Readme File for IBM^® Spectrum Symphony RFE 148364

Readme file for: IBM Spectrum Symphony

Product release: 7.3

Fix ID: sym-7.3-build600667-cs

Publication date: September 5, 2021

 

Currently, the IBM Spectrum Symphony SSL client can only load certificate authority (CA) certificates from disk. With this enhancement, the client can load CA certificates from the Windows certificate store.

 

1.   Scope 

Before you install this enhancement to your cluster, note the following requirements:

Operating systems	·        Windows Server 2012 to 2016  ·        Windows 8 to 10
Product version	IBM Spectrum Symphony 7.3

 

2. Installation

Follow these instructions to download and install this enhancement on hosts in your cluster.

Prerequisites

·       Ensure that all CAs from the certificate chain have been registered to the certificate store.

·       Note that registering certificates to the certificate store using a local machine location is supported: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/local-machine-and-current-user-certificate-stores

·       A thumbprint is treated as the unique ID of a certificate. You can acquire thumbprints for certificates using Windows PowerShell. For example:

       PS C:\Users\Administrator> Get-ChildItem -path cert:LocalMachine\root

   ……

C08599998F2E79900C4D7FEFB72E3EBB383723BF  E=test@example.com, CN=Symphony, OU=Platform, O=IBM, S=Province, C=CN

9BAF4FC8FD8D70D7148C9FFD9D3AF24BC19FDFC6  E=test@example.com, CN=Symphony, OU=Platform, O=IBM, L=City, S=Province, C=CN

   ……

 

Installing on the IBM Spectrum Symphony management hosts and compute hosts

a.        Log on to the primary cluster as the cluster administrator:

> egosh user logon -u Admin -x Admin

b.        Shut down the cluster:

> egosh service stop all

> egosh ego shutdown all  

c.        On each management host and compute host, copy the sym-7.3.0.0-egocore-3.8.0.0_build600667.msp and sym-7.3.0.0-soamcore-7.3.0.0_build600667.msp to a temporary location on the host and install the package:

o   For an interactive installation, double-click the .msp package and follow the prompts.

o   For a silent installation, enter the following command from the command prompt:

C:\>msiexec /update C:\sym-7.3.0.0-egocore-3.8.0.0_build600667.msp /l*v install.log /norestart /quiet REINSTALLMODE=omus

C:\>msiexec /update C:\sym-7.3.0.0-soamcore-7.3.0.0_build600667.msp /l*v install.log /norestart /quiet REINSTALLMODE=omus

The command syntax is as follows:

C:\>msiexec /update sym_package_name_path /l*v install.log /norestart /quiet REINSTALLMODE=omus

where:

o   sym_package_name_path is the fully qualified path to the .msp package; in this case, C:\sym-7.3.0.0-egocore-3.8.0.0_build600667.msp and C:\sym-7.3.0.0-soamcore-7.3.0.0_build600667.msp

             o   install.log is the log file for the enhancement.

d.        Use the pversions command to verify the installation:

> pversions

IBM Spectrum Computing family: SOAM core 7.3 for IBM Spectrum Symphony 7.3.0.0

Update for Symphony 7.3.0 (build"600667")

 

IBM Spectrum Computing family: EGO core 3.8.0.0

Update for Symphony 7.3.0 (build"600667")

 

Installing on IBM Spectrum Symphony Developer Edition hosts

a.      Log on to the IBM Spectrum Symphony Developer Edition host, and stop all applications:

> soamcontrol app disable all

b.        Stop IBM Spectrum Symphony Developer Edition:

> echo .| soamshutdown

c.        On each IBM Spectrum Symphony Developer Edition host, download the symde-7.3.0.0_build600667.msp package to a temporary location on the host and install the package:

o   For an interactive installation, double-click the symde-7.3.0.0_build600667.msp package and follow the prompts.

o   For a silent installation, enter the following command from the command prompt:

C:\>msiexec /update C:\symde-7.3.0.0_build600667.msp /l*v install.log /norestart /quiet REINSTALLMODE=omus 

The command syntax is as follows:

C:\>msiexec /update sym_package_name_path /l*v install.log /norestart /quiet REINSTALLMODE=omus

where:

o   sym_package_name_path is the fully qualified path to the .msp package; in this case, C:\symde-7.3.0.0_build600667.msp.

o   install.log is the log file for the enhancement.

