=============================================================================== = 5724D-9621 IBM WebSphere Business Integration for Financial Networks = = for Multiplatforms Extending Features V2.2.0 = = PTF UK38898 for APAR PK70507 = =============================================================================== Table of contents ----------------- A. How to use this document B. Changes to your current system C. Post-Installation D. Steps on a customization system E. Steps on a run-time system F. APARs addressed by this PTF A. How to use this document --------------------------- Only the online version of this document is up to date. We strongly recommend that you download the latest version from http://www.ibm.com/software/integration/wbifn/support before you install this PTF. This PTF requires PTF UK38897 for APAR PK68951 for WebSphere BI for FN Base. Install that PTF and follow the description in UK38897.220.readme.txt before you install the current PTF. This PTF requires PTF UK36059 for APAR PK65304. Install that PTF and follow the description in UK36059.220.readme.txt before you install the current PTF. This PTF requires the SAG AddOn PTF 2.2.0.2 for APAR PK65436 to ensure the SAG configuration commands 'readGlobalParameters' and 'updateGlobalParameters' work correctly. The installation of this PTF is done in two phases: 1. Preparation phase During this timeframe your system can continue to process the workload as usual. This phase contains the steps up to and including 'E5 Preparing BAR files with the updated WebSphere BI for FN flows'. 2. Migration phase During this timeframe your system cannot process workload. This phase begins with step 'E6 Restart all WebSphere BI for FN message brokers' and continues until you finished the migration. We recommend that you download the latest version of the documentation from the following web site: www.ibm.com/software/integration/wbifn/library This document assumes the following: 1. The installation directory of WebSphere BI for FN is /opt/IBM/ 2. The names of users, groups, files, directories, etc. are the same as those used in the "Planning, Installation and Customization" manual. If you use different names, use those names instead of the names shown here. B. Changes to your current system --------------------------------- The following modules have been changed: /admin/data/dnfcfcfs.cli /dnf_02_02/admin/data/dnfcvcsv.cli /dnf_02_02/admin/data/dnfczcat.cli /dnf_02_02/admin/win/com.ibm.dnf.Core.zip /dnf_02_02/admin/win/com.ibm.dnf.FinInterfaceLayer.zip /dnf_02_02/admin/win/com.ibm.dnf.RelationshipManagementRuntime.zip /dnf_02_02/admin/win/com.ibm.dnf.Verification.zip /dnf_02_02/run/bin/dnfczml2.awk /dnf_02_02/run/data/dnfczcat.cli /dnf_02_02/run/lil/dnfrmexp.lil /dnf_02_02/run/lil/dnfrmimi.lil /dnf_02_02/run/lil/dnfrmrpt.lil /dnf_02_02/run/msg/dnfccmsg.cat /dnf_02_02/run/res/dnfchrsp.xml /dnf_02_02/run/res/dnfclrsp.xml /dnf_02_02/run/res/dnfcvevt.xml where represents the installation directory C. Post-Installation -------------------- After you have installed this PTF using ISMP: 1. Share the files with your customization and run-time systems. 2. Ensure that the group ownership of the /dnf_02_02/admin directory and all subdirectories and files therein is set to group dniadmin. To do this, enter the following command in AIX shell: chgrp -R dniadmin /opt/IBM/dnf_02_02/admin 3. Ensure that the group ownership of the /dnf_02_02/run directory and all subdirectories and files therein is set to group dnilpp. To do this, enter the following command in AIX shell: chgrp -R dnilpp /opt/IBM/dnf_02_02/run D. Steps on a customization system ---------------------------------- Note: This PTF introduces the new service bundle DNFVERIF for the new signature reverification service. Do not assign this service bundle as part of this migration process. You can do this after the migration has been finished as part of the usual recustomization process. Before you start the customization migration you should ensure that earlier migrations are completed using the CDP 'implement' command. Otherwise the CDP might generate migration statements again, which may cause the deployment vehicles to fail. To update your current definition directory and the customized administrative scripts, and to create deployment instructions and vehicles: D1. Log on to AIX on the customization - - - - - - - - - - - - - - - - - - - - - - Log on to AIX UNIX on the customization system as a customizer (ucust1). D2. Change to the customization directory - - - - - - - - - - - - - - - - - - - - - Change to the customization directory by issuing the following command: cd /var/dni_02_02/cus D3. Run your customization profile - - - - - - - - - - - - - - - - - Run your customization profile by issuing the following command: . ./dnicus_ D4. Start the CDP in migration mode - - - - - - - - - - - - - - - - - - Start the CDP in migration mode by issuing the following command: dnicdpm -i D5. Identify your current CDD - - - - - - - - - - - - - - - If you are not sure whether your .cdd reflects your current WebSphere BI for FN instance layout, generate a CDD using the CDP export command. How to this is described in "Planning, Installation, and Customization", Appendix E "CDP command reference". D6. Import your current CDD as the target CDD - - - - - - - - - - - - - - - - - - - - - - - Import your current CDD as the target CDD by issuing the following command: import cdd/.cdd D7. Prepare customization data - - - - - - - - - - - - - - - Update the customized administrative scripts for FIN in the directory '//admin' by entering the following command: prepare D8. Implement the customization changes - - - - - - - - - - - - - - - - - - - - After you have successfully deployed the changes in step E8, implement this CDD as your current CDD to update your 'current definition directory' by entering the following command: implement When the message "DNIZ9013I: Current Definition file already exists." is displayed enter 'y' to continue. D9. Quit the CDP session - - - - - - - - - - - - Quit the CDP session by entering the following command: quit E. Steps on a run-time system ----------------------------- E1. Transferring resources to the WebSphere MB Toolkit workstation - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - To prepare the WebSphere BI for FN resources located on the WebSphere MB Toolkit workstation in the following steps, you must have the authority of the WebSphere MB domain administrator (UWBIMBD1). The access rights of this user are described in the "Planning, Installation, and Customization" manual in Chapter 1. Planning, in the section "Roles, users, and user groups". To transfer the WebSphere BI for FN resources to a WebSphere MB Toolkit workstation: 1. Log on to the Toolkit workstation. 2. Create a temporary directory to store the files to be transferred from the installation system. 3. Open a Command Prompt window and change to this directory. 4. Transfer, in binary mode, from the installation system to this temporary directory following files: /dnf_02_02/admin/win/com.ibm.dnf.Core.zip /dnf_02_02/admin/win/com.ibm.dnf.FinInterfaceLayer.zip /dnf_02_02/admin/win/com.ibm.dnf.Verification.zip /dnf_02_02/admin/win/com.ibm.dnf.RelationshipManagementRuntime.zip /dni_02_02/admin/win/dni* For example, you can use the following File Transfer Program (FTP) commands to transfer the files: ftp bin prompt cd /dnf_02_02/admin/win get com.ibm.dnf.Core.zip get com.ibm.dnf.FinInterfaceLayer.zip get com.ibm.dnf.Verification.zip get com.ibm.dnf.RelationshipManagementRuntime.zip cd /dni_02_02/admin/win mget dni* bye E2. Setting the Toolkit version and directories - - - - - - - - - - - - - - - - - - - - - - - - To set the correct environment for the tools used in the subsequent steps follow the instructions in the "Planning, Installation, and Customization" manual in chapter "Preparing to create an instance", "Preparing the WebSphere MB Toolkit workstation", -> "Setting the Toolkit version and directories" E3. Backing up all resources installed in a WebSphere MB Toolkit workstation - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - To save the current level of all WebSphere BI for FN resources installed on a WebSphere MB Toolkit: 1. Open a Command Prompt window and change to the temporary directory you used in step E1. 