Hardware Management Console Readme

*Version 10 Release 3 Maintenance 1061 (V10 R3 M1061) README*

Date: 12 December 2024
(C) Copyright International Business Machines Corp., 2024 All rights reserved.

Contents

The information in this Readme contains the fix list and other package information about the Hardware Management Console.

* Terminology
* PTF MF71709 HMC V10 R3M1061.0 - for vHMC for x86_64 hypervisors (5765-VHX)
* PTF MF71710 HMC V10 R3M1061.0 - for 7063 Hardware or vHMC for PowerVM (5765-HMB)
* Enhancements
* List of fixes
* Known issues and limitations
* Best Practices
* Installation

Terminology

*x86* - This term is used to reference the Intel hypervisors (KVM, VMware, Xen) on which Virtual HMC can be installed.

*Note:* HMC V10R3 release for x86 is not supported on bare metal (7042 hardware appliances).

*ppc64 or ppc64le* - Describes the Linux code that is compiled to run on Power-based servers or LPARs (Logical Partitions).

PTF MF71709 HMC V10 R3 M1061.0 - for vHMC for x86_64 hypervisors (5765-VHX)

This package represents a service pack image that can be used to update the HMC from HMC V10 R3 M1050 release. You can also reference this package by APAR MB04474 and PTF MF71709. This image can be installed on top of HMC V10 R3 M1050 with or without other PTFs or Service Packs installed.

* Service packs are cumulative and as such will include all the fixes for the PTFs released up to and including the last service pack(s) for this HMC version. Please read the individual Readme files for each PTF to see the list of fixes.

/Package information/

Package name: HMC_Update_V10R3M1061_x86.iso
Size: 5683892224
Checksum (sha1sum): d2be465b418b111df579b690bfa10f8ec0b9267b
APAR#: MB04474
PTF#: MF71709

Splash Panel information (or lshmc -V output):
"version= Version: 10 Release: 3 Service Pack: 1061 HMC Build level 2411282125 MF71709 - HMC V10R3 M1061 ","base_version=V10R3 "

PTF MF71710 HMC V10 R3 M1061.0 - for 7063 Hardware or vHMC for PowerVM (5765-HMB)

This package represents a service pack image that can be used to update the HMC from HMC V10 R3 M1050 release. You can also reference this package by APAR MB04475 and PTF MF71710. This image can be installed on top of HMC V10 R3 M1050 with or without other PTFs or Service Packs installed.

* Service packs are cumulative and will include all the interim fixes for the PTFs released up to and including the last service pack(s) for this HMC version. Please read the individual Readme files for each PTF to see the list of fixes.

/Package information/

Package name: HMC_Update_V10R3M1061_ppc.iso
Size: 5721251840
Checksum (sha1sum): 3937172bab8ac2017ba5806c23c22847255775b9
APAR#: MB04475
PTF#: MF71710

Splash Panel information (or lshmc -V output):
"version= Version: 10 Release: 3 Service Pack: 1061 HMC Build level 2411282125 MF71710 - HMC V10R3 M1061 ","base_version=V10R3 "

Enhancements

* Support SSH tunnelling for HMC GUI
* Network Address Translation (NAT) firewall configuration support for RMC

*Server and Virtualization Management:*

* The default LPM NPIV validation policy has been changed to LUN level validation, and a new server-level setting has been added to change this default.
* Support for system firmware update operations in parallel from the command line when run in separate command shells.
* Support for resuming a failed update or upgrade of system firmware.
* Listing Volume unique ID for vFC topology for IBM i and support for VIOS Maintenance Validation to check vFC storage assigned to IBM i (requires IBM i 7.5 TR5)
* Licensed Program Products (LPP) software reporting for CMC. Information about LPPs, such as PowerHA SystemMirror, that are installed on AIX and IBM i partitions on managed systems in Power Enterprise Pool 2.0 pools is collected and reported to CMC.

