IBM Security Key Lifecycle Manager Version 2.7.0 - Distributed Platforms Fix Pack 6 README

Abstract

Readme documentation for IBM Security Key Lifecycle Manager for Distributed Platforms, Version 2.7.0 Fix Pack 6 (2.7.0.6) including installation-related instructions, prerequisites and corequisites, and a list of fixes.

Fix pack publish date: 28^th July 2020

Contents

List of fixes and features
Download instructions
Supported platforms
Prerequisites
Known issues
Known limitations

Installation information
Installing the IBM Security Key Lifecycle Manager fix pack
Uninstalling the IBM Security Key Lifecycle Manager along with fix pack

Copyright and trademark information

List of fixes and features

Features included in Version 2.7.0.6

Security fixes

Features included in Version 2.7.0.2

New replication features.
- Start/stop replication server through UI.
- Forced replication through UI.
New UI features.
- Start/Stop IBM Security Key Lifecycle Manager Server through UI.
- View detailed server information through UI.
New REST services.
- Version Info REST Service - to obtain version information of installed IBM Security Key Lifecycle Manager and its components. You can also view the build level of IBM Security Key Lifecycle Manager.

APAR fixes included in Version 2.7.0.6

APAR No.	Sev.	Abstract
IJ26295	1	backup.DailyStartReplicationBackupTime is not working as expected.

APAR fixes included in Version 2.7.0.5

APAR No.	Sev.	Abstract
IJ10562	3	UNABLE TO USE ALIASRANGE IN TKLMKEYEXPORT FOR OLD-STYLE KEYS.
IJ14615	4	GET CTGKM0929E ERROR AS EXECUTE "PRINT ADMINTASK.TKLMVERSIONINFO()".
IJ03118	3	"FAILED TO LOAD DATA!" IS DISPLAYED ON KEY AND DEVICE MANAGEMENT PANEL.

APAR fixes included in Version 2.7.0.4

APAR No.	Sev.	Abstract
IJ04609	2	SOME KEYS AND CERTIFICATES HAVE NOT BEEN BACKED UP, AND WILL NOT BE SAVED TO DEVICES" STUCK ON 2.7.0.3.
IJ04943	2	DELETES WITHOUT COMMITS CAUSING DB2 TRANSACTION LOGS TO NEVER STOP BEING PRODUCED ON CLONE.
IJ06460	2	UNABLE TO EXPORT CUSTOM DEVICE GROUP AFTER UPGRADE FROM 2.5 TO 2.7.

APAR fixes included in Version 2.7.0.3

APAR No.	Sev.	Abstract
IV95137	2	WHEN TRYING TO REGISTER SECRET DATA OBJECT WITH KEY BLOCK SIZE OF 128 BYTES, GET ERROR CTGKM1520E.
IJ01532	2	Enabling debug via the CLI as a clone is failing with: CTGKM2935E Requested operation not supported on this System.
IJ01578	2	Replication UI bad message for Clone: "Create a backup to ensure that you can restore data.

APAR fixes included in Version 2.7.0.2

APAR No.	Sev.	Abstract
IV93931	2	NEED RECORDS IN AUDIT.LOG MONITORING SKLM LOGIN AND LOGOUT FOR SECURITY MONITORING.
IV94086	2	SKLM 2.7.0.1 - REPLICATION FAILING TO DELETE OLDEST FILE WHEN LIMIT IS REACHED.
IV94960	2	SKLM V2.7 - MULTIPLE KMIP OPS. ON MULTIPLE PROCESSES CAUSES: SQLTRANSACTIONROLLBACKEXCEPTION: DB2 SQL ERROR: SQLCODE=-911.
IV95924	2	REPLICATION RESULTS IN THE MESSAGE "SOME KEYS HAVE NOT BEEN BACKUP UP" ON THE CLONE, WHEN BACKUP.KEYCERT.BEFORE.SERVING.
IV96975	2	REPLICATION OCCURRING EVERY TIME THE VERSION FIELD IS UPDATED IN THE KMT_DEVICE TABLE.
IV97140	2	GUI SHOWS WRONG DEFAULT VALUE FOR 'REPLICATION LOG FILE NAME' AS REPLICATIONMASTER.LOG.
IV97220	3	SKLM 2.7:REPLICATION CONFIG WHEN UPDATED VIA GUI DOES NOT UPDATE THE REPLICATION CONFIG FILE.

