RFE 148364 for IBM Spectrum Symphony 7.3.1

Readme File for IBM^® Spectrum Symphony RFE 148364

Readme file for: IBM Spectrum Symphony

Product release: 7.3.1

Fix ID: sym-7.3.1-build600590-cs

Publication date: July 23, 2021

The IBM Spectrum Symphony SSL client can only load CA certificate from disk. With this enhancement, the client can load CA certificates from the Windows certificate store.

1. Scope

Before you install this enhancement to your cluster, note the following requirements:

Operating systems

· Windows Server 2012 to 2016

· Windows 8 to 10

Product version

IBM Spectrum Symphony 7.3.1

2. Installation

Follow these instructions to download and install this enhancement on hosts in your cluster.

Prerequisites

All CA from the certificate chain have been registered to the Trusted Root Certification Authorities certificate store: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/trusted-root-certification-authorities-certificate-store

Currently, only registering certificates to the certificate store using a local machine location is supported: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/local-machine-and-current-user-certificate-stores

A thumbprint is treated as the unique ID of a certificate. You can acquire thumbprint for certificates using Windows PowerShell. For example:

PS C:\Users\Administrator> Get-ChildItem -path cert:LocalMachine\root

……

C08599998F2E79900C4D7FEFB72E3EBB383723BF E=test@example.com, CN=Symphony, OU=Platform, O=IBM, S=Province, C=CN

9BAF4FC8FD8D70D7148C9FFD9D3AF24BC19FDFC6 E=test@example.com, CN=Symphony, OU=Platform, O=IBM, L=City, S=Province, C=CN

……

Installing on the IBM Spectrum Symphony management hosts and compute hosts

a. Log on to the primary cluster as the cluster administrator:

> egosh user logon -u Admin -x Admin

b. Shut down the cluster:

> egosh service stop all

> egosh ego shutdown all

c. On each management host and compute host, copy the sym-7.3.1.0-egocore-3.9.0.0_build600590.msp and sym-7.3.1.0-soamcore-7.3.1.0_build600590.msp to a temporary location on the host and install the package:

o For an interactive installation, double-click the .msp package and follow the prompts.

o For a silent installation, enter the following command from the command prompt:

C:\>msiexec /update C:\sym-7.3.1.0-egocore-3.9.0.0_build600590.msp /l*v install.log /norestart /quiet REINSTALLMODE=omus

C:\>msiexec /update C:\sym-7.3.1.0-soamcore-7.3.1.0_build600590.msp /l*v install.log /norestart /quiet REINSTALLMODE=omus

The command syntax is as follows:

C:\>msiexec /update sym_package_name_path /l*v install.log /norestart /quiet REINSTALLMODE=omus

where:

o sym_package_name_path is the fully qualified path to the .msp package; in this case, C:\sym-7.3.1.0-egocore-3.9.0.0_build600590.msp and C:\sym-7.3.1.0-soamcore-7.3.1.0_build600590.msp

o install.log is the log file for the upgrade.

d. Use the pversions command to verify the installation:

> pversions

IBM Spectrum Computing family: SOAM core 7.3.1 for IBM Spectrum Symphony 7.3.1.0

Update for Symphony 7.3.1 (build"600590")

IBM Spectrum Computing family: EGO core 3.9.0.0

Update for Symphony 7.3.1 (build"600590")

Installing on IBM Spectrum Symphony Developer Edition hosts

a. Log on to the IBM Spectrum Symphony Developer Edition host, and stop all applications:

> soamcontrol app disable all

b. Stop Spectrum Symphony Developer Edition:

> echo .| soamshutdown

c. On each Spectrum Symphony Developer Edition host, download the symde-7.3.1.0_build600590.msp package to a temporary location on the host and install the package:

o For an interactive installation, double-click the symde-7.3.1.0_build600590.msp package and follow the prompts.

o For a silent installation, enter the following command from the command prompt:

C:\>msiexec /update C:\symde-7.3.1.0_build600590.msp /l*v install.log /norestart /quiet REINSTALLMODE=omus

The command syntax is as follows:

C:\>msiexec /update sym_package_name_path /l*v install.log /norestart /quiet REINSTALLMODE=omus

where:

o sym_package_name_path is the fully qualified path to the .msp package; in this case, C:\symde-7.3.1.0_build600590.msp.

o install.log is the log file for the upgrade.