 

Installing on IBM Spectrum Symphony client hosts

a.      Log on to the IBM Spectrum Symphony client host, and stop the running client.

b.      On each IBM Spectrum Symphony client host, download the symclnt-7.3.0.0_build600667.msp package to a temporary location on the host and install the package:

o   For an interactive installation, double-click the symclnt-7.3.0.0_build600667.msp package and follow the prompts.

o   For a silent installation, enter the following command from the command prompt:

C:\>msiexec /update C:\symclnt-7.3.0.0_build600667.msp /l*v install.log /norestart /quiet REINSTALLMODE=omus 

The command syntax is as follows:

C:\>msiexec /update sym_package_name_path /l*v install.log /norestart /quiet REINSTALLMODE=omus

where:

o   sym_package_name_path is the fully qualified path to the .msp package; in this case, C:\symclnt-7.3.0.0_build600667.msp.

o  install.log is the log file for the enhancement.

 

3.   Configuration

CA_THUMBPRINT_LIST is used to configure the thumbprint of the CA. If there is only one CA, configure it with the format thumbprint@store. If there are multiple CAs in the certificate chain, separate each thumbprint@store string using a colon (:), for example, thumbprint1@store1:thumbprint2@store2. The system will use the thumbprint configured in CA_THUMBPRINT_LIST to acquire a CA certificate from the Windows certificate store. If CA_THUMNPRINT_LIST is configured, CAFILE and CAPATH will be ignored.

IBM Spectrum Symphony supports the following SSL communications:

·       Between VEMKD and the VEMKD client

·       Between SD and SDK

·       Between SSM and SDK

·       Between SSM and SIM

Configuring other types of SSL, will fail, as they are not supported.

 

Configuring SSL between VEMKD and the VEMKD client in the ego.conf file

Assuming that EGO_TRANSPORT_SECURITY, EGO_KD_TS_PORT, and EGO_DEFAULT_TS_PARAMS are properly configured, add the following configuration the ego.conf file:

EGO_CLIENT_TS_PARAMS="SSL[CIPHER=AES256-GCM-SHA384,CA_THUMBPRINT_LIST=c08599998f2e79900c4d7fefb72e3ebb383723bf@ca:9baf4fc8fd8d70d7148c9ffd9d3af24bc19fdfc6@root]"

 

Configuring SSL between SD and SDK, or SSM and SDK, in the sd.xml file

Assuming that SD_SDK_TRANSPORT, SD_SDK_TRANSPORT_ARG, SSM_SDK_TRANSPORT and SSM_SDK_TRANSPORT_ARG are properly configured, add the following configuration to your sd.xml file:

<ego:EnvironmentVariable name="SDK_TRANSPORT">TCPIPv4SSL</ego:EnvironmentVariable>

<ego:EnvironmentVariable name="SDK_TRANSPORT_ARG">SSL[CIPHER=AES256-GCM-SHA384,CA_THUMBPRINT_LIST=c08599998f2e79900c4d7fefb72e3ebb383723bf@ca:9baf4fc8fd8d70d7148c9ffd9d3af24bc19fdfc6@root]</ego:EnvironmentVariable>

 

Configuring SSL between SSM and SIM in the application profile

Assuming that SSM_SIM_TRANSPORT and SSM_SDK_TRANSPORT_ARG are properly configured, add the following configuration to your application profile:

<Security SSM_SIM_TRANSPORT="TCPIPv4SSL" SDK_TRANSPORT_ARG="SSL[CIPHER=AES256-GCM-SHA384, CA_THUMBPRINT_LIST= c08599998f2e79900c4d7fefb72e3ebb383723bf@ca:9baf4fc8fd8d70d7148c9ffd9d3af24bc19fdfc6@root]" SSM_SDK_TRANSPORT_ARG=" SSL[CERTIFICATE=C:\path\user.pem,CIPHER=AES256-GCM-SHA384,PRIVATE_KEY=C:\path\user.key]"/>

 