APAR fixes included in Version 2.7.0.1

APAR No.	Sev.	Abstract
IV92219	2	sklm 2.7 Replication error: CTGKM0905E Backup failed: null StringIndexOutOfBoundsException.
IV93097	2	NEED SUPPORT FOR CREATING A SYMMETRIC KEY WITH CRYPTOALGORITHM SET TO HMAC-SHA512 IN SKLM V2.7.
IV93832	2	FAILED TO APPLY SKLM2.7.0.1 FP0001 ON RHEL 7.1 IN NON-ROOT.

Download instructions

Go to IBM Fix Central home page: http://www.ibm.com/support/fixcentral/
In the Product selector field, type IBM Security Key Lifecycle Manager, and select the product name when it appears.
From the Installed Version list, select 2.7.0.
From the Platform list, select the appropriate platform, and click Continue.
On the Identify Fixes page, ensure that the Browse for Fixes is selected, and click Continue.
On the Select Fixes page, select fix pack 2.7.0-ISS-SKLM-FP0006, and click Continue.
You might be prompted to Sign In. If you do not have an ID, click the Register now link and follow the registration steps as appropriate.
On the Download options page, select a download method (default is Download using Download Director).
Select the associated files and README for fix pack: 2.7.0-ISS-SKLM-FP0006 and click Download now.

Supported platforms

See IBM Security Key Lifecycle Manager Support Matrix.

Fix pack files per platform

Product/Component name	Platform	File name
IBM Security Key Lifecycle Manager version 2.7.0 Fix Pack - 2.7.0-ISS-SKLM-FP0006	AIX	2.7.0-ISS-SKLM-FP0006-AIX.tar.gz
IBM Security Key Lifecycle Manager version 2.7.0 Fix Pack - 2.7.0-ISS-SKLM-FP0006	Linux	2.7.0-ISS-SKLM-FP0006-Linux.tar.gz
IBM Security Key Lifecycle Manager version 2.7.0 Fix Pack - 2.7.0-ISS-SKLM-FP0006	zLinux (System z)	2.7.0-ISS-SKLM-FP0006-zLinux.tar.gz
IBM Security Key Lifecycle Manager version 2.7.0 Fix Pack - 2.7.0-ISS-SKLM-FP0006	Windows	2.7.0-ISS-SKLM-FP0006-Windows.zip

Known issues

IBM Security Key Lifecycle Manager installation fails on Red Hat Enterprise Linux, Version 6.7. Installation of IBM Security Key Lifecycle Manager, Version 3.0 halts during IBM WebSphere Application Server profile creation process and goes into irrecoverable state. To install IBM Security Key Lifecycle Manager, Version 3.0 on Red Hat Enterprise Linux, Version 6.7. follow the steps given in technote before you start with the SKLM installation. Click here for detail.
While installing IBM Security Key Lifecycle Manager 2.7.0.6, the panel to validate the password has the "Validate Credentials" button enabled, even without entering the Database password.
User can safely ignore this, enter all the passwords and then click on validate Credentials button.
Deletion of device group export file fails. You cannot delete the device group export file by using IBM Security Key Lifecycle Manager graphical user interface.

IBM Security Key Lifecycle Manager Version = 2.7.0.6 IBM Security Key Lifecycle Manager Build Level = 202007270400 WebSphere Application Server Version = 9.0.0.1 DB2 Version = 11.1.0.1527 Java Version = JRE 1.8.0 IBM J9 VM 2.8 Operating System Version = Windows Server 2016:10.0:amd64

Important: The following steps uninstall the entire product package, including IBM Security Key Lifecycle Manager, IBM Db2, and WebSphere Application Server, and all your data will be lost. Take a backup before uninstalling.