*User Experience Improvements for below functions/panels:*

* *HMC management:*
    o Transformed HMC Network settings panels. REST API support for HMC network settings configuration.
    o New user experience for format media.
    o New views for third party and additional license agreements.
    o Transformed HMC certificate management and Certificate revocation list panels.
    o Added the ability to remove redfish.event from the HMC firewall. redfish.event is used to receive events from Enterprise BMC-based managed systems and is required for the HMC to successfully manage those systems, so redfish.event should be removed from the firewall for an interface only when there are no Enterprise BMC-based managed systems connected to that interface.
* *Service Management:*
    o The transmit service information panels have been transformed with the newer user experience. To launch the task, click *Service management > Schedule service data* in the left side navigation area on the new GUI.
* *System Management:*
    o New dashboard for Backup profile data with options to backup, restore, and delete profile data.
    o New user experience for Initialize and Recover.
    o New user experience for I/O firmware updates and SR-IOV firmware updates.
* *Schedule Management:*
    o New dashboard for scheduled operations with options to create and delete scheduled operations for system, partition, Virtual I/O Server and management console. To launch the new scheduled operations dashboard, click *Schedule management* in the left side navigation area on the new GUI.
      *Note*: The *Schedule operations* tasks in all action menus on the new GUI will launch the old Schedule operations GUI. These tasks will be removed from all action menus on the new GUI in a future PTF.
* *Partition/VIOS Management:*
    o New user experience for partition and VIOS Shutdown, Restart, and Delete operations.
    o New user experience for *VIOS image* management. To launch the task, click on VIOS Images in the left side navigation area on the new GUI.
    o New user experience for Volume groups, Virtual media library, Logical volumes, Virtual SCSI and Virtual Fibre channel adapters, and Fibre Channel ports management of VIOS. These tasks are available in the left side navigation area for the selected VIOS.
* *User Management:*
    o Added advanced parameters for both LDAP and KDC configurations.
    o Added ability to import an LDAP certificate.

Future Support Notes

* Access to the old dashboard will be removed in a future release.
* Support for the FTP option, which is unsecure, will be removed from all HMC interfaces in a future release. SFTP/NFS should be used instead.
* REST API access via port 12443 will be disabled in a future release. Use port 443 instead for accessing HMC REST APIs.