4.   Uninstallation

Uninstalling from IBM Spectrum Symphony management hosts and compute hosts

a.        Log on to the primary cluster as the cluster administrator:

> egosh user logon -u Admin -x Admin

b.        Shut down the cluster:

> egosh service stop all

> egosh ego shutdown all

c.        On management host and compute host, uninstall the enhancement:

o   To roll back from the Windows Control Panel, go to Control Panel > Programs and Features > View installed updates, click Update for Symphony 7.3.0 (build “600667”) and click Uninstall.

o   To roll back from the IBM Spectrum Symphony command prompt, uninstall the .msp packages:

·       To uninstall the egocore.msp package, run the following command:

C:\>msiexec /uninstall {ADB7D1C6-D02E-4883-A795-41E41D4F37D8} /package {CB3AB822-032B-4052-89BC-E791E96107E5} /norestart /quiet /l*v rollback.log

The command syntax is as follows:

C:\>msiexec /uninstall interim_fix_code /package product_code /norestart /quiet /l*v rollback.log

where:

o   interim_fix_code is the identifier of the .msp package for this interim fix, in this case, {ADB7D1C6-D02E-4883-A795-41E41D4F37D8}.

o    product_code is the identifier of the .msi file for the original product installation package, in this case, {CB3AB822-032B-4052-89BC-E791E96107E5}.

o   rollback.log is the name of the log file to capture details of the rollback.

 

·       To uninstall the soamcore.msp package, run the following command:

C:\>msiexec /uninstall {685C7EE2-32E5-4043-83F4-05E39F27BF03} /package {5B7B0C11-4DDB-4C5F-96A2-D1DCF66DBB64} /norestart /quiet /l*v rollback.log

The command syntax is as follows:

C:\>msiexec /uninstall interim_fix_code /package product_code /norestart /quiet /l*v rollback.log

where:

o   interim_fix_code is the identifier of the .msp package for this interim fix, in this case, {685C7EE2-32E5-4043-83F4-05E39F27BF03}.

o    product_code is the identifier of the .msi file for the original product installation package, in this case, {5B7B0C11-4DDB-4C5F-96A2-D1DCF66DBB64}.

o   rollback.log is the name of the log file to capture details of the rollback.

 

Uninstalling from IBM Spectrum Symphony Developer Edition hosts

a.      Log on to the IBM Spectrum Symphony Developer Edition host, and stop all applications:

> soamcontrol app disable all

b.        Stop IBM Spectrum Symphony Developer Edition:

> echo .| soamshutdown

c.        On each IBM Spectrum Symphony Developer Edition host, uninstall the enhancement:

o   To roll back from the Windows Control Panel, go to Control Panel > Programs and Features > View installed updates, click Update for Symphony 7.3.0 (build “600667”) and click Uninstall.

o   To roll back from the IBM Spectrum Symphony command prompt, enter the following command:

C:\>msiexec /uninstall {23A7F1A4-CC8C-4EB7-8C00-8BF37752DD9A} /package {22654A06-21CF-422C-B5E1-387C1EDC788E} /norestart /quiet /l*v rollback.log

The command syntax is as follows:

C:\>msiexec /uninstall interim_fix_code /package product_code /norestart /quiet /l*v rollback.log

where:

o   interim_fix_code is the identifier of the .msp package for this interim fix, in this case, {23A7F1A4-CC8C-4EB7-8C00-8BF37752DD9A}.

o    product_code is the identifier of the .msi file for the original product installation package, in this case, {22654A06-21CF-422C-B5E1-387C1EDC788E}.

o   rollback.log is the name of the log file to capture details of the rollback. 

