------ README ------

******************************************************************
* All patches are cumulative unless explicitly stated otherwise. *
******************************************************************

Date: June 19, 2017
Fix:  8.0.1.2-ISS-ISDS_20170607-0918

Component:
==========
IBM Security Directory Suite VA 8.0.1.2
  Directory: 8.0.1.2
  Webadmin:  8.2001
  GSKit:     8.0.50.67
  Java:      8.0.4.2
  DB2:       10.5.0.6
  WLP:       16.0.0.4

Contents:
=========
- General Description
- Platforms
- Notices
- Installing a new appliance
- Upgrading an existing appliance:
    Before installing the fix
    Installing the fix
    After installing the fix
- Problem Tracking Information
    APARs from 8.0.1.2-ISS-ISDS_20170607-0918
    APARs from 8.0.1.1-ISS-ISDS_20170301-2234
    APARs from 8.0.1.0-ISS-ISDS_20160607-1251
- Functionality/Behavior Impact:
    Impacts from 8.0.1.2-ISS-ISDS_20170607-0918
    Impacts from 8.0.1.1-ISS-ISDS_20170301-2234
    Impacts from 8.0.1.0-ISS-ISDS_20160607-1251

General Description:
====================
IBM Security Directory Suite appliance 8.0.1.2 contains all accumulated
fixes and new features for all components of the appliance, including the
Directory client, server and web administration, GSKit, Java, DB2 and
WebSphere Application Server.

Platforms:
==========
The fix is available as either a firmware upgrade (*.pkg) for an existing
V8.0.1.1 or earlier appliance, or as a refresh image for installing a new
V8.0.1.2 appliance in either VMWare or KVM (*.iso) or Xen Server (*_vhd.zip)
format.
Platform             filename                                bytes       cksum       MD5
-------------------  --------------------------------------  ----------  ----------  --------------------------------
firmware upgrade     8.0.1.2-ISS-ISDS_20170607-0918.pkg      1611291355  2550361915  52e8e3acec520b5f28d70c4f8009ea96
VMWare or KVM image  8.0.1.2-ISS-ISDS_20170607-0918.iso      1672116224  442944174   88b38dd373c4e767acd0f57cd5aa4319
Xen Server image     8.0.1.2-ISS-ISDS_20170607-0918_vhd.zip  3001273197  740954978   e64544199c82221b833d3da14303d0cc

Notices:
========
1) Upgrade from IBM Security Directory Suite appliance 8.0.0 is NOT supported.
   http://www.ibm.com/support/docview.wss?uid=swg21999883

2) New PERMANENT RESTRICTION: ldapsearch using -C Shift-JIS, or
   "charset: Shift-JIS" in an LDIF file to be imported or used in a modify
   (ldapadd, ldapmodify, ldif2db and bulkload), is not supported with the
   TDS client when the data contain 4-byte characters (other clients are
   supported). Shift-JIS characters 4 bytes in length cannot be converted
   and are not supported using the TDS client; use UTF-8 or UTF-8 base64
   coded data.
   Please see technote #1691475: "UTF-8 support in Security Directory Server"
   http://www.ibm.com/support/docview.wss?uid=swg21691475

Installing a new appliance:
===========================
If you are installing a new appliance rather than upgrading an existing one,
installation images for the latest version of the IBM Directory Suite
appliance 8.0.1 can be found via the download document:
http://www.ibm.com/support/docview.wss?uid=swg24042303

Instructions for configuring the virtual machine and installing the appliance
can be found in the IBM Security Directory Suite 8.0.1 knowledge center:
https://www.ibm.com/support/knowledgecenter/en/SS3Q78_8.0.1/com.ibm.IBMDS.doc_8.0.1/ds_ig_va_installation.html

IMPORTANT: You MUST reboot the appliance after the end of "Setting up the
virtual appliance", step 13 (Press 1 to accept the configuration), when
"A message indicates that the policy changes are successfully applied and
the local management interface is restarted."
https://www.ibm.com/support/knowledgecenter/en/SS3Q78_8.0.1/com.ibm.IBMDS.doc_8.0.1/ds_ig_va_configuring_initial_VAsettings.html

Upgrading an existing appliance:
================================
To upgrade an existing V8.0.1 appliance to a newer version, the latest
firmware upgrade can be found via the support document:
http://www.ibm.com/support/docview.wss?uid=swg27049508

Before installing the fix
-------------------------
WARNING: If the appliance is configured to use a remote database, it must be
manually reconfigured after applying the firmware upgrade. Do not proceed
unless you have the remote database configuration parameters needed for
"After installing the fix", step 3.

1) Log in to the IBM Security Directory Suite virtual appliance console as
   "admin".
2) Use the Server Control widget on the Appliance Dashboard and stop all
   server components one by one.
3) At this time it is recommended to take a snapshot of the Virtual Machine
   at the virtual hypervisor level.
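Before uploading the package to the appliance, it is worth confirming that the download matches the byte count, cksum and MD5 published in the Platforms table. The script below is an added example, not part of the IBM README or the upload tool; it assumes a Linux host with the standard POSIX tools plus md5sum, and the function and variable names are its own.

```sh
#!/bin/sh
# Added example, not part of the IBM README: check a downloaded fix package
# against the byte count, POSIX cksum and MD5 published in the Platforms
# table before uploading it with FileUpload.jar. Needs wc, cksum, md5sum, awk.

# Expected values for the firmware upgrade package, copied from the table.
PKG_NAME="8.0.1.2-ISS-ISDS_20170607-0918.pkg"
PKG_BYTES=1611291355
PKG_CKSUM=2550361915
PKG_MD5=52e8e3acec520b5f28d70c4f8009ea96

# verify_firmware FILE BYTES CKSUM MD5
# Returns 0 only when all three published values match; otherwise reports
# the first mismatch and returns 1.
verify_firmware() {
    file=$1; want_bytes=$2; want_cksum=$3; want_md5=$4
    [ -f "$file" ] || { echo "MISSING: $file"; return 1; }

    # Size first: a truncated download fails fast without hashing ~1.6 GB.
    have_bytes=$(wc -c < "$file" | tr -d ' ')
    [ "$have_bytes" = "$want_bytes" ] || {
        echo "SIZE MISMATCH: $file has $have_bytes bytes, expected $want_bytes"
        return 1
    }

    # POSIX cksum prints "<crc> <bytes> <name>"; compare the CRC field.
    have_cksum=$(cksum "$file" | awk '{print $1}')
    [ "$have_cksum" = "$want_cksum" ] || {
        echo "CKSUM MISMATCH: $file gives $have_cksum, expected $want_cksum"
        return 1
    }

    # MD5 as published; lower-case the expected value in case it was pasted
    # in upper case.
    have_md5=$(md5sum "$file" | awk '{print $1}')
    want_md5=$(printf '%s' "$want_md5" | tr 'A-Z' 'a-z')
    [ "$have_md5" = "$want_md5" ] || {
        echo "MD5 MISMATCH: $file gives $have_md5, expected $want_md5"
        return 1
    }

    echo "OK: $file matches the published size, cksum and MD5"
    return 0
}

# Run from the directory holding the downloaded package; skipped when the
# package is not present so the function can be sourced from elsewhere.
if [ -f "$PKG_NAME" ]; then
    verify_firmware "$PKG_NAME" "$PKG_BYTES" "$PKG_CKSUM" "$PKG_MD5" || exit 1
fi
```

The size, cksum and MD5 only detect a corrupt or truncated download; authenticity of the package is checked by the appliance itself, which is what the "Signature verified" line during install_firmware reports.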
Installing the fix
------------------
1) The firmware upgrade must be uploaded to the appliance using the
   "upload_firmware_tool.zip" tool provided with the appliance in the
   "Custom File Management" / "idstools" folder. Download it and follow the
   instructions in "ReadMe.txt".

   For example (using the default certificate):

   # java -jar FileUpload.jar \
       temptrust.jks WebAS 8.0.1.2-ISS-ISDS_20170607-0918.pkg
   File size: 1611291355
   SERVER REPLIED: upload completed successfully.

   Note: After the "File size" response, there will be no progress indication
   until the file upload is completed and the tool displays the
   "SERVER REPLIED" message. This should take a few minutes, but could take
   longer depending on network speed.

2) Log in to the CLI. Go to (top) / "sds" / "firmware_update".

   [hostname]> sds
   [hostname]:sds> firmware_update
   [hostname]:firmware_update>

3) Run the "list_firmware" command.

   [hostname]:firmware_update> list_firmware
   Available firmware update files:
   1: 8.0.1.2-ISS-ISDS_20170607-0918.pkg

4) Run the "install_firmware" command.

   [hostname]:firmware_update> install_firmware
   Warning: This operation will require that the appliance is rebooted.
   Are you sure you want to update the firmware to the inactive partition ?
   Enter 'YES' to confirm: YES
   1: 8.0.1.2-ISS-ISDS_20170607-0918.pkg
   Enter index: 1
   The firmware update '8.0.1.2-ISS-ISDS_20170607-0918.pkg' will be installed to the inactive partition
   Signature verified
   Formatting partition 2
   Installing 8.0.1.2-ISS-ISDS_20170607-0918
   Installing postinstall script
   Finished updating. Please reboot appliance.
   Successfully installed firmware update '8.0.1.2-ISS-ISDS_20170607-0918.pkg' to the inactive partition
   Information about installed firmware images.
   1: 8.0.1.0-ISS-ISDS_20160607-1251 [ACTIVE]
      Firmware Version: IBM Security Directory Suite 8.0.1.0
      Installation Date: Mar 3, 2017 04:23:27 AM
      Installation Type: ISO
      Last Boot: Mar 3, 2017 10:43:42 AM
      Comment:
   2: 8.0.1.2-ISS-ISDS_20170607-0918
      Firmware Version: IBM Security Directory Suite 8.0.1.2
      Installation Date: Jun 13, 2017 11:30:22 AM
      Installation Type: XPU
      Last Boot: Never
      Comment:
   Restart IBM Security Directory Suite appliance to apply the new settings.

After installing the fix
------------------------
1) Restart the virtual appliance to complete the upgrade process.

2) Verify the installation:

   [hostname]> firmware list
   1: 8.0.1.0-ISS-ISDS_20160607-1251
      Firmware Version: IBM Security Directory Suite 8.0.1.0
      Installation Date: Mar 3, 2017 04:23:27 AM
      Installation Type: ISO
      Last Boot: Mar 3, 2017 10:43:42 AM
      Comment:
   2: 8.0.1.2-ISS-ISDS_20170607-0918 [ACTIVE]
      Firmware Version: IBM Security Directory Suite 8.0.1.2
      Installation Date: Jun 13, 2017 11:30:22 AM
      Installation Type: XPU
      Last Boot: Jun 13, 2017 11:58:46 AM
      Comment:

3) If the appliance is configured to use a remote database, then it must be
   reconfigured after applying the firmware upgrade. Failure to do so will
   result in the following errors when the directory server is started:

   [timestamp] GLPSRV247I Initializing primary REMOTE database 'ldapdb' and its connections.
   [timestamp] VAUUID check on the remote database failed.
   [timestamp] GLPSRV064E Failed to initialize be_config.

   To fix this, you must unconfigure and then reconfigure the remote database
   using the same parameters as originally used.
   See https://www.ibm.com/support/knowledgecenter/SS3Q78_8.0.1/com.ibm.IBMDS.doc_8.0.1/r_cr_idscfgdb.html

   a) Unconfigure the remote db using the CLI:
      [hostname]> sds server_tools idsucfgdb -I sdsinst1 -Y -n

   b) Reconfigure the remote db with the -F (force) flag:
      [hostname]> sds server_tools idscfgdb -I sdsinst1 -a sdsinst1 -t -w sdsinst1 -Y -S -l /home/sdsinst1 -P -u -p -F -n

4) Clear the browser cache and restart the browser if you want to access the
   virtual appliance console.

5) Restart the Directory services from the Server Control widget on the
   Appliance Dashboard.

6) Verify functionality of SDS/FDS/SCIM components.

7) Optional: Back up Partition 2 into Partition 1 after the successful
   completion of the firmware upgrade. The backup process overwrites the
   information that is in Partition 1.

   Take the following actions:
   - Check and fix any errors if the upgrade process failed.
   - Set Partition 1 as the active partition and restart it.

IMPORTANT NOTE: After the firmware upgrade, the appliance may be returned back
into service, and it can start taking updates (add/mod/delete of LDAP data).
Once the appliance is returned back into service, it is recommended not to
revert back to the snapshot taken before the firmware update or to the
non-active partition.

Problem Tracking Information:
=============================
The APAR number and abstract for all changes to the Directory Server
components included in this fix are listed below. Further detail on
individual APARs can be found by searching for the APAR number on the IBM
Security Directory Server Support Web page:
http://www.ibm.com/support/entry/portal/overview/software/security_systems/tivoli_directory_server

APARs from 8.0.1.2-ISS-ISDS_20170607-0918
-------------------------------------------------------
APAR IO25019 (RTC 153685)
  Processed changes in replication change table inflating replication change table size.
APAR IO25137 (RTC 157249)
  Unable to set backup folder with SDS VA provided WebAdmin Tool
APAR IO25141 (RTC 155539)
  idscfgremotedb creates default tablespaces with 32k page size
APAR IO25142 (RTC 155539)
  idscfgremotedb doesn't provide -l option on Unix p/f
APAR IO25167 (RTC 158969)
  The Memory utilization graph on the LMI is incorrect
APAR IO25260 (RTC 157653)
  Unlock instance user for admin backup/restore
APAR IO25261 (RTC 158308)
  Scheduled online backup fails to start
APAR IO25291 (IDI 141857)
  LDAP: error code 48 - Inappropriate Authentication
APAR IO25294 (RTC 159774)
  SDS VA 8.0.1.1 idsperftune with "-A" options fails
APAR IO25333 (RTC 152900)
  TDS Server crash during persistent search
APAR IO25337 (RTC 155668)
  ldap client application crash
APAR IO25340 (RTC 157501)
  ibmslapd crash in bindToMaster function
APAR IO25343 (RTC 157502)
  Replica fails to connect with next available master via ldaps
APAR IO25346 (RTC 156826 157747 158682)
  pta connection is dropped due to inactivity or idle.
APAR IO25350 (RTC 157629)
  ldap search results in blank userpassword
APAR IO25354 (RTC 159525)
  Return original old style non standard sha userpassword
APAR IO25356 (RTC 161753 162596)
  SDS VA 8.0.1.1: idslogmgmt fails to archive audit.log to CustomOut directory
APAR IO25384 (RTC 158471)
  Directory Server defaultwebadmin.jks keystore may have had defaultwebamin cert added when it is not needed.
APAR IO25385 (IDI 142475)
  FDS - Built-in Directory Browser fails to handle the backslash escape character
APAR IO25442 (RTC 153383)
  VA 8.0.1 LMI panel shows Status as config_only, even though back-end Directory server started fully.
APAR IO25446 (RTC 158395)
  Update JRE to Java 8.0 SR 4 Fix Pack 2
APAR IO25449 (RTC 158396)
  Update WebSphere Application Server Liberty to Fix Pack 16.0.0.4
APAR IO25450 (RTC 158845 159205)
  SDS 8.0.1.1 idsimigr fails with unsupported migration path.
APAR IO25451 (RTC 162470)
  Restrict SDS VA CLI commands to proper form(s).
APAR IO25452 (RTC 158836 160272 162406)
  Reboot message added when security certificates are updated.

APARs from 8.0.1.1-ISS-ISDS_20170301-2234
-------------------------------------------------------
APAR IO24299 (RTC 153594)
  Replication changes sent to a consumer may be lost
APAR IO24305 (RTC 150083)
  Web administration tool is susceptible to a denial of service attack.
APAR IO24322 (RTC 151553)
  Setting LDAP_OPT_SSL_EXTN_SIGALG may not have any effect
APAR IO24678 (RTC 148747)
  unable to use idsldif2db on virtual appliance 801
APAR IO24742 (RTC 146116)
  getaddrinfo delay may lock other threads
APAR IO24767 (RTC 150041)
  uploads fail with ext_lib.add_fail after idsimigr
APAR IO24806 (RTC 155268 155862 155971)
  Directory Server related default certificates were expired on VA
APAR IO24851 (RTC 151887)
  ibmslapd crashes when binding with invalid pass through auth creds
APAR IO24891 (RTC 150167)
  Modifying length of custom attribute fails with error 53.
APAR IO24898 (RTC 147243)
  java.lang.NoSuchMethodError when logging to Web Admin Tool.
APAR IO24902 (RTC 147616)
  [Win64] backend directory server may crash in proxy env.
APAR IO24906 (RTC 150039)
  On Solaris 5.10 a gskit init failure may cause core
APAR IO24908 (RTC 151170)
  LDAPSync for 'delete' operation fails with error 'oldrdn not found'
APAR IO24915 (RTC 147152)
  For paged search, server gives error - DSA unwilling to perform
APAR IO24922 (RTC 150653)
  6.4 - Files still exist of deprecated feature - ADSync.
APAR IO25009 (RTC 153398)
  ldapsearch does not show result, if bind DN is not member of any group but its alias is a member of group having proper access.
APAR IO25020 (RTC 151897 152303)
  LDAP server crashes during ISIM data feed operation
APAR IO25024 (RTC 153525)
  WAT shows wrong icon for master in replication topology.
APAR IO25028 (RTC 152684 153568 153649 153663)
  Disable TripleDES ciphers for CVE-2016-2183 (Sweet32)
APAR IO25090 (RTC 149981 151325 151569 151641 151992 152144 156087 156329)
  Update WebSphere Application Server Liberty to Fix Pack 16.0.0.2
APAR IO25092 (RTC 153311 153473 153506 153520 154119)
  Update JRE to Java Version 8 Service Refresh 3 Fix Pack 20
APAR IO25108 (RTC 153679)
  ISDS RDBM server with ChangeLog enabled, fails to start when changing its role to Virtual Directory or PROXY server.
APAR IO25181 (RTC 153643)
  ISDS 8.0.1 LMI panel does not show notification of "Server needs to be restarted" when modifying attribute mapping.
APAR IO25183 (RTC 153079)
  runretailcode tool not restoring retail code libraries
APAR IO25184 (RTC 150038)
  SDS 6.4 core when SSL replication connection setup fails.
APAR IO25188 (RTC 154818)
  dbrestore fails when password length is greater than 18 chars
APAR IO25189 (RTC 147140)
  ldapdiff with ssl options fails to connect to ldap server

APARs from 8.0.1.0-ISS-ISDS_20160607-1251
-------------------------------------------------------
APAR IO24555 (RTC 142110)
  Web administration tool is susceptible to a Path Traversal attack.
APAR IO24563 (RTC ?)
  GLPRDB111E message displayed during replication initialization
APAR IO24580 (RTC 139722 142084)
  Server crash during startup.
APAR IO24593 (RTC 141183)
  idsbulkload command fails with GLPBLK108E error message.
APAR IO24594 (RTC 141427)
  Last Successful Authentication menu not shown in webadmin tool
APAR IO24748 (RTC 145062)
  Advanced password policy not followed for DirDataAdmin role
APAR IO25064 (RTC ?)
  GLPRDB111E message displayed during db2 password monitoring

Functionality/Behavior Impact:
==============================
Notable or unexpected changes in functionality or behavior associated with
the APARs documented in this fix:

Impacts from 8.0.1.2-ISS-ISDS_20170607-0918
--------------------------------------------------------
APAR     Sev   Functionality/Behavior Impact
-------  ----  ------------------------------------------------------------
IO25019  LOW   By default, the replication change table is cleaned up every
               15 minutes. A new environment variable has been added to
               control this time:
                 IDS_REPL_CLEANUP_TIMER=x
               where 'x' is an integer number of minutes from 1 to 15.

IO25354  LOW   The environment variable IBMSLAPD_FORMAT_OLDSTYLE_SHA=FALSE
               can be used to prevent the server from converting older SHA
               encoded passwords to base64 encoding. This is not recommended.

Impacts from 8.0.1.1-ISS-ISDS_20170301-2234
--------------------------------------------------------
APAR     Sev   Functionality/Behavior Impact
-------  ----  ------------------------------------------------------------
IO25028  HIGH  For all existing instances of client or server, the following
               ciphers will be actively filtered out of any cipher or
               cipher_EX settings passed to GSKit.

               (SSLV3, TLS10, TLS11)
                 00 - TLS_RSA_WITH_NULL_NULL
                 01 - TLS_RSA_WITH_NULL_MD5
                 02 - TLS_RSA_WITH_NULL_SHA
                 03 - TLS_RSA_EXPORT_WITH_RC4_40_MD5
                 04 - TLS_RSA_WITH_RC4_128_MD5
                 05 - TLS_RSA_WITH_RC4_128_SHA
                 06 - TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
                 09 - TLS_RSA_WITH_DES_CBC_SHA
                 0A - TLS_RSA_WITH_3DES_EDE_CBC_SHA
                 62 - TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
                 64 - TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA

               (TLS12)
                 TLS_RSA_WITH_RC4_128_SHA
                 TLS_ECDHE_RSA_WITH_RC4_128_SHA
                 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
                 TLS_RSA_WITH_3DES_EDE_CBC_SHA
                 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
                 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA

               This means that even if they are configured, they will no
               longer be used.

               GSK_ENFORCE_TDEA_RESTRICTION is also enabled by default.
               Triple DES CipherSuites will be restricted to 2^32 64-bit
               blocks (32 GBytes). Once the byte limit is reached the SSL/TLS
               connection will be terminated with the error
               GSK_ERROR_BYTECOUNT_EXHAUSTED (445).

               If you have a need to enable any of the above mentioned WEAK
               ciphers, you must explicitly enable them, disable FIPS mode
               and set the following environment variables:
                 - For server connections: IBMSLAPD_ALLOW_WEAK_CIPHERS=TRUE
                 - For client connections: LDAP_OPT_ALLOW_WEAK_CIPHERS=TRUE

Impacts from 8.0.1.0-ISS-ISDS_20160607-1251
--------------------------------------------------------
none

------ README ------