Hardware Management Console Readme

For use with Version 8 Release 8.5.0 SP1

Updated: 7 February 2017

Contents

The information in this Readme contains the fix list and other package information about the Hardware Management Console.

* PTF MH01681
* Package information
* List of fixes
* Installation
* Additional information

PTF MH01681

This package includes a fix for HMC Version 8 Release 8.5.0 Service Pack 1. You can also reference this package by PTF MH01681 and APAR MB04065.

This image must be installed on top of HMC Version 8 Release 8.5.0 Service Pack 1 (PTF MH01633) with or without additional PTFs.

Note: This PTF supersedes MH01664, MH01663, MH01669, and MH01673.

/Package information/

Package name   Size         Checksum (sha1sum)                         APAR#     PTF#
MH01681.iso    1622833152   fb73231a617eebb917ef91fef9cce8256de46cb1   MB04065   MH01681

Splash Panel information (or lshmc -V output)

"version= Version: 8 Release: 8.5.0 Service Pack: 1 HMC Build level 20170124.1 MH01681: Fix for HMC V8R8.5.0 SP1 (01-24-2017) ","base_version=V8R8.5.0 "

Install Notes

1. *Special Install Instructions:* Installing this PTF using the Enhanced+ interface may hang. Prior to installing this PTF using the web browser graphical interface perform the following:
   1. Log in again selecting the Log In option of "Classic".
   2. If already logged in to the HMC using Enhanced GUI, log off the HMC.
   3. Install using the normal installation instructions.

   Alternatively, install this PTF using the CLI updhmc command.

List of fixes

*Security fixes*

* Fixed Apache Tomcat vulnerabilities: CVE-2016-6816, CVE-2016-6817 and CVE-2016-0762
* Fixed BIND vulnerability: CVE-2016-8864
* Disabled HTTP compression for the necessary URIs and data types to fix vulnerability: CVE-2013-3587
* Removed support for all Triple DES ciphers from the Web UI (HMC ports 443 and 12443) to address vulnerability: CVE-2016-2183

*General fixes*

* Fixed an issue where HMC performance degrades over time until the command server and/or web servers hang requiring a reboot to resolve. Logs will show a large number of blocked threads for the unified JRE and may include an error of "too many open files". The issue is typically seen on HMCs where external scripts are running dozens or hundreds of commands.
* Fixed a problem causing a blank window to be opened when the ASM interface for a server is launched when the server is in Failed Authentication state.
* Fixed an issue causing call-home to fail if the HMC that opened the problem could not connect to IBM, even if another call-home server console was configured.
* Fixed a problem that caused many PowerVC deploy operations to fail. The PowerVC error messages may include "/PC-F162C70 Error creating storage adapters/" and "/PC-5169BFD Unable to create virtual adapters on Virtual I/O Server/". The underlying HMC error is "/HSCL025A Service processor lock failed/." This problem only occurs if redundant HMCs are in use and the virtual machines being deployed are enabled for simplified remote restart. To circumvent this issue, disconnect the redundant HMC.
* Fixed an intermittent problem that caused IBM.LparCmdRMd to terminate abnormally and cause various operations that use RMC to fail. This problem only occurs on HMCs that are managing servers in a Power enterprise pool, and only if the HMCs have multiple network adapters. If IBM.LparCmdRMd terminates abnormally, an error will be logged in /var/log/messages such as "/0513-020 The IBM.LparCmdRM Subsystem did not end normally/."
* Prevent custom HMC users that have a task role of hmcsuperadmin and a resource role of AllSystemResources from accessing tasks that were intended for hmcpe users only.

*Previously released fixes also included in this PTF:*

*MH01673* 12/9/16

* Improved the performance of the Enhanced GUI, REST API interface and HMC command line for non-hscroot custom HMC users that have a task role of hmcsuperadmin and a resource role of AllSystemResources.
* Fixed an issue with pedbg log collection that caused ctsnap_out data to be missing and also could cause SRC E212E136 to be called home due to /tmp filling up with ctsnap data.
* Fixed a problem that caused various operations that use RMC to fail. Failing operations include PowerVC operations, DLPAR operations, the Enhanced GUI, and the lspartition command. Symptoms include:
   o PowerVC logging REST API error "2610-639 The user could not be authenticated by the RMC subsystem"
   o lspartition -dlpar returning "Can't start local session rc=39!"
   o diagrmc including error "2612-024 Could not authenticate user."
  The recovery is to reboot the HMC. This problem only impacts HMC V8R8.5.0 SP1 (PTF MH01633) with or without earlier iFixes.

*MH01669* 11/21/16

* Added DST timezone changes for Turkey, leap second to 31 Dec 2016.
* Changed the HMC install process to report the error SRC E3558801 when the installation of a service pack or iFix fails due to a rare RPM installation failure. Prior to this fix, the service pack or iFix installation appeared to finish successfully.
* Fixed another issue to prevent call home SRC E3D46FFF combined with System_Auth SRC E3D43104 due to a scheduled change credential password task that no longer is needed.
* Fixed a problem that caused a blank window to be opened when the ASM interface for a server is launched. This problem only occurs for servers which have newer versions of POWER 8 system firmware installed.
* Fixed a problem in the Manage Software Service Information Transmission GUI window that sometimes prevented a partition from being successfully added to or removed from the list of partitions from which to collect software service information to call home even though no error was reported. This problem can only occur when the partition being added or removed has the same partition ID as another partition on another managed system the HMC is managing.
* Fixed multiple OpenSSL vulnerabilities: CVE-2016-2180, CVE-2016-2182, and CVE-2016-6306

*MH01663* 10/20/2016

* Fixed a rare timing issue that can cause a partition migration operation to incorrectly fail with error "/HSCL2957 Either there is currently no RMC connection between the management console and the partition or the partition does not support dynamic partitioning operations/" even though the RMC connection is actually active. Circumvention: Confirm that the HMC lssyscfg -r lpar -m -Frmc_state command shows the RMC connection is active then try the partition migration operation again.
* Fixed an issue where system initiated System Dump files were not being automatically called home.
* Fixed a problem causing communication problems between the master HMC and the other HMCs managing a Power enterprise pool. This problem only occurs if the first HMC added to a pool has the same private IP address as the master HMC, which causes the master HMC to set its IP address for pool communication to that private IP address (you can confirm this by displaying the master HMC's IP address via the Power enterprise pool GUI or the lscodpool command). Symptoms include the inability to perform pool operations from managing HMCs, and an HMC connection status of unavailable or Unknown. If you have already been affected by this problem, after installing this service pack you must remove all of the managing HMCs from your pool, then add them all back. This action will correct the master HMC's IP address.
* Fixed a problem that caused every attempt to add a managing HMC to a Power enterprise pool to fail with the error "The operation sent to management console has timed out." This problem occurs only if one of the following conditions is true:
   1. The master HMC has an unconfigured Ethernet interface numbered lower than the interface used for HMC-HMC communication;
   2. The IP address for an Ethernet interface numbered lower than the interface used for HMC-HMC communication or the IP address of the Ethernet interface used for HMC-HMC communication is updated on the master HMC and the HMC is not restarted after the update.
  To work around this problem, reconfigure the master HMC's Ethernet interfaces so that the Ethernet interface to be used for HMC-HMC communication is numbered lower than any unconfigured interfaces, then restart the HMC.
* Fixed a problem where some GUI views of system firmware levels such as the Updates, System Code Levels table incorrectly show a deferred level of none (or blank) when a deferred level exists.
* Fixed an issue causing the update of I/O device microcode from IBM microcode CD/DVD to fail with "/HSCF0179W Operation was partially successful for . An error occurred while attempting to update I/O microcode on : An error occurred copying a file from the CDROM. First verify the correct media is inserted in the drive, that there is space available on the target system, then try the operation again./"
* Fixed a rare error that can occur when the HMC is processing a property change event for a tree node representing a managed object or group while a managed system is being added to the HMC. This error caused SRC E3551040 to be generated and called home.
* Fixed a problem with persisted service data that can impact HMC model CR9s. Symptoms include: all dumps from the managed server being deleted immediately after offload; new serviceable events reported by the server being discarded without a serviceable event being opened on the HMC.
* Fixed a problem that caused the wrong HMC machine type, model and serial number to be displayed on the following HMC GUI screens: Service Management -> Enable Electronic Service Agent and Service Management -> Manage Inbound Connectivity -> Prepare -> Remote Service Session. This problem occurs on CR9 model HMCs only.
* Fixed a problem causing partition migration operations performed by PowerVC to fail when the ibmpowervm_mover_service_partitions attribute is specified in the nova.conf files. This problem occurs only with Virtual I/O Server versions 2.2.4 and later.
* Fixed IBM Websphere Application Server (WAS) vulnerabilities: CVE-2016-0378 and CVE-2016-5986.
* Fixed Apache Tomcat vulnerability: CVE-2016-3092.
* Set the X-Frame-Options HTTP response header from all HMC /dashboard URLs to instruct the browser to not allow framing from other domains. This change is intended to prevent Clickjacking attacks.
* Disabled TLS 1.0 for HMC port 443 in legacy security mode.

*MH01664* 09/24/16

* Fixed a problem causing the WLP server not to start after the HMC is rebooted, causing the REST API functions to not be available. This impacts the enhanced GUI login, PowerVC, PCM and any other function that utilizes the REST API on the HMC. This problem only occurs if the user runs the save upgrade data task and subsequently reboots the HMC without actually performing an HMC upgrade. This fix prevents the problem from occurring again and also repairs HMCs previously impacted.
* Fixed reports of 1100C001 and 1100C002 during an FSP repair procedure to be informational SRCs and not call home.
* Fixed an issue where applying a fix or service pack could cause a user that launches vterm or other applets remotely to encounter a security error. The java console log will show error "javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name" even though the host name is correct.
* Fixed the HMC readme content link when launched from the HMC GUI

Installation

*Special Install Instructions:* Installing this PTF using the Enhanced+ interface may hang. Prior to installing this PTF using the web browser graphical interface perform the following:

1. Log in again selecting the Log In option of "Classic".
2. If already logged in to the HMC using Enhanced GUI, log off the HMC.
3. Install using the normal installation instructions.

Alternatively, install this PTF using the CLI updhmc command.

Installation instructions for HMC Version 8 upgrades and corrective service can be found at these locations:

Upgrading or restoring HMC Version 8
Installation methods for HMC Version 8 fixes

Instructions and images for upgrading via a remote network install can be found here:

HMC V8 network installation images and installation instructions

Additional information

Notes:

1. The Install Corrective Service task now allows you to install corrective service updates from the ISO image files of these updates. You can download these ISO image files for the HMC, and then use the ISO image file to install the corrective service update. You no longer need to burn CD-R or DVD-R media to use the ISO image file to install corrective service.
2. This image requires DVD-R media.
3. To install updates over the network, select the *.iso file on the "Select Service Package" panel of the Install Corrective Service task. The HMC application extracts the files needed to install the corrective service. If you are using USB flash media, copy the *.iso file to the flash media, and then select the file when prompted.
4. The *updhmc* command line command has also been modified to use the *.iso file. To use the command, follow the syntax in this example:

   updhmc -t s -h -f -u -i

   In all cases, the HMC application extracts the files needed to install the corrective service.
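
Because the .iso file is now handed directly to the Install Corrective Service task or to updhmc, it is worth checking the download against the size and sha1sum listed under Package information first. The script below is an added example, not part of the IBM readme; it assumes a Linux host with GNU coreutils where the image was downloaded, and the function name verify_pkg is hypothetical.

```shell
#!/bin/sh
# Added example: verify a downloaded HMC corrective-service image against
# the size and SHA-1 published in the readme before installing it.

# verify_pkg FILE EXPECTED_SIZE EXPECTED_SHA1   (hypothetical helper name)
# Returns 0 on match, 1 on size mismatch, 2 on digest mismatch,
# 3 if the file cannot be read.
verify_pkg() {
    local file="$1" want_size="$2" want_sha1="$3" got_size got_sha1

    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 3; }

    # Cheap check first: a truncated download fails here without hashing
    # the whole 1.6 GB image.
    got_size=$(wc -c < "$file" | tr -d '[:space:]')
    if [ "$got_size" != "$want_size" ]; then
        echo "size mismatch: got $got_size, expected $want_size" >&2
        return 1
    fi

    # sha1sum prints "<digest>  <name>"; keep only the digest.
    got_sha1=$(sha1sum < "$file" | awk '{print $1}')
    # Accept the published digest in either letter case.
    want_sha1=$(printf '%s' "$want_sha1" | tr 'A-F' 'a-f')
    if [ "$got_sha1" != "$want_sha1" ]; then
        echo "sha1 mismatch: got $got_sha1, expected $want_sha1" >&2
        return 2
    fi

    echo "OK: $file matches published size and sha1sum"
    return 0
}

# Values copied from the Package information table for MH01681.iso.
MH01681_SIZE=1622833152
MH01681_SHA1=fb73231a617eebb917ef91fef9cce8256de46cb1

# Usage: sh verify_mh01681.sh /path/to/MH01681.iso
if [ "$#" -eq 1 ]; then
    verify_pkg "$1" "$MH01681_SIZE" "$MH01681_SHA1"
fi
```

A non-zero exit status means the image should be downloaded again rather than installed.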