Uninstalling IBM Security Key Lifecycle Manager with the fix pack by using the graphical user interface

IM_INSTALL_LOCATION refers to the installation root directory for IBM Installation Manager.

PATH_TO_UNINSTALL_RESPONSE_FILE refers to the uninstallation response file provided or bundled with the fix pack installer.

platform refers to the operating system where the fix pack is being installed / uninstalled.

For example: SKLM_Uninstall_platform_Resp.xml on Linux will be SKLM_Uninstall_Linux_Resp.xml

Copyright and trademark information

http://www.ibm.com/legal/copytrade.shtml

Notices

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.

THIRD-PARTY LICENSE TERMS AND CONDITIONS, NOTICES AND INFORMATION

The license agreement for this product refers you to this file for details concerning terms and conditions applicable to third party software code included in this product, and for certain notices and other information IBM must provide to you under its license to certain software code. The relevant terms and conditions, notices and other information are provided or referenced below. Please note that any non-English version of the licenses below is unofficial and is provided to you for your convenience only. The English version of the licenses below, provided as part of the English version of this file, is the official version.

Notwithstanding the terms and conditions of any other agreement you may have with IBM or any of its related or affiliated entities (collectively "IBM"), the third party software code identified below are "Excluded Components" and are subject to the following terms and conditions:

the Excluded Components are provided on an "AS IS" basis
IBM DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES AND CONDITIONS WITH RESPECT TO THE EXCLUDED COMPONENTS, INCLUDING, BUT NOT LIMITED TO, THE WARRANTY OF NON-INFRINGEMENT OR INTERFERENCE AND THE IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
IBM will not be liable to you or indemnify you for any claims related to the Excluded Components
IBM will not be liable for any direct, indirect, incidental, special, exemplary, punitive or consequential damages with respect to the Excluded Components.

End of Document

S.No.	Instruction	Windows Commands	UNIX/Linux Commands
1.	Windows - Open a command prompt. Linux / AIX - Open a ksh or bash shell.	Click the Start button, click Run, type cmd, and click the OK button.	If your default shell is not ksh or bash, run "exec ksh" or "exec bash".
2.	Stop WebSphere Application Server.	WAS_HOME\bin\stopServer.bat server1 -username WAS_ADMIN -password WAS_PASSWORD	WAS_HOME/bin/stopServer.sh server1 -username WAS_ADMIN -password WAS_PASSWORD
3.	Make a temporary directory.	mkdir WAS_BACKUP_DIRECTORY For example: mkdir c:\wasbackup	mkdir WAS_BACKUP_DIRECTORY For example: mkdir /tmp/wasbackup
4.	Change directory to the temporary directory.	cd c:\wasbackup	cd /tmp/wasbackup
5.	Copy or archive the files from the directory where WebSphere Application Server is installed.	xcopy /y /e /d WAS_HOME c:\wasbackup	tar -cvf wasbackup.tar WAS_HOME/*
6.	Start WebSphere Application Server.	WAS_HOME\bin\startServer.bat server1 Where: WAS_HOME is the directory where WebSphere Application Server is installed (default: C:\Program Files\IBM\WebSphere\AppServer).	WAS_HOME/bin/startServer.sh server1 Where: WAS_HOME is the directory where WebSphere Application Server is installed (default: /opt/IBM/WebSphere/AppServer).

