 - Linux gateway cores on relogin of existing session.

5.2 APARs fixed in version 5.1.0.2

IY64173   Add 3 attributes to the Connection Manager resource to allow the
          configuration of an AST in a non-WES environment
IY64961   WGATED core dump on Linux
IY65357 - Schema file for IDS (ibm-wecm.ldif) missing attributes: 
          authreq, personalid, httpproxyaddr, devicepool, defwaphomepage
IY65477 - GK may delete resource if update involves LDAP storage
          failure.  If the DN is changed for the resource and the
          change is invalid, WECM may delete the original resource.
IY66154 - MNI intermittently fails to initialize on Linux
IY66415 - Unable to add users in User DSS mode.  GK will not display
          the correct primary OU tree in the make/properties panels.
IY66650 - LDAP-bind with single sign on (SSO) using HTTP access services
          fails to create LDAP record and returns a 503 to the
          HTTP client
IY66870 - Add configuration option to SMS-SMPP MNC to allow override
          of the "replace_if_present" flag.
IY67255 - HTTP Access with Ldap bind or radius authentication fails to
          create shadow user account with ldap schema error message.

5.3 APARs fixed in version 5.1.1

IY57181   Only REVOKE authorities if WECM database is newly created 
IY57768 - Support of DB2 Express Edition 
IY61175 - LDAP-bind with Single Sign On (SSO) using the HTTP access services
          of WECM fails authentication
IY62925 - Cannot modify SMS MNC's maximum transmission unit
IY62928 - Deadlock in Messaging GW during SMS PUSH. Network delay may cause an
          LDAP query thread to become hung up, and eventually leads to the
          deadlock. Messages are accepted from the pushing application, but
          not delivered. This fix also adds deadlock detection code which
          attempts to detect messaging gw deadlock, save messages and restart.
IY63456 - TCP-Lite is broken in multi-MNI configurations if mn0 is down
IY64400 - WECM OMA client provisioning with security causes incorrect
          content-type parameter in message
IY64495 - TCP-Lite's HTTP CODEC fails to encode date related HTTP header
          tokens that contain information in addition to the date
IY67243 - SERVICE_TYPE field in SMS should have an option of WAP or 
          empty string
IY67829 - When trying to send bootstrap and notification messages via
          WECM, the port values of the UDH header are incorrect
IY68118 - HTTP AS drops bytes if the data packet coming from the
          browser client is less than 3 bytes
IY68401 - SSO/LTPA fails with a 503 being returned to the HTTP Access
          Services client
IY69040 - Kernel panic upon wgstop.  WECM unresponsive prior to wgstop
IY69041 - SunOne (IPlanet) schema import warning on 'labeledURI' and
          'keywords' attributes
IY69044 - WGATED hangs
IY69048 - The HTTP Parser in the Connection Manager uses an unsigned 
          short value to keep track of bytes processed for a given packet
IY69509 - Gateway deadlock in mallinfo() query
IY69529 - Add date to wg_monitor -f output
IY69543 - Unable to manage / create users under the WECM controlled
          "System" container.  The container does not show up in the 
          primary OU listing and changes to users under this container
          cause the user record to be moved to a different OU.
IY70030 - SIGPIPE not caught on AIX 5.2 and later OS levels
IY70228 - Routes downloaded to client limited to 20
IY70286 - Error in RADIUS accounting retry logic, may cause of retries are
          exhausted
IY70365 - Duplicate roaming requests cause session teardown when using
          Diffie-Hellman and secondary authentication
IY70540 - PAP constraints not converted to SMPP.
IY70842 - Creating MNCs that use the same UDP port and direct bind to
          different addresses, fails to create
IY70924 - Top level administrators may want to put entitlement records in
          additional organizational units (OU) to restrict access of lower
          level administrators instead of granting them access to the
          System > User OU
IY71116 - WECM deadlock occurs and LDAP-bind experiences extreme 
          authentication delays
IY71419 - Need capability to configure direct-bind MNCs in a clustered
          topology that includes return path through principal node
IY71501 - Deadlock in active session processing
IY71702 - WECM unable to change LDAP password via the Mobility Client
IY71727 - Gateway cores when logging in
IY71869 - Gateway doesn't deactivate old UID/device handle upon reconnect
IY72239 - The locale is being transmitted in lowercase through the SSL
          connection, causing a locale lookup to fail
IY72352 - Gatekeeper not displaying all WECM resources when the
          userCertificates attribute contains binary data

_____________________________________________________________________________
6.0 Trademarks and Copyright

AIX, DB2, DB2 Universal Database, Everyplace, IBM, and WebSphere
are trademarks or registered trademarks of the IBM Corporation in the United
States or other countries or both.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc.
in the United States, other countries, or both.

Linux is a trademark of Linus Torvalds in the United States, other countries, 
or both. 

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of 
Microsoft Corporation in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks
of others.

Copyright International Business Machines and others, 1994, 2005. All rights
reserved.