2. Enter the command: dninibak This command creates backup files with names of the form: _dn.zip where represents a letter or letters that indicate to which product feature or features the backup file applies: i The Base feature f All extending features except Enhanced Support for SWIFTNet FileAct fo The Enhanced Support for SWIFTNet FileAct feature Each backup file contains: Links All files in the directory \eclipse\links that have names of the form "com.ibm.dn.link" WebSphere BI for FN eclipse plugins All subdirectories of with names of the form "com.ibm.dn" WebSphere BI for FN project directories All subdirectories of your workspace directory that have names that begin with "DNI_Dn" Note: The dninibak command issues messages to inform you of directories it was unable to find. For example: - If the Enhanced Support for SWIFTNet FileAct feature is not installed, dninibak issues a message to inform you that it was unable to find directories or projects for the feature "dnfo". - If none of the other extending features are installed, dninibak issues a message to inform you that it was unable to find directories or projects for the feature "dnf". If you do not use the corresponding features, you can safely ignore such messages. E4. Installing the updated WebSphere BI for FN Eclipse plug-ins and flows - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - To install the updated WebSphere BI for FN Eclipse plug-ins and message flows: 1. Open a Command Prompt window and change to the temporary directory you used in step E1. 2. Enter the command: dnininst This command will install the updated Eclipse plugins. A warning message is displayed for each installed file that did already exist. If the dnininst program issues an error message, check the log file for more information about the reason for the error. 3. Enter the command: dninimcp This command will install the updated message flows. A warning message is displayed for each installed file that did already exist. To refresh the meta data in the Message Brokers Toolkit: a. Start the Toolkit with the -clean parameter. b. In the Message Brokers Toolkit, open the 'Broker Application Development Perspective'. To re-build the WebSphere BI for FN projects: - For Message Broker Toolkit V5: a) Select all projects with names of the form DNI_DnMainflows. b) Right-click and select "Refresh" from the pop-up menu. c) Right-click and select "Rebuild" from the pop-up menu. - For Message Broker Toolkit V6: a) Disable the "Build Automatically" feature. To do this, deselect the "Projects"->"Build Automatically" item in the pull-down menu. b) For all 'DNI_DnMainflows' projects: 1) In the "Resource navigator" window, select the projects. 2) From the main menu, select "Projects->Clean..." 3) In the popup window, select "Clean selected project" and ensure "Start a build immediately" is selected. 4) Press "OK". E5. Preparing BAR files with the updated WebSphere BI for FN flows - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - To activate the changes within the WebSphere BI for FN eclipse plugins all affected message flows need to be deployed to all execution groups on all brokers where they are running. To prepare the broker archive files: a. Ensure the Message Brokers Toolkit is not running. b. In the Command Prompt window and from the temporary directory you used in step E1., enter dniupdbd -prepare -d . -q [-p ] [-h ] where The name of the queue manager to which the WebSphere MB configuration manager (CM) is connected. The port required to connect to the queue manager. The default is 1414. The host address of the machine running the CM. The default is 127.0.0.1 (localhost). This step creates broker archive files containing all WebSphere BI for FN message flows affected by the changes contained in this PTF. c. Check the log file dniupdbd.log to ensure that the files were successfully prepared. E6. Restart all WebSphere BI for FN message brokers - - - - - - - - - - - - - - - - - - - - - - - - - - Restart all WebSphere BI for FN message brokers. E7. Deploying all affected WebSphere BI for FN message flows - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - To deploy the broker archive files: a. In the Command Prompt window and from the temporary directory you used in step E1. and E5., enter dniupdbd -deploy -q [-p ] [-h ] [-t ] where The name of the queue manager to which the WebSphere MB configuration manager (CM) is connected. The port required to connect to the queue manager. The default is 1414. The host address of the machine running the CM. The default is 127.0.0.1 (localhost). The wait interval for configuration manager and broker response. The default is 600 seconds (10min). This step deploys the broker archive files prepared in step E5. and contained in the current directory to the broker(s). b. Check the log file dniupdbd.log to ensure that the files were successfully deployed. E8. Migrate configuration data - - - - - - - - - - - - - - - - Migrate WebSphere BI for FN Extending Features configuration entities: 1. Ensure that all CTs, COSs and OUs in your current instance are committed, approved, and deployed. 