Installing on IBM Spectrum Symphony client hosts

a. Log on to the IBM Spectrum Symphony client host, and stop the running client.

b. On each IBM Spectrum Symphony client host, download the symclnt-7.3.1.0_build600590.msp package to a temporary location on the host and install the package:

o For an interactive installation, double-click the symclnt-7.3.1.0_build600590.msp package and follow the prompts.

o For a silent installation, enter the following command from the command prompt:

C:\>msiexec /update C:\symclnt-7.3.1.0_build600590.msp /l*v install.log /norestart /quiet REINSTALLMODE=omus

The command syntax is as follows:

C:\>msiexec /update sym_package_name_path /l*v install.log /norestart /quiet REINSTALLMODE=omus

where:

o sym_package_name_path is the fully qualified path to the .msp package; in this case, C:\symclnt-7.3.1.0_build600590.msp.

o install.log is the log file for the upgrade.

3. Configuration

CA_THUMBPRINT_LIST is used to configure the thumbprint of the CA. If there are multiple CAs in the certificate chain, separate each thumbprint using a colon (:). The system will use thumbprint configured in CA_THUMBPRINT_LIST to acquire CA certificate from the Windows certificate store. If CA_THUMNPRINT_LIST is configured, CAFILE and CAPATH will be ignored.

IBM Spectrum Symphony supports the following SSL communications:

· Between VEMKD and the VEMKD client

· Between SD and SDK

· Between SSM and SDK

· Between SSM and SIM

Configuring other types of SSL, will fail, as they are not supported.

Configuration for SSL between VEMKD and the VEMKD client in the ego.conf file

Assuming that EGO_TRANSPORT_SECURITY, EGO_KD_TS_PORT, and EGO_DEFAULT_TS_PARAMS are properly configured:

EGO_CLIENT_TS_PARAMS="SSL[CIPHER=AES256-GCM-SHA384,CA_THUMBPRINT_LIST=c08599998f2e79900c4d7fefb72e3ebb383723bf:9baf4fc8fd8d70d7148c9ffd9d3af24bc19fdfc6]"

Configuration for SSL between SD and SDK, or SSM and SDK in the sd.xml file

Assuming that SD_SDK_TRANSPORT, SD_SDK_TRANSPORT_ARG, SSM_SDK_TRANSPORT and SSM_SDK_TRANSPORT_ARG are properly configured:

<ego:EnvironmentVariable name="SDK_TRANSPORT">TCPIPv4SSL</ego:EnvironmentVariable>

<ego:EnvironmentVariable name="SDK_TRANSPORT_ARG">SSL[CIPHER=AES256-GCM-SHA384,CA_THUMBPRINT_LIST=c08599998f2e79900c4d7fefb72e3ebb383723bf:9baf4fc8fd8d70d7148c9ffd9d3af24bc19fdfc6]</ego:EnvironmentVariable>

Configuration for SSL between SSM and SIM in the application profile

Assuming that SSM_SIM_TRANSPORT and SSM_SDK_TRANSPORT_ARG are properly configured:

4. Uninstallation

Uninstalling from IBM Spectrum Symphony management hosts and compute hosts

a. Log on to the primary cluster as the cluster administrator:

> egosh user logon -u Admin -x Admin

b. Shut down the cluster:

> egosh service stop all

> egosh ego shutdown all

c. On management host and compute host, uninstall the enhancement:

o To roll back from the Windows Control Panel, go to Control Panel > Programs and Features > View installed updates, click Update for Symphony 7.3.1 (build “600590”) and click Uninstall.

o To roll back from the IBM Spectrum Symphony command prompt, enter the following command:

Uninstall egocore .msp package:

C:\> msiexec /uninstall {5D28F114-3592-49E9-BE01-1BB22E435103} /package {CA4CC028-8ED7-4DF7-964A-823D5A2AA78C} /norestart /quiet /l*v rollback.log

The command syntax is as follows:

C:\> msiexec /uninstall interim_fix_code /package product_code /norestart /quiet /l*v rollback.log

where:

o interim_fix_code is the identifier of the .msp package for this interim fix, in this case, {5D28F114-3592-49E9-BE01-1BB22E435103}.

o product_code is the identifier of the .msi file for the original product installation package, in this case, {CA4CC028-8ED7-4DF7-964A-823D5A2AA78C}.

o rollback.log is the name of the log file to capture details of the rollback.

Uninstall soamcore .msp package:

C:\> msiexec /uninstall {E5B4A2E7-AFB4-45B5-8CF4-CED1394D73D7} /package {91FF0A77-C792-4BCD-B657-5B1D1762836E} /norestart /quiet /l*v rollback.log

The command syntax is as follows:

C:\> msiexec /uninstall interim_fix_code /package product_code /norestart /quiet /l*v rollback.log

where:

o interim_fix_code is the identifier of the .msp package for this interim fix, in this case, {E5B4A2E7-AFB4-45B5-8CF4-CED1394D73D7}.

o product_code is the identifier of the .msi file for the original product installation package, in this case, {91FF0A77-C792-4BCD-B657-5B1D1762836E}.

o rollback.log is the name of the log file to capture details of the rollback.

