Abstract
Readme documentation for IBM® Security® Key Lifecycle Manager for Distributed Platforms, Version 2.5.0 Fix Pack 3 including installation-related instructions, prerequisites and corequisites, and a list of fixes. All IBM Security Key Lifecycle Manager for Distributed Platforms fix packs are cumulative. This fix pack contains the content of all prior fix packs published to date.
Fix Pack Publication date: 7 Nov 2014
Last modified date: 30 Oct 2014
Contents
Platform support
Download locations
Prerequisites and corequisites
Known issues
Known limitations
Updates to CLI commands
Installation information
Installing the IBM Security Key Lifecycle Manager fix pack
Prior to fix pack installation
Performing the necessary tasks after fix pack installation
List of Fixes and Features
Copyright and trademark information
Document change history
IBM Security Key Lifecycle Manager Version 2.5.0 platforms supported |
---|
AIX Version 6.1 64-bit |
AIX Version 7.1 64-bit |
Red Hat Enterprise Linux Version 5 update 4 on x86 64-bit in 32-bit mode |
Red Hat Enterprise Linux Version 6 update 3 on x86 64-bit in 32-bit mode |
Red Hat Enterprise Linux Version 5 update 4 (System z) on x86 64–bit mode |
Red Hat Enterprise Linux Version 6 update 3 (System z) on x86 64–bit mode |
SuSE Linux Enterprise Server Version 10 on x86 64–bit |
SuSE Linux Enterprise Server Version 11 on x86 64–bit mode |
SuSE Linux Enterprise Server Version 11 (System z) on x86 64–bit mode |
Sun Server Solaris 10 (SPARC 64–bit in 32-bit mode) |
Windows Server 2008 R2 (64-bit in 32-bit mode for all Intel and AMD processors) Standard Edition |
Windows Server 2008 R2 (64-bit in 32-bit mode for all Intel and AMD processors) Enterprise Edition |
Windows Server 2012 (64-bit in 32-bit mode for all Intel and AMD processors) Standard Edition |
IBM Security Key Lifecycle Manager Version 2.5.0 has been certified to run on the following virtual environments. The platform running within the virtual machine must be supported by the virtual platform server and Security Key Lifecycle Manager Version 2.5.0 (see "platforms supported" table).
IBM Security Key Lifecycle Manager Version 2.5.0 virtual platforms supported |
---|
VMWare ESX/ESXi Server Versions 4.0, 5.0, 5.1 and 5.5 |
Red Hat Enterprise Virtualization/Kernel-Based Virtual Machine (RHEV/KVM) Version 5.4 |
Download IBM Security Key Lifecycle Manager Version 2.5.0 Fix Pack from IBM Fix Central:
Go to IBM Fix Central Home Page, http://www.ibm.com/support/fixcentral/
For the Product Group, select "Security Systems"
For the Product, select "IBM Security Key Lifecycle Manager"
For Installed Version, select your system's appropriate version level, i.e., 2.5.0.0
For Platform, select the appropriate platform. Choose "Continue"
At the Identify Fixes page, select the "Browse for Fixes" radio button (default) and choose "Continue".
At the Select Fixes page, choose "Fix Pack 2.5.0-ISS-SKLM-FP0003". Choose "Continue".
You may be prompted to "Sign In". If you do not have an ID, click on the "register now" link and follow the register steps as appropriate.
At the Download Options page, choose a download method. (default is "Download using Download Director")
Select the associated files and README for Fix Pack 2.5.0-ISS-SKLM-FP0003 and select "Download now".
Platforms updated by this fix pack
For current version 2.5.0 installations: This fix pack can be installed on systems with IBM Security Key Lifecycle Manager Version 2.5.0 GA or 2.5.0 FP1 or 2.5.0 FP2
Prerequisites and corequisites
IBM Security Key Lifecycle Manager Version 2.5.0 GA or 2.5.0 FP1 or 2.5.0 FP2 must be installed.
While using silent mode installation, if the installation has failed due to a wrong repository path in the response file, the user may see the following warnings:
CRIMA1002W WARNING: The following repositories are not connected:
<old repository path>
Failed to connect to one or more repositories. The repository might be unavailable for several reasons.
Check the repository is correct and accessible by verifying the following:
Verify all the repositories location is correct and available.
In case repositories require credentials, verify the credentials are correctly set in the repositories preference.
Verify if the network connection is available. For environments that use firewalls, verify that access to the repository location is available.
For environments that use proxies, verify the proxy settings are correctly set in the HTTP/FTP preference.
Update offerings require that base offerings be available. Verify the base offering is available in a repository. Use the listAvailablePackages command to view the packages available in a repository.
While using IBM Passport Advantage site, verify the connection to the site. Also verify the Passport Advantage connection in the Passport Advantage preference.
While using silent mode installation, if you see the following message:
Updated to com.ibm.sklm.aix_2.5.0.3 in the /opt/IBM/SKLMV25 directory.
WARNING: Problem at line 3, column 35: The "acceptLicense" attribute has
been deprecated. Use "-acceptLicense" command line option to accept license agreements.
CRIMA1002W WARNING: The following repositories are not connected:
<old repository path>
Failed to connect to one or more repositories. The repository might be
unavailable for several reasons.
This means you might have updated to the latest FP level. Run the wsadmin AdminTask.tklmVersionInfo() CLI to confirm that.
SKLM v2.5 GA configuration with LDAP may fail. As a fix apply SKLM v2.5 Fix Pack 2 or later and follow this technote for configuration: http://www-01.ibm.com/support/docview.wss?uid=swg21670824.
Rollback of installed FixPack is not supported
tklmServedDataList: APAR IV16269 added a new option in the tklmServedDataList command to specify the number of entries that will be displayed. This new option is outputCount.
If outputCount is 0 (zero), SKLM will display all the entries. If outputCount is not specified, SKLM will display 2000 entries. For example: print AdminTask.tklmServedDataList ('[-outputCount 3000]') will display 3000 audit entries.
Note: When setting a large outputCount value or zero, and you have a large number of audit entries, the wsadmin process may timeout.
Installing the IBM Security Key Lifecycle Manager Fix Pack
Prior to fix pack installation
Ensure that IBM Security Key Lifecycle Manager is not being utilized before installing the fix pack. If your facility has a "service maintenance outage" process, consider installing this fix pack during an arranged service outage.
A backup of your IBM Security Key Lifecycle Manager server should be performed prior to installing this fix pack. Follow the steps Backing up critical files in the Administering section of the IBM Security Key Lifecycle Manager Product Manuals.
Backup Websphere Application Server files on Windows platforms
Instruction | Command |
---|---|
Open a command prompt. | Click the Start button, click Run, type cmd and click the OK button. |
Stop the Websphere Application Server | WAS_HOME\bin\stopServer.bat server1 -username [WAS_ADMIN] -password [WAS_PASSWORD] |
Make a temporary directory | mkdir [WAS_BACKUP_DIRECTORY] |
Change to the temporary directory | cd c:\wasbackup |
Copy the files from the directory where Websphere Application Server files are installed | xcopy /y /e /d WAS_HOME c:\wasbackup |
Start the Websphere Application Server | WAS_HOME\bin\startServer.bat server1 |
Backup Websphere Application Server files on AIX, Solaris, and Linux platforms
Instruction | Command |
---|---|
Open a ksh or bash shell. | If your default shell is not ksh or bash, run "exec ksh" or "exec bash". |
Stop the Websphere Application Server | $WAS_HOME/bin/stopServer.sh server1 -username [WAS_ADMIN] -password [WAS_PASSWORD] |
Make a temporary directory | mkdir [WAS_BACKUP_DIRECTORY] |
Change to the temporary directory | cd /tmp/wasbackup |
Archive the files from the directory where Websphere Application Server is installed | tar -cvf wasbackup.tar $WAS_HOME/* |
Start the Websphere Application Server | $WAS_HOME/bin/startServer.sh server1 |
Instruction | Steps |
---|---|
Make a repository directory | Open a command prompt. Make a repository directory. |
Change directory to the directory created. | |
Download the SKLM fix pack into the repository directory. | |
Extract the downloaded file | |
Steps for installing Fix Pack for IBM Security Key Lifecycle Manager version 2.5.0 on Windows and Unix platforms in GUI mode
Instruction | Steps |
---|---|
Start Installation Manager in GUI mode | |
Set up the fix pack repository preference | |
Select the SKLM software package group | |
Provide credentials for | In the Update Packages Configuration for IBM Security Key Lifecycle Manager v2.5.0.3 |
Click on Update button | In the Update Packages > Summary panel, |
Steps for installing a fix pack for IBM Security Key Lifecycle Manager version 2.5.0 on Windows and Unix platforms in silent mode
Instruction | Steps |
---|---|
Installation Manager utility to encrypt the passwords for users as required | Open a command window, and change to the Installation_Manager_Home/eclipse/tools directory. Run the following command to generate an encrypted password: |
Make a backup of response file | Create a backup of original response file SKLM_Silent_Update_<platform>_Resp.xml by renaming it. |
Edit the response file. | Edit the silent response file "SKLM_Silent_Update_<platform>_Resp.xml" |
Install the fix pack | |
Check logs for fix pack installation success | View the log file output produced for fix pack installation success |
Performing the necessary tasks after fix pack installation.
Verify Installation - Run the wsadmin AdminTask.tklmVersionInfo() command
Open a shell (ksh or bash)
Type: cd <WAS_HOME>/bin/
Type: ./wsadmin.sh -lang jython -username <sklmadminUserID> -password <sklmadminPassword>
example: ./wsadmin.sh -lang jython -username sklmadmin -password sklmpassword
At the wsadmin> prompt type: print AdminTask.tklmVersionInfo()
Windows users:
Open a command prompt.
Type: cd <WAS_HOME>\bin
Type: wsadmin -lang jython -username <sklmadminUserID> -password <sklmadminPassword>
example: wsadmin.bat -lang jython -username sklmadmin -password sklmpassword
At the wsadmin> prompt type: print AdminTask.tklmVersionInfo()
Check the output of the tklmVersionInfo command:
IBM Security Key Lifecycle Manager Version = 2.5.0.3
IBM Security Key Lifecycle Manager Build Level = 201410300958
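The silent-mode warnings and the tklmVersionInfo check above can be combined into one scripted confirmation. The following is an added example, not IBM's code: it triages installer output using the messages quoted in this readme and decides on the fix pack level from the server-reported version. The function names are assumptions and the sample text is constructed from the messages shown on this page.

```python
import re

# Constructed sample of silent-mode Installation Manager output, built from the
# messages quoted in this readme; the repository path is a placeholder.
SAMPLE_INSTALL_LOG = """\
Updated to com.ibm.sklm.aix_2.5.0.3 in the /opt/IBM/SKLMV25 directory.
WARNING: Problem at line 3, column 35: The "acceptLicense" attribute has
been deprecated. Use "-acceptLicense" command line option to accept license agreements.
CRIMA1002W WARNING: The following repositories are not connected:
<old repository path>
"""

# tklmVersionInfo output in the format shown in this readme.
SAMPLE_VERSION_INFO = """\
IBM Security Key Lifecycle Manager Version = 2.5.0.3
IBM Security Key Lifecycle Manager Build Level = 201410300958
"""

UPDATED_RE = re.compile(
    r"^Updated to (\S+?)_(\d+(?:\.\d+)+) in the (\S+) directory\.", re.M)
VERSION_RE = re.compile(r"Key Lifecycle Manager Version\s*=\s*(\d+(?:\.\d+)+)")
BUILD_RE = re.compile(r"Key Lifecycle Manager Build Level\s*=\s*(\d+)")


def as_tuple(version):
    """'2.5.0.3' -> (2, 5, 0, 3), so levels compare numerically."""
    return tuple(int(part) for part in version.split("."))


def triage_install_log(text):
    """Report what the installer claimed and which warnings it raised."""
    m = UPDATED_RE.search(text)
    return {
        "package": m.group(1) if m else None,
        "updated_to": m.group(2) if m else None,
        "repo_warning": "CRIMA1002W" in text,
        "deprecated_accept_license": '"acceptLicense" attribute' in text,
    }


def parse_version_info(text):
    """Return (version, build_level) from tklmVersionInfo output."""
    version = VERSION_RE.search(text)
    build = BUILD_RE.search(text)
    if not version:
        raise ValueError("no version line in tklmVersionInfo output")
    return version.group(1), build.group(1) if build else None


def fix_pack_confirmed(install_log, version_info, expected="2.5.0.3"):
    """CRIMA1002W appears after both failed and successful runs, so the
    installer log is advisory; only the server-reported level decides."""
    version, _build = parse_version_info(version_info)
    return as_tuple(version) >= as_tuple(expected), triage_install_log(install_log)
```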
A backup of your IBM Security Key Lifecycle Manager server should be performed after installing this fix pack. Follow the steps Backing up critical files in the Administering section of the IBM Security Key Lifecycle Manager Product Manuals.
New Features Provided by Version 2.5.0.3
Added Support for AES 256 Master Key |
Added Support for AES 256 Backup Encryption |
Added Support for Indicating Last Used Date for Key on Key Deletion Confirmation |
Added Support for User Password Change from SKLM GUI |
Added Support for Proof of Encryption |
Added Syslog Support in Audit Logs |
Added Pending Client Cert List REST Service |
Added Pending Client Cert Accept REST Service |
Added Pending Client Cert Reject REST Service |
Added Support for Windows 2012 R2 Server Standard Edition |
New Features Provided by Version 2.5.0.2
Added support for IBM_SYSTEM_X_SED |
New Features Provided by Version 2.5.0.1
Added KMIP 1.2 Support |
Added support for JSON and XML encodings |
APAR fixes included in Fix Pack 3
| APAR No. | Sev. | Abstract |
|---|---|---|
| | 2 | REPEATED RESTORES FAILS WITH SQL2522N MORE THAN ONE BACKUP FILE MATCHES THE TIME STAMP VALUE PROVIDED FOR THE BACKED UP DATABASE IMAGE, AFTER A FAILED RESTORE |
| | 2 | SKLM 2.5 FP'S MESSED UP UNICODE CHARACTERS IN NON-EN LOCALE TO "??????" IN GUI |
| | 2 | SKLM AUTOBACKUP.BAT FAILS TO INTERPRET PATH IN TIPHOME |
APAR fixes included in Fix Pack 2
| APAR No. | Sev. | Abstract |
|---|---|---|
| | 2 | THIRD PARTY CERTIFICATE IS NOT IMPORTED/EXPORTED CORRECTLY |
| | 2 | DS5000 DEVICES REGISTERED KEYS ARE NOT SERVED |
| | 2 | LINUX NON-ROOT INSTALLATION REQUIRES AN SSL PORT GREATER THAN WELL KNOW PORTS 1023 |
| | 2 | KMIP TRANSACTION FAILS AFTER UPGRADING TO 2.5 OF SKLM. SEE JAVA.LANG.NULLPOINTEREXCEPTIONIN DEBUG LOG |
| | 2 | INAPPROPRIATE ERROR MEESAGE RETURNED WHEN KMIP GET MESSAGE CONTAINS WRONG DEVICE GROUP |
| | 2 | CLI TKLMKMIPTEMPLATELIST IS NOT DISPLAYING THE REGISTERED KMIP TEMPLATE |
| | 2 | ADDING SYSTEM_X TO KLM |
| | 2 | SKLM UI GETTING LOGGED OUT |
| | 2 | SKLMV2.5 FIX PACK INSTALLATION FAILS WHEN INSTALLING AS NON ROOT ON LINUX SYSTEM |
| | 2 | DISABLE SSL WEAK AND MEDIUM CIPHER SUITES FOR KMIP |
| | 2 | NEWLY CREATED CERTIFICATE NOT SUPPORTING LEASETIME |
| | 2 | RECERTIFY() DIES IF A PKCS10 CERT REQUEST IS SUPPLIED |
| | 2 | GUI DOESN'T DISPLAY SECRETDATA OBJECT |
| | 2 | CANNOT PERFORM MODIFY OPERATION ON DS5000 DEVICES AND ITS FAMILIES. |
| | 2 | LEASETIME IS VALID ATTRIBUTE EVEN IF OBJECT STATE IS REVOKED OR REVOKED_COMPROMISED |
| | 2 | EVALUATE MAX_RESPONSE_SIZE IN TTLV TERMS |
| | 2 | SKLM V2.5 CONFIGURATION WITH LDAP FAILS |
APAR fixes included in Fix Pack 1
| APAR No. | Sev. | Abstract |
|---|---|---|
| | 3 | ON AIX PLATFORM RESTORE OPERATION FAILS DUE TO FILE PERMISSION ISSUE |
| | 3 | CERTIFICATE ASSOCIATED WITH JAG DEVICE CANNOT BE REMOVED |
| | 3 | ADDING A DEVICEGROUP FROM REST FOR DEVICEFAMILY GPFS FAILS |
| | 3 | WHEN WE LIST DEVICEGROUPS FROM REST/CLI IT DOES NOT LIST GPFS |
| | 3 | USING REST WHEN WE LIST DEVICEGROUPS FOR ANY TYPE IT DOES NOT LIST 2000 RECORDS |
| | 3 | REST SERVICE ATTRIBUTE NAME "ADDNEWCERTSTOPENDING" IS INCORRECTLY DISPLAYED AS "DEVICE.ADDNEWCERTSTOPENDING" |
| | 3 | THE SKLM V2.5 "SILENT INSTALL" METHOD REQUIRES ENCRYPTED PASSWORDS IN THE SKLM_RESPONSE FILE. |
| | 1 | SKLMADMIN GUI LOGIN GETS WHITE SCREEN USING IE9 |
| | 1 | SECURITYKEYLIFECYCLEMANAGER_WAS.INIT FILE CONTAINS PASSWORD FOR WAS ADMIN'S USERID IN CLEAR TEXT ON LINUX SYSTEM |
| | 2 | INSTALL OF 2.5 FAILS WITH ERROR COMPLAINING ABOUT NOT ENOUGH SPACE IN FILE SYSTEM EVEN AFTER PREREQ CHECKING PASSED |
| | 2 | THE 2.5 DOCUMENTATION INCORRECTLY REFERENCES THE REPLICATION PROPERTIES FILE AS REPLICATIONSKLMGRCONFIG.PROPERTIES |
| | 2 | ECDSA ALGORITHM SHOULD NOT BE ALLOWED FOR 3592 OR DS8000 DEVICE GROUPS FROM REST INTERFACE |
Copyright and trademark information
http://www.ibm.com/legal/copytrade.shtml
Notices
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Microsoft, Windows, and Windows Server are trademarks of Microsoft Corporation in the United States, other countries, or both.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Other company, product, or service names may be trademarks or service marks of others.
THIRD-PARTY LICENSE TERMS AND CONDITIONS, NOTICES AND INFORMATION
The license agreement for this product refers you to this file for details concerning terms and conditions applicable to third party software code included in this product, and for certain notices and other information IBM must provide to you under its license to certain software code. The relevant terms and conditions, notices and other information are provided or referenced below. Please note that any non-English version of the licenses below is unofficial and is provided to you for your convenience only. The English version of the licenses below, provided as part of the English version of this file, is the official version.
Notwithstanding the terms and conditions of any other agreement you may have with IBM or any of its related or affiliated entities (collectively "IBM"), the third party software code identified below are "Excluded Components" and are subject to the following terms and conditions:
the Excluded Components are provided on an "AS IS" basis
IBM DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES AND CONDITIONS WITH RESPECT TO THE EXCLUDED COMPONENTS, INCLUDING, BUT NOT LIMITED TO, THE WARRANTY OF NON-INFRINGEMENT OR INTERFERENCE AND THE IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
IBM will not be liable to you or indemnify you for any claims related to the Excluded Components
IBM will not be liable for any direct, indirect, incidental, special, exemplary, punitive or consequential damages with respect to the Excluded Components.
Change Date | Reason | Modified by |
---|---|---|
28/10/14 | Create initial draft for 2.5.0-ISS-SKLM-FP0003 | PSR |
30/10/14 | Included review comments | PSR |