 

Uninstalling from IBM Spectrum Symphony client hosts on Windows

a.      Log on to the IBM Spectrum Symphony client host, and stop the running client.

b.      On each IBM Spectrum Symphony client host, uninstall the enhancement:

o   To roll back from the Windows Control Panel, go to Control Panel > Programs and Features > View installed updates, click Update for Symphony 7.3.0 (build “600667”) and click Uninstall.

o   To roll back from the IBM Spectrum Symphony command prompt, enter the following command:

C:\> msiexec /uninstall {DF854676-7335-4A71-ABF0-D060230327C9} /package {D0374E2E-2D3C-4240-9642-D99621AD5463} /norestart /quiet /l*v rollback.log

The command syntax is as follows:

C:\> msiexec /uninstall interim_fix_code /package product_code /norestart /quiet /l*v rollback.log

where:

o   interim_fix_code is the identifier of the .msp package for this interim fix, in this case, {DF854676-7335-4A71-ABF0-D060230327C9}.

o    product_code is the identifier of the .msi file for the original product installation package, in this case, {D0374E2E-2D3C-4240-9642-D99621AD5463}.

o   rollback.log is the name of the log file to capture details of the rollback.

 

5.   List of files

sym-7.3.0.0-egocore-3.8.0.0_build600667.msp d4551d949a22e182a1e251e2bceab177

3.8\etc\vemkd.exe 46cb51773206619cf5aa9fada6065de7

3.8\etc\vemkd.pdb 0224432b91183bcaff1178aa3282ba69

3.8\etc\egosc.exe 928cf4d7c3bb5763f9c895151c81809e

3.8\etc\egosc.pdb 1b4a2d499099f9709b7dbc580f6e61ca

3.8\etc\wsm.exe a9a35a9f137f4baf9f4797accd532a99

3.8\bin\egosh.exe a802eb2c8d10045bf71e72c4374bbdda

3.8\bin\egosh.pdb 46e72e6046bddd776f9608ceab39e667

3.8\lib\libvem.dll 2089e5844a4cee0f5e516307270154b3

3.8\lib\libvem.pdb fedb577133a5a94a3375446c0e9145f6

3.8\lib\libvem380.dll b5dc4d8fb311e93bea2edc754a97a074

3.8\lib\libvem380.pdb 5054bf4a246724f7f5e419538cd50d52

3.8\lib\libsec.dll f76a17391a0d714173a1eb268baad99a

 

sym-7.3.0.0-soamcore-7.3.0.0_build600667.msp 898abb3a8416a8f677bf28ad979e8ac7

soam\7.3\w2k3_x64-vc7-psdk\etc\sd.exe 81792fc698234114e2b43d8dd4f2db4f

soam\7.3\w2k3_x64-vc7-psdk\etc\sd.pdb 2f175e8b596056c74bc1ac0038730451

soam\7.3\w2k3_x64-vc7-psdk\etc\ssm.exe 358ece6ef61702f36c3dd2be75f1b079

soam\7.3\w2k3_x64-vc7-psdk\etc\ssm.pdb f9d73913e560c6f1bfdc22f776e9d89a

soam\7.3\w2k3_x64-vc7-psdk\etc\sim.exe 1156e9717d523949bc1e01a9929639d7

soam\7.3\w2k3_x64-vc7-psdk\etc\sim.pdb c97afa7204865e1a34f6d18613eb4086

soam\7.3\w2k3_x64-vc7-psdk\lib64\soambase.dll b51b2f1b8a8c6e7f51f5a5fb041e93fb

soam\7.3\w2k3_x64-vc7-psdk\lib64\soambase.pdb c4b8262e8c11f2187556b844c3b30ba3

soam\7.3\w2k3_x64-vc7-psdk\lib\soambase.dll d6db66dbbaa936926850aa47cf889145

soam\7.3\w2k3_x64-vc7-psdk\lib\soambase.pdb 7e32a5247b5d3c3e31b06d12d40ea223

soam\7.3\w2k3_x64-vc7-psdk\lib64\libsec.dll f76a17391a0d714173a1eb268baad99a

soam\7.3\w2k3_x64-vc7-psdk\lib64\libvem.dll 2089e5844a4cee0f5e516307270154b3

soam\7.3\w2k3_x64-vc7-psdk\lib64\libvem380.dll b5dc4d8fb311e93bea2edc754a97a074

soam\7.3\w2k3_x64-vc7-psdk\lib\libsec.dll 845667a80b2f4cbd5795c3cf2a32caac

soam\7.3\w2k3_x64-vc7-psdk\lib\libvem.dll e801ede3478d768b131629c957314db6

soam\7.3\w2k3_x64-vc7-psdk\lib\libvem380.dll 7d8a513ff180ece50554ea4b181eb8b5

soam\7.3\w2k3_x64-vc7-psdk\lib\libsec.dll 845667a80b2f4cbd5795c3cf2a32caac

soam\7.3\w2k3_x64-vc7-psdk\lib64\libsec.dll f76a17391a0d714173a1eb268baad99a

 

