IBM Security Key Lifecycle Manager Version 3.0.0 - Distributed Platforms Fix Pack 4 README


Abstract

Readme documentation for IBM Security Key Lifecycle Manager for Distributed Platforms, Version 3.0.0 Fix Pack 4 (3.0.0.4) including installation-related instructions, prerequisites and corequisites, and a list of fixes.   

Fix pack publish date: 27th July 2020


Contents

List of fixes and features
Download instructions
Supported platforms
Prerequisites
Known issues
Known limitations

Installation information
Installing the IBM Security Key Lifecycle Manager fix pack
Installing fix pack when IBM Security Key Lifecycle Manager Multi-Master environment is set up
Uninstalling the IBM Security Key Lifecycle Manager along with fix pack

Copyright and trademark information


List of fixes and features

Features included in Version 3.0.0.4

Security fixes

Features included in Version 3.0.0.3

  1. Security fixes.
  2. Performance improvements for KMIP QUERY in Multi-Master configuration.

Features included in Version 3.0.0.2

  1. Added support for PEER_TO_PEER device group.

Features included in Version 3.0.0.1

  1. Enabled write capability on an IBM Security Key Lifecycle Manager master server, which is isolated from the Multi-Master setup.
  2. Added support for KMIP 2.0, and made enhancements to the KMIP 1.4 support.
  3. IBM Security Key Lifecycle Manager is now General Data Protection Regulation (GDPR) compliant.
  4. Regular backups from IBM Security Key Lifecycle Manager v2.6 and v2.7 can be restored on v3.0.0.1.
 

APAR fixes included in Version 3.0.0.4

None

APAR fixes included in Version 3.0.0.3

None

APAR fixes included in Version 3.0.0.2

APAR No.  Sev.  Abstract
IJ04428   3     HELP CONTENT DOES NOT APPEAR ON INTERNET EXPLORER.
IJ05708   3     MIGRATION RESTORE FAILS WITH JAVA.LANG.ILLEGALARGUMENTEXCEPTION:CAN NOT SET JAVA.LANG.STRING FIELD.
IJ07781   3     CROSS MIGRATION OF SKLM WITH HSM TO V3.0 SKLM WITH HSM IS FAILING.
IJ08572   3     GUI BUTTON CHANGES BACK TO 'STARTING THE REPLICATION SERVER' STATUS IN REPLICATION PAGE.

APAR fixes included in Version 3.0.0.1

APAR No.  Sev.  Abstract
IJ05547   3     3RD PARTY CERTIFICATE FAILS TO BE IMPORTED WITH MULTI-MASTER ERRORS.
IJ04715   3     THE STEP OF ADDING THE ENCRYPTED PASSWORD INTO THE RESPONSE FILE IS MISSING IN THE PROCEDURE OF UNINSTALLING IN SILENT MODE.

 


Download instructions

  1. Go to IBM Fix Central home page: http://www.ibm.com/support/fixcentral/
  2. In the Product selector field, type IBM Security Key Lifecycle Manager, and select the product name when it appears.
  3. From the Installed Version list, select 3.0.0
  4. From the Platform list, select the appropriate platform, and click Continue.
  5. On the Identify Fixes page, ensure that the Browse for Fixes is selected, and click Continue.
  6. On the Select Fixes page, select fix pack 3.0.0-ISS-SKLM-FP0004, and click Continue.
    You might be prompted to Sign In.  If you do not have an ID, click the Register now link and follow the registration steps as appropriate.
  7. On the Download options page, select a download method (default is Download using Download Director).
  8. Select the associated files and README for fix pack: 3.0.0-ISS-SKLM-FP0004 and click Download now.

Supported platforms

See IBM Security Key Lifecycle Manager Support Matrix.


Fix pack files per platform

Product/Component name (all platforms): IBM Security Key Lifecycle Manager version 3.0.0 Fix Pack - 3.0.0-ISS-SKLM-FP0004

Platform            File name
AIX                 3.0.0-ISS-SKLM-FP0004-AIX.tar.gz
Linux               3.0.0-ISS-SKLM-FP0004-Linux.tar.gz
zLinux (System z)   3.0.0-ISS-SKLM-FP0004-zLinux.tar.gz
Linux PPC           3.0.0-ISS-SKLM-FP0004-LinuxPPC.tar.gz
Windows             3.0.0-ISS-SKLM-FP0004-Windows.zip


Known issues

  1. IBM Security Key Lifecycle Manager installation fails on Red Hat Enterprise Linux, Version 6.7. Installation of IBM Security Key Lifecycle Manager, Version 3.0 halts during the IBM WebSphere Application Server profile creation process and goes into an irrecoverable state. To install IBM Security Key Lifecycle Manager, Version 3.0 on Red Hat Enterprise Linux, Version 6.7, follow the steps given in the technote before you start the SKLM installation.
  2. While installing IBM Security Key Lifecycle Manager 3.0.0.4, the panel to validate the password has the "Validate Credentials" button enabled even before the Database password is entered. Users can safely ignore this, enter all the passwords, and then click the Validate Credentials button.
  3. In some cases, after a master is deleted from the Multi-Master setup, the DB2 HADR status might appear as RED in the UI. This is only a UI error; the underlying HADR functionality is active. To verify that HADR is working, run the db2pd command as a DB administrator / instance user and check the HADR status.
    Usage: db2pd -d DATABASE_NAME -hadr
    Example: db2pd -d sklmdb30 -hadr

  4. Regular restore of data from one IBM Security Key Lifecycle Manager server configured with HSM to another IBM Security Key Lifecycle Manager server (different Operating system than source) configured with same HSM fails.
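
For known issue 3, an added example (not part of the IBM README or the product) that reads saved db2pd -d sklmdb30 -hadr output and reports any standby that is not connected or not in its expected state. The sample output is constructed, and the rule that a SUPERASYNC standby is expected in REMOTE_CATCHUP rather than PEER is an assumption about Db2 HADR behaviour that this README does not state.

```python
# Constructed sample in the "KEY = value" layout that db2pd -hadr prints;
# on the primary there is one block per standby. Not captured from a real system.
SAMPLE = """\
Database Member 0 -- Database SKLMDB30 -- Active -- Up 3 days 02:11:40

                            HADR_ROLE = PRIMARY
                        HADR_SYNCMODE = SYNC
                           STANDBY_ID = 1
                           HADR_STATE = PEER
                  HADR_CONNECT_STATUS = CONNECTED

                            HADR_ROLE = PRIMARY
                        HADR_SYNCMODE = SUPERASYNC
                           STANDBY_ID = 2
                           HADR_STATE = REMOTE_CATCHUP
                  HADR_CONNECT_STATUS = CONNECTED
"""


def parse_hadr(text):
    """Split db2pd -hadr output into one dict per HADR block."""
    blocks = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # banner and blank lines carry no "KEY = value" pair
        key, value = key.strip(), value.strip()
        if key == "HADR_ROLE":  # first field of every block
            blocks.append({})
        if blocks:
            blocks[-1][key] = value
    return blocks


def hadr_problems(blocks):
    """Return one message per block that is not connected and in its expected state."""
    if not blocks:
        return ["no HADR block found in the output"]
    problems = []
    for block in blocks:
        mode = block.get("HADR_SYNCMODE", "")
        state = block.get("HADR_STATE", "")
        connect = block.get("HADR_CONNECT_STATUS", "")
        # Assumption: SUPERASYNC standbys stay in REMOTE_CATCHUP and never
        # reach PEER; every other sync mode is expected to be in PEER.
        expected = "REMOTE_CATCHUP" if mode == "SUPERASYNC" else "PEER"
        if connect != "CONNECTED" or state != expected:
            problems.append(
                f"standby {block.get('STANDBY_ID', '?')}: state={state or '?'} "
                f"(expected {expected}), connect={connect or '?'}")
    return problems


if __name__ == "__main__":
    for message in hadr_problems(parse_hadr(SAMPLE)) or ["HADR looks healthy"]:
        print(message)
```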

Known limitations

  1. Rollback of installed fix pack is not supported.

Installing the fix pack

Installing a fix pack involves the following steps:

A. Complete the prerequisites.

B. Prepare to install the fix pack.

C. Install the fix pack.

D. Complete the post fix-pack installation tasks.

Prerequisites

  1. Ensure that IBM Security Key Lifecycle Manager, Version 3.0.0 GA, 3.0.0 fix pack 1 (3.0.0.1), 3.0.0 fix pack 2 (3.0.0.2) or 3.0.0 fix pack 3 (3.0.0.3) is already installed.
  2. Ensure that the tmp directory does not contain KLMPrev.properties. If it is present, rename or remove this file before you start applying the fix pack.
  3. Ensure that IBM Security Key Lifecycle Manager is not in use.
  4. Back up the IBM Security Key Lifecycle Manager server. For instructions, see Configuring backup and restore.
  5. Back up the WebSphere Application Server files. For instructions, see the following table:

     S.No. 1. Windows - Open a command prompt. Linux / AIX - Open a ksh or bash shell.
       Windows:    Click the Start button, click Run, type cmd, and click the OK button.
       UNIX/Linux: If your default shell is not ksh or bash, run "exec ksh" or "exec bash".

     S.No. 2. Stop WebSphere Application Server.
       Windows:    WAS_HOME\bin\stopServer.bat server1 -username WAS_ADMIN -password WAS_PASSWORD
       UNIX/Linux: WAS_HOME/bin/stopServer.sh server1 -username WAS_ADMIN -password WAS_PASSWORD

     S.No. 3. Make a temporary directory.
       Windows:    mkdir WAS_BACKUP_DIRECTORY
                   For example: mkdir c:\wasbackup
       UNIX/Linux: mkdir WAS_BACKUP_DIRECTORY
                   For example: mkdir /tmp/wasbackup

     S.No. 4. Change directory to the temporary directory.
       Windows:    cd c:\wasbackup
       UNIX/Linux: cd /tmp/wasbackup

     S.No. 5. Copy or archive the files from the directory where WebSphere Application Server is installed.
       Windows:    xcopy /y /e /d WAS_HOME c:\wasbackup
       UNIX/Linux: tar -cvf wasbackup.tar WAS_HOME/*

     S.No. 6. Start WebSphere Application Server.
       Windows:    WAS_HOME\bin\startServer.bat server1
       UNIX/Linux: WAS_HOME/bin/startServer.sh server1

     Where:
     WAS_HOME is the directory where WebSphere Application Server is installed.
       Windows default:    C:\Program Files\IBM\WebSphere\AppServer
       UNIX/Linux default: /opt/IBM/WebSphere/AppServer

 

Prepare to install the fix pack

S. No.

Instruction

Steps

1. 

Make a repository directory.

  1. Open a command prompt.
  2. Make a repository, that is, a directory where you extract the fix pack installer.

Windows

Default repository directory is C:\sklminstall_windowsfp
mkdir C:\sklminstall_windowsfp

UNIX/Linux

Default repository directory is /sklminstall_linuxfp
mkdir /sklminstall_linuxfp

2.

Change directory to the repository directory.

Windows

cd C:\sklminstall_windowsfp

UNIX/Linux

cd /sklminstall_linuxfp

3.

Download the fix pack into the repository directory.

See Download Instructions

4.

Extract the downloaded file.

Windows

3.0.0-ISS-SKLM-FP0004-Windows.zip

UNIX/Linux

For example: 3.0.0-ISS-SKLM-FP0004-Linux.tar.gz

Note: Use the platform-specific file.

 

Installing the fix pack by using the graphical user interface

S. No.

Instruction

Steps

1. 

Stop WebSphere Application Server, update Java SDK, and then start Installation Manager in GUI mode.

Windows

  1. Open a command prompt, and change the directory to the repository directory.
    For example:

    C:\sklminstall_windowsfp
  2. Run the following command:
    updateSKLM.bat IM_INSTALL_LOCATION WAS_HOME WAS_ADMIN WAS_PASSWORD

For example:
updateSKLM.bat "c:\Program Files\IBM\Installation Manager" "c:\Program Files\IBM\WebSphere\AppServer" wasadmin wasadminpwd

UNIX/Linux

  1. Open a command prompt, and change the directory to the repository directory.
    For example:

    /sklminstall_linuxfp
  2. Run the following commands:

chmod +x ./updateSKLM.sh

./updateSKLM.sh IM_INSTALL_LOCATION WAS_HOME WAS_ADMIN WAS_PASSWORD

For example:
./updateSKLM.sh /opt/IBM/InstallationManager /opt/IBM/WebSphere/AppServer wasadmin wasadminpwd

Where:

IM_INSTALL_LOCATION refers to the installation root directory for IBM Installation Manager.
Default value:
Windows:

c:\Program Files\IBM\Installation Manager
Linux:
/opt/IBM/InstallationManager

WAS_HOME refers to installation root directory for WebSphere Application Server (WAS).
Default value:
Windows: 

c:\Program Files\IBM\WebSphere\AppServer 
Linux:
/opt/IBM/WebSphere/AppServer

WAS_ADMIN refers to the ID for the WebSphere Application Server Administrator.

WAS_PASSWORD refers to the password for the WebSphere Application Server Administrator.

2.

Select the IBM Security Key Lifecycle Manager, Version 3.0.0 software package group.

1.     Select the base offering software package group (IBM Security Key Lifecycle Manager, Version 3.0.0).

2.     Click Next.

3.     In the Update Packages panel, select Version 3.0.0.4, and click Next.

3.

Provide credentials for WebSphere Application Server admin user (default: wasadmin), SKLM admin user (default: SKLMAdmin) and Db2 user (default: sklmdb30).

  1. In the Update Packages Configuration for IBM Security Key Lifecycle Manager v3.0.0.4 panel:
    • Enter Username and Password for Application Server Administrator.
    • Enter Username and Password for IBM Security Key Lifecycle Manager Application Administrator.
    • Enter Username and Password for IBM DB2 user.
  2. Click Validate Credentials.
    Validation might take a few minutes. Wait till the Next button is enabled.
  3. Click Next.
4.

Complete the final step.

In the Update Packages > Summary panel, review the software packages that you want to install, and click Update.
After Installation Manager successfully updates the fix pack for the services that you select, a message is displayed.

 

Installing a fix pack silently

S. No.

Instruction

Steps

1. 

Launch the Installation Manager utility to encrypt the passwords for users as required.

  1. Open a command prompt.
  2. Change the directory to the IM_INSTALL_LOCATION/eclipse/tools directory.

Windows

Run the following command to generate an encrypted password:
imcl.exe encryptString password_to_encrypt

UNIX/Linux

Run the following command to generate an encrypted password:
./imcl encryptString password_to_encrypt

2.

Back up the response file.

Rename the original response file to create a backup of the file: 
SKLM_Silent_Update_platform_Resp.xml
For example: SKLM_Silent_Update_platform_Resp_original.xml

The response file is located in the repository/sklm directory where the fix pack is extracted.

3.

Edit the response file.

Windows

Edit the response file SKLM_Silent_Update_platform_Resp.xml.

  1. Edit the repository location to point to the current location of the installer.
    Sample:

    <repository location='C:\sklminstall_windowsfp\sklm'/>

  2. Edit WASAdmin user name and password (Password needs to be encrypted).
    Sample:

    <data key='user.WAS_ADMIN_ID,com.ibm.sklm30.win' value='wasadmin'/>
    <data key='user.WAS_ADMIN_PASSWORD,com.ibm.sklm30.win' value='e9PjN93MeQxwnSs9VXJFMw=='/>


  3. Edit SKLMAdmin user name and password (Password needs to be encrypted).
    Sample:

    <data key='user.SKLM_ADMIN_ID,com.ibm.sklm30.win' value='SKLMAdmin'/>
    <data key='user.SKLM_ADMIN_PASSWORD,com.ibm.sklm30.win' value='9YTRJMRIydDSdfhaHPs1ag=='/>


  4. Edit Db2 user name and password (Password needs to be encrypted).
    Sample:

    <data key='user.DB2_ADMIN_PWD,com.ibm.sklm30.db2.win.ofng' value='sklmdb30'/>
    <data key='user.CONFIRM_PASSWORD,com.ibm.sklm30.db2.win.ofng' value='QTh/0AiFvrljhs9gnOYkGA=='/>


UNIX/Linux

Edit the response file: SKLM_Silent_Update_platform_Resp.xml

  1. Edit the repository location to point to the current location of the installer.
    Sample for Linux:

    <repository location='/sklminstall_linuxfp/sklm'/>

  2. Edit WASAdmin user name and password (Password needs to be encrypted).
    Sample:

    <data key='user.WAS_ADMIN_ID,com.ibm.sklm30.linux' value='wasadmin'/>
    <data key='user.WAS_ADMIN_PASSWORD,com.ibm.sklm30.linux' value='e9PjN93MeQxwnSs9VXJFMw=='/>


  3. Edit SKLMAdmin user name and password (Password needs to be encrypted).
    Sample:

    <data key='user.SKLM_ADMIN_ID,com.ibm.sklm30.linux' value='SKLMAdmin'/>
    <data key='user.SKLM_ADMIN_PASSWORD,com.ibm.sklm30.linux' value='9YTRJMRIydDSdfhaHPs1ag=='/>


  4. Edit the user name and password of the Db2 user (Password needs to be encrypted).
    Sample:

    <data key='user.DB2_ADMIN_ID,com.ibm.sklm30.db2.lin.ofng' value='sklmdb30'/>
    <data key='user.DB2_ADMIN_PWD,com.ibm.sklm30.db2.lin.ofng' value='QTh/0AiFvrljhs9gnOYkGA=='/>

4.

Install the fix pack.

Windows

  1. Open a command prompt, and change the directory to the repository directory.

For example: C:\sklminstall_windowsfp

  2. Run the following command:

silent_updateSKLM.bat IM_INSTALL_LOCATION WAS_HOME WAS_ADMIN WAS_PASSWORD

For example:

silent_updateSKLM.bat "c:\Program Files\IBM\Installation Manager" "c:\Program Files\IBM\WebSphere\AppServer" wasadmin wasadminpwd

UNIX/Linux

  1. Open a command prompt, and change the directory to the repository directory.
    For example:
    /sklminstall_linuxfp
     
  2. Run the following commands:

chmod +x ./silent_updateSKLM.sh

./silent_updateSKLM.sh IM_INSTALL_LOCATION WAS_HOME WAS_ADMIN WAS_PASSWORD

For example:

./silent_updateSKLM.sh /opt/IBM/InstallationManager /opt/IBM/WebSphere/AppServer wasadmin wasadminpwd

Where:

IM_INSTALL_LOCATION refers to the installation root directory for IBM Installation Manager.

Default value: 
Windows: 

C:\Program Files\IBM\Installation Manager
Linux: 
/opt/IBM/InstallationManager

WAS_HOME refers to installation root directory for WebSphere Application Server.
Default value:
Windows:

C:\Program Files\IBM\WebSphere\AppServer
Linux:
/opt/IBM/WebSphere/AppServer

WAS_ADMIN refers to the ID for the WebSphere Application Server Administrator.

WAS_PASSWORD refers to the password for the WebSphere Application Server Administrator.

5.

Verify the installation.

Review the log file to confirm a successful installation.
Log files are located at:
Installation_Manager_Home/logs/native
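
A pre-flight check for the response file edited in step 3, as an added example (not IBM's code and not part of the fix pack). It assumes the key names shown in the README's UNIX/Linux samples; the sample file is constructed, and the "looks encrypted" test is a heuristic inferred from the README's sample values (base64 that decodes to a multiple of 16 bytes), not a documented property of imcl encryptString.

```python
import base64
import binascii
import os
import tempfile
import xml.etree.ElementTree as ET

# Key names (the part before the comma) from the README's UNIX/Linux samples.
LINUX_KEYS = ("user.WAS_ADMIN_ID", "user.WAS_ADMIN_PASSWORD",
              "user.SKLM_ADMIN_ID", "user.SKLM_ADMIN_PASSWORD",
              "user.DB2_ADMIN_ID", "user.DB2_ADMIN_PWD")
SECRET_MARKERS = ("PASSWORD", "PWD")

# Constructed sample, not a real response file. The Db2 password is left in
# clear text on purpose; {repo} is filled in by demo().
SAMPLE = """<agent-input><server><repository location='{repo}'/></server><profile>
<data key='user.WAS_ADMIN_ID,com.ibm.sklm30.linux' value='wasadmin'/>
<data key='user.WAS_ADMIN_PASSWORD,com.ibm.sklm30.linux' value='e9PjN93MeQxwnSs9VXJFMw=='/>
<data key='user.SKLM_ADMIN_ID,com.ibm.sklm30.linux' value='SKLMAdmin'/>
<data key='user.SKLM_ADMIN_PASSWORD,com.ibm.sklm30.linux' value='9YTRJMRIydDSdfhaHPs1ag=='/>
<data key='user.DB2_ADMIN_ID,com.ibm.sklm30.db2.lin.ofng' value='sklmdb30'/>
<data key='user.DB2_ADMIN_PWD,com.ibm.sklm30.db2.lin.ofng' value='db2-clear-text'/>
</profile></agent-input>"""

def looks_encrypted(value):
    """Heuristic (assumption drawn from the README samples): base64 text that
    decodes to a non-empty multiple of 16 bytes."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and len(raw) % 16 == 0

def check_response_file(path, required_keys=LINUX_KEYS):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError as exc:  # e.g. an attribute that lost its closing quote
        return [f"not well-formed XML: {exc}"]
    locations = [r.get("location", "") for r in root.iter("repository")]
    findings = [f"repository location is not a directory: {loc}"
                for loc in locations if not os.path.isdir(loc)]
    if not locations:
        findings.append("no <repository location='...'/> element")
    data = {}
    for element in root.iter("data"):
        name = element.get("key", "").split(",", 1)[0]  # drop ",com.ibm..." suffix
        data[name] = element.get("value", "")
    findings += [f"missing or empty: {key}" for key in required_keys if not data.get(key)]
    for name, value in data.items():
        secret = any(marker in name.upper() for marker in SECRET_MARKERS)
        if secret and value and not looks_encrypted(value):
            findings.append(f"{name}: value does not look like imcl encryptString output")
    if os.name == "posix" and os.stat(path).st_mode & 0o077:
        findings.append("file is accessible to group or other users")
    return findings

def demo():
    """Write the constructed sample into a temp directory and check it."""
    with tempfile.TemporaryDirectory() as repo:
        path = os.path.join(repo, "resp.xml")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)  # owner-only from creation
        with open(fd, "w") as handle:
            handle.write(SAMPLE.format(repo=repo))
        return check_response_file(path)

if __name__ == "__main__":
    print(demo())
```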



Post fix-pack installation

  1. Use one of the following methods to verify the installation.

  2. Back up the IBM Security Key Lifecycle Manager server. For more information, see Configuring backup and restore.


Installing IBM Security Key Lifecycle Manager with the fix pack when a Multi-Master environment is set up

Prerequisites 
If the original primary master server is currently acting as a standby master server, promote it to primary, and then install the fix pack. Otherwise, the database updates are not applied to the cluster.

To promote a master server to primary, see Promote to primary. 

To install the fix pack
  1. Stop WebSphere Application Server on all the master servers, in any sequence.
    1. Open a command prompt.
    2. Go to the WAS_HOME\bin directory.
      Windows

      C:\Program Files\IBM\WebSphere\AppServer\bin
      Linux
      /opt/IBM/WebSphere/AppServer/bin

       
  2. Stop the IBM Security Key Lifecycle Manager server.
    Windows

    stopServer.bat server1 -username wasadmin -password mypwd
    Linux
    ./stopServer.sh server1 -username wasadmin -password mypwd

  3. Stop Agent on all the master servers, in any sequence.
    1. Open a command prompt.
    2. Go to the SKLM_INSTALL_HOME\agent directory.
      Windows
      C:\Program Files\IBM\SKLMV30\agent
      Linux
      /opt/IBM/SKLMV30/agent
    3. Stop the Agent.
      Windows
      stopAgent.bat WAS_HOME
      For example: stopAgent.bat "C:\Program Files\IBM\WebSphere\AppServer"
      Linux
      ./stopAgent.sh WAS_HOME
      For example: ./stopAgent.sh /opt/IBM/WebSphere/AppServer
       
  4. Apply fix pack on each master server and verify the installation. Perform this step in the following sequence: 
    1. Primary master server
    2. Principal standby master server
    3. Auxiliary standby master servers
    4. Non-HADR master servers

      For steps to install the fix pack, see Installing the fix pack.
      To verify the installation: 
      1. Log in to IBM Security Key Lifecycle Manager and check the version number.
      2.  Ensure that the master server is running and available for use.

Uninstalling the fix pack


Important: The following steps uninstall the entire product package, including IBM Security Key Lifecycle Manager, IBM Db2, and WebSphere Application Server, and all your data will be lost. Take a backup before uninstalling.

Uninstalling IBM Security Key Lifecycle Manager with the fix pack by using the graphical user interface

S. No.

Instruction

Steps

1. 

Complete the prerequisites

Stop the WebSphere Application Server.

2. 

Uninstall IBM Security Key Lifecycle Manager. 

Windows

  1. Browse to IM_INSTALL_LOCATION\eclipse and double-click IBMIM to start IBM Installation Manager in GUI mode.
  2. In IBM Installation Manager, click Uninstall. The Uninstall Packages window opens.
  3. Select the check boxes to uninstall IBM Security Key Lifecycle Manager, Db2, and the WebSphere Application Server.
  4. Click Next. Type the WebSphere Application Server Administrator user ID and the password.
  5. Click Next. The Summary panel opens.
  6. Review the software packages to be uninstalled and their installation directories; click Uninstall.

Unix/Linux

  1. Browse to IM_INSTALL_LOCATION/eclipse and run IBMIM.
  2. In IBM Installation Manager, click Uninstall. The Uninstall Packages window opens.
  3. Select the check boxes to uninstall IBM Security Key Lifecycle Manager, DB2, and the WebSphere Application Server.
  4. Click Next. Type the WebSphere Application Server Administrator user ID and the password.
  5. Click Next. The summary panel opens.
  6. Review the software packages to be uninstalled and their installation directories.
  7. Click Uninstall.

Uninstalling IBM Security Key Lifecycle Manager with the fix pack silently

S. No.

Instruction

Steps

1. 

Go to the repository directory.

1. Go to the repository directory.
For example:
Windows:

c:\sklminstall_windowsfp
Linux:
/sklminstall_linuxfp

2. Back up the original response file SKLM_Uninstall_platform_Resp.xml by renaming it to SKLM_Uninstall_platform_Resp_original.xml.

3. Edit the silent response file SKLM_Uninstall_platform_Resp.xml.
Edit WASAdmin user name and password (password needs to be encrypted).
Windows
Sample:

<data key='user.WAS_ADMIN_ID,com.ibm.sklm30.win' value='wasadmin'/>
<data key='user.WAS_ADMIN_PASSWORD,com.ibm.sklm30.win' value='e9PjN93MeQxwnSs9VXJFMw=='/>


UNIX/Linux
Sample:

<data key='user.WAS_ADMIN_ID,com.ibm.sklm30.linux' value='wasadmin'/>
<data key='user.WAS_ADMIN_PASSWORD,com.ibm.sklm30.linux' value='e9PjN93MeQxwnSs9VXJFMw=='/>

2.

Uninstall IBM Security Key Lifecycle Manager.

Windows

  1. Open a command prompt.
  2. Change the directory to IM_INSTALL_LOCATION\eclipse\tools directory.
  3. Run the following command:
    imcl.exe -input PATH_TO_UNINSTALL_RESPONSE_FILE -silent
    For example:
    imcl.exe -input "c:\sklminstall_windowsfp\SKLM_Uninstall_Win_Resp.xml" -silent

UNIX/Linux

  1. Open a command prompt.
  2. Change the directory to the IM_INSTALL_LOCATION/eclipse/tools directory.
  3. Run the following command:
    ./imcl -input PATH_TO_UNINSTALL_RESPONSE_FILE -silent
    For example:
    ./imcl -input /sklminstall_linuxfp/SKLM_Uninstall_Linux_Resp.xml -silent

Where:

IM_INSTALL_LOCATION refers to the installation root directory for IBM Installation Manager.

Default value:

Windows:
c:\Program Files\IBM\Installation Manager

Linux:
/opt/IBM/InstallationManager

PATH_TO_UNINSTALL_RESPONSE_FILE refers to the uninstallation response file provided or bundled with the fix pack installer.

platform refers to the operating system where the fix pack is being installed / uninstalled.

For example: SKLM_Uninstall_platform_Resp.xml on Linux will be SKLM_Uninstall_Linux_Resp.xml


Copyright and trademark information

http://www.ibm.com/legal/copytrade.shtml

Notices

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.

THIRD-PARTY LICENSE TERMS AND CONDITIONS, NOTICES AND INFORMATION

The license agreement for this product refers you to this file for details concerning terms and conditions applicable to third party software code included in this product, and for certain notices and other information IBM must provide to you under its license to certain software code. The relevant terms and conditions, notices and other information are provided or referenced below. Please note that any non-English version of the licenses below is unofficial and is provided to you for your convenience only. The English version of the licenses below, provided as part of the English version of this file, is the official version.

Notwithstanding the terms and conditions of any other agreement you may have with IBM or any of its related or affiliated entities (collectively "IBM"), the third party software code identified below are "Excluded Components" and are subject to the following terms and conditions:

End of Document