Uninstalling from IBM Spectrum Symphony Developer Edition hosts

a. Log on to the IBM Spectrum Symphony Developer Edition host, and stop all applications:

> soamcontrol app disable all

b. Stop IBM Spectrum Symphony Developer Edition:

> echo .| soamshutdown

c. On each IBM Spectrum Symphony Developer Edition host, uninstall the enhancement:

o To roll back from the Windows Control Panel, go to Control Panel > Programs and Features > View installed updates, click Update for Symphony 7.3.1 (build “600590”) and click Uninstall.

o To roll back from the IBM Spectrum Symphony command prompt, enter the following command:

C:\> msiexec /uninstall {F7BE8DB8-D849-4DC2-A044-3966EF790252} /package {B0C862C5-0439-4E94-8B25-E6E97254B79F} /norestart /quiet /l*v rollback.log

The command syntax is as follows:

C:\> msiexec /uninstall interim_fix_code /package product_code /norestart /quiet /l*v rollback.log

where:

o interim_fix_code is the identifier of the .msp package for this interim fix, in this case, {F7BE8DB8-D849-4DC2-A044-3966EF790252}.

o product_code is the identifier of the .msi file for the original product installation package, in this case, {B0C862C5-0439-4E94-8B25-E6E97254B79F}.

o rollback.log is the name of the log file to capture details of the rollback.

Uninstalling from IBM Spectrum Symphony client hosts on Windows

a. Log on to the IBM Spectrum Symphony client host, and stop the running client.

b. On each IBM Spectrum Symphony client host, uninstall the enhancement:

o To roll back from the Windows Control Panel, go to Control Panel > Programs and Features > View installed updates, click Update for Symphony 7.3.1 (build “600590”) and click Uninstall.

o To roll back from the IBM Spectrum Symphony command prompt, enter the following command:

C:\> msiexec /uninstall {4630DF94-53DE-4040-992B-1BEB432CEDEA} /package {D0374E2E-2D3C-4240-9642-D99621AD5463} /norestart /quiet /l*v rollback.log

The command syntax is as follows:

C:\> msiexec /uninstall interim_fix_code /package product_code /norestart /quiet /l*v rollback.log

where:

o interim_fix_code is the identifier of the .msp package for this interim fix, in this case, {4630DF94-53DE-4040-992B-1BEB432CEDEA}.

o product_code is the identifier of the .msi file for the original product installation package, in this case, {D0374E2E-2D3C-4240-9642-D99621AD5463}.

o rollback.log is the name of the log file to capture details of the rollback.