symclnt-7.3.0.0_build600667.msp 9d925161367a8106416dfc785f110a70

      lib64\soambase.dll a5ee189d0711a1d5b977c814a237eaf7

      lib64\soambase.pdb 4702e714e9890b8de0a1a460d5f99a69

      lib\soambase.dll 7502bfa3aa58a358388d4e821f197790

      lib\soambase.pdb 285d863790d7dd23600223233cc1418d

      lib64\libvem.dll 28024a10781a1bbc161cd19e8e77a11d

      lib64\libvem380.dll 67c498953f18289b2f9b2bd5e8dc11f8

      lib64\libvem380.pdb 79ed9023cf4988ffb007486e245b8473

      lib\libvem.dll d0ee8237459a2f76bc91735c3ae8bca7

      lib\libvem380.dll d2f55beea64f05b99fb92cfa17a82b69

      lib\libvem380.pdb b80c4d2a7ecf5ce6556e07f82f50b592

      lib\libsec.dll 6d9c450dc1f73c948197e96f1c7d83df

      lib64\libsec.dll 44408d5acfde9fe8df9eb57338a700c9

 

symde-7.3.0.0_build600667.msp 4e2fcd078cbcb4d9d3d99d55c25ffb6e

      7.3\w2k3_x64-vc7-psdk\etc\sd.exe d51885a58ef72f9afe160a55fd1b986f

      7.3\w2k3_x64-vc7-psdk\etc\sd.pdb 24ca35c6784f731f816bc09bf9507fe7

      7.3\w2k3_x64-vc7-psdk\etc\ssm.exe 1cef38ad609061e474adecf80daa0453

      7.3\w2k3_x64-vc7-psdk\etc\ssm.pdb 3acfe3d9332b764c5a550fea78af9df8

      7.3\w2k3_x64-vc7-psdk\etc\sim.exe 71b8fc09029b222f61630d8fa0bb18d2

      7.3\w2k3_x64-vc7-psdk\etc\sim.pdb 1254569080a50b323a77c7493a679d7b

      7.3\w2k3_x64-vc7-psdk\lib64\soambase.dll a5ee189d0711a1d5b977c814a237eaf7

      7.3\w2k3_x64-vc7-psdk\lib64\soambase.pdb 4702e714e9890b8de0a1a460d5f99a69

      7.3\w2k3_x64-vc7-psdk\lib\soambase.dll 7502bfa3aa58a358388d4e821f197790

      7.3\w2k3_x64-vc7-psdk\lib\soambase.pdb 285d863790d7dd23600223233cc1418d

      7.3\w2k3_x64-vc7-psdk\ego_lib64\libvem.dll 28024a10781a1bbc161cd19e8e77a11d

      7.3\w2k3_x64-vc7-psdk\ego_lib64\libvem380.dll 67c498953f18289b2f9b2bd5e8dc11f8

      7.3\w2k3_x64-vc7-psdk\ego_lib\libvem.dll d0ee8237459a2f76bc91735c3ae8bca7

      7.3\w2k3_x64-vc7-psdk\ego_lib\libvem380.dll d2f55beea64f05b99fb92cfa17a82b69

      7.3\w2k3_x64-vc7-psdk\lib\libsec.dll 6d9c450dc1f73c948197e96f1c7d83df

      7.3\w2k3_x64-vc7-psdk\lib64\libsec.dll 44408d5acfde9fe8df9eb57338a700c9

 

6.   Product notifications

To receive information about product solution and patch updates automatically, subscribe to product notifications on the My Notifications page http://www.ibm.com/support/mynotifications/ on the IBM Support website (http://support.ibm.com). You can edit your subscription settings to choose the types of information you want to get notification about, for example, security bulletins, fixes, troubleshooting, and product enhancements or documentation changes. 

7.   Copyright and trademark information

© Copyright IBM Corporation 2021

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.