S. No.	Instruction	Steps
1.	Make a repository directory.	Open a command prompt. Make a repository, that is, a directory where you extract the fix pack installer. Windows Default repository directory is C:\sklminstall_windowsfp mkdir C:\sklminstall_windowsfp UNIX/Linux Default repository directory is /sklminstall_linuxfp mkdir /sklminstall_linuxfp
2.	Change directory to the repository directory.	Windows cd C:\sklminstall_windowsfp UNIX/Linux cd /sklminstall_linuxfp
3.	Download the fix pack into the repository directory.	See Download Instructions
4.	Extract the downloaded file.	Windows 2.7.0-ISS-SKLM-FP0006-Windows.zip UNIX/Linux For example: 2.7.0-ISS-SKLM-FP0006-Linux.tar.gz Note: Use the platform-specific file.

S. No.	Instruction	Steps
1.	Stop WebSphere Application Server, update Java SDK, and then start Installation Manager in GUI mode.	Windows Open a command prompt, and change the directory to the repository directory. For example: C:\sklminstall_windowsfp Run the following command: updateSKLM.bat IM_INSTALL_LOCATION WAS_HOME WAS_ADMIN WAS_PASSWORD For example: updateSKLM.bat "c:\Program Files\IBM\Installation Manager" "c:\Program Files\IBM\WebSphere\AppServer" wasadmin wasadminpwd UNIX/Linux Open a command prompt, and change the directory to the repository directory. For example: /sklminstall_linuxfp Run the following commands: chmod +x ./updateSKLM.sh ./updateSKLM.sh IM_INSTALL_LOCATION WAS_HOME WAS_ADMIN WAS_PASSWORD For example: updateSKLM.sh /opt/IBM/InstallationManager /opt/IBM/WebSphere/AppServer wasadmin wasadminpwd Where: IM_INSTALL_LOCATION refers to the installation root directory for IBM Installation Manager. Default value: Windows: c:\Program Files\IBM\Installation Manager Linux: /opt/IBM/InstallationManager WAS_HOME refers to installation root directory for WebSphere Application Server (WAS). Default value: Windows: c:\Program Files\IBM\WebSphere\AppServer Linux: /opt/IBM/WebSphere/AppServer WAS_ADMIN refers to the ID for the WebSphere Application Server Administrator. WAS_PASSWORD refers to the password for the WebSphere Application Server Administrator.
2.	Select the IBM Security Key Lifecycle Manager, Version 2.7.0 software package group.	1. Select the base offering software package group (IBM Security Key Lifecycle Manager, Version 2.7.0). 2. Click Next. 3. In the Update Packages panel, select Version 2.7.0.6, and click Next.
3.	Provide credentials for WebSphere Application Server admin user (default: wasadmin) SKLM admin user (default: SKLMAdmin) and Db2 user (default: sklmdb27).	In the Update Packages Configuration for IBM Security Key Lifecycle Manager v2.7.0.6 panel: Enter Username and Password for Application Server Administrator. Enter Username and Password for IBM Security Key Lifecycle Manager Application Administrator. Enter Username and Password for IBM DB2 user. Click Validate Credentials. Validation might take few minutes. Wait till the Next button is enabled. Click Next.
4.	Complete the final step.	In the Update Packages > Summary panel, review the software packages that you want to install, and click Update. After Installation Manager successfully updates the fix pack for the services that you select, a message is displayed.