2. On the runtime system on which the message broker runs, log on to AIX as the system configuration administrator, for example, sa1. 3. Run the profile for your runtime environment by entering: . /var/dnf_02_02/run/dnfprofile 4. To verify that all necessary components are operational, open a CLI session and issue the list command: dnicli -ou SYSOU -s DNI_SYSADM -c "list -ou %" The CLI displays a list of all OUs. 5. Create a temporary directory where the configuration migration script dnfczmlc can store the CLI command files it will generate and that contain the migration statements. 6. Switch to this directory and enter the following command: dnfczmlc -i [-dir ] [-dual YES|NO] where: The name of the instance. -dir The directory on the runtime system in which the resource files dnfczcat.cli, dnfczcas.cli and dnfczcar.cli are located. The default is the /run/data subdirectory of the directory specified in your runtime profile (dnfprofile) by the DNF_PATH variable. For example, if the value of DNF_PATH is /opt/IBM/dnf_02_02, the default directory is /opt/IBM/dnf_02_02/run/data. -dual YES|NO Specifies whether files are to be created for a system that uses dual authorization for SYSOU. The default is -dual YES. Specify -dual NO only if dual authorization will be turned off for both DNI_SYSADM and DNI_SECADM in SYSOU at the time when the created files are executed. Whether dual authorization is switched on or off for other OUs is irrelevant. Note: This is a long-running task, and might take several minutes to complete. For example, if the name of your instance is INST1 and your system does not use dual authorization, enter: dnfczmlc -i INST1 -dual NO Depending on which of the superseded PTFs you already have applied the program dnfczmlc may create the following CLI command files in the current directory: If dual authorization is not used (-dual NO): - dnfczmlc_2_sa_ent_all.cli If dual authorization is on (-dual YES): - dnfczmlc_5_sa_cre_ct_com.cli - dnfczmlc_5_sa_cre_ct_dep.cli Check the file dnfczmlc.log to ensure that dnfczmlc ran correctly. 7. Execute the generated CLI command files by entering the following command: dnicli -i -s -ou SYSOU -cft | tee -a PK70507cli.log where: The name of the instance. DNI_SYSADM for files executed by the system configuration administrators, abbreviated as SA DNI_SECADM for files executed by the security administrators, abbreviated as UA The CLI command file name, for example dnfczmlc_5_sa_cre_ct_com.cli. The generated CLI command files must be executed in the following sequence and using the following user authorization: If dual authorization is not used (-dual NO): 1. dnfczmlc_2_sa_ent_all.cli by any SA If dual authorization is on (-dual YES): 1. dnfczmlc_5_sa_cre_ct_com.cli by the first SA (SA1) 2. dnfczmlc_5_sa_cre_ct_dep.cli by the second SA (SA2) E13. Restart all sessions and services you use - - - - - - - - - - - - - - - - - - - - - - - Restart all sessions and services you use. How to do this depends on the features of WebSphere BI for FN that you are using. For instance: - Log in SIPN FIN LTs. - Start Enhanced FileAct File Transfer service. - Start Enhanced InterAct service. - Acquire SWIFTNet SnF queues. - Start the applications that send requests to WebSphere BI for FN. For further information refer to the System Administration manual, chapter: 'Operating components, sessions, and services'. *----------------------------------------------------------------------------* * End of Migration * *----------------------------------------------------------------------------* F. APARs addressed by this PTF ------------------------------ PK70507 FIN STOP DUAL SIGNING WHEN BOOTSTRAPCOMPLETE IS SET FOR FIN MESSAGE PROCESSING INDEPENDENT FROM THE EXISTENCE OF BILATERAL KEYS SWIFT has defined a schedule for SWIFTNet FIN Phase II migration. The last customer milestone in this migration is called T3 (bootstrap complete). By declaring T3 as reached, the customer has to