5. List of files

sym-7.3.1.0-egocore-3.9.0.0_build600590.msp 45fa3a96ae8fdc0fc29222b47a7c8b47

3.9\etc\vemkd.exe eab0d68a5e4f91faecd4980e2a79e3ed

3.9\etc\vemkd.pdb d9b58c498ddd0280f4b84251a6ce0a2b

3.9\etc\egosc.exe 24d7d14dd04d8d76f6a39faf70e57dd2

3.9\etc\egosc.pdb 7824085d35b00e5335b986cae61ea97c

3.9\etc\wsm.exe 2619b011346665945a617174e268a6c9

3.9\bin\egosh.exe 199278129a6e801661f5d3a4e81c7d33

3.9\bin\egosh.pdb 26fefa309ffe56159edef436cab9d6e0

3.9\lib\libvem.dll b3c4f3ae4f587edb59e5beba783c74b1

3.9\lib\libvem.pdb 0cccffa6809a2235fc6e5c4898529e04

3.9\lib\libvem390.dll 5a43205889fe173bedafe38af4200be8

3.9\lib\libvem390.pdb 4c3d96d56878d59caf4010c8a7a6e208

sym-7.3.1.0-soamcore-7.3.1.0_build600590.msp 5bb8356702a799ea6f937f2133e0ff9d

soam\7.3.1\w2k3_x64-vc7-psdk\etc\sd.exe 764df6e0384d8809598e0aae24661af2

soam\7.3.1\w2k3_x64-vc7-psdk\etc\sd.pdb 9d9c8b7c98cda4d8d647a71fadfcfaa5

soam\7.3.1\w2k3_x64-vc7-psdk\etc\ssm.exe a6cfb8cdf4f5cb6eb6a59ac82fb34464

soam\7.3.1\w2k3_x64-vc7-psdk\etc\ssm.pdb fd078c191b86294a43b3dec5b864088f

soam\7.3.1\w2k3_x64-vc7-psdk\etc\sim.exe ad6029faf27db1eb5289602a7300c0e3

soam\7.3.1\w2k3_x64-vc7-psdk\etc\sim.pdb b91501351afa24aeb7be4f6243b1b03d

soam\7.3.1\w2k3_x64-vc7-psdk\lib64\soambase.dll 9acff86bc71c547f163f0cae3c8ec4b1

soam\7.3.1\w2k3_x64-vc7-psdk\lib64\soambase.pdb 546626151297f5f44dbb338ad0312e4c

soam\7.3.1\w2k3_x64-vc7-psdk\lib\soambase.dll 9838ccc44484a606d168f24f7f6b72f3

soam\7.3.1\w2k3_x64-vc7-psdk\lib\soambase.pdb 0cb90f891f3e3d425947e3f7ef32a018

soam\7.3.1\w2k3_x64-vc7-psdk\lib64\libvem.dll b3c4f3ae4f587edb59e5beba783c74b1

soam\7.3.1\w2k3_x64-vc7-psdk\lib64\libvem390.dll 5a43205889fe173bedafe38af4200be8

soam\7.3.1\w2k3_x64-vc7-psdk\lib\libvem.dll 5aa102a48a21954d60347d6cb0bbb9ed

soam\7.3.1\w2k3_x64-vc7-psdk\lib\libvem390.dll 7d936598a2fe80c5688ff3f4920a9796

symclnt-7.3.1.0_build600590.msp 257b756ab11ef8e1c5fde35be832ceb7

lib64\soambase.dll 9acff86bc71c547f163f0cae3c8ec4b1

lib64\soambase.pdb 546626151297f5f44dbb338ad0312e4c

lib\soambase.dll 9838ccc44484a606d168f24f7f6b72f3

lib\soambase.pdb 0cb90f891f3e3d425947e3f7ef32a018

lib64\libvem.dll b3c4f3ae4f587edb59e5beba783c74b1

lib64\libvem390.dll 5a43205889fe173bedafe38af4200be8

lib64\libvem390.pdb 4c3d96d56878d59caf4010c8a7a6e208

lib\libvem.dll 5aa102a48a21954d60347d6cb0bbb9ed

lib\libvem390.dll 7d936598a2fe80c5688ff3f4920a9796

lib\libvem390.pdb 984fcd5bef6b3112ac24c0fab578a361

symde-7.3.1.0_build600590.msp 166defdc1f3a5e7c923db07746f7efdb

7.3.1\w2k3_x64-vc7-psdk\etc\sd.exe 764df6e0384d8809598e0aae24661af2

7.3.1\w2k3_x64-vc7-psdk\etc\sd.pdb 9d9c8b7c98cda4d8d647a71fadfcfaa5

7.3.1\w2k3_x64-vc7-psdk\etc\ssm.exe a6cfb8cdf4f5cb6eb6a59ac82fb34464

7.3.1\w2k3_x64-vc7-psdk\etc\ssm.pdb fd078c191b86294a43b3dec5b864088f

7.3.1\w2k3_x64-vc7-psdk\etc\sim.exe ad6029faf27db1eb5289602a7300c0e3

7.3.1\w2k3_x64-vc7-psdk\etc\sim.pdb b91501351afa24aeb7be4f6243b1b03d

7.3.1\w2k3_x64-vc7-psdk\lib64\soambase.dll 9acff86bc71c547f163f0cae3c8ec4b1

7.3.1\w2k3_x64-vc7-psdk\lib64\soambase.pdb 546626151297f5f44dbb338ad0312e4c

7.3.1\w2k3_x64-vc7-psdk\lib\soambase.dll 9838ccc44484a606d168f24f7f6b72f3

7.3.1\w2k3_x64-vc7-psdk\lib\soambase.pdb 0cb90f891f3e3d425947e3f7ef32a018

7.3.1\w2k3_x64-vc7-psdk\ego_lib64\libvem.dll b3c4f3ae4f587edb59e5beba783c74b1

7.3.1\w2k3_x64-vc7-psdk\ego_lib64\libvem390.dll 5a43205889fe173bedafe38af4200be8

7.3.1\w2k3_x64-vc7-psdk\ego_lib\libvem.dll 5aa102a48a21954d60347d6cb0bbb9ed

7.3.1\w2k3_x64-vc7-psdk\ego_lib\libvem390.dll 7d936598a2fe80c5688ff3f4920a9796

6. Product notifications

To receive information about product solution and patch updates automatically, subscribe to product notifications on the My Notifications page http://www.ibm.com/support/mynotifications/ on the IBM Support website (http://support.ibm.com). You can edit your subscription settings to choose the types of information you want to get notification about, for example, security bulletins, fixes, troubleshooting, and product enhancements or documentation changes.

7. Copyright and trademark information

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.