------ README ------

******************************************************************
* All patches are cumulative unless explicitly stated otherwise. *
******************************************************************

Date: December 18, 2018

Fix: 8.0.1.9-ISS-ISDS_20181207-0045

Component:
==========
IBM Security Directory Suite VA 8.0.1.9
    Directory: 8.0.1.9
    Webadmin:  8.2005
    GSKit:     8.0.50.89
    Java:      8.0.5.25
    DB2:       10.5.0.6
    WLP:       18.0.0.1

Contents:
=========
- General Description
- Platforms
- Notices
- Installing a new appliance:
- Upgrading an existing appliance:
    Before installing the fix
    Installing the fix
    After installing the fix
- Problem Tracking Information
    APARs from 8.0.1.9-ISS-ISDS_20181207-0045
    APARs from 8.0.1.8-ISS-ISDS_20180917-2142
    APARs from 8.0.1.7-ISS-ISDS_20180701-2312
    APARs from 8.0.1.6-ISS-ISDS_20180313-1835
    APARs from 8.0.1.5-ISS-ISDS_20171219-1425
    APARs from 8.0.1.4-ISS-ISDS_20171004-1128
    APARs from 8.0.1.3-ISS-ISDS_20170913-1500
    APARs from 8.0.1.2-ISS-ISDS_20170607-0918
    APARs from 8.0.1.1-ISS-ISDS_20170301-2234
    APARs from 8.0.1.0-ISS-ISDS_20160607-1251
- Functionality/Behavior Impact:
    Impacts from 8.0.1.9-ISS-ISDS_20181207-0045
    Impacts from 8.0.1.8-ISS-ISDS_20180917-2142
    Impacts from 8.0.1.7-ISS-ISDS_20180701-2312
    Impacts from 8.0.1.6-ISS-ISDS_20180313-1835
    Impacts from 8.0.1.5-ISS-ISDS_20171219-1425
    Impacts from 8.0.1.4-ISS-ISDS_20171004-1128
    Impacts from 8.0.1.3-ISS-ISDS_20170913-1500
    Impacts from 8.0.1.2-ISS-ISDS_20170607-0918
    Impacts from 8.0.1.1-ISS-ISDS_20170301-2234
    Impacts from 8.0.1.0-ISS-ISDS_20160607-1251

General Description:
====================
IBM Security Directory Suite appliance 8.0.1.9 contains all accumulated
fixes and new features for all components of the appliance, including the
Directory client, server and web administration, GSKit, Java, DB2 and
Websphere Application Server.

Platforms:
==========
The fix is available as either a firmware upgrade (*.pkg) for an existing
appliance, or as a refresh image for installing a new V8.0.1.9 appliance in
either VMWare or KVM (*.iso) or Xen Server (*_vhd.zip) format.

Platform             filename                                bytes       cksum       MD5
-------------------  --------------------------------------  ----------  ----------  --------------------------------
firmware upgrade     8.0.1.9-ISS-ISDS_20181207-0045.pkg      1702927067  886403991   438ad8a56b88c3bc1c54b0dd5d8a544b
VMWare or KVM image  8.0.1.9-ISS-ISDS_20181207-0045.iso      1764806656  1203454360  15af439f7c8da18e239beb6b3382a558
Xen Server image     8.0.1.9-ISS-ISDS_20181207-0045_vhd.zip  3176147412  1659817834  644e7a7dab0f76016e142305247429d8

Notices:
========
1) Upgrade from IBM Security Directory Suite appliance 8.0.0 is NOT
   supported.
   http://www.ibm.com/support/docview.wss?uid=swg21999883

2) New PERMANENT RESTRICTION of no support for ldapsearch using
   -C Shift-JIS, or charset: Shift-JIS in an ldif file to be imported or
   used in a modify (ldapadd, ldapmodify, ldif2db and bulkload), when the
   data contain 4 byte characters using the TDS client (other clients are
   supported). Shift-JIS characters 4 bytes in length cannot be converted
   and are not supported using the TDS client; use utf-8 or utf-8 base64
   coded data.
   Please see technote #1691475: "UTF-8 support in Security Directory
   Server"
   http://www.ibm.com/support/docview.wss?uid=swg21691475

Installing a new appliance:
===========================
If you are installing a new appliance rather than upgrading an existing
one, installation images for the latest version of the IBM Directory Suite
appliance 8.0.1 can be found via the download document:
http://www.ibm.com/support/docview.wss?uid=swg24042303

Instructions for configuring the virtual machine and installing the
appliance can be found in the IBM Security Directory Suite 8.0.1 knowledge
center:
https://www.ibm.com/support/knowledgecenter/en/SS3Q78_8.0.1/com.ibm.IBMDS.doc_8.0.1/ds_ig_va_installation.html

IMPORTANT: You MUST reboot the appliance after the end of "Setting up the
virtual appliance", step 13 (Press 1 to accept the configuration) when "A
message indicates that the policy changes are successfully applied and the
local management interface is restarted."
https://www.ibm.com/support/knowledgecenter/en/SS3Q78_8.0.1/com.ibm.IBMDS.doc_8.0.1/ds_ig_va_configuring_initial_VAsettings.html

Upgrading an existing appliance:
================================
To upgrade an existing V8.0.1 appliance to a newer version, the latest
firmware upgrade can be found via the support document:
http://www.ibm.com/support/docview.wss?uid=swg27049508

Before installing the fix
-------------------------
1) Log in to the IBM Security Directory Suite virtual appliance console as
   "admin".

2) Use the Server Control widget on the Appliance Dashboard and stop all
   server components one by one.

3) At this time it's recommended to take a snapshot of the Virtual Machine
   at the virtual hypervisor level.

Installing the fix
------------------
1) The firmware upgrade must be uploaded to the appliance using the
   "upload_firmware_tool.zip" tool provided with the appliance in the
   "Custom File Management" / "idstools" folder. Download it and follow
   the instructions in "ReadMe.txt".

   For example (using the default certificate):

   # java -jar FileUpload.jar \
       temptrust.jks WebAS 8.0.1.9-ISS-ISDS_20181207-0045.pkg
   File size: 1702927067
   SERVER REPLIED: upload completed successfully.

   Note: After the "File size" response, there will be no progress
   indication until the file upload is completed and the tool displays the
   "SERVER REPLIED" message. This should take a few minutes, but could
   take longer depending on network speed.

2) Log in to the CLI. Go to (top) / "sds" / "firmware_update".

   [hostname]> sds
   [hostname]:sds> firmware_update
   [hostname]:firmware_update>

3) Run the "list_firmware" command.

   [hostname]:firmware_update> list_firmware
   Available firmware update files:
   1: 8.0.1.9-ISS-ISDS_20181207-0045.pkg

4) Run the "install_firmware" command.

   [hostname]:firmware_update> install_firmware
   Warning: This operation will require that the appliance is rebooted.
   Are you sure you want to update the firmware to the inactive partition ?
   Enter 'YES' to confirm: YES
   1: 8.0.1.9-ISS-ISDS_20181207-0045.pkg
   Enter index: 1
   The firmware update '8.0.1.9-ISS-ISDS_20181207-0045.pkg' will be installed to the inactive partition
   Signature verified
   Formatting partition 2
   Installing 8.0.1.9-ISS-ISDS_20181207-0045
   Installing postinstall script
   Finished updating. Please reboot appliance.
   Successfully installed firmware update '8.0.1.9-ISS-ISDS_20181207-0045.pkg' to the inactive partition
   Information about installed firmware images.
    1: 8.0.1.0-ISS-ISDS_20160607-1251 [ACTIVE]
       Firmware Version: IBM Security Directory Suite 8.0.1.0
       Installation Date: Mar 3, 2017 04:23:27 AM
       Installation Type: ISO
       Last Boot: Dec 10, 2018 07:41:08 AM
       Comment:
    2: 8.0.1.9-ISS-ISDS_20181207-0045
       Firmware Version: IBM Security Directory Suite 8.0.1.9
       Installation Date: Dec 10, 2018 11:25:10 AM
       Installation Type: XPU
       Last Boot: Never
       Comment:
   Restart IBM Security Directory Suite appliance to apply the new settings.

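Added example, not part of the IBM README: before the upload in step 1 of
"Installing the fix", the downloaded file can be checked against the bytes,
cksum and MD5 columns of the Platforms table. The names MANIFEST, md5_of and
verify_download are chosen for this example; the check catches a truncated or
corrupted download, while the package signature is checked by
install_firmware itself ("Signature verified" in the transcript above).

```shell
#!/bin/sh
# Added example (not IBM tooling): compare a downloaded 8.0.1.9 image with
# the bytes / cksum / MD5 values published in this README's Platforms table.

# One row per image: filename bytes cksum md5 (copied from the Platforms table).
MANIFEST='8.0.1.9-ISS-ISDS_20181207-0045.pkg 1702927067 886403991 438ad8a56b88c3bc1c54b0dd5d8a544b
8.0.1.9-ISS-ISDS_20181207-0045.iso 1764806656 1203454360 15af439f7c8da18e239beb6b3382a558
8.0.1.9-ISS-ISDS_20181207-0045_vhd.zip 3176147412 1659817834 644e7a7dab0f76016e142305247429d8'

# Print the MD5 of a file as lowercase hex, using whichever tool is installed.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q < "$1"
    else
        openssl md5 < "$1" | awk '{print $NF}'
    fi
}

# verify_download FILE [MANIFEST_TEXT]
# Returns 0 when size, cksum and MD5 all match the manifest row named after
# the file's basename, 1 on any mismatch, 2 if the file is missing or unlisted.
verify_download() {
    vd_file=$1
    vd_manifest=${2:-$MANIFEST}
    [ -f "$vd_file" ] || { echo "no such file: $vd_file" >&2; return 2; }
    vd_name=$(basename "$vd_file")
    vd_row=$(printf '%s\n' "$vd_manifest" |
        awk -v n="$vd_name" '$1 == n { print; exit }')
    [ -n "$vd_row" ] || { echo "not listed: $vd_name" >&2; return 2; }

    # Split the row into $1..$4; the fields hold no spaces or glob characters.
    set -- $vd_row
    vd_rc=0

    vd_bytes=$(wc -c < "$vd_file" | tr -d ' ')
    [ "$vd_bytes" = "$2" ] ||
        { echo "$vd_name: size $vd_bytes, expected $2" >&2; vd_rc=1; }

    vd_crc=$(cksum < "$vd_file" | awk '{print $1}')
    [ "$vd_crc" = "$3" ] ||
        { echo "$vd_name: cksum $vd_crc, expected $3" >&2; vd_rc=1; }

    vd_md5=$(md5_of "$vd_file")
    vd_want=$(printf '%s' "$4" | tr 'A-F' 'a-f')   # accept upper-case hex
    [ "$vd_md5" = "$vd_want" ] ||
        { echo "$vd_name: MD5 $vd_md5, expected $vd_want" >&2; vd_rc=1; }

    return "$vd_rc"
}

# When run with file arguments, check each one against the README values.
for f in "$@"; do
    if verify_download "$f"; then echo "OK: $f"; else echo "FAILED: $f"; fi
done
```
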
After installing the fix
------------------------
1) Restart the virtual appliance to complete the upgrade process.

2) Verify the installation:

   [hostname]> firmware list
    1: 8.0.1.0-ISS-ISDS_20160607-1251
       Firmware Version: IBM Security Directory Suite 8.0.1.0
       Installation Date: Mar 3, 2017 04:23:27 AM
       Installation Type: ISO
       Last Boot: Dec 10, 2018 07:41:08 AM
       Comment:
    2: 8.0.1.9-ISS-ISDS_20181207-0045 [ACTIVE]
       Firmware Version: IBM Security Directory Suite 8.0.1.9
       Installation Date: Dec 10, 2018 11:25:10 AM
       Installation Type: XPU
       Last Boot: Dec 10, 2018 11:29:20 AM
       Comment:

3) Clear the browser cache and restart the browser if you want to access
   the virtual appliance console.

4) Restart the Directory services from the Server Control widget on the
   Appliance Dashboard.

5) Verify functionality of SDS/FDS/SCIM components.

6) Optional: Back up Partition 2 into Partition 1 after the successful
   completion of the firmware upgrade. The backup process overwrites the
   information that is in Partition 1. Take the following actions:
   - Check and fix any errors if the upgrade process failed.
   - Set Partition 1 as the active partition and restart it.

IMPORTANT NOTE: After the firmware upgrade, the appliance may be returned
back into service, and it can start taking updates (add/mod/delete of ldap
data). Once the appliance is returned back into service, it's recommended
not to revert back to the snapshot taken before the firmware update or to
the non-active partition.

Problem Tracking Information:
=============================
The APAR number and abstract for all changes to the Directory Server
components included in this fix are listed below.
Further detail on individual APARs can be found by searching for the APAR
number on the IBM Security Directory Server Support Web page:
http://www.ibm.com/support/entry/portal/overview/software/security_systems/tivoli_directory_server

APARs from 8.0.1.9-ISS-ISDS_20181207-0045
-------------------------------------------------------
APAR IO25143 (RTC 180345) Directory Server fails to start after configuring remote changelog db
APAR IO25558 (RTC 179031) bulkload fails to drop or add unique constraint
APAR IO26213 (RTC 179831) SDS VA Server in replication crashed when data is loaded to the Primary Master server
APAR IO26254 (RTC 177737) SDS VA: Doc update required on how to get com.tivoli.pd.rgy.jar
APAR IO26267 (RTC 179459) ISDS Web Admin Tool gives error when configuring QRadar settings
APAR IO26304 (RTC 180697 181147) SDS VA: LMI certificate renewed automatically
APAR IO26533 (RTC 179383) pwdChangedTime fails to get updated
APAR IO26554 (RTC 178893) SDS cores when searching as PASSWORDADMIN with some operational attributes
APAR IO26583 (RTC 178983) pwdMaxAscChars and pwdMaxDscChars policy enforcement failures
APAR IO26586 (RTC 178231) SDS Server Cores if the value of pwdNoSpaces is blank while enabling Advanced pwd policy
APAR IO26589 (RTC 171140) GLPSRV163E message is missing details
APAR IO26696 (RTC 180695) SDS VA: Update JRE to Java 8.0 SR 5 Fix Pack 25
APAR IO26722 (RTC 157254) SDS VA: firmware upgrade creates a new VA uuid
APAR IO26723 (RTC 180154) SDS VA: documentation update for RHEL 7 KVM support steps
APAR IO26727 (RTC 179457 180524) SDS VA: Provide Advanced Tuning Parameters link on VA LMI
APAR IO26728 (RTC 180089) SDS VA: stop important daemons before shutdown or restart
APAR IO26729 (RTC 180449) [RFE] SDS VA - provide script to remotely download backup files
APAR IO26730 (RTC 179451) SDS VA: option to disable Mitigation for Spectre and Meltdown
APAR IO26731 (RTC 180075) SDS VA: tools ikeycmd does not work for lmi.jks
APAR IO26732 (RTC 178236) Remote migration from 6.4.0.13 onwards to 8.0.1 fails
APAR IO26733 (RTC 177417) SDS VA: Change Admin DN Credentials from LMI shows an invalid user DN error
APAR IO26734 (RTC 161747 181141) SDS VA: Proper error tracking for various commands
APAR IO26736 (RTC 173450) last-login and adv-pwd-policy plug-ins will not load together

APARs from 8.0.1.8-ISS-ISDS_20180917-2142
-------------------------------------------------------
APAR IO26527 (RTC 178633) SDS VA: Large file size data fails to copy in firmware upgrade
APAR IO26537 (RTC 178777) SDS VA: Working with snapshot stops the directory server

APARs from 8.0.1.7-ISS-ISDS_20180701-2312
-------------------------------------------------------
APAR IO25803 (RTC 168970) SDS VA: SCIM and REST API not returning members of a group.
APAR IO25941 (RTC 176819) SDS VA: With LMI, unable to create snapshot having size > 1GB.
APAR IO26014 (RTC 175949) SDS VA: Set derby.drda.logConnections=false by default to FDS
APAR IO26147 (RTC 174197) LDAPSync - Moving an entry from one ou to another may fail
APAR IO26149 (RTC 177127) SDS VA: Firmware upgrade fails to copy SDS instance data
APAR IO26175 (RTC 175944) SDS VA: log management feature update
APAR IO26246 (RTC 175947) SDS VA: Memory Monitor shows incorrect used and free memory
APAR IO26348 (RTC 177029) SDS VA: Update WebSphere Application Server Liberty to 18.0.0.1
APAR IO26344 (RTC 175957) SDS VA: Update JRE to Java 8.0 SR 5 Fix Pack 15
APAR IO26352 (RTC 176554) SDS VA: deletefile command fix
APAR IO26353 (RTC 177128) [RFE]SDS VA: boot process may take long time
APAR IO26369 (RTC 176554) [RFE]SDS VA: CLI to list contents of CustomIn/CustomOut/ Certificates directories
APAR IO26375 (RTC 176352) LDAP application may crash during referral chase operation
APAR IO26377 (RTC 173398) Display utility input parameters during startup in log files
APAR IO26378 (RTC 173458) ibmslapd crash when conf file is not readable
APAR IO26379 (RTC 175667) Crashes occuring while doing repeated paged searches
APAR IO26381 (RTC 117722) IDS Proxy server crash
APAR IO26382 (RTC 174540) Usage value of LDAP_GRP_DESC table gets updated incorrectly by multi-threads processing
APAR IO26383 (RTC 176355) Replication of userpassword may fail when configured encryption method is changed
APAR IO26385 (RTC 173604) PTA password migration may fail
APAR IO26386 (RTC 173972) Bad search filter error or Protocol error with wild card embedded in a search value
APAR IO26387 (RTC 174258) LDAPSync doesn't consistently sync all group members
APAR IO26388 (RTC 176351) Application crash when using ldap client lib in ldap_delete_error_msgs api
APAR IO26389 (RTC 175666) ibmslapd may crash during paged search operations
APAR IO26390 (RTC 175762) Enhancement to Audit log to include security/protocol type
APAR IO26391 (RTC 176353) Print GSKit returned error messages in ibmslapd.log
APAR IO26392 (RTC 177063) IDSLDAP Client support for SASL EXTERNAL bind to OpenLDAP server
APAR IO26402 (RTC 174889) Enhancement to support LDAP Password Modify Extended Operation (RFC 3062)

APARs from 8.0.1.6-ISS-ISDS_20180313-1835
-------------------------------------------------------
APAR IO25466 'Log Schedule' missing in WAT for db2 log and lost and found log
APAR IO25615 (RTC 173754) Db2cli and lostandfound log files require log management
APAR IO25772 (RTC 173736) SDS VA: idslogmgmt fails to archive logs to CustomOut directory
APAR IO25788 (RTC 173754) Idslogmgmt needs to be restarted for changes in parameters to take effect.
APAR IO26080 (RTC 173733) SDS VA: Mitigation for Spectre and Meltdown vulnerabilities
APAR IO26082 (RTC 173758) [RFE] SDS VA: Enable and configure SDI password synchronization plugin from LMI panels.
APAR IO26169 (RTC 173754) Idslogmgmt.log is not getting archived/rotated.
APAR IO26170 (RTC 173754) Higher cpu spike on idslogmgmt/java process
APAR IO26171 (RTC 173754) Idslogmgmt.xml - Qradar LEEF entry incorrectly reports non-secure port when SSL port should be reported.

APARs from 8.0.1.5-ISS-ISDS_20171219-1425
-------------------------------------------------------
APAR IO24353 (RTC 170639) idsldapdiff fails with error "GLPJBP043E Exception occurred"
APAR IO25660 (RTC 170908) SDS VA idslogmgmt creates archive filenames that cannot be downloaded from VA console
APAR IO25767 (RTC 168012) Proper sizelimit not used for global admin group members
APAR IO25779 (RTC 168403) idsldapdiff schema check fails with NullPointerException
APAR IO25856 (RTC 170907) inbound traffic and outbound traffic observed on different interfaces
APAR IO25862 (RTC 170883) snapshot creation using REST API may return random failure
APAR IO25866 (RTC 170589) Fix for correcting idsrun permissions and ownership in SDS VA
APAR IO25893 (RTC 168925) Attribute encryption schema information is not preserved on remote migration to ISDS 6.4
APAR IO25936 (RTC 155143) [RFE] Externalize command line tools; gsk8capicmd_64 and ikeycmd
APAR IO25940 (RTC 171041) [RFE] add bootstrap and upgrade logs to LMI and support package
APAR IO25966 (RTC 168787 168857 169239) [RFE] Enable SDI password synchronization plug-ins with SDS VA

APARs from 8.0.1.4-ISS-ISDS_20171004-1128
-------------------------------------------------------
APAR IO25325 (RTC 164846 165399 165401 167330 167351 167425 167618 167732) "Start/Stop log management" on WAT fails with error GLPWSA132E
APAR IO25729 (RTC 152029) Enhancements to IDS Client trace messages
APAR IO25732 (RTC 167142) ibmslapd crash in trace api during replication
APAR IO25735 (RTC 166413) many communication and socket closed errors in LDAPSync.log
APAR IO25738 (RTC 166232) ibmslapd.log shows several GLPCOM036E messages with errno 9
APAR IO25745 (RTC 167304) idsideploy fails to copy instance as peer

APARs from 8.0.1.3-ISS-ISDS_20170913-1500
-------------------------------------------------------
APAR IO24556 (RTC 165312) ibmslapd should run in console (-c) mode if tracing to stderr
APAR IO24828 (FDS 131677) Second execution of initial synchronization of a flow returns no results.
APAR IO25398 (RTC 160575) Paged ldapsearch fails if -Q > 383 and -C ISO-8859-15 options are used
APAR IO25425 (RTC 163204) "select frequency:" shows wrong unit of time in Japanese env
APAR IO25499 (RTC 164181) Increase the maximum number of connections to the LDAP server
APAR IO25520 (RTC 165877 166124) Log management for SDS VA logs that increase by number of files
APAR IO25556 (RTC 161935) migration tool removes 'SINGLE-VALUE' from attribute definition
APAR IO25567 (RTC 163206) ibmslapd may leak memory when evaluating group pwd policies
APAR IO25602 (RTC 163981) Log management for the SDS VA logs that grow in size
APAR IO25628 (RTC 154855) bulkload generates core dump when processing binary data
APAR IO25636 (RTC 158821) Couldn't get access to mutex controlled resource (wait of 60 seconds expired.). : SERVER TERMINATES
APAR IO25643 (RTC 160571) SDS 6.4 crashes when debug enabled
APAR IO25647 (RTC 163015) idsdbmaint may fail with SQL0501N error
APAR IO25651 (RTC 163679) idsdbback utility modifies "ibmdiradmservice.cmd".
APAR IO25685 (RTC 161585) ibmldapd crash during initial startup after VA configuration
APAR IO25689 (RTC 164289) Renumber message GLPWRM9838W to GLPWRM990W
APAR IO25713 (RTC 164313) Userpassword change rejected by consumer (but successful on supplier) - replication gets blocked
APAR IO25714 (RTC 165110) Missing IBMAttributetypes schema definitions for attributes 'ibm-prevBindTimestamp' and 'ibm-latestBindTimestamp'

APARs from 8.0.1.2-ISS-ISDS_20170607-0918
-------------------------------------------------------
APAR IO25019 (RTC 153685) Processed changes in replication change table inflating replication change table size.
APAR IO25137 (RTC 157249) Unable to set backup folder with SDS VA provided WebAdmin Tool
APAR IO25141 (RTC 155539) idscfgremotedb creates default tablespaces with 32k page size
APAR IO25142 (RTC 155539) idscfgremotedb doesn't provide -l option on Unix p/f
APAR IO25167 (RTC 158969) The Memory utilization graph on the LMI is incorrect
APAR IO25260 (RTC 157653) Unlock instance user for admin backup/restore
APAR IO25261 (RTC 158308) Scheduled online backup fails to start
APAR IO25291 (IDI 141857) LDAP: error code 48 - Inappropriate Authentication
APAR IO25294 (RTC 159774) SDS VA 8.0.1.1 idsperftune with "-A" options fails
APAR IO25333 (RTC 152900) TDS Server crash during persistent search
APAR IO25337 (RTC 155668) ldap client application crash
APAR IO25340 (RTC 157501) ibmslapd crash in bindToMaster function
APAR IO25343 (RTC 157502) Replica fails to connect with next available master via ldaps
APAR IO25346 (RTC 156826 157747 158682) pta connection is dropped due to inactivity or idle.
APAR IO25350 (RTC 157629) ldap search results in blank userpassword
APAR IO25354 (RTC 159525) Return original old style non standard sha userpassword
APAR IO25356 (RTC 161753 162596) SDS VA 8.0.1.1: idslogmgmt fails to archive audit.log to CustomOut directory
APAR IO25384 (RTC 158471) Directory Server defaultwebadmin.jks keystore may have had defaultwebamin cert added when it is not neeeded.
APAR IO25385 (IDI 142475) FDS - Built-in Directory Browser fails to handle the backslash escape character
APAR IO25442 (RTC 153383) VA 8.0.1 LMI panel shows Status as config_only, even though back-end Directory server started fully.
APAR IO25446 (RTC 158395) Update JRE to Java 8.0 SR 4 Fix Pack 2
APAR IO25449 (RTC 158396) Update WebSphere Application Server Liberty to Fix Pack 16.0.0.4
APAR IO25450 (RTC 158845 159205) SDS 8.0.1.1 idsimigr fails with unsupported migration path.
APAR IO25451 (RTC 162470) Restrict SDS VA CLI commands to proper form(s).
APAR IO25452 (RTC 158836 160272 162406) Reboot message added when security certificates are updated.

APARs from 8.0.1.1-ISS-ISDS_20170301-2234
-------------------------------------------------------
APAR IO24299 (RTC 153594) Replication changes sent to a consumer may be lost
APAR IO24305 (RTC 150083) Web administration tool is susceptible to a denial of service attack.
APAR IO24322 (RTC 151553) Setting LDAP_OPT_SSL_EXTN_SIGALG may not have any affect
APAR IO24678 (RTC 148747) unable to use idsldif2db on virtual appliance 801
APAR IO24742 (RTC 146116) getaddrinfo delay may lock other threads
APAR IO24767 (RTC 150041) uploads fail with ext_lib.add_fail after idsimigr
APAR IO24806 (RTC 155268 155862 155971) Directory Server related default certificates were expired on VA
APAR IO24851 (RTC 151887) ibmslapd crashes when binding with invalid pass through auth creds
APAR IO24891 (RTC 150167) Modifying length of custom attribute fails with error 53.
APAR IO24898 (RTC 147243) java.lang.NoSuchMethodError when logging to Web Admin Tool.
APAR IO24902 (RTC 147616) [Win64] backend directory server may crash in proxy env.
APAR IO24906 (RTC 150039) On Solaris 5.10 a gskit init failure may cause core
APAR IO24908 (RTC 151170) LDAPSync for 'delete' operation fails with error 'oldrdn not found'
APAR IO24915 (RTC 147152) For paged search, server gives error - DSA unwilling to perform
APAR IO24922 (RTC 150653) 6.4 - Files still exists of deprecated feature - ADSync.
APAR IO25009 (RTC 153398) ldapsearch does not show result, if bind DN is not member of any group but its alias is a member of group having proper access.
APAR IO25020 (RTC 151897 152303) LDAP server crashes during ISIM data feed operation
APAR IO25024 (RTC 153525) WAT shows wrong icon for master in replication topology.
APAR IO25028 (RTC 152684 153568 153649 153663) Disable TripleDES ciphers for CVE-2016-2183 (Sweet32)
APAR IO25090 (RTC 149981 151325 151569 151641 151992 152144 156087 156329) Update WebSphere Application Server Liberty to Fix Pack 16.0.0.2
APAR IO25092 (RTC 153311 153473 153506 153520 154119) Update JRE to Java Version 8 Service Refresh 3 Fix Pack 20
APAR IO25108 (RTC 153679) ISDS RDBM server with ChangeLog enabled, fails to start when changing its role to Virtual Directory or PROXY server.
APAR IO25181 (RTC 153643) ISDS 8.0.1 LMI panel does not show notification of "Server needs to be restarted" when modifying attribute mapping.
APAR IO25183 (RTC 153079) runretailcode tool not restoring retail code libraries
APAR IO25184 (RTC 150038) SDS 6.4 core when SSL replication connection setup fails.
APAR IO25188 (RTC 154818) dbrestore fails when password length is greater than 18 chars
APAR IO25189 (RTC 147140) ldapdiff with ssl options fails to connect to ldap server

APARs from 8.0.1.0-ISS-ISDS_20160607-1251
-------------------------------------------------------
APAR IO24555 (RTC 142110) Web administration tool is susceptible to a Path Traversal attack.
APAR IO24563 (RTC ?) GLPRDB111E message displayed during replication initialization
APAR IO24580 (RTC 139722 142084) Server crash during startup.
APAR IO24593 (RTC 141183) idsbulkload command fails with GLPBLK108E error message.
APAR IO24594 (RTC 141427) Last Successful Authentication menu not shown in webadmin tool
APAR IO24748 (RTC 145062) Advanced password policy not followed for DirDataAdmin role
APAR IO25064 (RTC ?) GLPRDB111E message displayed during db2 password monitoring

Functionality/Behavior Impact:
==============================
Notable or unexpected changes in functionality or behavior associated with
the APARs documented in this fix:

Impacts from 8.0.1.9-ISS-ISDS_20181207-0045
--------------------------------------------------------
APAR     Sev   Functionality/Behavior Impact
-------  ----  ------------------------------------------------------------
IO26722  MED   With releases 8.0.1 through 8.0.1.8 the firmware update
               required a reconfiguration (unconfigure/configure) of remote
               database to force the updated VAUUID. But with this APAR fix
               there is no need to reconfigure the remote database, the
               existing VAUUID will be maintained even after the firmware
               update. The concerned instructions in "Before Installing the
               fix" and "After Installing the fix" are now removed.

IO26533  MED   A new environment variable "IBMSLAPD_ALLOW_PWDCHANGEDTIME"
               has been added to control pwdChangedTime value change for
               every password reset. Please refer to below technote for
               more details:
               https://www-01.ibm.com/support/docview.wss?uid=ibm10791403

Impacts from 8.0.1.8-ISS-ISDS_20180917-2142
--------------------------------------------------------
APAR     Sev   Functionality/Behavior Impact
-------  ----  ------------------------------------------------------------
IO26537  MED   The APAR change will invalidate the behavior change of
               previous release APAR IO25941. The code change with IO25941
               was stopping the server gracefully before executing snapshot
               operations. Server will not be stopped while working with
               snapshots.

Impacts from 8.0.1.7-ISS-ISDS_20180701-2312
--------------------------------------------------------
APAR     Sev   Functionality/Behavior Impact
-------  ----  ------------------------------------------------------------
IO25941  MED   It is very important to stop the SDS server before we create
               or apply snapshot on Virtual Appliance through LMI or CLI.
               With this APAR fix, the server will now be stopped
               gracefully before creating or applying a snapshot on the VA.
               You will need to start the server once the snapshot process
               is completed.

IO26402  LOW   Implication of auditing an extended password operation
               through the ldappasswd tool - Currently, if User1 tries to
               modify the password of User2 (provided User1 has sufficient
               ACLs), the Audit record generated does not print the target
               DN. This is a known limitation.

NA       NA    Recent releases have new commands. Clarifications were also
               needed for existing commands in the ISDS VA Command
               Reference Guide. Please refer to the technote below for more
               details:
               http://www.ibm.com/support/docview.wss?uid=ibm10717761

NA       NA    New topics have been added for ISDS VA troubleshooting.
               Please refer to the technote below for more details:
               http://www.ibm.com/support/docview.wss?uid=ibm10718437

Impacts from 8.0.1.6-ISS-ISDS_20180313-1835
--------------------------------------------------------
APAR     Sev   Functionality/Behavior Impact
-------  ----  ------------------------------------------------------------
IO26080  LOW   IBM Security Directory Suite VA 8.0.1.6 update includes an
               operating system mitigation for: VULNERABILITIES KNOWN AS
               SPECTRE AND MELTDOWN in response to CVE-2017-5753 and
               CVE-2017-5754. Full product regression was performed in a
               controlled environment with no issues reported and no
               obvious performance degradation was observed during testing
               in that environment.

Impacts from 8.0.1.5-ISS-ISDS_20171219-1425
--------------------------------------------------------
APAR     Sev   Functionality/Behavior Impact
-------  ----  ------------------------------------------------------------
IO25856  MED   A default gateway must be added to the Application Interface
               if an Application Interface was enabled at the 8.0.1.4 or
               lower level.
               Please refer to the technote below for more details:
               http://www-01.ibm.com/support/docview.wss?uid=swg22015001

Impacts from 8.0.1.4-ISS-ISDS_20171004-1128
--------------------------------------------------------
none

Impacts from 8.0.1.3-ISS-ISDS_20170913-1500
--------------------------------------------------------
none

Impacts from 8.0.1.2-ISS-ISDS_20170607-0918
--------------------------------------------------------
APAR     Sev   Functionality/Behavior Impact
-------  ----  ------------------------------------------------------------
IO25019  LOW   By default, the replication change table is cleaned up every
               15 minutes. A new environment variable has been added to
               control this time:
                 IDS_REPL_CLEANUP_TIMER=x
               where 'x' is an integer number of minutes from 1 to 15

IO25354  LOW   The environment variable
                 IBMSLAPD_FORMAT_OLDSTYLE_SHA=FALSE
               can be used to prevent the server from converting older SHA
               encoded passwords to base64 encoding. This is not
               recommended.

Impacts from 8.0.1.1-ISS-ISDS_20170301-2234
--------------------------------------------------------
APAR     Sev   Functionality/Behavior Impact
-------  ----  ------------------------------------------------------------
IO25028  HIGH  For all existing instances of client or server, the
               following ciphers will be actively filtered out of any
               cipher or cipher_EX settings passed to GSKit.

               (SSLV3,TLS10,TLS11)
               00 - TLS_RSA_WITH_NULL_NULL
               01 - TLS_RSA_WITH_NULL_MD5
               02 - TLS_RSA_WITH_NULL_SHA
               03 - TLS_RSA_EXPORT_WITH_RC4_40_MD5
               04 - TLS_RSA_WITH_RC4_128_MD5
               05 - TLS_RSA_WITH_RC4_128_SHA
               06 - TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
               09 - TLS_RSA_WITH_DES_CBC_SHA
               0A - TLS_RSA_WITH_3DES_EDE_CBC_SHA
               62 - TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
               64 - TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA

               (TLS12)
               TLS_RSA_WITH_RC4_128_SHA
               TLS_ECDHE_RSA_WITH_RC4_128_SHA
               TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
               TLS_RSA_WITH_3DES_EDE_CBC_SHA
               TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
               TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA

               This means that even if they are configured, they will no
               longer be used.
               GSK_ENFORCE_TDEA_RESTRICTION is also enabled by default.
               Triple DES CipherSuites will be restricted to 2^32 64 bit
               blocks (32 GBytes). Once the byte limit is reached the
               SSL/TLS connection will be terminated with the error
               GSK_ERROR_BYTECOUNT_EXHAUSTED (445).

               If you have a need to enable any of the above mentioned WEAK
               ciphers, you must explicitly enable them, disable FIPS mode
               and set the following environment variables:
               - For server connections:
                   IBMSLAPD_ALLOW_WEAK_CIPHERS=TRUE
               - For client connections:
                   LDAP_OPT_ALLOW_WEAK_CIPHERS=TRUE

Impacts from 8.0.1.0-ISS-ISDS_20160607-1251
--------------------------------------------------------
none

------ README ------