General Fixes

* Fixed another issue that can cause the HMC GUI dashboard to hang when loading when the language is set to German.
* Added a 30-minute timeout to the Exchange FRU procedure to prevent the procedure from hanging indefinitely at the "/Querying service effect for location/" step.
* Added the partition name to the Delete partition task log entry.
* Changed the GUI Create partition task for IBM i partitions to no longer enable the "connection monitoring" setting and to start enabling the "electronically report errors that cause partition termination or require attention" setting.
* Corrected the activated memory trend line on the Memory allocation page of the Performance dashboard to show activated memory instead of installed memory.
* Fixed several issues with the Processor usage trends graph on the Processor usage page of the Performance dashboard, including fixing missing legends and correcting trend lines.
* Corrected the Add system > Find managed system GUI to allow IPv4 addresses with a 0 in the second or third octet.
* Corrected the error message returned when an I/O firmware update operation fails due to the I/O firmware update files not being found in the specified location.
* Enhanced the *chhmc -c syslog* command to fail with an error if the specified host name contains a space.
* Expanded the width of the Hosting partition column and dropdown list in the Partition Profiles > Virtual NIC > Edit VNIC > Backing devices table.
* Extended the amount of time the Test Call Home function will wait for the PMH to be received.
* Fixed a GUI validation issue that prevented new HMC usernames from containing a dash ('-').
* Fixed a rare issue that can cause a system firmware update for an Enterprise BMC-based managed system to fail with the error "/HSCF0319E An error occurred while attempting to swap the service processor temporary and permanent sides/."
* Fixed a rare issue that caused a managed system to transition into Incomplete state after an Initialize system task was run on the other HMC connected to the managed system.
* Fixed a rare timing issue that can cause VMI information to be missing from the HMC for one of the VMI interfaces for an Enterprise BMC-based managed system after the HMC is restarted.
* Fixed an issue for Chinese and Taiwanese locales which caused firmware updates on Enterprise BMC-based managed systems to fail with the error "/No firmware image specified for system type BMC/".
* Fixed an issue preventing dump functions from working for Enterprise BMC-based managed systems when there is a connection from the HMC to the Enterprise BMC but no connection to the VMI.
* Fixed an issue that can cause a Communication Problem to occur when launching the GUI VIOS Validate Maintenance Readiness and Prepare panel when the VIOS has a large number of disks.
* Fixed an issue that can cause a deploy system template operation to hang and SRC E35A0063 to be reported when the deploy operation installs one or more Virtual I/O Servers using NIM.
* Fixed an issue that can cause an Enterprise BMC-based managed system to remain in No Connection state after losing connection then reconnecting to the VMI such as during a system firmware update.
* Fixed an issue that can cause SRC E3325009 to be reported when the host name of another HMC in the network has changed.
* Fixed an issue that can cause SRC E3551234 to be reported when the HMC is briefly unable to communicate with the in-band BMC during a BMC credentials check.
* Fixed an issue that can cause SRCs E3550421, E3D46FFF, or E3D43103 to be reported when an HMC with a firmware version earlier than 1030 tries to use a discovered HMC with version 1030 or later as a call home server.
* Fixed an issue that can cause the GUI to launch a blank page when launching any of the Firmware actions from the System actions menu available on the systems GUI for a system.
* Fixed an issue that can cause the HMC to temporarily show Incomplete state when connecting a server with a single all resources partition profile.
* Fixed an issue that can cause the Save HMC upgrade data task to fail because the upgrade partition is full due to user-created profile data backup files with file names that have leading spaces.
* Fixed an issue that can cause the wrong hosting partition to be shown in the Partition Profiles > Virtual NIC > Edit VNIC > Backing devices table.
* Fixed an issue that can intermittently cause the GUI window to go blank, especially when performing a system firmware update operation.
* Fixed an issue that can prevent Performance and Capacity Monitoring (PCM) from being enabled.
* Fixed an issue that caused SRC E3550046 to be reported and a task error to occur when an HMC user with the hmcviewer task role clicks the Serviceable events link under Quick links on the GUI dashboard.
* Fixed an issue that caused the GUI Performance > Turn on/off performance data collection panel to hang while loading when the PCM or Postgres service is not running.
* Fixed an issue that caused the HMC to send email notifications to customers of unsuccessful transmission of hardware service information of WWPN.xml files for managed systems.
* Fixed an issue that caused the *host* command to fail with a segmentation fault.
* Fixed an issue that caused the message "/The system is not capable of Huge Page Memory/." to always be shown on the Partition Memory GUI under Advanced Settings even when the system is capable of Huge Page Memory.
* Fixed an issue that caused the modification of an existing HMC user task role to fail with "/HSCL350E Input error: An invalid task has been specified/." when no invalid tasks were specified.
* Fixed an issue that caused WWPNs to always be shown as N/A for IBM i partitions on the Partition Profiles > Virtual adapters > Edit virtual fibre channel adapter page.
* Fixed an issue that causes automatic renewal of the Update Access Keys (UAKs) for managed systems to renew the UAK for only one managed system each time the automatic renewal process runs.
* Fixed an issue that causes the GUI to display a blank System profiles page when system profiles exist.
* Fixed an issue that causes the password included in the proxy URI specified with the chsvc --http or --socks parameter to be shown in the console event log and logged in clear text. This issue only occurs when the user ID specified in the proxy URI contains a '@' character.
* Fixed an issue that incorrectly caused SRC B3031008 to be called home in a NovaLink co-managed environment when the HMC is not the PowerVM management controller.
* Fixed an issue that prevented a change to the physical attention LED state for an Enterprise BMC-based managed system from being reflected on the HMC GUI when the change was initiated on another HMC or by the system itself.
* Fixed an issue that prevented a user with a custom task role from being able to power on a system using the new GUI.
* Fixed an issue that prevented tasks from being launched from the Systems, Partitions, and VIOS tables in the Tags view in the new GUI.
* Fixed an issue where creating a system plan with hardware discovery for inactive partitions causes the current partition configuration and, if profile synchronization is enabled, the last activated profile to be overwritten by the default profile for the inactive partitions. This issue only occurs for inactive partitions that have a last activated profile and a default profile that are different.
* Fixed an issue where SR-IOV adapter settings are not restored when profile data is restored on Enterprise BMC-based managed systems.
* Fixed an issue where the HMC REST API RawMetrics/EnergyMonitor completes successfully; however, the JSON data returned reports a status of 2 and errorInfo "/[{"errorId":3019,"errorMsg":"Failed to get Power Sensor state"}]/" with some powerEnergyReading attributes missing. This issue always occurs for Enterprise BMC-based managed systems that are running FW1050 or later.
* Fixed an issue where using the GUI VIOS Create virtual SCSI adapter task or create virtual fibre channel adapter task to create a client adapter caused any recent changes made to the client partition's last activated profile that had not yet been synced to be overwritten. These tasks are now blocked when the client partition's last activated profile is in a sync suspended state. To unblock these tasks the client partition's last activated profile must be applied or activated.
* Fixed an issue which can cause the GUI Capacity on Demand Apply activation code task to time out after 2 hours without actually applying the activation code. This issue only occurs when the activation code being applied requires user confirmation.
* Fixed another issue causing a partition remote restart operation to successfully complete without configuring the partition's storage adapters on the destination managed system. This issue occurs when the source managed system is an Enterprise BMC-based managed system that is in No Connection state.
* Fixed the new GUI edit profile operation to maintain the HCN ID for each migratable SR-IOV logical port to prevent new devices in the OS from being created when the profile is activated.
* Improved the error message returned by the *lshwres -r mem --level lpar --stat* command when the partition does not support the query function.
* Increased the width of the IP address column on the partition GUI dashboard so that IPv6 addresses are fully displayed.
* Removed some incorrect validations from the Elastic CoD GUI.
* Fixed an issue that causes the *chhmccert* command to fail with a file not found error when the directory specified with the -d parameter does not end with a '/'.
* Added input validation for special characters in the HMC certificate creation panel on the old GUI dashboard.
* Fixed an issue that caused the recover profile data task to always fail to restore partition Platform KeyStore (PKS) data.
* Redesigned how redundant MSPs are selected on the partition migration Edit MSP mappings GUI. Also added a Reset all button to the Edit MSP mappings page to reset all configured MSP mappings.

