Hardware Management Console Readme *Version 10 Release 1 Maintenance 1011 (V10 R1 M1011) README* Date: 10 January 2022 (C) Copyright International Business Machines Corp., 2021 All rights reserved. Contents <#ibm-content> The information in this Readme contains the fix list and other package information about the Hardware Management Console. * Terminology <#term> * PTF MF69180 <#MF69180> * PTF MF69181 <#MF69181> * Update Notes <#insnotes> * Enhancements and New Features <#enhance> * List of fixes <#fixes> * Command line changes <#command> * Known issues and limitations <#known> * Best Practices <#best> * Installation <#install> Terminology *x86* - This term is used to reference the Intel hypervisors (KVM, VMWare, Xen) on which Virtual HMC can be installed. *Note:* HMC V10R1 release for x86 is not supported on bare metal (7042 hardware appliances). * ppc64 or ppc64le* - describes the Linux code that is compiled to run on Power-based servers or LPARS (Logical Partitions) PTF MF69180 HMC V10 R1 M1011 – for vHMC for x86_64 hypervisors (5765-VHX) This package represents a service pack image that can be used to update your vHMC from HMC V10 R1 M1010 on x86_64 hypervisors. You can also reference this package by APAR MB04303 and PTF MF69180. * Service packs are cumulative and as such will include all the fixes for the PTFs released up to and including the last service pack(s) for this HMC version. Please read the individual Readme files for each PTF to see the list of fixes. /Package information/ Package name Size Checksum (sha1sum) APAR# PTF# HMC_Update_V10R1M1011_x86.iso 3830235136 b0259a66f7f1ba43ec15575cf9fea03e48719655 MB04303 MF69180 Splash Panel information (or lshmc -V output) "version= Version: 10 Release: 1 Service Pack: 1011 HMC Build level 2111180904 MF69180 - HMC V10R1 M1011 ","base_version=V10R1 " PTF MF69181 HMC V10 R1 M1011 – for 7063 Hardware or vHMC for PowerVM (5765-HMB) This package represents a service pack image that can be used to update your HMC from HMC V10 R1 M1010 on 7063 machine type or vHMC for PowerVM. You can reference this package by APAR MB04302 and PTF MF69181. * Service packs are cumulative and will include all the interim fixes for the PTFs released up to and including the last service pack(s) for this HMC version. Please read the individual Readme files for each PTF to see the list of fixes. /Package information/ Package name Size Checksum (sha1sum) APAR# PTF# HMC_Update_V10R1M1011_ppc.iso 3843870720 c94da1c6de1c242e9115ebb5a7958d6cf040573a MB04302 MF69181 Splash Panel information (or lshmc -V output) "version= Version: 10 Release: 1 Service Pack: 1011 HMC Build level 2111180904 MF69181 - HMC V10R1 M1011 ","base_version=V10R1 " Update Notes * A rare timing event during boot of the 7063-CR2 HMC can result in different conditions depending on the version of BMC FW currently functional on the HMC. For workarounds and symptoms refer to: https://www.ibm.com/support/pages/node/6520826 *For CR2 HMCs with PNOR OP9-v2.5-4.123 / BMC op940.hmc-11.1 or older:* *For CR2 HMCs with PNOR OP9-v2.5-4.124 / BMC op940.hmc-16 and newer:* The timing event results in a side switch of the active side of the BMC. The previously inactive side (now active), will contain stale BMC settings information, such as network settings, and passwords, which lead to loss of connectivity to the BMC. On the OS, the ipmi0 device is missing. This impacts the ipmitool command and any commands that rely on it. The timing event results in a restart of the BMC. On the OS, the ipmi0 device is missing. This impacts the ipmitool command and any commands that rely on it. Enhancements and New Features * HMC V10 R1 M1011 allow user to configure a vTPM 2.0 enabled partition, migrate a vTPM 2.0 enabled client partition to a different managed system and related operations on managed systems capable of vTPM2.0 * This service pack enables the Periodic Transmission of Service Information independent of the "Enable the local console as a call home server" and outbound connectivity configuration. Transmission settings can be configured using the Transmit Service Information panel and/or the "Enable Electronic Service Agent" panels. List of fixes *General fixes* * Fixed the delay in HMC startup during reboot when PCM is enabled and has multiple PCM sample files collected. * Fixed slow performance of backup CCD due to a core file issue. * Fixed an issue with invalid data getting collected for RR or DR operation resulting in errors during validate such as /HSCLA319/. * Fixed an issue at HMC startup that resulted in a delay for around 30 minutes with messages:"/Console not Ready. You cannot log on at this time. Console is still initializing and not yet ready for users to login. Allow the console to finish initializing and then try to login again./" * Fixed an error for 7063-CR1 failing to boot with 1901 error when cabled to dcbx enabled Jupiter switch. * Fixed an issue when performing the dump restart operation on a partition to avoid a waiting delay. * Fixed a IBMi OS shutdown issue that throws the error code /HSCL0DB4/. * Fixed a LPM validation issue that causes an error to be thrown when the target machine VF has only 2 VF resulting in call home SRC E3550037. * Fixed an issue where Service event for a PEL with LP section is missing the reporting lpar id/name field in both ui and cli in 950 and later. The fields: "/"reporting_partition_id"/" and "/"reporting_partition_name"/" are now deprecated and are replaced respectively by: "/"partition_id"/" and "/"partition_name"/" * Fixed a VMRM Disaster Recovery restart issue following a deletion of partition from the target system that resulted in an incorrect error message /HSCLAF0D/.Circumvention is to issue a rebuild server after deleting VNICs or SRIOV logical ports (or a partition with them) on the target server. * Fixed an issue that prevents the user to change the from address when using secure email, defaulting to the email user. * Allow firmware update on functional SRIOV adapters to continue from GUI when selecting group that includes adapter in failed or error state. * Fixed the UI refresh issue post LPM operation, where the gallery view of enhanced UI shows RMC state as "No Connection" even though RMC is active. * Fixed an issue that throws an error for P8 systems managed by HMC950 and above -"/HSCL1552 The firmware operationfailed with extended error./" when toggling an lpar between SRR enabled/disabled. * Fixed an issue with simplified remote restart in a dual HMC environment when the restart fails on the target and is successfully recovered. The partition(s) on the source may incorrectly be left in source remote restarting state instead of remote restartable. * Fixed an issue that caused CEC into recovery state when co-management mode was quickly changed on a non-comanaged server. * Added a console log entry whenever a call home snmp trap is sent out. * Added Power On/Off Unit force close session option. * Fixed an issue that can cause the *chhmcfs -o f* command or the *lshmcfs *command to fail with "/HSCL8016 An unknown error occurred while trying to perform this command. Retry the command. If the error persists, contact your software support representative/." * Fixed an issue where PCM fails to display when PCM data is migrated from an older HMC to a new HMC model via the *saveupgdata –migrate* command. * Fixed an issue with the "Must use redundant MSPs" option of migration that caused failures to migrate some partitions due to the MSPs running out of concurrent migration thread resources. Rerunning the LPM for the partitions that did not migrate is the workaround. * Fixed an issue where LPM validation may incorrectly fail with an error stating that additional free memory is needed on the target server when the migrating partition has a very large memory setting and the target system is tight on available memory. Errors include: /HSCL3656 There is an insufficient amount of memory available on the destination managed system for the configuration of the partition/. * Fixed an issue that causes the HMC to report E212E161 SRC due to too many open files This error is due to excessive socket count. * Enabled firmware update wizard to allow firmware of both FSP and BMC systems to be updated simultaneously. * Fixed an issue where removal of last registerd management console is not reflected in the GUI from Events Manager for Call even though the console is actually removed. *Security **fixes* * Disable the listing of TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 in the available list. * Addressed CVE issue for bind CVE-2021-25215 * Addressed CVE issue for bash CVE-2019-18276 * Addressed the httpd vulnerabilities: CVE-2018-17199 and CVE-2020-11993 * Addressed the krb5 vulnerability: CVE-2019-17498 * Addressed the glib2 vulnerabilities: CVE-2021-27218 and CVE-2021-27219 * Addressed the tomcat vulnerabilty: CVE-2021-42340 * Fixed Cross-Site Scripting issue with HMC legacy panels. * Fixed issue of Nessus reporting Backup Files Disclosure CGI abuses. * Fixed an issue that allowed root access by an hmc user profile. * Addressed the mod_proxy vulnerability: CVE-2021-40438 Command Line Changes * The *chsyscfg*, *lssyscfg*, and *mksyscfg *commands have been enhanced to support vTPM 2.0. * The /reporting_partition_id/ and /reporting_partition_name/ attributes output by the *lssvcevents –t hardware *command have been deprecated and replaced by the attributes/partition_id/ and /partition_name/. In addition, these attributes are now output for all serviceable events. The /reporting_partition_id/ and /reporting_partition_name/ attributes will still be output when specified with -F. Known issues and limitations * *lpar_netboot* with *-D -A* selects a ping failed adapter to perform netboot instead of a ping success adapter. * Login using a Kerberos user fails if the user id is different from the remote user id. * After migration of save upgrade data from 942 to the 1010 level, PCM operations result in exception failures. * Kerberos user cannot login from GUI, the user should continue to use CLI as a workaround. * Kerberos server requires to be reconfigured using below CLI after update from 950 SP1 and PTFs. Recommended CLI commands : *chhmc -c kerberos -s remove –realm -a ** **chhmc -c kerberos -s add --realm -a * Best Practices * User sessions - The following best practices helps avoid performance degradations gradually over a period of time due to increased login sessions as well as security vulnerabilities such as unauthorized access to the active HMC sessions. o It is a best practice to logoff from HMC UI and then close the browser tab instead of directly closing the tab o Set Idle session timeout for all the users and not leave the timeout as '0' which leaves it as no timeout. Installation Installation instructions for HMC Version 10 upgrades and corrective service can be found at these locations: Upgrading or restoring HMC Version 10 Updating, upgrading, and migrating your HMC machine code Update(s) for HMC V10R1M1010 Back to top