S. No.	Instruction	Steps
1.	Launch the Installation Manager utility to encrypt the passwords for users as required.	Open a command prompt. Change the directory to the IM_INSTALL_LOCATION/eclipse/tools directory. Windows Run the following command to generate an encrypted password: imcl.exe encryptString password_to_encrypt UNIX/Linux Run the following command to generate an encrypted password: ./imcl encryptString password_to_encrypt
2.	Back up the response file.	Rename the original response file to create a backup of the file: SKLM_Silent_Update_platform_Resp.xml For example: SKLM_Silent_Update_platform_Resp_original.xml The response file is located in the repository/sklm directory where the fix pack is extracted.
3.	Edit the response file.	Windows Edit the response file SKLM_Silent_Update_platform_Resp.xml. Edit the repository location to point to the current location of the installer. Sample: <repository location='C:\sklminstall_windowsfp\sklm'/> Edit WASAdmin user name and password (Password needs to be encrypted). Sample: <data key='user.WAS_ADMIN_ID,com.ibm.sklm27.win>value='wasadmin'/> <data key='user.WAS_ADMIN_PASSWORD,com.ibm.sklm27.win> value='e9PjN93MeQxwnSs9VXJFMw=='/> Edit SKLMAdmin user name and password (Password need to be encrypted). Sample: <data key='user.SKLM_ADMIN_ID,com.ibm.sklm27.win>value='SKLMAdmin'/> <data key='user.SKLM_ADMIN_PASSWORD,com.ibm.sklm27.win> value='9YTRJMRIydDSdfhaHPs1ag=='/> Edit Db2 user name and password (Password need to be encrypted). Sample: <data key='user.DB2_ADMIN_PWD,com.ibm.sklm27.db2.win.ofng' value='sklmdb27'/> <datadata key='user.CONFIRM_PASSWORD,com.ibm.sklm27.db2.win.ofng' value='QTh/0AiFvrljhs9gnOYkGA=='/> UNIX/Linux Edit the response file: SKLM_Silent_Update_platform_Resp.xml Edit the repository location to point to the current location of the installer. Sample for Linux: <repository location='/sklminstall_linuxfp/sklm'/> Edit WASAdmin user name and password (Password needs to be encrypted). Sample: <data key='user.WAS_ADMIN_ID,com.ibm.sklm27.linux>value='wasadmin'/> <data key='user.WAS_ADMIN_PASSWORD,com.ibm.sklm.Linux> value='e9PjN93MeQxwnSs9VXJFMw=='/> Edit SKLMAdmin user name and password (Password needs to be encrypted). Sample: <data key='user.SKLM_ADMIN_ID,com.ibm.sklm27.linux>value='SKLMAdmin'/> <data key='user.SKLM_ADMIN_PASSWORD,com.ibm.sklm27.linux> value='9YTRJMRIydDSdfhaHPs1ag=='/> Edit the user name and password of the Db2 user (Password need to be encrypted). Sample: <data key='user.DB2_ADMIN_ID,com.ibm.sklm27.db2.lin.ofng' value='sklmdb27'/> <data key='user.DB2_ADMIN_PWD,com.ibm.sklm27.db2.lin.ofng' value='QTh/0AiFvrljhs9gnOYkGA=='/>
4.	Install the fix pack.	Windows Open a command prompt, and change the directory to the repository directory. For example: C:\sklminstall_windowsfp Run the following command: silent_updateSKLM.bat IM_INSTALL_LOCATION WAS_HOME WAS_ADMIN WAS_PASSWORD For example: silent_updateSKLM.bat "c:\Program Files\IBM\Installation Manager" "c:\Program Files \IBM\WebSphere\AppServer" wasadmin wasadminpwd UNIX/Linux Open a command prompt, and change the directory to the repository directory. For example: /sklminstall_linuxfp Run the following commands: chmod +x ./silent_updateSKLM.sh ./silent_updateSKLM.sh IM_INSTALL_LOCATION WAS_HOME WAS_ADMIN WAS_PASSWORD For example: ./silent_updateSKLM.sh /opt/IBM/InstallationManager /opt/IBM/WebSphere/AppServer wasadmin wasadminpwd Where: IM_INSTALL_LOCATION refers to the installation root directory for IBM Installation Manager. Default value: Windows: C:\Program Files\IBM\Installation Manager Linux: /opt/IBM/InstallationManager WAS_HOME refers to installation root directory for WebSphere Application Server. Default value: Windows: C:\Program Files\IBM\WebSphere\AppServer Linux: /opt/IBM/WebSphere/AppServer WAS_ADMIN refers to the ID for the WebSphere Application Server Administrator. WAS_PASSWORD refers to the password for the WebSphere Application Server Administrator.
5.	Verify the installation.	Review the log file to confirm a successful installation. Log files are located at: Installation_Manager_Home/logs/native