Security Fixes

* Fixed Apache HTTP Server vulnerabilities: CVE-2023-38709, CVE-2023-45802, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38477, and CVE-2024-39573.
* Fixed Java vulnerabilities: CVE-2024-21131 and CVE-2024-21145.
* Fixed Kerberos vulnerabilities: CVE-2024-37370 and CVE-2024-37371.
* Fixed less vulnerability: CVE-2024-32487.
* Fixed libndp vulnerability: CVE-2024-5564.
* Fixed libssh vulnerabilities: CVE-2023-6004 and CVE-2023-6918.
* Fixed linux firmware vulnerabilities: CVE-2022-46329, CVE-2023-20592, and CVE-2023-31346.
* Fixed nghttp2 vulnerability: CVE-2024-28182.
* Fixed openssh vulnerability: CVE-2020-15778.
* Fixed libxml2 vulnerability: CVE-2024-25062.
* Fixed vulnerability for chhmccert command: CWE-532: Insertion of Sensitive Information into Log File.
* Fixed CWE-532: Insertion of Sensitive Information into Log File in console event logs.
* Addressed CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the preloginmonitor URL.
* Updated permissions of application-related files.

Command Line Changes

* The *lslparmigr* and *migrlpar* commands have been enhanced to support setting the system-level default for the type of validation to be performed for NPIV devices on partition migration validation operations.
* The *lslic* and *updlic* commands have been enhanced to support resuming a failed system firmware update or upgrade operation.
* A new option has been added to the *chhmc* command to set the Kerberos authentication logging level, and the *lshmc* command has been enhanced to display the level.
* The *chhmc* command has been enhanced to support removing redfish.event from the HMC firewall for an interface when there are no Enterprise BMC-based managed systems connected to that interface.
* The *chhmccert* and *lshmccert* commands have been enhanced to support certificate revocation lists.
* A new option has been added to the *chhmccert* command to specify a passphrase when importing from an SFTP server.
* The *lshmccert* command has been enhanced to display certificate issuer information.

Known Issues & Limitations

* When the HMC's locale is set to a locale that ends in @euro or @preeuro, the local console GUI will not load after logging in.
  To work around this issue, change the HMC's locale to a locale that does not end in @euro or @preeuro. Locales that end in @euro or @preeuro will be removed in a future release.
* The text "Label.ManageBackupProfileReact" appears in the System actions menu. It is not a valid action. This action will be removed from the menu in a future release.
* Setting the Microsoft Edge browser to a language not supported by the HMC will cause Learn More links on the GUI to fail to launch help pages with the message "/The requested help document was not found/."
* Dates, times, and numbers on the GUI Performance dashboard are shown in the format based on the HMC language instead of the browser language.
* Occasionally a Kerberos user login may fail even when the credentials are valid. As a workaround, try logging in again with the same credentials after a short delay of 15 to 30 seconds.
* The state detail for an Enterprise BMC-based system in No Connection state may be blank after the VMI network settings are cleared. To display the correct state detail, reset the connection to the system.
* After clearing the VMI network settings for an interface, the managed system may remain in No Connection state even though there is an active network connection to the other VMI interface. To work around this issue, reset the connection to the system.

Best Practices

* User sessions - The following best practices help avoid gradual performance degradation over time due to increased login sessions, as well as security vulnerabilities such as unauthorized access to active HMC sessions.
    o Log off from the HMC UI and then close the browser tab instead of directly closing the tab.
    o Set an idle session timeout for all users; do not leave the timeout as '0', which means no timeout.
* Profile recommendations - The maximum number of partition profiles suggested per partition is 10.

Installation

Installation instructions for HMC Version 10 upgrades and corrective service can be found at these locations:

* Upgrading the HMC from Version V10R1 or V10R2M1030 to V10R3M1050
* Updating, upgrading, and migrating your HMC machine code
* Update(s) for HMC V10R2M1050