assure, that existing BK relationships are no longer available for the FIN CBT and therefore not used for authorization / authentication purposes. Formerly, BK records either from MERVA or stored in WebSphere BI for FN are used for authentication and authorization purposes in FIN interface layer (FIN IL). After having reached SWIFT milestone T3, BK records are no longer allowed to be used. Relationship management authorizations (RM authorizations) and PKI certificates have to be used instead. This is valid for sending and receiving FIN messages. PK64678 RM THE QUERY OUTPUT FOR A RM AUTHORISATION IS WRONG Formerly, in the output of the RM command 'query' you could not distinguish between a RM authorization with no restrictions regarding the message types and a RM authorization that does restrict all message types. Now, message DNFL9469I contains additional information to distinguish between both types of RM authorizations. PK67417 MESSAGE CATALOG UPDATE FOR PTF FOR APAR PK64678 The PTF for the relationship management APAR PK64678 requires an update of the message catalog in order to display the updated message DNFL9469I correctly. PK67420 RM CLI RESOURCE FILE UPDATE FOR PTF FOR APAR PK64678 The PTF for APAR PK64678 adds an additional parameter to the message DNFL9469I. To be able to display this message correctly a CLI resource file update is required. This resource file update is separated from the code change in order to allow for easier superseding with future PTFs. PK67533 RM WBIFN RM DNFL9552E - ATTEMPT TO CHANGE ACCESS RIGHTS OF LOG FILE FAILED Formerly, when the RM command 'import' tried to change the file mode of an existing log file and the started task user id of the Message Broker wasn't the owner of the file, then error DNFL9552E occurred. Now, the RM command 'import' doesn't change the file mode of an existing log file, but leaves the file mode as is. PK68902 FIN OSN'S FOR SYNONYM LTS REMAIN IN DNF_IAMS, THOUGH PROCESSED CORRECTLY Formerly, SWIFT OSNs received for SynonymLTs remain in DNF_IAMS, though they had been processed correctly to the application. No error indication was given anywhere. If recover was run on these messages, they would be processed twice. PK68309 FIN WBIFN ERROR IN MT960 MESSAGE PROCESSING, WHEN BSN FEATURE IS INSTALLED Formerly, message MT960 couldn't be processed when the BSN feature was installed. Now, message MT960 is processed. PK68833 FIN EBA CLEARING EURO1/STEP1 FINCOPY MIGRATION FROM SINGLE TO DOUBLE AUTHENTICATION. EBA Clearing EURO1/STEP1 FINCopy services will migrate from single to double authentication. The migration from single to double authentication will be done on the same week-end for all participants. After the migration messages sent by EURO1/STEP1 participants will be double authenticated (sending). Messages received by participants can be single or double authenticated for the first few days after migration, SWIFT requires vendors to support the receiving of a mixture of single and double authenticated messages. PK69123 SIG CONFIGURABLE SAG REQUEST EXPIRATION FOR SIGNATURE VERIFICATION SERVICE The Signature Verification service used a fixed value of 90 seconds for the MQ message expiration of VerifyDecrypt requests. Now, the expiration time is made adjustable. PK68980 FIN MESSAGE CATALOG AND CLI RESOURCE FILE UPDATE FOR PTF FOR APAR PK62498 The PTF for the FIN APAR PK62498 requires an update of the message catalog and an update of a CLI resource file. This PTF updates the message catalog and adds an additional parameter (TolerateSingleAuthentication)to CT (DnfFinCopyService). This message catalog and resource file update is separated from the code change in order to allow for easier superseding with future PTFs. PK69706 EIAS MISSING EVENTS IN WBI-FN EVENT-LOG AFTER A PROBLEM TO REACH THE DB2 TABLESPACES Formerly, when DIAS attempted to process InterAct response messages while DB2 was down there was no indication regarding a DB2 problem or an indication regarding a problem to process messages within the event tables. Now, the database exception event is shown. PK68309 FIN WBIFN ERROR IN MT960 MESSAGE PROCESSING, WHEN BSN FEATURE IS INSTALLED Formerly, message MT960 couldn't be processed when the BSN feature was installed. Now, message MT960 is processed. ++++ End +++ End +++ End +++ End +++ End +++ End +++ End +++ End +++ End ++++